9. Redundant array of independent disks (RAID) technology does not use which of the following?
a. Electronic vaulting
b. Mirroring
c. Parity
d. Striping
9. a. Redundant array of independent disks (RAID) technology uses three data redundancy techniques: mirroring, parity, and striping. It does not use electronic vaulting. Electronic vaulting is located offsite, whereas RAID is placed at local servers; electronic vaulting may itself use RAID.
10. Regarding BCP and DRP, the board of directors of an organization is not required to follow which of the following?
a. Duty of due care
b. Duty of absolute care
c. Duty of loyalty
d. Duty of obedience
10. b. Duty of absolute care is not needed: reasonable and normal care is expected of the board of directors, because no one can anticipate or protect against all disasters. However, the directors need to follow the other three duties of due care, loyalty, and obedience.
11. Which of the following tasks is not a part of a business continuity plan (BCP)?
a. Project scoping
b. Impact assessment
c. Disaster recovery procedures
d. Disaster recovery strategies
11. c. Tasks are different between a business continuity plan (BCP) and disaster recovery planning (DRP) because of the timing of those tasks. For example, disaster recovery procedures come into play only during a disaster, which is a part of DRP.
12. Which of the following tasks is not a part of disaster recovery planning (DRP)?
a. Restoration procedures
b. Procuring the needed equipment
c. Relocating to a primary processing site
d. Selecting an alternate processing site
12. d. Tasks are different between a business continuity plan (BCP) and disaster recovery planning (DRP) because of the timing of those tasks. For example, selecting an alternative processing site should be planned out prior to a disaster, which is a part of a BCP. The other three choices are a part of DRP. Note that DRP is associated with data processing, whereas BCP refers to actions that keep the business running in the event of a disruption, even if it is with pencil and paper.
13. Regarding BCP and DRP, critical measurements in business impact analysis (BIA) include which of the following?
a. General support system objectives
b. Major application system objectives
c. Recovery time objectives and recovery point objectives
d. Uninterruptible power supply system objectives
13. c. Two critical measurements in business impact analysis (BIA) are recovery time objectives (RTOs) and recovery point objectives (RPOs). Usually, systems are classified as general support systems (for example, networks, servers, computers, gateways, and programs) and major application systems (for example, billing, payroll, inventory, and personnel systems). An uninterruptible power supply (UPS) system is an auxiliary system supporting general systems and application systems. Regardless of their nature and type, all systems need to fulfill the RTOs and RPOs to determine their impact on business operations.
14. Regarding BCP and DRP, which of the following establishes an information system’s recovery time objective (RTO)?
a. Cost of system inoperability and the cost of resources
b. Maximum allowable outage time and the cost to recover
c. Cost of disruption and the cost to recover
d. Cost of impact and the cost of resources
14. b. The balancing point between the maximum allowable outage (MAO) and the cost to recover establishes an information system’s recovery time objective (RTO). Recovery strategies must be created to meet the RTO. The maximum allowable outage is also called maximum tolerable downtime (MTD). The other three choices are incorrect because they do not deal with time and cost dimensions together.
15. Regarding BCP and DRP, which of the following determines the recovery cost balancing?
a. Cost of system inoperability and the cost of resources to recover
b. Maximum allowable outage and the cost to recover
c. Cost of disruption and the cost to recover
d. Cost of impact and the cost of resources
15. a. It is important to determine the optimum point to recover an IT system by balancing the cost of system inoperability against the cost of resources required for restoring the system. This is called recovery cost balancing, which indicates how long an organization can afford to allow the system to be disrupted or unavailable. The other three choices are incorrect because they do not deal with the recovery cost balancing principle.
16. Regarding contingency planning, which of the following actions are performed when malicious attacks compromise the confidentiality or integrity of an information system?
1. Graceful degradation
2. System shutdown
3. Fallback to manual mode
4. Alternate information flows
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
16. d. The actions to perform when malicious attacks compromise the confidentiality or integrity of the information system include graceful degradation, information system shutdown, fallback to a manual mode, alternative information flows, or operating in a mode that is reserved solely for when the system is under attack.
17. In transaction-based systems, which of the following are mechanisms supporting transaction recovery?
1. Transaction rollback
2. Transaction journaling
3. Router tables
4. Compilers
a. 1 only
b. 1 and 2
c. 3 and 4
d. 1, 2, 3, and 4
17. b. Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery. Routers use router tables for routing messages and packets. A compiler is software used to translate a computer program written in a high-level programming language (source code) into a machine language for execution. Neither router tables nor compilers support transaction recovery.
18. Regarding contingency planning, which of the following is susceptible to potential accessibility problems in the event of an area-wide disaster?
1. Alternative storage site
2. Alternative processing site
3. Alternative telecommunications services
4. Remote redundant secondary systems
a. 1 and 2
b. 2 and 3
c. 3 only
d. 1 and 4