
18. a. Both alternative storage site and alternative processing site are susceptible to potential accessibility problems in the event of an area-wide disruption or disaster. Explicit mitigation actions are needed to handle this problem. Telecommunication services (ISPs and network service providers) and remote redundant secondary systems are located far away from the local area, hence not susceptible to potential accessibility problems.

19. Which of the following ensures the successful completion of tasks in the development of business continuity and disaster recovery plans?

a. Defining individual roles

b. Defining operational activities

c. Assigning individual responsibility

d. Exacting individual accountability

19. d. It is important to ensure that individuals responsible for the various business continuity and contingency planning activities are held accountable for the successful completion of individual tasks and that the core business process owners are responsible and accountable for meeting the milestones for the development and testing of contingency plans for their core business processes.

20. Regarding contingency planning, strategic reasons for separating the alternative storage site from the primary storage site include ensuring:

1. Both sites are not susceptible to the same hazards.

2. Both sites are not colocated in the same area.

3. Both sites do not have the same recovery time objectives.

4. Both sites do not have the same recovery point objectives.

a. 1 and 2

b. 1, 2, and 3

c. 1, 2, and 4

d. 1, 2, 3, and 4

20. a. It is important to ensure that both sites (i.e., alternative storage site and primary storage site) are not susceptible to the same hazards, are not colocated in the same area, have the same recovery time objectives (RTOs), and have the same recovery point objectives (RPOs).

21. Regarding BCP and DRP, if MAO is maximum allowable outage, BIA is business impact analysis, RTO is recovery time objective, MTBF is mean-time-between-failures, RPO is recovery point objective, MTTR is mean-time-to-repair, and UPS is uninterruptible power supply, which one of the following is related to and compatible with each other within the same choice?

a. MAO, BIA, RTO, and MTBF

b. BIA, RTO, RPO, and MAO

c. MAO, MTTR, RPO, and UPS

d. MAO, MTBF, MTTR, and UPS

21. b. A business impact analysis (BIA) is conducted by identifying a system’s critical resources. Two critical resource measures in BIA include recovery time objective (RTO) and recovery point objective (RPO). The impact in BIA is expressed in terms of maximum allowable outage (MAO). Hence, BIA, RTO, RPO, and MAO are related to and compatible with each other. MTBF is mean-time-between-failures, MTTR is mean-time-to-repair, and UPS is uninterruptible power supply, and they have no relation to BIA, RTO, RPO, and MAO because MAO deals with maximum time, whereas MTTF and MTTR deal with mean time (i.e., average time).

22. Regarding contingency planning, system-level information backups do not require which of the following to protect their integrity while in storage?

a. Passwords

b. Digital signatures

c. Encryption

d. Cryptographic hashes

22. a. Backups are performed at the user-level and system-level where the latter contains an operating system, application software, and software licenses. Only user-level information backups require passwords. System-level information backups require controls such as digital signatures, encryption, and cryptographic hashes to protect their integrity.

23. Which of the following is an operational control and is a prerequisite to developing a disaster recovery plan?

a. System backups

b. Business impact analysis

c. Cost-benefit analysis

d. Risk analysis

23. a. System backups provide the necessary data files and programs to recover from a disaster and to reconstruct a database from the point of failure. System backups are operational controls, whereas the items mentioned in the other choices come under management controls and are analytical in nature.

24. Which of the following is a critical benefit of implementing an electronic vaulting program?

a. It supports unattended computer center operations or automation.

b. During a crisis situation, an electronic vault can make the difference between an organization’s survival and failure.

c. It reduces required backup storage space.

d. It provides faster storage data retrieval.

24. b. For some organizations, time becomes money. Increased system reliability improves the likelihood that all the information required is available at the electronic vault. If data can be retrieved immediately from the off-site storage, less is required in the computer center. It reduces retrieval time from hours to minutes. Because electronic vaulting eliminates tapes, which are a hindrance to automated operations, electronic vaulting supports automation.

25. Regarding contingency planning, information system backups require which of the following?

1. Both the primary storage site and alternative storage site do not need to be susceptible to the same hazards.

2. Both operational system and redundant secondary system do not need to be colocated in the same area.

3. Both primary storage site and alternative storage site do not need to have the same recovery time objectives.

4. Both operational system and redundant secondary system do not need to have the same recovery point objectives.

a. 1 and 2

b. 1, 2, and 3

c. 1, 2, and 4

d. 1, 2, 3, and 4

25. a. System backup information can be transferred to the alternative storage site, and the same backup can be maintained at a redundant secondary system, not colocated with the operational system. Both sites and both systems must have the same recovery time objectives (RTOs) and same recovery point objectives (RPOs). This arrangement can be activated without loss of information or disruption to the operation.

26. Disaster recovery strategies must consider or address which of the following?

1. Recovery time objective

2. Disruption impacts

3. Allowable outage times

4. Interdependent systems

a. 1 only

b. 1 and 2

c. 1, 2, and 3

d. 1, 2, 3, and 4

26. d. A disaster recovery strategy must be in place to recover and restore data and system operations within the recovery time objective (RTO) period. The strategies should address disruption impacts and allowable outage times identified in the business impact analysis (BIA). The chosen strategy must also be coordinated with the IT contingency plans of interdependent systems. Several alternatives should be considered when developing the strategy, including cost, allowable outage times, security, and integration into organization-level contingency plans.