27. The final consideration in the disaster recovery strategy must be which of the following?
a. Criticality of data and systems
b. Availability of data and systems
c. Final costs and benefits
d. Recovery time objective requirements
27. c. The final consideration in the disaster recovery strategy must be final costs and benefits, although cost and benefit data is also considered initially. No prudent manager or executive would want to spend ten dollars to obtain a one dollar benefit. When costs exceed benefits, some managers accept the risk and some do not. Note that it is a human tendency to understate costs and overstate benefits. Some examples of costs include loss of income from loss of sales, the cost of not meeting legal and regulatory requirements, the cost of not meeting contractual and financial obligations, and the cost of loss of reputation. Some examples of benefits include assurance of continuity of business operations, the ability to make sales and profits, providing gainful employment, and satisfying internal and external customers and other stakeholders.
The recovery strategy must meet criticality and availability of data and systems and recovery time objective (RTO) requirements while remaining within the cost and benefit guidelines.
28. Regarding BCP and DRP, which of the following does not prevent potential data loss?
a. Disk mirroring
b. Offsite storage of backup media
c. Redundant array of independent disks
d. Load balancing
28. b. Although offsite storage of backup media enables a computer system to be recovered, data added to or modified on the server since the previous backup could be lost during a disruption or disaster. To avoid this potential data loss, a backup strategy may need to be complemented by redundancy solutions, such as disk mirroring, redundant array of independent disks (RAID), and load balancing.
29. Which of the following is an example of a recovery time objective (RTO) for a payroll system identified in a business impact analysis (BIA) document?
a. Time and attendance reporting may require the use of a LAN server and other resources.
b. LAN disruption for 8 hours may create a delay in time sheet processing.
c. The LAN server must be recovered within 8 hours to avoid a delay in time sheet processing.
d. The LAN server must be recovered fully to distribute payroll checks on Friday to all employees.
29. c. “The LAN server must be recovered within 8 hours to avoid a delay in time sheet processing” is an example of BIA’s recovery time objective (RTO). “Time and attendance reporting may require the use of a LAN server and other resources” is an example of BIA’s critical resource. “LAN disruption for 8 hours may create a delay in time sheet processing” is an example of BIA’s resource impact. “The LAN server must be recovered fully to distribute payroll checks on Friday to all employees” is an example of BIA’s recovery point objective (RPO).
30. Which of the following are closely connected to each other when conducting business impact analysis (BIA) as a part of the IT contingency planning process?
1. System’s components
2. System’s interdependencies
3. System’s critical resources
4. System’s downtime impacts
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
30. c. A business impact analysis (BIA) is a critical step to understanding the information system's components, interdependencies, and potential downtime impact. Contingency plan strategy and procedures should be designed in consideration of the results of the BIA. A BIA is conducted by identifying the system's critical resources. Each critical resource is then further examined to determine how long functionality of the resource could be withheld from the information system before an unacceptable impact is experienced. Therefore, the system's critical resources and the system's downtime impacts are more closely related to each other than the other items are.
31. Business continuity plans (BCP) need periodic audits to ensure the accuracy, currency, completeness, applicability, and usefulness of such plans in order to properly run business operations. Which one of the following items is a prerequisite to the other three items?
a. Internal audits
b. Self-assessments
c. External audits
d. Third-party audits
31. b. Self-assessments are proactive exercises and are a prerequisite to the other types of audits. Self-assessments take the form of questionnaires, and usually a company's employees (for example, supervisors or managers) conduct these self-assessments to collect answers from functional management and IT management on various business operations. If these self-assessments are conducted with honesty and integrity, they can be eye-opening exercises because their results may not match what company management expected. The purpose of self-assessments is to identify strengths and weaknesses so that weaknesses can be corrected and strengths can be improved.
In addition, self-assessments make an organization ready and prepared for the other audits, such as internal audits by corporate internal auditors, external audits by public accounting firms, and third-party audits by regulatory compliance auditors, insurance industry auditors, and others. In fact, overall audit costs can be reduced if these auditors can rely on the results of self-assessments, and that can happen only when the assessments are done in an objective and unbiased manner. This is because auditors do not need to repeat these assessments with functional and IT management, thus saving audit time and reducing audit costs. However, auditors will still conduct their own independent tests to validate the answers given in the assessments. The audit process validates compliance with disaster recovery standards, reviews recovery problems and solutions, verifies the appropriateness of recovery test exercises, and reviews the criteria for updating and maintaining a BCP.
Here, the major point is that self-assessments should be performed in an independent and objective manner, without the company management's undue influence on the results. Another proactive step is to share these self-assessments with auditors in advance to get their approval before actually using them in the company, to ensure that the right questions are asked and the right areas are addressed.
32. A company’s vital records program must meet which of the following?
1. Legal, audit, and regulatory requirements
2. Accounting requirements
3. Marketing requirements
4. Human resources requirements
a. 1 only
b. 1 and 2
c. 1, 3, and 4
d. 1, 2, 3, and 4
32. d. Vital records support the continuity of business operations and provide the necessary legal evidence in a court of law. Vital records should be retained to meet the requirements of a company's functional departments (for example, accounting, marketing, production, and human resources) to run day-to-day business operations, both current and future. In addition, companies that are heavily regulated (for example, banking and insurance) are required to retain certain vital records for a specified amount of time. Also, internal auditors, external auditors, and third-party auditors (for example, regulatory auditors and banking/insurance industry auditors) require certain vital records to be retained to support their audit work. Periodically, these auditors review compliance with the record retention requirements, either as a separate audit or as a part of their scheduled audit. Moreover, vital records are needed during recovery from a disaster. In other words, vital records are essential to the long-run success of a company.