First, a company management with the coordination of corporate legal counsel must take an inventory of all records used in a company, classify what records are vital, and identify what vital records support the continuity of business operations, legal evidence, disaster recovery work, and audit work; knowing that not all records and documents that a company handles everyday are vital records.

Some records are on paper media while other records are on electronic media. An outcome of inventorying and classifying records is developing a list of “record retention” showing each document with its retention requirements in terms of years. Then, a systematic method is needed to preserve and store these vital records onsite and offsite with rotation procedures between the onsite and offsite locations.

Corporate legal counsel plays an important role in defining retention requirements for both business (common) records and legal records. IT management plays a similar role in backing up, archiving, and restoring the electronic records for future retrieval and use. The goal is to ensure that the current version of the vital records is available and that outdated backup copies are deleted or destroyed in a timely manner.

Examples of vital records follow:

Legal records: General contracts; executive employment contracts; bank loan documents; business agreements with third parties, partners, and joint ventures; and regulatory compliance forms and reports.

Accounting/finance records: Payroll, accounts payable, and accounts receivable records; customer invoices; tax records; and yearly financial statements.

Marketing records: Marketing plans; sales contracts with customers and distributors; customer sales orders; and product shipment documents.

Human resources records: Employment application and test scores, and employee performance appraisal forms.

33. IT resource criticality for recovery and restoration is determined through which of the following ways?

1. Standard operating procedures

2. Events and incidents

3. Business continuity planning

4. Service-level agreements

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

33. c. Organizations determine IT resource criticality (for example, firewalls and Web servers) through their business continuity planning efforts or their service-level agreements (SLAs), which document actions and maximum response times and state the maximum time for restoring each key resource. Standard operating procedures (SOPs) are a delineation of the specific processes, techniques, checklists, and forms used by employees to do their work. An event is any observable occurrence in a system or network. An incident can be thought of as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

34. An information system’s recovery time objective (RTO) considers which of the following?

1. Memorandum of agreement

2. Maximum allowable outage

3. Service-level agreement

4. Cost to recover

a. 1 and 3

b. 2 and 4

c. 3 and 4

d. 1, 2, 3, and 4

34. b. The balancing point between the maximum allowable outage (MAO) for a resource and the cost to recover that resource establishes the information system’s recovery time objective (RTO). Memorandum of agreement is another name for developing a service-level agreement (SLA).

35. Contingency planning integrates the results of which of the following?

a. Business continuity plan

b. Business impact analysis

c. Core business processes

d. Infrastructural services

35. b. Contingency planning integrates and acts on the results of the business impact analysis. The output of this process is a business continuity plan consisting of a set of contingency plans—with a single plan for each core business process and infrastructure component. Each contingency plan should provide a description of the resources, staff roles, procedures, and timetables needed for its implementation.

36. Which of the following must be defined to implement each contingency plan?

a. Triggers

b. Risks

c. Costs

d. Benefits

36. a. It is important to document triggers for activating contingency plans. The information needed to define the implementation triggers for contingency plans is the deployment schedule for each contingency plan and the implementation schedule for the replaced mission-critical systems. Triggers are more important than risks, costs, and benefits because the former drives the latter.

37. The least costly test approach for contingency plans is which of the following?

a. Full-scale testing

b. Pilot testing

c. Parallel testing

d. End-to-end testing

37. d. The purpose of end-to-end testing is to verify that a defined set of interrelated systems, which collectively support an organizational core business area or function, interoperate as intended in an operational environment. Generally, end-to-end testing is conducted when one major system in the end-to-end chain is modified or replaced, and attention is rightfully focused on the changed or new system. The boundaries on end-to-end tests are not fixed or predetermined but rather vary depending on a given business area’s system dependencies (internal and external) and the criticality to the mission of the organization.

Full-scale testing is costly and disruptive, whereas end-to-end testing is least costly. Pilot testing is testing one system or one department before testing other systems or departments. Parallel testing is testing two systems or two departments at the same time.

38. Organizations practice contingency plans because it makes good business sense. Which of the following is the correct sequence of steps involved in the contingency planning process?

1. Anticipating potential disasters

2. Identifying the critical functions

3. Selecting contingency plan strategies

4. Identifying the resources that support the critical functions

a. 1, 2, 3, and 4

b. 1, 3, 2, and 4

c. 2, 1, 4, and 3

d. 2, 4, 1, and 3

38. d. Contingency planning involves more than planning for a move offsite after a disaster destroys a data center. It also addresses how to keep an organization’s critical functions operating in the event of disruptions, both large and small. This broader perspective on contingency planning is based on the distribution of computer support throughout an organization. The correct sequence of steps is as follows: