b. Hot sites

c. Cold sites

d. Reciprocal agreements

70. b. Hot sites are fully equipped computer centers. Some have fire protection and warning devices, telecommunications lines, intrusion detection systems, and physical security. These centers are equipped with computer hardware that is compatible with that of a large number of subscribing organizations. This type of facility is intended to serve an organization that has sustained total destruction and cannot defer computer services. The other three choices do not have this kind of support.

71. A full-scale testing of application systems cannot be accomplished in which of the following alternative computing backup facilities?

a. Shared contingency centers and hot sites

b. Dedicated contingency centers and cold sites

c. Hot sites and reciprocal agreements

d. Cold sites and reciprocal agreements

71. d. The question is asking about the two alternative computing facilities that can perform full-scale testing. Cold sites do not have equipment, so full-scale testing cannot be done until the equipment is installed. Adequate time may not be allowed in reciprocal agreements due to time pressures and scheduling conflicts between the two parties.

Full-scale testing is possible with shared contingency centers and hot sites because they have the needed equipment to conduct tests. Shared contingency centers are essentially the same as dedicated contingency centers. The difference lies in the fact that membership is formed by a group of similar organizations which use, or could use, identical hardware.

72. Which of the following computing backup facilities has a cost advantage?

a. Shared contingency centers

b. Hot sites

c. Cold sites

d. Reciprocal agreements

72. d. Reciprocal agreements do not require nearly as much advanced funding as do commercial facilities. They are inexpensive compared to other three choices where the latter are commercial facilities. However, cost alone should not be the overriding factor when making backup facility decisions.

73. Which of the following organization’s functions are often ignored in planning for recovery from a disaster?

a. Computer operations

b. Safety

c. Human resources

d. Accounting

73. c. Human resource policies and procedures impact employees involved in the response to a disaster. Specifically, it includes extended work hours, overtime pay, compensatory time, living costs, employee evacuation, medical treatment, notifying families of injured or missing employees, emergency food, and cash during recovery. The scope covers the pre-disaster plan, emergency response during recovery, and post-recovery issues. The major reason for ignoring the human resource issues is that they encompass many items requiring extensive planning and coordination, which take a significant amount of time and effort.

74. Which of the following is the best organizational structure and management style during a disaster?

a. People-oriented

b. Production-oriented

c. Democratic-oriented

d. Participative-oriented

74. b. During the creation of a disaster recovery and restoration plan, the management styles indicated in the other three choices are acceptable due to the involvement and input required of all people affected by a disaster. However, the situation during a disaster is entirely different requiring execution, not planning. The command-and-control structure, which is a production-oriented management style, is the best approach to orchestrate the recovery, unify all resources, and provide solid direction with a single voice to recover from the disaster. This is not the time to plan and discuss various approaches and their merits. The other three choices are not suitable during a disaster.

75. The primary objective of emergency planning is to:

a. Minimize loss of assets.

b. Ensure human security and safety.

c. Minimize business interruption.

d. Provide backup facilities and services.

75. b. Emergency planning provides the policies and procedures to cope with disasters and to ensure the continuity of vital data center services. The primary objective of emergency planning is personnel safety, security, and welfare; secondary objectives include (i) minimizing loss of assets, (ii) minimizing business interruption, (iii) providing backup facilities and services, and (iv) providing trained personnel to conduct emergency and recovery operations.

76. Which of the following is most important in developing contingency plans for information systems and their facilities?

a. Criteria for content

b. Criteria for format

c. Criteria for usefulness

d. Criteria for procedures

76. c. The only reason for creating a contingency plan is to provide a document and procedure that will be useful in time of emergency. If the plan is not designed to be useful, it is not satisfactory. Suggestions for the plan content and format can be described, but no two contingency plans will or should be the same.

77. All the following are objectives of emergency response procedures except:

a. Protect life

b. Control losses

c. Protect property

d. Maximize profits

77. d. Emergency response procedures are those procedures initiated immediately after an emergency occurs to protect life, protect property, and minimize the impact of the emergency (loss control). Maximizing profits can be practiced during nonemergency times but not during an emergency.

78. The post-incident review report after a disaster should not focus on:

a. What happened?

b. What should have happened?

c. What should happen next?

d. Who caused it?

78. d. The post-incident review after a disaster has occurred should focus on what happened, what should have happened, and what should happen next, but not on who caused it. Blaming people will not solve the problem.

79. An effective element of damage control after a disaster occurs is to:

a. Maintain silence.

b. Hold press conferences.

c. Consult lawyers.

d. Maintain secrecy.

79. b. Silence is guilt, especially during a disaster. How a company appears to respond to a disaster can be as important as the response itself. If the response is kept in secrecy, the press will assume there is some reason for secrecy. The company should take time to explain to the press what happened and what the response is. A corporate communications professional should be consulted instead of a lawyer due to the specialized knowledge of the former. A spokesperson should be selected to contact media, issue an initial statement, provide background information, and describe action plans, which are essential to minimize the damage. The company lawyers may add restrictions to ensure that everything is done accordingly, which may not work well in an emergency.