d. Deciding which applications can be handled as standalone personal computer tasks
106. b. It is true that during a disaster, not all application systems have to be supported while the local-area network (LAN) is out of service. Some LAN applications may be handled manually, some as standalone PC tasks, whereas others need to be supported offsite. Although these duties are clearly defined, it is not so clear which users must secure and back up their own data. It is important to communicate to users that they must secure and back up their own data until normal LAN operations are resumed. This is often a missing link in developing a LAN methodology for contingency planning.
107. Which of the following uses both qualitative and quantitative tools?
a. Anecdotal analysis
b. Business impact analysis
c. Descriptive analysis
d. Narrative analysis
107. b. The purpose of business impact analysis (BIA) is to identify critical functions, resources, and vital records necessary for an organization to continue its critical functions. In this process, the BIA uses both quantitative and qualitative tools. The other three choices are examples that use qualitative tools. Anecdotal records constitute a description or narrative of a specific situation or condition.
108. With respect to BCP/DRP, single point of failure means which of the following?
a. No production exists
b. No vendor exists
c. No redundancy exists
d. No maintenance exists
108. c. A single point of failure occurs when there is no redundancy in data, equipment, facilities, systems, and programs. A failure of a component or element may disable the entire system. Use of redundant array of independent disks (RAID) technology provides greater data reliability through redundancy because the data can be stored on multiple hard drives across an array, thus eliminating single points of failure and decreasing the risk of data loss significantly.
109. What is an alternative processing site that is equipped with telecommunications but not computers?
a. Cold site
b. Hot site
c. Warm site
d. Redundant site
109. c. A warm site has telecommunications ready to be utilized but does not have computers. A cold site is an empty building that can house computer processors later and has environmental controls (for example, heat and air conditioning) in place. A hot site is a fully equipped building ready to operate quickly. A redundant site is configured exactly like the primary site.
110. Which of the following computer backup alternative sites is the least expensive method and the most difficult to test?
a. Nonmobile hot site
b. Mobile hot site
c. Warm site
d. Cold site
110. d. A cold site is an environmentally protected computer room equipped with air conditioning, wiring, and humidity control for continued processing when the equipment is shipped to the location. The cold site is the least expensive backup site method but the most difficult and expensive to test.
111. Which of the following is the correct sequence of events when surviving a disaster?
a. Respond, recover, plan, continue, and test
b. Plan, respond, recover, test, and continue
c. Respond, plan, test, recover, and continue
d. Plan, test, respond, recover, and continue
111. d. The correct sequence of events to take place when surviving a disaster is plan, test, respond, recover, and continue.
112. Which of the following tools provide information for reaching people during a disaster?
a. Decision tree diagram
b. Call tree diagram
c. Event tree diagram
d. Parse tree diagram
112. b. A call tree diagram shows who to contact when a required person is not available or not responding. The call tree shows the successive levels of people to contact if no response is received from the lower level of the tree. It shows the backup people when the primary person is not available. A decision tree diagram shows all the choices available with their outcomes to make a decision. An event tree diagram can be used in project management, and a parse tree diagram can be used in estimating probabilities and the nature of states in software engineering.
Scenario-Based Questions, Answers, and Explanations
Use the following information to answer questions 1 through 7.
The GKM Company has just completed the business impact analysis (BIA) for its data processing facilities. The continuity planning team found in the risk analysis that there is a single point of failure in that backup tapes from offsite locations are controlled by an individual who works for the vendor. The contract for the vendor does not expire for 3 years.
1. Which of the following uses both qualitative and quantitative tools?
a. Anecdotal analysis
b. Business impact analysis
c. Descriptive analysis
d. Narrative analysis
1. b. The purpose of BIA is to identify critical functions, resources, and vital records necessary for an organization to continue its critical functions. In this process, the BIA uses both quantitative and qualitative tools. The other three choices are incorrect because they are examples that use qualitative tools. Anecdotal records constitute a description or narrative of a specific situation or condition.
2. With respect to business continuity planning/disaster recovery planning (BCP/DRP), risk analysis is part of which of the following?
a. Cost-benefit analysis
b. Business impact analysis
c. Backup analysis
d. Recovery analysis
2. b. The risk analysis is usually part of the business impact analysis (BIA). It estimates both the functional and financial impact of a risk occurrence to the organization and identifies the costs to reduce the risks to an acceptable level through the establishment of effective controls. Cost-benefit analysis, backup analysis, and recovery analysis are part of the BIA.
3. With respect to BCP/DRP, the BIA identifies which of the following?
a. Threats and risks
b. Costs and impacts
c. Exposures and functions
d. Events and operations
3. a. BIA is the process of identifying an organization’s exposure to the sudden loss of selected business functions and/or the supporting resources (threats) and analyzing the potential disruptive impact of those exposures (risks) on key business functions and critical business operations. The BIA usually establishes a cost (impact) associated with the disruption lasting varying lengths of time.
4. The business impact analysis (BIA) should critically examine the business processes and which of the following?
a. Composition
b. Priorities