c. The LAN server must be recovered within 8 hours to avoid a delay in time sheet processing.

d. The LAN server must be recovered fully to distribute payroll checks on Friday to all employees.

29. c. “The LAN server must be recovered within 8 hours to avoid a delay in time sheet processing” is an example of BIA’s recovery time objective (RTO). “Time and attendance reporting may require the use of a LAN server and other resources” is an example of BIA’s critical resource. “LAN disruption for 8 hours may create a delay in time sheet processing” is an example of BIA’s resource impact. “The LAN server must be recovered fully to distribute payroll checks on Friday to all employees” is an example of BIA’s recovery point objective (RPO).

30. Which of the following are closely connected to each other when conducting business impact analysis (BIA) as a part of the IT contingency planning process?

1. System’s components

2. System’s interdependencies

3. System’s critical resources

4. System’s downtime impacts

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

30. c. A business impact analysis (BIA) is a critical step toward understanding the information system's components, interdependencies, and potential downtime impact. Contingency plan strategy and procedures should be designed in consideration of the results of the BIA. A BIA is conducted by identifying the system's critical resources. Each critical resource is then further examined to determine how long functionality of the resource could be withheld from the information system before an unacceptable impact is experienced. Therefore, the system's critical resources and the system's downtime impacts are more closely related to each other than the other items are.

31. Business continuity plans (BCP) need periodic audits to ensure the accuracy, currency, completeness, applicability, and usefulness of such plans in order to properly run business operations. Which one of the following items is a prerequisite to the other three items?

a. Internal audits

b. Self-assessments

c. External audits

d. Third-party audits

31. b. Self-assessments are proactive exercises and are a prerequisite to the other types of audits. Self-assessments take the form of questionnaires, and usually a company's own employees (for example, supervisors or managers) conduct them to collect answers from functional management and IT management on various business operations. If these self-assessments are conducted with honesty and integrity, they can be eye-opening exercises because their results may not be what company management expected. The purpose of self-assessments is to identify strengths and weaknesses so that weaknesses can be corrected and strengths can be built upon.

In addition, self-assessments make an organization ready and prepared for the other audits, such as internal audits by corporate internal auditors, external audits by public accounting firms, and third-party audits by regulatory compliance auditors, insurance industry auditors, and others. In fact, overall audit costs can be reduced if these auditors can rely on the results of self-assessments, and that can happen only when the assessments are done in an objective and unbiased manner. This is because auditors then do not need to repeat these assessments with functional and IT management, which saves audit time and results in a reduction in audit costs. However, auditors will still conduct their own independent tests to validate the answers given in the assessments. The audit process validates compliance with disaster recovery standards, reviews recovery problems and solutions, verifies the appropriateness of recovery test exercises, and reviews the criteria for updating and maintaining a BCP.

Here, the major point is that self-assessments should be performed in an independent and objective manner, without company management's undue influence on the results. Another proactive step is sharing these self-assessments with auditors early, to get their approval before actually using them in the company, which helps ensure that the right questions are asked and the right areas are addressed.

32. A company’s vital records program must meet which of the following?

1. Legal, audit, and regulatory requirements

2. Accounting requirements

3. Marketing requirements

4. Human resources requirements

a. 1 only

b. 1 and 2

c. 1, 3, and 4

d. 1, 2, 3, and 4
