32. d. Vital records support the continuity of business operations and provide the necessary legal evidence in a court of law. Vital records should be retained to meet the requirements of the functional departments of a company (for example, accounting, marketing, production, and human resources) to run day-to-day business operations (current and future). In addition, companies that are heavily regulated (for example, banking and insurance) are required to retain certain vital records for a specified period of time. Also, internal auditors, external auditors, and third-party auditors (for example, regulatory auditors and banking/insurance industry auditors) require certain vital records to be retained to support their audit work. Periodically, these auditors review compliance with the record retention requirements either as a separate audit or as part of a scheduled audit. Moreover, vital records are needed during recovery from a disaster. In other words, vital records are essential to the long-run success of a company.

First, company management, in coordination with corporate legal counsel, must take an inventory of all records used in the company, classify which records are vital, and identify which vital records support the continuity of business operations, legal evidence, disaster recovery work, and audit work, bearing in mind that not all records and documents a company handles every day are vital records.

Some records are on paper media while other records are on electronic media. An outcome of inventorying and classifying records is a “record retention” list showing each document with its retention requirement in years. Then, a systematic method is needed to preserve and store these vital records onsite and offsite, with rotation procedures between the onsite and offsite locations.

Corporate legal counsel plays an important role in defining retention requirements for both business (common) records and legal records. IT management plays a similar role in backing up, archiving, and restoring the electronic records for future retrieval and use. The goal is to ensure that the current version of the vital records is available and that outdated backup copies are deleted or destroyed in a timely manner.

Examples of vital records follow:

Legal records: General contracts; executive employment contracts; bank loan documents; business agreements with third parties, partners, and joint ventures; and regulatory compliance forms and reports.

Accounting/finance records: Payroll, accounts payable, and accounts receivable records; customer invoices; tax records; and yearly financial statements.

Marketing records: Marketing plans; sales contracts with customers and distributors; customer sales orders; and product shipment documents.

Human resources records: Employment application and test scores, and employee performance appraisal forms.
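The retention process described in the answer above (a retention list in years per record class, copies held onsite and offsite, outdated copies destroyed in a timely manner) can be checked mechanically. The following is an added example, not code from the book; the record classes, retention periods, record dates, and the two-location rotation rule are all constructed for illustration and are assumptions, not a schedule any real company or regulator publishes.

```python
"""Added example: evaluate a vital-record retention schedule against an inventory.

Two checks are reported, matching the goal stated in the text:
  * copies whose retention period has expired and are due for destruction, and
  * unexpired records not held at both the onsite and offsite locations
    (a gap in the onsite/offsite rotation).
All record classes, retention years and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule: record class -> years to retain.
# In practice this list comes from corporate legal counsel.
RETENTION_YEARS = {
    "tax_record": 7,
    "payroll": 7,
    "executive_contract": 10,
    "sales_order": 3,
    "performance_appraisal": 5,
}

LOCATIONS = ("onsite", "offsite")


@dataclass(frozen=True)
class StoredCopy:
    record_class: str
    record_id: str
    record_date: date   # date the record was created
    location: str       # "onsite" or "offsite"


def expiry_date(copy: StoredCopy, schedule=RETENTION_YEARS) -> date:
    """Retention ends on the anniversary of the record date, N years later."""
    years = schedule[copy.record_class]
    d = copy.record_date
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb with a non-leap target year
        return d.replace(year=d.year + years, day=28)


def copies_due_for_destruction(copies, today, schedule=RETENTION_YEARS):
    """(record_id, location) pairs whose retention period has ended."""
    return sorted(
        (c.record_id, c.location)
        for c in copies
        if expiry_date(c, schedule) <= today
    )


def rotation_gaps(copies, today, schedule=RETENTION_YEARS):
    """Unexpired records missing from one of the two locations.

    Returns {record_id: [missing locations]}.
    """
    present = {}
    for c in copies:
        if expiry_date(c, schedule) > today:
            present.setdefault(c.record_id, set()).add(c.location)
    gaps = {}
    for record_id, where in present.items():
        absent = [loc for loc in LOCATIONS if loc not in where]
        if absent:
            gaps[record_id] = absent
    return gaps


# Constructed inventory of stored copies.
SAMPLE_COPIES = [
    StoredCopy("tax_record", "TAX-2015", date(2015, 4, 15), "onsite"),
    StoredCopy("tax_record", "TAX-2015", date(2015, 4, 15), "offsite"),
    StoredCopy("tax_record", "TAX-2022", date(2022, 4, 15), "onsite"),
    StoredCopy("tax_record", "TAX-2022", date(2022, 4, 15), "offsite"),
    StoredCopy("sales_order", "SO-2020-0001", date(2020, 1, 10), "onsite"),
    StoredCopy("executive_contract", "CEO-2019", date(2019, 6, 1), "onsite"),
]
# A constructed record dated on a leap day, to exercise the anniversary rule.
LEAP_DAY_SAMPLE = StoredCopy("payroll", "PAY-2016-02", date(2016, 2, 29), "offsite")
TODAY = date(2024, 6, 1)  # constructed evaluation date


if __name__ == "__main__":
    for record_id, location in copies_due_for_destruction(SAMPLE_COPIES, TODAY):
        print(f"destroy: {record_id} ({location}) - retention period ended")
    for record_id, missing in rotation_gaps(SAMPLE_COPIES, TODAY).items():
        print(f"rotation gap: {record_id} has no copy at {', '.join(missing)}")
```

With the constructed inventory, the 2015 tax record (7-year retention) and the 2020 sales order (3-year retention) are reported as due for destruction, while the 2019 executive contract is flagged because only an onsite copy exists. A real deployment would feed the inventory from the backup catalogue or records-management system rather than a hard-coded list.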

33. IT resource criticality for recovery and restoration is determined through which of the following ways?

1. Standard operating procedures

2. Events and incidents

3. Business continuity planning

4. Service-level agreements

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

33. c. Organizations determine IT resource criticality (for example, firewalls and Web servers) through their business continuity planning efforts or their service-level agreements (SLAs), which document actions and maximum response times and state the maximum time for restoring each key resource. Standard operating procedures (SOPs) are a delineation of the specific processes, techniques, checklists, and forms used by employees to do their work. An event is any observable occurrence in a system or network. An incident can be thought of as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

34. An information system’s recovery time objective (RTO) considers which of the following?

1. Memorandum of agreement

2. Maximum allowable outage

3. Service-level agreement

4. Cost to recover

a. 1 and 3

b. 2 and 4

c. 3 and 4

d. 1, 2, 3, and 4

34. b. The balancing point between the maximum allowable outage (MAO) for a resource and the cost to recover that resource establishes the information system’s recovery time objective (RTO). Memorandum of agreement is another name for developing a service-level agreement (SLA).

35. Contingency planning integrates the results of which of the following?

a. Business continuity plan

b. Business impact analysis

c. Core business processes

d. Infrastructural services
