35. b. Contingency planning integrates and acts on the results of the business impact analysis. The output of this process is a business continuity plan consisting of a set of contingency plans—with a single plan for each core business process and infrastructure component. Each contingency plan should provide a description of the resources, staff roles, procedures, and timetables needed for its implementation.
36. Which of the following must be defined to implement each contingency plan?
a. Triggers
b. Risks
c. Costs
d. Benefits
36. a. It is important to document triggers for activating contingency plans. The information needed to define the implementation triggers for contingency plans is the deployment schedule for each contingency plan and the implementation schedule for the replaced mission-critical systems. Triggers are more important than risks, costs, and benefits because the former drives the latter.
37. The least costly test approach for contingency plans is which of the following?
a. Full-scale testing
b. Pilot testing
c. Parallel testing
d. End-to-end testing
37. d. The purpose of end-to-end testing is to verify that a defined set of interrelated systems, which collectively support an organizational core business area or function, interoperate as intended in an operational environment. Generally, end-to-end testing is conducted when one major system in the end-to-end chain is modified or replaced, and attention is rightfully focused on the changed or new system. The boundaries on end-to-end tests are not fixed or predetermined but rather vary depending on a given business area’s system dependencies (internal and external) and the criticality to the mission of the organization.
Full-scale testing is costly and disruptive, whereas end-to-end testing is least costly. Pilot testing is testing one system or one department before testing other systems or departments. Parallel testing is testing two systems or two departments at the same time.
38. Organizations practice contingency plans because it makes good business sense. Which of the following is the correct sequence of steps involved in the contingency planning process?
1. Anticipating potential disasters
2. Identifying the critical functions
3. Selecting contingency plan strategies
4. Identifying the resources that support the critical functions
a. 1, 2, 3, and 4
b. 1, 3, 2, and 4
c. 2, 1, 4, and 3
d. 2, 4, 1, and 3
38. d. Contingency planning involves more than planning for a move offsite after a disaster destroys a data center. It also addresses how to keep an organization’s critical functions operating in the event of disruptions, both large and small. This broader perspective on contingency planning is based on the distribution of computer support throughout an organization. The correct sequence of steps is as follows:
Identify the mission or business or critical functions.
Identify the resources that support the critical functions.
Anticipate potential contingencies or disasters.
Select contingency planning strategies.
39. A contingency planning strategy consists of the following four parts. Which of the following parts are closely related to each other?
a. Emergency response and recovery
b. Recovery and resumption
c. Resumption and implementation
d. Recovery and implementation
39. b. The selection of a contingency planning strategy should be based on practical considerations, including feasibility and cost. Risk assessment can be used to help estimate the cost of options to decide an optimal strategy. Whether the strategy is onsite or offsite, a contingency planning strategy normally consists of emergency response, recovery, resumption, and implementation.
In emergency response, it is important to document the initial actions taken to protect lives and limit damage. In recovery, the steps that will be taken to continue support for critical functions should be planned. In resumption, what is required to return to normal operations should be determined. The relationship between recovery and resumption is important. The longer it takes to resume normal operations, the longer the organization will have to operate in the recovery mode. In implementation, it is necessary to make appropriate preparations, document the procedures, and train employees. Emergency response and implementation do not have the same relationship as recovery and resumption does.
