1. Possible threats include natural (for example, fires, floods, and earthquakes), technical (for example, hardware/software failure, power disruption, and communications interference), and human (for example, riots, strikes, disgruntled employees, and sabotage).

2. Assess impacts from loss of information and services from both internal and external sources. This includes financial condition, competitive position, customer confidence, legal/regulatory requirements, and cost analysis to minimize exposure.

3. Evaluate critical needs. This evaluation also should consider timeframes in which a specific function becomes critical. This includes functional operations, key personnel, information, processing systems, documentation, vital records, and policies and procedures.

4. Establish priorities for recovery based on critical needs.

51. For business continuity planning/disaster recovery planning (BCP/DRP), business impact analysis (BIA) primarily identifies which of the following?

a. Threats and risks

b. Costs and impacts

c. Exposures and functions

d. Events and operations

51. a. Business impact analysis (BIA) is the process of identifying an organization's exposure to the sudden loss of selected business functions and/or their supporting resources (threats) and analyzing the potential disruptive impact of those exposures (risks) on key business functions and critical business operations. Threats and risks are primary; costs and impacts are secondary, because the latter are derived from the former.

The BIA usually also establishes the cost (impact) associated with a disruption lasting various lengths of time, but that cost is a secondary output.

52. Which of the following is the best course of action to take for retrieving the electronic records stored at an offsite location?

a. Installing physical security controls offsite

b. Installing environmental controls offsite

c. Ensuring that software version stored offsite matches with the vital records version

d. Rotating vital records between onsite and offsite

52. c. IT management must ensure that electronic records remain retrievable in the future. This requires that the correct version of the software that created the original records be tested and stored offsite, and that the software version stored offsite match the current version of the vital records; a record set that no longer has a working copy of the application that can read it is effectively lost.

The other three choices are incorrect because, although they are important in their own way, they do not directly address the retrieval of electronic records. Examples of physical security controls include keys and locks, sensors, alarms, sprinklers, and surveillance cameras. Examples of environmental controls include controls for humidity, air conditioning, and heat levels. Rotating vital records between onsite and offsite is needed to purge obsolete records and keep only the current ones.

53. What is the purpose of a business continuity plan (BCP)?

a. To sustain business operations

b. To recover from a disaster

c. To test the business continuity plan

d. To develop the business continuity plan

53. a. Continuity planning involves more than planning for a move offsite after a disaster destroys a data center. It also addresses how to keep an organization’s critical functions operating in the event of disruptions, both large and small. This broader perspective on continuity planning is based on the distribution of computer use and support throughout an organization. The goal is to sustain business operations.

54. The main body of a contingency or disaster recovery plan document should not address which of the following?

a. What?

b. When?

c. How?

d. Who?

54. c. The plan document contains only the why, what, when, where, and who, not the how. The how consists of the detailed procedures and information required to carry out the actions identified and assigned to a specific recovery team. This information should not be in the formal plan because it is too detailed; it belongs in the detailed reference materials kept as an appendix to the plan. The why describes the need for recovery, the what describes the critical processes and resource requirements, the when deals with critical time frames, the where describes the recovery strategy, and the who identifies the recovery team members and support organizations. Keeping the how information in the plan document confuses people, makes the plan hard to understand, and creates a maintenance nightmare.

55. Which of the following contingency plan test results is most meaningful?
