| 1. | Disaster recovery planning is a critical component of protecting data availability and integrity. Which of the following is the MOST important consideration of a disaster recovery plan? 
| A. | Alternative processing capability |
| B. | Protection and redundancy of data |
| C. | Protection of human life |
| D. | Ensuring that the disaster-recovery plan effectively supports organizational goals and objectives |
|
| A1: | Answer: C. Although all the answers are important considerations of disaster recovery planning, the primary objective is to protect human life. |
| 2. | Disaster recovery planning often comes down to a compromise between cost and target recovery times. Which of the following statements is true regarding this compromise?
| A. | Disaster-recovery duration times and costs should decrease. |
| B. | Disaster-recovery duration times should decrease, but recovery costs will necessarily increase. |
| C. | Disaster-recovery duration times should remain constant, but recovery costs should decrease. |
| D. | Disaster-recovery times should remain constant, but recovery costs should increase. |
|
| A2: | Answer: A. Effective recovery-control planning incorporates a control feasibility study, including a cost/benefit analysis. The objective of DRP is to reduce the financial business impact of a disaster or disruptive event to a greater extent than the cost of implementing a disaster-recovery control. Therefore, a control that decreases the recovery time and associated net recovery costs of the disaster is accepted and implemented. |
| 3. | Which of the following is ultimately accountable for effective business continuity and disaster-recovery controls?
| A. | Stockholders |
| B. | Security administrators |
| C. | Network administrators |
| D. | Executive officers |
|
| A3: | Answer: D. The executive officers of an organization are ultimately accountable corporate governance, which includes decisions to have or forego BCP/DRP controls. Although security administrators and network administrators might actually implement the controls that the executive officers or the board of directors approves, stockholders hold executive management accountable for making sure organizational viability is protected. |
| 4. | Which of the following BCP/DRP processes MOST requires end-user participation for effective business continuity and disaster-recovery planning?
| A. | Development of recovery strategies |
| B. | Business impact assessment (BIA) |
| C. | Development of the BCP/DRP plan documents |
| D. | Final testing of the BCP and DRP |
|
| A4: | Answer: B. As the initial step of effective business continuity and disaster-recovery planning, a business impact assessment (BIA) must be accurate to effectively perform an additional BCP/DRP processes. Therefore, end-user involvement is most critical to the BIA phase, to make sure that continuity risks are fully understood and properly assessed. |
| 5. | Regarding alternate site data-processing facilities, which of the following best practices is MOST important?
| A. | The facility is not clearly identified as belonging to the company. |
| B. | The facility is clearly identified as belonging to the company. |
| C. | Primary-site recovery teams can reach the facility within an hour to ensure minimal business impact from the disruptive event. |
| D. | The facility does not provide any external windows. |
|
| A5: | Answer: A. Because a potential disruptive event could be facility sabotage or bomb threat, the alternate processing facility should not be easily identified as belonging to the company. Because off-site facilities mitigate the risk of widespread natural disasters such as hurricanes and earthquakes, the facilities should be geographically distant from the primary site. External windows should be avoided because such windows expose the facility to unauthorized physical access, as well as storm damage. However, this best practice is not considered as important as answer A. |
| 6. | When should a business continuity or disaster plan be updated?
| A. | Annually |
| B. | Biannually |
| C. | Semiannually |
| D. | Upon any significant change to the organization, such as asset acquisition or release |
|
| A6: | Answer: D. Business continuity and disaster recovery planning should be an ongoing program that is event-triggered rather than simply a periodic project. After all, newly acquired assets should be protected sooner rather than later. |
| 7. | Hot-site off-site processing facilities are characterized by:
| A. | High implementation and maintenance costs |
| B. | Reduced recovery time |
| C. | Decreased disaster preparation costs |
| D. | Both answers A and B |
| E. | Both answers B and C |
|
| A7: | Answer: D. Hot sites are the most expensive type of alternate processing redundancy, but they are very appropriate for operations that require immediate or very short recovery times. |
| 8. | Which of the following is the MOST important control aspect of maintaining data backup at off-site storage facilities?
| A. | The security of the storage facility is as secure as or more secure than the primary site. |
| B. | The data backups are always tested for accuracy and reliability. |
| C. | Critical and time-sensitive data is kept current at the off-site storage facility. |
| D. | Applications for processing the data are backed up to the off-site storage facility along with critical data. |
|
| A8: | Answer: C. Organizations should use off-site storage facilities to maintain redundancy of current and critical information within backup files. All other answers are important, too, but answer C is considered most important. |
| 9. | Critical real-time data such as that associated with transaction processing requires special backup procedures. Which of the following is recommended for backing up transaction-processing files?
| A. | Duplicate logging of transactions |
| B. | Time stamping of transactions and communications data |
| C. | Use of before-and-after images of master records |
| D. | All of the above |
|
| A9: | Answer: D. Duplicate logging of transactions, use of before-and-after images of master records, and time stamping of transactions and communications data are all recommended best practices for establishing effective redundancy of transaction databases. |
| 10. | Which of the following is considered MOST appropriate for backing up real-time transaction databases?
| A. | Periodic imaging of transaction database master records, along with automated periodic incremental tape backups |
| B. | Electronic vaulting |
| C. | Remote journaling |
| D. | Answers A and C |
| E. | Answers B and C |
|
| A10: | Answer: E. Electronic vaulting and remote journaling are both considered effective redundancy controls for backing up real-time transaction databases. Periodic imaging of transaction database master records along with automated periodic incremental tape-backups does not support immediate or short recovery times. |
