2008 CISA Review Course
Chapter 6
Business Continuity and Disaster Recovery
Chapter Outline
6.1 Introduction
6.2 Business Continuity / Disaster Recovery Planning
6.3 Auditing Business Continuity (DRP + COOP + BRP)
Exam Relevance
Ensure that the CISA candidate understands and can provide assurance that, in the event of a disruption, the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact.
The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).
T6.2
T6.3
KS6.2
KS6.3
KS6.4
KS6.7
KS6.8
6.2 Business Continuity/Disaster Recovery Planning
Business continuity planning (BCP) is a process designed to reduce the organization's business risk
A BCP is much more than just a plan for the information systems
Practice Question
6-1 During an audit of a large bank, the IS auditor observes that no
formal risk assessment exercise has been carried out for the
various business applications to arrive at their relative importance
and recovery time requirements. The risk to which the bank is
exposed is that the:
A. business continuity plan may not have been calibrated to the relative risk
that disruption of each application poses to the organization.
B. business continuity plan may not include all relevant applications and,
therefore, may lack completeness in terms of its coverage.
C. business impact of a disaster may not have been accurately understood
by the management.
D. business continuity plan may lack an effective ownership by the business
owners of such applications.
Practice Question
6-2 Which of the following is necessary to have
FIRST in the development of a business
continuity plan?
A. Risk-based classification of systems
B. Inventory of all assets
C. Complete documentation of all disasters
D. Availability of hardware and software
Practice Question
6-3 An IS auditor should be involved in:
A. observing tests of the disaster recovery plan.
B. developing the disaster recovery plan.
C. maintaining the disaster recovery plan.
D. reviewing the disaster recovery requirements of
supplier contracts.
6.2.1 Business Continuity/Disaster Recovery Planning
IS processing is of strategic importance:
Critical component of overall BCP
Most key business processes depend on the availability of key systems and infrastructure components
Critical
Vital
Sensitive
Nonsensitive
Practice Question
6-4 The window of time for recovery of information
processing capabilities is based on the:
A.
B.
C.
D.
Practice Question
6-5 When preparing a business continuity plan,
which of the following must be known to
establish a recovery point objective (RPO)?
A. The acceptable data loss in case of disruption of
operations
B. The acceptable downtime in case of disruption of
operations
C. Types of offsite backup facilities available
D. Types of IT platforms supporting critical business
functions
Practice Question
6-6 When preparing a business continuity plan,
which of the following must be known to
establish a recovery point objective (RPO)?
A. The acceptable data loss in case of disruption of
operations
B. The acceptable downtime in case of disruption of
operations
C. Types of offsite backup facilities available
D. Type of IT platforms supporting critical business
functions
Configurations
Disaster
Speed of availability
Subscribers per site and area
Preference
Insurance
Audit
Reliability
Practice Question
6-7 An IS auditor discovers that an organization's business
continuity plan provides for an alternate processing site that
will accommodate 50 percent of the primary processing
capability. Based on this, which of the following actions
should the IS auditor take?
A. Do nothing, because generally, less than 25 percent of all processing is
critical to an organization's survival and the backup capacity, therefore, is
adequate.
B. Identify applications that could be processed at the alternate site, and
develop manual procedures to back up other processing.
C. Ensure that critical applications have been identified and that the alternate
site could process all such applications.
D. Recommend that the information processing facility arrange for an alternate
processing site with the capacity to handle at least 75 percent of normal
processing.
Installing and testing systems software and applications at the systems recovery
Reconstructing databases
Supplying necessary office goods, i.e., special forms, check stock, paper
Arranging and paying for employee relocation expenses at the recovery facility
Practice Question
6-8 In a business continuity plan, which of the
following notification directories is the MOST
important?
A. Equipment and supply vendors
B. Insurance company agents
C. Contract personnel services
D. A prioritized contact list
Practice Question
6-9 Which of the following components of a
business continuity plan is PRIMARILY the
responsibility of an organization's IS
department?
A. Developing the business continuity plan
B. Selecting and approving the strategy for the business
continuity plan
C. Declaring a disaster
D. Restoring the IS systems and data after a disaster.
Practice Question
6-10 In an audit of a business continuity plan
which of the following findings is of MOST
concern?
A. There is no insurance for the addition of assets during the
year.
B. The business continuity plan manual is not updated on a
regular basis.
C. Testing of the backup of data has not been done regularly.
D. Records for maintenance of the access system have not
been maintained.
A.
B.
C.
D.