Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 88

  1. Which of the following backup techniques is the MOST appropriate when an organization requires extremely granular data restore points, as defined in the recovery point objective (RPO)?

    • Virtual tape libraries
    • Disk-based snapshots
    • Continuous data backup
    • Disk-to-tape backup

    Explanation:
    The recovery point objective (RPO) is based on the acceptable data loss in the case of a disruption. In this scenario the organization needs a short RPO. Virtual tape libraries, disk-based snapshots and disk-to-tape backup would require time to complete the backup, while continuous data backup happens online (in real time).

  2. What is the BEST backup strategy for a large database with data supporting online sales?

    • Weekly full backup with daily incremental backup
    • Daily full backup
    • Clustered servers
    • Mirrored hard disks

    Explanation:
    Weekly full backup with daily incremental backup is the best backup strategy; it ensures the ability to recover the database and yet reduces the daily backup time requirements. A full backup normally requires a couple of hours, and therefore it can be impractical to conduct a full backup every day. Clustered servers provide a redundant processing capability, but are not a backup. Mirrored hard disks will not help in case of disaster.

  3. During an audit, an IS auditor notes that an organization’s business continuity plan (BCP) does not adequately address information confidentiality during a recovery process. The IS auditor should recommend that the plan be modified to include:

    • the level of information security required when business recovery procedures are invoked.
    • information security roles and responsibilities in the crisis management structure.
    • information security resource requirements.
    • change management procedures for information security that could affect business continuity arrangements.

    Explanation:
    Business should consider whether information security levels required during recovery should be the same, lower or higher than when business is operating normally. In particular, any special rules for access to confidential data during a crisis need to be identified. The other choices do not directly address the information confidentiality issue.

  4. Which of the following is the GREATEST risk when storage growth in a critical file server is not managed properly?

    • Backup time would steadily increase
    • Backup operational cost would significantly increase
    • Storage operational cost would significantly increase
    • Server recovery work may not meet the recovery time objective (RTO)

    Explanation:
    In case of a crash, recovering a server with an extensive amount of data could require a significant amount of time. If the recovery cannot meet the recovery time objective (RTO), there will be a discrepancy with IT strategies. It is important to ensure that server restoration can meet the RTO. An incremental backup captures only the daily changes, so a steady increase in backup time is not always true. The backup and storage cost issues are not as significant as not meeting the RTO.

  5. Which of the following is the MOST important consideration when defining recovery point objectives (RPOs)?

    • Minimum operating requirements
    • Acceptable data loss
    • Mean time between failures
    • Acceptable time for recovery

    Explanation:
    Recovery time objectives (RTOs) are the acceptable time delay in availability of business operations, while recovery point objectives (RPOs) are the level of data loss/reworking an organization is willing to accept. Mean time between failures and minimum operating requirements help in defining recovery strategies.

  6. A structured walk-through test of a disaster recovery plan involves:

    • representatives from each of the functional areas coming together to go over the plan.
    • all employees who participate in the day-to-day operations coming together to practice executing the plan.
    • moving the systems to the alternate processing site and performing processing operations.
    • distributing copies of the plan to the various functional areas for review.

    Explanation:
    A structured walk-through test of a disaster recovery plan involves representatives from each of the functional areas coming together to review the plan to determine if the plan pertaining to their area is accurate and complete and can be implemented when required. Choice B is a simulation test to prepare and train the personnel who will be required to respond to disasters and disruptions. Choice C is a form of parallel testing to ensure that critical systems will perform satisfactorily in the alternate site. Choice D is a checklist test.

  7. In a contract with a hot, warm or cold site, contractual provisions should cover which of the following considerations?

    • Physical security measures
    • Total number of subscribers
    • Number of subscribers permitted to use a site at one time
    • References by other users

    Explanation:
    The contract should specify the number of subscribers permitted to use the site at any one time. Physical security measures are not a part of the contract, although they are an important consideration when choosing a third-party site. The total number of subscribers is not a consideration; what is important is whether the agreement limits the number of subscribers in a building or in a specific area. The references that other users can provide are a consideration taken before signing the contract; they are by no means part of the contractual provisions.

  8. Which of the following is the GREATEST concern when an organization’s backup facility is at a warm site?

    • Timely availability of hardware
    • Availability of heat, humidity and air conditioning equipment
    • Adequacy of electrical power connections
    • Effectiveness of the telecommunications network

    Explanation:
    A warm site has the basic infrastructure facilities implemented, such as power, air conditioning and networking, but is normally lacking computing equipment. Therefore, the availability of hardware becomes a primary concern.

  9. Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget?

    • A hot site maintained by the business
    • A commercial cold site
    • A reciprocal arrangement between its offices
    • A third-party hot site

    Explanation:
    For a business having many offices within a region, a reciprocal arrangement among its offices would be most appropriate. Each office could be designated as a recovery site for some other office. This would be the least expensive approach to providing an acceptable level of confidence. A hot site maintained by the business would be a costly solution but would provide a high degree of confidence. Multiple cold sites leased for the multiple offices would lead to a costly solution with a high degree of confidence. A third-party facility for recovery is provided by a traditional hot site. This would be a costly approach providing a high degree of confidence.

  10. The PRIMARY purpose of a business impact analysis (BIA) is to:

    • provide a plan for resuming operations after a disaster.
    • identify the events that could impact the continuity of an organization’s operations.
    • publicize the commitment of the organization to physical and logical security.
    • provide the framework for an effective disaster recovery plan.

    Explanation:
    A business impact analysis (BIA) is one of the key steps in the development of a business continuity plan (BCP). A BIA will identify the diverse events that could impact the continuity of the operations of an organization.

  11. After implementation of a disaster recovery plan, pre-disaster and post-disaster operational costs for an organization will:

    • decrease.
    • not change (remain the same).
    • increase.
    • increase or decrease depending upon the nature of the business.

    Explanation:
    There are costs associated with all activities and disaster recovery planning (DRP) is not an exception. Although there are costs associated with a disaster recovery plan, there are unknown costs that are incurred if a disaster recovery plan is not implemented.

  12. Which of the following is the MOST reasonable option for recovering a noncritical system?

    • Warm site
    • Mobile site
    • Hot site
    • Cold site

    Explanation:
    Generally, a cold site is contracted for a longer period at a lower cost. Since it requires more time to make a cold site operational, it is generally used for noncritical applications. A warm site is generally available at a medium cost, requires less time to become operational and is suitable for sensitive operations. A mobile site is a vehicle ready with all necessary computer equipment that can be moved to any cold or warm site depending upon the need. The need for a mobile site depends upon the scale of operations. A hot site is contracted for a shorter time period at a higher cost and is better suited for recovery of vital and critical applications.

  13. An organization’s disaster recovery plan should address early recovery of:

    • all information systems processes.
    • all financial processing applications.
    • only those applications designated by the IS manager.
    • processing in priority order, as defined by business management.

    Explanation:
    Business management should know which systems are critical and when they need to process well in advance of a disaster. It is management’s responsibility to develop and maintain the plan. Adequate time will not be available for this determination once the disaster occurs. IS and the information processing facility are service organizations that exist for the purpose of assisting the general user management in successfully performing their jobs.

  14. An advantage of the use of hot sites as a backup alternative is that:

    • the costs associated with hot sites are low.
    • hot sites can be used for an extended amount of time.
    • hot sites can be made ready for operation within a short period of time.
    • they do not require that equipment and systems software be compatible with the primary site.

    Explanation:
    Hot sites can be made ready for operation normally within hours. However, the use of hot sites is expensive, should not be considered as a long-term solution, and requires that equipment and systems software be compatible with the primary installation being backed up.

  15. Which of the following is a practice that should be incorporated into the plan for testing disaster recovery procedures?

    • Invite client participation.
    • Involve all technical staff.
    • Rotate recovery managers.
    • Install locally-stored backup.

    Explanation:
    Recovery managers should be rotated to ensure the experience of the recovery plan is spread among the managers. Clients may be involved but not necessarily in every case. Not all technical staff should be involved in each test. Remote or offsite backup should always be used.

  16. Disaster recovery planning (DRP) addresses the:

    • technological aspect of business continuity planning.
    • operational piece of business continuity planning.
    • functional aspect of business continuity planning.
    • overall coordination of business continuity planning.

    Explanation:
    Disaster recovery planning (DRP) is the technological aspect of business continuity planning. Business resumption planning addresses the operational part of business continuity planning.

  17. An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following:

    - The existing disaster recovery plan was compiled two years earlier by a systems analyst in the organization’s IT department using transaction flow projections from the operations department.
    - The plan was presented to the deputy CEO for approval and formal issue, but it is still awaiting their attention.
    - The plan has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for its area in the event of a disruptive incident.

    The IS auditor’s report should recommend that:

    • the deputy CEO be censured for their failure to approve the plan.
    • a board of senior managers is set up to review the existing plan.
    • the existing plan is approved and circulated to all key management and staff.
    • a manager coordinates the creation of a new or revised plan within a defined time limit.

    Explanation:
    The primary concern is to establish a workable disaster recovery plan, which reflects current processing volumes to protect the organization from any disruptive incident. Censuring the deputy CEO will not achieve this and is generally not within the scope of an IS auditor to recommend. Establishing a board to review the plan, which is two years out of date, may achieve an updated plan, but is not likely to be a speedy operation, and issuing the existing plan would be folly without first ensuring that it is workable. The best way to achieve a disaster recovery plan in a short time is to make an experienced manager responsible for coordinating the knowledge of other managers into a single, formal document within a defined time limit.

  18. An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following:

    - The existing disaster recovery plan was compiled two years earlier by a systems analyst in the organization’s IT department using transaction flow projections from the operations department.
    - The plan was presented to the deputy CEO for approval and formal issue, but it is still awaiting his/her attention.
    - The plan has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for its area in the event of a disruptive incident.

    The basis of an organization’s disaster recovery plan is to reestablish live processing at an alternative site where a similar, but not identical, hardware configuration is already established. An IS auditor should:

    • take no action as the lack of a current plan is the only significant finding.
    • recommend that the hardware configuration at each site is identical.
    • perform a review to verify that the second configuration can support live processing.
    • report that the financial expenditure on the alternative site is wasted without an effective plan.

    Explanation:
    An IS auditor does not have a finding unless it can be shown that the alternative hardware cannot support the live processing system. Even though the primary finding is the lack of a proven and communicated disaster recovery plan, it is essential that this aspect of recovery is included in the audit. If it is found to be inadequate, the finding will materially support the overall audit opinion. It is certainly not appropriate to take no action at all, leaving this important factor untested. Unless it is shown that the alternative site is inadequate, there can be no comment on the expenditure, even if this is considered a proper comment for the IS auditor to make. Similarly, there is no need for the configurations to be identical. The alternative site could actually exceed the recovery requirements if it is also used for other work, such as other processing or systems development and testing. The only proper course of action at this point would be to find out if the recovery site can actually cope with a recovery.

  19. Disaster recovery planning (DRP) for a company’s computer system usually focuses on:

    • operations turnover procedures.
    • strategic long-range planning.
    • the probability that a disaster will occur.
    • alternative procedures to process transactions.

    Explanation:
    It is important that disaster recovery identifies alternative processes that can be put in place while the system is not available.

  20. The MAIN purpose for periodically testing offsite facilities is to:

    • protect the integrity of the data in the database.
    • eliminate the need to develop detailed contingency plans.
    • ensure the continued compatibility of the contingency facilities.
    • ensure that program and system documentation remains current.

    Explanation:
    The main purpose of offsite hardware testing is to ensure the continued compatibility of the contingency facilities. Specific software tools are available to protect the ongoing integrity of the database. Contingency plans should not be eliminated and program and system documentation should be reviewed continuously for currency.