Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 90

  1. When auditing a disaster recovery plan for a critical business area, an IS auditor finds that it does not cover all the systems. Which of the following is the MOST appropriate action for the IS auditor?

    • Alert management and evaluate the impact of not covering all systems.
    • Cancel the audit.
    • Complete the audit of the systems covered by the existing disaster recovery plan.
    • Postpone the audit until the systems are added to the disaster recovery plan.

    An IS auditor should make management aware that some systems are omitted from the disaster recovery plan. An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the disaster recovery plan. Cancelling the audit, ignoring the fact that some systems are not covered or postponing the audit are inappropriate actions to take.

  2. Which of the following should be of MOST concern to an IS auditor reviewing the BCP?

    • The disaster levels are based on scopes of damaged functions, but not on duration.
    • The difference between low-level disaster and software incidents is not clear.
    • The overall BCP is documented, but detailed recovery steps are not specified.
    • The responsibility for declaring a disaster is not identified.
    If nobody declares the disaster, the response and recovery plan would not be invoked, making all other concerns mute. Although failure to consider duration could be a problem, it is not as significant as scope, and neither is as critical as the need to have someone invoke the plan. The difference between incidents and low-level disasters is always unclear and frequently revolves around the amount of time required to correct the damage. The lack of detailed steps should be documented, but their absence does not mean a lack of recovery, if in fact someone has invoked the plan.
  3. Of the following alternatives, the FIRST approach to developing a disaster recovery strategy would be to assess whether:

    • all threats can be completely removed.
    • a cost-effective, built-in resilience can be implemented.
    • the recovery time objective can be optimized.
    • the cost of recovery can be minimized.
    It is critical to initially identify information assets that can be made more resilient to disasters, e.g., diverse routing, alternate paths or multiple communication carriers. It is impossible to remove all existing and future threats. The optimization of the recovery time objective and efforts to minimize the cost of recovery come later in the development of the disaster recovery strategy.
  4. An organization has a number of branches across a wide geographical area. To ensure that all aspects of the disaster recovery plan are evaluated in a cost effective manner, an IS auditor should recommend the use of a:

    • data recovery test.
    • full operational test.
    • posttest.
    • preparedness test.
    A preparedness test should be performed by each local office/area to test the adequacy of the preparedness of local operations in the event of a disaster. This test should be performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence of the plan’s adequacy. A data recovery test is a partial test and will not ensure that all aspects are evaluated. A full operational test is not the most cost effective test in light of the geographical dispersion of the branches, and a posttest is a phase of the test execution process.
  5. If the recovery time objective (RTO) increases:

    • the disaster tolerance increases.
    • the cost of recovery increases.
    • a cold site cannot be used.
    • the data backup frequency increases.
    The longer the recovery time objective (RTO), the higher disaster tolerance and the lower the recovery cost. It cannot be concluded that a cold site is inappropriate or that the frequency of data backup would increase.
  6. Due to changes in IT, the disaster recovery plan of a large organization has been changed. What is the PRIMARY risk if the new plan is not tested?

    • Catastrophic service interruption
    • High consumption of resources
    • Total cost of the recovery may not be minimized
    • Users and recovery teams may face severe difficulties when activating the plan
    Choices B, C and D are all possible problems that might occur, and would cause difficulties and financial losses or waste of resources. However, if a new disaster recovery plan is not tested, the possibility of a catastrophic service interruption is the most critical of all risks.
  7. When developing a disaster recovery plan, the criteria for determining the acceptable downtime should be the:

    • annualized loss expectancy (ALE).
    • service delivery objective.
    • quantity of orphan data.
    • maximum tolerable outage.
    The recovery time objective is determined based on the acceptable downtime in case of a disruption of operations, it indicates the maximum tolerable outage that an organization considers to be acceptable before a system or process must resume following a disaster. Choice A is incorrect, because the acceptable downtime would not be determined by the annualized loss expectancy (ALE). Choices B and C are relevant to business continuity, but they are not determined by acceptable downtime.
  8. A lower recovery time objective (RTO) results in:

    • higher disaster tolerance.
    • higher cost. 
    • wider interruption windows.
    • more permissive data loss.
    A recovery time objective (RTO) is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of recovery strategies. The lower the disaster tolerance, the narrower the interruption windows, and the lesser the permissive data loss.
  9. Regarding a disaster recovery plan, the role of an IS auditor should include:

    • identifying critical applications.
    • determining the external service providers involved in a recovery test.
    • observing the tests of the disaster recovery plan. determining the criteria for 
    • establishing a recovery time objective (RTO).
    The IS auditor should be present when disaster recovery plans are tested, to ensure that the test meets the targets for restoration, and the recovery procedures are effective and efficient. As appropriate, the auditor should provide a report of the test results. All other choices are a responsibility of management.
  10. During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site’s server is slow. To find the root cause of this, the IS auditor should FIRST review the:

    • event error log generated at the disaster recovery site.
    • disaster recovery test plan.
    • disaster recovery plan (DRP).
    • configurations and alignment of the primary and disaster recovery sites.
    Since the configuration of the system is the most probable cause, the IS auditor should review that first. If the issue cannot be clarified, the IS auditor should then review the event error log. The disaster recovery test plan and the disaster recovery plan (DRP) would not contain information about the system configuration.
  11. An organization has a recovery time objective (RTO) equal to zero and a recovery point objective (RPO) close to 1 minute for a critical system. This implies that the system can tolerate:

    • a data loss of up to 1 minute, but the processing must be continuous.
    • a 1-minute processing interruption but cannot tolerate any data loss.
    • a processing interruption of 1 minute or more.
    • both a data less and processing interruption longer than 1 minute.
    The recovery time objective (RTO) measures an organization’s tolerance for downtime and the recovery point objective (RPO) measures how much data loss can be accepted. Choices B, C and D are incorrect since they exceed the RTO limits set by the scenario.
  12. Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test?

    • Due to the limited test time window, only the most essential systems were tested. The other systems were tested separately during the rest of the year.
    • During the test it was noticed that some of the backup systems were defective or not working, causing the test of these systems to fail.
    • The procedures to shut down and secure the original production site before starting the backup site required far more time than planned.
    • Every year, the same employees perform the test. The recovery plan documents are not used since every step is well known by all participants.
    A disaster recovery test should test the plan, processes, people and IT systems. Therefore, if the plan is not used, its accuracy and adequacy cannot be verified. Disaster recovery should not rely on key staff since a disaster can occur when they are not available. It is common that not all systems can be tested in a limited test time frame. It is important, however, that those systems which are essential to the business are tested, and that the other systems are eventually tested throughout the year. One aim of the test is to identify and replace defective devices so that all systems can be replaced in the case of a disaster. Choice B would only be a concern if the number of discovered problems is systematically very high, in a real disaster, there is no need for a clean shutdown of the original production environment since the first priority is to bring the backup site up.
  13. The frequent updating of which of the following is key to the continued effectiveness of a disaster recovery plan (DRP)?

    • Contact information of key personnel
    • Server inventory documentation
    • individual roles and responsibilities
    • Procedures for declaring a disaster
    In the event of a disaster, it is important to have a current updated list of personnel who are key to the operation of the plan. Choices B, C and D would be more likely to remain stable overtime.
  14. A live test of a mutual agreement for IT system recovery has been carried out, including a four- hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the:

    • system and the IT operations team can sustain operations in the emergency environment.
    • resources and the environment could sustain the transaction load.
    • connectivity to the applications at the remote site meets response time requirements.
    • workflow of actual business operations can use the emergency system in case of a disaster.
    The applications have been intensively operated, therefore choices B, C and D have been actually tested, but the capability of the system and the IT operations team to sustain and support this environment (ancillary operations, batch closing, error corrections, output distribution, etc.) is only partially tested.
  15. To address an organization’s disaster recovery requirements, backup intervals should not exceed the:

    • service level objective (SLO).
    • recovery time objective (RTO).
    • recovery point objective (RPO).
    • maximum acceptable outage (MAO).
    The recovery point objective (RPO) defines the point in time to which data must be restored after a disaster so as to resume processing transactions. Backups should be performed in a way that the latest backup is no older than this maximum time frame. If service levels are not met, the usual consequences are penalty payments, not cessation of business. Organizations will try to set service level objectives (SLOs) so as to meet established targets. The resulting time for the service level agreement (SLA) will usually be longer than the RPO. The recovery time objective (RTO) defines the time period after the disaster in which normal business functionality needs to be restored. The maximum acceptable outage (MAO) is the maximum amount of system downtime that is tolerable. It can be used as a synonym for RTO. However, the RTO denotes an objective/target, while the MAO constitutes a vital necessity for an organization’s survival.
  16. After completing the business impact analysis (BIA), what is the next step in the business continuity planning process?

    • Test and maintain the plan.
    • Develop a specific plan.
    • Develop recovery strategies.
    • implement the plan.
    The next phase in the continuity plan development is to identify the various recovery strategies and select the most appropriate strategy for recovering from a disaster. After selecting a strategy, a specific plan can be developed, tested and implemented.
  17. Which of the following is an appropriate test method to apply to a business continuity plan (BCP)?

    • Pilot
    • Paper
    • Unit
    • System
    A paper test is appropriate for testing a BCP. it is a walkthrough of the entire plan, or part of the plan, involving major players in the plan’s execution, who reason out what may happen in a particular disaster. Choices A, C and D are not appropriate for a BCP.
  18. An IS auditor has audited a business continuity plan (BCP). Which of the following findings is the MOST critical?

    • Nonavailability of an alternate private branch exchange (PBX) system
    • Absence of a backup for the network backbone
    • Lack of backup systems for the users’ PCs
    • Failure of the access card system
    Failure of a network backbone will result in the failure of the complete network and impact the ability of all users to access information on the network. The nonavailability of an alternate PBX system will result in users not being able to make or receive telephone calls or faxes; however, users may have alternate means of communication, such as a mobile phone or e-mail. Lack of backup systems for user PCs will impact only the specific users, not all users. Failure of the access card system impacts the ability to maintain records of the users who are entering the specified work areas; however, this could be mitigated by manual monitoring controls.
  19. As part of the business continuity planning process, which of the following should be identified FIRST in the business impact analysis?

    • Organizational risks, such as single point-of-failure and infrastructure risk
    • Threats to critical business processes
    • Critical business processes for ascertaining the priority for recovery
    • Resources required for resumption of business
    The identification of the priority for recovering critical business processes should be addressed first. Organizational risks should be identified next, followed by the identification of threats to critical business processes. Identification of resources for business resumption will occur after the tasks mentioned.
  20. Which of the following activities should the business continuity manager perform FIRST after the replacement of hardware at the primary information processing facility?

    • verify compatibility with the hot site.
    • Review the implementation report.
    • Perform a walk-through of the disaster recovery plan.
    • Update the IS assets inventory.
    An IS assets inventory is the basic input for the business continuity/disaster recovery plan, and the plan must be updated to reflect changes in the IS infrastructure. The other choices are procedures required to update the disaster recovery plan after having updated the required assets inventory.