Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 91

  1. Which of the following would contribute MOST to an effective business continuity plan (BCP)?

    • Document is circulated to all interested parties
    • Planning involves all user departments
    • Approval by senior management
    • Audit by an external IS auditor

    Explanation: 
    The involvement of user departments in the BCP is crucial for the identification of the business processing priorities. The BCP circulation will ensure that the BCP document is received by all users. Though essential, this does not contribute significantly to the success of the BCP. A BCP approved by senior management would not ensure the quality of the BCP, nor would an audit necessarily improve the quality of the BCP.

  2. To develop a successful business continuity plan, end user involvement is critical during which of the following phases?

    • Business recovery strategy
    • Detailed plan development
    • Business impact analysis (BIA)
    • Testing and maintenance

    Explanation:
    End user involvement is critical in the BIA phase. During this phase the current operations of the business need to be understood and the impact on the business of various disasters must be evaluated. End users are the appropriate persons to provide relevant information for these tasks; inadequate end user involvement in this stage could result in an inadequate understanding of business priorities and the plan not meeting the requirements of the organization.

  3. Which of the following would an IS auditor consider to be the MOST important to review when conducting a business continuity audit?

    • A hot site contracted and available as needed.
    • A business continuity manual is available and current.
    • Insurance coverage is adequate and premiums are current.
    • Media backups are performed on a timely basis and stored offsite.

    Explanation:
    Without data to process, all other components of the recovery effort are in vain. Even in the absence of a plan, recovery efforts of any type would not be practical without data to process.

  4. The PRIMARY objective of business continuity and disaster recovery plans should be to:

    • safeguard critical IS assets.
    • provide for continuity of operations.
    • minimize the loss to an organization.
    • protect human life.

    Explanation:
    Since human life is invaluable, the main priority of any business continuity and disaster recovery plan should be to protect people. All other priorities are important but are secondary objectives of a business continuity and disaster recovery plan.

  5. After a full operational contingency test, an IS auditor performs a review of the recovery steps. The auditor concludes that the time it took for the technological environment and systems to return to full functioning exceeded the required critical recovery time. Which of the following should the auditor recommend?

    • Perform an integral review of the recovery tasks.
    • Broaden the processing capacity to gain recovery time.
    • Make improvements in the facility’s circulation structure.
    • Increase the amount of human resources involved in the recovery.

    Explanation:
    Performing an exhaustive review of the recovery tasks would be appropriate to identify the way these tasks were performed, identify the time allocated to each of the steps required to accomplish recovery, and determine where adjustments can be made. Choices B, C and D could be actions after the described review has been completed.

  6. While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be:

    • shadow file processing.
    • electronic vaulting.
    • hard-disk mirroring.
    • hot-site provisioning.

    Explanation:
    In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files, such as airline booking systems. Electronic vaulting electronically transmits data either to direct access storage, an optical disc or another storage medium; this is a method used by banks. Hard-disk mirroring provides redundancy in case the primary hard disk fails. All transactions and operations occur on two hard disks in the same server. A hot site is an alternate site ready to take over business operations within a few hours of any business interruption and is not a method for backing up data.

  7. Depending on the complexity of an organization’s business continuity plan (BCP), the plan may be developed as a set of more than one plan to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that:

    • each plan is consistent with one another.
    • all plans are integrated into a single plan.
    • each plan is dependent on one another.
    • the sequence for implementation of all plans is defined.

    Explanation:
    Depending on the complexity of an organization, there could be more than one plan to address various aspects of business continuity and disaster recovery. These do not necessarily have to be integrated into one single plan. However, each plan has to be consistent with other plans to have a viable business continuity planning strategy. It may not be possible to define a sequence in which plans have to be implemented, as it may be dependent on the nature of disaster, criticality, recovery time, etc.

  8. During a business continuity audit, an IS auditor found that the business continuity plan (BCP) covers only critical processes. The IS auditor should:

    • recommend that the BCP cover all business processes.
    • assess the impact of the processes not covered.
    • report the findings to the IT manager.
    • redefine the critical processes.

    Explanation:
    The business impact analysis needs to be either updated or revisited to assess the risk of not covering all processes in the plan. It is possible that the cost of including all processes might exceed the value of those processes; therefore, they should not be covered. An IS auditor should substantiate this by analyzing the risk.

  9. An IS auditor noted that an organization had adequate business continuity plans (BCPs) for each individual process, but no comprehensive BCP. Which would be the BEST course of action for the IS auditor?

    • Recommend that an additional comprehensive BCP be developed.
    • Determine whether the BCPs are consistent.
    • Accept the BCPs as written.
    • Recommend the creation of a single BCP.

    Explanation:
    Depending on the complexity of the organization, there could be more than one plan to address various aspects of business continuity and disaster recovery. These do not necessarily have to be integrated into one single plan; however, each plan should be consistent with other plans to have a viable business continuity planning strategy.

  10. When developing a business continuity plan (BCP), which of the following tools should be used to gain an understanding of the organization’s business processes?

    • Business continuity self-audit
    • Resource recovery analysis
    • Risk assessment
    • Gap analysis

    Explanation:
    Risk assessment and business impact assessment are tools for understanding the business for business continuity planning. Business continuity self-audit is a tool for evaluating the adequacy of the BCP, resource recovery analysis is a tool for identifying a business resumption strategy, while the role gap analysis can play in business continuity planning is to identify deficiencies in a plan. None of these is used for gaining an understanding of the business.

  11. During an audit of a business continuity plan (BCP), an IS auditor found that, although all departments were housed in the same building, each department had a separate BCP. The IS auditor recommended that the BCPs be reconciled. Which of the following areas should be reconciled FIRST?

    • Evacuation plan
    • Recovery priorities
    • Backup storages
    • Call tree

    Explanation:
    Protecting human resources during a disaster-related event should be addressed first. Having separate BCPs could result in conflicting evacuation plans, thus jeopardizing the safety of staff and clients. Choices B, C and D may be unique to each department and could be addressed separately, but still should be reviewed for possible conflicts and/or the possibility of cost reduction, but only after the issue of human safety has been analyzed.

  12. Management considered two projections for its business continuity plan; plan A with two months to recover and plan B with eight months to recover. The recovery objectives are the same in both plans. It is reasonable to expect that plan B projected higher:

    • downtime costs.
    • resumption costs.
    • recovery costs.
    • walkthrough costs.

    Explanation:
    Since the recovery time is longer in plan B, resumption and recovery costs can be expected to be lower. Walkthrough costs are not a part of disaster recovery. Since the management considered a higher window for recovery in plan B, downtime costs included in the plan are likely to be higher.

  13. The optimum business continuity strategy for an entity is determined by the:

    • lowest downtime cost and highest recovery cost.
    • lowest sum of downtime cost and recovery cost.
    • lowest recovery cost and highest downtime cost.
    • average of the combined downtime and recovery cost.

    Explanation:
    Both costs have to be minimized, and the strategy for which the costs are lowest is the optimum strategy. The strategy with the highest recovery cost cannot be the optimum strategy. The strategy with the highest downtime cost cannot be the optimum strategy. The average of the combined downtime and recovery cost will be higher than the lowest combined cost of downtime and recovery.

  14. The PRIMARY objective of testing a business continuity plan is to:

    • familiarize employees with the business continuity plan.
    • ensure that all residual risks are addressed.
    • exercise all possible disaster scenarios.
    • identify limitations of the business continuity plan.

    Explanation:
    Testing the business continuity plan provides the best evidence of any limitations that may exist. Familiarizing employees with the business continuity plan is a secondary benefit of a test. It is not cost effective to address residual risks in a business continuity plan, and it is not practical to test all possible disaster scenarios.

  15. In determining the acceptable time period for the resumption of critical business processes:

    • only downtime costs need to be considered.
    • recovery operations should be analyzed.
    • both downtime costs and recovery costs need to be evaluated.
    • indirect downtime costs should be ignored.

    Explanation:
    Both downtime costs and recovery costs need to be evaluated in determining the acceptable time period before the resumption of critical business processes. The outcome of the business impact analysis (BIA) should be a recovery strategy that represents the optimal balance. Downtime costs cannot be looked at in isolation. The quicker information assets can be restored and business processing resumed, the smaller the downtime costs. However, the expenditure needed to have the redundant capability required to recover information resources might be prohibitive for nonessential business processes. Recovery operations do not determine the acceptable time period for the resumption of critical business processes, and indirect downtime costs should be considered in addition to the direct cash outflows incurred due to business disruption. The indirect costs of a serious disruption to normal business activity, e.g., loss of customer and supplier goodwill and loss of market share, may actually be more significant than direct costs over time, thus reaching the point where business viability is threatened.

  16. In the event of a disruption or disaster, which of the following technologies provides for continuous operations?

    • Load balancing
    • Fault-tolerant hardware
    • Distributed backups
    • High-availability computing

    Explanation:
    Fault-tolerant hardware is the only technology that currently supports continuous, uninterrupted service. Load balancing is used to improve the performance of the server by splitting the work between several servers based on workloads. High-availability (HA) computing facilities provide a quick but not continuous recovery, while distributed backups require longer recovery times.

  17. Which of the following would be MOST important for an IS auditor to verify when conducting a business continuity audit?

    • Data backups are performed on a timely basis
    • A recovery site is contracted for and available as needed
    • Human safety procedures are in place
    • Insurance coverage is adequate and premiums are current

    Explanation:
    The most important element in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan.

  18. Which of the following insurance types provides for a loss arising from fraudulent acts by employees?

    • Business interruption
    • Fidelity coverage
    • Errors and omissions
    • Extra expense

    Explanation:
    Fidelity insurance covers the loss arising from dishonest or fraudulent acts by employees. Business interruption insurance covers the loss of profit due to the disruption in the operations of an organization. Errors and omissions insurance provides legal liability protection in the event that the professional practitioner commits an act that results in financial loss to a client. Extra expense insurance is designed to cover the extra costs of continuing operations following a disaster/disruption within an organization.

  19. The BEST method for assessing the effectiveness of a business continuity plan is to review the:

    • plans and compare them to appropriate standards.
    • results from previous tests.
    • emergency procedures and employee training.
    • offsite storage and environmental controls.

    Explanation:
    Previous test results will provide evidence of the effectiveness of the business continuity plan. Comparisons to standards will give some assurance that the plan addresses the critical aspects of a business continuity plan but will not reveal anything about its effectiveness. Reviewing emergency procedures, offsite storage and environmental controls would provide insight into some aspects of the plan but would fall short of providing assurance of the plan’s overall effectiveness.

  20. With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the:

    • clarity and simplicity of the business continuity plans.
    • adequacy of the business continuity plans.
    • effectiveness of the business continuity plans.
    • ability of IS and end-user personnel to respond effectively in emergencies.

    Explanation:
    The IS auditor should interview key stakeholders to evaluate how well they understand their roles and responsibilities. When all stakeholders have a detailed understanding of their roles and responsibilities in the event of a disaster, an IS auditor can deem the business continuity plan to be clear and simple. To evaluate adequacy, the IS auditor should review the plans and compare them to appropriate standards. To evaluate effectiveness, the IS auditor should review the results from previous tests. This is the best determination for the evaluation of effectiveness. An understanding of roles and responsibilities by key stakeholders will assist in ensuring the business continuity plan is effective. To evaluate the response, the IS auditor should review results of continuity tests. This will provide the IS auditor with assurance that target and recovery times are met. Emergency procedures and employee training need to be reviewed to determine whether the organization had implemented plans to allow for the effective response.