What is the first step that individuals responsible for the development of a business continuity plan should perform? (Chapter 3)

Terms in this set (61)

B. The business organization analysis helps the initial planners select appropriate BCP team members and then guides the overall BCP process.

What is the first step that individuals responsible for the development of a business continuity plan should perform?

A. BCP team selection
B. Business organization analysis
C. Resource requirements analysis
D. Legal and regulatory assessment

B. The first task of the BCP team should be the review and validation of the business organization analysis initially performed by those individuals responsible for spearheading the BCP effort. This ensures that the initial effort, undertaken by a small group of individuals, reflects the beliefs of the entire BCP team.

Once the BCP team is selected, what should be the first item placed on the team's agenda?

A. Business impact assessment
B. Business organization analysis
C. Resource requirements analysis
D. Legal and regulatory assessment

C. A firm's officers and directors are legally bound to exercise due diligence in conducting their activities. This concept creates a fiduciary responsibility on their part to ensure that adequate business continuity plans are in place.

What is the term used to describe the responsibility of a firm's officers and directors to ensure that adequate measures are in place to minimize the effect of a disaster on the organization's continued viability?

A. Corporate responsibility
B. Disaster requirement
C. Due diligence
D. Going concern responsibility

D. During the planning phase, the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process. This represents a significant use of business resources and is another reason that buy-in from senior management is essential.

What will be the major resource consumed by the BCP process during the BCP phase?

A. Hardware
B. Software
C. Processing time
D. Personnel

A. The quantitative portion of the priority identification should assign asset values in monetary units.

What unit of measurement should be used to assign quantitative values to assets in the priority identification phase of the business impact assessment?

A. Monetary
B. Utility
C. Importance
D. Time

C. The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation.

Which one of the following BIA terms identifies the amount of money a business expects to lose to a given risk each year?

A. ARO
B. SLE
C. ALE
D. EF

C. The maximum tolerable downtime (MTD) represents the longest period a business function can be unavailable before causing irreparable harm to the business. This figure is useful when determining the level of business continuity resources to assign to a particular function.

What BIA metric can be used to express the longest time a business function can be unavailable without causing irreparable harm to the organization?

A. SLE
B. EF
C. MTD
D. ARO

B. The SLE is the product of the AV and the EF. From the scenario, you know that the AV is $3,000,000 and the EF is 90 percent, based on the fact that the same land can be used to rebuild the facility. This yields an SLE of $2,700,000.

You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy of your shipping facility to avalanches?

A. $3,000,000
B. $2,700,000
C. $270,000
D. $135,000

D. This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.05 (or 5 percent). From question 8, you know that the SLE is $2,700,000. This yields an ALE of $135,000.

Referring to the scenario in question 8, what is the annualized loss expectancy?

A. $3,000,000
B. $2,700,000
C. $270,000
D. $135,000

A. This problem requires you to compute the ALE, which is the product of the SLE and ARO. From the scenario, you know that the ARO is 0.10 (or 10 percent). From the scenario presented, you know that the SLE is $7.5 million. This yields an ALE of $750,000.

You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)?

A. $750,000
B. $1.5 million
C. $7.5 million
D. $15 million

C. The strategy development task bridges the gap between business impact assessment and continuity planning by analyzing the prioritized list of risks developed during the BIA and determining which risks will be addressed by the BCP.

Which task of BCP bridges the gap between the business impact assessment and the continuity planning phases?

A. Resource prioritization
B. Likelihood assessment
C. Strategy development
D. Provisions and processes

D. The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization's employees!

Which resource should you protect first when designing continuity plan provisions and processes?

A. Physical plant
B. Infrastructure
C. Financial resources
D. People

C. It is difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through a qualitative analysis.

Which one of the following concerns is not suitable for quantitative measurement during the business impact assessment?

A. Loss of a plant
B. Damage to a vehicle
C. Negative publicity
D. Power outage

B. The single loss expectancy (SLE) is the amount of damage that would be caused by a single occurrence of the risk. In this case, the SLE is $10 million, the expected damage from one tornado. The fact that a tornado occurs only once every 100 years is not reflected in the SLE but would be reflected in the annualized loss expectancy (ALE).

Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario?

A. 0.01
B. $10,000,000
C. $100,000
D. 0.10

C. The annualized loss expectancy (ALE) is computed by taking the product of the single loss expectancy (SLE), which was $10 million in this scenario, and the annualized rate of occurrence (ARO), which was 0.01 in this example. These figures yield an ALE of $100,000.

Referring to the scenario in question 14, what is the annualized loss expectancy?

A. 0.01
B. $10,000,000
C. $100,000
D. 0.10

C. In the provisions and processes phase, the BCP team actually designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase.

In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?

A. Strategy development
B. Business impact assessment
C. Provisions and processes
D. Resource prioritization

D. This is an example of alternative systems. Redundant communications circuits provide backup links that may be used when the primary circuits are unavailable.

What type of mitigation provision is utilized when redundant communications links are installed?

A. Hardening systems
B. Defining systems
C. Reducing systems
D. Alternative systems

C. Disaster recovery plans pick up where business continuity plans leave off. After a disaster strikes and the business is interrupted, the disaster recovery plan guides response teams in their efforts to quickly restore business operations to normal levels.

What type of plan addresses the technical controls associated with alternate processing facilities, backups, and fault tolerance?

A. Business continuity plan
B. Business impact assessment
C. Disaster recovery plan
D. Vulnerability assessment

A. The single loss expectancy (SLE) is computed as the product of the asset value (AV) and the exposure factor (EF). The other formulas displayed here do not accurately reflect this calculation.

What is the formula used to compute the single loss expectancy for a risk scenario?

A. SLE = AV × EF
B. SLE = RO × EF
C. SLE = AV × ARO
D. SLE = EF × ARO

C. You should strive to have the highest-ranking person possible sign the BCP's statement of importance. Of the choices given, the chief executive officer is the highest ranking.

Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance?

A. Vice president of business operations
B. Chief information officer
C. Chief executive officer
D. Business continuity manager

Business Continuity Planning

These activities are typically strategically focused at a high level and center themselves on business processes and operations.

Disaster Recovery Plan

These tend to be more tactical in nature and describe technical activities such as recovery sites, backups, and fault tolerance.

1. Project scope and planning
2. Business impact assessment
3. Continuity planning
4. Approval and implementation

The four main elements to the Business Continuity Planning Process:

people

The top priority of BCP and DRP is always _________.

analysis

One of the first responsibilities of the individuals responsible for business continuity planning is to perform a(n) ___________ of the business organization to identify all departments and individuals who have a stake in the BCP process.

1. BCP Development
2. BCP Testing, Training, and Maintenance
3. BCP Implementation

The three distinct BCP phases:

Business Impact Analysis (BIA)

This identifies the resources that are critical to an organization's ongoing viability and the threats posed to those resources. It also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business.

Quantitative

This type of decision-making involves the use of numbers and formulas to reach a decision. This type of data often expresses options in terms of the dollar value to the business.

Qualitative

This type of decision-making takes non-numerical factors, such as reputation, investor/customer confidence, workforce stability, and other concerns, into account. This type of data often results in categories of prioritization (such as high, medium, and low).

Priority Identification Task or Criticality Prioritization

This involves creating a comprehensive list of business processes and ranking them in order of importance. Although this task may seem somewhat daunting, it's not as hard as it seems.

Identifying business priorities

What is the first BIA task facing the BCP Team?

Maximum Tolerable Downtime (MTD)
or
Maximum Tolerable Outage (MTO)

The second quantitative measure that the team must develop is what?

Maximum Tolerable Downtime (MTD)

This is the maximum length of time a business function can be inoperable without causing irreparable harm to the business. It provides valuable information when you're performing both BCP and DRP planning.

Recovery Time Objective (RTO)

This is the amount of time in which you think you can feasibly recover the function in the event of a disruption.

Risk Identification

Third phase of the BIA is what?

Natural Risks
Man-made Risks

What are the two forms of risk?

Qualitative

Is the risk identification portion of the process quantitative or qualitative in nature?

likelihood

The fourth phase of the BIA process.

Annualized Rate of Occurrence (ARO)

This reflects the number of times a business expects to experience a given disaster each year.

Exposure Factor (EF)

This is the amount of damage that the risk poses to the asset, expressed as a percentage of the asset's value.

Single Loss Expectancy (SLE)

This is the monetary loss that is expected each time the risk materializes.

SLE = AV (Asset Value) x EF (Exposure Factor)

What is the formula for Single Loss Expectancy (SLE)?

Annualized Loss Expectancy (ALE)

This is the monetary loss that the business expects to occur as a result of the risk harming the asset over the course of a year.

ALE = SLE x ARO

What is the formula for Annualized Loss Expectancy (ALE)?

Prioritize the allocation of business continuity resources

The final phase of the BIA is what?

Continuity Planning

This phase of the BCP focuses on developing and implementing a continuity strategy to minimize the impact realized risks might have on protected assets.

1. Strategy Development
2. Provisions and Processes
3. Plan Approval
4. Plan Implementation
5. Training and Education

What are the five sub-tasks involved in continuity planning?

Strategy Development

This phase bridges the gap between the business impact assessment and the continuity planning phases of BCP development.

Provisions and Processes

In this task, the BCP team designs the specific procedures and mechanisms that will mitigate the risks deemed unacceptable during the strategy development stage.

1. People
2. Buildings/Facilities
3. Infrastructure

What are the three categories of assets that must be protected through BCP provisions and processes?

Senior Management Endorsement

What's the next step of the BCP process after completing the design phase?

Statement of Importance

This document reflects the criticality of the BCP to the organization's continued viability. This document commonly takes the form of a letter to the organization's employees stating the reason that the organization devoted significant resources to the BCP development process and requesting the cooperation of all personnel in the BCP implementation phase.

Continuity Planning Goals

This plan should describe the goals of continuity planning as set forth by the BCP team and senior management. These goals should be decided on at or before the first BCP team meeting and will most likely remain unchanged throughout the life of the BCP.

Statement of Priorities

This flows directly from the identify priorities phase of the business impact assessment. It simply involves listing the functions considered critical to continued business operations in a prioritized order.

Statement of Organizational Responsibility

This also comes from a senior-level executive and can be incorporated into the same letter as the statement of importance. It basically echoes the sentiment that "business continuity is everyone's responsibility!" This restates the organization's commitment to business continuity planning and informs employees, vendors, and affiliates that they are individually expected to do everything they can to assist with the BCP process.

Statement of Urgency and Timing

This expresses the criticality of implementing the BCP and outlines the implementation timetable decided on by the BCP team and agreed to by upper management.

Risk Assessment

This portion of the BCP documentation essentially recaps the decision-making process undertaken during the business impact assessment. It should include a discussion of all the risks considered during the BIA as well as the quantitative and qualitative analyses performed to assess these risks.

Risk Acceptance/Mitigation

This section of the BCP documentation contains the outcome of the strategy development portion of the BCP process. It should cover each risk identified in the risk analysis portion of the document and outline one of two thought processes.

Vital Records Program

This document states where critical business records will be stored and the procedures for making and storing backup copies of those records.

Emergency-Response Guidelines

This outlines the organizational and individual responsibilities for immediate response to an emergency situation. This document provides the first employees to detect an emergency with the steps they should take to activate provisions of the BCP that do not automatically activate.

True

T or F: It is a good practice to include BCP components in job descriptions to ensure the BCP remains fresh and is performed correctly.


What is the first step that individuals responsible for the development of a business continuity plan should perform?

1. Business Impact Analysis (BIA): The first step to building your company's BCP is to consider the potential impact of each type of disaster or risk event that your company may face.

What is the first step in business continuity quizlet?

The first task of the BCP team should be the review and validation of the business organization analysis initially performed by those individuals responsible for spearheading the BCP effort. This ensures that the initial effort, undertaken by a small group of individuals, reflects the beliefs of the entire BCP team.

What is the first step of BCP implementation?

Step 1: Assemble a Business Continuity Management Team. A good BCP should detail what your staff needs to do in the event of a disaster, what communication methods are required, and the timeframe in which critical IT services need to be available.

What is the first phase of a BCP?

Phase 1: Identify the risks. The first phase is to conduct a risk assessment, identifying any potential hazards that could disrupt your business. Consider any type of risk your team can imagine, including natural threats, human threats and technical threats.