- What is the first step that individuals responsible for the development of a business continuity plan should perform?
A. BCP team selection
B. Business organization analysis
C. Resource requirements analysis
D. Legal and regulatory assessment
Answer: B
The business organization analysis helps the initial planners select appropriate BCP team members and then guides the overall BCP process.
- Once the BCP team is selected, what should be the first item placed on the team’s agenda?
A. Business impact assessment
B. Business organization analysis
C. Resource requirements analysis
D. Legal and regulatory assessment
Answer: B
The first task of the BCP team should be the review and validation of the business organization analysis initially performed by those individuals responsible for spearheading the BCP effort. This ensures that the initial effort, undertaken by a small group of individuals, reflects the beliefs of the entire BCP team.
- What is the term used to describe the responsibility of a firm’s officers and directors to ensure that adequate measures are in place to minimize the effect of a disaster on the organization’s continued viability?
A. Corporate responsibility
B. Disaster requirement
C. Due diligence
D. Going concern responsibility
Answer: C
A firm’s officers and directors are legally bound to exercise due diligence in conducting their activities. This concept creates a fiduciary responsibility on their part to ensure that adequate business continuity plans are in place.
- What will be the major resource consumed by the BCP process during the BCP phase?
A. Hardware
B. Software
C. Processing time
D. Personnel
Answer: D
During the planning phase, the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process itself. This represents a significant use of business resources and is another reason that buy-in from senior management is essential.
- What unit of measurement should be used to assign quantitative values to assets in the priority identification phase of the business impact assessment?
A. Monetary
B. Utility
C. Importance
D. Time
Answer: A
The quantitative portion of the priority identification should assign asset values in monetary units.
- Which one of the following BIA terms identifies the amount of money a business expects to lose to a given risk each year?
A. ARO
B. SLE
C. ALE
D. EF
Answer: C
The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation.
- What BIA metric can be used to express the longest time a business function can be unavailable without causing irreparable harm to the organization?
A. SLE
B. EF
C. MTD
D. ARO
Answer: C
The maximum tolerable downtime (MTD) represents the longest period a business function can be unavailable before causing irreparable harm to the business. This figure is useful when determining the level of business continuity resources to assign to a particular function.
- You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building and 10 percent is attributed to the land itself. What is the single loss expectancy of your shipping facility to avalanches?
A. $3,000,000
B. $2,700,000
C. $270,000
D. $135,000
Answer: B
The SLE is the product of the AV and the EF. From the scenario, you know that the AV is $3,000,000 and the EF is 90 percent, based on that the same land can be used to rebuild the facility. This yields an SLE of $2,700,000.
- (8) You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building and 10 percent is attributed to the land itself.
Referring to the scenario in question 8, what is the annualized loss expectancy?
A. $3,000,000
B. $2,700,000
C. $270,000
D. $135,000
Answer: D
This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.05 (or 5 percent). From question 8, you know that the SLE is $2,700,000. This yields an SLE of $135,000.
- You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)?
A. $750,000
B. $1.5 million
C. $7.5 million
D. $15 million
Answer: A
This problem requires you to compute the ALE, which is the product of the SLE and ARO. From the scenario, you know that the ARO is 0.10 (or 10 percent). From the scenario presented, you know that the SLE is $7.5 million. This yields an SLE of $750,000.
- Which task of BCP bridges the gap between the business impact assessment and the continuity planning phases?
A. Resource prioritization
B. Likelihood assessment
C. Strategy development
D. Provisions and processes
Answer: C
The strategy development task bridges the gap between business impact assessment and continuity planning by analyzing the prioritized list of risks developed during the BIA and determining which risks will be addressed by the BCP.
- Which resource should you protect first when designing continuity plan provisions and processes?
A. Physical plant
B. Infrastructure
C. Financial
D. People
Answer: D
The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization’s employees!
- Which one of the following concerns is not suitable for quantitative measurement during the business impact assessment?
A. Loss of a plant
B. Damage to a vehicle
C. Negative publicity
D. Power outage
Answer: C
It is very difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through a qualitative analysis.
- Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario?
A. 0.01
B. $10,000,000
C. $100,000
D. 0.10
Answer: B
The single loss expectancy (SLE) is the amount of damage that would be caused by a single occurrence of the risk. In this case, the SLE is $10 million, the expected damage from one tornado. The fact that a tornado occurs only once every 100 years is not reflected in the SLE but would be reflected in the annualized loss expectancy (ALE).
- (14) Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years.
Referring to the scenario in question 14, what is the annualized loss expectancy?
A. 0.01
B. $10,000,000
C. $100,000
D. 0.10
Answer: C
The annualized loss expectancy (ALE) is computed by taking the product of the single loss expectancy (SLE), which was $10 million in this scenario, and the annualized rate of occurrence (ARO), which was 0.01 in this example. These figures yield an ALE of $100,000.
- In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?
A. Strategy development
B. Business impact assessment
C. Provisions and processes
D. Resource prioritization
Answer: C
In the provisions and processes phase, the BCP team actually designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase.
- What type of mitigation provision is utilized when redundant communications links are installed?
A. Hardening systems
B. Defining systems
C. Reducing systems
D. Alternative systems
Answer: D
This is an example of alternative systems. Redundant communications circuits provide backup links that may be used when the primary circuits are unavailable.
- What type of plan outlines the procedures to follow when a disaster interrupts the normal operations of a business?
A. Business continuity plan
B. Business impact assessment
C. Disaster recovery plan
D. Vulnerability assessment
Answer: C
Disaster recovery plans pick up where business continuity plans leave off. After a disaster strikes and the business is interrupted, the disaster recovery plan guides response teams in their efforts to quickly restore business operations to normal levels.
- What is the formula used to compute the single loss expectancy for a risk scenario?
A. SLE = AV × EF
B. SLE = RO × EF
C. SLE = AV × ARO
D. SLE = EF × ARO
Answer: A
The single loss expectancy (SLE) is computed as the product of the asset value (AV) and the exposure factor (EF). The other formulas displayed here do not accurately reflect this calculation.
- Of the individuals listed, who would provide the best endorsement for a business continuity plan’s statement of importance?
A. Vice president of business operations
B. Chief information officer
C. Chief executive officer
D. Business continuity manager
Answer: C
You should strive to have the highest-ranking person possible sign the BCP’s statement of importance. Of the choices given, the chief executive officer is the highest ranking.
