Читаем CISSP Practice полностью

24. b. For some organizations, time becomes money. Increased system reliability improves the likelihood that all the information required is available at the electronic vault. If data can be retrieved immediately from the off-site storage, less is required in the computer center. It reduces retrieval time from hours to minutes. Because electronic vaulting eliminates tapes, which are a hindrance to automated operations, electronic vaulting supports automation.

25. Regarding contingency planning, information system backups require which of the following?

1. Both the primary storage site and alternative storage site do not need to be susceptible to the same hazards.

2. Both operational system and redundant secondary system do not need to be colocated in the same area.

3. Both primary storage site and alternative storage site do not need to have the same recovery time objectives.

4. Both operational system and redundant secondary system do not need to have the same recovery point objectives.

a. 1 and 2

b. 1, 2, and 3

c. 1, 2, and 4

d. 1, 2, 3, and 4

25. a. System backup information can be transferred to the alternative storage site, and the same backup can be maintained at a redundant secondary system, not colocated with the operational system. Both sites and both systems must have the same recovery time objectives (RTOs) and same recovery point objectives (RPOs). This arrangement can be activated without loss of information or disruption to the operation.

26. Disaster recovery strategies must consider or address which of the following?

1. Recovery time objective

2. Disruption impacts

3. Allowable outage times

4. Interdependent systems

a. I only

b. 1 and 2

c. 1, 2, and 3

d. 1, 2, 3, and 4

26. d. A disaster recovery strategy must be in place to recover and restore data and system operations within the recovery time objective (RTO) period. The strategies should address disruption impacts and allowable outage times identified in the business impact analysis (BIA). The chosen strategy must also be coordinated with the IT contingency plans of interdependent systems. Several alternatives should be considered when developing the strategy, including cost, allowable outage times, security, and integration into organization-level contingency plans.

27. The final consideration in the disaster recovery strategy must be which of the following?

a. Criticality of data and systems

b. Availability of data and systems

c. Final costs and benefits

d. Recovery time objective requirements

27. c. The final consideration in the disaster recovery strategy must be final costs and benefits; although, cost and benefit data is considered initially. No prudent manager or executive would want to spend ten dollars to obtain a one dollar benefit. When costs exceed benefits, some managers accept the risk and some do not. Note that it is a human tendency to understate costs and overstate benefits. Some examples of costs include loss of income from loss of sales, cost of not meeting legal and regulatory requirements, cost of not meeting contractual and financial obligations, and cost of loss of reputation. Some examples of benefits include assurance of continuity of business operations, ability to make sales and profits, providing gainful employment, and satisfying internal and external customers and other stakeholders.

The recovery strategy must meet criticality and availability of data and systems and recovery time objective (RTO) requirements while remaining within the cost and benefit guidelines.

28. Regarding BCP and DRP, which of the following does not prevent potential data loss?

a. Disk mirroring

b. Offsite storage of backup media

c. Redundant array of independent disk

d. Load balancing

28. b. Although offsite storage of backup media enables a computer system to be recovered, data added to or modified on the server since the previous backup could be lost during a disruption or disaster. To avoid this potential data loss, a backup strategy may need to be complemented by redundancy solutions, such as disk mirroring, redundant array of independent disk (RAID), and load balancing.

29. Which of the following is an example of a recovery time objective (RTO) for a payroll system identified in a business impact analysis (BIA) document?

a. Time and attendance reporting may require the use of a LAN server and other resources.

b. LAN disruption for 8 hours may create a delay in time sheet processing.