Free Access to ISACA.CISA.v2024-12-27.q999 with Valid Practice Test (Page 121)

Question 596

Which of the following term in business continuity determines the maximum tolerable amount of time needed to bring all critical systems back online after disaster occurs?

A.RPO
B.RTO
C.WRT
D.MTD

Correct Answer: B

Explanation/Reference:
The recovery time objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.
It can include the time for trying to fix the problem without a recovery, the recovery itself, testing, and the communication to the users. Decision time for users representative is not included.
The business continuity timeline usually runs parallel with an incident management timeline and may start at the same, or different, points.
In accepted business continuity planning methodology, the RTO is established during the Business Impact Analysis (BIA) by the owner of a process (usually in conjunction with the business continuity planner). The RTOs are then presented to senior management for acceptance.
The RTO attaches to the business process and not the resources required to support the process.
The RTO and the results of the BIA in its entirety provide the basis for identifying and analyzing viable strategies for inclusion in the business continuity plan. Viable strategy options would include any which would enable resumption of a business process in a time frame at or near the RTO. This would include alternate or manual workaround procedures and would not necessarily require computer systems to meet the RTOs.
For your exam you should know below information about RPO, RTO, WRT and MTD :
Stage 1: Business as usual
Business as usual

Image Reference - http://defaultreasoning.files.wordpress.com/2013/12/bcdr-01.png At this stage all systems are running production and working correctly.
Stage 2: Disaster occurs
Disaster Occurs

Image Reference - http://defaultreasoning.files.wordpress.com/2013/12/bcdr-02.png On a given point in time, disaster occurs and systems needs to be recovered. At this point the Recovery Point Objective (RPO) determines the maximum acceptable amount of data loss measured in time. For example, the maximum tolerable data loss is 15 minutes.
Stage 3: Recovery
Recovery

Image Reference - http://defaultreasoning.files.wordpress.com/2013/12/bcdr-03.png At this stage the system are recovered and back online but not ready for production yet. The Recovery Time Objective (RTO) determines the maximum tolerable amount of time needed to bring all critical systems back online. This covers, for example, restore data from back-up or fix of a failure. In most cases this part is carried out by system administrator, network administrator, storage administrator etc.
Stage 4: Resume Production
Resume Production

Image Reference - http://defaultreasoning.files.wordpress.com/2013/12/bcdr-04.png At this stage all systems are recovered, integrity of the system or data is verified and all critical systems can resume normal operations. The Work Recovery Time (WRT) determines the maximum tolerable amount of time that is needed to verify the system and/or data integrity. This could be, for example, checking the databases and logs, making sure the applications or services are running and are available.
In most cases those tasks are performed by application administrator, database administrator etc. When all systems affected by the disaster are verified and/or recovered, the environment is ready to resume the production again.
MTD

Image Reference - http://defaultreasoning.files.wordpress.com/2013/12/bcdr-05.png The sum of RTO and WRT is defined as the Maximum Tolerable Downtime (MTD) which defines the total amount of time that a business process can be disrupted without causing any unacceptable consequences. This value should be defined by the business management team or someone like CTO, CIO or IT manager.
The following answers are incorrect:
RPO - Recovery Point Objective (RPO) determines the maximum acceptable amount of data loss measured in time. For example, the maximum tolerable data loss is 15 minutes.
WRT - The Work Recovery Time (WRT) determines the maximum tolerable amount of time that is needed to verify the system and/or data integrity. This could be, for example, checking the databases and logs, making sure the applications or services are running and are available. In most cases those tasks are performed by application administrator, database administrator etc. When all systems affected by the disaster are verified and/or recovered, the environment is ready to resume the production again.
MTD - The sum of RTO and WRT is defined as the Maximum Tolerable Downtime (MTD) which defines the total amount of time that a business process can be disrupted without causing any unacceptable consequences. This value should be defined by the business management team or someone like CTO, CIO or IT manager.
The following reference(s) were/was used to create this question:
CISA review manual 2014 page number 284
http://en.wikipedia.org/wiki/Recovery_time_objective
http://defaultreasoning.com/2013/12/10/rpo-rto-wrt-mtdwth/

Question 597

Which of the following is the BEST recommendation for the establishment of an information security policy?

A.The policy should be developed by IS management
B.The development and approval should be overseen by business area management.
C.The policy should be developed by the security administrator.
D.The policy and guidelines should be developed by the human resources department.

Question 598

Which of the following testing method examines the functionality of an application without peering into its
internal structure or knowing the details of it's internals?

A.Black-box testing
B.Parallel Test
C.Regression Testing
D.Pilot Testing

Correct Answer: A

Section: Information System Acquisition, Development and Implementation
Explanation/Reference:
Black-box testing is a method of software testing that examines the functionality of an application (e.g. what
the software does) without peering into its internal structures or workings (see white-box testing). This
method of test can be applied to virtually every level of software testing: unit, integration, system and
acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as
well.
For your exam you should know the information below:
Alpha and Beta Testing - An alpha version is early version is an early version of the application system
submitted to the internal user for testing. The alpha version may not contain all the features planned for the
final version. Typically, software goes to two stages testing before it consider finished. The first stage is
called alpha testing is often performed only by the user within the organization developing the software. The
second stage is called beta testing, a form of user acceptance testing, generally involves a limited number
of external users. Beta testing is the last stage of testing, and normally involves real world exposure,
sending the beta version of the product to independent beta test sites or offering it free to interested user.
Pilot Testing -A preliminary test that focuses on specific and predefined aspect of a system. It is not meant
to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept
are early pilot tests - usually over interim platform and with only basic functionalities.
White box testing - Assess the effectiveness of a software program logic. Specifically, test data are used in
determining procedural accuracy or conditions of a program's specific logic path. However, testing all
possible logical path in large information system is not feasible and would be cost prohibitive, and therefore
is used on selective basis only.
Black Box Testing - An integrity based form of testing associated with testing components of an information
system's "functional" operating effectiveness without regards to any specific internal program structure.
Applicable to integration and user acceptance testing.
Function/validation testing - It is similar to system testing but it is often used to test the functionality of the
system against the detailed requirements to ensure that the software that has been built is traceable to
customer requirements.
Regression Testing -The process of rerunning a portion of a test scenario or test plan to ensure that
changes or corrections have not introduced new errors. The data used in regression testing should be
same as original data.
Parallel Testing - This is the process of feeding test data into two systems - the modified system and an
alternative system and comparing the result.
Sociability Testing -The purpose of these tests is to confirm that new or modified system can operate in its
target environment without adversely impacting existing system. This should cover not only platform that
will perform primary application processing and interface with other system but, in a client server and web
development, changes to the desktop environment. Multiple application may run on the user's desktop,
potentially simultaneously, so it is important to test the impact of installing new dynamic link libraries
(DLLs), making operating system registry or configuration file modification, and possibly extra memory
utilization.
The following answers are incorrect:
Parallel Testing - This is the process of feeding test data into two systems - the modified system and an
alternative system and comparing the result.
Regression Testing -The process of rerunning a portion of a test scenario or test plan to ensure that
changes or corrections have not introduced new errors. The data used in regression testing should be
same as original data.
Pilot Testing -A preliminary test that focuses on specific and predefined aspect of a system. It is not meant
to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept
are early pilot tests - usually over interim platform and with only basic functionalities
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 167
Official ISC2 guide to CISSP CBK 3rd Edition Page number 176

Question 599

An organization's IS audit charter should specify the:

A.short- and long-term plans for IS audit engagements
B.objectives and scope of IS audit engagements.
C.detailed training plan for the IS audit staff.
D.role of the IS audit function.

Question 600

Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?

A.Utilize a network-based firewall.
B.Conduct regular user security awareness training.
C.Enforce a strong password policy meeting complexity requirements.
D.Perform domain name system (DNS) server security hardening.

Question 596

Question 597

Question 598

Question 599

Question 600

Download PDF File