CBCP-002 Questions and Answers

A disaster lasting longer than seventy-two (72) hours requires implementation of a business continuity and disaster recovery plan. A business continuity and disaster recovery plan is a comprehensive document that outlines how an organization will respond to and recover from adisaster that disrupts its normal operations. It covers both the IT aspects (disaster recovery) and the business aspects (business continuity) of restoring the critical functions and processes within an acceptable time frame. A disaster lasting longer than seventy-two (72) hours is likely to have significant impacts on the organization’s performance, reputation, assets, and stakeholders, and therefore requires a coordinated and structured approach to ensure its survival and resilience. Verified References: https://www.ready.gov/business-continuity-plan https://www.csoonline.com/article/515730/business-continuity-and-disaster-recovery-planning-the-basics.html

Threats can be considered any events or situations that can cause harm or disruption to an organization’s functions or processes. Threats can be natural, human-made, or technological in origin. Some examples of threats are water (such as floods, leaks, or spills), technology failure (such as system crashes, cyberattacks, or power outages), and fire (such as arson, accidents, or explosions). Verified References: https://www.iso.org/publication/PUB100442.html https://phoenixnap.com/blog/what-is-business-continuity-management

Damage assessment is the process of evaluating the extent and severity of the damage caused by a disruption to an organization’s facilities, equipment, systems, data, records, or personnel. It includes identifying the affected business functions and processes, estimating the time it will take to restore them to normal or acceptable levels of operation, and evaluating whether the recovery time exceeds the maximum tolerable downtime (MTD) for each function or process. If so, a disaster should be declared and the business continuity plan should be activated. Having the insurance company declare the total extent of the damages is not part of the damage assessment process, as it may take longer than the MTD and may not reflect the operational impact of the damage. Verified References: https://www.fema.gov/pdf/emergency/nims/Damage_Assessment.pdf https://drii.org/resources/professionalpractices/EN

Risk control is the control mechanism that is the process by which an organization reduces the likelihood of a risk event occurring or mitigates the effects should it occur. Risk control is the process of implementing measures or actions to modify or influence the risk level of an organization. Risk control can involve various strategies, such as avoidance, reduction, transfer, sharing, retention, or acceptance. Risk control can help to improve the organization’s resilience and performance. Verified References: https://www.investopedia.com/terms/r/risk-control.asp https://www.thebci.org/training-qualifications/good-practice-guidelines.html

The four T’s of risk guidance produced by the Office of Government Commerce are transfer, tolerate, treat, and terminate. They are:

Transfer: This strategy involves transferring or sharing some or all of the responsibility or impact of a risk to another party, such as an insurer, a supplier, or a partner.

Tolerate: This strategy involves accepting or retaining a risk without taking any further action to reduce it, either because the risk level is acceptable or because the cost or effort of reducing it is not justified.

Treat: This strategy involves taking steps to reduce the likelihood or impact of a risk to an acceptable level, such as implementing controls, mitigations, or contingency plans.

Terminate: This strategy involves eliminating or avoiding a risk by discontinuing or changing the activity that causes it. Verified References:https://www.investopedia.com/terms/t/the-four-ts.asp https://www.thebci.org/training-qualifications/good-practice-guidelines.html

In Business Continuity Planning (BCP), confidentiality and security of sensitive information are critical considerations when releasing details publicly. According to standard practices outlined in Business Continuity Professional guidelines, such as those from the Disaster Recovery Institute International (DRI) and ISO 22301, certain elements of a BCP should remain confidential to protect the organization and its stakeholders.

Process flows: These describe how critical processes are maintained or recovered during a disruption. While detailed process flows may be sensitive internally, a high-level overview can often be shared publicly to demonstrate preparedness without compromising operational security. Thus, they are not inherently prohibited from public release.

Contact lists: These contain personal and operational details such as names, phone numbers, and roles of key personnel involved in the BCP. Releasing contact lists publicly poses significant risks, including privacy violations, potential targeting by malicious actors, and operational vulnerabilities. Best practices dictate that contact lists should remain confidential and restricted to authorized personnel only.

BIA results: The Business Impact Analysis (BIA) identifies critical functions, recovery time objectives (RTOs), and potential impacts of disruptions. While detailed BIA results are sensitive, summary-level findings (e.g., critical processes identified without specific vulnerabilities) can sometimes be shared to show due diligence. However, this is not strictly prohibited in public releases if anonymized or generalized.

All of the above: Since process flows and BIA results can be released in a controlled, summarized form, this option is incorrect. The key element that should unequivocally not be released is the contact list due to its sensitive nature.

Therefore, the correct answer isB. Contact lists, as it aligns with the principle of protecting sensitive personal and operational data in public disclosures.

References:

DRI International Professional Practices for Business Continuity Management (2023), Section 6: Business Continuity Plan Development – Emphasizes safeguarding sensitive data like contact details.

ISO 22301:2019, Clause 8.4 – Highlights confidentiality in BCP documentation and communication.

In pre-crisis management, CM activities are focused on prevention and preparedness activities. This is true because pre-crisis management is the phase before a crisis occurs, where the organization tries to anticipate and avoid potential crises or reduce their likelihood and impact. Pre-crisis management involves activities such as risk assessment, business impact analysis,business continuity planning, contingency planning, crisis communication planning, training and awareness, testing and exercising, monitoring and reviewing. Verified References: https://www.cisco.com/c/en/us/solutions/hybrid-work/what-is-business-continuity.html https://phoenixnap.com/blog/what-is-business-continuity-management