CBCP-002 Questions and Answers

The three components of a business continuity plan are emergency response, incident management, and disaster recovery. They are:

• Emergency response: This component involves the immediate actions taken to protect the life, health, and safety of people and the environment in the event of a disruption. Emergency response may include activating alarms, evacuating premises, contacting emergency services, or providing first aid.
• Incident management: This component involves the coordination and communication of the activities and resources required to manage and resolve a disruption. Incident management may include activating the business continuity team, declaring a disaster, assessing the impact, activating the recovery strategies, or communicating with stakeholders.
• Disaster recovery: This component involves the restoration and recovery of the IT systems, data, and infrastructure that support the critical functions and processes of the organization. Disaster recovery may include activating the backup systems, restoring the data, repairing or replacing the equipment, or testing the functionality. Verified References: https://www.ready.gov/business-continuity-plan https://www.csoonline.com/article/515730/business-continuity-and-disaster-recovery-planning-the-basics.html

 A plan walkthrough is a low-pressure exercise that uses presentation techniques including videos, slides and handouts, so that participants fully understand their plans1.

Bilateral continuity planning is the type of continuity planning that will enhance the functioning relationship with the organization’s key suppliers, creating stronger assurances of continuous supply of information, material product and services. Bilateral continuity planning is the process of developing and maintaining mutual agreements and arrangements between an organization and its key suppliers to ensure the continuity of their respective functions and processes in the event of a disruption. Bilateral continuity planning can help to reduce risks, costs, and dependencies, as well as to improve communication, coordination, and collaboration. Verified References: https://www.iso.org/publication/PUB100442.html https://phoenixnap.com/blog/what-is-business-continuity-management

Operational risk is the type of risk that is related to human error or achievement. Operational risk is the uncertainty or variability of the execution or outcome of an organization’s functions or processes. Operational risk can result from factors such as inadequate policies, procedures, systems, controls, skills, training, supervision, or compliance. Operational risk can affect an organization’s operational efficiency, quality, safety, security, reputation, or profitability. Verified References: https://www.investopedia.com/terms/o/operational_risk.asp https://www.thebci.org/training-qualifications/good-practice-guidelines.html

The four T’s of risk guidance produced by the Office of Government Commerce are transfer, tolerate, treat, and terminate. They are:

• Transfer: This strategy involves transferring or sharing some or all of the responsibility or impact of a risk to another party, such as an insurer, a supplier, or a partner.
• Tolerate: This strategy involves accepting or retaining a risk without taking any further action to reduce it, either because the risk level is acceptable or because the cost or effort of reducing it is not justified.
• Treat: This strategy involves taking steps to reduce the likelihood or impact of a risk to an acceptable level, such as implementing controls, mitigations, or contingency plans.
• Terminate: This strategy involves eliminating or avoiding a risk by discontinuing or changing the activity that causes it. Verified References: https://www.investopedia.com/terms/t/the-four-ts.asp https://www.thebci.org/training-qualifications/good-practice-guidelines.html

A formal “disaster” can only be declared by the firm owners or by the IT Department Manager. This is false because a formal “disaster” can be declared by any authorized person who has the responsibility and authority to activate the business continuity and disaster recovery plan. The authorized person may vary depending on the type, scope, and severity of the disaster, but it should be clearly defined in the plan who can declare a disaster and under what circumstances. The authorized person should also communicate the declaration of a disaster to all relevant stakeholders, such as employees, customers, suppliers, partners, regulators, media, or the public. Verified References: https://www.ready.gov/business-continuity-plan https://www.csoonline.com/article/515730/business-continuity-and-disaster-recovery-planning-the-basics.html

A publicly released BCP is a version of a business continuity plan that is intended for external audiences, such as customers, suppliers, partners, regulators, media, or the public. It should not contain sensitive or confidential information that may compromise the security or privacy of theorganization or its stakeholders. Therefore, it should not include process flows that detail how each function or process is performed; contact lists that reveal personal or organizational information; BIA results that show criticality ratings or recovery time objectives; or any other information that may expose vulnerabilities or risks. Verified References: https://www.ready.gov/business-continuity-plan https://drii.org/resources/professionalpractices/EN