ISC2 CISSP Exam: Business Impact Analysis (BIA) Questions
26 Questions

Questions and Answers

All of the following should be included in a Business Impact Analysis (BIA) questionnaire EXCEPT questions that:

  • Determine the risk of a business interruption occurring (correct)
  • Determine the technological dependence of the business processes
  • Identify the financial impacts of a business interruption
  • Identify the operational impacts of a business interruption

  (The BIA records dependencies and the impact of an outage; the likelihood of an interruption is the job of the risk assessment.)

What action will reduce risk to a laptop before traveling to a high-risk area?

  • Purge or re-image the hard disk drive (correct)
  • Implement more stringent baseline configurations
  • Change access codes
  • Examine the device for physical tampering

  (Data that is not on the device cannot be seized; examining for tampering and changing credentials are what you do after the trip.)

Which represents the GREATEST risk to data confidentiality?

  • Security awareness training is not completed
  • Network redundancies are not implemented
  • Backup tapes are generated unencrypted (correct)
  • Users have administrative privileges
What is the MOST important consideration from a data security perspective when an organization plans to relocate?

  Answer: Implement encryption for all data during relocation

What should an organization do to protect personnel before relocating?

  Answer: Implement fire prevention and detection systems at the new location

What is the recommended action to reduce risk to a laptop from physical tampering?

  Answer: Use full-disk encryption. This limits what an attacker gains from a tampered or stolen device; it does not by itself detect tampering, so the device should still be inspected after it has been out of your control.

In preparing a companywide Business Continuity Plan (BCP) for an IT company delivering services from a Tier 4 data center, which failure should the IT manager be concerned with?

  Answer: Application. A Tier 4 facility is built to be fault tolerant for power, cooling and connectivity, so the application layer is what remains unprotected by the facility itself.

When assessing an organization's security policy according to ISO 27001 and 27002 standards, when can management responsibilities be defined?

  Answer: Only when assets are clearly defined

What is the MOST cost-effective method to provide a reactive control for protecting personnel in public areas?

  Answer: Supply a duress alarm for personnel exposed to the public. Hiring a guard to protect the public area is also a reactive control, but a far more expensive one.

What is the PRIMARY focus for achieving information security according to the principle of defense in depth?

  Answer: People, technology, and operations

What are intellectual property rights PRIMARILY concerned with?

  Answer: Right of the owner to enjoy their creation

What is MOST important when assigning ownership of an asset to a department?

  Answer: Individual accountability should be ensured. Training all members on their responsibilities helps, but a department cannot be held accountable for an asset; a named person must be.

Which one of the following affects the classification of data?

  Answer: Passage of time

What is the BEST description of the responsibilities of a data owner?

  Answer: Approving access requests and monitoring usage

In a Business Impact Analysis (BIA) questionnaire, which of the following items should NOT be included?

  Answer: Questions that determine the risk of a business interruption occurring. Likelihood belongs to the risk assessment; the BIA captures the technological dependencies of business processes and the financial and operational impact of an interruption.


Which action will NOT effectively reduce risk to a laptop before traveling to a high-risk area?

  Answer: Install additional antivirus software


    Study Notes

    Business Impact Analysis (BIA) Questionnaire

    • Should include questions on critical business functions, the resources and technology each depends on, and the financial and operational impact of a disruption over time (which is what feeds recovery time and recovery point targets).
    • Should not ask how likely an interruption is; that is a risk-assessment question, and mixing it into the BIA blurs the impact figures the BIA exists to collect.

    Risk Reduction for Laptops

    • Before traveling to a high-risk area, purge or re-image the laptop so it carries only the data the trip needs, and encrypt whatever sensitive data must travel.
    • Implement access controls (strong credentials, pre-boot authentication) to mitigate unauthorized access, and treat the device as untrusted on return: inspect it and rotate any credentials used while away.

    Data Confidentiality Risks

    • The greatest risk to data confidentiality is unencrypted media leaving the controlled environment, such as backup tapes generated unencrypted: whoever obtains the tape reads everything on it without having to defeat a single access control.
    • Weak passwords, over-privileged users and missing security awareness training exacerbate the risk, but each still has to get past a control; an unencrypted tape does not.
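The unencrypted-tape finding is the one point in this set with a direct technical control. The script below is an added example (not part of the quiz or of any ISC2 material): a pre-write gate that refuses to hand a backup volume to the tape writer unless it looks like ciphertext. The tar archive is constructed inline, and `os.urandom` stands in for the output of a real encrypted backup job; the signature table, the 7.9 bits/byte entropy floor and the function names are this example's own choices.

```python
# Added example (not from the quiz page): a pre-write gate that refuses to
# hand a backup volume to the tape/archive writer unless it looks like
# ciphertext. Sample data is constructed inline so the script runs offline.
import gzip
import io
import math
import os
import tarfile
from collections import Counter

# Known container signatures: (magic bytes, offset in the volume, label).
# Any of these means the volume is plaintext or merely compressed.
PLAINTEXT_SIGNATURES = (
    (b"ustar", 257, "tar"),
    (b"\x1f\x8b", 0, "gzip"),
    (b"BZh", 0, "bzip2"),
    (b"\xfd7zXZ\x00", 0, "xz"),
    (b"PK\x03\x04", 0, "zip"),
)

# Below this value a 64 KiB sample is not plausibly the output of a modern
# cipher; random data scores about 7.99 bits per byte. Threshold is an
# assumption for this example, not a standard.
ENTROPY_FLOOR = 7.9


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_volume(volume: bytes, sample_len: int = 65536) -> dict:
    """Return {'encrypted': bool, 'reason': str, 'entropy': float}.

    Signature checks run first: compressed-but-unencrypted data has high
    entropy and would otherwise slip past the statistical test.
    """
    head = volume[:sample_len]
    entropy = shannon_entropy(head)
    for magic, offset, label in PLAINTEXT_SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return {"encrypted": False,
                    "reason": f"{label} signature at offset {offset}",
                    "entropy": entropy}
    if entropy < ENTROPY_FLOOR:
        return {"encrypted": False,
                "reason": f"entropy {entropy:.2f} bits/byte below {ENTROPY_FLOOR}",
                "entropy": entropy}
    return {"encrypted": True,
            "reason": "no known container signature and high entropy",
            "entropy": entropy}


def build_sample_tar() -> bytes:
    """Constructed sample: an in-memory tar of two 'backup' files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (
            ("payroll.csv", b"id,name,salary\n1,alice,90000\n" * 50),
            ("notes.txt", b"quarterly plan, confidential\n" * 40),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample_tgz() -> bytes:
    """Constructed sample: the same archive gzip-compressed (still plaintext)."""
    return gzip.compress(build_sample_tar())


def encrypted_stand_in(n: int = 65536) -> bytes:
    """Random bytes standing in for a properly encrypted backup stream."""
    return os.urandom(n)


def gate_backup(volume: bytes) -> bool:
    """True if the volume may be written to tape; False blocks the job."""
    verdict = classify_volume(volume)
    status = "ALLOW" if verdict["encrypted"] else "BLOCK"
    print(f"{status}: {verdict['reason']} (entropy {verdict['entropy']:.3f})")
    return verdict["encrypted"]


if __name__ == "__main__":
    gate_backup(build_sample_tar())      # BLOCK: tar signature at offset 257
    gate_backup(build_sample_tgz())      # BLOCK: gzip signature at offset 0
    gate_backup(encrypted_stand_in())    # ALLOW
```

The gate is a detective control layered on top of the real one: the backup job's own encryption setting and the custody of its keys, which must live somewhere other than the tape. It will still pass a volume that was compressed with a container this table does not know, so extend the signature list for the formats your backup software actually emits rather than relying on the entropy floor alone.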

    Considerations for Relocation

    • The most important data security consideration during a relocation is protecting the data while it is in motion: encrypt drives and backup media before they leave the old site, keep a documented chain of custody for every device, and make sure the new site's controls are in place before data arrives.
    • Assess the new premises for vulnerabilities against the organization's existing security requirements before the move, not after.

    Protecting Personnel Before Relocating

    • Organizations should conduct risk assessments and provide safety training for employees.
    • Establish clear communication protocols for emergencies.

    Mitigating Physical Tampering Risk

    • A cable lock addresses theft, not tampering. To reduce tampering risk, keep the laptop in your custody, use tamper-evident seals on the case and ports, and pair full-disk encryption with pre-boot authentication so a modified boot chain has nothing to read.
    • Implement logging and alerting for unauthorized access attempts, and inspect the device after any period out of your control.

    Business Continuity Planning (BCP) Concerns for IT Companies

    • A Tier 4 data center is designed to be fault tolerant for power, cooling and connectivity, so an IT manager writing the BCP should focus on what the facility does not cover: failure of the applications and services the company itself delivers.
    • Build redundancy and failover into the application tier and test the scenarios, rather than planning around facility outages the data center is already engineered to absorb.

    Management Responsibilities According to ISO Standards

    • Under ISO 27001 and 27002, management responsibilities can only be defined once the assets are clearly defined, because each responsibility is for the protection of something specific; an asset inventory with named owners comes first.
    • Regular reviews and updates are necessary as assets and roles change.

    Cost-effective Personnel Protection in Public Areas

    • The most cost-effective reactive control for personnel exposed to the public is a duress alarm: it lets staff summon help the moment an incident starts, at a fraction of the cost of a guard.
    • Training staff on awareness and vigilance complements the alarm without substantial cost.

    Defense in Depth Principle

    • The primary focus for achieving information security through the principle of defense in depth is implementing multiple layers of security controls.
    • Aim to create overlapping protection measures to safeguard information at various points.

    Intellectual Property Rights

    • Intellectual property rights are primarily concerned with protecting creators' original works, inventions, and proprietary information.
    • Ensure legal recourse against unauthorized use or reproduction.

    Ownership of Assets

    • When assigning ownership of an asset to a department, the most important point is individual accountability: name the person who answers for the asset's maintenance, security and compliance, because a department as a whole cannot be held accountable.
    • Train the department's members on their responsibilities and make sure asset management aligns with organizational goals and compliance requirements.

    Data Classification Factors

    • The classification of data is affected by its sensitivity, legal implications, potential impact on the organization if compromised, and the passage of time: material that was sensitive at creation (pre-release results, an unannounced deal) may be downgraded later, and classification should be reviewed on a schedule rather than set once.
    • Identify data types and regulatory compliance requirements to ensure proper classification.

    Responsibilities of a Data Owner

    • Data owners are responsible for the overall security, integrity, and usage of the data within their control.
    • They must establish access controls and data management policies to safeguard sensitive information.

    Description

    Test your knowledge of Business Impact Analysis (BIA) with this set of questions and answers from the ISC2 CISSP exam. Find out if you can identify the key components that should be included in a BIA questionnaire.
