CISA Exam Practice Question 23/02/2017

Most CISA candidates are professionals who have little to no IT background. There are a few accountants who have taken upon themselves the challenge of becoming CISA certified. These candidates usually struggle with IT concepts. Here is a typical example of a question regarding Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) that most candidates struggle with.

Ransom’s Question on 23/02/2017 – BCP and DRP

A company recently completed its disaster recovery plan and commissioned an offsite recovery site. An IS auditor has been sent to audit the disaster recovery plan and the offsite recovery site. What will the IS auditor be MOST concerned about?

A  –  The offsite recovery site is a warm site and not a hot site.

B  –  The disaster recovery plan does not deal extensively with processes at the offsite recovery site.

C  –  The offsite recovery site is located at the residence of the Chief Financial Officer without a firewall and antivirus software.

D  – The Business Continuity plan and the Disaster Recovery plan have not been tested.


Let us apply the K-E-C approach in answering this question.

Please note that the K-E-C approach is as follows:

K = Keyword, phrase or stem of the question

E = Eliminate two incorrect options

C = Choose the best answer for the remaining two options, linking the answer to the Key or K.


So let us approach this question.

K = Key – The key phrase here is “MOST concerned about”. This question is about determining what has the highest priority. We can break down this question to say “what would give the IS auditor sleepless nights”.

I want us to think really seriously about this question so that if you come across a similar question in your CISA exam, you won’t panic. It is worth noting that ISACA is increasingly focused on business continuity and disaster recovery planning because there is a lot going on in our world today. Since the September 11 attack, this has been a key focus area.



Disaster Recovery is about DATA.

Before we dive into this question, I want us to examine a fundamental question. What are the DRP and the BCP designed to protect? As far as ISACA is concerned, the BCP and the DRP are designed to protect against DATA loss. The whole purpose of the plan and implementing it is about protecting data. To further zoom into this, we can confidently say that the DRP and BCP are about DATA. If there is no data, there is no need to protect anything. Hence, an antivirus and a firewall will only help us if there is data to protect. The site and the plan are meaningless if there is no data to work with. Data is thus KING. So our priority should be whether or not the plan is able to protect and preserve data, and only then do we start thinking about what the recovery site can do with the data that has been recovered.

E = Eliminate two options – If we scan through the options above, we can easily eliminate answers A and B. Option A talks about the site being a warm site and not a hot site. Irrespective of the nature of the site, the biggest question is if the plan actually works.

Option B is about the plan not dealing extensively with processes at the recovery site. This is not as big a priority as making sure that we even recover data after an attack. If there is no data, the processes at the recovery site will mean very little.

C = Choose the correct answer that lines up with the KEY – We are thus left with options C and D to choose from. Option C talks about the offsite recovery site being located at the CFO’s premises without a firewall. This is important, but the question is whether or not we can confidently say that data will not be lost in the event of a disaster at the company.

Option D says the plan has not been tested. This apparently little phrase makes all the difference, and here is why. The fact that the plan has not been tested means that there is no guarantee that the DRP and the BCP actually work. It means we aren’t even sure if data will be recovered and the business will continue in the event of a disaster.

The correct answer is thus D – BCP and DRP have not been tested. One of the key steps in developing a DRP and a BCP is to test the plan to ensure that it works. If the plan is not tested, we might have a nicely written document which is ineffective and is only as good as the paper it was printed on. The IS auditor should be more concerned about D than all the other options.


Posted by @RansomNformi

2 thoughts on “CISA Exam Practice Question 23/02/2017”

  1. But is it okay for an offsite recovery site to be located at the residence of the Chief Financial Officer?


    • Hi Yomi,

      It is not okay, but it is not of most concern compared with the other options in the question. It has to do with what the question requires of us. The greatest concern is the fact that DRP and BCP have not been tested.


