ISC Exam Questions

Which choice below most accurately describes a business impact analysis (BIA)?

A.
Activities designed to return an organization to an acceptable operating condition

B.
A management-level analysis that identifies the impact of losing an entity's resources

C.
A prearranged agreement between two or more entities to provide assistance

D.
A program that implements the strategic goals of the organization

Explanation:
A business impact analysis (BIA) measures the effect of resource loss and escalating losses over time
in order to provide the entity with reliable data upon which to base decisions on hazard mitigation
and continuity planning. A BIA is performed as one step during the creation of a Business Continuity
Plan (BCP). A common five-step approach to a BCP could consist of: (1) BCP project scope creation;
(2) business impact assessment; (3) recovery strategy development; (4) recovery plan development;
(5) implementation, testing, and maintenance. Answer a is a definition of a disaster/emergency
management program. Answer c describes a mutual aid agreement. Answer d is the definition of a
recovery program. Source: NFPA 1600 Standard on Disaster/Emergency Management and Business
Continuity, National Fire Protection Association, 2000 edition, and Handbook of Information Security
Management, by Micki Krause and Harold F. Tipton, Auerbach, 1999 edition.

QUESTION 1903
Which statement is accurate about trusted facility management?

A.
The TCB shall support separate operator and administrator functions for B2 systems and above.

B.
The role of a security administrator shall be identified and auditable in B2 systems and above.

C.
The TCB shall support separate operator and administrator functions for C2 systems and above.

D.
The role of a security administrator shall be identified and auditable in C2 systems and above.

Explanation:
Trusted Facility Management has two different requirements, one for B2 systems and another for B3
systems. The B2 requirements state: the TCB shall support separate operator and administrator
functions. The B3 requirements are as follows: the functions performed in the role of a security
administrator shall be identified. System administrative personnel shall only be able to perform
security administrator functions after taking a distinct auditable action to assume the security
administrator role on the system. Non-security functions that can be performed in the security
administration role shall be limited strictly to those essential to performing the security role
effectively. Source: NCSC-TG-015, A Guide to Understanding Trusted Facility Management [Brown
Book].