Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10-megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to the systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover actions before, during, and after the disaster.
It may take you a couple of years to develop a plan for a medium-sized company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies such as utilities, power, etc. might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2)
shall comply with occupational safety and health standards promulgated under this Act.
(b)
Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan and wish you the best of luck
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

Salesforce Valid ARC-801 Exam Format & ARC-801 Exam Study Solutions - PDF ARC-801 Download - Ce-Isareti 
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10-megabit-per-second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of the Vancouver and Seattle data centers is shown in the exhibit.
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise operating system and phones that are enabled for Enterprise Voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20 percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent simultaneous instant messaging, 1 percent peer-to-peer traffic and 25 percent public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to be addressed as well.
Contoso wants to ensure the following:
The current network bandwidth allocated to the Vancouver office is sufficient to sustain the future volume of Skype for Business traffic and guarantee high quality of Skype for Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver and Seattle offices to implement a robust and reliable WAN solution with end-to-end support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster recovery data center should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. End-to-end QoS support must be implemented.
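A worked capacity check for the figures in this case study, added here as an example; it is not part of the exam material and it is not output from the Skype for Business Bandwidth Calculator. The user counts, the 5 Mbps office links, the 85 / 1 / 25 percent concurrency ratios, the 25 percent ceiling, the Litware figures and the fact that Seattle's outbound calls are routed out through Vancouver all come from the case study. The per-session bandwidth constants (2 kbps per IM session, 100 kbps per audio stream) are assumptions and should be replaced with the calculator's figures for the codecs actually deployed.

```python
"""Projected Skype for Business load per site against the 25 percent WAN
ceiling from the case study. Added worked calculation, not part of the exam
material and not the output of the Skype for Business Bandwidth Calculator.
"""
import math
from dataclasses import dataclass

# Per-session bandwidth assumptions in kbps. These are NOT from the case
# study; replace them with the calculator's figures for the codecs in use.
IM_KBPS = 2            # one instant messaging session, averaged
AUDIO_KBPS = 100       # one audio stream, G.711 with IP/UDP/RTP overhead


@dataclass
class Site:
    name: str
    users: int
    link_kbps: int
    im_ratio: float     # share of users in simultaneous IM sessions
    p2p_ratio: float    # share of users in peer-to-peer audio over the WAN
    pstn_ratio: float   # share of users on PSTN calls over the WAN


@dataclass
class Load:
    im_kbps: int
    p2p_kbps: int
    pstn_kbps: int
    cap_kbps: int

    @property
    def total_kbps(self) -> int:
        return self.im_kbps + self.p2p_kbps + self.pstn_kbps

    @property
    def within_cap(self) -> bool:
        return self.total_kbps <= self.cap_kbps


def concurrent(users: int, ratio: float) -> int:
    """Round a fractional session count up: half a call still costs a whole
    stream. Rounding to 6 decimals first guards against float noise in
    products such as 250 * 0.85 before the ceiling is taken."""
    return math.ceil(round(users * ratio, 6))


def projected_load(site: Site, cap_fraction: float = 0.25) -> Load:
    """Peak WAN load for one site and the ceiling it must stay under."""
    return Load(
        im_kbps=concurrent(site.users, site.im_ratio) * IM_KBPS,
        p2p_kbps=concurrent(site.users, site.p2p_ratio) * AUDIO_KBPS,
        pstn_kbps=concurrent(site.users, site.pstn_ratio) * AUDIO_KBPS,
        cap_kbps=int(site.link_kbps * cap_fraction),
    )


def vancouver_internet_load(vancouver: Load, seattle: Load) -> int:
    """Seattle's outbound PSTN calls are routed out through Vancouver (case
    study), so they ride Vancouver's Internet link on top of its own load."""
    return vancouver.total_kbps + seattle.pstn_kbps


# Figures from the case study: 5 Mbps office links; 85 / 1 / 25 percent
# concurrency for IM / peer-to-peer / PSTN; Litware has 80 employees, half
# SfB-enabled, IM only, 50 percent concurrent at peak, on a 10 Mbps link.
VANCOUVER = Site("Vancouver", 250, 5_000, 0.85, 0.01, 0.25)
SEATTLE = Site("Seattle", 50, 5_000, 0.85, 0.01, 0.25)
LITWARE = Site("Litware", 40, 10_000, 0.50, 0.0, 0.0)

if __name__ == "__main__":
    for site in (VANCOUVER, SEATTLE, LITWARE):
        load = projected_load(site)
        print(f"{site.name}: {load.total_kbps} kbps against a {load.cap_kbps} kbps "
              f"cap -> {'OK' if load.within_cap else 'OVER CAP'}")
    print("Vancouver Internet link incl. Seattle PSTN:",
          vancouver_internet_load(projected_load(VANCOUVER), projected_load(SEATTLE)),
          "kbps")
```

Under these assumptions both offices exceed the 25 percent ceiling on PSTN audio alone, and Vancouver's 5 Mbps Internet link is asked to carry more than its own capacity once Seattle's calls hairpin through it, which is consistent with the outbound call quality tickets. The constants decide the absolute numbers; what carries over to the calculator's real figures is the structure of the check: concurrent counts rounded up, one shared ceiling per link, and Seattle's PSTN leg charged to Vancouver.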
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies an IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B
Explanation:
The AWS SDKs and CLI resolve credentials through a fixed provider chain: environment variables first, then the shared credentials file, and the instance profile (instance metadata) only when nothing earlier supplies a key pair. Because the credentials file on the instance holds a static access key pair with full administrative permissions, every request is signed with those keys rather than with the role's temporary credentials, so the role's explicit deny on S3 is never evaluated. The deny would only take effect if the static keys were removed and the instance fell back to the role; a long-lived key pair stored on an instance is itself the misconfiguration to look for.
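Why answer B holds, shown as an added example that is not part of the original question and not code from any AWS SDK. The script simulates, in plain Python with no AWS calls, the two mechanisms at work: resolve_credentials() mirrors the order in which the default credential provider chain of the AWS SDKs and CLI consults providers (environment variables, then the shared credentials file, then the instance profile via instance metadata; the container and SSO providers are left out), and evaluate() applies the IAM rule that an explicit Deny overrides any Allow. The policies, the credentials file contents and the key-to-principal mapping are constructed for the example; the key ids are placeholders, not live keys.

```python
"""Simulation of why the instance's S3 calls succeed despite the role's
explicit deny. Added example, not part of the original question or of any
AWS SDK. No AWS calls are made: the credential chain and IAM evaluation are
modelled in plain Python, and all policies, keys and identities are
constructed placeholders.
"""
import configparser
import fnmatch
from dataclasses import dataclass

# Constructed policies. The role denies every S3 action; the IAM user whose
# keys sit in the credentials file is a full administrator.
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["s3:*"], "Resource": "*"},
]}
ADMIN_USER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}

# Constructed ~/.aws/credentials content; the key id is the AWS documentation
# placeholder, not a live key.
CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Stand-in for IAM's key-to-principal lookup (hypothetical key ids).
IDENTITY_BY_KEY = {
    "AKIAIOSFODNN7EXAMPLE": ("iam-user:admin", ADMIN_USER_POLICY),
    "ASIAROLEEXAMPLEKEYID": ("role:ec2-instance-role", ROLE_POLICY),
}


@dataclass
class Credentials:
    access_key_id: str
    source: str


def resolve_credentials(env, credentials_file_text, imds_key_id):
    """Default provider chain, simplified to the three providers that matter
    here, in the order the SDKs and CLI consult them: environment variables,
    shared credentials file, instance profile (IMDS). The first provider that
    yields a key pair wins; later providers are never asked."""
    if env.get("AWS_ACCESS_KEY_ID"):
        return Credentials(env["AWS_ACCESS_KEY_ID"], "environment")
    if credentials_file_text:
        cp = configparser.ConfigParser()
        cp.read_string(credentials_file_text)
        profile = env.get("AWS_PROFILE", "default")
        if cp.has_option(profile, "aws_access_key_id"):
            return Credentials(cp.get(profile, "aws_access_key_id"),
                               "shared credentials file")
    if imds_key_id:
        return Credentials(imds_key_id, "instance profile (IMDS)")
    raise RuntimeError("no credentials available")


def evaluate(policy, action):
    """IAM identity-policy evaluation for one action: any matching Deny is
    final; otherwise a matching Allow grants; otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"


def decide(env, credentials_file_text, imds_key_id, action="s3:PutObject"):
    """Resolve credentials the way the SDK would, map the key to its principal,
    and evaluate that principal's policy. Returns (source, principal, decision)."""
    creds = resolve_credentials(env, credentials_file_text, imds_key_id)
    principal, policy = IDENTITY_BY_KEY[creds.access_key_id]
    return creds.source, principal, evaluate(policy, action)


if __name__ == "__main__":
    # The question's setup: role attached, admin keys in the credentials file.
    print(decide({}, CREDENTIALS_FILE, "ASIAROLEEXAMPLEKEYID"))
    # Same instance with the credentials file removed: the role is used.
    print(decide({}, "", "ASIAROLEEXAMPLEKEYID"))
```

With the credentials file present the request is attributed to the admin user and allowed; with the file removed the same call falls back to the role and hits the explicit deny. On a real instance the remediation is to delete and rotate the static key pair so that the role, and its deny, actually govern the instance's requests.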

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take a couple of years to develop a plan for a medium-size company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required by laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies, such as utilities, power, etc., might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).


60 Questions & Answers
Verified by IT Certification Professionals

Get Instant Access to 0([45]\d{6})$
C. Exam and 1,200+ More

Unlimited Lifetime Access Package

  • Access any exam on the entire Ce-Isareti site for life!

  • Our $149.00 Unlimited Access Package buys unlimited access to our library of downloadable PDFs for 1200+ exams.

  • You download the exam you need, and come back and download again when you need more. Your PDF is ready to read or print, and when there is an update, you can download the new version. Download one exam or all the exams - its up to you.

Actual Test Exam Engine

Upgrade your Unlimited Lifetime Access with our interactive Exam Engine! Working with the Ce-Isareti Exam Engine is just like taking the actual tests, except we also give you the correct answers. See More >>

Total Cost: $348.00

0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to the systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple of years to develop a plan for a medium-sized company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies such as utilities, power, etc. might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users, owners, and operators of the bulk power system" in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet." The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10 megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of the Vancouver and Seattle data centers is shown in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise operating system and phones that are enabled for Enterprise Voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20 percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the future volume of Skype for Business traffic and guarantee high quality of Skype for Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver and Seattle offices to implement a robust and reliable WAN solution with end-to-end support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2)
shall comply with occupational safety and health standards promulgated under this Act.
(b)
Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan and wish you the best of luck
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. Exam:

Passing the 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of the Vancouver and Seattle data centers is shown in the exhibit.
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise operating system and phones that are enabled for Enterprise Voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20 percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the future volume of Skype for Business traffic and guarantee high quality of Skype for Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver and Seattle offices to implement a robust and reliable WAN solution with end-to-end support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster recovery data center should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time.
B. The EC2 instance will be able to perform all actions on any S3 bucket.
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets.
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan.
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems and would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple of years to develop a plan for a medium-size company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies, such as utilities, power, etc., might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users, owners, and operators of the bulk power system" in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet." The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. exam has never been faster or easier, now with actual questions and answers, without the messy 0([45]\d{6})$
C. braindumps that are frequently incorrect. Ce-Isareti Unlimited Access Exams are not only the cheaper way to pass without resorting to 0([45]\d{6})$
C. dumps, but at only $149.00 you get access to ALL of the exams from every certification vendor.

This is more than a 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10-megabit-per-second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise operating system and phones that are enabled for Enterprise Voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20 percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the future volume of Skype for Business traffic and guarantee high quality of Skype for Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver and Seattle offices to implement a robust and reliable WAN solution with end-to-end support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies an IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to the systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple of years to develop a plan for a medium-sized company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE: The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; they do NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users, owners, and operators of the bulk power system" in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet." The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source: General Exchange Tariff for a major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

NEW QUESTION: 1
You need to solve the Enterprise Voice issue experienced by Sydney users.
Which normalization rule should you use for mobile numbers?
A.

Answer: D
    Explanation:
    Topic 6, Contoso, LTD 2
    Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
    Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
    Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
    There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
    There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
    User Activity Report

    Existing Environment
    The core portion of the infrastructure is located in the Vancouver data center, although the
    Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
    The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
    Vancouver Data Center:

    Seattle Data Center:

    An overview of the network infrastructure of Vancouver and Seattle data centers is shown
    in the exhibit. (Click the Exhibit button.)
    All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
    operating system and phones that are enabled for Enterprise voice.
    Contoso expects to see a growing number of remote users. They anticipate that up to 20
    percent of users in Vancouver might work remotely.
    Contoso has defined a team of 35 users who will participate in a pilot deployment of the
    Office 365 hybrid configuration.
    The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
    All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
    Business Requirements
    Contoso needs to review the existing network topology as well as the Skype for Business
    Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
    Litware, Inc. Skype for Business users in the future.
    Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
    to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
    WAN during business hours.
    All existing issues that relate to poor quality of outbound Skype for Business calls need to
    be addressed as well.
    Contoso wants to ensure the following:
    Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
    future volume of Skype for Business traffic and guarantee high quality of Skype for
    Business calls.
    Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
    Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
    and Seattle offices to implement a robust and reliable WAN solution with end-to-end
    support of Quality of Service (QoS).
    The recommended design solution needs to eliminate the possibility of WAN
    oversubscription by Skype for Business traffic.
    The proposed Skype for Business Server 2015 solution needs to be:
    Scalable to accommodate the company's future acquisitions.
    Readily available for Vancouver and Seattle users.
    In case of a disaster, a manual switchover of Skype for Business services to the disaster
    recovery datacenter should be available.
    Technical Requirements
    All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
    All external Skype for Business Server 2015 services must be protected by a firewall.
    A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
    The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
    All maintenance of Skype for Business servers must be performed outside of business hours.
    The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
    The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
    Exhibit


    NEW QUESTION: 2
    An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access.
    Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
    A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
    B. The EC2 instance will be able to perform all actions on any S3 bucket
    C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
    D. The EC2 instance will only be able to list the S3 buckets
    Answer: B

    NEW QUESTION: 3
    When is the standard hierarchy of the controlling area created?
    Response:
    A. When the controlling area is defined
    B. When the first company code is assigned to the controlling area
    C. When the controlling area is assigned to the operating concern
    D. When the first cost center for a controlling area is created
    Answer: A

    NEW QUESTION: 4
    Which of the following statements pertaining to disaster recovery planning is incorrect?
    A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
    B. Every organization must have a disaster recovery plan
    C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
    D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
    Answer: B
    Explanation:
    It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it may be able to withstand lengthy interruptions.
    Remember that DRP is related to systems needed to support your most critical business functions.
    The DRP covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the key word in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
    To be effective, the plan would certainly cover before, during, and after the disaster actions.
    It may take you a couple of years to develop a plan for a medium-size company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
    All other statements are true.
    NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blanket statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
    Some companies such as utilities, power, etc... might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
    complex and varies in different countries. Always talk to your lawyer to ensure you follow
    the law of the land :-)
    Read the details below:
    So Who, Legally, MUST Plan?
    With the caveats above, let's cover a few of the common laws where there is a duty to have
    a disaster recovery plan. I will try to include the basis for that requirement, where there is
    an implied mandate to do so, and what the difference is between the two.
    Banks and Financial Institutions MUST Have a Plan
    The Federal Financial Institutions Examination Council (Council) was established on March
    10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
    Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
    Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
    Council (the Council).
    The Council is a formal interagency body empowered to prescribe uniform principles,
    standards, and report forms for the federal examination of financial institutions by the Board
    of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
    Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
    Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
    make recommendations to promote uniformity in the supervision of financial institutions. In
    other words, every bank, savings and loan, credit union, and other financial institution is
    governed by the principles adopted by the Council.
    In March of 2003, the Council released its Business Continuity Planning handbook
    designed to provide guidance and examination procedures for examiners in evaluating
    financial institution and service provider risk-management processes.
    Stockbrokers MUST Have a Plan
    The National Association of Securities Dealers (NASD) has adopted rules that require all its
    members to have business continuity plans. The NASD oversees the activities of more
    than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
    registered securities representatives.
    As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
    are specified in Rule 3510, begin with the following:
    3510. Business Continuity Plans. (a) Each member must create and maintain a written
    business continuity plan identifying procedures relating to an emergency or significant
    business disruption. Such procedures must be reasonably designed to enable the member
    to meet its existing obligations to customers. In addition, such procedures must address the
    member's existing relationships with other broker-dealers and counter-parties. The
    business continuity plan must be made available promptly upon request to NASD staff.
    NOTE:
    The rules apply to every company that deals in securities, such as brokers, dealers, and
    their representatives; they do NOT apply to the listed companies themselves.
    Electric Utilities WILL Need a Plan
    The disaster recovery function relating to the electric utility grid is presently undergoing a
    change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
    coordinate volunteer efforts between utilities. This has changed with the adoption of Title
    XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
    to create an Electric Reliability Organization (ERO).
    The ERO will have the capability to adopt and enforce reliability standards for "all users,
    owners, and operators of the bulk power system" in the United States. At this time, FERC
    is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
    created, it will begin the process of establishing reliability standards.
    It is very safe to assume that the ERO will adopt standards for service restoration and
    disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
    Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
    Telecommunications utilities are governed on the federal level by the Federal
    Communications Commission (FCC) for interstate services and by state Public Utility
    Commissions (PUCs) for services within the state.
    The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
    of the NRIC is to develop recommendations for the FCC and the telecommunications
    industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
    and accessibility to, public communications networks and the internet." The NRIC members
    are senior representatives of providers and users of telecommunications services and
    products, including telecommunications carriers, the satellite, cable television, wireless and
    computer industries, trade associations, labor and consumer representatives,
    manufacturers, research organizations, and government-related organizations.
    There is no explicit provision that we could find that says telecommunications carriers must
    have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
    disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
    You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
    The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
    All Health Care Providers WILL Need a Disaster Recovery Plan
    HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
    The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
    The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
    The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
    Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
    Companies with More than 10 Employees
    The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
    (a) Each employer:
    (1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
    (2) shall comply with occupational safety and health standards promulgated under this Act.
    (b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
    Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
    The Foreign Corrupt Practices Act of 1977
    Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
    Food and Drug Administration (FDA) Mandated Requirements
    Homeland Security and Terrorist Prevention
    Pandemic (Bird Flu) Prevention
    ISO 9000 Certification
    Requirements for Radio and TV Broadcasters
    Contract Obligations to Customers
    Document Protection and Retention Laws
    Personal Identity Theft...and MORE!
    Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
    I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
    I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
    See original article at: http://www.informit.com/articles/article.aspx?p=777896
    See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
    References used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

    0([45]\d{6})$
    C. course through studying the questions and answers.
  • A preview of actual 0([45]\d{8})$
    Answer: D
    Explanation:
    Topic 6, Contoso, LTD 2
    Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
    Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
    Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
    There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
    There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
    User Activity Report

    Existing Environment
    The core portion of the infrastructure is located in the Vancouver data center, although the
    Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
    The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
    Vancouver Data Center:

    Seattle Data Center:

    An overview of the network infrastructure of Vancouver and Seattle data centers is shown
    in the exhibit. (Click the Exhibit button.)
    All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
    operating system and phones that are enabled for Enterprise voice.
    Contoso expects to see a growing number of remote users. They anticipate that up to 20
    percent of users in Vancouver might work remotely.
    Contoso has defined a team of 35 users who will participate in a pilot deployment of the
    Office 365 hybrid configuration.
    The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
    All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
    Business Requirements
    Contoso needs to review the existing network topology as well as the Skype for Business
    Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
    Litware, Inc. Skype for Business users in the future.
    Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
    to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
    WAN during business hours.
    All existing issues that relate to poor quality of outbound Skype for Business calls need to
    be addressed as well.
    Contoso wants to ensure the following:
    Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
    future volume of Skype for Business traffic and guarantee high quality of Skype for
    Business calls.
    Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
    Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
    and Seattle offices to implement a robust and reliable WAN solution with end-to-end
    support of Quality of Service (QoS).
    The recommended design solution needs to eliminate the possibility of WAN
    oversubscription by Skype for Business traffic.
    The proposed Skype for Business Server 2015 solution needs to be:
    Scalable to accommodate the company's future acquisitions.
    Readily available for Vancouver and Seattle users.
    In case of a disaster, a manual switchover of Skype for Business services to the disaster
    recovery datacenter should be available.
    Technical Requirements
    All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
    All external Skype for Business Server 2015 services must be protected by a firewall.
    A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
    The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
    All maintenance of Skype for Business servers must be performed outside of business hours.
    The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
    The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
    Exhibit


    NEW QUESTION: 2
    An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
    Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
    A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
    B. The EC2 instance will be able to perform all actions on any S3 bucket
    C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
    D. The EC2 instance will only be able to list the S3 buckets
    Answer: B

    NEW QUESTION: 3
    When is the standard hierarchy of the controlling area created?
    Response:
    A. When the controlling area is defined
    B. When the first company code is assigned to the controlling area
    C. When the controlling area is assigned to the operating concern
    D. When the first cost center for a controlling area is created
    Answer: A

    NEW QUESTION: 4
    Which of the following statements pertaining to disaster recovery planning is incorrect?
    A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
    B. Every organization must have a disaster recovery plan
    C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
    D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
    Answer: B
    Explanation:
    It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
    Remember that DRP is related to systems needed to support your most critical business functions.
    The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
    To be effective, the plan would certainly cover before, during, and after the disaster actions.
    It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
    All other statements are true.
    NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
    Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
    complex and varies in different countries. Always talk to your lawyer to ensure you follow
    the law of the land :-)
    Read the details below:
    So Who, Legally, MUST Plan?
    With the caveats above, let's cover a few of the common laws where there is a duty to have
    a disaster recovery plan. I will try to include the basis for that requirement, where there is
    an implied mandate to do so, and what the difference is between the two
    Banks and Financial Institutions MUST Have a Plan
    The Federal Financial Institutions Examination Council (Council) was established on March
    10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
    Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
    Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
    Council (the Council).
    The Council is a formal interagency body empowered to prescribe uniform principles,
    standards, and report forms for the federal examination of financial institutions by the Board
    of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
    Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
    Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
    make recommendations to promote uniformity in the supervision of financial institutions. In
    other words, every bank, savings and loan, credit union, and other financial institution is
    governed by the principles adopted by the Council.
    In March of 2003, the Council released its Business Continuity Planning handbook
    designed to provide guidance and examination procedures for examiners in evaluating
    financial institution and service provider risk-management processes.
    Stockbrokers MUST Have a Plan
    The National Association of Securities Dealers (NASD) has adopted rules that require all its
    members to have business continuity plans. The NASD oversees the activities of more
    than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
    registered securities representatives.
    As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
    are specified in Rule 3510, begin with the following:
    3510. Business Continuity Plans. (a) Each member must create and maintain a written
    business continuity plan identifying procedures relating to an emergency or significant
    business disruption. Such procedures must be reasonably designed to enable the member
    to meet its existing obligations to customers. In addition, such procedures must address the
    member's existing relationships with other broker-dealers and counter-parties. The
    business continuity plan must be made available promptly upon request to NASD staff.
    NOTE:
    The rules apply to every company that deals in securities, such as brokers, dealers, and
    their representatives, it does NOT apply to the listed companies themselves.
    Electric Utilities WILL Need a Plan
    The disaster recovery function relating to the electric utility grid is presently undergoing a
    change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
    coordinate volunteer efforts between utilities. This has changed with the adoption of Title
    XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
    to create an Electric Reliability Organization (ERO).
    The ERO will have the capability to adopt and enforce reliability standards for "all users,
    owners, and operators of the bulk power system" in the United States. At this time, FERC
    is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
    created, it will begin the process of establishing reliability standards.
    It is very safe to assume that the ERO will adopt standards for service restoration and
    disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
    Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
    Telecommunications utilities are governed on the federal level by the Federal
    Communications Commission (FCC) for interstate services and by state Public Utility
    Commissions (PUCs) for services within the state.
    The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
    of the NRIC is to develop recommendations for the FCC and the telecommunications
    industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
    and accessibility to, public communications networks and the internet." The NRIC members
    are senior representatives of providers and users of telecommunications services and
    products, including telecommunications carriers, the satellite, cable television, wireless and
    computer industries, trade associations, labor and consumer representatives,
    manufacturers, research organizations, and government-related organizations.
    There is no explicit provision that we could find that says telecommunications carriers must
    have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
    disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
    You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
    The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
    All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
    The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
    The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
    The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
    Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
    The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
    (a)
    Each employer:
    (1)
    shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
    (2)
    shall comply with occupational safety and health standards promulgated under this Act.
    (b)
    Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
    Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
    The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
    Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
    I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
    I hope this article helps you better understand the complex realities of the legal reasons why we plan, and wish you the best of luck.
    See original article at: http://www.informit.com/articles/article.aspx?p=777896
    See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
    References used for this question:
    KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).


The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2)
shall comply with occupational safety and health standards promulgated under this Act.
(b)
Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan and wish you the best of luck
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. Labs, or our competitor's dopey 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10 megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown in the exhibit.
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise operating system and phones that are enabled for Enterprise Voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume of the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster recovery data center should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple of years to develop a plan for a medium-size company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies, such as utilities, power, etc., might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives; they do NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. Study Guide. Your exam will download as a single 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it may be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the key word in the question, would also include steps that happen before the plan is used, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take a couple of years to develop a plan for a medium-sized company; a lot has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies, such as utilities, power, etc., might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; they do NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. PDF or complete 0([45]\d{6})$
C. testing engine as well as over 1000 other technical exam PDF and exam engine downloads. Forget buying your prep materials separately at three time the price of our unlimited access plan - skip the 0([45]\d{6})$
C. audio exams and select the one package that gives it all to you at your discretion: 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2)
shall comply with occupational safety and health standards promulgated under this Act.
(b)
Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan and wish you the best of luck
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. Study Materials featuring the exam engine.

Skip all the worthless 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of the Vancouver and Seattle data centers is shown in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise operating system and phones that are enabled for Enterprise Voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20 percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the future volume of Skype for Business traffic and guarantee high quality of Skype for Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver and Seattle offices to implement a robust and reliable WAN solution with end-to-end support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster recovery data center should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance's credentials file specifies an IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B
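Why the answer is B: the SDK default credential chain consults the shared credentials file before the instance metadata service, so API calls are signed with the IAM user's long-term keys and the role's explicit deny never enters the policy evaluation. The following is an added Python example, not part of the original question, that models that resolution order and audits a constructed credentials file for long-term keys; the file contents (AWS documentation placeholder keys), the simplified CHAIN order and all function names are assumptions.

```python
"""Model of why static keys in ~/.aws/credentials override an instance
profile, plus a defender-side audit that flags such keys on an instance."""
import configparser
import re

# Constructed sample credentials file. The key values are the placeholder
# keys used in AWS documentation, not real credentials.
SAMPLE_CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[temp-session]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEXAMPLE
"""

LONG_TERM_KEY = re.compile(r"^AKIA[0-9A-Z]{16}$")  # IAM user access key
TEMPORARY_KEY = re.compile(r"^ASIA[0-9A-Z]{16}$")  # STS temporary key

# Simplified default-chain order (assumption): environment variables,
# then the shared credentials file, then the instance profile via IMDS.
CHAIN = ("environment", "credentials_file", "instance_profile")


def parse_credentials(text: str) -> dict:
    """Parse the INI-style shared credentials file into {profile: {key: value}}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def audit_credentials_file(text: str) -> list:
    """Return one finding per profile that holds a long-term (AKIA) key or a
    temporary key without its session token. Long-term keys belong to an IAM
    user, so none of the instance role's policies apply to calls made with them."""
    findings = []
    for profile, values in parse_credentials(text).items():
        key = values.get("aws_access_key_id", "")
        if LONG_TERM_KEY.match(key):
            kind = "long-term IAM user key"
        elif TEMPORARY_KEY.match(key) and "aws_session_token" not in values:
            kind = "temporary key without session token"
        else:
            continue
        # Only the profile the SDK actually selects shadows the instance
        # profile; 'default' is used unless AWS_PROFILE says otherwise.
        findings.append({"profile": profile, "kind": kind,
                         "overrides_instance_profile": profile == "default"})
    return findings


def resolve_credential_source(env: dict, credentials_text: str,
                              instance_profile_attached: bool) -> str:
    """Pick the credential source the default chain would use for the
    'default' profile, walking CHAIN in order; 'none' if nothing is found."""
    profiles = parse_credentials(credentials_text)
    for source in CHAIN:
        if source == "environment" and env.get("AWS_ACCESS_KEY_ID") \
                and env.get("AWS_SECRET_ACCESS_KEY"):
            return source
        if source == "credentials_file" \
                and "aws_access_key_id" in profiles.get("default", {}):
            return source
        if source == "instance_profile" and instance_profile_attached:
            return source
    return "none"


def effective_s3_access(source: str) -> str:
    """Map the credential source to the outcome in the question: the role
    carries an explicit deny on s3:*, the static keys carry full admin."""
    return {
        "credentials_file": "allowed (IAM user keys; the role's deny does not apply)",
        "instance_profile": "denied (explicit deny on s3:* in the role policy)",
    }.get(source, "denied (no credentials available)")


if __name__ == "__main__":
    src = resolve_credential_source({}, SAMPLE_CREDENTIALS_FILE, True)
    print(f"credential source: {src} -> S3 access {effective_s3_access(src)}")
    for finding in audit_credentials_file(SAMPLE_CREDENTIALS_FILE):
        print("finding:", finding)
```

The remediation the audit points at is the one the question implies: remove static keys from the instance and let the instance profile be the only credential source, so the role's policy is what actually governs S3 access.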

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple of years to develop a plan for a medium-sized company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies such as utilities, power, etc. might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; they do NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users, owners, and operators of the bulk power system" in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet." The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. tutorials and download 0[45]\((d8))$
D. exam details with real questions and answers and a price too unbelievable to pass up. Act now and download your Actual Tests today!

0([45]\d{6})$
C.
Difficulty finding the right 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2)
shall comply with occupational safety and health standards promulgated under this Act.
(b)
Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russell Dean, The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. answers? Don't leave your fate to 0([45]\d{6})$
C. books, you should sooner trust a 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2)
shall comply with occupational safety and health standards promulgated under this Act.
(b)
Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan and wish you the best of luck
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. dump or some random 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; they do NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10 megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of the Vancouver and Seattle data centers is shown in the exhibit.
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan.
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it may be able to withstand lengthy interruptions.
Remember that DRP is related to the systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2)
shall comply with occupational safety and health standards promulgated under this Act.
(b)
Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan and wish you the best of luck
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. CBT at Ce-Isareti - far from being a wretched 0[45]\((d8))$
D. brain dump, the 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the future volume of Skype for Business traffic and guarantee high quality of Skype for Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver and Seattle offices to implement a robust and reliable WAN solution with end-to-end support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time.
B. The EC2 instance will be able to perform all actions on any S3 bucket.
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets.
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to the systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple of years to develop a plan for a medium-size company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies such as utilities, power, etc. might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users, owners, and operators of the bulk power system" in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet." The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. cost is rivaled by its value - the ROI on the 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10-megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of the Vancouver and Seattle data centers is shown in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise operating system and phones that are enabled for Enterprise Voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20 percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent simultaneous instant messaging, 1 percent peer-to-peer traffic and 25 percent public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the future volume of Skype for Business traffic and guarantee high quality of Skype for Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver and Seattle offices to implement a robust and reliable WAN solution with end-to-end support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster recovery data center should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. End-to-end QoS support must be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B
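The answer key's B follows from two facts: the SDK credential provider chain consults the shared credentials file before it falls back to the instance profile, and IAM evaluates a request against the principal whose keys signed it, so the role's explicit deny never applies to calls signed with the static admin keys. The toy model below is an added illustration, not AWS SDK code or anything from the exam material; the principals, policy statements, access key id and CloudTrail-style records are constructed, and only the provider order (environment, shared credentials file, instance profile last) and the deny-overrides-allow rule are taken from how AWS documents IAM and its SDKs.

```python
"""Toy model of AWS credential resolution and IAM policy evaluation.

Added illustration only. Provider order mirrors the documented SDK chain
(environment variables, then the shared credentials file, then the
instance profile); policy evaluation applies "explicit deny wins".
"""
import configparser
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Principal:
    name: str
    kind: str                  # CloudTrail userIdentity.type: "IAMUser" or "AssumedRole"
    statements: list = field(default_factory=list)   # (effect, action pattern)


# Constructed policies, standing in for the scenario in the question.
ROLE_DENY_S3 = Principal("EC2-InstanceRole", "AssumedRole",
                         [("Allow", "ec2:Describe*"), ("Deny", "s3:*")])
ADMIN_USER = Principal("admin-user", "IAMUser", [("Allow", "*")])

# Access key id -> owning principal (stands in for IAM's key lookup).
# The key id is a constructed placeholder, not a real key.
KEY_OWNER = {"AKIAEXAMPLEADMIN00000": ADMIN_USER}


def _match(pattern: str, action: str) -> bool:
    """IAM action patterns: exact name, trailing '*' wildcard, or bare '*'."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def is_allowed(principal: Principal, action: str) -> bool:
    """Explicit deny beats any allow; no matching allow is an implicit deny."""
    effects = [e for e, p in principal.statements if _match(p, action)]
    if "Deny" in effects:
        return False
    return "Allow" in effects


def resolve_principal(env: dict, credentials_ini: Optional[str],
                      instance_role: Optional[Principal]) -> Principal:
    """Return the principal whose credentials the SDK would sign with.

    Order: AWS_ACCESS_KEY_ID in the environment, then the [default] profile
    of the shared credentials file, then the instance profile role.
    """
    key = env.get("AWS_ACCESS_KEY_ID")
    if key is None and credentials_ini:
        cp = configparser.ConfigParser()
        cp.read_string(credentials_ini)
        if cp.has_option("default", "aws_access_key_id"):
            key = cp.get("default", "aws_access_key_id")
    if key is not None:
        if key not in KEY_OWNER:
            raise ValueError("unknown access key id")
        return KEY_OWNER[key]
    if instance_role is None:
        raise RuntimeError("no credentials found in any provider")
    return instance_role


# Constructed ~/.aws/credentials content as described in the question.
CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAEXAMPLEADMIN00000
aws_secret_access_key = constructed-secret-not-real
"""


def scenario(with_credentials_file: bool):
    """(identity type, principal name, is s3:PutObject allowed?)"""
    creds = CREDENTIALS_FILE if with_credentials_file else None
    p = resolve_principal({}, creds, ROLE_DENY_S3)
    return p.kind, p.name, is_allowed(p, "s3:PutObject")


# Constructed CloudTrail-like records: the role's own calls appear as
# AssumedRole, calls signed with the static keys appear as IAMUser.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/EC2-InstanceRole/i-constructed"}},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "admin-user"}},
]


def flag_static_key_use(events) -> list:
    """Detection: API calls that were not signed by the instance's role."""
    return [e["eventName"] for e in events
            if e["userIdentity"]["type"] == "IAMUser"]


if __name__ == "__main__":
    print(scenario(True))    # static keys win: admin-user, S3 allowed
    print(scenario(False))   # role only: explicit deny, S3 refused
    print(flag_static_key_use(SAMPLE_EVENTS))
```

The mitigation side is the same lesson read backwards: a role's explicit deny only constrains requests the role signs, so static keys on an instance remove the guardrail entirely. Keeping long-lived keys off instances and alerting on IAMUser-type identities whose source address is an instance are the controls the model points at.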

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to the systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple of years to develop a plan for a medium-size company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required by laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies, such as utilities, power, etc., might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; they do NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users, owners, and operators of the bulk power system" in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet." The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer: (1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees; (2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10-megabit-per-second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit.
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of
peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over
the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume of the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B
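Why B is the answer: the SDK default credential provider chain stops at the first provider that yields a key, so static keys in the shared credentials file are used and the instance role, with its explicit S3 deny, is never consulted. The following added example (not part of the exam page) models that chain together with IAM's deny-wins evaluation and a defender's check for the shadowed role; the policies, credentials file and key-to-principal directory are constructed for this example, and the access key is the AWS documentation example value.

```python
"""Added example, not from the exam page: a model of the AWS SDK default
credential provider chain and of IAM policy evaluation, showing why an
instance role that explicitly denies S3 does not constrain an instance whose
shared credentials file carries static keys for an administrative user.
Chain order modelled: environment variables, shared credentials file,
instance profile (the documented SDK order). Policies, the credentials file
and the key-to-principal directory are constructed for this example."""
import configparser
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Policy attached to the instance role: EC2 read allowed, all S3 explicitly denied.
ROLE_POLICY = [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": ["*"]},
    {"Effect": "Deny", "Action": ["s3:*"], "Resource": ["*"]},
]
# Policy of the IAM user whose long-lived keys sit in the credentials file.
ADMIN_POLICY = [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]


@dataclass
class Identity:
    name: str
    source: str            # provider in the chain that supplied the identity
    statements: List[dict]


# Hypothetical lookup from access key id to the principal that owns it.
# The key id and secret below are the AWS documentation example values.
KEY_DIRECTORY: Dict[str, Identity] = {
    "AKIAIOSFODNN7EXAMPLE": Identity("admin-user", "static-key", ADMIN_POLICY),
}
INSTANCE_ROLE = Identity("s3-denied-role", "instance_profile", ROLE_POLICY)
CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def _matches(patterns: List[str], value: str) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(statements: List[dict], action: str, resource: str) -> str:
    """IAM evaluation logic: an explicit Deny always wins, an Allow is needed
    for access, and anything not mentioned is an implicit deny."""
    decision = "ImplicitDeny"
    for st in statements:
        if _matches(st["Action"], action) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def _identity_for_key(key_id: str, source: str) -> Identity:
    # An unknown key id still stops the chain; the real SDK would get an
    # authentication error, modelled here as an identity with no permissions.
    known = KEY_DIRECTORY.get(key_id)
    return Identity(known.name if known else "unknown-key", source,
                    known.statements if known else [])


def resolve_identity(env: Dict[str, str], credentials_ini: Optional[str],
                     instance_role: Optional[Identity],
                     profile: str = "default") -> Optional[Identity]:
    """First provider in the chain that yields credentials wins; the instance
    profile is consulted only when nothing earlier supplied a key."""
    if env.get("AWS_ACCESS_KEY_ID"):
        return _identity_for_key(env["AWS_ACCESS_KEY_ID"], "environment")
    if credentials_ini:
        cp = configparser.ConfigParser()
        cp.read_string(credentials_ini)
        if cp.has_option(profile, "aws_access_key_id"):
            return _identity_for_key(cp.get(profile, "aws_access_key_id"),
                                     "shared_credentials_file")
    return instance_role


def effective_decision(env, credentials_ini, instance_role,
                       action: str, resource: str) -> Tuple[str, str]:
    """Which provider answered, and what that identity's policy decides."""
    ident = resolve_identity(env, credentials_ini, instance_role)
    if ident is None:
        return ("none", "ImplicitDeny")
    return (ident.source, evaluate(ident.statements, action, resource))


def audit_shadowed_role(env, credentials_ini, instance_role) -> List[str]:
    """Defender check: flag hosts where static keys take precedence over the
    instance role, so the role's explicit denies no longer bound the host."""
    ident = resolve_identity(env, credentials_ini, instance_role)
    if instance_role and ident and ident.source != instance_role.source:
        return [f"role '{instance_role.name}' shadowed by {ident.source} "
                f"credentials of '{ident.name}'"]
    return []


if __name__ == "__main__":
    for creds in (None, CREDENTIALS_FILE):
        print(effective_decision({}, creds, INSTANCE_ROLE,
                                 "s3:PutObject", "arn:aws:s3:::any-bucket/obj"))
    print(audit_shadowed_role({}, CREDENTIALS_FILE, INSTANCE_ROLE))
```

The same shadowing applies to environment variables and any earlier provider; the mitigation is to keep long-lived keys off instances entirely so the role (and its denies) is the only identity the host can assume.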

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, also includes steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple of years to develop a plan for a medium-size company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies, such as utilities, power, etc., might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2)
shall comply with occupational safety and health standards promulgated under this Act.
(b)
Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan and wish you the best of luck
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. braindump could actually ruin your reputation and credit you as a fraud. That's correct, the 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to the systems needed to support your most critical business functions.
The DRP covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple of years to develop a plan for a medium-size company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies such as utilities, power, etc. might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE: The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users, owners, and operators of the bulk power system" in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet." The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. cost for literally cheating on your 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2)
shall comply with occupational safety and health standards promulgated under this Act.
(b)
Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan and wish you the best of luck
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. materials is loss of reputation. Which is why you should certainly train with the 0([45]\d{6})$
C. practice exams only available through Ce-Isareti.

0([45]\d{6})$
C.
Keep walking if all you want is free 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of the Vancouver and Seattle data centers is shown in the exhibit.
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise operating system and phones that are enabled for Enterprise Voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20 percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the future volume of Skype for Business traffic and guarantee high quality of Skype for Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver and Seattle offices to implement a robust and reliable WAN solution with end-to-end support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. End-to-end QoS support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies an IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B
Explanation:
The AWS CLI and SDKs resolve credentials in a fixed order: environment variables first, then the shared credentials file, and only then the instance profile obtained from the instance metadata service. Because the credentials file on this instance holds static keys with administrative rights, every S3 request is signed with those keys and evaluated against the IAM user's policies; the role's explicit deny is never consulted. The deny would only apply to requests made with the role's temporary credentials.
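Why B holds, shown as an added example (this is not code from the original page and not AWS's own code): the block below models the credential resolution order the AWS CLI and SDKs follow, environment variables, then the shared credentials file, then the instance profile from IMDS, and adds a small audit helper that flags long-term keys in a credentials file, since those are the ones that shadow the instance role. The credentials file contents, the instance-profile key and the function names are constructed for illustration; the key-prefix convention is AWS's own (AKIA for long-term IAM user keys, ASIA for temporary credentials).

```python
"""Added example: model of the AWS credential provider chain and an audit
helper for credentials files that shadow an EC2 instance role.
Not AWS code; the sample credentials file and keys below are constructed."""
import configparser
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Credential:
    source: str          # provider that supplied the key
    access_key_id: str   # AKIA... = long-term IAM user key, ASIA... = temporary


# Constructed sample of ~/.aws/credentials on the instance. The key values are
# AWS's documentation placeholders, not real credentials.
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[temporary]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = EXAMPLE-SESSION-TOKEN
"""

# Constructed stand-in for what IMDS would hand out for the attached role.
INSTANCE_ROLE = Credential("instance-profile", "ASIAINSTANCEROLEEXAMPLE")


def _parse(credentials_ini: str) -> configparser.ConfigParser:
    # interpolation=None so '%' in a secret cannot trip the parser
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(credentials_ini)
    return cp


def resolve_credentials(env: Dict[str, str], credentials_ini: str,
                        profile: str = "default",
                        instance_profile: Optional[Credential] = None) -> Optional[Credential]:
    """Return the first credential found, in the CLI/SDK order:
    environment variables, shared credentials file, then instance profile.
    (Container credentials and the config file are omitted for brevity.)"""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return Credential("environment", env["AWS_ACCESS_KEY_ID"])
    cp = _parse(credentials_ini)
    if cp.has_option(profile, "aws_access_key_id"):
        return Credential("shared-credentials-file", cp.get(profile, "aws_access_key_id"))
    return instance_profile


def governing_policy(cred: Credential) -> str:
    """Whose IAM policies are evaluated for requests signed with this key.
    Long-term keys belong to an IAM user, so the role's deny is never consulted."""
    return "iam-role" if cred.access_key_id.startswith("ASIA") else "iam-user"


def find_static_keys(credentials_ini: str) -> List[str]:
    """Audit helper: profiles holding long-term keys that shadow the instance role."""
    cp = _parse(credentials_ini)
    return [s for s in cp.sections()
            if cp.get(s, "aws_access_key_id", fallback="").startswith("AKIA")]


if __name__ == "__main__":
    cred = resolve_credentials({}, SAMPLE_CREDENTIALS_FILE, "default", INSTANCE_ROLE)
    print(cred.source, governing_policy(cred))          # shared-credentials-file iam-user
    print(find_static_keys(SAMPLE_CREDENTIALS_FILE))    # ['default']
```

On a real instance the same check is `aws sts get-caller-identity`: if the ARN names an IAM user rather than the assumed role, a static key is shadowing the instance profile and the role's policy is not what governs the calls.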

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan: it may have no critical processing areas or systems, and it may be able to withstand lengthy interruptions.
Remember that DRP is related to the systems needed to support your most critical business functions.
The DRP covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, also includes steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and much more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take a couple of years to develop a plan for a medium-size company; a lot has to happen before the plan is actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required by laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies, such as utilities, power, etc., might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users, owners, and operators of the bulk power system" in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet." The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. dumps or some cheap 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10-megabit-per-second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise operating system and phones that are enabled for Enterprise Voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20 percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the future volume of Skype for Business traffic and guarantee high quality of Skype for Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver and Seattle offices to implement a robust and reliable WAN solution with end-to-end support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. End-to-end QoS support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies an IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B
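Answer B holds because the AWS SDK credential provider chain reads the shared credentials file before it queries the instance metadata service, so a static key placed on the instance is used instead of the role, and the role's explicit Deny never applies to calls made with that key. As an added, defender-side example (not part of the original question), the script below parses a credentials file and reports every static key it finds, marking the one the SDK would actually resolve; the file contents and key values are constructed placeholders.

```python
"""Audit an AWS shared credentials file for static keys that would
shadow an EC2 instance role.

The SDK credential provider chain consults the shared credentials file
(~/.aws/credentials) before the instance metadata service, so a static
key there is used instead of the instance profile role, and any Deny in
the role's policy does not apply to calls made with that key. This check
finds such keys so they can be removed or rotated.
"""
import configparser
from dataclasses import dataclass

# Constructed sample file for the example; every value is a placeholder.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMPLE1

[sts-session]
aws_access_key_id = ASIAEXAMPLEEXAMPLE02
aws_secret_access_key = EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMPLE2
aws_session_token = EXAMPLESESSIONTOKEN

[role-only]
role_arn = arn:aws:iam::123456789012:role/ExampleRole
source_profile = default
"""


@dataclass(frozen=True)
class Finding:
    profile: str
    access_key_id: str
    key_kind: str              # "long-term", "temporary" or "unknown"
    shadows_instance_role: bool


def classify_key(access_key_id: str) -> str:
    """AKIA-prefixed IDs are long-term user keys; ASIA-prefixed IDs are
    temporary credentials issued by STS. Anything else is reported as unknown."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def audit_credentials(text: str, active_profile: str = "default") -> list[Finding]:
    """Return one Finding per profile that carries a static access key.

    active_profile is the profile the SDK resolves (AWS_PROFILE, else
    "default"); only that profile's key shadows the instance role for a
    client created without explicit credentials, but every static key on
    the box is reported because any process can select it.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        key_id = parser.get(section, "aws_access_key_id", fallback=None)
        secret = parser.get(section, "aws_secret_access_key", fallback=None)
        if not key_id or not secret:
            continue  # role_arn/source_profile entries hold no static key
        findings.append(Finding(
            profile=section,
            access_key_id=key_id,
            key_kind=classify_key(key_id),
            shadows_instance_role=(section == active_profile),
        ))
    return findings


if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_CREDENTIALS):
        flag = "SHADOWS instance role" if f.shadows_instance_role else "present"
        print(f"[{f.profile}] {f.access_key_id} ({f.key_kind}): {flag}")
```

Run it against a real file with `audit_credentials(open(path).read())`; a long-term key in the active profile is the case the question describes.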

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to the systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple of years to develop a plan for a medium-size company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies such as utilities, power, etc. might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users, owners, and operators of the bulk power system" in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet." The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. online training course released. Absolutely Ce-Isareti 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; they do NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10 megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time.
B. The EC2 instance will be able to perform all actions on any S3 bucket.
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets.
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to the systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover actions before, during, and after the disaster.
It may take you a couple of years to develop a plan for a medium-sized company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies, such as utilities, power, etc., might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users, owners, and operators of the bulk power system" in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet." The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research Questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. dumps or an 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10-megabit-per-second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of the Vancouver and Seattle data centers is shown in the exhibit.
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise operating system and phones that are enabled for Enterprise Voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20 percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the future volume of Skype for Business traffic and guarantee high quality of Skype for Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver and Seattle offices to implement a robust and reliable WAN solution with end-to-end support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies an IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B
Explanation:
The AWS SDKs and CLI resolve credentials through a fixed provider chain: environment variables and the shared credentials file (~/.aws/credentials) are consulted before the instance profile exposed through the instance metadata service. Because the credentials file holds static access keys, every API call is signed with those keys, and the policy AWS evaluates is the one attached to the IAM user that owns them, not the instance role. The role's explicit deny on S3 is therefore never evaluated, and the full administrative keys permit every S3 action. The practical lesson is that restricting an instance role protects nothing while long-term keys remain on the host.
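The following script is an added example for the question above; it is not part of the original page or of any AWS tooling. It models the SDK default credential provider chain in simplified form (environment variables, then the shared credentials file, then the instance profile; the real chain has further stages such as SSO and container credentials in between) and audits a host for static keys that would shadow its instance role. The credentials file is a constructed sample that uses the placeholder keys from the AWS documentation; the profile and finding names are this example's own.

```python
"""Audit a host for static AWS credentials that would shadow its EC2 instance role.

Added example, not part of the original page. Simplified model of the AWS SDK
default credential provider chain: environment variables are consulted first,
then the shared credentials file, and the EC2 instance profile only last. The
source that wins is the identity whose policy AWS evaluates, so long-term keys
in a credentials file make the role's explicit deny irrelevant.
"""
import configparser
import re
from typing import Dict, List, Optional

# Access key ID prefixes: AKIA marks a long-term IAM user key, ASIA a temporary STS key.
ACCESS_KEY_RE = re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")

# Constructed sample of ~/.aws/credentials, as found on the instance in the question.
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci-temp]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEBYaDEXAMPLE
"""


def parse_credentials(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style shared credentials file into {profile: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def classify_key(access_key_id: str) -> str:
    """Return 'long-term', 'temporary' or 'unrecognized' for an access key ID."""
    match = ACCESS_KEY_RE.match(access_key_id)
    if not match:
        return "unrecognized"
    return "long-term" if match.group(1) == "AKIA" else "temporary"


def credential_source(env: Dict[str, str], profiles: Dict[str, Dict[str, str]],
                      instance_profile_available: bool,
                      profile_name: str = "default") -> str:
    """Name the source the simplified provider chain picks, checked in chain order."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment"
    # AWS_PROFILE selects which profile of the shared file is consulted.
    selected = profiles.get(env.get("AWS_PROFILE", profile_name), {})
    if selected.get("aws_access_key_id") and selected.get("aws_secret_access_key"):
        return "shared_credentials_file"
    if instance_profile_available:
        return "instance_profile"
    return "none"


def audit(env: Dict[str, str], credentials_text: Optional[str],
          instance_profile_available: bool) -> List[str]:
    """Return findings where static keys would take precedence over the instance role."""
    findings: List[str] = []
    profiles = parse_credentials(credentials_text) if credentials_text else {}
    source = credential_source(env, profiles, instance_profile_available)
    if instance_profile_available and source != "instance_profile":
        findings.append(f"instance role shadowed: SDK will use {source}")
    for name, values in profiles.items():
        key_id = values.get("aws_access_key_id", "")
        kind = classify_key(key_id)
        if kind == "long-term":
            findings.append(f"profile [{name}] holds long-term key {key_id}")
        elif kind == "temporary" and not values.get("aws_session_token"):
            findings.append(f"profile [{name}] has temporary key without session token")
    return findings


if __name__ == "__main__":
    # Scenario from the question: role attached, static admin keys in the file.
    for line in audit({}, SAMPLE_CREDENTIALS_FILE, instance_profile_available=True):
        print(line)
```

On a real host the same logic runs over the actual file contents and `os.environ`; any "instance role shadowed" finding means the role's policy, deny statements included, is not what governs that host's API calls.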

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to the systems needed to support your most critical business functions.
The DRP itself covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, also includes steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take a couple of years to develop a plan for a medium-size company; a lot has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies such as utilities, power, etc. might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; they do NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users, owners, and operators of the bulk power system" in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet." The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2)
shall comply with occupational safety and health standards promulgated under this Act.
(b)
Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan and wish you the best of luck
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. simulation questions on test day.

0([45]\d{6})$
C.
Proper training for 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10 megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B
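Why the answer is B comes down to credential precedence, and the defensive point is that static keys on a host sidestep any guardrail attached to the instance role. The following Python model is an added example, not part of the exam material or of any AWS SDK: it encodes the documented SDK provider order (environment variables, then the shared credentials file, then the EC2 instance profile) together with a simplified Allow/Deny evaluation; the policies, key sources, host records and function names are all constructed for the illustration.

```python
# Added example (not part of the exam question or of any AWS SDK): a small model
# of the AWS SDK default credential provider chain and of simplified IAM policy
# evaluation, showing why an explicit Deny on the instance role has no effect
# when a shared credentials file with static admin keys is also present.
# Provider order follows the documented SDK chain (environment variables, then
# the shared credentials file, then the EC2 instance profile); every policy,
# key source and host record below is constructed for the example.

from dataclasses import dataclass
from typing import List, Optional, Tuple

Statement = Tuple[str, str]  # (effect, action pattern), e.g. ("Deny", "s3:*")


@dataclass
class Credentials:
    source: str                # which provider supplied these credentials
    policy: List[Statement]    # permissions attached to the principal behind them


def _action_matches(pattern: str, action: str) -> bool:
    """IAM-style action matching with a trailing wildcard ('*', 's3:*', 's3:Get*')."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def is_allowed(policy: List[Statement], action: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny always wins, an Allow is
    needed for access, and anything else is an implicit deny."""
    effects = {effect for effect, pattern in policy if _action_matches(pattern, action)}
    if "Deny" in effects:
        return False
    return "Allow" in effects


def resolve_credentials(env: Optional[Credentials],
                        credentials_file: Optional[Credentials],
                        instance_profile: Optional[Credentials]) -> Optional[Credentials]:
    """The first provider in chain order that yields credentials wins; later
    providers (here, the instance profile) are never consulted."""
    for candidate in (env, credentials_file, instance_profile):
        if candidate is not None:
            return candidate
    return None


def effective_access(action: str, *, env: Optional[Credentials] = None,
                     credentials_file: Optional[Credentials] = None,
                     instance_profile: Optional[Credentials] = None) -> Tuple[str, bool]:
    """Return (credential source actually used, whether `action` is permitted)."""
    creds = resolve_credentials(env, credentials_file, instance_profile)
    if creds is None:
        return ("none", False)
    return (creds.source, is_allowed(creds.policy, action))


# Constructed scenario from the question: the instance role allows everything
# except S3 (explicit Deny), while ~/.aws/credentials holds static admin keys.
ROLE_WITH_S3_DENY = Credentials("instance_profile", [("Allow", "*"), ("Deny", "s3:*")])
STATIC_ADMIN_KEYS = Credentials("credentials_file", [("Allow", "*")])


def scenario_with_static_keys() -> Tuple[str, bool]:
    """Both sources present: the credentials file shadows the role entirely."""
    return effective_access("s3:GetObject",
                            credentials_file=STATIC_ADMIN_KEYS,
                            instance_profile=ROLE_WITH_S3_DENY)


def scenario_role_only() -> Tuple[str, bool]:
    """Only the instance profile present: the role's Deny is enforced."""
    return effective_access("s3:GetObject", instance_profile=ROLE_WITH_S3_DENY)


def hosts_with_shadowed_roles(inventory: List[dict]) -> List[str]:
    """Audit helper over a constructed host inventory: hosts where a credentials
    file would shadow the instance profile, so role guardrails do not bound
    what SDK calls from that host can do."""
    return [h["host"] for h in inventory
            if h.get("has_credentials_file") and h.get("has_instance_profile")]


if __name__ == "__main__":
    print(scenario_with_static_keys())   # ('credentials_file', True)
    print(scenario_role_only())          # ('instance_profile', False)
```

Run it as a script to see the two outcomes side by side. The `hosts_with_shadowed_roles` helper is the audit-side takeaway: an instance that has both an instance profile and a credentials file should be treated as one whose role policy does not bound its workloads, and the static keys should be removed so the role is the only credential source.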

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple of years to develop a plan for a medium-size company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies, such as utilities, power, etc., might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; they do NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research Questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. begins with preparation products designed to deliver real 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies such as utilities, power, etc. might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; they do NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users, owners, and operators of the bulk power system" in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet." The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10-megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise operating system and phones that are enabled for Enterprise Voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20 percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the future volume of Skype for Business traffic and guarantee high quality of Skype for Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver and Seattle offices to implement a robust and reliable WAN solution with end-to-end support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2)
shall comply with occupational safety and health standards promulgated under this Act.
(b)
Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan and wish you the best of luck
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. certification exam score, and the 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent simultaneous instant messaging usage, 1 percent peer-to-peer traffic and 25 percent public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the future volume of Skype for Business traffic and guarantee high quality of Skype for Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver and Seattle offices to implement a robust and reliable WAN solution with end-to-end support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster recovery data center should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. End-to-end QoS support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance's credentials file specifies an IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time.
B. The EC2 instance will be able to perform all actions on any S3 bucket.
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets.
Answer: B
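The reason B is the answer is the order in which the AWS CLI and SDKs resolve credentials: static keys in environment variables or in the shared credentials file (~/.aws/credentials) are picked up before the SDK ever asks the instance metadata service for the role's temporary credentials. Calls signed with those static keys are authorized against the IAM principal the keys belong to, so the role's explicit deny on S3 is simply never evaluated. The following Python is an added illustration, not part of the exam page or of any AWS tooling; it models that provider chain (simplified to the three sources relevant here, with assume-role, SSO and container providers omitted) and, from a defender's standpoint, flags the case where static keys on a host shadow the role an administrator believes is in force. The credentials file content and key values are constructed placeholders.

```python
"""Model of the AWS credential provider chain, as an audit aid.

Added example (not from the exam page). The AWS CLI and SDKs look for
credentials in a fixed order: environment variables, then the shared
credentials file (~/.aws/credentials), and only then the instance profile
role served by the instance metadata service. Static keys found earlier
in the chain are used as-is, so the policies attached to the instance
role are never consulted for those calls. The chain below is simplified
to these three sources (assume-role, SSO and container providers omitted).
"""
import configparser
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample of an ~/.aws/credentials file as found on a host.
# The key id and secret are placeholders, not real AWS credentials.
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIA-PLACEHOLDER-KEY-ID
aws_secret_access_key = PLACEHOLDER-SECRET
"""


@dataclass
class Resolution:
    source: str                # environment | shared-credentials-file | instance-profile | none
    role_policies_apply: bool  # True only when the instance role's credentials are used
    finding: Optional[str]     # audit note when a static key shadows the role


def parse_credentials_file(text: str, profile: str = "default") -> Optional[Dict[str, str]]:
    """Return the static key pair stored under `profile`, or None if incomplete."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section(profile):
        return None
    key_id = cp.get(profile, "aws_access_key_id", fallback=None)
    secret = cp.get(profile, "aws_secret_access_key", fallback=None)
    if not key_id or not secret:
        return None
    return {"aws_access_key_id": key_id, "aws_secret_access_key": secret}


def resolve_credentials(env: Dict[str, str], credentials_file: Optional[str],
                        instance_role_attached: bool) -> Resolution:
    """Walk the provider chain in SDK order and report which source wins."""
    # 1. Environment variables are consulted first.
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return Resolution("environment", False,
                          "static keys in the environment shadow the instance role")
    # 2. Then the default profile of the shared credentials file.
    if credentials_file is not None and parse_credentials_file(credentials_file):
        return Resolution("shared-credentials-file", False,
                          "static keys in ~/.aws/credentials shadow the instance role")
    # 3. Only now does the SDK fall back to the instance profile via IMDS,
    #    and only then do the role's attached policies govern the calls.
    if instance_role_attached:
        return Resolution("instance-profile", True, None)
    return Resolution("none", False, "no credentials available")


def exam_scenario() -> Resolution:
    """The question's setup: role denies all S3, credentials file holds admin keys."""
    return resolve_credentials(env={}, credentials_file=SAMPLE_CREDENTIALS_FILE,
                               instance_role_attached=True)


if __name__ == "__main__":
    r = exam_scenario()
    print(f"credentials come from: {r.source}")
    print(f"instance role policies apply: {r.role_policies_apply}")
    if r.finding:
        print(f"FINDING: {r.finding}")
```

On a real instance the equivalent check is to run `aws sts get-caller-identity` from the host and confirm the returned ARN is the instance role's assumed-role ARN; a user ARN means a static key somewhere on the host is winning the chain, and the role's policies are not what is being enforced.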

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to the systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover actions before, during, and after the disaster.
It may take a couple of years to develop a plan for a medium-sized company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies, such as utilities, power, etc., might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users, owners, and operators of the bulk power system" in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet." The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. questions and answers. Learn more than just the 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10-megabit-per-second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of the Vancouver and Seattle data centers is shown in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise operating system and phones that are enabled for Enterprise Voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20 percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the future volume of Skype for Business traffic and guarantee high quality of Skype for Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver and Seattle offices to implement a robust and reliable WAN solution with end-to-end support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies an IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B
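Why B is the correct answer, as an added example that is not part of the original question bank: the AWS SDKs and CLI resolve credentials through a fixed provider chain in which the shared credentials file is consulted before the instance metadata service, so the long-term administrator keys in the file are the ones used to sign requests, and the role's explicit Deny never comes into scope because the role's credentials are never obtained. The deny would only apply to requests signed with the role's temporary credentials. The script below simulates that chain and IAM's explicit-deny evaluation over constructed inputs; the file contents, key IDs, policy documents and the three providers shown are assumptions for this example (the real chain has more providers between those shown, in the same relative order).

```python
import configparser

# Constructed for this example: the shared credentials file an operator left on
# the instance (~/.aws/credentials). The key ID and secret are not real values.
CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAEXAMPLEADMIN0001
aws_secret_access_key = ExampleSecretNotARealValue
"""

# Constructed: identity policy of the IAM user that owns those long-term keys.
ADMIN_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: identity policy of the role in the instance profile. The Allow is
# broad, but the explicit Deny on s3:* overrides it for every S3 call.
INSTANCE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*"},
    ],
}


def from_environment(env):
    """Provider 1: AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in the process environment."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return {"source": "environment", "policy": ADMIN_USER_POLICY}
    return None


def from_shared_file(text, profile="default"):
    """Provider 2: the [profile] section of the shared credentials file."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if parser.has_option(profile, "aws_access_key_id") and parser.has_option(
        profile, "aws_secret_access_key"
    ):
        return {"source": "shared-credentials-file", "policy": ADMIN_USER_POLICY}
    return None


def from_instance_profile():
    """Provider 3: stand-in for the IMDS call that hands out the role's temporary credentials."""
    return {"source": "instance-profile", "policy": INSTANCE_ROLE_POLICY}


def resolve_credentials(env, shared_file_text):
    """Walk the chain in order; the first provider that returns credentials wins and
    the remaining providers are never consulted."""
    providers = [
        lambda: from_environment(env),
        lambda: from_shared_file(shared_file_text),
        from_instance_profile,
    ]
    for provider in providers:
        creds = provider()
        if creds is not None:
            return creds
    raise RuntimeError("no credentials available")


def _matches(pattern, action):
    """Minimal IAM action matching: '*', a 'service:*' style prefix, or an exact name."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()


def is_allowed(policy, action):
    """Identity-policy evaluation: a matching explicit Deny always wins; otherwise a
    matching Allow grants; otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(_matches(p, action) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def can_call(action, env, shared_file_text):
    """Return (credential source the SDK would pick, whether the call is authorized)."""
    creds = resolve_credentials(env, shared_file_text)
    return creds["source"], is_allowed(creds["policy"], action)


if __name__ == "__main__":
    # The scenario in the question: credentials file present, role with the S3 deny attached.
    print(can_call("s3:PutObject", {}, CREDENTIALS_FILE))  # ('shared-credentials-file', True)
    # Same instance once the stray file is removed: the role's explicit deny now applies.
    print(can_call("s3:PutObject", {}, ""))  # ('instance-profile', False)
```

The practical lesson is that the role-level Deny is not a guardrail against static keys left on the box: remove the credentials file and rely on the instance profile, and in CloudTrail watch for calls from the instance whose userIdentity type is IAMUser rather than AssumedRole, which is the signature of this mis-configuration.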

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it may be able to withstand lengthy interruptions.
Remember that the DRP covers the systems needed to support your most critical business functions.
The DRP itself covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the key word in the question, also includes steps that happen before the plan is used, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover actions before, during, and after the disaster.
It may take a couple of years to develop a plan for a medium-sized company; a lot has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blanket statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users, owners, and operators of the bulk power system" in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet." The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2)
shall comply with occupational safety and health standards promulgated under this Act.
(b)
Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan and wish you the best of luck
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. life cycle.

Don't settle for sideline 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10-megabit-per-second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of the Vancouver and Seattle data centers is shown in the exhibit.
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies an IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B
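Why the answer is B, shown as an added illustration that is not part of the original question bank and is not AWS SDK code: the AWS CLI and SDKs resolve credentials through a provider chain and stop at the first source that yields keys, and the shared credentials file (~/.aws/credentials) is consulted before the instance profile served by the instance metadata service. Every request from the instance is therefore signed with the long-lived keys of the IAM user that owns them, and IAM evaluates only that user's policies; the explicit Deny lives on the role, which is never used. The model below mirrors the documented chain order and the documented rule that an explicit Deny overrides an Allow within one principal's policies. The user, role and profile names are constructed, the key values are the placeholder examples from the AWS documentation, and the last function is the check a responder actually wants on such a host: find the static keys that bypass the role.

```python
import configparser
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Credentials:
    """Keys as seen by the SDK, plus the IAM principal they authenticate."""
    source: str         # which provider in the chain produced the keys
    principal: str      # IAM user or role that owns them
    statements: tuple   # policy statements attached to that principal


def resolve_credentials(env_creds, file_creds, instance_profile_creds):
    """Mimic the provider chain: environment variables, then the shared
    credentials file, then the instance profile. The first hit wins; the
    later sources are never consulted."""
    for creds in (env_creds, file_creds, instance_profile_creds):
        if creds is not None:
            return creds
    raise RuntimeError("no credentials available")


def is_allowed(statements, action):
    """IAM decision for one action against the statements of ONE principal:
    an explicit Deny wins over any Allow; no match at all is an implicit deny.
    Resource matching is left out because the question uses Resource '*'."""
    allowed = False
    for st in statements:
        patterns = st["Action"] if isinstance(st["Action"], (list, tuple)) else [st["Action"]]
        if not any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed principals for the scenario in the question (hypothetical names).
ROLE = Credentials(
    source="instance profile (IMDS)",
    principal="role/ec2-app-role",
    statements=({"Effect": "Deny", "Action": "s3:*", "Resource": "*"},),
)
ADMIN_USER = Credentials(
    source="~/.aws/credentials",
    principal="user/admin-user",
    statements=({"Effect": "Allow", "Action": "*", "Resource": "*"},),
)


def s3_decision(file_creds, action="s3:GetObject"):
    """Who signs an S3 call made from the instance, and whether it succeeds."""
    creds = resolve_credentials(None, file_creds, ROLE)
    return creds.principal, is_allowed(creds.statements, action)


# Constructed shared credentials file; the key values are the placeholder
# examples used in the AWS documentation, not real credentials.
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[tooling]
region = us-west-2
"""


def profiles_with_static_keys(credentials_file_text):
    """Incident-response check: list the profiles in a shared credentials
    file that carry long-lived keys. Any hit means calls from this host
    bypass the instance role and its policy."""
    cfg = configparser.ConfigParser()
    cfg.read_string(credentials_file_text)
    return [s for s in cfg.sections() if cfg.has_option(s, "aws_access_key_id")]


if __name__ == "__main__":
    print("credentials file present:", s3_decision(ADMIN_USER))   # ('user/admin-user', True)
    print("credentials file removed:", s3_decision(None))         # ('role/ec2-app-role', False)
    print("profiles with static keys:", profiles_with_static_keys(SAMPLE_CREDENTIALS_FILE))  # ['default']
```

The remediation follows from the model: tightening the role changes nothing while the credentials file exists, because the role is never selected. Remove the static keys from the instance, rotate and disable them in IAM, and only then does the role's Deny take effect. On a real host the same question is answered by `aws sts get-caller-identity`, which reports the user or role that actually signed the request.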

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it may be able to withstand lengthy interruptions.
Remember that DRP is related to the systems needed to support your most critical business functions.
The DRP itself covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, also includes steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple of years to develop a plan for a medium-size company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required by laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies, such as utilities, power, etc., might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. dumps or the shortcut using 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it may be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple of years to develop a plan for a medium-sized company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies, such as utilities, power, etc., might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives; it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. cheats. Prepare for your 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2)
shall comply with occupational safety and health standards promulgated under this Act.
(b)
Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan and wish you the best of luck
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. tests like a professional using the same 0([45]\d{6})$
C. online training that thousands of others have used with Ce-Isareti 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of the Vancouver and Seattle data centers is shown in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise operating system and phones that are enabled for Enterprise Voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20 percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1 percent of peer-to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the future volume of Skype for Business traffic and guarantee high quality of Skype for Business calls.
The volume of Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver and Seattle offices to implement a robust and reliable WAN solution with end-to-end support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster recovery data center should be available.
Technical Requirements
All Session Initiation Protocol (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An IAM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the IAM access key and secret access key, which allow full administrative access.
Given that multiple modes of IAM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time.
B. The EC2 instance will be able to perform all actions on any S3 bucket.
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets.
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple of years to develop a plan for a medium-size company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.
Some companies such as utilities, power, etc. might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member's existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; they do NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users, owners, and operators of the bulk power system" in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet." The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

0([45]\d{6})$
C. practice exams.

Top 0([45]\d{8})$
Answer: D
Explanation:
Topic 6, Contoso, LTD 2
Contoso, Ltd. is a Canadian business law firm that currently employs 300 people. The company operates a main office in Vancouver that houses 250 employees and a branch office in Seattle that houses 50 employees. All Contoso users are Skype for Business-enabled. Contoso is launching a hybrid configuration of Office 365 to validate the cloud-based Exchange Online service.
Contoso plans to introduce a remote disaster recovery data center to host remote replicas of key services, including Active Directory Domain Services (AD DS), Skype for Business, Exchange, and files and legal software. The company also plans to acquire a small law firm in Vancouver called Litware, Inc., which has 80 employees. Litware currently uses a 10megabit per second (Mbps) Internet connection.
Half of Litware employees will use Skype for Business services. All Skype for Business-enabled users in Litware will use Instant Messaging only. Currently, Instant Messaging concurrent usage at Litware is 50 percent during peak hours.
There is a possibility that Contoso will make two more acquisitions during the next three years. Vancouver and Seattle employees have submitted support tickets to report poor quality of outbound Skype for Business calls to external users. A user activity report collected by the help desk department is shown in the User Activity Report section.
There is a concern that in the future, the volume of Skype for Business traffic may reach up to 50 percent of the current bandwidth available in the Vancouver office.
User Activity Report

Existing Environment
The core portion of the infrastructure is located in the Vancouver data center, although the
Seattle data center also has two servers (listed below) to provide redundancy of Active Directory and data services.
The following services and applications comprise Contoso's infrastructure in Vancouver and Seattle.
Vancouver Data Center:

Seattle Data Center:

An overview of the network infrastructure of Vancouver and Seattle data centers is shown
in the exhibit. (Click the Exhibit button.)
All users in the Vancouver and Seattle offices use the Microsoft Windows 8 Enterprise
operating system and phones that are enabled for Enterprise voice.
Contoso expects to see a growing number of remote users. They anticipate that up to 20
percent of users in Vancouver might work remotely.
Contoso has defined a team of 35 users who will participate in a pilot deployment of the
Office 365 hybrid configuration.
The offices in Vancouver and Seattle are using 5-Mbps Internet connections. Contoso has a site-to-site VPN between the Vancouver office and the Seattle office.
All external outbound calls from the Vancouver and Seattle offices are routed outside through the office in Vancouver.
Business Requirements
Contoso needs to review the existing network topology as well as the Skype for Business
Server 2015 infrastructure to ensure that network capacity is sufficient to accommodate the
Litware, Inc. Skype for Business users in the future.
Contoso expects to see up to 85 percent of simultaneous instant messaging, 1% of peer-
to-peer traffic and 25 percent of public switched telephone network (PSTN) calls over the
WAN during business hours.
All existing issues that relate to poor quality of outbound Skype for Business calls need to
be addressed as well.
Contoso wants to ensure the following:
Current network bandwidth allocated to the Vancouver office is sufficient to sustain the
future volume of Skype for Business traffic and guarantee high quality of Skype for
Business calls.
Volume the Skype for Business traffic does not exceed 25 percent of the WAN bandwidth.
Contoso plans to redesign the existing site-to-site VPN solution between the Vancouver
and Seattle offices to implement a robust and reliable WAN solution with end-to-end
support of Quality of Service (QoS).
The recommended design solution needs to eliminate the possibility of WAN
oversubscription by Skype for Business traffic.
The proposed Skype for Business Server 2015 solution needs to be:
Scalable to accommodate the company's future acquisitions.
Readily available for Vancouver and Seattle users.
In case of a disaster, a manual switchover of Skype for Business services to the disaster
recovery datacenter should be available.
Technical Requirements
All Session Initiation Protocol traffic (SIP) traffic must be encrypted.
All external Skype for Business Server 2015 services must be protected by a firewall.
A commercial third-party certificate must be used on the external interface of Skype for Business Server 2015 Edge servers.
The Role-Based Access Control (RBAC) model will be implemented to delegate basic administrative tasks to the Skype for Business help desk team.
All maintenance of Skype for Business servers must be performed outside of business hours.
The proposed architecture solution must support interoperability between Skype for Business Server 2015 and Exchange 2013.
The Skype for Business Bandwidth Calculator must be used to analyze Skype for Business traffic. The QoS end-to-end support needs to be implemented.
Exhibit


NEW QUESTION: 2
An 1AM role is attached to an Amazon EC2 instance that explicitly denies access to all Amazon S3 API actions. The EC2 instance credentials file specifies the 1AM access key and secret access key, which allow full administrative access.
Given that multiple modes of 1AM access are present for this EC2 instance, which of the following is correct?
A. The EC2 instance will only be able to list the contents of one S3 bucket at a time
B. The EC2 instance will be able to perform all actions on any S3 bucket
C. The EC2 instance will not be able to perform any S3 action on any S3 bucket.
D. The EC2 instance will only be able to list the S3 buckets
Answer: B

NEW QUESTION: 3
When is the standard hierarchy of the controlling area created?
Response:
A. When the controlling area is defined
B. When the first company code is assigned to the controlling area
C. When the controlling area is assigned to the operating concern
D. When the first cost center for a controlling area is created
Answer: A

NEW QUESTION: 4
Which of the following statements pertaining to disaster recovery planning is incorrect?
A. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
B. Every organization must have a disaster recovery plan
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.
Answer: B
Explanation:
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft
...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).
B.