CCNA IS Operations Resilience Questions

72 questions · IS Operations Resilience topic · All types, answers revealed

1
MCQ · hard

An online retail company runs its e-commerce platform on a virtualized infrastructure with 50 virtual servers. The platform experiences intermittent slowdowns during peak hours, and recent monitoring reports show that disk I/O latency on the storage area network (SAN) frequently exceeds 50 ms during these periods. The SAN has two fabric switches and a single storage array with 12 TB of usable capacity, currently at 80% utilization. The company’s disaster recovery plan requires recovery point objective (RPO) of 1 hour and recovery time objective (RTO) of 4 hours for the e-commerce platform. During a recent test failover to the disaster recovery site, the IT team discovered that the replication link between primary and DR sites is saturated, causing replication lag of up to 3 hours. The team also noted that the DR site storage has only 6 TB of usable capacity, now at 60% utilization. The IT manager is concerned about meeting the RPO and RTO. Which course of action should the IT team take first?

A. Upgrade the SAN fabric switches to support higher throughput and reduce disk I/O latency
B. Add additional storage capacity to the DR site to reduce storage utilization
C. Implement more frequent incremental backups and reduce retention period to free up storage
D. Upgrade the replication link between primary and DR sites to a higher bandwidth connection
Answer: D

This directly addresses the replication lag, reducing it to meet the 1-hour RPO, and is the most urgent action to ensure disaster recovery objectives.

Why this answer

The immediate issue preventing the organization from meeting its RPO of 1 hour is the saturated replication link, which causes replication lag of up to 3 hours. Upgrading the link to a higher bandwidth connection directly addresses the bottleneck, reducing replication time and enabling the RPO to be met. Other options, while potentially beneficial, do not resolve the primary cause of the RPO failure.

Exam trap

The trap here is that candidates focus on the disk I/O latency or storage utilization issues, which are performance concerns, rather than recognizing that the saturated replication link is the direct cause of the RPO failure and must be addressed first.

How to eliminate wrong answers

Option A is wrong because upgrading the SAN fabric switches addresses disk I/O latency, which is a performance issue, not the replication lag that causes the RPO violation. Option B is wrong because adding storage capacity to the DR site does not reduce replication lag; it may even increase the amount of data that needs to be replicated. Option C is wrong because implementing more frequent incremental backups does not solve the replication link saturation; it could increase the load on the link and worsen the lag, and backups are not the same as synchronous or asynchronous replication used for RPO.

2
MCQ · medium

A financial institution operates a critical payment processing system that must maintain 99.999% availability. The system is deployed across two data centers in active-active mode with load balancing. During a routine maintenance window, a network misconfiguration caused all traffic to be directed to one data center, which then became overloaded and crashed, resulting in 30 minutes of downtime. The incident response team wants to prevent recurrence. Which of the following is the BEST action?

A. Configure health checks on the load balancers to detect and isolate unhealthy nodes.
B. Schedule all maintenance during non-peak hours only.
C. Increase the capacity of each data center to handle full traffic load.
D. Implement automatic failover to the backup data center when a threshold is exceeded.
Answer: A

Health checks can automatically remove an overloaded node from the pool, preventing cascading failure.

Why this answer

Option A is correct because health checks on load balancers can automatically detect an overloaded node and redirect traffic to the healthy one. Option D assumes a failover mechanism that is not needed in active-active. Option C is costly and does not prevent similar misconfigurations. Option B does not address the technical root cause.

3
MCQ · medium

An organization uses a hot site for disaster recovery. During a recent test, the hot site did not have the latest version of the application software. What is the MOST likely cause?

A. Inadequate change management procedures
B. Failure to synchronize data
C. Lack of backup media
D. Insufficient bandwidth
Answer: A

Without proper change management, software updates may not be applied to the hot site.

Why this answer

Option A is correct because inadequate change management procedures fail to ensure that updates are replicated to the hot site. Options B, C, and D are less likely.

4
MCQ · easy

Which is the MOST likely cause?

A. Network connectivity lost
B. Backup software license expired
C. Backup media is full
D. Backup media is not connected
Answer: D

The error indicates the device is not ready, often due to disconnection or power off.

Why this answer

Option D is correct because 'The device is not ready' indicates the backup media is not available. Option C would give a different error; B typically shows a license error; A shows a network error.

5
Multi-Select · medium

Which TWO of the following are primary objectives of capacity management? (Select exactly 2.)

Select 2 answers
A. To ensure adequate IT resources to meet current and future business demands
B. To monitor and report on system performance against SLAs
C. To minimize the total cost of ownership of IT resources
D. To procure hardware and software at the lowest possible cost
E. To optimize the use of existing resources to support business growth
Answers: A, E

This is the core purpose of capacity management.

Why this answer

Options A and E are correct. Capacity management aims to ensure that current and future business requirements are met cost-effectively. Option C is about financial management; Option B is performance monitoring but not the primary objective; Option D is procurement.

6
MCQ · medium

Given this configuration, which is the PRIMARY concern?

A. Data change rate exceeds bandwidth
B. RTO may not be achievable
C. Synchronous replication may impact application performance
D. Bandwidth may be insufficient to meet RPO
Answer: D

The required replication bandwidth exceeds available bandwidth, risking RPO violations.

Why this answer

Option D is correct because the data change rate of 50 GB per hour (~112 Mbps sustained) exceeds the 100 Mbps bandwidth, causing replication lag that may exceed the RPO. Option B is less direct; C is a concern but not primary; A is the same as D.

7
MCQ · easy

A medium-sized retail company relies on an ERP system for order processing and inventory management. The system is hosted on-premises with daily backups stored on tape. The company's business continuity plan specifies an RTO of 4 hours and an RPO of 1 hour for the ERP system. During a recent fire drill, it was discovered that restoring the ERP system from tape took over 6 hours, and the most recent backup was from the previous day. Which of the following is the BEST course of action to meet the RTO and RPO goals?

A. Increase the frequency of tape backups to every 30 minutes.
B. Conduct quarterly fire drills instead of annually.
C. Implement a hot standby site with real-time replication.
D. Replace tape backups with weekly cloud backups.
Answer: C

Hot standby with replication meets both RTO and RPO requirements.

Why this answer

Option C is correct because a hot standby site with real-time replication can achieve an RPO near zero and an RTO within 4 hours. Option A reduces RPO but does not improve the long restore time. Option D increases RPO to days, which is worse. Option B does not address the recovery capability.

8
Multi-Select · medium

Which TWO of the following are essential components of an effective incident response plan? (Select exactly 2.)

Select 2 answers
A. Root cause analysis procedures
B. Detailed vulnerability scanning schedules
C. Clearly defined roles and responsibilities
D. List of all hardware vendors and support contacts
E. Communication and escalation procedures
Answers: C, E

Essential for coordinated response.

Why this answer

Clearly defined roles and responsibilities (C) are essential because they ensure that during a security incident, every team member knows their specific tasks, such as who leads the investigation, who communicates with stakeholders, and who executes containment actions. Without this clarity, response efforts become chaotic, leading to delays and missed containment windows, which directly impacts the organization's ability to minimize damage and recover quickly.

Exam trap

ISACA often tests the distinction between proactive security activities (like vulnerability scanning or vendor lists) and the reactive, operational components of an incident response plan, leading candidates to mistakenly include non-essential items that are important for general IT management but not for immediate incident handling.

9
MCQ · medium

An IT auditor is reviewing the change management process for a financial application. The auditor finds that emergency changes are frequently implemented without post-implementation review. What is the MOST significant risk?

A. The change may not be documented properly
B. The change may cause an outage during the next backup cycle
C. Security vulnerabilities may be introduced and remain undetected
D. Users may not be notified of the change
Answer: C

Emergency changes bypass normal controls, and lack of review means any flaws are not corrected promptly.

Why this answer

Option C is correct because without review, emergency changes may introduce security vulnerabilities or instability that go unnoticed. Of the other options, one is a lesser risk, one is a consequence but not the most significant, and one is an operational risk but less critical than security.

10
MCQ · easy

During a disaster recovery test, the recovery time objective (RTO) for a critical application was not met. Which of the following is the MOST likely cause?

A. The backup media was stored offsite
B. The standby server had insufficient storage capacity
C. The network connectivity was tested beforehand
D. The recovery procedures were documented
Answer: B

Correct: Lack of storage can prevent or delay data restoration.

Why this answer

Insufficient storage on the standby server delays data restoration, directly impacting RTO. Other options are good practices that would not cause failure.

11
MCQ · medium

An organization's online transaction processing system experienced a sudden performance degradation. The database administrator checked system resources and found excessive I/O wait time on the storage subsystem. Which of the following is the MOST likely root cause?

A. An inefficient SQL query causing table scans
B. Inadequate disk spindles or a storage area network (SAN) bottleneck
C. Insufficient memory allocated to the database server
D. Network latency between the application and database servers
Answer: B

I/O wait is a clear indicator of storage subsystem saturation, often due to insufficient disk spindles or SAN performance issues.

Why this answer

Option B is correct because excessive I/O wait time typically indicates that the storage system cannot keep up with the demand, often due to insufficient disk spindles or a storage bottleneck. Option C is wrong because insufficient memory usually causes high CPU usage or swapping, not directly I/O wait. Option D is wrong because network latency affects network I/O, not disk I/O. Option A is wrong because application code bugs might cause logical errors but not necessarily storage I/O issues.

12
Multi-Select · hard

Which THREE of the following are common techniques for ensuring business resilience?

Select 3 answers
A. Insurance policies
B. Regular data backups
C. Annual employee training
D. Redundant hardware
E. Single point of failure analysis
Answers: A, B, D

Insurance provides financial resilience to recover from losses.

Why this answer

Correct answers are A, B, and D: insurance policies, regular data backups, and redundant hardware. C and E are not resilience techniques; E is a risk analysis step, C is training which is supportive but not a core resilience technique.

13
MCQ · easy

A small e-commerce company uses a cloud-based e-commerce platform with automatic scaling. The company's business continuity plan relies on the cloud provider's promise of 99.99% uptime. During a regional outage affecting the cloud provider's primary availability zone, the company's website became unavailable for 2 hours, resulting in lost sales. The IT manager wants to improve resilience. Which of the following is the BEST action?

A. Maintain a secondary on-premises server for failover.
B. Increase the reserved capacity in the cloud to handle spikes.
C. Negotiate a higher service-level agreement (SLA) with the provider.
D. Implement a multi-cloud strategy with active-active deployment.
Answer: D

Multi-cloud reduces dependency on a single provider and improves availability.

Why this answer

Option D is correct because deploying across multiple cloud providers (multi-cloud) with active-active configuration can withstand a single provider's regional outage. Option C only improves compensation, not availability. Option A is less scalable and may not integrate well. Option B helps with scaling but not with provider failure.

14
Multi-Select · easy

Which TWO of the following are essential components of a disaster recovery plan (DRP)?

Select 2 answers
A. Steps for restoring IT systems
B. Detailed financial audit procedures
C. Employee performance reviews
D. List of critical contacts
E. Backup media rotation schedule
Answers: A, D

Restoration procedures are a core component of DRP.

Why this answer

Option A is correct because the primary purpose of a DRP is to restore IT systems and operations after a disaster. The plan must include step-by-step recovery procedures for critical systems, applications, and data to ensure business continuity. Without these steps, the DRP cannot guide the recovery team through the technical restoration process.

Exam trap

The trap here is that candidates often confuse operational procedures like backup rotation schedules (Option E) with the essential recovery-focused components of a DRP, but the DRP itself does not include the rotation schedule—it only references the use of backups.

15
MCQ · hard

A multinational corporation has implemented a hot site disaster recovery solution for its critical financial applications. Which of the following is the MOST important consideration to ensure the effectiveness of the hot site?

A. Data replication latency is less than 15 minutes
B. The hot site is located in a different seismic zone
C. The hot site complies with regional data privacy regulations
D. Regular, documented testing of the failover process is performed
Answer: D

Testing is the only way to verify that the hot site will work when needed, including all technical and procedural aspects.

Why this answer

Option D is correct because without regular testing, the hot site may not function as expected. Options A, B, and C are important but secondary: A is part of planning, B is operational, C is compliance but not the most critical for effectiveness.

16
MCQ · easy

A company is designing its backup strategy for a critical database that must be available 24/7. The database experiences high transaction volumes. Which backup method minimizes data loss while allowing continuous operations?

A. Offline full backup performed weekly
B. Differential backup performed daily
C. Online backup with transaction log backups
D. Full backup performed during low-usage periods
Answer: C

Online backups run while the database is active, and transaction logs allow point-in-time recovery with minimal data loss.

Why this answer

Online backup with transaction log backups (Option C) is correct because it allows the database to remain fully operational (24/7 availability) while capturing every committed transaction in the transaction log. In the event of a failure, you can restore the most recent full backup and then apply all subsequent transaction log backups to recover to the exact point of failure, minimizing data loss to only uncommitted transactions.

Exam trap

The trap here is that candidates often confuse 'differential backup' with 'transaction log backup,' assuming differential backups provide the same granularity of recovery, when in fact differentials only capture cumulative changes since the last full backup and cannot restore to an arbitrary point in time.

How to eliminate wrong answers

Option A is wrong because an offline full backup performed weekly requires taking the database offline, which violates the 24/7 availability requirement, and a weekly full backup alone would result in up to a week of potential data loss. Option B is wrong because a differential backup captures all changes since the last full backup but does not capture every individual transaction; it still requires a full backup and can lose all changes made since the last differential backup, which could be up to 24 hours of data. Option D is wrong because a full backup performed during low-usage periods still requires taking the database offline (or at least putting it in a consistent state), which disrupts continuous operations, and it does not provide point-in-time recovery granularity.

17
MCQ · hard

During an incident, the IT team identifies that a critical patch was not applied due to an expired software maintenance contract. Which of the following is the BEST long-term remediation?

A. Renew the maintenance contract
B. Apply the patch immediately
C. Isolate the affected system
D. Implement a vulnerability management program
Answer: D

Correct: A formal program ensures patches are timely and contracts are monitored.

Why this answer

A vulnerability management program ensures systematic identification and remediation of missing patches, addressing the root cause. Immediate patching and isolation are tactical; renewing the contract is necessary but not a process improvement.

18
MCQ · hard

An organization is implementing a business continuity plan (BCP) and needs to determine the maximum acceptable downtime for a critical system. Which metric should be defined FIRST?

A. Recovery Time Objective (RTO)
B. Mean Time to Repair (MTTR)
C. Recovery Point Objective (RPO)
D. Service Level Agreement (SLA)
Answer: A

Correct: RTO is the primary metric for downtime tolerance.

Why this answer

RTO defines the maximum acceptable downtime; it is the foundational metric for recovery planning. RPO, MTTR, and SLA are defined later or are contractual.

19
MCQ · medium

A company's backup policy requires daily full backups to tape and offsite storage. After a ransomware attack, the IT team discovers that the latest backup set is corrupted. Which of the following controls would have BEST prevented this?

A. Implementation of immutable backup storage
B. Encryption of backup tapes
C. Periodic restoration testing
D. Journaling of backup logs
Answer: A

Correct: Immutability prevents alteration, protecting backup integrity.

Why this answer

Immutable backup storage ensures backups cannot be altered or deleted, preventing corruption from ransomware. Encryption protects confidentiality, not integrity; logging detects but does not prevent; restoration testing detects corruption after the fact.

20
MCQ · hard

During an incident response exercise, the IT team discovers that the failover to the disaster recovery (DR) site failed because the DR site's storage area network (SAN) was not zoned correctly for the replicated data. Which of the following controls would BEST prevent this issue?

A. Maintaining a configuration management database (CMDB)
B. Implementing a change management process for SAN configurations
C. Using automated replication monitoring tools
D. Conducting regular disaster recovery testing including full failover
Answer: D

Regular testing validates that all components work together, including SAN zoning.

Why this answer

Option D is correct because regular disaster recovery testing that includes a full failover is the only control that directly validates that the DR site's SAN zoning is correctly configured to accept replicated data. Without such testing, misconfigurations like incorrect zone sets or missing WWPN (World Wide Port Name) mappings in the SAN fabric remain undetected until an actual failover is attempted. This aligns with the CISA emphasis on testing recovery procedures to ensure business continuity.

Exam trap

The trap here is that candidates often choose 'implementing a change management process' (Option B) because they assume process controls prevent misconfigurations, but they overlook that change management does not validate the actual technical correctness of the configuration—only testing (Option D) can confirm that the DR site's SAN zoning works under failover conditions.

How to eliminate wrong answers

Option A is wrong because a CMDB is a repository for configuration items and their relationships; it does not actively prevent SAN zoning misconfigurations or validate that the DR site's SAN is correctly zoned for replication. Option B is wrong because a change management process for SAN configurations ensures changes are authorized and documented, but it does not guarantee that the resulting zoning is correct for replication or that the DR site's SAN will accept replicated data during failover. Option C is wrong because automated replication monitoring tools can detect replication failures or latency, but they cannot identify a zoning misconfiguration that prevents the DR site from accepting replicated data; they only report on the replication status, not the underlying SAN fabric configuration.

21
MCQ · medium

A database administrator accidentally deleted a critical table. The last full backup was taken 24 hours ago, and transaction logs are archived every 15 minutes. Which recovery method will minimize data loss?

A. Use a standby database
B. Point-in-time recovery using transaction logs
C. Restore from full backup only
D. Restore from full backup and apply transaction logs up to the time of deletion
Answer: D

This recovery method recovers most data, limited only by the log archive interval.

Why this answer

Option D is correct because restoring the full backup and applying transaction logs up to the deletion point recovers all data except the very last transactions. Option B is incomplete; C loses 24 hours; A is not applicable.

22
MCQ · easy

Which of the following is the BEST indicator that an organization's incident management process is effective?

A. The average time to resolve incidents is under 1 hour
B. The number of incidents reported per month is increasing
C. All incidents are logged within 10 minutes of detection
D. The percentage of recurring incidents is decreasing over time
Answer: D

A reduction in recurrence shows that the process is identifying and eliminating root causes.

Why this answer

Option D is correct because a decreasing number of recurring incidents indicates that root causes are being identified and resolved. Option A is about recovery time, not effectiveness; Option B is about volume, which could increase; Option C is reactive, not proactive effectiveness.

23
Multi-Select · medium

Which TWO of the following are key performance indicators (KPIs) for IT operations?

Select 2 answers
A. Number of unresolved incidents
B. Employee satisfaction score
C. Mean time to repair (MTTR)
D. System availability percentage
E. Budget variance
Answers: C, D

MTTR measures the efficiency of incident resolution.

Why this answer

Mean time to repair (MTTR) measures the average time taken to restore a failed IT service or component, directly reflecting operational efficiency and incident response effectiveness. It is a standard KPI for IT operations because it quantifies the speed of recovery, which is critical for minimizing downtime and maintaining service levels.

Exam trap

The trap here is that candidates confuse operational metrics (like unresolved incidents) with KPIs, or they mistakenly include non-operational metrics (like employee satisfaction or budget variance) that are relevant to other domains but not to IT operations performance.

24
MCQ · hard

Refer to the exhibit. Which of the following is the most significant risk associated with the backup policy for critical data?

A. Offsite backup storage is not configured
B. Retention period is insufficient to meet regulatory requirements
C. Backup frequency is too low to meet recovery point objectives
D. Encryption is not enabled for backup data
Answer: B

The policy retains backups for 30 days, but compliance requires 7 years. This is a critical gap.

Why this answer

Option B is correct because the backup policy shows a retention period of only 30 days, which is insufficient to meet common regulatory requirements such as GDPR, HIPAA, or SOX that often mandate retention of critical data for months or years. Without adequate retention, the organization risks non-compliance, legal penalties, and inability to produce historical records during audits or litigation.

Exam trap

The trap here is that candidates focus on operational risks like backup frequency or encryption, but the most significant risk is regulatory compliance failure due to insufficient retention, which can result in severe penalties and loss of business license.

How to eliminate wrong answers

Option A is wrong because offsite backup storage is not configured; while this increases risk of data loss during a site disaster, it is less significant than regulatory non-compliance, and the policy could still meet RPO/RTO with local backups. Option C is wrong because backup frequency (daily) is typically sufficient to meet common recovery point objectives (RPOs) of 24 hours or less, and the question does not indicate a tighter RPO requirement. Option D is wrong because encryption of backup data, while a security best practice, is not the most significant risk here; the policy does not mention encryption, but the primary concern is retention compliance, not data confidentiality at rest.

25
MCQ · hard

Which control failure is MOST significant?

A. Insufficient incident notification procedures
B. Lack of timely incident response
C. Delayed alerting
D. Inadequate monitoring
Answer: A

The 95-minute gap between alert and notification indicates a procedural failure.

Why this answer

Option A is correct because the delay in notifying the incident response team (from 14:25 to 16:00) is the most significant failure, as it allowed unauthorized access to continue. Option C is not a failure (the alert was timely); of the other two options, one is a factor but not the primary and one is secondary.

26
Drag & Drop · medium

Order the steps for conducting a business impact analysis (BIA) in the correct sequence.

Why this order

BIA steps: identify processes, define recovery objectives, assess impact, prioritize, and document.

27
MCQ · easy

An organization wants to ensure that its backup tapes are protected from unauthorized access. Which of the following is the MOST effective control?

A. Physical locks on the tape library
B. Encryption of the backup data
C. Access control lists on the backup server
D. Offsite storage of tapes
Answer: B

Correct: Encryption renders data unreadable without the key.

Why this answer

Encryption protects data confidentiality even if physical security is breached. Physical locks, access controls, and offsite storage are important but do not protect against all threats like theft during transit.

28
MCQ · hard

During an audit, the IS auditor finds that the business continuity plan (BCP) was last updated two years ago and does not include new cloud-based applications. The organization has not conducted a BCP test in 18 months. What should the auditor recommend FIRST?

A. Obtain management approval for BCP updates
B. Perform a risk assessment to prioritize changes
C. Immediately schedule a full-scale test
D. Update the BCP to include cloud applications
Answer: B

A risk assessment identifies the most critical gaps, enabling efficient allocation of resources.

Why this answer

Option B is correct because a risk assessment is needed to prioritize which updates are critical. Option A is premature without understanding current risks; C is part of the update process but should follow risk assessment; D is later in the process.

29
Multi-Select · hard

A company is updating its business continuity plan (BCP). Which THREE of the following should be included as key components?

Select 3 answers
A. List of critical staff and contact information
B. Detailed network topology diagrams
C. Vendor contracts for equipment replacement
D. Procedures for activating the plan
E. Results of the latest risk assessment
Answers: A, D, E

Correct: Essential for communication and activation.

Why this answer

A BCP must define who is responsible, how to activate the plan, and the risks it addresses. Network diagrams and vendor contracts are supporting documents but not key components of the plan itself.

30
MCQ · hard

Refer to the exhibit. During a security audit, an IS analyst identifies that a critical business application hosted on 192.168.1.100:443 is unreachable from the 10.0.1.0/24 subnet. Which of the following is the MOST likely cause?

A. The first rule blocks all traffic from 10.0.1.0/24
B. The second rule blocks HTTPS traffic from any source to the host
C. The third rule permits all traffic from the 10.0.0.0/16 subnet
D. The firewall is misconfigured for TCP traffic
Answer: A

Correct: The deny rule for the subnet overrides any permit.

Why this answer

The first rule denies all IP traffic from 10.0.1.0/24 to any destination; this rule takes precedence. The second rule blocks only HTTPS from any source, but the first rule already blocks all traffic from that subnet. The permit rule is for a different subnet.

31
MCQ · medium

An organization experiences a critical system failure during non-business hours. The IT team discovers that the last full backup was 48 hours ago, and the incremental backups for the past 24 hours are corrupted. The recovery time objective (RTO) for this system is 4 hours, and the recovery point objective (RPO) is 1 hour. Which of the following is the MOST immediate concern?

A. The backup schedule should be changed to daily full backups
B. The data loss may exceed the recovery point objective (RPO)
C. The root cause of the failure must be determined before recovery
D. The recovery time objective (RTO) of 4 hours will be exceeded
Answer: B

With corrupted incremental backups, data loss will be at least 48 hours, far exceeding the 1-hour RPO.

Why this answer

The RPO of 1 hour means the organization can tolerate losing at most 1 hour of data. With the last full backup 48 hours old and incremental backups for the past 24 hours corrupted, the usable recovery point is at least 24 hours old, resulting in data loss far exceeding the 1-hour RPO. This gap between actual and acceptable data loss is the most immediate concern because it directly violates the business continuity requirement.

Exam trap

The trap here is that candidates focus on the RTO (4 hours) as the most urgent metric, overlooking that the RPO violation (data loss of 24+ hours vs. 1-hour tolerance) is a more fundamental and immediate business continuity failure, since lost data cannot be recovered by simply restoring faster.

How to eliminate wrong answers

Option A is wrong because changing the backup schedule to daily full backups does not address the immediate data loss crisis; it is a long-term preventive measure, not an urgent response to the current RPO violation. Option C is wrong because determining the root cause of the failure should occur after recovery, not before; delaying recovery to investigate the cause would worsen the RTO breach and data loss. Option D is wrong because the RTO of 4 hours is a recovery speed target, and while it may be challenged, the primary and most immediate concern is the massive data loss (RPO violation), not the recovery time itself.

32
MCQ · hard

A multinational organization operates a critical ERP system on a virtualized infrastructure across two data centers (primary and DR). The primary data center is located in Region A, and the DR site in Region B, 500 km away. The ERP database is 2 TB and changes at an average rate of 10 MB per second. The organization uses synchronous replication between the two sites over a dedicated 10 Gbps WAN link. During a recent disaster simulation, the IT team observed that the replication link experienced 15 ms latency, causing the primary database to slow down significantly under peak load, ultimately missing the defined RTO of 4 hours for full failover. The business has an RPO of 15 minutes. The CISO asks the IS auditor to recommend a solution that balances cost and performance while meeting both RTO and RPO. Which of the following is the BEST course of action?

A. Change replication to asynchronous mode and implement continuous data protection (CDP) to meet the 15-minute RPO.
B. Reduce the RPO to 30 minutes and perform snapshots every 30 minutes on the primary site.
C. Upgrade the WAN link to 40 Gbps to reduce latency and improve replication throughput.
D. Implement a backup-to-disk solution with daily full backups and hourly transaction log backups to the DR site.
Answer: A

Correct: Asynchronous replication eliminates performance impact, and CDP provides point-in-time recovery within RPO.

Why this answer

Synchronous replication over long distance introduces latency that degrades primary performance. Changing to asynchronous replication with continuous data protection (CDP) can meet the 15-minute RPO without impacting the primary site. Upgrading bandwidth does not reduce latency; backup-to-disk with hourly logs may not meet RPO due to potential data loss; reducing RPO changes the business requirement unacceptably.

33
Multi-Select · hard

Which THREE of the following are common challenges when implementing a bring-your-own-device (BYOD) policy that affect information systems operations? (Select exactly 3.)

Select 3 answers
A. Difficulty in enforcing data encryption and remote wipe capabilities
B. Reduced hardware procurement costs for the organization
C. Increased employee productivity due to device familiarity
D. Incompatibility between corporate applications and various device platforms
E. Increased risk of malware infections due to unmanaged devices
Answers: A, D, E

Ensuring data security on personal devices is challenging.

Why this answer

Options A, C, and D are correct. BYOD introduces security risks (A), support complexity (C), and data leakage (D). Option B is an advantage, not a challenge; Option E is less common as a challenge compared to the others.

34
MCQ · medium

An IS auditor is reviewing the change management process for a financial application. Which of the following findings would be of MOST concern?

A. Change requests are logged in a spreadsheet
B. Standard changes are pre-approved
C. Change windows are defined in the policy
D. Emergency changes are not reviewed within 30 days
Answer: D

Correct: Emergency changes require timely retroactive review to ensure proper authorization.

Why this answer

Emergency changes bypass normal controls; failure to review them within a reasonable time (e.g., 30 days) increases the risk of undocumented changes. Logging change requests in a spreadsheet, pre-approving standard changes, and defining change windows are acceptable or even good practices.

35
Matching · medium

Match each testing technique to its description.

Simulated attack to find weaknesses

Automated check for known flaws

Manual inspection of source code

Manipulating people to divulge info

Why these pairings

Testing techniques assess different aspects.

36
MCQ · easy

Which of the following is the PRIMARY purpose of a business impact analysis (BIA) in business continuity planning?

A. To determine the criticality of business processes and their recovery requirements
B. To create a list of emergency contacts
C. To identify the resources required for recovery
D. To document the technical recovery procedures
Answer: A

The BIA's main goal is to quantify the impact of disruptions and set RTO/RPO.

Why this answer

Option A is correct because the BIA identifies critical processes and determines the maximum allowable downtime (RTO) and data loss (RPO). Options B, C, and D are subsequent steps after the BIA.

37
MCQ · medium

An organization is implementing a backup strategy for its critical database. The database is updated continuously during business hours, and the recovery point objective (RPO) is 15 minutes. Which backup method should be used to meet the RPO while minimizing backup storage and performance impact?

A. Perform full backups every 24 hours
B. Implement synchronous replication to a standby server
C. Perform incremental backups with transaction log backups every 15 minutes
D. Perform differential backups every 6 hours
Answer: C

Transaction log backups enable point-in-time recovery to within 15 minutes, meeting the RPO, while incremental backups reduce storage and performance overhead.

Why this answer

Incremental backups combined with transaction log backups every 15 minutes meet the 15-minute RPO: the incremental backups capture all changes since the last full or incremental backup, while the transaction log backups record every individual database transaction. This method minimizes storage by only backing up changes and reduces performance impact compared to continuous replication, as log backups are lightweight and can be scheduled without constant I/O overhead.

Exam trap

The trap here is that candidates often confuse synchronous replication (Option B) with a backup method, but it is a high-availability solution that does not meet RPO requirements without additional log backups and introduces performance degradation, whereas transaction log backups are the correct granular backup technique for low RPOs.

How to eliminate wrong answers

Option A is wrong because full backups every 24 hours can only restore to the point of the last full backup, which would result in up to 24 hours of data loss, far exceeding the 15-minute RPO. Option B is wrong because synchronous replication requires the primary and standby servers to commit transactions simultaneously, which introduces latency and high performance overhead on the primary database, and it does not inherently provide point-in-time recovery to a specific 15-minute window without additional log management. Option D is wrong because differential backups capture all changes since the last full backup, but if performed every 6 hours, the maximum data loss could be up to 6 hours, which exceeds the 15-minute RPO; moreover, differential backups do not provide the granularity needed for sub-hour recovery.

38
Drag & Drop · medium

Arrange the steps to implement a patch management process in the correct order.

Why this order

Patch management starts with inventory, then evaluation, testing, deployment, and verification.

39
Multi-Select · easy

During a disaster recovery test, the team discovers that the backup server is unable to restore data because of incompatible software versions. Which TWO controls should have been implemented to prevent this?

Select 2 answers
A. Maintaining a configuration management database
B. Using cloud-based backup solutions
C. Implementing intrusion detection systems
D. Increasing the frequency of full backups
E. Performing regular patch management
Answers: A, E

Correct: CMDB tracks software versions across environments.

Why this answer

A configuration management database (CMDB) tracks software versions, and a patch management process ensures compatibility. Cloud backups, backup frequency, and IDS do not address version compatibility.

40
MCQ · medium

An IT manager notices that the CPU utilization of a critical server consistently exceeds 90% during peak hours. Which is the BEST course of action?

A. Implement load balancing
B. Immediately add more CPUs
C. Increase monitoring frequency
D. Schedule batch jobs during off-peak
Answer: A

Load balancing distributes traffic and reduces CPU utilization on a single server.

Why this answer

Option A is correct because implementing load balancing distributes the workload across multiple servers, addressing the performance issue. Options B, C, and D are not the best; B is hasty, C helps but is not best, D does not fix the problem.

41
Multi-Select · medium

An IS auditor is evaluating the effectiveness of a backup strategy for a critical database. Which TWO of the following are essential controls to ensure data recoverability?

Select 2 answers
A. Storing backups offsite
B. Encrypting backup tapes
C. Performing regular restoration tests
D. Labeling tapes with dates
E. Using high-capacity media
Answers: A, C

Correct: Offsite storage protects against site-level disasters.

Why this answer

Regular restoration tests verify that backups are recoverable, and offsite storage ensures availability after a site disaster. Encryption, labeling, and capacity are security or operational considerations but not essential for recoverability.

42
MCQ · easy

A company's backup policy requires that backup media be stored offsite. Which of the following is the PRIMARY reason for this requirement?

A. To ensure data is available in case of a site disaster
B. To reduce backup storage costs
C. To comply with regulatory requirements
D. To protect against theft
Answer: A

Offsite storage preserves data integrity when the primary site is compromised.

Why this answer

Option A is correct because offsite storage ensures data availability in case of a site disaster. Options B, C, and D are secondary or incorrect.

43
MCQ · medium

Refer to the exhibit. An IS auditor reviewing backup logs notices this error. Which of the following is the MOST likely root cause?

A. Backup script has a syntax error
B. Incorrect database credentials
C. Storage array is offline
D. Insufficient disk space on backup target
Answer: C

Correct: Offline array prevents mounting.

Why this answer

The error indicates failure to mount the backup target, implying a connectivity issue with the storage array. A syntax error would produce a script error; disk space would show a different error; authentication would show a credentials error.

44
MCQ · hard

Refer to the exhibit. An IT operator receives this error message from an automated backup job. What is the MOST likely cause of this failure?

A. The FinanceDB database is corrupted
B. The network link between servers is down
C. The backup server's disk is full
D. The LUN presenting the virtual disk is not zoned or masked to the backup server
Answer: D

The error 'Unable to mount virtual disk' strongly suggests a SAN zoning/LUN masking issue.

Why this answer

Option D is correct because the error indicates that the backup server cannot access the virtual disk, which is typically a LUN masking or zoning issue. Option A is plausible but the message specifically points to storage access; Option B is not indicated; Option C is possible but less direct.

45
MCQ · easy

An organization is implementing a business continuity plan (BCP). Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA)?

A. To document the step-by-step recovery procedures for each system
B. To identify potential threats and vulnerabilities to the organization
C. To inventory all IT assets and their configurations
D. To identify critical business processes and their recovery time objectives (RTOs)
Answer: D

BIA helps prioritize processes and define RTOs and RPOs.

Why this answer

The primary purpose of a business impact analysis (BIA) is to identify critical business processes and quantify the impact of their disruption, which directly drives the recovery time objectives (RTOs) and recovery point objectives (RPOs). These RTOs and RPOs form the foundation for selecting appropriate recovery strategies and technologies, such as synchronous replication for near-zero RPO or warm standby sites for specific RTO windows. Without a BIA, the BCP would lack the business-driven metrics needed to prioritize recovery efforts and allocate resources effectively.

Exam trap

The trap here is that candidates often confuse the BIA with a risk assessment or asset inventory, but the BIA is exclusively focused on business process criticality and recovery time objectives, not on threats, vulnerabilities, or hardware lists.

How to eliminate wrong answers

Option A is wrong because documenting step-by-step recovery procedures is the purpose of the recovery plan development phase, not the BIA; the BIA identifies what needs recovery and how quickly, but does not prescribe the technical steps. Option B is wrong because identifying potential threats and vulnerabilities is the domain of a risk assessment, which is a separate process that often uses the BIA's outputs to prioritize risks, but the BIA itself focuses on business process impact, not threat enumeration. Option C is wrong because inventorying all IT assets and their configurations is part of asset management or configuration management (e.g., CMDB), not the BIA; the BIA identifies which processes are critical, not the detailed hardware/software inventory.

46
MCQ · medium

An administrator sees the above error after a failed backup job. What is the MOST likely cause?

A. The backup service account does not have write permissions to the destination
B. The network share \\BACKUPSRV\DBBackups\DB01\ is offline or unreachable
C. The SQL Server backup client is not installed
D. The backup destination disk is full
Answer: B

The error indicates the path specified does not exist or is unavailable.

Why this answer

The error message indicates that the backup destination path \\BACKUPSRV\DBBackups\DB01\ is inaccessible. This is most commonly caused by the network share being offline, unreachable due to network issues, or the target server being down. Without connectivity to the UNC path, the backup job cannot proceed, even if permissions and disk space are adequate.

Exam trap

The trap here is that candidates often assume a failed backup is always due to permissions or disk space, but the error message's specific wording about the path being 'offline or unreachable' directly points to a network connectivity issue, not authorization or capacity.

How to eliminate wrong answers

Option A is wrong because the error message does not mention permission denial; a permissions issue would typically produce an 'access denied' or similar error, not a generic 'unreachable' failure. Option C is wrong because the SQL Server backup client is not required for backing up to a network share; SQL Server uses its native VDI or T-SQL BACKUP command, and the error points to connectivity, not missing client software. Option D is wrong because a full disk would generate a 'disk full' or 'insufficient space' error, not a failure to reach the destination path.

47
MCQ · easy

A company is experiencing frequent server crashes due to memory leaks. The operations team has implemented a monitoring solution. Which of the following is the BEST indicator to trigger an automated failover to a standby server?

A. Memory usage exceeding 90% for more than 5 minutes
B. Disk I/O latency greater than 10ms
C. CPU utilization spikes above 80% for 1 minute
D. Network packet loss exceeding 1%
Answer: A

Correct: Directly reflects memory leak condition.

Why this answer

Memory leaks cause gradual memory consumption; sustained high memory usage directly indicates the condition. CPU spikes, disk latency, and packet loss are less specific to memory leaks.

48
Multi-Select · hard

Based on the backup logs, the backup administrator notices that the incremental backup job failed due to insufficient storage. Which TWO actions should the administrator take to resolve the immediate issue and prevent recurrence?

Select 2 answers
A. Free up space on the backup storage device by removing old backup sets manually
B. Check network bandwidth between the backup server and storage device
C. Increase the frequency of incremental backups to reduce data volume per job
D. Configure backup retention policies and enable data deduplication on the backup device
E. Investigate and resolve the file-in-use warnings from the full backup job
Answers: A, D

This addresses the immediate 'insufficient storage' error by freeing up space for the next backup.

Why this answer

Option A is correct because freeing up space on the backup storage device by removing old backup sets immediately resolves the insufficient storage issue that caused the incremental backup job to fail. This is a direct, short-term fix that reclaims capacity without altering backup schedules or configurations.

Exam trap

The trap here is that candidates may confuse a storage capacity issue with a performance issue (Option B) or incorrectly assume that increasing backup frequency (Option C) reduces data volume, when in fact it increases the number of backup objects and metadata overhead.

49
MCQ · medium

A company's IT service desk receives multiple reports of users being unable to access a cloud-based CRM system. The network team confirms that internet connectivity is working. Which of the following should be the FIRST step in troubleshooting the issue?

A. Ask a user to try accessing from a different device
B. Restart the company's firewall and proxy servers
C. Check the vendor's service status page for any reported outages
D. Review recent change requests for the CRM system
Answer: C

This quickly identifies if the issue is widespread and outside the organization's control.

Why this answer

Option C is correct because checking the status of the CRM service provider helps determine if it is a known outage. Option B is premature; Option A is device-specific; Option D is a later step.

50
MCQ · easy

A medium-sized financial services firm recently suffered a ransomware attack that encrypted critical servers and backups. The recovery process took three weeks because the backup tapes were stored in the same building (which was also infected) and the backup software had a vulnerability that allowed the ransomware to delete old backups. The firm's BCP did not account for simultaneous loss of primary and secondary data. As the IS auditor, you are asked to recommend the most effective improvement to the backup strategy to prevent recurrence and improve resilience. Which of the following actions should the firm implement?

A. Implement immutable backups and store them offsite or in a separate air-gapped environment
B. Increase the frequency of full backups to daily
C. Conduct quarterly tabletop exercises to test recovery procedures
D. Move all backups to a cloud storage provider with default settings
Answer: A

Immutable backups prevent unauthorized deletion or modification, directly mitigating the risk from ransomware.

Why this answer

Immutable backups prevent modification or deletion by ransomware, even if the backup software or administrative credentials are compromised. Storing them offsite or in an air-gapped environment ensures that a simultaneous physical or logical attack cannot destroy both primary and secondary data, directly addressing the root cause of the three-week recovery delay.

Exam trap

The trap here is that candidates often choose increased backup frequency or cloud migration, thinking they improve resilience, but they overlook the critical requirement that backups must be protected from deletion or encryption by the same attack that compromises the primary systems.

How to eliminate wrong answers

Option B is wrong because increasing the frequency of full backups to daily does not protect against ransomware that can encrypt or delete existing backups; it only reduces the recovery point objective, not the vulnerability to deletion. Option C is wrong because quarterly tabletop exercises test recovery procedures and team readiness but do not prevent the backup data from being encrypted or deleted by ransomware; they improve process, not data resilience. Option D is wrong because moving all backups to a cloud storage provider with default settings does not guarantee immutability or air-gapping; default cloud storage configurations often allow deletion or overwrite by compromised credentials, leaving backups vulnerable to the same attack vector.

51
MCQ · medium

A multinational corporation is implementing a disaster recovery plan for its critical financial systems. The plan includes off-site backups and redundant hardware. During a recent test, the recovery time objective (RTO) was met, but the recovery point objective (RPO) was exceeded by 30 minutes due to delayed data replication. Which of the following is the BEST action to address this issue?

A. Extend the RPO to accommodate the delay.
B. Implement synchronous replication to the secondary site.
C. Reduce the bandwidth for replication to avoid congestion.
D. Increase the frequency of full backups to every 4 hours.
Answer: B

Synchronous replication ensures near-zero data loss, directly addressing the RPO exceedance.

Why this answer

Option B is correct because synchronous replication ensures data is written to both sites simultaneously, minimizing RPO. Option D is wrong because increasing full backups to every 4 hours still leaves up to 4 hours of potential data loss. Option C is wrong because reducing bandwidth for replication would likely increase the delay further. Option A is wrong because extending the RTO does not address the RPO issue.

52
MCQ · hard

A healthcare organization is required to comply with HIPAA regulations for data backup and disaster recovery. They operate a primary data center and a colocation facility for disaster recovery. The current backup strategy involves nightly full backups to tape, which are stored off-site monthly. The recovery time for the electronic health record (EHR) system is estimated at 8 hours, but the RTO required by the business is 2 hours. Additionally, the RPO requirement is 15 minutes. The IT manager proposes implementing a continuous data protection (CDP) solution. However, the CFO is concerned about the cost. Which of the following is the BEST argument to justify the CDP investment?

A. CDP can achieve an RPO of seconds and significantly reduce recovery time.
B. CDP is required by HIPAA for all healthcare systems.
C. CDP will reduce the need for IT staff to perform backups.
D. CDP eliminates the need for any off-site storage, reducing costs.
Answer: A

This directly addresses the gaps in RTO and RPO, justifying the investment.

Why this answer

Option A is correct because CDP provides near-zero RPO and can significantly reduce recovery time, directly meeting the RTO and RPO requirements. Option D is false; CDP still requires off-site storage for disaster recovery. Option B is incorrect; HIPAA does not mandate CDP. Option C is a benefit but not the primary justification.

53
MCQ · hard

An organization's business continuity plan includes a reciprocal agreement with another company. What is the PRIMARY risk of this arrangement?

A. The other company may be a competitor
B. Both companies may be affected by the same disaster
C. The agreement may not be legally enforceable
D. The other company may not have adequate security
Answer: B

If the companies are geographically close, a single disaster can impact both, rendering the agreement useless.

Why this answer

Option B is correct because both companies may be affected by the same regional disaster. Options A, C, and D are valid concerns but secondary.

54
MCQ · hard

A large enterprise is implementing a backup strategy for a critical database that requires an RTO of 2 hours and an RPO of 15 minutes. The database is 2 TB in size. Which backup method would BEST meet these requirements while minimizing storage costs?

A. Daily full backups
B. Continuous data protection (CDP) replicating to a remote site
C. Weekly full backups with transactional log backups every 15 minutes
D. A daily full backup and a differential backup every 4 hours
Answer: C

Log backups capture every transaction, achieving a 15-minute RPO, and storage cost is low compared to frequent full backups.

Why this answer

Option B is correct because incremental backups after a full backup minimize data loss and allow frequent backups with low storage overhead, meeting the 15-minute RPO. Option A does not meet RPO; Option C uses too much storage; Option D is for file-level, not databases.

55
MCQ · hard

A multinational corporation operates an e-commerce platform hosted in a private cloud environment. The platform consists of web servers, application servers, and a database cluster. The database cluster uses synchronous replication across two data centers (Primary and DR) located 500 km apart. The recovery time objective (RTO) for the platform is 2 hours, and the recovery point objective (RPO) is 15 minutes. During a recent disaster simulation, the primary data center lost power completely. The IT team initiated failover to the DR site. However, the failover process took 3 hours due to a misconfiguration in the DNS failover scripts, and the database was found to be inconsistent because the replication link was broken 30 minutes before the power loss. The team had to restore from a backup that was 4 hours old. After the incident, management requests a review of the disaster recovery plan. Which of the following is the BEST course of action to address the issues identified?

A. Increase the synchronous replication distance limit to ensure link stability over 500 km
B. Conduct a full-scale disaster recovery test including DNS failover and database consistency checks
C. Switch to asynchronous replication to avoid data loss during link failures
D. Implement automated DNS failover with health checks and reduce TTL values to 60 seconds
Answer: B

A comprehensive test would identify both the DNS script error and the replication link vulnerability, allowing corrective actions.

Why this answer

The correct answer is B because the incident revealed failures in DNS failover scripts (causing RTO breach) and database consistency checks (causing RPO breach). A full-scale test that includes DNS failover and database consistency validation is the only option that directly addresses both root causes, ensuring the DR plan meets the stated RTO of 2 hours and RPO of 15 minutes. Without such a test, the organization cannot verify that the failover process and data integrity mechanisms work as intended under realistic conditions.

Exam trap

The trap here is that candidates focus on the technical symptom (DNS failover delay) and choose a quick fix like automated DNS failover (Option D), while ignoring the more critical database inconsistency issue that requires a comprehensive test to validate the entire DR plan.

How to eliminate wrong answers

Option A is wrong because increasing the synchronous replication distance limit does not fix link stability; synchronous replication over 500 km is inherently prone to latency and link failures, and the issue was a broken replication link 30 minutes before the power loss, not a distance limit. Option C is wrong because switching to asynchronous replication would increase the risk of data loss beyond the 15-minute RPO, as asynchronous replication introduces a lag that could exceed the RPO during link failures, and the problem here was inconsistency, not replication mode. Option D is wrong because while automated DNS failover with health checks and reduced TTL values can improve failover speed, it does not address the database inconsistency caused by the broken replication link and the need to restore from a 4-hour-old backup, which requires validation of database consistency and backup integrity.

56
MCQ · hard

An IS auditor is reviewing the incident management process. The organization has a policy that all security incidents must be reported within one hour. However, the average reporting time is four hours. Which is the BEST corrective action?

A. Reduce the reporting time requirement
B. Increase penalties for non-compliance
C. Implement automated incident detection
D. Provide additional training to staff
Answer: D

Training improves awareness and compliance with reporting requirements.

Why this answer

Option D is correct because additional training addresses the human factors causing delays. Option A lowers the standard; B is punitive; C might help but is not the best first step.

57
MCQ · medium

Refer to the exhibit. An auditor reviews the security log of a sensitive server. Which of the following is the MOST suspicious event?

A. The use of Negotiate authentication package
B. The logoff event at 23:45:12
C. The remote interactive logon from IP 192.168.10.50 using NTLM
D. The logon from workstation WS-FINANCE at 10.0.0.15
Answer: C

Remote interactive logon allows interactive access, and the source IP is different from the usual internal range; NTLM is less secure.

Why this answer

Option C is correct because a logon type 10 (Remote Interactive) from an unknown IP (192.168.10.50) using NTLM could indicate an unauthorized remote desktop session, especially if the employee is not on shift or the IP is unfamiliar. Option D is a normal network logon; Option A is not an event; Option B is not logged here.

58
MCQ · easy

Which of the following is the PRIMARY objective of an operational audit?

A. To identify security vulnerabilities
B. To evaluate financial reporting
C. To verify compliance with laws
D. To assess the efficiency and effectiveness of operations
Answer: D

Operational audits evaluate how well resources are used and objectives are met.

Why this answer

Option D is correct because an operational audit focuses on efficiency and effectiveness. Options A, B, and C are objectives of other types of audits.

59
Multi-Select · medium

Which TWO of the following are key elements of an effective incident response plan? (Select exactly 2.)

Select 2 answers
A. A schedule for post-incident reviews
B. A detailed inventory of software licenses
C. A clear escalation path with contact information
D. A list of all hardware serial numbers
E. Predefined communication templates for internal and external stakeholders
Answers: C, E

Escalation ensures that incidents are routed to the appropriate response teams.

Why this answer

Options B and D are correct. A clear escalation path ensures proper reporting and decision-making; predefined communication templates speed up notification. Option A is not essential; Option C is part of strategy but not directly incident response; Option E is after-action, not during.

60
Multi-Select · medium

Which TWO of the following are primary objectives of a business continuity plan (BCP)?

Select 2 answers
A. Replace the disaster recovery plan
B. Minimize financial loss
C. Guarantee 100% system uptime
D. Maintain regulatory compliance during disruptions
E. Ensure critical business functions continue during a disruption
Answers: D, E

Compliance with regulations is a primary objective of BCP.

Why this answer

Option D is correct because a primary objective of a BCP is to ensure that the organization can continue to meet legal and regulatory obligations during a disruption. This includes maintaining required data protection, reporting, and operational standards as mandated by regulations such as GDPR, HIPAA, or SOX, even when normal operations are impaired.

Exam trap

The trap here is that candidates often confuse the BCP's primary objectives with secondary benefits like cost savings or uptime guarantees, or mistakenly think the BCP replaces the DRP, when in fact the BCP is a broader plan that includes the DRP as a component.

61
MCQ · easy

During an IT audit, the auditor finds that a system administrator has local administrator rights on multiple production servers and uses a shared service account for routine maintenance. What is the PRIMARY risk associated with this practice?

A. Audit trails cannot attribute actions to a specific individual
B. Password changes become more difficult to manage
C. The administrator may accidentally delete critical files
D. The shared account may be used by unauthorized personnel
Answer: A

Shared accounts break the link between an action and an individual, violating the principle of accountability.

Why this answer

Option B is correct because a shared account obscures individual accountability, making it impossible to determine who performed specific actions. Option A is a general risk but less specific; Option C is not the primary risk; Option D is the opposite.

62
Matching medium

Match each disaster recovery site type to its description.

Concepts
Matches

Fully equipped and ready within hours

Partially configured, ready in days

Basic infrastructure, no equipment

Portable unit deployed as needed

Why these pairings

Recovery site types differ in readiness and cost.

63
MCQ medium

A company's backup policy requires that backup tapes be stored offsite for at least one year. During an audit, the auditor finds that the offsite storage facility is not access-controlled and backup tapes are not encrypted. Which of the following is the auditor's BEST recommendation?

A. Negotiate a new contract with a different offsite storage provider
B. Move the tapes back to the primary site until the offsite facility is secured
C. Implement a check-in/check-out log for the offsite facility
D. Encrypt all backup tapes before sending them offsite
Answer: D

Encryption mitigates the risk of unauthorized access to data on the tapes.

Why this answer

The core issue is that backup tapes contain sensitive data and are stored in an uncontrolled environment. Encrypting the tapes before transport ensures that even if the physical security of the offsite facility is compromised, the data remains confidential. This directly addresses the risk of unauthorized access to the data, which is the primary concern, and is a cost-effective, immediate control that does not disrupt operations.

Exam trap

The trap here is that candidates often focus on physical security controls (like logs or moving tapes) rather than recognizing that data confidentiality is the paramount risk, and encryption is the only option that directly protects the data itself regardless of physical security failures.

How to eliminate wrong answers

Option A is wrong because negotiating a new contract is a long-term administrative solution that does not address the immediate data exposure risk; the current tapes are still unencrypted and vulnerable. Option B is wrong because moving tapes back to the primary site violates the backup policy requirement for offsite storage and increases the risk of a single point of failure (e.g., fire or theft at the primary site). Option C is wrong because a check-in/check-out log only provides accountability for physical access but does not protect the data on the tapes if the facility is breached or a tape is stolen; it does not mitigate the confidentiality risk.

64
MCQ easy

Refer to the exhibit. An auditor reviews the log shipping configuration for a critical database. Based on the information provided, what is the MOST significant finding?

A. The current latency of 18 minutes exceeds the 15-minute log shipping interval
B. The alert threshold of 30 minutes is too high
C. The secondary server is not being used for reporting
D. The last backup was created at 06:00, but it is now later in the day
Answer: A

This indicates a potential data loss if a failover occurs, as the secondary may not have the latest data.

Why this answer

Option B is correct because the latency (18 minutes) exceeds the log shipping interval (15 minutes), indicating that the secondary server is falling behind. Option A is not a finding; Option C is not indicated; Option D is about alerting but latency is the core issue.

65
Multi-Select hard

An organization is evaluating its business continuity plan (BCP) to ensure alignment with the IT disaster recovery plan. Which TWO of the following are critical elements that should be included in the BCP to support effective business resilience?

Select 2 answers
A. A list of all critical IT applications with their recovery priorities.
B. Procedures for manual operations during system unavailability.
C. A complete inventory of hardware and software licenses.
D. Contact information for key stakeholders and emergency response teams.
E. Detailed step-by-step procedures for restoring network connectivity.
Answers: B, D

Manual workarounds are essential for business continuity when systems are down.

Why this answer

Option C (contact information for stakeholders) and Option E (procedures for manual operations) are essential BCP elements. Option A and B are more aligned with IT disaster recovery, and Option D is an asset inventory detail, not a critical BCP element.

66
MCQ medium

An organization implemented a business continuity plan (BCP) that includes manual workarounds. Which of the following is the PRIMARY risk of relying on manual processes during a disruption?

A. Higher probability of human error under stress
B. Longer recovery time for automated systems
C. Higher cost of implementation
D. Increased dependency on technology
Answer: A

Correct: Stress increases error likelihood, jeopardizing continuity.

Why this answer

Human error is significantly higher under stress, which can cause delays and mistakes. Other options are not primary risks.

67
MCQ hard

An organization is evaluating its business continuity plan (BCP) for a critical application with a recovery time objective (RTO) of 4 hours and a recovery point objective (RPO) of 1 hour. The current backup strategy involves daily full backups and hourly transaction log backups. Which of the following is the MOST significant risk?

A. The backup media is stored in the same building as the primary system
B. The recovery process requires manual intervention to apply logs
C. The backups are not tested regularly
D. The hourly logs cover only the last 24 hours
Answer: A

If the building is destroyed, both primary and backup data are lost, violating basic business continuity principles.

Why this answer

Option D is correct because if the backups are stored at the same site, a disaster destroying the primary site would also destroy the backups, making recovery impossible. Options A, B, and C are less critical: A is a procedural issue, B is a minor gap, C is about recovery method but not as fundamental as off-site storage.

68
Multi-Select hard

Which THREE of the following are key metrics to include in a disaster recovery test report? (Select exactly 3.)

Select 3 answers
A. Amount of data lost (actual vs. RPO)
B. Cost per incident
C. Time taken to recover each critical system
D. Number of personnel involved
E. Percentage of successful restores
Answers: A, C, E

Measures data loss.

Why this answer

Option A is correct because the amount of data lost (actual vs. RPO) directly measures whether the recovery process met the Recovery Point Objective. This metric validates the effectiveness of backup frequency and replication lag, which is critical for determining if the DR plan preserved data integrity within acceptable loss limits.

Exam trap

The trap here is that candidates often confuse operational metrics (like cost or personnel count) with technical DR success metrics, leading them to select B or D instead of focusing on RPO, RTO, and restore integrity.

69
MCQ hard

A multinational corporation is designing its disaster recovery strategy to meet a recovery point objective (RPO) of 15 minutes for its critical database. Which replication method is MOST appropriate?

A. Asynchronous replication over WAN
B. Daily incremental backups to tape
C. Synchronous replication with write-back caching
D. Periodic snapshot every hour
Answer: C

Correct: Synchronous replication ensures transactions are committed at both sites, meeting RPO.

Why this answer

Synchronous replication with write-back caching provides near-zero data loss while managing performance impact. Asynchronous replication may have higher latency, daily backups exceed RPO, and hourly snapshots are insufficient.

70
MCQ hard

An organization has configured HSRP as shown. During a failover test, the primary router (G0/1) is shut down, but the DR site router does not become active. What is the MOST likely reason?

A. The default route on the primary router points to the wrong next-hop
B. The preempt command is missing on the DR router
C. The OSPF routing protocol is not redistributing the default route
D. The HSRP group numbers on the two interfaces do not match
Answer: D

HSRP group 1 is on G0/1 and group 2 on G0/2; they should be the same group to provide redundancy for the same virtual IP.

Why this answer

HSRP requires that both routers participating in the same virtual IP address use the same group number to form a single HSRP group. If the group numbers on the two interfaces do not match, each router will form its own separate HSRP group, and neither will recognize the other as a peer. Consequently, when the primary router fails, the DR router does not assume the active role because it is not part of the same HSRP group.

Exam trap

The trap here is that candidates often confuse HSRP group number mismatch with missing preempt or routing issues, but Cisco specifically tests the fundamental requirement that HSRP group numbers must match for the protocol to establish adjacency.

How to eliminate wrong answers

Option A is wrong because the default route on the primary router pointing to the wrong next-hop would affect traffic forwarding but does not prevent HSRP failover; HSRP operates independently of routing table entries. Option B is wrong because the preempt command is only needed if you want a higher-priority router to reclaim the active role after it recovers; it is not required for the DR router to become active during a failover when the primary is shut down. Option C is wrong because OSPF redistribution of a default route is unrelated to HSRP state transitions; HSRP uses its own hello messages and timers to determine active/standby status, not OSPF routing updates.

71
MCQ easy

An organization's backup strategy involves weekly full backups and daily incremental backups. After a system failure, the restoration takes longer than expected. What is the most likely cause?

A. Incremental backups not stored offsite
B. Full backup frequency too low
C. Restoration process not tested
D. Tape rotation failure
Answer: C

Without testing, the actual time required for restoration is unknown, leading to unrealistic expectations.

Why this answer

Option D is correct because without periodic testing, the recovery time may be underestimated. Option A is plausible but not the most likely cause given the time issue; B and C are incorrect because they are not directly related to the restoration time.

72
MCQ hard

An IT auditor is reviewing the business continuity plan (BCP) for a financial services firm. The plan includes a hot site that is shared with another organization under a reciprocal agreement. Which of the following findings should be of MOST concern to the auditor?

A. The hot site uses a different internet service provider than the primary site
B. The hot site has not been tested in the past 12 months
C. The reciprocal agreement does not guarantee exclusive use of the hot site during a disaster
D. The hot site is located in the same seismic zone as the primary site
Answer: C

If both organizations activate simultaneously, the hot site may not have sufficient capacity for both.

Why this answer

Option C is correct because a reciprocal agreement for a shared hot site does not guarantee exclusive access during a disaster. If both organizations declare a disaster simultaneously, the site may become oversubscribed, leading to resource contention and potential failure of the BCP. This directly undermines the recovery capability, making it the most critical finding.

Exam trap

The trap here is that candidates may focus on technical details like ISP diversity or testing frequency, but the core BCP principle is that a shared resource without guaranteed exclusive access is a fundamental design flaw that can render the entire plan ineffective during a concurrent disaster.

How to eliminate wrong answers

Option A is wrong because using a different ISP for the hot site is actually a best practice to avoid single points of failure and is not a concern. Option B is wrong because while annual testing is recommended, the lack of a test in 12 months is a finding but not as critical as the lack of guaranteed exclusive access; the plan could still be viable with more frequent testing scheduled. Option D is wrong because being in the same seismic zone is a risk, but it is less immediate than the operational risk of resource contention; many organizations accept this risk with geographic separation within the same region.
