Domain 4
© Copyright 2016 ISACA. All rights reserved.
architecture (EA).
4.3 Evaluate IT operations (e.g., job scheduling, configuration management, capacity and performance management) to determine whether they are controlled
objectives.
4.4 Evaluate IT maintenance (patches, upgrades) to determine whether they are controlled effectively and
.
4.5 Evaluate database management practices to determine the integrity and optimization of databases.
4.6 Evaluate data quality and life cycle management to determine whether they continue to meet strategic objectives.
4.7 Evaluate problem and incident management practices to determine whether problems and incidents are prevented, detected, analyzed, reported and resolved in a timely manner to support the
objectives.
4.8 Evaluate change and release management practices to determine whether changes made to systems and applications are adequately controlled and documented.
4.9 Evaluate end-user computing to determine whether the processes are effectively controlled and support the
4.10 Evaluate IT continuity and resilience (backups/restores, disaster recovery plan [DRP]) to determine whether they are controlled effectively and
.
Task 4.1
Evaluate the IT service management framework and practices (internal or third party) to determine whether the controls and service levels expected by the organization are being adhered to and whether strategic objectives are met.
How does Task 4.1 relate to each of the following knowledge statements?
Knowledge Statement: K4.2 Knowledge of service management practices and service level management
Connection: Service level management ensures expectations and that service level agreements (SLAs) are continuously maintained and improved as needed.
Knowledge Statement: K4.3 Knowledge of the techniques for monitoring third-party performance and compliance with service agreements and regulatory requirements
Connection: It is essential for the IS auditor to understand the latest approaches in contracting strategies, processes and contract management practices.
Knowledge Statement: K4.5 Knowledge of the functionality of fundamental technology (e.g., hardware and network components, system software, middleware, database management systems)
Connection: The IS auditor must be familiar with the functionality of information system hardware and network components. This includes understanding the importance of the physical part of all IS/IT solutions that support the organizational objectives and goals.
How does Task 4.1 relate to each of the following knowledge statements?
Knowledge Statement: K4.10 Knowledge of capacity planning and related monitoring tools and techniques
Connection: The IS auditor is expected to be aware of the concepts of capacity management and the essential information requirements of the task, such as technical performance reports and information on projected business needs.
Knowledge Statement: K4.11 Knowledge of systems performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports, load balancing)
Connection: IT performance monitoring of critical processes and assets should be conducted on a continuous basis to ensure reliable IT services that meet SLAs and achieve defined business objectives.
Knowledge Statement: K4.14 Knowledge of data quality (completeness, accuracy, integrity) and life cycle management (aging, retention)
Connection: It is necessary for the IS auditor to understand the concepts of data quality and data life cycle management.
How does Task 4.1 relate to each of the following knowledge statements?
Knowledge Statement: K4.18 Knowledge of regulatory, legal, contractual and insurance issues related to disaster recovery
Connection: The IS auditor needs to understand and be able to evaluate the following:
o The applicable regulatory and contractual environment
o The disaster recovery strategies needed to enable the organization to meet these requirements regardless of the operational state of the IS environment
IT Service Management
IT service management (ITSM) supports business needs through the implementation and management of IT services.
People, processes, and information technology are each a part of IT services.
A service management framework provides support for the implementation of ITSM.
SLA Tools
Several reporting tools aid in determining whether service expectations are being met. These include:
o Exception reports
o System and application logs
o Operator problem reports
o Operator work schedules
When there is a contractual relationship between the IT department and the end user or customer, SLA service level definition is particularly important.
o The IS auditor should be aware of these defined expectations, ensuring that they are comprehensive.
o These should include measures to address:
  Risk, security and control
  Efficiency and effectiveness
Enterprise architecture (EA) describes the design of the components of a business system or subsystem.
o structured form, facilitating consideration of IT investments and clarifying interrelationships between IT components.
Audit of Infrastructure
When auditing infrastructure and operations, the IS auditor should:
o Follow the overall EA.
o Use the EA as a main source of information.
o Ensure that IT systems are aligned with the EA and meet organizational objectives.
How does Task 4.2 relate to each of the following knowledge statements?
Knowledge Statement: K4.4 Knowledge of enterprise architecture (EA)
Connection: The IS auditor needs to understand EA processes used in documenting an
manner to facilitate understanding, management and planning for IT investments.
Knowledge Statement: K4.5 Knowledge of the functionality of fundamental technology (e.g., hardware and network components, system software, middleware, database management systems)
Connection: The IS auditor must be familiar with the functionality of information system hardware, platform operating systems, common database applications and network components.
Knowledge Statement: K4.10 Knowledge of capacity planning and related monitoring tools and techniques
Connection: Capacity planning ensures that all the current and future capacity and performance aspects of business requirements are anticipated in advance, assessed and, as necessary, provided in a cost-effective manner.
How does Task 4.2 relate to each of the following knowledge statements?
Knowledge Statement: K4.11 Knowledge of systems performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports, load balancing)
Connection: IT performance monitoring of critical processes and assets should be conducted on a continuous basis to ensure reliable IT services that meet SLAs and achieve defined business objectives.
Knowledge Statement: K4.14 Knowledge of data quality (completeness, accuracy, integrity) and life cycle management (aging, retention)
Connection: Data management processes should be in place to ensure data creation, categorization, protection, retention and destruction policies are in alignment with current and emerging business and regulatory requirements.
Source: ISACA, CISA Review Manual 26th Edition, figure 4.26
Source: ISACA, CISA Review Manual 26th Edition, figure 4.27
Database-supported IT asset
IS controls management
Consider
Observe IS Review operator Examine access to
The Big
adequacy of
personnel access the library
operator manuals
objectives.
How does Task 4.3 relate to each of the following knowledge statements?
Knowledge Statement: K4.9 Knowledge of the control techniques that ensure the integrity of system interfaces
Connection: System interfaces including middleware, application program interfaces (APIs) and other similar software present special risk, because they may not be subject to the same security and control rigor that is found in large-scale application systems.
Knowledge Statement: K4.15 Knowledge of problem and incident management practices
Connection: understanding of good practices for incident and problem management is essential.
Knowledge Statement: K4.16 Knowledge of change management, configuration management, release management and patch management practices
Connection: All changes to the production system or infrastructure should be approved according to an established change management process. Adequate segregation of duties (SoD) should be enforced.
IS Operations
The IS operations function is responsible for the ongoing
environment, ensuring:
o Computer processing requirements are met
o End users are satisfied
o Information is processed securely
o Outside parties (third parties, cloud computing) meet
The organization of IS operations varies depending on the size of the computing environment.
The IS auditor should understand the scope of IS operations when conducting an audit of this area.
IS Operations Documentation
The IS control environment requires procedures detailing operational tasks and processes as well as IS management oversight.
Such documentation includes procedures for:
o Operating instructions and job flows for computers and peripheral equipment
o Monitoring systems and applications
o Detection of system and application errors and issues
o Handling of IS problems and the escalation of unresolved issues
o Backup and recovery
Job Scheduling
Job scheduling is a major function within the IT department, and in environments in which a large number of batch routines are processed, this may be managed through the use of job scheduling software.
It is necessary to ensure that IS resources are optimized based on processing requirements.
The schedule includes:
o Jobs that must be run
o The sequence of job execution
o The conditions that cause job execution
o The ability to prioritize jobs according to time availability
controlled effectively and continue to condition specified in the service delivery objectives or
business continuity plan
Patch Management
A patch is software code that is installed to maintain software as current between full-scale version releases.
A patch often addresses security risks that have been detected in the original code.
Patch management tasks include:
o Maintaining current knowledge of available patches
o Determining which patches are appropriate for particular systems
o Ensuring that patches are properly installed
o Testing systems after installation
o Documenting all patch-related procedures
Because a patch can introduce new problems to a system, it is a good practice to test a patch on a non-critical system and perform backups prior to installing patches.
place to verify that these changes are:
o Authorized
o Tested
o Implemented in a controlled manner
QA personnel also oversee the proper maintenance of program versions and source code to object.

What it does?
  Full: Copies all main files and folders to the backup media
  Incremental: Copies files and folders that have changed or are new since last backup
  Differential: Copies files and folders that have been added or changed since a full backup was performed
What are its advantages?
  Full: Creates a unique archive in case of restoration
  Incremental: Requires less time and media than full backup
  Differential: Faster than full backup; requires only latest full and differential backup sets for full restoration
What are its disadvantages?
  Full: Requires more time and media capacity than other methods
  Incremental: All backup sets are required to implement a full restoration, taking more time
  Differential: Requires more time and media capacity than incremental backup
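An added example (not from the ISACA material) that simulates the three backup schemes compared above on constructed file-system states, showing how many backup sets a restore depends on and how much media each scheme writes. All names and sample data are illustrative assumptions; tracking of deleted files is an assumption that goes beyond the comparison.

```python
from dataclasses import dataclass, field

@dataclass
class BackupSet:
    kind: str     # "full", "incremental" or "differential"
    day: int
    files: dict   # path -> content copied into this set
    removed: set = field(default_factory=set)  # deletions since the reference state (assumption)

def changed(reference, current):
    """Files that are new or changed relative to the reference state, plus deletions."""
    files = {p: c for p, c in current.items() if reference.get(p) != c}
    return files, set(reference) - set(current)

def take_backups(scheme, states):
    """Back up one state per day. Day 0 is always full; `scheme` runs on later days."""
    sets = [BackupSet("full", 0, dict(states[0]))]
    last_full = last_backup = states[0]
    for day, state in enumerate(states[1:], start=1):
        if scheme == "full":
            sets.append(BackupSet("full", day, dict(state)))
            last_full = state
        elif scheme == "incremental":    # changes since the last backup of any kind
            sets.append(BackupSet("incremental", day, *changed(last_backup, state)))
        elif scheme == "differential":   # changes since the last full backup
            sets.append(BackupSet("differential", day, *changed(last_full, state)))
        else:
            raise ValueError(f"unknown scheme: {scheme}")
        last_backup = state
    return sets

def restore_chain(sets, target_day):
    """Backup sets that must all be readable to restore the state of target_day."""
    usable = [s for s in sets if s.day <= target_day]
    full_idx = max(i for i, s in enumerate(usable) if s.kind == "full")
    chain, later = [usable[full_idx]], usable[full_idx + 1:]
    diffs = [s for s in later if s.kind == "differential"]
    if diffs:
        chain.append(diffs[-1])          # only the latest differential is needed
    else:
        chain.extend(s for s in later if s.kind == "incremental")  # every one is needed
    return chain

def restore(chain):
    """Replay the chain in order and return the recovered file-system state."""
    state = {}
    for s in chain:
        state.update(s.files)
        for path in s.removed:
            state.pop(path, None)
    return state

def media_used(sets):
    """Number of file copies written: a stand-in for time and media capacity."""
    return sum(len(s.files) for s in sets)

def summarize(states, target_day):
    """Per scheme: (sets needed to restore target_day, file copies written)."""
    out = {}
    for scheme in ("full", "incremental", "differential"):
        sets = take_backups(scheme, states)
        chain = restore_chain(sets, target_day)
        if restore(chain) != states[target_day]:
            raise RuntimeError(f"{scheme}: restore does not match the live state")
        out[scheme] = (len(chain), media_used(sets))
    return out

# Constructed sample: four daily states of a small file system.
STATES = [
    {"ledger.db": "v1", "payroll.xls": "v1", "readme.txt": "v1"},
    {"ledger.db": "v2", "payroll.xls": "v1", "readme.txt": "v1"},
    {"ledger.db": "v2", "payroll.xls": "v2", "readme.txt": "v1", "audit.log": "v1"},
    {"ledger.db": "v3", "payroll.xls": "v2", "audit.log": "v2"},  # readme.txt deleted
]

if __name__ == "__main__":
    for scheme, (needed, copies) in summarize(STATES, 3).items():
        print(f"{scheme:12} sets needed for restore: {needed}  file copies written: {copies}")
    # Audit check: one unreadable incremental set silently corrupts the restore.
    broken = [s for s in take_backups("incremental", STATES) if s.day != 2]
    print("incremental restore with day 2 missing is correct:",
          restore(restore_chain(broken, 3)) == STATES[3])
```

For an auditor, the last check is the practical point: under an incremental scheme every set in the chain must be verified as readable, while a differential scheme depends only on the latest full and latest differential sets.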
IT Asset Management
COBIT 5 defines the management of assets in the following way:
Manage IT assets through their life cycle to make sure that their use delivers value at optimal cost, they remain operational (fit for purpose), they are accounted for and physically protected, and those assets that are critical to support service capability are reliable and available.
COBIT 5 BAI09 Manage assets
To achieve the objectives of asset management, assets must be identified.
The inventory record of each information asset should include:
o Specific identification of the asset
o Relative value to the organization
o Loss implications and recovery priority
o Location
o Security/risk classification
o Asset group, when the asset is part of a larger information system
o Owner and designated custodian
Adapted from: ISACA, CISA Review Manual 26th Edition, figures 4.18 and 4.19
How does Task 4.7 relate to each of the following knowledge statements?
Knowledge Statement: K4.9 Knowledge of the control techniques that ensure the integrity of system interfaces
Connection: The IS auditor needs to understand and be able to recommend the appropriate application of incident and problem, change and release management and quality assurance processes.
Knowledge Statement: K4.11 Knowledge of systems performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports, load balancing)
Connection: In order to identify incidents and problems, IT performance monitoring of critical processes and assets should be conducted on a continuous basis.
Knowledge Statement: K4.15 Knowledge of problem and incident management practices
Connection: The IS auditor must ensure the organization has processes in place to ensure all incidents or problems are detected, reported, managed and resolved in a timely manner.
Knowledge Statement: K4.17 Knowledge of the operational risk and controls related to end-user computing
Connection: It is necessary for the IS auditor to understand the risk associated with end-user computing (e.g., Microsoft® Excel, Access, etc.).
Incident Management
Incident management focuses on providing continuity of service through the removal or reduction of the adverse effect of disruptions to IT services.
It covers nearly all nonstandard operations and events related to IT services.
A critical element of an incident management process is the prioritization of incidents.
o Both urgency and impact must be considered.
o IS management should have parameters in place for assigning incident priority.
The IS auditor should examine problem reports and logs to ensure that incidents have been resolved in a timely manner by those most capable of resolving the problem.
Source: ISACA, CISA Review Manual 26th Edition, figure 4.32
Source: ISACA, CISA Review Manual 26th Edition, figure 4.7
How does Task 4.8 relate to each of the following knowledge statements?
Knowledge Statement: K4.16 Knowledge of change management, configuration management, release management and patch management practices
Connection: The IS auditor should also be aware of the need for established procedures to control changes made to systems in normal and emergency situations.
Change Management
The change management process is implemented when:
o Hardware is changed.
o Software is installed or upgraded.
o Network devices are configured.
Change control is part of the broader change management process.
It is designed to control the movement of application changes from the test environment through QA and into the production environment.
The change management process ensures that:
o Relevant personnel are aware of the change and its timing.
o Documentation is complete and in compliance.
o Job preparation, scheduling and operating instructions have been established.
o System and program results have been reviewed and approved by both project management and the end user.
o Data file and system conversions have been completed accurately and completely.
o All aspects of jobs turned over have been tested, reviewed and approved by control/operations personnel.
o Legal and compliance issues have been addressed.
o Risk associated with the change has been planned for, and a rollback plan has been developed to back out the changes should that become necessary.
Change Requests
Formalized and documented change processes incorporate the following elements:
o Change request
o Authorization
o Testing
o Implementation
o Communication to end users
(backups/restores, disaster recovery plan [DRP]) to determine whether they are
Resilience: The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect.
How does Task 4.10 relate to each of the following knowledge statements?
Knowledge Statement: KS4.21 Knowledge of the benefits and drawbacks of alternate processing sites (e.g., hot sites, warm sites, cold sites)
Connection: An IS auditor must be able to analyze
alternate processing facility is
recovery requirements.
Knowledge Statement: KS4.22 Knowledge of disaster recovery testing methods
Connection: An IS auditor should know the testing approaches and methods for BCP/DRP to evaluate the effectiveness of the plans.
Knowledge Statement: KS 4.23 Knowledge of the processes used to invoke the disaster recovery plans (DRPs)
Connection: An IS auditor must understand the concepts behind the decision to declare a disaster and to invoke a BCP/DRP and should understand the impact of the decision on an organization, remembering that invocation of the BCP/DRP can, in itself, be a disruption.
Recovery Strategies
Documented recovery procedures ensure a return to normal system operations in the event of an interruption.
These are based on recovery strategies, which should be:
o Recommended to and selected by senior management
o Used to further develop the business continuity plan (BCP)
The selection of a recovery strategy depends on the criticality of the business process and its associated applications, cost, security and time to recover.
In general, each IT platform running an application that supports a critical business function will need a recovery strategy.
Appropriate strategies are those in which the cost of recovery within a specific time frame is balanced by the impact and likelihood of an occurrence.
The cost of recovery includes both the fixed costs of providing redundant or alternate resources and the variable costs of putting these into use should a disruption occur.
Recovery Alternatives
A facility with all of the IT and communications equipment required to support critical applications, along with office accommodations for personnel.
A complete infrastructure, partially configured for IT, usually with network connections and essential peripheral equipment. Current versions of programs and data would likely need to be installed before operations could resume at the recovery site.
Cold sites
Source: ISACA, CISA Review Manual 26th Edition, figure 4.34
Application Resiliency
The ability to protect an application against a disaster depends on providing a way to restore it as quickly as possible.
A cluster is a type of software installed on every server in which an application runs. It includes management software that permits control of and tuning of the cluster behavior.
Clustering protects against single points of failure in which the loss of a resource would result in the loss of service or production.
There are two major types of application clusters, active-passive and active-active.
telecommunication networks.
These are susceptible to the same interruptions as data centers and several other issues, for example:
o Central switching office disasters
o Cable cuts
o Security breaches
To provide for the maintenance of critical business processes, telecommunications capabilities must be identified for various thresholds of outage.
[Figure: Redundancy; Alternative routing; Diverse routing; Long-haul network diversity; Last-mile circuit protection; Voice recovery]
Domain 4 Summary
Evaluate IT service management framework and practices.
Evaluate IT operations (e.g., job scheduling, configuration management, capacity and performance management).
Evaluate IT maintenance (patches, upgrades).
Evaluate database management practices.
Evaluate data quality and life cycle management.
Evaluate problem and incident management practices.
Evaluate change and release management practices.
Evaluate end-user computing.
Evaluate IT continuity and resilience (backups/restores, disaster recovery plan [DRP]).
Discussion Question
Which of the following is the GREATEST risk of an
organization using reciprocal agreements for disaster
recovery between two business units?
A. The documents contain legal deficiencies.
B. Both entities are vulnerable to the same incident.
C. IT systems are not identical.
D. One party has more frequent disruptions than the
other.