
Domain 7 – Section B Review: Recovery and Continuity

CISSP Domain 7 (Security Operations), Section B: Recovery and Continuity review, 10 questions

This section integrates:

  • Disaster Recovery Strategies (hot, warm, cold sites; cloud-based DR)
  • Backup Strategy and Data Protection (RPO, RTO, backup types, replication)
  • High Availability and Fault Tolerance (redundancy, clustering, failover)
  • Disaster Recovery Plan Testing (progressive testing, success criteria, lessons learned)
  • Business Continuity Planning (BIA, BCP lifecycle, governance, supply chain continuity)
  • Physical Security Implementation (access control, surveillance, environmental monitoring)
  • Personnel Safety and Security (life safety priority, duress, travel security, emergency response)

Section B questions test your ability to connect recovery objectives to strategy selection, validate plans through testing, maintain continuity beyond IT, and always place life safety above asset protection.


Section B – Practice Questions


Question 1

An organization’s BIA determines that its e-commerce platform has an MTD of 2 hours and an RPO of 15 minutes. The IT team proposes implementing a cold site with daily tape backups as the recovery strategy.

What is the FUNDAMENTAL problem with this proposal?

A. Tape backups are outdated and should be replaced with disk-based backups
B. A cold site cannot meet a 2-hour RTO, and daily backups cannot meet a 15-minute RPO — the strategy does not match the BIA requirements
C. The organization should use a cloud provider instead of a physical site
D. The BIA requirements are unrealistic and should be adjusted to match the proposed solution

Answer & reasoning

Correct: B

A cold site provides power, cooling and floor space but no installed equipment, so activating one typically takes days to weeks, which cannot satisfy a 2-hour MTD (the RTO must be shorter than the MTD, so it is at most 2 hours here). Daily backups allow up to 24 hours of data loss, far beyond the 15-minute RPO. The recovery strategy must be selected to meet the BIA requirements, not the reverse. This scenario calls for a hot site (at most a warm site) with near-real-time replication.


Question 2

During a parallel DR test, the recovery team successfully brings up all critical applications at the alternate site. However, they discover that the network configuration at the alternate site routes traffic through a different ISP, and several firewall rules reference the primary site’s IP ranges. External users cannot connect to the applications.

What process should have prevented this?

A. The parallel test should have been replaced with a full interruption test
B. Change management should ensure that DR site configurations are updated when primary site network changes occur
C. The ISP contract should require identical IP addressing at both sites
D. External users should not be included in DR testing scope

Answer & reasoning

Correct: B

When the primary site’s network configuration changes (new IP ranges, updated firewall rules), those changes must also be reflected in the DR site configuration. This is a change management integration failure — the same gap that causes many DR plans to fail. The parallel test did exactly what it was supposed to do: reveal this problem before an actual disaster.
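The drift in Question 2 can be caught before a test by checking the DR site's rule set against the address plan as part of every network change. The following Python is an added example, not part of the original quiz or any vendor tool: it assumes a hypothetical address plan (10.10.0.0/16 and 203.0.113.0/24 at the primary, 10.20.0.0/16 and 198.51.100.0/24 at the DR site), a constructed DR firewall rule set, and a one-to-one pairing between the ranges so that stale rules can be rewritten rather than only flagged. Rule names and addresses are invented for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

# Hypothetical address plan (assumption for this example): each primary range is
# paired, in order, with the DR range that plays the same role at the alternate site.
PRIMARY_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "203.0.113.0/24")]
DR_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "198.51.100.0/24")]
assert all(p.prefixlen == d.prefixlen for p, d in zip(PRIMARY_NETS, DR_NETS))


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR
    dst: str      # CIDR
    port: int
    action: str


# Constructed DR-site rule set: two rules were copied from the primary and still
# point at primary-site addresses; one was written correctly for the DR site.
DR_RULES = [
    Rule("allow-web-in", "0.0.0.0/0", "203.0.113.10/32", 443, "allow"),
    Rule("allow-app-db", "10.10.5.0/24", "10.10.6.0/24", 5432, "allow"),
    Rule("allow-dr-web-in", "0.0.0.0/0", "198.51.100.10/32", 443, "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]


def references_primary(cidr: str) -> bool:
    """True if the CIDR lies entirely inside a primary-site range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in PRIMARY_NETS)


def stale_references(rules):
    """List (rule name, field) pairs whose address belongs to the primary site."""
    return [(r.name, field) for r in rules
            for field in ("src", "dst") if references_primary(getattr(r, field))]


def translate_cidr(cidr: str) -> str:
    """Map a primary-site CIDR to the same offset inside the paired DR range."""
    net = ipaddress.ip_network(cidr, strict=False)
    for primary, dr in zip(PRIMARY_NETS, DR_NETS):
        if net.version == primary.version and net.subnet_of(primary):
            offset = int(net.network_address) - int(primary.network_address)
            addr = ipaddress.ip_address(int(dr.network_address) + offset)
            return f"{addr}/{net.prefixlen}"
    return cidr  # not a primary address: leave untouched


def translate_rules(rules):
    """Rewrite every primary-site reference in a rule set for the DR site."""
    return [replace(r, src=translate_cidr(r.src), dst=translate_cidr(r.dst))
            for r in rules]


if __name__ == "__main__":
    for name, field in stale_references(DR_RULES):
        print(f"stale: rule {name} field {field} references a primary-site range")
    fixed = translate_rules(DR_RULES)
    print("after translation:", stale_references(fixed) or "no stale references")
```

Run against the DR rule export whenever a primary-site network change is approved; a non-empty result blocks the change until the DR configuration is updated. Two caveats: `subnet_of` only catches rules written inside a primary range, so a broad rule such as a /8 that happens to cover the primary would need an `overlaps()` check (which in turn flags every any-any rule), and the offset-based translation assumes the DR ranges mirror the primary layout exactly; where they do not, a per-host mapping table replaces `translate_cidr`.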


Question 3

A severe storm damages a company’s headquarters. The DR plan restores all IT systems at the hot site within 90 minutes. However, 60% of employees cannot reach the alternate work location because it is 200 miles from their homes, and no remote access capability was provisioned.

What planning failure does this represent?

A. The hot site was located too far from the primary site
B. The disaster recovery plan failed because 90 minutes exceeded the RTO
C. The business continuity plan did not address workforce availability and alternate work arrangements
D. Employees should have been required to relocate near the hot site

Answer & reasoning

Correct: C

The DRP succeeded — systems were recovered. The failure is in the BCP, which did not plan for how employees would access those systems. Business continuity must address people, not just technology. Remote access, temporary housing, or distributed work arrangements should have been part of the continuity strategy.


Question 4

A data center’s fire suppression system activates during a false alarm. The system uses a clean agent that displaces oxygen. Two technicians working inside the server room are caught in the discharge.

What design control should have prevented this risk to personnel?

A. The fire suppression system should use water-based sprinklers instead of clean agents
B. Pre-discharge alarms and a time delay should allow personnel to evacuate before agent release
C. Clean agent systems should only be installed in unmanned facilities
D. The technicians should have been wearing breathing apparatus at all times

Answer & reasoning

Correct: B

Inert-gas clean agent systems suppress fire by lowering the oxygen concentration in the room, so any such system installed in a space people can occupy must include pre-discharge warnings (audible and visual alarms) and a time delay long enough for personnel to exit, typically with a manual abort station near the door so an occupant can hold the discharge during a false alarm. This is a life safety control that must be part of the suppression system design. The agent protects equipment; the alarms and the delay protect people.


Question 5

An organization conducts annual tabletop exercises for its BCP but has never performed a simulation or parallel test. The CIO states that tabletops are sufficient because they consistently identify and resolve procedural issues.

What risk remains unaddressed?

A. Tabletop exercises do not validate that technical recovery procedures actually work when executed
B. Annual testing frequency is insufficient for any test type
C. The CIO should not be involved in BCP testing decisions
D. Tabletop exercises are not a recognized DR test type

Answer & reasoning

Correct: A

Tabletop exercises validate coordination, communication, and procedural logic — but they are theoretical. Nobody actually restores a database, fails over a network, or boots a recovery server. The risk that remains is that the documented procedures may not work when physically executed. Simulation or parallel testing is needed to validate technical recovery.


Question 6

A security audit reveals that the corporate badge system logs show consistent after-hours access to the finance department by a facilities maintenance contractor. The contractor’s agreement authorizes access only to common areas and mechanical rooms.

What is the FIRST step?

A. Terminate the contractor’s badge immediately
B. Review badge access logs to determine the full scope and duration of unauthorized access, then restrict the badge to authorized areas
C. Install additional cameras in the finance department
D. Notify law enforcement of potential unauthorized access

Answer & reasoning

Correct: B

Before taking action, determine the scope: how long has this been happening, which areas were accessed, at what times, and were the attempts granted or denied? Preserve the relevant log extracts first, since later reconfiguration of the badge system can overwrite or complicate the evidence. The answers indicate whether this is an access control configuration error (the badge profile grants areas it should not), a contractor exceeding authorized scope, or something more concerning. In parallel, restrict the badge to the authorized areas so the unauthorized access stops while the investigation continues.
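The scoping step in Question 6 is ordinary log analysis. The following Python is an added example, not from the quiz: it parses a constructed badge log (timestamp, badge ID, door, result), assumes the contractor badge is C-4471, that authorized doors carry the prefixes LOBBY- and MECH-, that business hours run 07:00 to 19:00, and that the log timestamps are already in local time (written with a Z suffix for simplicity). Door names, badge IDs and the log format are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed badge log (hypothetical format): timestamp,badge,door,result
BADGE_LOG = """\
2024-03-04T08:02:11Z,C-4471,MECH-B1,GRANTED
2024-03-04T22:15:03Z,C-4471,FIN-3A,GRANTED
2024-03-04T22:15:41Z,C-4471,FIN-3B,GRANTED
2024-03-05T09:30:00Z,E-1002,FIN-3A,GRANTED
2024-03-06T23:02:17Z,C-4471,FIN-3A,GRANTED
this line is corrupt and must not crash the parser
2024-03-07T21:58:09Z,C-4471,FIN-3B,DENIED
2024-03-07T12:10:45Z,C-4471,LOBBY-1,GRANTED
2024-03-08T22:40:30Z,C-4471,FIN-3A,GRANTED
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Event:
    ts: datetime
    badge: str
    door: str
    result: str


def parse_events(text: str):
    """Parse log lines, skipping malformed ones rather than aborting the review."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], TS_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        events.append(Event(ts, parts[1], parts[2], parts[3]))
    return events


def in_scope(door: str, allowed_prefixes) -> bool:
    """A door is authorized if its name starts with one of the contract's area prefixes."""
    return door.startswith(tuple(allowed_prefixes))


def after_hours(ts: datetime, start_hour: int = 7, end_hour: int = 19) -> bool:
    return not (start_hour <= ts.hour < end_hour)


def scope_report(events, badge: str, allowed_prefixes) -> dict:
    """Summarize out-of-scope access for one badge: what, where, when, for how long."""
    mine = [e for e in events if e.badge == badge]
    out = [e for e in mine if not in_scope(e.door, allowed_prefixes)]
    granted = [e for e in out if e.result == "GRANTED"]
    first = min((e.ts for e in granted), default=None)
    last = max((e.ts for e in granted), default=None)
    return {
        "in_scope_granted": sum(1 for e in mine
                                if e.result == "GRANTED" and in_scope(e.door, allowed_prefixes)),
        "out_of_scope_granted": len(granted),
        "out_of_scope_denied": sum(1 for e in out if e.result == "DENIED"),
        "after_hours_out_of_scope_granted": sum(after_hours(e.ts) for e in granted),
        "doors": sorted({e.door for e in out}),
        "first": first.strftime(TS_FMT) if first else None,
        "last": last.strftime(TS_FMT) if last else None,
        "span_days": (last - first).days if first else 0,
    }


if __name__ == "__main__":
    report = scope_report(parse_events(BADGE_LOG), "C-4471", ("LOBBY-", "MECH-"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The granted events at doors outside the contract are the decisive signal: the badge system itself let the contractor into finance, so the access profile is misconfigured and is the first thing to correct. The denied attempt shows a door the profile did not grant, which is evidence of intent rather than of a configuration error. Run the report on an exported copy of the logs, not on the live system, so the evidence survives the reconfiguration.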


Question 7

A company’s sole-source supplier of a critical manufacturing component declares bankruptcy. The company’s BCP does not address supply chain disruptions. Production halts within one week.

What BCP element was missing?

A. The BIA did not identify the dependency on a sole-source supplier as a critical risk
B. The DRP should have included manufacturing process recovery
C. The company should have maintained a larger inventory of all components
D. Financial risk analysis should have predicted the supplier’s bankruptcy

Answer & reasoning

Correct: A

The BIA should have identified the sole-source supplier as a single point of failure and a critical dependency. This would have driven continuity strategies such as qualifying alternate suppliers, maintaining safety stock, or contractual protections. The gap started in the BIA, which did not map the supply chain dependency.


Question 8

During a workplace active shooter drill, the security team instructs all employees to evacuate through the main lobby. An employee with a mobility disability reports that they cannot use the stairs, and the elevators have been disabled as part of the drill protocol.

What emergency planning failure does this expose?

A. Elevators should remain operational during evacuations for employees with disabilities
B. Evacuation procedures did not include designated areas of refuge and assistance protocols for employees who cannot use stairs
C. Employees with disabilities should be exempt from emergency drills
D. The drill should have been announced in advance so accommodations could be arranged

Answer & reasoning

Correct: B

Emergency evacuation plans must include provisions for personnel who cannot use standard evacuation routes. Areas of refuge (protected spaces where individuals can wait for assisted evacuation), designated evacuation assistants, and communication with emergency responders are required elements. Enabling elevators during emergencies (A) may create additional safety hazards.


Question 9

An organization implements synchronous data replication between its primary data center and a hot site 50 miles away. After implementation, application performance drops by 40% due to replication latency.

What should the organization evaluate?

A. Switch to a cold site to eliminate the performance impact
B. Move the hot site closer to the primary data center to reduce latency
C. Evaluate asynchronous replication as a trade-off between RPO requirements and application performance
D. Disable replication during business hours and replicate only at night

Answer & reasoning

Correct: C

Synchronous replication acknowledges a write only after the remote copy confirms it, so the RPO is effectively zero, but every write pays the round-trip propagation delay to the hot site, which grows with distance (roughly 1 ms of round trip per 100 km of fiber, plus the replica's own apply time). If the BIA allows some data loss, even seconds or minutes, asynchronous replication removes the remote round trip from the write path; the cost is a window of acknowledged but not yet replicated writes that would be lost if the primary failed. This trade-off between RPO and application performance should be evaluated against the actual BIA requirements rather than assumed.
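The trade-off in Question 9 can be made concrete with a small deterministic model. The following Python is an added example, not from the quiz or any replication product: it assumes light travels through fiber at about 200 km/ms (so the 50-mile, roughly 80 km, link has a round trip of about 0.8 ms), a local commit time of 0.1 ms, a replica apply time of 0.15 ms per write, and a serial client that issues its next write as soon as the previous one is acknowledged. All figures are assumptions chosen to make the effect visible; real replication lag also includes queueing and jitter that this model ignores.

```python
from dataclasses import dataclass

FIBER_KM_PER_MS = 200.0  # assumption: light in glass travels at roughly 2/3 of c


def fiber_rtt_ms(distance_km: float) -> float:
    """Round-trip propagation delay over a fiber path of the given length."""
    return 2.0 * distance_km / FIBER_KM_PER_MS


@dataclass(frozen=True)
class Result:
    acked: int               # writes acknowledged to the client before the crash
    durable_at_replica: int  # of those, how many the replica had applied at crash time
    lost: int                # acked but not replicated: the loss the RPO must tolerate
    avg_write_latency_us: float


def simulate(mode: str, rtt_us: int, local_us: int, apply_us: int, crash_us: int) -> Result:
    """Replay a serial write stream until the primary crashes at crash_us.

    sync:  the client is acknowledged only after the replica has applied the write
           and its confirmation has travelled back, so every acked write is durable.
    async: the client is acknowledged after the local commit; the write is shipped
           afterwards and the replica applies it whenever it catches up.
    Times are integer microseconds so the arithmetic is exact.
    """
    one_way = rtt_us // 2
    t = acked = durable = replica_free = total_latency = 0
    while True:
        local_done = t + local_us
        arrives = local_done + one_way
        replica_done = max(arrives, replica_free) + apply_us  # replica applies in order
        ack = replica_done + one_way if mode == "sync" else local_done
        if ack > crash_us:
            break  # this write was in flight at the crash; the client never saw an ack
        acked += 1
        total_latency += ack - t
        replica_free = replica_done
        if replica_done <= crash_us:
            durable += 1
        t = ack  # serial client: the next write starts when this one is acknowledged
    return Result(acked, durable, acked - durable,
                  total_latency / acked if acked else 0.0)


if __name__ == "__main__":
    rtt = round(fiber_rtt_ms(80.0) * 1000)  # ~80 km link -> 800 us round trip
    for mode in ("sync", "async"):
        r = simulate(mode, rtt_us=rtt, local_us=100, apply_us=150, crash_us=100_000)
        print(f"{mode:5}: acked={r.acked} durable={r.durable_at_replica} "
              f"lost={r.lost} avg_latency={r.avg_write_latency_us:.0f}us")
```

With these figures the synchronous run completes far fewer writes per unit time but loses none of them, while the asynchronous run acknowledges writes ten times faster and loses the tail that the replica had not yet applied. Because the replica in this model applies writes more slowly than the primary commits them, the lost tail grows the longer the system runs: asynchronous RPO is governed by replication lag, not by the wire delay alone, which is why it has to be measured and alarmed on rather than computed from distance.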


Question 10

A regional power outage disables a hospital’s primary data center. The DR plan is activated, and systems begin failing over to the backup site. Midway through the failover, the DR coordinator receives a report that the backup generator at the primary site has started and power is being restored.

What should the DR coordinator do?

A. Immediately stop the failover and revert all systems to the primary site
B. Complete the failover to the backup site, verify stability, then plan a controlled failback to the primary site during a maintenance window
C. Split operations between both sites to balance the load
D. Shut down the backup site and wait for the primary to fully restore

Answer & reasoning

Correct: B

Stopping a failover midway leaves the environment partially migrated: some systems are running at the primary and others at the backup, dependencies between them may be broken, and if both sites accept writes the data can diverge (a split-brain condition) with no clean copy to recover from. The safer approach is to complete the failover, verify that all systems are stable at the backup site, and then plan a controlled failback to the primary during a scheduled maintenance window. Controlled transitions reduce risk; a generator that has just started is not proof that the primary site is stable.
