Exam CISA topic 1 question 1054 discussion

Actual exam question from Isaca's CISA
Question #: 1054
Topic #: 1

An IS auditor is reviewing a bank’s service level agreement (SLA) with a third-party provider that hosts the bank's secondary data center. Which of the following findings should be of GREATEST concern to the auditor?

  • A. The SLA has not been reviewed in more than a year.
  • B. The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (DRP).
  • C. The recovery point objective (RPO) has a shorter duration than documented in the disaster recovery plan (DRP).
  • D. Backup data is hosted online only.
Suggested Answer: B

Comments

PurpleParrot
2 months, 2 weeks ago
Selected Answer: C
RPO is a greater concern: Recovery Point Objective (RPO) Shorter than in DRP (C): If the RPO in the SLA is shorter than what is outlined in the DRP, it means the service provider is offering a more stringent data recovery capability than what the organization has planned for. This could potentially be problematic because if the SLA commits to a shorter RPO but the DRP expects a longer RPO, there is a risk that the data recovery might not meet the organization's actual needs if the backups and recovery processes are not aligned. Essentially, the data might not be recoverable to the point expected if the backups do not meet the shorter RPO requirement. Recovery Time Objective (RTO) Longer than in DRP (B): If the RTO in the SLA is longer than the RTO in the DRP, the organization might still be able to meet its DRP objectives if the provider’s RTO is longer. However, it could indicate that the provider’s recovery capabilities are not fully aligned with the organization’s needs, which might impact the speed at which services are restored.
upvoted 1 times
PurpleParrot
1 month, 1 week ago
I am changing my answer to B. I'm assuming SLA is to be aligned to the DRP here. Hence greater RTO is a point of concern.
upvoted 1 times
FAGFUR
1 year ago
Selected Answer: B
The finding that the Recovery Time Objective (RTO) in the SLA has a longer duration than documented in the Disaster Recovery Plan (DRP) is of the GREATEST concern to the auditor. The RTO is a critical parameter that defines the maximum tolerable downtime for a system after a disruption. If the RTO in the SLA is longer than what is specified in the DRP, it may indicate a misalignment between the agreed-upon service levels and the organization's expectations for recovery time. This could lead to potential disruptions in business continuity and impact the bank's ability to recover its services within the desired timeframe in case of a disaster.
upvoted 2 times
SuperMax
1 year, 1 month ago
Selected Answer: B
The finding of GREATEST concern to the IS auditor in this scenario would be: B. The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (DRP). This is a significant concern because the RTO specifies the maximum allowable downtime for the bank’s systems. If the RTO in the SLA is longer than what is documented in the disaster recovery plan, it means that in the event of a disaster, the third-party provider may not be able to meet the bank’s required downtime limits. This could potentially result in extended downtime, financial losses, and disruptions to the bank’s operations. It’s crucial for the RTO in the SLA to align with the bank’s business continuity requirements as outlined in its disaster recovery plan.
upvoted 2 times
3008
1 year, 3 months ago
Selected Answer: C
Out of the four options provided, the finding that should be of greatest concern to the auditor is option C where the recovery point objective (RPO) has a shorter duration than documented in the disaster recovery plan. The RPO is the maximum amount of data loss that an organization can tolerate, and it is usually defined in the disaster recovery plan. If the RPO in the SLA is shorter than what is documented in the disaster recovery plan, it means that the bank may not be able to recover all of its data if a disaster occurs. For example, if the disaster recovery plan states that the RPO is four hours, but the SLA with the third-party provider has an RPO of two hours, it means that the bank may lose some data if a disaster occurs before the two-hour mark. This could result in financial losses or regulatory compliance issues, especially if the lost data includes critical information such as customer transactions or personal data.
upvoted 1 times
3008
1 year, 3 months ago
where the recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan, is also a concern, but it is not as critical as option C. The RTO is the amount of time it takes for an organization to resume normal operations after a disaster or disruption. If the RTO in the SLA is longer than what is documented in the disaster recovery plan, it means that the bank may take longer to resume normal operations, which could result in financial losses or reputational damage.
upvoted 1 times
JONESKA
1 year, 3 months ago
Should be B as that's the greatest concern if RTO is longer than what's documented in the DRP.
upvoted 2 times
Pakawat
1 year, 6 months ago
Selected Answer: B
B: RTO has a longer duration than documented in DRP. This is insufficient as in agreement doc.
upvoted 4 times
BabaP
1 year, 6 months ago
Selected Answer: B
This is B
upvoted 3 times
saado9
1 year, 6 months ago
B. The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (DRP).
upvoted 2 times