Ch.17 - Business Continuity and Disaster Recovery

Question 1

What Is A Business Impact Analysis (BIA)?

Answer 1

• Study used to identify impact that can result from disruptions in business
• Focuses on failure of one or more critical IT functions
• Terms to know:
o Maximum acceptable outage (MAO)
o Critical business functions (CBFs)
o Critical success factors (CSFs)

Question 2

Dimensions of a BIA

Answer 2

▪ Identify the business impact of IT disruptions
▪ Mission-critical IT systems and components
▪ Does not analyze all IT functions
▪ Stakeholders identify mission-critical systems
▪ Compliance issues often drive BIA
▪ Inputs into the business continuity plan (BCP) and risk assessment (RA)

Question 3

Objectives of BIA

Answer 3

▪ Identify critical business functions (CBFs)
o Unless you own process, critical business functions are not always apparent – Ex: if you
are the security expert, you may not know CBFs of an online Web site

▪ Identify critical resources
o Critical resources are those that are required to support CBFs
o Once you identified CBFs, you can analyze them to determine critical resources for each
▪ Identify maximum acceptable outage (MAO) and impact
o Once you identified CBFs and IT resources that support them, turn your attention to
MAO and its impact
o When calculating MAO for org, it’s important to consider direct/indirect costs
▪ Identify recovery requirements
o Recovery requirements show time frame in which systems must be recoverable

Question 4

Balancing Costs

Answer 4

• Cost to recover
• Cost of disruption
• Consider Direct costs and Indirect costs

Question 5

What Is a Disaster Recovery Plan?

Answer 5

• Plan to restore critical business process or system to operation after disaster
• DRP terms to know:
o Critical business function (CBF)
o Maximum acceptable outage (MAO)
o Recovery time objectives (RTO)
o Business impact analysis (BIA)

Question 6

Purpose of a DRP

Answer 6

• Most DRPs include purpose statement – Helps identify goals of DRP
• DRP often has multiples goals or purposes:
  o Saving Lives: Protection and safety of personnel is always important
  ▪ If any steps are required to protect personnel, DRP will identify these steps
  ▪ Includes preparation steps before impending disaster (ex: Hurricane)
  • Includes steps to take as disaster is occurring

o Ensuring Business Continuity: DRP includes procedures to restore CBFs if disaster occurs
▪ Purpose is to ensure that mission-critical operations continue to function during and after disaster

o Recovering After A Disaster: DRP also addresses processes to recover organization after
disaster has passed
▪ Include normalizing any CBFs moved to alternate location or normalizing noncritical functions

Question 7

Critical Success Factors

Answer 7

• Elements that are critical to success of DRP include:
  o Management support
  o Knowledge and authority for DRP developers
  o Identification of primary concerns
  ▪ Ex: recovery time objectives and alternate location needs
  o Disaster recovery budget

Question 8

Importance of Backups

Answer 8

• Backups of data

* Off-site copies

Question 9

Cold Site

Answer 9

▪ Available building
▪ Has electricity, running water, and restrooms
▪ No equipment or data needed for critical operations
▪ May support a server environment (no equipment, data, applications)

Question 10

Hot Site

Answer 10

▪ Include all equipment and data necessary for business functions
▪ Able to assume operations within hours or minutes
▪ Personnel on location 24/7

Question 11

Warm Site

Answer 11

▪ Compromise between cold and hot sites
▪ Operational equipment maintained
▪ Usually no data kept up to date
▪ Capable of updating and going live

Question 12

Cloud Computing Alternatives

Answer 12

• Not location dependent

Question 13

Common Elements of a DRP

Answer 13

➢ Purpose and scope
➢ Disaster/emergency declaration
➢ Communications
➢ Emergency response
➢ Activities
➢ Recovery procedures
➢ Critical operations, customer service, and operations recovery
➢ Restoration and normalization

Question 14

What is a Business Continuity Plan?

Answer 14

• Plan designed to help organization continue to operate during and after disruption
• BIA is included as part of a BCP
• BIA key objectives that directly support BCP:
o Identify critical business functions (CBFs)
o Identify critical processes supporting CBFs
o Identify critical IT services supporting CBFs, including any dependencies
o Determine acceptable downtimes for CBFs, processes, and IT service

Question 15

Elements of a BCP

Answer 15

▪ Purpose and scope
▪ Assumptions and planning principles
▪ System description and architecture
▪ Responsibilities
▪ Phases
▪ Plan training, testing, and exercises
▪ Plan maintenance

Question 16

Phases within a BCP Plan

Answer 16

1) Notification/activation phase
2) Recovery phase
3) Reconstitution phase

Question 17

Defining Data that Needs to Be Protected

Answer 17

• Identify all critical components for system
o There are two reasons for including this data:
a) Makes it clear which components are needed for CBF
b) Provides list that you can use to restore system from scratch
• Identify all equipment (servers, switches, routers)
o servers may need to be rebuilt from scratch – BCP should list OS and any applications needed to support system
o If image is used to rebuild servers, it will list version number
• Include databases hosted on system
• Include files (documents or spreadsheets)
• Include necessary supplies
o can be simple office supplies (printer/paper/toner)
o For some systems, it can include technical supplies (special oils for machinery or tools needed for maintenance)

Question 18

Business Continuity VS Disaster Recovery

Answer 18

Business Continuity Plan
- Covers all functional areas of business
(Ensures entire business can continue to operate in the event of disruption)
- Includes BIA, and address other non-technical elements of event
- Focused on getting overall business functions
back to normal

Disaster Recovery Plan
- Function of IT department
- Includes elements necessary to recover from
declared disaster
- Involves copying critical data to media or online. If required, move IT operations off site to recover
- Focused on restoring and recovering IT functions

Question 19

Steps for Implementing a BCP

Answer 19

1) Create BCP scope statements
2) Conduct business impact analysis (BIA)
3) Identify countermeasures and preventive controls
4) Develop individual disaster recovery plans (DRPs)
5) Implement training
6) Test and exercise plans
7) Maintain and update plans