Ch.17 - Business Continuity and Disaster Recovery Flashcards
What Is A Business Impact Analysis (BIA)?
• Study used to identify impact that can result from disruptions in business
• Focuses on failure of one or more critical IT functions
• Terms to know:
o Maximum acceptable outage (MAO)
o Critical business functions (CBFs)
o Critical success factors (CSFs)
Dimensions of a BIA
▪ Identify the business impact of IT disruptions
▪ Mission-critical IT systems and components
▪ Does not analyze all IT functions
▪ Stakeholders identify mission-critical systems
▪ Compliance issues often drive BIA
▪ Inputs into the business continuity plan (BCP) and risk assessment (RA)
Objectives of BIA
▪ Identify critical business functions (CBFs)
o Unless you own process, critical business functions are not always apparent – Ex: if you are the security expert, you may not know CBFs of an online Web site
▪ Identify critical resources
o Critical resources are those that are required to support CBFs
o Once you have identified CBFs, you can analyze them to determine critical resources for each
▪ Identify maximum acceptable outage (MAO) and impact
o Once you have identified CBFs and IT resources that support them, turn your attention to MAO and its impact
o When calculating MAO for org, it’s important to consider direct/indirect costs
▪ Identify recovery requirements
o Recovery requirements show time frame in which systems must be recoverable
Balancing Costs
- Cost to recover
- Cost of disruption
- Consider Direct costs and Indirect costs
What Is a Disaster Recovery Plan?
• Plan to restore critical business process or system to operation after disaster
• DRP terms to know:
o Critical business function (CBF)
o Maximum acceptable outage (MAO)
o Recovery time objectives (RTO)
o Business impact analysis (BIA)
Purpose of a DRP
- Most DRPs include purpose statement – Helps identify goals of DRP
- DRP often has multiple goals or purposes:
o Saving Lives: Protection and safety of personnel is always important
▪ If any steps are required to protect personnel, DRP will identify these steps
▪ Includes preparation steps before impending disaster (ex: Hurricane)
▪ Includes steps to take as disaster is occurring
o Ensuring Business Continuity: DRP includes procedures to restore CBFs if disaster occurs
▪ Purpose is to ensure that mission-critical operations continue to function during and after disaster
o Recovering After A Disaster: DRP also addresses processes to recover organization after disaster has passed
▪ Include normalizing any CBFs moved to alternate location or normalizing noncritical functions
Critical Success Factors
- Elements that are critical to success of DRP include:
o Management support
o Knowledge and authority for DRP developers
o Identification of primary concerns
▪ Ex: recovery time objectives and alternate location needs
o Disaster recovery budget
Importance of Backups
- Backups of data
* Off-site copies
Cold Site
▪ Available building
▪ Has electricity, running water, and restrooms
▪ No equipment or data needed for critical operations
▪ May support a server environment (no equipment, data, applications)
Hot Site
▪ Include all equipment and data necessary for business functions
▪ Able to assume operations within hours or minutes
▪ Personnel on location 24/7
Warm Site
▪ Compromise between cold and hot sites
▪ Operational equipment maintained
▪ Usually no data kept up to date
▪ Capable of updating and going live
Cloud Computing Alternatives
- Not location dependent
Common Elements of a DRP
➢ Purpose and scope
➢ Disaster/emergency declaration
➢ Communications
➢ Emergency response
➢ Activities
➢ Recovery procedures
➢ Critical operations, customer service, and operations recovery
➢ Restoration and normalization
What is a Business Continuity Plan?
• Plan designed to help organization continue to operate during and after disruption
• BIA is included as part of a BCP
• BIA key objectives that directly support BCP:
o Identify critical business functions (CBFs)
o Identify critical processes supporting CBFs
o Identify critical IT services supporting CBFs, including any dependencies
o Determine acceptable downtimes for CBFs, processes, and IT service
Elements of a BCP
▪ Purpose and scope
▪ Assumptions and planning principles
▪ System description and architecture
▪ Responsibilities
▪ Phases
▪ Plan training, testing, and exercises
▪ Plan maintenance