Chapter 3 Flashcards
Business Continuity Planning (BCP)
used to maintain the continuous operation of a business in the event of an emergency
Difference between BCP and DRP
BC is strategic and high level - focused on business processes and operations. DR is more tactical and describes technical activities like recovery sites, backups, and fault tolerance.
4 steps of business continuity
- Project scope and planning
- Business impact analysis
- Continuity planning
- Approval and implementation
top priority of BCP and DRP
PEOPLE - don’t let them die
Which step of BCP does this belong to?
Perform a structured review of the business’s organization from a crisis planning POV
- Project Scope and Planning
Which step of BCP does this belong to?
Create a BCP team with the approval of senior management.
- Project scope and planning
Which step of BCP does this belong to?
Assess the resources available to participate in BC activities
- Project scope and planning
Which step of BCP does this belong to?
Analyze the legal and regulatory landscape that governs an organization’s response to a catastrophic event.
- project scope and planning
Which step of BCP does this describe?
Analyze the business organization to identify all departments and individuals who have a stake in the BCP process
- Organizational Review
What are four key departments to identify during the Organizational Review?
- Operational departments - core services
- Critical support - maintain systems for operations
- physical security teams - usually first responders
- senior executives
Why would a BCP team made of only the IT and security departments be a critical flaw?
- other departments may not know about the plan until it is too late
- plan may not take into account aspects critical to business ops
Critical roles filled by senior management in BCP
setting priorities, providing staff and financial resources, settling disputes
Resource requirements should be assessed for three phases. Which are they?
- BCP development - time and staff effort
- BCP testing, training, and maintenance
- BCP implementation - when disaster strikes
Which step of BCP does this describe?
Identify business processes and tasks that are critical to an organization’s viability and threats to those resources
- Business Impact Analysis
Quantitative Impact Assessment
use numbers and formulas to reach a decision - often expressed in dollar value
Qualitative Impact Analysis
uses non-numerical factors that are categorized (high, med, low)
critical business functions
activities that if disrupted would jeopardize the organization’s ability to achieve its goal
MTD/MTO
maximum tolerable downtime/maximum tolerable outage
length of time a business function can tolerate a disruption before suffering irreparable harm
RTO
Recovery Time Objective
amount of time in which you think you can feasibly recover the function
RPO
Recovery Point Objective
defines the point in time before the incident where the organization should be able to recover data from a critical business process
how much data the business will lose during an incident
two types of risks
natural and person-made
pandemics are an example of
natural risks
fires can be examples of both
true
transportation failures are examples of
human-made risks
risk identification is qualitative
true
Exposure Factor (EF)
amount of damage the risk poses to an asset, expressed as a percentage of the asset’s value
Single Loss Expectancy (SLE)
monetary loss expected each time the risk materializes
SLE = AV x EF
Annualized Loss Expectancy (ALE)
monetary loss the business expects to suffer from a risk during a typical year
ALE = SLE x ARO
What step of BIA does this describe?
prioritize the allocation of business continuity resources to the various risks identified.
resource prioritization (last step)
If a risk involves loss of life, should it be prioritized higher than its quantitative priority?
Yes
Which phase of BCP does this describe?
developing and implementing a continuity strategy
Continuity Planning
Two subtasks in continuity planning
- strategy development
- provisions and processes
Continuity of Operations Plan (COOP)
how the business will carry out critical functions beginning shortly after a disruption occurs and extending for up to one month of sustained ops
Which part of continuity planning does this describe?
determine which risks identified in the BIA will be addressed by the business continuity plan
strategy development
Which part of continuity planning does this describe?
design the procedures and mechanisms that will mitigate the unacceptable risks
provisions and processes
3 categories of assets that must be protected
- people
- buildings/facilities
- infrastructure
Two areas that should be addressed for each facility
- Hardening Provisions
- Alternate Sites
Hardening Provisions
protect existing facilities against identified risks, e.g. fireproof walls
2 areas to address for infrastructure
- Physically Hardening Systems
- Alternative Systems - redundancy
If all IT systems are in the cloud, they do not need to be considered in BCP.
FALSE - the service providers should also have BCPs and contracts should have SLAs that are achievable by the vendor.
Essential Components of the written BCP (11)
- Continuity Planning Goals
- Statement of Importance
- Statement of Priorities
- Statement of Organizational Responsibility
- Statement of Urgency and Timing
- Risk Assessment
- Risk Acceptance/Mitigation
- Vital Records Program
- Emergency Response Guidelines
- Maintenance
- Testing/Exercises
Statement of Priorities
listing the functions considered critical to business ops in prioritized order
Vital Records Program
states where critical business records will be stored and the procedures for making and storing backup copies of those records