CHAPTER 8_Business Continuity and Disaster Recovery Flashcards

1
Q

Explanation Bullets: The organization can take the following steps to better ensure the continuity of its outsourcing:

A
  • Make the ability of such companies to reliably assure continuity of products and services part of any work proposals.
  • Make sure that BCP is included in contracts with such companies, and that their responsibilities and levels of service are clearly spelled out.
  • Draw up realistic and reasonable service levels that the outsourced firm will meet during an incident.
  • If possible, have the outsourcing companies take part in BCP awareness programs, training, and testing.
2
Q

Explanation Bullets: 2. Performed the BIA

A
  • Identified critical business functions, their resources, and MTD values
  • Identified threats and calculated the impact of these threats
  • Identified solutions
  • Presented findings to management
3
Q

Explanation Bullets: • Management Practices:

A
  • Management Practices:

  • Technical Practices:

4
Q

Emphasis: executive succession planning

A

Organizations should already have executive succession planning in place. This means that if someone in a senior executive position retires, leaves the company, or is killed, the organization has predetermined steps to carry out to protect the company. The loss of a senior executive could tear a hole in the company’s fabric, creating a leadership vacuum that must be filled quickly with the right individual. The line-of-succession plan defines who would step in and assume responsibility for this role. Many organizations have “deputy” roles. For example, an organization may have a deputy CIO, deputy CFO, and deputy CEO ready to take over the necessary tasks if the CIO, CFO, or CEO becomes unavailable.

5
Q

Emphasis: Identify preventive controls

A
  1. Identify preventive controls. Once threats are recognized, identify and implement controls and countermeasures to reduce the organization’s risk level in an economical manner.
6
Q

Explanations: Tertiary Sites

A

During the BIA phase, the team may recognize the danger of the primary backup facility not being available when needed, which could require a tertiary site. This is a secondary backup site, just in case the primary backup site is unavailable. The secondary backup site is sometimes referred to as a “backup to the backup.” This is basically plan B if plan A does not work out.

7
Q

Emphasis: Standards and Best Practices

A

Standards and Best Practices

Although no specific scientific equation must be followed to create continuity plans, certain best practices have proven themselves over time. The National Institute of Standards and Technology (NIST) is responsible for developing best practices and standards as they pertain to U.S. government and military environments. It is common for NIST to document the requirements for these types of environments, and then everyone else in the industry uses their documents as guidelines. So these are “musts” for U.S. government organizations and “good to have” for other nongovernment entities.

8
Q

Explanation Bullets: Business Continuity Planning

Preplanned procedures allow an organization to

A
  • Provide an immediate and appropriate response to emergency situations
  • Protect lives and ensure safety
  • Reduce business impact
  • Resume critical business functions
  • Work with outside vendors and partners during the recovery period
  • Reduce confusion during a crisis
  • Ensure survivability of the business
  • Get “up and running” quickly after a disaster
9
Q

Emphasis: Develop the continuity planning policy statement

A
  1. Develop the continuity planning policy statement. Write a policy that provides the guidance necessary to develop a BCP, and that assigns authority to the necessary roles to carry out these tasks.
10
Q

Emphasis: ISO 22301

A

• ISO 22301 Pending International Standard for business continuity management systems. The specification document against which organizations will seek certification.

11
Q

Emphasis: recovery strategy stage

A

In the recovery strategy stage, the team approaches the information gathered during the BIA stage from a practical perspective. It has to figure out what the company needs to do to actually recover the items it has identified as being so important to the organization overall. In its business continuity and recovery strategy, the team closely examines the critical, agreed-upon business functions, and then evaluates the numerous recovery and backup alternatives that might be used to recover critical business operations.

12
Q

Explanations: Human Resources

A

We have everything up and running now—where are all the people to run these systems?

13
Q

Bullets: Strengths

A

Characteristics of the project team that give it an advantage over others

14
Q

Explanation Bullets: The main parts of a risk assessment are:

A
  • Review the existing strategies for risk management
  • Construct a numerical scoring system for probabilities and impacts
  • Make use of a numerical score to gauge the effect of the threat
  • Estimate the probability of each threat
  • Weigh each threat through the scoring system
  • Calculate the risk by combining the scores of likelihood and impact of each threat
  • Get the organization’s sponsor to sign off on these risk priorities
  • Weigh appropriate measures
  • Make sure that planned measures that alleviate risk do not heighten other risks
  • Present the assessment’s findings to executive management
15
Q

Emphasis: Enterprise-Wide BCP

A

Enterprise-Wide BCP

The agreed-upon scope of the BCP will indicate if one or more facilities will be included in the plan. Most BCPs are developed to cover the enterprise as a whole, instead of dealing with only portions of the organization. In larger organizations, it can be helpful for each department to have its own specific contingency plan that will address its specific needs during recovery. These individual plans need to be compatible with the enterprise-wide BCP.

16
Q

Emphasis: BS 25999

A

• BS 25999 The British Standards Institute’s (BSI) standard for business continuity management (BCM). This BS standard has two parts:

17
Q

Explanations: BCP Project Components

A

Before everyone runs off in 2,000 different directions at one time, let’s understand what needs to be done in the project initiation phase. This is the phase in which the company really needs to figure out what it is doing and why. So, after someone gets the donuts and coffee, let’s get down to business.

18
Q

Explanations: Recovery Strategies

A

Up to this point, the BCP team has carried out the project initiation phase. In this phase, the team obtained management support and the necessary resources, laid out the scope of the project, and identified the BCP team. It also completed the BIA phase. This means that the committee carried out a risk assessment and analysis, which resulted in a report of the real risk level the company faces.

19
Q

Explanations: Supply and Technology Recovery

A

At this point, the BCP team has mapped out the necessary business functions that need to be up and running and the specific backup facility option that is best for its organization. Now the team needs to dig down into the more granular items, such as backup solutions for the following:

20
Q

Emphasis: Facility Recovery

A

Facility Recovery

Disruptions, in BCP terms, are of three main types: nondisasters, disasters, and catastrophes. A nondisaster is a disruption in service due to a device malfunction or failure. The solution could include hardware, software, or file restoration. A disaster is an event that causes the entire facility to be unusable for a day or longer. This usually requires the use of an alternate processing facility and restoration of software and data from offsite copies. The alternate site must be available to the company until its main facility is repaired and usable. A catastrophe is a major disruption that destroys the facility altogether. This requires both a short-term solution, which would be an offsite facility, and a long-term solution, which may require rebuilding the original facility.

21
Q

Explanation Bullets: Warm and Cold Site Disadvantages

A
  • Operational testing not usually available

  • Resources for operations not immediately available

22
Q

Explanation Bullets: Hot Site Disadvantages

A
  • Very expensive

  • Limited on hardware and software choices

23
Q

Explanation Bullets: The initiation process for BCP might include the following:

A
  • Setting up a budget and staff for the program before the BCP process begins. Dedicated personnel and dedicated hours are essential for executing something as labor-intensive as a BCP.
  • Setting up the program would include assigning duties and responsibilities to the BCP coordinator and to representatives from all of the functional units of the organization.
  • Senior management should kick off the BCP with a formal announcement or, better still, an organization-wide meeting to demonstrate high-level support.
  • Awareness-raising activities to let employees know about the BCP program and to build internal support for it.
  • Establishment of skills training for the support of the BCP effort.
  • The start of data collection from throughout the organization to aid in crafting various continuity options.
  • Putting into effect “quick wins” and gathering of “low-hanging fruit” to show tangible evidence of improvement in the organization’s readiness, as well as improving readiness.
24
Q

Emphasis: business interruption insurance

A

A company could also choose to purchase a business interruption insurance policy. With this type of policy, if the company is out of business for a certain length of time, the insurance company will pay for specified expenses and lost earnings. Another policy that can be bought insures accounts receivable. If a company cannot collect on its accounts receivable for one reason or another, this type of coverage covers part or all of the losses and costs.

25
Q

Explanation Bullets: The BCP team needs to understand these different steps of the company’s most critical processes. The data are usually presented as a workflow document that contains the roles and resources needed for each process. The BCP team must understand the following about critical business processes:

A
  • Required roles
  • Required resources
  • Input and output mechanisms
  • Workflow steps
  • Required time for completion
  • Interfaces with other processes
26
Q

Emphasis: business continuity plan (BCP)

A

A disaster recovery plan (DRP) is carried out when everything is still in emergency mode, and everyone is scrambling to get all critical systems back online. A business continuity plan (BCP) takes a broader approach to the problem. It can include getting critical systems to another environment while repair of the original facilities is under way, getting the right people to the right places during this time, and performing business in a different mode until regular conditions are back in place. It also involves dealing with customers, partners, and shareholders through different channels until everything returns to normal. So, disaster recovery deals with, “Oh my goodness, the sky is falling,” and continuity planning deals with, “Okay, the sky fell. Now, how do we stay in business until someone can put the sky back where it belongs?”

27
Q

Supply and Technology Recovery: At this point, the BCP team has mapped out the necessary business functions that need to be up and running and the specific backup facility option that is best for its organization. Now the team needs to dig down into the more granular items, such as backup solutions for the following:

A
  • Network and computer equipment
  • Voice and data communications resources
  • Human resources
  • Transportation of equipment and personnel
  • Environment issues (HVAC)
  • Data and personnel security issues
  • Supplies (paper, forms, cabling, and so on)
  • Documentation
28
Q

Explanation Bullets: Single points of failure, that is, concentrations of risk that threaten business continuity

A
  • Continuity risks from concentrations of critical skills or critical shortages of skills
  • Continuity risks due to outsourced vendors and suppliers
  • Continuity risks that the BCP program has accepted, that are handled elsewhere, or that the BCP program does not address
29
Q

Emphasis: Conduct the business impact analysis (BIA)

A
  1. Conduct the business impact analysis (BIA). Identify critical functions and systems and allow the organization to prioritize them based on necessity. Identify vulnerabilities and threats, and calculate risks.
30
Q

Explanation Bullets: In the industry, HA is usually thought about only in technology terms, but remember that there are many things that an organization needs to keep functioning. Availability of each of the following items must be thought through and planned:

A
  • Facility
  • Cold, warm, hot, redundant, rolling, reciprocal sites
  • Infrastructure
  • Redundancy, fault tolerance
  • Storage
  • RAID, Storage Area Network (SAN), mirroring, disk shadowing, cloud
  • Server
  • Clustering, load balancing
  • Data
  • Tapes, backups, vaulting, online replication
  • Business processes
  • People
31
Q

Emphasis: Maintain the plan

A
  1. Maintain the plan. Put in place steps to ensure the BCP is a living document that is updated regularly.
32
Q

Emphasis: ISO/IEC 27031:2011

A

• ISO/IEC 27031:2011 Guidelines for information and communications technology readiness for business continuity. This ISO/IEC standard, which is a component of the overall ISO/IEC 27000 series, was covered in Chapter 2.

33
Q

Emphasis: Business Process Recovery

A

Business Process Recovery

A business process is a set of interrelated steps linked through specific decision activities to accomplish a specific task. Business processes have starting and ending points and are repeatable. The processes should encapsulate the knowledge about services, resources, and operations provided by a company. For example, when a customer requests to buy a book via an organization’s e-commerce site, a set of steps must be followed, such as these:

34
Q

Emphasis: full backup

A

The first step is to do a full backup, which is just what it sounds like—all data are backed up and saved to some type of storage media. During a full backup, the archive bit is cleared, which means that it is set to 0. A company can choose to do full backups only, in which case the restoration process is just one step, but the backup and restore processes could take a long time.

35
Q

Emphasis: Develop the contingency plan

A
  1. Develop the contingency plan. Write procedures and guidelines for how the organization can still stay functional in a crippled state.
36
Q

Explanation Bullets: The process of drawing up a policy includes these steps:

A
  • Identify and document the components of the policy.
  • Identify and define policies of the organization that the BCP might affect.
  • Identify pertinent legislation, laws, regulations, and standards.
  • Identify “good industry practice” guidelines by consulting with industry experts.
  • Perform a gap analysis. Find out where the organization currently is in terms of continuity planning, and spell out where it wants to be at the end of the BCP process.
  • Compose a draft of the new policy.
  • Have different departments within the organization review the draft.
  • Put the feedback from the departments into a revised draft.
  • Get the approval of top management on the new policy.
  • Publish a final draft, and distribute and publicize it throughout the organization.
37
Q

Explanation Bullets: Up until now, we have established management’s responsibilities as the following:

A
  • Committing fully to the BCP
  • Setting policy and goals
  • Making available the necessary funds and resources
  • Taking responsibility for the outcome of the development of the BCP
  • Appointing a team for the process
38
Q

Explanations: Implementing Strategies

A

Once the strategies have been decided upon, the BCP team needs to document them and put them into place. This moves the efforts from a purely planning stage to an actual implementation and action phase.

39
Q

Emphasis: Business Continuity Institute’s Good Practice Guidelines (GPG)

A

• Business Continuity Institute’s Good Practice Guidelines (GPG) BCM best practices, which are broken down into the following management and technical practices:

40
Q

Emphasis: salvage team

A

The restoration team should be responsible for getting the alternate site into a working and functioning environment, and the salvage team should be responsible for starting the recovery of the original site. Both teams must know how to do many tasks, such as install operating systems, configure workstations and servers, string wire and cabling, set up the network and configure networking services, and install equipment and applications. Both teams must also know how to restore data from backup facilities. They also must know how to do so in a secure manner, one that ensures the confidentiality, integrity, and availability of the system and data.

41
Q

Bullets: Weaknesses

A

Characteristics that place the team at a disadvantage relative to others

42
Q

Explanation Bullets: The BCP team’s responsibilities are as follows:

A
  • Identifying regulatory and legal requirements that must be met
  • Identifying all possible vulnerabilities and threats
  • Estimating the possibilities of these threats and the loss potential
  • Performing a BIA
  • Outlining which departments, systems, and processes must be up and running before any others
  • Identifying interdependencies among departments and processes
  • Developing procedures and steps in resuming business after a disaster
43
Q

Explanations: Risk Assessment

A

To achieve success, the organization should systematically plan and execute a formal BCP-related risk assessment. The assessment fully takes into account the organization’s tolerance for continuity risks. The risk assessment also makes use of the data in the BIA to supply a consistent estimate of exposure.

44
Q

Explanation Bullets: The BCP team should carry out and address in the resulting plan the following interrelation and interdependency tasks:

A
  • Define essential business functions and supporting departments.
  • Identify interdependencies between these functions and departments.
  • Discover all possible disruptions that could affect the mechanisms necessary to allow these departments to function together.
  • Identify and document potential threats that could disrupt interdepartmental communication.
  • Gather quantitative and qualitative information pertaining to those threats.
  • Provide alternative methods of restoring functionality and communication.
  • Provide a brief statement of rationale for each threat and corresponding information.
45
Q

Explanation Bullets: Organizations can keep the plan updated by taking the following actions:

A
  • Make business continuity a part of every business decision.
  • Insert the maintenance responsibilities into job descriptions.
  • Include maintenance in personnel evaluations.
  • Perform internal audits that include disaster recovery and continuity documentation and procedures.
  • Perform regular drills that use the plan.
  • Integrate the BCP into the current change management process.
  • Incorporate lessons learned from actual incidents into the plan.
46
Q

Explanation Bullets: Warm and Cold Site Advantages

A
  • Less expensive
  • Available for longer timeframes because of the reduced costs
  • Practical for proprietary hardware or software use
47
Q

Emphasis: redundant sites

A

Some companies choose to have redundant sites, or mirrored sites, meaning one site is equipped and configured exactly like the primary site, which serves as a redundant environment. The business-processing capabilities between the two sites can be completely synchronized. These sites are owned by the company and are mirrors of the original production environment. A redundant site has clear advantages: it has full availability, is ready to go at a moment’s notice, and is under the organization’s complete control. This is, however, one of the most expensive backup facility options, because a full environment must be maintained even though it usually is not used for regular production activities until after a disaster takes place that triggers the relocation of services to the redundant site. But expensive is relative here. If the company would lose a million dollars if it were out of business for just a few hours, the loss potential would override the cost of this option. Many organizations are subjected to regulations that dictate they must have redundant sites in place, so expense is not an issue in these situations.

48
Q

Emphasis: Warm site

A

• Warm site A leased or rented facility that is usually partially configured with some equipment, such as HVAC, and foundational infrastructure components, but not the actual computers. In other words, a warm site is usually a hot site without the expensive equipment such as communication equipment and servers. Staging a facility with duplicate hardware and computers configured for immediate operation is extremely expensive, so a warm site provides an alternate facility with some peripheral devices.

49
Q

Emphasis: functional analysis

A

A BIA (business impact analysis) is considered a functional analysis, in which a team collects data through interviews and documentary sources; documents business functions, activities, and transactions; develops a hierarchy of business functions; and finally applies a classification scheme to indicate each individual function’s criticality level. But how do we determine a classification scheme based on criticality levels?

50
Q

Bullets: Responsibility

A

Each individual involved with recovery and continuity should have their responsibilities spelled out in writing to ensure a clear understanding in a chaotic situation. Each task should be assigned to the individual most logically situated to handle it. These individuals must know what is expected of them, which is done through training, drills, communication, and documentation. So, for example, instead of just running out of the building screaming, an individual must know that he is responsible for shutting down the servers before he can run out of the building screaming.

51
Q

Explanation Bullets: The following provides a quick overview of the differences between offsite facilities:

Hot Site Advantages

A
  • Ready within hours for operation
  • Highly available
  • Usually used for short-term solutions, but available for longer stays
  • Annual testing available
52
Q

Explanations: Software Backups

A

I have a backup server and my backed-up data, but no operating system or applications.

53
Q

Explanation Bullets: 3. Identified and implemented preventive controls

A
  • Put controls into place to reduce the company’s identified risks
  • Bought insurance
  • Implemented facility structural reinforcements
  • Rolled out backup solutions for data
  • Installed redundant and fault-tolerant mechanisms
54
Q

Explanation Bullets: Important issues need to be addressed before a disaster hits if a company decides to participate in a reciprocal agreement with another company:

A
  • How long will the facility be available to the company in need?
  • How much assistance will the staff supply in integrating the two environments and ongoing support?
  • How quickly can the company in need move into the facility?
  • What are the issues pertaining to interoperability?
  • How many of the resources will be available to the company in need?
  • How will differences and conflicts be addressed?
  • How does change control and configuration management take place?
  • How often can drills and testing take place?
  • How can critical assets of both companies be properly protected?
55
Q

Explanation Bullets: Which types of preventive mechanisms should be put in place depends upon the results of the BIA, but they may include some of the following:

A
  • Fortification of the facility in its construction materials
  • Redundant servers and communications links
  • Redundant power lines coming in through different transformers
  • Redundant vendor support
  • Purchasing of insurance
  • Purchasing of uninterruptible power supplies (UPSs) and generators
  • Data backup technologies
  • Media protection safeguards
  • Increased inventory of critical equipment
  • Fire detection and suppression systems
56
Q

Emphasis: cold site

A

Most companies use warm sites, which have some devices such as disk drives, tape drives, and controllers, but very little else. These companies usually cannot afford a hot site, and the extra downtime would not be considered detrimental. A warm site can provide a longer-term solution than a hot site. Companies that decide to go with a cold site must be able to be out of operation for a week or two. The cold site usually includes power, raised flooring, climate control, and wiring.

57
Q

Explanation Bullets: A company needs to address several issues and ask specific questions when it is deciding upon a storage facility for its backup materials. The following provides a list of just some of the issues that need to be thought through before committing to a specific vendor for this service:

A
  • Can the media be accessed in the necessary timeframe?
  • Is the facility closed on weekends and holidays, and does it only operate during specific hours of the day?
  • Are the access control mechanisms tied to an alarm and/or the police station?
  • Does the facility have the capability to protect the media from a variety of threats?
  • What is the availability of a bonded transport service?
  • Are there any geographical environmental hazards such as floods, earthquakes, tornadoes, and so on that might affect the facility?
  • Is there a fire detection and suppression system?
  • Does the facility provide temperature and humidity monitoring and control?
  • What type of physical, administrative, and logical access controls are used?
58
Q

Emphasis: failover

A

If a technology has a failover capability, this means that if there is a failure that cannot be handled through normal means, then processing is “switched over” to a working system. For example, two servers can be configured to send each other heartbeat signals every 30 seconds. If server A does not receive a heartbeat signal from server B after 40 seconds, then all processes are moved to server A so that there is no lag in operations. Also, when servers are clustered, this means that there is an overarching piece of software monitoring each server and carrying out load balancing. If one server within the cluster goes down, the clustering software stops sending it data to process so that there are no delays in processing activities.

59
Q

Emphasis: Work Recovery Time (WRT)

A

The Work Recovery Time (WRT) is the remainder of the overall MTD value. RTO usually deals with getting the infrastructure and systems back up and running, and WRT deals with restoring data, testing processes, and then making everything “live” for production purposes.

60
Q

Emphasis: Cold site

A

• Cold site A leased or rented facility that supplies the basic environment, electrical wiring, air conditioning, plumbing, and flooring, but none of the equipment or additional services. A cold site is essentially an empty data center. It may take weeks to get the site activated and ready for work. The cold site could have equipment racks and dark fiber (fiber that does not have the circuit engaged) and maybe even desks. However, it would require the receipt of equipment from the client, since it does not provide any.

61
Q

Bullets: Authority

A

In times of crisis, it is important to know who is in charge. Teamwork is important in these situations, and almost every team does much better with an established and trusted leader. Such leaders must know that they are expected to step up to the plate in a time of crisis and understand what type of direction they should provide to the rest of the employees. Clear-cut authority will aid in reducing confusion and increasing cooperation.

62
Q

Emphasis: High availability (HA)

A

High availability (HA) is a combination of technologies and processes that work together to ensure that some specific thing is always up and running. The specific thing can be a database, a network, an application, a power supply, etc. Service providers have SLAs with their customers, which outline the amount of uptime they promise to provide and a turnaround time to get the item fixed if it does go down. For example, a hosting company can promise to provide 98 percent uptime for Internet connectivity. This means they are guaranteeing that at least 98 percent of the time, the Internet connection you purchase from them will be up and running. The hosting company knows that some things may take place to interrupt this service, but within your SLA with them, it promises an eight-hour turnaround time. This means if your Internet connection does go down, they will either fix it or provide you with a different connection within eight hours.

63
Q

Emphasis: Recovery Time Objective (RTO)

A

The Recovery Time Objective (RTO) is the earliest time period and a service level within which a business process must be restored after a disaster to avoid unacceptable consequences associated with a break in business continuity. The RTO value is smaller than the MTD value, because the MTD value represents the time after which an inability to recover significant operations will mean severe and perhaps irreparable damage to the organization’s reputation or bottom line. The RTO assumes that there is a period of acceptable downtime. This means that a company can be out of production for a certain period of time (RTO) and still get back on its feet. But if the company cannot get production up and running within the MTD window, the company is sinking too fast to properly recover.

64
Q

Emphasis: DRI International Institute’s Professional Practices for Business Continuity Planners

A

• DRI International Institute’s Professional Practices for Business Continuity Planners: Best practices and framework to allow for BCM processes, which are broken down into the following sections:

65
Q

Explanation Bullets: As indicators of success, the risk assessment should identify, evaluate, and record all relevant items, which may include:

A
  • Vulnerabilities for all of the organization’s most time-sensitive resources and activities
  • Threats and hazards to the organization’s most urgent resources and activities
  • Measures that cut the possibility, length, or effect of a disruption on critical services and products
66
Q

Emphasis: Offsite Location

A

Offsite Location: When choosing a backup facility, it should be far enough away from the original site so that one disaster does not take out both locations. In other words, it is not logical to have the backup site only a few miles away if the company is concerned about tornado damage, because the backup site could also be affected or destroyed. There is a rule of thumb that suggests that alternate facilities should be, at a bare minimum, at least 5 miles away from the primary site, while 15 miles is recommended for most low-to-medium critical environments, and 50 to 200 miles is recommended for critical operations to give maximum protection in cases of regional disasters.

67
Q

Explanation Bullets: 26. A. The missing step is the BIA. The steps of the BIA are as follows:

A
  • Identify the company’s critical business functions.
  • Decide on information-gathering techniques: interviews, surveys, qualitative or quantitative questionnaires.
  • Identify resources these functions depend upon.
  • Calculate how long these functions can be without these resources.
  • Identify vulnerabilities and threats to these functions.
  • Calculate the risk for each different business function.
  • Develop backup solutions for resources based on tolerable outage times.
  • Develop recovery solutions for the company’s individual departments and for the company as a whole.
68
Q

Explanation Bullets: Different organizations have different criteria, because the business drivers and critical functions will vary from organization to organization. The criteria may comprise some or all of the following elements:

A
  • Danger to human life
  • Danger to state or national security
  • Damage to facility
  • Damage to critical systems
  • Estimated value of downtime that will be experienced
69
Q

Bullets: Priorities

A

It is extremely important to know what is critical versus what is merely nice to have. Different departments provide different functionality for an organization. The critical departments must be singled out from the departments that provide functionality that the company can live without for a week or two. It is necessary to know which department must come online first, which second, and so on. That way, the efforts are made in the most useful, effective, and focused manner. Along with the priorities of departments, the priorities of systems, information, and programs must be established. It may be necessary to ensure that the database is up and running before working to bring the web servers online. The general priorities must be set by management with the help of the different departments and IT staff.

70
Q

Explanation Bullets: The team has figured out these types of MTD timelines for the individual business functions, operations, and resources. Now it has to identify the recovery mechanisms and strategies that must be implemented to make sure everything is up and running within the timelines it has calculated. The team needs to break down these recovery strategies into the following sections:

A
  • Business process recovery
  • Facility recovery
  • Supply and technology recovery
  • User environment recovery
  • Data recovery
71
Q

Explanations: End-User Environment

A

Because the end users are usually the worker bees of a company, they must be provided a functioning environment as soon as possible after a disaster hits. This means that the BCP team must understand the current operational and technical functioning environment and examine critical pieces so they can replicate them.

72
Q

Explanation Bullets: The committee needs to step through scenarios in which the following problems result:

A
  • Equipment malfunction or unavailable equipment
  • Unavailable utilities (HVAC, power, communications lines)
  • Facility becomes unavailable
  • Critical personnel become unavailable
  • Vendor and service providers become unavailable
  • Software and/or data corruption
73
Q

Emphasis: BCP committee

A

A leader needs a team, so a BCP committee needs to be put together. Management and the coordinator should work together to appoint specific, qualified people to be on this committee. The team must comprise people who are familiar with the different departments within the company, because each department is unique in its functionality and has distinctive risks and threats. The best plan is when all issues and threats are brought to the table and discussed. This cannot be done effectively with a few people who are familiar with only a couple of departments. Representatives from each department must be involved with not only the planning stages but also the testing and implementation stages.

74
Q

Explanation Bullets: Once the coordinator, management, and salvage team sign off on the readiness of the facility, the salvage team should carry out the following steps:

A
  • Back up data from the alternate site and restore it within the new facility.
  • Carefully terminate contingency operations.
  • Securely transport equipment and personnel to the new facility.
75
Q

Explanation Bullets: 4. Developed recovery strategies

A
  • Implemented processes of getting the company up and running in the necessary time
  • Created the necessary teams
  • Developed goals and procedures for each team
  • Created notification steps and planned activation criteria
  • Identified alternate backup solutions
76
Q

Explanations: Risk Assessment Evaluation and Process

A

In a BCP setting, a risk assessment looks at the impact and likelihood of various threats that could trigger a business disruption. The tools, techniques, and methods of risk assessment include determining threats, assessing probabilities, tabulating threats, and analyzing costs and benefits.

77
Q

Explanations: Electronic Backup Solutions

A

Manually backing up systems and data can be time-consuming, error-prone, and costly. Several technologies serve as automated backup alternatives. Although these technologies are usually more expensive, they are quicker and more accurate, which may be necessary for online information that changes often.

78
Q

Emphasis: Understanding the Organization First

A

Understanding the Organization First: A company has no real hope of rebuilding itself and its processes after a disaster if it does not have a good understanding of how its organization works in the first place. This notion might seem absurd at first. You might think, “Well, of course a company knows how it works.” But you would be surprised at how difficult it is to fully understand an organization down to the level of detail required to rebuild it. Each individual may know and understand his or her little world within the company, but hardly anyone at any company can fully explain how each and every business process takes place.

79
Q

Emphasis: Test the plan and conduct training and exercises

A
  1. Test the plan and conduct training and exercises. Test the plan to identify deficiencies in the BCP, and conduct training to properly prepare individuals on their expected tasks.
80
Q

Explanations: Making BCM Part of the Enterprise Security Program

A

Why do we need to combine business continuity and security plans anyway? Response: They both protect the business, unenlightened one.

81
Q

Emphasis: Fault tolerance

A

Fault tolerance is the capability of a technology to continue to operate as expected even if something unexpected takes place (a fault). If a database experiences an unexpected glitch, it can roll back to a known good state and continue functioning as though nothing bad happened. If a packet gets lost or corrupted during a TCP session, the TCP protocol will resend the packet so that system-to-system communication is not affected. If a disk within a RAID system gets corrupted, the system uses its parity data to rebuild the corrupted data so that operations are not affected.

82
Q

Explanation Bullets: Table 8-1 Steps to Be Documented and Approved in Continuity Planning

A
  • Objective-to-task mapping
  • Resource-to-task mapping
  • Workflows
  • Milestones
  • Deliverables
  • Budget estimates
  • Success factors
  • Deadlines
83
Q

Explanation Bullets: The committee should be made up of representatives from at least the following departments:

A
  • Business units
  • Senior management
  • IT department
  • Security department
  • Communications department
  • Legal department
84
Q

Emphasis: BCP policy

A

The BCP policy supplies the framework for and governance of designing and building the BCP effort. The policy helps the organization understand the importance of BCP by outlining BCP’s purpose. It provides an overview of the principles of the organization and those behind BCP, and the context for how the BCP team will proceed.

85
Q

Explanation Bullets: The BCP coordinator needs to define several different teams that should be properly trained and available if a disaster hits. The types of teams an organization needs depend upon the organization. The following are some examples of teams that a company may need to construct:

A
  • Damage assessment team
  • Legal team
  • Media relations team
  • Recovery team
  • Relocation team
  • Restoration team
  • Salvage team
  • Security team
86
Q

Emphasis: Assigning Values to Assets

A

Assigning Values to Assets: The next step in the risk analysis is to assign a value to the assets that could be affected by each threat. This helps establish economic feasibility of the overall plan. As discussed in Chapter 2, assigning values to assets is not as straightforward as it seems. The value of an asset is not just the amount of money paid for it. The asset’s role in the company has to be considered, along with the labor hours that went into creating it if it is a piece of software. The value amount could also encompass the liability issues that surround the asset if it were damaged or insecure in any manner. (Review Chapter 2 for an in-depth description and criteria for calculating asset value.)

87
Q

Bullets: Opportunities

A

Elements that could contribute to the project’s success

88
Q

Bullets: Implementation and testing

A

It is great to write down very profound ideas and develop plans, but unless they are actually carried out and tested, they may not add up to a hill of beans. Once a continuity plan is developed, it actually has to be put into action. It needs to be documented and put in places that are easily accessible in times of crisis. The people who are assigned specific tasks need to be taught and informed how to fulfill those tasks, and dry runs must be done to walk people through different situations. The drills should take place at least once a year, and the entire program should be continually updated and improved.

89
Q

Emphasis: High Availability

A

High Availability: High availability (HA) is a combination of technologies and processes that work together to ensure that some specific thing is always up and running. The specific thing can be a database, a network, an application, a power supply, etc. Service providers have SLAs with their customers, which outline the amount of uptime they promise to provide and a turnaround time to get the item fixed if it does go down. For example, a hosting company can promise to provide 98 percent uptime for Internet connectivity. This means they are guaranteeing that at least 98 percent of the time, the Internet connection you purchase from them will be up and running. The hosting company knows that some things may take place to interrupt this service, but within your SLA with them, it promises an eight-hour turnaround time. This means if your Internet connection does go down, they will either fix it or provide you with a different connection within eight hours.

90
Q

Explanations: BCP Development Products

A

Since there is so much work in collecting, analyzing, and maintaining DRP and BCP data, using a product that automates these tasks can prove to be extremely helpful.

91
Q

Emphasis: disk mirroring

A

Disk shadowing is used to ensure the availability of data and to provide a fault-tolerant solution by duplicating hardware and maintaining more than one copy of the information. The data are dynamically created and maintained on two or more identical disks. If only disk mirroring is used, then each disk would have a corresponding mirrored disk that contains the exact same information. If shadow sets are used, the data can be stored as images on two or more disks.

92
Q

Explanations: Data Backup Alternatives

A

As we have discussed so far, backup alternatives are needed for hardware, software, personnel, and offsite facilities. It is up to each company and its continuity team to decide if all of these components are necessary for its survival and the specifics for each type of backup needed.

93
Q

Emphasis: Response: They both protect the business, unenlightened one

A

Why do we need to combine business continuity and security plans anyway? Response: They both protect the business, unenlightened one.

94
Q

Explanation Bullets: The main reasons plans become outdated include the following:

A
  • The business continuity process is not integrated into the change management process.
  • Changes occur to the infrastructure and environment.
  • Reorganization of the company, layoffs, or mergers occur.
  • Changes in hardware, software, and applications occur.
  • After the plan is constructed, people feel their job is done.
  • Personnel turn over.
  • Large plans take a lot of work to maintain.
  • Plans do not have a direct line to profitability.
95
Q

Explanation Bullets: The BCP committee must identify the threats to the company and map them to the following characteristics:

A
  • Maximum tolerable downtime and disruption for activities
  • Operational disruption and productivity
  • Financial considerations
  • Regulatory responsibilities
  • Reputation
96
Q

Emphasis: Disk duplexing

A

NOTE: Disk duplexing means there is more than one disk controller. If one disk controller fails, the other is ready and available.

97
Q

Explanations: Interdependencies

A

Operations depend on manufacturing, manufacturing depends on R&D, payroll depends on accounting, and they all depend on IT.

98
Q

Explanation Bullets: The end goals of a risk assessment include:

A
  • Identifying and documenting single points of failure
  • Making a prioritized list of threats to the particular business processes of the organization
  • Putting together information for developing a management strategy for risk control, and for developing action plans for addressing risks
  • Documenting acceptance of identified risks, or documenting acknowledgment of risks that will not be addressed
99
Q

Bullets: Threats

A

Elements that could contribute to the project’s failure

100
Q

Explanations: Full-Interruption Test

A

This type of test is the most intrusive to regular operations and business productivity. The original site is actually shut down, and processing takes place at the alternate site. The recovery team fulfills its obligations in preparing the systems and environment for the alternate site. All processing is done only on devices at the alternate offsite facility.

101
Q

Emphasis: Hot site

A

• Hot site: A facility that is leased or rented and is fully configured and ready to operate within a few hours. The only missing resources from a hot site are usually the data, which will be retrieved from a backup site, and the people who will be processing the data. The equipment and system software must absolutely be compatible with the data being restored from the main site and must not cause any negative interoperability issues. Some facilities, for a fee, store data backups close to the hot site. These sites are a good choice for a company that needs to ensure a site will be available for it as soon as possible. Most hot-site facilities support annual tests that can be done by the company to ensure the site is functioning in the necessary state of readiness.

102
Q

Emphasis: continuity planning

A

The goal of disaster recovery is to minimize the effects of a disaster or disruption. It means taking the necessary steps to ensure that the resources, personnel, and business processes are able to resume operation in a timely manner. This is different from continuity planning, which provides methods and procedures for dealing with longer-term outages and disasters. The goal of a disaster recovery plan is to handle the disaster and its ramifications right after the disaster hits; the disaster recovery plan is usually very information technology (IT)–focused.

103
Q

Explanation Bullets: Loss criteria must be applied to the individual threats that were identified. The criteria may include the following:

A
  • Loss in reputation and public confidence
  • Loss of competitive advantages
  • Increase in operational expenses
  • Violations of contract agreements
  • Violations of legal and regulatory requirements
  • Delayed income costs
  • Loss in revenue
  • Loss in productivity