CISSP (Domain 8 - Business Continuity and Disaster Recovery Planning) Flashcards
Business Continuity Planning (BCP)
- Short-term
- project scope, planning, business impact analysis, recovery strategy, recovery plan development, implementation
- Put in place for business to function
Disaster Recovery Planning (DRP)
- Long-term
- recovery plan development, implementation, restoration
NIST 800-34
Business Continuity Standard
Business Continuity Planning (BCP) - Senior Management Responsibilities (7 Things)
- Support and finalize plans
- Setting the business continuity policy
- Prioritizing critical business functions
- Allocating sufficient resources and personnel
- Providing oversight for and approving the BCP
- Directing and reviewing test results
- Ensuring maintenance of a current plan
Business Continuity Planning (BCP) - Senior Functional Management Responsibilities (5 Things)
- Develop and document maintenance and testing strategy
- Identify and prioritize mission-critical systems
- Monitor progress of plan development and execution
- Ensure periodic tests
- Create the various teams necessary to execute the plans
*Department Head
Business Continuity Planning (BCP) - Committee
- Execute the BIA
- Coordinate with department representatives
- Develop analysis group
- Findings are input to BR/DR
Business Continuity Planning (BCP) - Rescue Team
Deals with the immediacy of disaster
- Employee evacuation
- Crashing the server room
Business Continuity Planning (BCP) - Recovery Team
Gets the alternative facility up and running
Business Continuity Planning (BCP) - Salvage Team
Return of operations to the original or permanent facility
7 Phases of Business Continuity Planning (BCP)
- Project initiation
- Business impact analysis
- Risk analysis
- Risk mitigation
- Implementation
- Test
- Maintenance
Business Impact Analysis (BIA)
- See how company would be affected by different identified threats
- Quantitative and Qualitative information gathered
- First step in disaster recovery planning
3 Priority Goals of Business Impact Analysis (BIA)
- Prioritize critical functions
- Determine requirements/applications which serve core business functions
- Estimate amount of downtime company can handle
Management Should Establish Recovery Priorities for Business Processes That Identify These 5 Things
- Essential personnel
- Technologies
- Facilities
- Communications systems
- Vital records and data
Recovery Point Objective (RPO) - BIA Key Metric
Maximum sustainable data loss based on backup schedules and data needs
- Weekly, hourly, daily?
Recovery Time Objective (RTO) - BIA Key Metric
Duration of time required to bring critical systems back online
- System recovery time
Work Recovery Time (WRT) - BIA Key Metric
Duration of time needed to recover lost data (Based on RPO) and to enter data resulting from work backlogs
- Manual workload
Maximum Tolerable Downtime (MTD) - BIA Key Metric
Duration of Recovery Time Objective (RTO) and Work Recovery Time (WRT)
- Max time a business can tolerate the downtime of a particular business function
3 Threats to Disaster Recovery and Continuity Planning
MNT
- Man-made: Fires, Terrorism, Hackers, Riots
- Natural: Tornado, Flood, Earthquake
- Technical: Power outage, device failure, virus infection
3 Categories of Disruptions
- Non-disaster: Device malfunction, disruption of service
- Disaster: Entire facility unusable for a day or longer
- Catastrophe: Destroys facility
Short-term Loss Criteria (4 Things)
- Loss in profits
- Loss in productivity
- Increase in operational expenses
- Violations of contract agreements
Loss Criteria
Once threats are identified and critical business functions are understood, specific loss criteria must be developed
Long-Term Loss Criteria (4 Things)
- Delayed income costs
- Loss in reputation and public confidence
- Loss of compensation advantages
- Hidden Costs (Not always insurance expenses)
Results from Business Impact Analysis (BIA) (5 Things)
- Identified critical departments and required resources
- Identified threats and risks
- Impact company can handle dealing with each risk
- Outage time that would not be critical
- Recovery alternatives
- then document for management approval and create recovery plans
4 Disaster Recovery Plan Objectives
- Protect company if parts or all of services become unusable
- Improve responsiveness by employees in different situations
- Guarantee reliability of standby systems
- If employee knows what they are expected to do during disaster, management can address larger picture
Goals Must Contain These 4 things for a Useful Disaster Recovery Plan
(RAPI)
- Responsibility: Each individual involved knows what they need to do (training/drills)
- Authority: Important to know who is in charge
- Priorities: Know what is critical vs. what is nice to have. Different departments need different items
- Implementation and Testing: Plan put into action
Number 1 Priority in Disaster Recovery
Safety of People
2 Priorities in Disaster Recovery Planning Testing
- Protect company as a whole
- Minimize property damage
Written Recovery Plan Should Include - Disaster Recovery Plan (10 Things)
- Activation criteria and Procedure
- People: operations, technical, business requirements
- Facility issues: main facility and backup sites
- Utilities: power, telecommunications
- Hardware: servers, workstations
- Vendor assistance and service providers
- Software: operating systems, applications, data
- Supplies: HVAC, UPS, office supplies
- Recovery and emergency procedures
- Critical documentation and/or records
Activation Criteria Based On (3 Things)
- Extent of damage (physical, cost, operational)
- Criticality of the system to the organization
- Expected Duration Longer Than RTO
3 Phases Following a Disruption
NA/RP/R
- Notification/Activation: Notify personnel and perform damage assessment
- Recovery Phase - Failover: Actions taken for recovery
- Reconstitution - Failback: Outlines actions taken to return to normal state
Data Recovery Options are Driven by Metrics Established In ….
Business Impact Analysis (BIA)
Electronic Vaulting - Transaction Redundancy
Copy of modified file sent to remote location where an original backup is stored
Remote Journaling - Transaction Redundancy
Moves transaction logs to a remote location, not actual files
During Restoration of Operations What Should be Recovered First
Less critical departments should be returned first to test out infrastructure
2 Things for Disaster Recovery Planning Testing
- Demonstrate if a company can actually recover (set a goal)
- Performed at least once a year (point out issues, gain confidence)
Checklist Test - DR
Copies of plan distributed to different departments and functional managers review
*Finds what is missing
Structured Walk-Through (Table Top) Test - DR
Representatives from each department go over the plan
*Gives people chance to review what they will be doing
Simulation Test
Going through a disaster scenario, up to real relocation
Parallel Test
Systems moved to alternate site and processing takes place there
Full-Interruption Test
Original site shutdown and all processing moved to other facility