D1: Business Continuity & Disaster Recovery Planning

Question 1

BCP vs. DRP

Answer 1

Business Continuity Planning: focuses on sustaining operations and protecting the viability of the business following a disaster, until normal business conditions can be restored. The BCP is an “umbrella” term that includes many other plans including the DRP. Long term focused.
- we’ve had a fire, now how to be keep our operations going until we get back to a state of permanence.

Disaster Recovery Planning: The goal is to minimize the effects of a disaster and to take the necessary steps to ensure that the resources, personnel and business processes are able to resume operations in a timely manner. Deals with the immediate aftermath of the disaster, and is often IT focused. Short term focused

• goal is to restore the most critical operations and processes up first
• critical = time sensitivity
• certain systems cost more money while they’re down

Question 2

BCP Relationship to Risk Management

Answer 2

Potential Risks > Risk Assessment > Identified Risks > Security Controls > Residual Risks > Contingency Plans

Risks that weren’t considered, mitigation controls didn’t work, higher amount of residual risk, etc = BCP is the safety net that we have in place if what we factored in is NOT enough

Risk management = considered things that will likely happen. If then scenario, while BCP is for EVERYTHING else, didn’t see coming

BCP will catch anything that slips through the cracks of risk management/strategies
- main facility is compromised, so go to a backup facility

Question 3

Categories of Disruptions

Answer 3

Non-disaster: Inconvenience; hard drive failure

• disruption of service
• device malfunction
• can recover from
• relatively small scale

Emergency/Crisis
- urgent, immediate event where there is the potential of loss of life or property

Disaster

• entire facility unusable for a day or longer
• should have a plan while operations are not possible in the facility
• ex. communication to end users, getting critical processes in place
• DRP should have these plans listed in here

Catastrophe

• destroys facility
• large scale
• at a minimum, the disaster has occurred

A company should understand and be prepared for each category

Anyone can declare an emergency, but only the coordinator can declare a disaster.
- anyone can pull the fire alarm, or trigger an emergency alarm. Only the BCP coordinator, senior manager or someone specified in the BCP can declare a disaster which will then trigger failover to another facility.

Question 4

BCP Frameworks

Answer 4

• Standards help solve issues of inconsistency in terms, definitions and documents (within the organization)
• the exam will not reference a specific framework, but how a plan conceptualizes everything (NOT TERMS)

The following institutes will provide guidance on BCP/DRP:
- DRII (disaster Recovery Institute International)
- NIST 800-34 rev 1
- ISO 27031
- BCI GPG (Business Continuity International Good - Practice Guidelines
- ISC2.org Four Processes of Business Continuity*****
REVIEW THIS FOR THE EXAM!!!!!!

Question 5

NIST 7 Phases of Business Continuity Planning

Answer 5

1. BCP Policy: get it from senior management; this is a part of business initiation, buy-in from senior management (support and general approach)
2. Business Impact Analysis: before we start writing our plan, we need to understand the organization. “know your business” and critical
3. ID Preventative Controls: what controls do we already have in place. How effective are those controls, residual risk
4. Create Contingency Strategies
5. Develop on IS Contingency Plan
6. Testing, training and exercises
7. Maintenance

Question 6

NIST SP 800-34 revision 1

Answer 6

Continuity policy 
BIA
Identify preventative controls
create contingency strategies
develop BCP
exercise, test, and drill
maintain

Question 7

ISC2 Four Business Continuity Planning Processes

Answer 7

1. Project scope and planning
   - what’s the business like
   - who’s on the team
2. Business impact assessment
   - the most important document in the BCP
3. Continuity planning
4. Approval implementation

Question 8

BCP Step 1: Project Scope and Planning

Answer 8

Acquire BCP policy statement form senior management

Business Organization Analysis: structured analysis of the business organizational assets, including cross-functional department input

BCP Team Creation, including Project manager. Should be cross-functional team, including representation of senior management

• An assessment of the resources available and commitment to support the BCP process from Senior Management
• An analysis of the legal and regulatory landscape that goes on an organization’s response to a catastrophic event.

Question 9

Business Organizational Analysis

Answer 9

BOA provides the groundwork necessary to help identify potential members of the BCP team as well as provides the foundation for the remainder of the BCP processes

BOA evaluates considerations such as

• operational departments that are responsible for the core services
• critical support services
• senior executives and other key individuals essential for the ongoing viability of the organization

Question 10

BCP Team Selection

Answer 10

MUST BE CROSS-FUNCTIONAL!

Representatives from each of the organization’s departments responsible for the core services performed by the business

Representatives from the key support departments identified by the organizational analysis

IT representatives with technical expertise in areas covered by the BCP

Security representatives with knowledge of the BCP process

Legal representatives familiar with corporate, legal, regulatory and contractual responsibilities

Representatives from senior management

Question 11

BCP Assess Resource Needs

Answer 11

BCP Development
- the BCP team will require some resources to perform the four elements of the BCP process. It’s more than likely that the major resource will be effort expended by the BCP team and the support staff they call on to assist in the development of the plan

BCP Testing, Training and Maintenance
- The testing, training and maintenance phases of BCP will require some hardware and software commitments, but once again, the major commitment in this phase will be effort on the part of the employees involved in those activities

BCP Implementation
- When disaster strikes and the BCP team deems it necessary to conduct a full-scale implementation of the BCP, this implementation will require significant resources. This includes a large amount of effort

Question 12

BCP - Legal and Regulatory Compliance

Answer 12

Senior management has the ultimate legal responsibility. They may be:

• held responsible and liable under various laws and regulations
• sued by their stockholders if not managing with due diligence and due care
• sued by employees or families in the event of injury or loss of life

Question 13

If senior management doesn’t have full buy-in to support the BCP process, what would be your best argument to convince them?

Answer 13

Liability, non-compliance, fines - things that hit the pocketbook, regulations, legal requirements - in the event of a failure in the BCP planning

Question 14

BCP Step 2: Business Impact Analysis

Answer 14

• identifies and prioritizes all business processes/resources based on criticality
• risk identification: internal vs. 3rd party and probability, impact
• categorizes process/resources based on criticality
• defines quantitative metrics to assist with prioritizing recovery focus - RPO, RTO, SLOs
• BIA will help prioritize recovery priorities

Question 15

BCP Step 2: Business Impact Analysis: Identify priorities

Answer 15

• create an in-depth list of business processes and their impact on the organization
• often delegated to individual departments for accuracy and buy-in

Criticality is driven by the amount of loss the organization will suffer if the resource is unavailable:
- MTD/MTO: Maximum Tolerable Downtime/Outage: Longest time the function can be inoperable before causing a loss to senior management that is unacceptable
EX: domain controller 1 has a MTD of 2 hours (facilitates logins).
- if the DC is physically destroyed, it will take a certain amount of time to physically replace the box (RTO) and restore services (another metric - work recovery time) WRT

• RTO Recovery Time Objective: This is the amount of time in which you think you can feasibly recover the function in the event of a disruption (must be less than MTD)
• RPO Recovery Point Objective: Tolerance for data loss, how much data willing to lose

Question 16

Flow of BCP Planning

Answer 16

Policy > Senior Management > Team together > BIA > so on

Question 17

Goals of the BIA

Answer 17

Document the flow

Identify critical resources from senior management (business owners/process owners aka shouldn’t be an IT centered event) > Interruption windows > recovery metrics

Question 18

Service Level Agreement vs. Operational Level Agreement

Answer 18

OLA - what the org commits for maintenance and delivery; interdepartmental

SLA: between vendor and client; legally binding and contractually binding

Question 19

BCP Step 2: BIA Risk Associated with Procurements and the Cloud

Answer 19

Guarantees are documented in the SLAs

Verify controls in place to meet obligations in person or through independent audit made available as SOCs

• SOC1: financial reporting
• SOC2: security & technology; would require NDA
• SOC3: security & technology, but publicly available, if you want to assess a cloud service to use one day

Question 20

Step 2: BIA Probability and Impact Assessment

Answer 20

Asset Value * Probability * Impact = Total Risk

Total Risk * Controls Gap = Residual Risk

Probability = ARO

Impact EF

SLE Single Loss Expectancy
ALE Annual Loss Expectancy

Some losses CANNOT be quantified

Question 21

Step 2: BIA Resource Prioritization

Answer 21

• Qualitative Analysis can be used to prioritize risk

- Qualitative Analysis is needed to perform cost/benefit analysis and to provide justification for mitigation strategies

Question 22

Step 3: Continuity Planning

Answer 22

Strategy development
Provisions and processes
Plan approval
Plan implementation
Training and education

Sr. management is critical, and rarely is it a one time thing

Question 23

Step 3: Continuity Planning - Strategy Development

Answer 23

Examines the BIA for metrics and maps controls to meet the objectives

Determine appropriate responses:

• reduce
• assign/transfer
• accept
• reject

Some risks will have to be accepted (based on cost/benefit) while other require a more active strategy

Question 24

Step 3: Continuity Planning: Provisions and Processes

Answer 24

BCP designs the specific procedures necessary to mitigate the risks to a level tha is acceptable to senior management

EXAM always make the choice that saves human life first

Three assets:

• people - first priority always
• buildings/facilities
• • hardening provisions - mitigating harm to facility
• alternate sites
• • mirrored
• • leased sites
• – cold
• — warm
• — hot

Infrastructure

• redundancy of critical systems and services
• recovery strategies
• failover/failback

Question 25

Step 3: Continuity Planning: Facility Recovery

Answer 25

Dedicated site owned or operated by the organization

Reciprocal agreement or memorandum of agreement with an internal or external entity - to help provide with facility recovery

Commercially leased facility

• • hot: exclusive access to this site
• • warm: secondary location, equipment at te location, connectivity at location
• EXAM** the most common type, can get up and running in a couple of days
• • cold: cheapest location; secondary; plumbing and electricity and not much else

MOA/MOUs or SLAs should be obtained from the provider

Mirrored site = under our ownership

Question 26

Step 3: Continuity Planning: Infrastructure

Answer 26

Infrastructure supports the critical elements of the business. Servers, systems, routers, switches, processes, architecture

High Availability

• redundancy
• resiliency
• fault tolerance

Hardened Systems

Question 27

Step 4: Plan Approval and Implementation

Answer 27

Plan Approval

• If possible, CEO should endorse plan
• otherwise another senior officer
• indicates dedication of the business to the process of business continuity planning

Plan Implementation

• create implementation guide/ schedule
• deploy resources
• supervise maintenance of plan

Train and Educate Employees

• Distribute plan on need to know basis
• Everyone should get at least an overview

Question 28

BCP Sub Plans

Answer 28

BCP Sub Plans Have 3 Main Purposes:

1. Protect
   - Crisis communication plan
   - OEP - Occupant Emergency Plan
2. Recover
   - BRP Business Recovery Plan
   - DRP Disaster Recovery Plan
   - Continuity of Support Plan/IT Contingency Plan
3. Sustain
   - COOP (Continuity of Operations Plans)

Question 29

BCP Sub Plans: Protect

Answer 29

1. Crisis Communication Plans
   - Purpose: Disseminate necessary information
2. Occupant Emergency Plan (OEP)
   - Purpose: Provide coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat

Question 30

BCP Sub Plans: Recovery

Answer 30

Business Recovery Plan (BRP) aka Resumption
- Purpose: provide procedures for recovering business operations immediately following a disaster

Continuity of Support Plan / IT Contingency Plan
- Purpose: provide procedures and capabilities for recovering a major application or general support system

Cyber Incident Response Plan

• Purpose: provide strategies to detect, respond to, and limit consequences of malicious cyber incident
• Scope: focuses on information security responses to incidents affecting systems and/or networks

Disaster recovery Plan (DRP)
- Purpose: provide detailed procedures to facilitate recovery of capability at an alternate

Question 31

BCP Continuity Sub Plans: Sustain

Answer 31

COOP: Continuity of Operations Plan
- Purpose: Provide procedures and capabilities to sustain an organization’s essential, strategic functions at an alternate site for up to 30 days. This term is sometimes used in US Government to refer to the field of Business continuity management, but per NIST 800-34, it is a unique sub-plan of the BCP. Note, BCP addresses ALL business processes, not just mission critical

Scope: Addresses the subset of an organization’s missions that are deemed most critical; usually written at headquarters and not IT focused.

Question 32

Senior Executive Management Responsibilities

Answer 32

Senior Executive Management

• consistent support and final approval of plans
• setting the business continuity policy
• prioritizing critical business functions
• allocating sufficient resources and personnel
• providing oversight for and approving the BCP
• directing and reviewing test results
• ensuring maintenance of a current plan

Question 33

Senior Functional Management Responsibilities

Answer 33

Senior Functional Management

• develop and document maintenance and testing strategy
• identify and prioritize mission critical systems
• monitor progress of plan development and execution
• ensure periodic tests
• create the various teams necessary to execute the plans

Question 34

BCP Steering Committee

Answer 34

Conducts the BIA
Coordinate with department representatives

Should include:

• business units
• senior management
• IT department
• security department
• communications department
• legal department

Question 35

DRP Teams

Answer 35

Rescue: responsible for dealing with the immediacy of disaster - employee evacuation, “crashing” the server room, etc.

Recover: Responsible for getting the alternate facility up and running and restoring the most critical services first. AKA fail-over

Salvage: responsible for the return of operations to the original or permanent facility (reconstitution)

Question 36

Developing Teams

Answer 36

Management should appoint team members

Each member must understand the goals of the plan and be familiar with the department they are responsible for

Agreed upon prior to the event:

• who will talk to the media, customers, shareholders
• who will setup alternative communication methods
• who will setup the offsite facility
• established agreements with off-site facilities should be in place
• who will work on the primary facility

Question 37

Checklist Test

Answer 37

Copies of plan distributed to different departments

functional managers review

Question 38

Structured Walk-through (Table Top) test

Answer 38

Representatives from each department go over the plan

Question 39

Simulation Test

Answer 39

Going through a disaster scenario

Continues up to the actual relocation to an offsite facility

Question 40

Parallel Test

Answer 40

Systems moved to alternate site, and processing takes place there

Question 41

Full Interruption Test

Answer 41

Original site shut down

All of processing moved to offsite facility

Question 42

Post Incident Review

Answer 42

After a test or disaster has taken place:

• focus on how to improve
• what should have happened
• what should happen next
• not who’s fault it was; this is not productive

Question 43

Maintaining the BCP

Answer 43

Keeping plan in date

• make it a part of business meetings and decisions
• centralize responsibility for updates
• part of job descriptions
• personnel evaluations
• report regularly
• audits
• as plans get revised, original copies should be retrieved and destroyed