D1: Business Continuity & Disaster Recovery Planning Flashcards
BCP vs. DRP
Business Continuity Planning: focuses on sustaining operations and protecting the viability of the business following a disaster, until normal business conditions can be restored. The BCP is an “umbrella” term that includes many other plans including the DRP. Long term focused.
- we’ve had a fire, now how do we keep our operations going until we get back to a state of permanence.
Disaster Recovery Planning: The goal is to minimize the effects of a disaster and to take the necessary steps to ensure that the resources, personnel and business processes are able to resume operations in a timely manner. Deals with the immediate aftermath of the disaster, and is often IT focused. Short term focused.
- goal is to get the most critical operations and processes up first
- critical = time sensitivity
- certain systems cost more money while they’re down
BCP Relationship to Risk Management
Potential Risks > Risk Assessment > Identified Risks > Security Controls > Residual Risks > Contingency Plans
Risks that weren’t considered, mitigation controls didn’t work, higher amount of residual risk, etc = BCP is the safety net that we have in place if what we factored in is NOT enough
Risk management = things we considered that will likely happen (if-then scenarios), while BCP is for EVERYTHING else, the things we didn’t see coming
BCP will catch anything that slips through the cracks of risk management/strategies
- main facility is compromised, so go to a backup facility
Categories of Disruptions
Non-disaster: Inconvenience; hard drive failure
- disruption of service
- device malfunction
- can recover from
- relatively small scale
Emergency/Crisis
- urgent, immediate event where there is the potential of loss of life or property
Disaster
- entire facility unusable for a day or longer
- should have a plan while operations are not possible in the facility
- ex. communication to end users, getting critical processes in place
- DRP should have these plans listed in here
Catastrophe
- destroys facility
- large scale
- at a minimum, the disaster has occurred
A company should understand and be prepared for each category
Anyone can declare an emergency, but only the coordinator can declare a disaster.
- anyone can pull the fire alarm, or trigger an emergency alarm. Only the BCP coordinator, senior manager or someone specified in the BCP can declare a disaster which will then trigger failover to another facility.
BCP Frameworks
- Standards help solve issues of inconsistency in terms, definitions and documents (within the organization)
- the exam will not reference a specific framework, but how a plan conceptualizes everything (NOT TERMS)
The following institutes will provide guidance on BCP/DRP:
- DRII (Disaster Recovery Institute International)
- NIST 800-34 rev 1
- ISO 27031
- BCI GPG (Business Continuity International Good Practice Guidelines)
- ISC2.org Four Processes of Business Continuity*****
REVIEW THIS FOR THE EXAM!!!!!!
NIST 7 Phases of Business Continuity Planning
- BCP Policy: get it from senior management; this is a part of business initiation, buy-in from senior management (support and general approach)
- Business Impact Analysis: before we start writing our plan, we need to understand the organization. “know your business” and critical
- ID Preventative Controls: what controls do we already have in place. How effective are those controls, residual risk
- Create Contingency Strategies
- Develop an IS Contingency Plan
- Testing, training and exercises
- Maintenance
NIST SP 800-34 revision 1
- Continuity policy
- BIA
- Identify preventative controls
- Create contingency strategies
- Develop BCP
- Exercise, test, and drill
- Maintain
ISC2 Four Business Continuity Planning Processes
- Project scope and planning
  - what’s the business like
  - who’s on the team
- Business impact assessment
  - the most important document in the BCP
- Continuity planning
- Approval and implementation
BCP Step 1: Project Scope and Planning
Acquire BCP policy statement from senior management
Business Organization Analysis: structured analysis of the business organizational assets, including cross-functional department input
BCP Team Creation, including Project manager. Should be cross-functional team, including representation of senior management
- An assessment of the resources available and commitment to support the BCP process from Senior Management
- An analysis of the legal and regulatory landscape that governs an organization’s response to a catastrophic event.
Business Organizational Analysis
BOA provides the groundwork necessary to help identify potential members of the BCP team as well as provides the foundation for the remainder of the BCP processes
BOA evaluates considerations such as
- operational departments that are responsible for the core services
- critical support services
- senior executives and other key individuals essential for the ongoing viability of the organization
BCP Team Selection
MUST BE CROSS-FUNCTIONAL!
Representatives from each of the organization’s departments responsible for the core services performed by the business
Representatives from the key support departments identified by the organizational analysis
IT representatives with technical expertise in areas covered by the BCP
Security representatives with knowledge of the BCP process
Legal representatives familiar with corporate, legal, regulatory and contractual responsibilities
Representatives from senior management
BCP Assess Resource Needs
BCP Development
- the BCP team will require some resources to perform the four elements of the BCP process. It’s more than likely that the major resource will be effort expended by the BCP team and the support staff they call on to assist in the development of the plan
BCP Testing, Training and Maintenance
- The testing, training and maintenance phases of BCP will require some hardware and software commitments, but once again, the major commitment in this phase will be effort on the part of the employees involved in those activities
BCP Implementation
- When disaster strikes and the BCP team deems it necessary to conduct a full-scale implementation of the BCP, this implementation will require significant resources. This includes a large amount of effort
BCP - Legal and Regulatory Compliance
Senior management has the ultimate legal responsibility. They may be:
- held responsible and liable under various laws and regulations
- sued by their stockholders if not managing with due diligence and due care
- sued by employees or families in the event of injury or loss of life
If senior management doesn’t have full buy-in to support the BCP process, what would be your best argument to convince them?
Liability, non-compliance, fines - things that hit the pocketbook, regulations, legal requirements - in the event of a failure in the BCP planning
BCP Step 2: Business Impact Analysis
- identifies and prioritizes all business processes/resources based on criticality
- risk identification: internal vs. 3rd party and probability, impact
- categorizes process/resources based on criticality
- defines quantitative metrics to assist with prioritizing recovery focus - RPO, RTO, SLOs
- BIA will help prioritize recovery priorities
BCP Step 2: Business Impact Analysis: Identify priorities
- create an in-depth list of business processes and their impact on the organization
- often delegated to individual departments for accuracy and buy-in
Criticality is driven by the amount of loss the organization will suffer if the resource is unavailable:
- MTD/MTO: Maximum Tolerable Downtime/Outage: Longest time the function can be inoperable before causing a loss that is unacceptable to senior management
EX: domain controller 1 has an MTD of 2 hours (facilitates logins).
- if the DC is physically destroyed, it will take a certain amount of time to physically replace the box (RTO) and restore services (another metric: work recovery time, WRT)
- RTO: Recovery Time Objective: This is the amount of time in which you think you can feasibly recover the function in the event of a disruption (must be less than MTD)
- RPO: Recovery Point Objective: Tolerance for data loss, how much data we are willing to lose
Flow of BCP Planning
Policy > Senior Management > Team together > BIA > so on
Goals of the BIA
Document the flow
Identify critical resources from senior management (business owners/process owners aka shouldn’t be an IT centered event) > Interruption windows > recovery metrics