D1: Business Continuity & Disaster Recovery Planning Flashcards

1
Q

BCP vs. DRP

A

Business Continuity Planning: focuses on sustaining operations and protecting the viability of the business following a disaster, until normal business conditions can be restored. The BCP is an “umbrella” term that includes many other plans including the DRP. Long term focused.
- we’ve had a fire, now how do we keep our operations going until we get back to a state of permanence.

Disaster Recovery Planning: The goal is to minimize the effects of a disaster and to take the necessary steps to ensure that the resources, personnel and business processes are able to resume operations in a timely manner. Deals with the immediate aftermath of the disaster, and is often IT focused. Short term focused

  • goal is to restore the most critical operations and processes up first
  • critical = time sensitivity
  • certain systems cost more money while they’re down
2
Q

BCP Relationship to Risk Management

A

Potential Risks > Risk Assessment > Identified Risks > Security Controls > Residual Risks > Contingency Plans

Risks that weren’t considered, mitigation controls didn’t work, higher amount of residual risk, etc = BCP is the safety net that we have in place if what we factored in is NOT enough

Risk management = things we considered that will likely happen (if-then scenarios), while BCP is for EVERYTHING else that we didn’t see coming

BCP will catch anything that slips through the cracks of risk management/strategies
- main facility is compromised, so go to a backup facility

3
Q

Categories of Disruptions

A

Non-disaster: Inconvenience; hard drive failure

  • disruption of service
  • device malfunction
  • can recover from
  • relatively small scale

Emergency/Crisis
- urgent, immediate event where there is the potential of loss of life or property

Disaster

  • entire facility unusable for a day or longer
  • should have a plan while operations are not possible in the facility
  • ex. communication to end users, getting critical processes in place
  • DRP should have these plans listed in here

Catastrophe

  • destroys facility
  • large scale
  • at a minimum, the disaster has occurred

A company should understand and be prepared for each category

Anyone can declare an emergency, but only the coordinator can declare a disaster.
- anyone can pull the fire alarm, or trigger an emergency alarm. Only the BCP coordinator, senior manager or someone specified in the BCP can declare a disaster which will then trigger failover to another facility.

4
Q

BCP Frameworks

A
  • Standards help solve issues of inconsistency in terms, definitions and documents (within the organization)
  • the exam will not reference a specific framework, but how a plan conceptualizes everything (NOT TERMS)

The following institutes will provide guidance on BCP/DRP:
- DRII (Disaster Recovery Institute International)
- NIST 800-34 rev 1
- ISO 27031
- BCI GPG (Business Continuity International Good Practice Guidelines)
- ISC2.org Four Processes of Business Continuity*****
REVIEW THIS FOR THE EXAM!!!!!!

5
Q

NIST 7 Phases of Business Continuity Planning

A
  1. BCP Policy: get it from senior management; this is a part of business initiation, buy-in from senior management (support and general approach)
  2. Business Impact Analysis: before we start writing our plan, we need to understand the organization. “know your business” and critical
  3. ID Preventative Controls: what controls do we already have in place. How effective are those controls, residual risk
  4. Create Contingency Strategies
  5. Develop an IS Contingency Plan
  6. Testing, training and exercises
  7. Maintenance
6
Q

NIST SP 800-34 revision 1

A
Continuity policy 
BIA
Identify preventative controls
create contingency strategies
develop BCP
exercise, test, and drill
maintain
7
Q

ISC2 Four Business Continuity Planning Processes

A
  1. Project scope and planning
    - what’s the business like
    - who’s on the team
  2. Business impact assessment
    - the most important document in the BCP
  3. Continuity planning
  4. Approval implementation
8
Q

BCP Step 1: Project Scope and Planning

A

Acquire BCP policy statement from senior management

Business Organization Analysis: structured analysis of the business organizational assets, including cross-functional department input

BCP Team Creation, including Project manager. Should be cross-functional team, including representation of senior management

  • An assessment of the resources available and commitment to support the BCP process from Senior Management
  • An analysis of the legal and regulatory landscape that governs an organization’s response to a catastrophic event.
9
Q

Business Organizational Analysis

A

BOA provides the groundwork necessary to help identify potential members of the BCP team as well as provides the foundation for the remainder of the BCP processes

BOA evaluates considerations such as

  • operational departments that are responsible for the core services
  • critical support services
  • senior executives and other key individuals essential for the ongoing viability of the organization
10
Q

BCP Team Selection

A

MUST BE CROSS-FUNCTIONAL!

Representatives from each of the organization’s departments responsible for the core services performed by the business

Representatives from the key support departments identified by the organizational analysis

IT representatives with technical expertise in areas covered by the BCP

Security representatives with knowledge of the BCP process

Legal representatives familiar with corporate, legal, regulatory and contractual responsibilities

Representatives from senior management

11
Q

BCP Assess Resource Needs

A

BCP Development
- the BCP team will require some resources to perform the four elements of the BCP process. It’s more than likely that the major resource will be effort expended by the BCP team and the support staff they call on to assist in the development of the plan

BCP Testing, Training and Maintenance
- The testing, training and maintenance phases of BCP will require some hardware and software commitments, but once again, the major commitment in this phase will be effort on the part of the employees involved in those activities

BCP Implementation
- When disaster strikes and the BCP team deems it necessary to conduct a full-scale implementation of the BCP, this implementation will require significant resources. This includes a large amount of effort

12
Q

BCP - Legal and Regulatory Compliance

A

Senior management has the ultimate legal responsibility. They may be:

  • held responsible and liable under various laws and regulations
  • sued by their stockholders if not managing with due diligence and due care
  • sued by employees or families in the event of injury or loss of life
13
Q

If senior management doesn’t have full buy-in to support the BCP process, what would be your best argument to convince them?

A

Liability, non-compliance, fines - things that hit the pocketbook, regulations, legal requirements - in the event of a failure in the BCP planning

14
Q

BCP Step 2: Business Impact Analysis

A
  • identifies and prioritizes all business processes/resources based on criticality
  • risk identification: internal vs. 3rd party and probability, impact
  • categorizes process/resources based on criticality
  • defines quantitative metrics to assist with prioritizing recovery focus - RPO, RTO, SLOs
  • BIA will help prioritize recovery priorities
15
Q

BCP Step 2: Business Impact Analysis: Identify priorities

A
  • create an in-depth list of business processes and their impact on the organization
  • often delegated to individual departments for accuracy and buy-in

Criticality is driven by the amount of loss the organization will suffer if the resource is unavailable:
- MTD/MTO (Maximum Tolerable Downtime/Outage): longest time the function can be inoperable before causing a loss that is unacceptable to senior management
  - EX: domain controller 1 has an MTD of 2 hours (facilitates logins).
  - if the DC is physically destroyed, it will take a certain amount of time to physically replace the box (RTO) and restore services (another metric: work recovery time, WRT)

  • RTO (Recovery Time Objective): the amount of time in which you think you can feasibly recover the function in the event of a disruption (must be less than MTD)
  • RPO (Recovery Point Objective): tolerance for data loss, i.e. how much data the organization is willing to lose
16
Q

Flow of BCP Planning

A

Policy > Senior Management > Team together > BIA > so on

17
Q

Goals of the BIA

A

Document the flow

Identify critical resources from senior management (business owners/process owners aka shouldn’t be an IT centered event) > Interruption windows > recovery metrics

18
Q

Service Level Agreement vs. Operational Level Agreement

A

OLA - what the org commits for maintenance and delivery; interdepartmental

SLA: between vendor and client; legally binding and contractually binding

19
Q

BCP Step 2: BIA Risk Associated with Procurements and the Cloud

A

Guarantees are documented in the SLAs

Verify controls in place to meet obligations in person or through independent audit made available as SOCs

  • SOC1: financial reporting
  • SOC2: security & technology; would require NDA
  • SOC3: security & technology, but publicly available, if you want to assess a cloud service to use one day
20
Q

Step 2: BIA Probability and Impact Assessment

A

Asset Value * Probability * Impact = Total Risk

Total Risk * Controls Gap = Residual Risk

Probability = ARO

Impact = EF

SLE Single Loss Expectancy
ALE Annual Loss Expectancy

Some losses CANNOT be quantified

21
Q

Step 2: BIA Resource Prioritization

A
  • Qualitative Analysis can be used to prioritize risk

- Qualitative Analysis is needed to perform cost/benefit analysis and to provide justification for mitigation strategies

22
Q

Step 3: Continuity Planning

A
Strategy development
Provisions and processes
Plan approval
Plan implementation
Training and education

Sr. management is critical, and rarely is it a one time thing

23
Q

Step 3: Continuity Planning - Strategy Development

A

Examines the BIA for metrics and maps controls to meet the objectives

Determine appropriate responses:

  • reduce
  • assign/transfer
  • accept
  • reject

Some risks will have to be accepted (based on cost/benefit) while others require a more active strategy

24
Q

Step 3: Continuity Planning: Provisions and Processes

A

BCP designs the specific procedures necessary to mitigate the risks to a level that is acceptable to senior management

EXAM always make the choice that saves human life first

Three assets:

  • people - first priority always
  • buildings/facilities
    • hardening provisions - mitigating harm to facility
  • alternate sites
    • mirrored
    • leased sites
      • cold
      • warm
      • hot

Infrastructure

  • redundancy of critical systems and services
  • recovery strategies
  • failover/failback
25
Q

Step 3: Continuity Planning: Facility Recovery

A

Dedicated site owned or operated by the organization

Reciprocal agreement or memorandum of agreement with an internal or external entity - to help with facility recovery

Commercially leased facility

    • hot: exclusive access to this site
    • warm: secondary location, equipment at the location, connectivity at location
      • EXAM** the most common type, can get up and running in a couple of days
    • cold: cheapest location; secondary; plumbing and electricity and not much else

MOA/MOUs or SLAs should be obtained from the provider

Mirrored site = under our ownership

26
Q

Step 3: Continuity Planning: Infrastructure

A

Infrastructure supports the critical elements of the business. Servers, systems, routers, switches, processes, architecture

High Availability

  • redundancy
  • resiliency
  • fault tolerance

Hardened Systems

27
Q

Step 4: Plan Approval and Implementation

A

Plan Approval

  • If possible, CEO should endorse plan
  • otherwise another senior officer
  • indicates dedication of the business to the process of business continuity planning

Plan Implementation

  • create implementation guide/ schedule
  • deploy resources
  • supervise maintenance of plan

Train and Educate Employees

  • Distribute plan on need to know basis
  • Everyone should get at least an overview
28
Q

BCP Sub Plans

A

BCP Sub Plans Have 3 Main Purposes:

  1. Protect
    - Crisis communication plan
    - OEP - Occupant Emergency Plan
  2. Recover
    - BRP Business Recovery Plan
    - DRP Disaster Recovery Plan
    - Continuity of Support Plan/IT Contingency Plan
  3. Sustain
    - COOP (Continuity of Operations Plans)
29
Q

BCP Sub Plans: Protect

A
  1. Crisis Communication Plans
    - Purpose: Disseminate necessary information
  2. Occupant Emergency Plan (OEP)
    - Purpose: Provide coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat
30
Q

BCP Sub Plans: Recovery

A

Business Recovery Plan (BRP) aka Resumption
- Purpose: provide procedures for recovering business operations immediately following a disaster

Continuity of Support Plan / IT Contingency Plan
- Purpose: provide procedures and capabilities for recovering a major application or general support system

Cyber Incident Response Plan

  • Purpose: provide strategies to detect, respond to, and limit consequences of malicious cyber incident
  • Scope: focuses on information security responses to incidents affecting systems and/or networks

Disaster Recovery Plan (DRP)
- Purpose: provide detailed procedures to facilitate recovery of capability at an alternate

31
Q

BCP Continuity Sub Plans: Sustain

A

COOP: Continuity of Operations Plan
- Purpose: Provide procedures and capabilities to sustain an organization’s essential, strategic functions at an alternate site for up to 30 days. This term is sometimes used in US Government to refer to the field of Business continuity management, but per NIST 800-34, it is a unique sub-plan of the BCP. Note, BCP addresses ALL business processes, not just mission critical

Scope: Addresses the subset of an organization’s missions that are deemed most critical; usually written at headquarters and not IT focused.

32
Q

Senior Executive Management Responsibilities

A

Senior Executive Management

  • consistent support and final approval of plans
  • setting the business continuity policy
  • prioritizing critical business functions
  • allocating sufficient resources and personnel
  • providing oversight for and approving the BCP
  • directing and reviewing test results
  • ensuring maintenance of a current plan
33
Q

Senior Functional Management Responsibilities

A

Senior Functional Management

  • develop and document maintenance and testing strategy
  • identify and prioritize mission critical systems
  • monitor progress of plan development and execution
  • ensure periodic tests
  • create the various teams necessary to execute the plans
34
Q

BCP Steering Committee

A

Conducts the BIA
Coordinate with department representatives

Should include:

  • business units
  • senior management
  • IT department
  • security department
  • communications department
  • legal department
35
Q

DRP Teams

A

Rescue: responsible for dealing with the immediacy of disaster - employee evacuation, “crashing” the server room, etc.

Recover: Responsible for getting the alternate facility up and running and restoring the most critical services first. AKA fail-over

Salvage: responsible for the return of operations to the original or permanent facility (reconstitution)

36
Q

Developing Teams

A

Management should appoint team members

Each member must understand the goals of the plan and be familiar with the department they are responsible for

Agreed upon prior to the event:

  • who will talk to the media, customers, shareholders
  • who will set up alternative communication methods
  • who will set up the offsite facility
  • established agreements with off-site facilities should be in place
  • who will work on the primary facility
37
Q

Checklist Test

A

Copies of plan distributed to different departments

functional managers review

38
Q

Structured Walk-through (Table Top) test

A

Representatives from each department go over the plan

39
Q

Simulation Test

A

Going through a disaster scenario

Continues up to the actual relocation to an offsite facility

40
Q

Parallel Test

A

Systems moved to alternate site, and processing takes place there

41
Q

Full Interruption Test

A

Original site shut down

All of processing moved to offsite facility

42
Q

Post Incident Review

A

After a test or disaster has taken place:

  • focus on how to improve
  • what should have happened
  • what should happen next
  • not whose fault it was; this is not productive
43
Q

Maintaining the BCP

A

Keeping plan up to date

  • make it a part of business meetings and decisions
  • centralize responsibility for updates
  • part of job descriptions
  • personnel evaluations
  • report regularly
  • audits
  • as plans get revised, original copies should be retrieved and destroyed