Lecture 11 Notes

Question 1

Business Continuity Planning (BCP)

Answer 1

focuses on maintaining business operations with reduced or restricted infrastructure capabilities or resources

As long as the continuity of the organization’s mission-critical tasks is maintained, BCP can be used to manage and restore the environment

Question 2

Disaster Recovery Planning (DRP)

Answer 2

If the continuity is broken, then business processes have stopped and the organization is in disaster mode

Question 3

BCP Steps

Answer 3

1 Project scope and planning
2 Business impact assessment
3 Continuity planning
4 Approval and implementation

Question 4

Step 1 – Project Scope and Planning

Answer 4

Business Organization Analysis

BCP Team Selection

Resource Requirements

Legal and Regulatory Requirements

Question 5

Business Organization Analysis

Answer 5

Project Scope and Planning
analyze the business organization and identify departments and individuals who have a stake in the process

Consider
Operational departments
Critical support services
Senior executives

Question 6

BCP Team Selection

Answer 6

Project Scope and Planning
Representatives from each of the organization’s core departments

Representatives from the key support departments

IT professionals with technical expertise in areas covered by the BCP

Security representatives with knowledge of the BCP process

Legal representatives familiar with corporate legal, regulatory, and contractual responsibilities

Representatives from senior management

Question 7

Resource Requirements

Answer 7

Project Scope and Planning
BCP development

BCP testing, training, and maintenance

BCP implementation

Question 8

Legal and Regulatory Requirements

Answer 8

Project Scope and Planning

Federal, state, and local laws may mandate certain elements or degrees of BCP

Question 9

Step 2 - Business Impact Assessment

Answer 9

identifies critical resources and the threats posed to those resources

Question 10

Maximum Tolerable Downtime (MTD)

Answer 10

The maximum length of time a business function can be inoperable without causing irreparable harm to the business

Question 11

Recovery Time Objective (RTO)

Answer 11

amount of time in which you think you can feasibly recover the function

Question 12

Goal of BCP (RTO vs MTD)

Answer 12

RTOs are less than MTDs

Question 13

Step 3 – Continuity Planning

Answer 13

focuses on developing and implementing a continuity strategy

Question 14

Strategy Development (Continuity Planning)

Answer 14

Determine which risks are acceptable vs. those that must be mitigated or otherwise addressed

Question 15

Provisions and Processes (Continuity Planning)

Answer 15

designs the specific procedures and mechanisms that will mitigate the risks deemed unacceptable during the strategy development stage

Categories of assets
People
Buildings and facilities
Infrastructure

Question 16

Step 4 - Plan Approval & Implementation

Answer 16

Once the BCP team completes the design phase of the BCP document, senior management must review and approve developed BCP plan

Question 17

Training and Education (BCP)

Answer 17

Everyone in the organization should receive at least a plan overview briefing

Question 18

Disaster Recovery Plan

Answer 18

When a disaster strikes and a business continuity plan fails to prevent interruption of business activities, the disaster recovery plan guides the actions of emergency-response personnel until the end goal is reached:

Restoring the business to full operating capacity

Question 19

Disaster Recovery Strategy Subtasks

Answer 19

Business Unit Priorities
Crisis Management
Emergency Communications
Work Group Recovery
Alternate Processing Sites
Mutual Assistance Agreements
Database Recovery

Question 20

Business Unit and Functional Priorities (Disaster Recovery Strategy Subtasks)

Answer 20

Business units and/or functions with the highest priority must be recovered first

You might find that it would be best to restore highest-priority units to 50 percent capacity

Question 21

Crisis Management (Disaster Recovery Strategy Subtasks)

Answer 21

If your training budget permits, investing in crisis training for your key employees is a good idea

Question 22

Emergency Communications (Disaster Recovery Strategy Subtasks)

Answer 22

When a disaster strikes, it is important that the organization be able to communicate internally as well as with the outside world

Have alternate means of communication available

Question 23

Work Group Recovery (Disaster Recovery Strategy Subtasks)

Answer 23

When designing a disaster recovery plan, it’s important to consider the restoration of work groups to the point that they can resume their activities

To facilitate this effort, it’s sometimes best to develop separate recovery facilities for different work groups

Question 24

Alternate Processing Sites (Disaster Recovery Strategy Subtasks)

Answer 24

Cold sites
Standby facilities large enough to handle the processing load of an organization, equipped with electrical/environmental support systems

Hot site
Backup facilities maintained in constant working order, with servers, etc.
Ready to assume primary operations responsibilities

Warm site
Similar to hot sites, but do not typically contain copies of the client’s data

Mobile site
Self-contained trailers or other easily relocated units

Service Bureaus
Companies that lease computer time

Question 25

Mutual Assistance Agreements (Disaster Recovery Strategy Subtasks)

Answer 25

Under an MAA, two organizations pledge to assist each other in the event of a disaster by sharing computing facilities or other resources

Question 26

Database Recovery (Disaster Recovery Strategy Subtasks)

Answer 26

Electronic vaulting Database backups are transferred to a remote site using bulk transfers Remote journaling Only transfers copies of the database transaction logs containing the transactions that occurred since the previous transfer Remote mirroring A live database server is maintained at the backup site

Question 27

Disaster Recovery Plan Development

Answer 27

- Emergency Response - Personnel Notification - Backups and Off-Site Storage - Software Escrow Arrangements - External Communications - Utilities - Logistics and Supplies - Recovery vs. Restoration

Question 28

Emergency Response (Disaster Recovery Plan Development)

Answer 28

contain simple yet comprehensive instructions for essential personnel to follow immediately upon recognizing that a disaster is in progress or is imminent Often in the form of checklist

Question 29

Personnel Notification (Disaster Recovery Plan Development)

Answer 29

A disaster recovery plan should also contain a list of personnel to contact in the event of a disaster

Question 30

Backups and Off-Site Storage (Disaster Recovery Plan Development)

Answer 30

Access to backed up data is often essential for recovery from a disaster Full backups: store a complete copy of the data Incremental and differential backups: store only files that have been modified since the most recent full or incremental backup

Question 31

Software Escrow Arrangements (Disaster Recovery Plan Development)

Answer 31

Protect against the failure of a software development contractor Source code is held in third-party escrow

Question 32

Recovery vs. Restoration

Answer 32

Recovery involves restoring business operations and processes to a working state The recovery team members have a very short time frame in which to operate (MTD/RTO) Restoration involves restoring a business facility and environment to a workable state The salvage team has more time to work than the recovery team