CISSP Disaster recovery and Business Continuity
CISSP – Disaster recovery and Business continuity work hand in hand to provide an organization with the means to continue and recover business operations when a disaster strikes.
- Business continuity deals with keeping business operations running — perhaps in another location or by using different tools and processes — after a disaster has struck.
- Disaster recovery deals with restoring normal business operations after the disaster takes place.
- Disaster Recovery Plan (DRP)
- Business Continuity Plan (BCP)
- Business Continuity Management
Mission critical functions are functions you require to keep the business going, such as web servers, firewalls, power to the facility, etc. (this also includes staff needed to operate equipment and application troubleshooting). For example, an ecommerce site would need to keep its sales and inventory fully functional to maintain operations.
Once contingency procedures have brought the critical functions back, disaster recovery would be initiated, which represents the efforts needed to transition from contingency operations to normal operations. Here is a breakdown of the order:
- Business continuity – mission critical
- Contingency operations
- Disaster Recovery
The acronym “BCDR” is frequently used for business continuity and CISSP disaster recovery, however you can use the acronym to visualize the order in which recovery procedures should be done at a high level.
BC and DR efforts are often performed concurrently by the same or related functions in the organization.
A plan should be developed either for BC and DR separately, or together as BCDR plan.
Recovery Objectives – Recovery objectives need to be determined by senior management. Here are the terms to be familiar with:
Maximum allowable outage (MAO) – previously known as MTD and MAD, this is the maximum time operations can be down before business goes under.
Recovery point objective (RPO) – the maximum data that can be lost before a business goes under (measured in time).
Recovery Time Objective (RTO) – the preferred amount of time biz operations can be down (the key word here would be goal).
Determining the critical path
- Mission Statement
- Identify and documents the compoenents of the policy
- Identify and define existing policies that the BCP may affect
- Identify pertinent laws and standards
- Identify best pratices
- Perform a GAP analysis
- Compose a draft of the new policy
- Incorporate feedback into the draft
- Get approval of senior managment
- Public a final draft and distribute throughout organiztation
- Senior Management Support – The development of a Business Continuity Plan (BCP) is time consuming, with no immediate or tangible return on investment (ROI). To ensure a successful business continuity planning project, you need the support of the organization’s senior management, including adequate budget, manpower, and visible statements backing the project. Senior management needs to make explicit statements identifying the responsible parties, as well as the importance of the business continuity planning project, budget, priorities, urgency, and timing.
Business Impact Analysis (BIA)
Business Impact Analysis (BIA) – a tool or template that contains asset values, the business impact if there is a loss, and possible threats to the organization.
Methods of conducting the BIA include:
- Internal survey – talk to the asset owners; this can be informative but can also be biased
- Financial audit – audits are thorough but might not be accurate for value fluctuations
- Customer responses/surveys – such surveys only see the customer’s view, not the whole organization, operations, or the whole value chain
Estimate tolerable downtime
- Maximum Tolerable Down-Time (MTD)
- Maximum Period Time of Disruption (MPTD)
- Select individuals to interview for data gathering
- Create data gathering tools
- Identify companys critical business functions
- Identify the resources these functions depend on
- Calculate how long these functions can survive without these resources
- Identify vulnerabilities and threats to these functions
- Calculate the risk for each different business function
- Document finding and report to senior management
BCP Project Elements
- Senior Management Support: Budgets and resources
- Senior Management Involvement: Implicit responsibility
- Project Team Management: Relevant functions
Here are the business continuity testing types:
- Read through or tabletop – conducting the test in a conference room while reading through scripts, plans, and scenarios, followed by a discussion.
- Walkthrough – same as tabletop with the added activity of walking to locations mentioned in the plan.
- Simulation – or a drill, such as a fire drill, or emergency communications drill. Can include components of a walkthrough.
- Parallel – initiating and conducting operations at the alternate site.
- Full interruption – mimicking an actual event.