ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning

business-continuity-and-disaster-planning

Business Continuity and Disaster Planning, what do we do when it all doesn’t quite go to plan?

In NO way should these notes be used as your sole source of study for the CISSP exam.  These notes lack things completely that could be included on your exam.  I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning.  For further information see my CISSP Study and Exam Tips.

ISC(2) CISSP Revision Notes – Study and Exam Tips
ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP
ISC(2) CISSP Revision Notes – Access Control
ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning (You are here)
ISC(2) CISSP Revision Notes – Cryptography
ISC(2) CISSP Revision Notes – Information Security Governance and Risk Management
ISC(2) CISSP Revision Notes – Legal, Regulatory, Investigations and Compliance
ISC(2) CISSP Revision Notes – Operations Security
ISC(2) CISSP Revision Notes – Security Architectural Design
ISC(2) CISSP Revision Notes – Software Development Security
ISC(2) CISSP Revision Notes – Telecommunications and Network Security

#1 Priority is Human Life

Natural vs Man-made Disasters

Secondary effects: Eg power loss after a flood

Damage can affect: Buildings, records, equipment, connections, public utilities, transport systems, loss of life.

BCP vs DRP

Business Continuity Planning (BCP): Keeping business running in a disaster

Disaster Recovery Planning (DRP): Restoring normal business operations

Commonalities:

  • Identify critical business functions
  • Identify possible disaster scenarios
  • Experts who understand the business

BCP Project Elements

Critical Items

  • Senior Management Support: Budgets and resources
  • Senior Management Involvement: Implicit responsibility
  • Project Team Management: Relevant functions

BCP Scope: Scope if fundamental to the plan

Conducting Business Impact Assessment (BIA)

Eg loss of revenue, liabilities, service quality, market share

1)Perform vulnerability Assessment: Critical areas which if lost could cause irresponsible harm

2) Criticality Assessment: Inventory of all high level business functions, some may be more critical at times than others

3) Identifying Key Players: Start with organization chart and what each department does

4) Establish Maximum Tolerable Downtime (MTD): How long can we be down until significant and lasting damage

5) Establish Trusted Recovery Targets

Period of onset until resumed functions

  • Recovery Time Objective (RTO): Maximum time to recover
  • Recovery Point Objective (RPO) Maximum amount of loss after a disaster

5) Defining Resource Requirements: List of resources which an organization needs to continue operating, eg systems, people, suppliers

Business Continuity Plan

Emergency Response: Who deals with what disasters and which procedures?

Damage Assessment: Survey, what have we got

Personnel Safety: #1 Priority

Personnel Notification: How do we let our staff know?

Backup & Offsite Storage: What is it?  How long will it take to restore?

Software Escrow:

External Communications: Stakeholders and the market

Utilities: Power, water (UPS and generators)

Logistics & Supply: Can we get the things we need?

Fire & Water Protection: (See Environmental Security)

Documentation: How will we get it?

Data Processing Continuity Planning:

  • Cold Site: Empty room with no computers
  • Warm Site: Computers but no data
  • Hot Site: Computers with data
  • Reciprocal Site: Partner with another company
  • Multiple Data Centers

Developing the Business Continuity Plan: No bias, teams of experts, breakdown large functions into smaller chunks

Implementing the Business Continuity Plan

Senior management approval

Promoting & Awareness: All employees should know about the BCP

Maintain the plan and review

Disaster Recovery Planning

Emergency Response

  • Specialty trained teems to deal with disaster
  • Salvage: Assessment, cleaning and restoration of facilities
  • Recovery: Both BCP and DRP with procedures
  • Financial Readiness: Insurance, cash reserves and agreements
  • Notifying Personnel: Communication
  • Facilitating Eternal Comms
  • Monitoring Physical and Logical Security: While recovering, need to have same security as on life systems

Testing the Disaster Recovery Plan

Checklist: Is this what we do?

Structure Walk Through: Longer and involves more teams

Simulation: Going through the motions

Parallel: Live systems are kept running and a full recovery is conducted

Interruption: Existing system is disabled and recovery conducted, think large banks – the ultimate test

Competitive Advantage

CRP and DRP can provide advantage “we can keep running no matter what happens”

In NO way should these notes be used as your sole source of study for the CISSP exam.  These notes lack things completely that could be included on your exam.  I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning.  For further information see my CISSP Study and Exam Tips.

3 Comments on "ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning"

  1. I just fixed that download link. Thanks for letting us know informative blog.Thanks for posting such a nice information.

Trackbacks for this post

  1. ISC(2) CISSP Revision Notes – Access Control | Gyp the Cat dot Com
  2. ISC(2) CISSP Revision Notes – Study and Exam Tips | Gyp the Cat dot Com

Got something to say? Go for it!