ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning
Business Continuity and Disaster Planning, what do we do when it all doesn’t quite go to plan?
[alert style=”red”]In NO way should these notes be used as your sole source of study for the CISSP exam. These notes lack things completely that could be included on your exam. I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning. For further information see my CISSP Study and Exam Tips.[/alert]
ISC(2) CISSP Revision Notes – Study and Exam Tips
ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP
ISC(2) CISSP Revision Notes – Access Control
ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning (You are here)
ISC(2) CISSP Revision Notes – Cryptography
ISC(2) CISSP Revision Notes – Information Security Governance and Risk Management
ISC(2) CISSP Revision Notes – Legal, Regulatory, Investigations and Compliance
ISC(2) CISSP Revision Notes – Operations Security
ISC(2) CISSP Revision Notes – Security Architectural Design
ISC(2) CISSP Revision Notes – Software Development Security
ISC(2) CISSP Revision Notes – Telecommunications and Network Security
#1 Priority is Human Life
Natural vs Man-made Disasters
Secondary effects: Eg power loss after a flood
Damage can affect: Buildings, records, equipment, connections, public utilities, transport systems, loss of life.
BCP vs DRP
Business Continuity Planning (BCP): Keeping business running in a disaster
Disaster Recovery Planning (DRP): Restoring normal business operations
Commonalities:
- Identify critical business functions
- Identify possible disaster scenarios
- Experts who understand the business
BCP Project Elements
Critical Items
- Senior Management Support: Budgets and resources
- Senior Management Involvement: Implicit responsibility
- Project Team Management: Relevant functions
BCP Scope: Scope if fundamental to the plan
Conducting Business Impact Assessment (BIA)
Eg loss of revenue, liabilities, service quality, market share
1)Perform vulnerability Assessment: Critical areas which if lost could cause irresponsible harm
2) Criticality Assessment: Inventory of all high level business functions, some may be more critical at times than others
3) Identifying Key Players: Start with organization chart and what each department does
4) Establish Maximum Tolerable Downtime (MTD): How long can we be down until significant and lasting damage
5) Establish Trusted Recovery Targets
Period of onset until resumed functions
- Recovery Time Objective (RTO): Maximum time to recover
- Recovery Point Objective (RPO) Maximum amount of loss after a disaster
5) Defining Resource Requirements: List of resources which an organization needs to continue operating, eg systems, people, suppliers
Business Continuity Plan
Emergency Response: Who deals with what disasters and which procedures?
Damage Assessment: Survey, what have we got
Personnel Safety: #1 Priority
Personnel Notification: How do we let our staff know?
Backup & Offsite Storage: What is it? How long will it take to restore?
Software Escrow:
External Communications: Stakeholders and the market
Utilities: Power, water (UPS and generators)
Logistics & Supply: Can we get the things we need?
Fire & Water Protection: (See Environmental Security)
Documentation: How will we get it?
Data Processing Continuity Planning:
- Cold Site: Empty room with no computers
- Warm Site: Computers but no data
- Hot Site: Computers with data
- Reciprocal Site: Partner with another company
- Multiple Data Centers
Developing the Business Continuity Plan: No bias, teams of experts, breakdown large functions into smaller chunks
Implementing the Business Continuity Plan
Senior management approval
Promoting & Awareness: All employees should know about the BCP
Maintain the plan and review
Disaster Recovery Planning
Emergency Response
- Specialty trained teems to deal with disaster
- Salvage: Assessment, cleaning and restoration of facilities
- Recovery: Both BCP and DRP with procedures
- Financial Readiness: Insurance, cash reserves and agreements
- Notifying Personnel: Communication
- Facilitating Eternal Comms
- Monitoring Physical and Logical Security: While recovering, need to have same security as on life systems
Testing the Disaster Recovery Plan
Checklist: Is this what we do?
Structure Walk Through: Longer and involves more teams
Simulation: Going through the motions
Parallel: Live systems are kept running and a full recovery is conducted
Interruption: Existing system is disabled and recovery conducted, think large banks – the ultimate test
Competitive Advantage
CRP and DRP can provide advantage “we can keep running no matter what happens”
[alert style=”red”]In NO way should these notes be used as your sole source of study for the CISSP exam. These notes lack things completely that could be included on your exam. I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning. For further information see my CISSP Study and Exam Tips.[/alert]
3 Comments
[…] – Overarching Themes for the CISSP ISC(2) CISSP Revision Notes – Access Control (You are here) ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning ISC(2) CISSP Revision Notes – Cryptography ISC(2) CISSP Revision Notes – Information Security […]
[…] Revision Notes – Overarching Themes for the CISSP ISC(2) CISSP Revision Notes – Access Control ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning ISC(2) CISSP Revision Notes – Cryptography ISC(2) CISSP Revision Notes – Information Security […]
I just fixed that download link. Thanks for letting us know informative blog.Thanks for posting such a nice information.