CISSP Security & Risk Management- Business Continuity (BC) & Disaster Recovery (DR) Requirements

19 May 2016

- Project Initiation and Management
- Develop and Document Project Scope and Plan

Conduct the Business Impact Analysis (BIA)
Identify and Prioritize
Assess exposure to Outages
Recovery Point Objectives (RPO)

BC – Proper Planning

An organization is more vulnerable after a disaster hits
Organization still has responsibilities even after a disaster (protection of confidential and sensitive assets)
Recovery is more than just having an offsite location
- People must be trained to know what to do
- Various recovery procedures need to be developed and documented
- Understand organization’s vulnerabilities, true threats, and business impact of different types of disasters
Being proactive
- Implementing redundant power supplies
- Backing up communication mechanisms
- Identifying single points of failures
- Recognizing necessary fault tolerant solutions
- ETC., etc…….

Business Continuity Planning (BCP)

How an organization can stay in business even in a crippled state
Plan contains steps for continuing critical business functions using alternative mechanisms until normal operations can be resumed at the primary site or elsewhere.
Reduce overall impact of business interruption

Disaster Recovery Planning (DRP)

How to survive a disaster and how to handle the recovery process
Emergency response responsibilities and procedures
Plan lists and describes the efforts to resume normal operations at the primary site of business.
BCP and DRP may sound like the same thing, BUT they are not the same.

Business Continuity Planning (BCP)

Business Continuity (BC): represents the final response of the organization when faced with an interruption of its critical operations
More than 50% of all organizations that close their doors for more than a week never reopen, due to lack of planning.
BC is designed to get the organization’s most critical services up and running as quickly as possible.
DR rather focuses on resuming operations at the primary site; BCP concentrates on resuming critical functions at an alternate site.

Where Do We Start From:

Project Initiation

Management Support sought
Make a business case
Cost vs. benefit
Regulatory requirement
Current inherent vulnerabilities of organization
Ramifications of similar organizations not having such plans
Business issues of partners, insurance, and obtaining capital

Senior Executive Management’s Role

Due diligence and Due care
Drive all phases of the plan
Consistent support and final approval
Ensure that testing takes place
Create a budget for this work

Why Is BCP/DRP a Hard Sell to Mgmt.

Resource intensive and takes years to complete
Direct return on investment (ROI) not perceived
Rather a drain on organization’s bottom line

Importance of Plan

Organization could vanish if not prepared
Capability of staying “up and running”, avoiding any significant down time
Lack of plan could affect insurance, liability, and business opportunities
Part of business decisions today (Partners need to know, Shareholders/Board of trustees demand it, A Regulatory MUST)
9/11 Has Fueled Change of Attitudes About BCP

Who Does It?

BCP/DRP Teams

Group that will perform risk assessment and analysis
Representatives from different organization’s departments
Analysis must be performed before developing plan
A BCP coordinator must be appointed to oversee and execute:
- A Business Impact Analysis
- Plan development and implementation
- Testing and plan maintenance

BC Team Organization

Emphasis should be on generalized business and technology skills
BC team should have representatives from:
- Senior management
- Corporate functional units, including HR, Legal, and Accounting
- IT managers and a few technical specialists with broad technical skill sets
- InfoSec managers and a few technical specialists
BC team members cannot also be on the DR team
BC team may be divided into sub-teams:
- BC management team
- Operations team
- Computer setup (hardware) team
- Systems recovery (OS) team
- Network recovery team
- Applications recovery team
- Data management team
- Logistics team
BC Management team:
- Command and control group responsible for all planning and coordination
- Facilitates the transfer to the alternate site
- Handles communications, business interface, and vendor contact functions
Operations team:
- Works to establish core business functions needed to sustain critical business operations
Computer setup (hardware) team:
- Sets up hardware in the alternate location
Systems recovery (OS) team:
Installs operating systems on hardware, sets up user accounts and remote connectivity with network team
Network recovery team:
- Establishes short- and long-term networks, including hardware, wiring, and Internet and intranet connectivity
Applications recovery team:
- Responsible to get internal and external services up and running
Data management team:
Responsible for data restoration and recovery
Logistics team:
Provides any needed supplies, materials, food, services, or facilities needed at the alternate site

BC Planning process

Develop the BC planning policy statement
Review the BIA
Identify preventive controls
Develop relocation strategies
Develop the continuity plan
Testing, training, and exercises
Plan maintenance

Purpose:
- Executive vision
- Primary purpose of the BC program
Scope:
- Organizational groups and units to which the policy applies
Roles and responsibilities:
- Identifies key players and their responsibilities
Resource requirements:
- Allocates specific resources to be dedicated to the development of the BC

Training requirements:
- Training for various employee groups
Exercise and testing schedule:
- Stipulation for the frequency and type of testing for the BC plan
Plan maintenance schedule:
- Frequency of review and who is involved
Special considerations:
- Overview of information storage and retrieval plans and who is responsible

To Become Certified For CISSP Please Visit This Link;