Domain 1: Security and Risk Management: Business Continuity


Identify Recovery Priorities

After all the resource requirements have been identified, the organization must identify the recovery priorities. Establish recovery priorities by taking into consideration process criticality, outage impacts, tolerable downtime, and system resources. After all this information is compiled, the result is an information system recovery priority hierarchy. Three main levels of recovery priorities should be used: high, medium, and low. The BIA stipulates the recovery priorities but does not provide the recovery solutions. Those are given in the DRP.

Business Continuity

Business continuity is an organization's capability to continue delivery of products or services at acceptable predefined levels following a disruptive incident. As part of risk management, security professionals should ensure that the organization prepares appropriate business continuity plans.

documented criticality levels

Each organization must develop its own documented criticality levels. A good example of organizational resource and function criticality levels include critical, urgent, important, normal, and nonessential. Critical resources are those resources that are most vital to the organization's operation and should be restored within minutes or hours of the disaster or disruptive event. Urgent resources should be restored in 24 hours but are not considered as important as critical resources. Important resources should be restored in 72 hours but are not considered as important as critical or urgent resources. Normal resources should be restored in 7 days but are not considered as important as critical, urgent, or important resources. Nonessential resources should be restored within 30 days. Each process, function, and resource must have its criticality level defined to act as an input into the DRP. If critical priority levels are not defined, a DRP might not be operational within the timeframe the organization needs to recover.

Human-Caused Disasters

Human-caused disasters occur through human intent or error. Human-caused disasters include enemy attacks, bombings, sabotage, arson, terrorism, strikes or other job actions, infrastructure failures, personnel unavailability due to emergency evacuation, and mass hysteria. In most cases, human-caused disasters are intentional.

Business Impact Analysis Development

The BCP development depends most on the development of the BIA. The BIA helps the organization to understand what impact a disruptive event would have on the organization. It is a management-level analysis that identifies the impact of losing an organization's resources. The BIA relies heavily on any vulnerability analysis and risk assessment that is completed. The vulnerability analysis and risk assessment may be performed by the BCP committee or by a separately appointed risk assessment team.

Senior business unit managers are responsible for

identifying and prioritizing time-critical systems.

Technological disasters are not usually?

intentional. If a technological disaster is not recovered from in a timely manner, an organization might suffer a financial collapse.

A business continuity coordinator should be named by senior management to?

lead the BCP committee. The committee develops, implements, and tests the BCP and DRP.

A disaster is an emergency that goes beyond the?

normal response of resources. A disaster usually affects a wide geographical area and results in severe damage, injury, loss of life, and loss of property. Any disaster has negative financial and reputational effects on the organization. The severity of the financial and reputational damage is also affected by the amount of time the organization takes to recover from the disaster.

the BCP defines the?

organizational aspects that can be affected and

Disasters require that the organization

publicly acknowledge the event and provide the public with information on how the organization will recover.

the DRP defines how to?

recover functions and systems,

Availability

Availability is one of the key principles of the confidentiality, integrity, and availability (CIA) triad and will be discussed in almost every defined CISSP domain. Availability is a main component of business continuity planning. The organization must determine the acceptable level of availability for each function or system. If the availability of a resource falls below this defined level, then specific actions must be followed to ensure that availability is restored. In regard to availability, most of the unplanned downtime of functions and systems is attributed to hardware failure. Availability places emphasis on technology.

Project Scope and Plan

Creating the BCP is vital to ensure that the organization can recover from a disaster or disruptive event. Several groups have established standards and best practices for business continuity. These standards and best practices include many common components and steps.

SP 800-34 Step-2 Conduct business impact analysis (BIA).

Identify critical processes and resources. Identify outage impacts, and estimate downtime. Identify resource requirements. Identify recovery priorities.

SP 800-34 Step-1 Develop contingency planning policy.

Identify statutory or regulatory requirements. Develop IT contingency planning policy statement. Publish policy.

SP 800-34 Step-6 Test, train, and exercise.

Test the plan. Train personnel. Plan exercises.

Mean time to repair (MTTR)

The average time required to repair a single resource or function when a disaster or disruption occurs

The causes of disasters are categorized into?

The causes of disasters are categorized into three main areas according to origin: technological disasters, human-caused disasters, and natural disasters. A disaster is officially over when all business elements have returned to normal function at the original site. The primary concern during any disaster is personnel safety.

Personnel Components

The most important personnel in the development of the BCP is senior management. Senior management support of business continuity and disaster recovery drives the overall organizational view of the process. Without senior management support, this process will fail. Senior management sets the overall goals of business continuity and disaster recovery. A business continuity coordinator should be named by senior management and leads the BCP committee. The committee develops, implements, and tests the BCP and DRP. The BCP committee should contain a representative from each business unit. At least one member of senior management should be part of this committee. In addition, the organization should ensure that the IT department, legal department, security department, and communications department are represented because of the vital role that these departments play during and after a disaster. With management direction, the BCP committee must work with business units to ultimately determine the business continuity and disaster recovery priorities. Senior business unit managers are responsible for identifying and prioritizing time-critical systems. After all aspects of the plans have been determined, the BCP committee should be tasked with regularly reviewing the plans to ensure they remain current and viable. Senior management should closely monitor and control all business continuity efforts and publicly praise any successes. After an organization gets into disaster recovery planning, other teams are involved.

Mean time between failure (MTBF)

The estimated amount of time a device will operate before a failure occurs. This amount is calculated by the device vendor. System reliability is increased by a higher MTBF and lower MTTR.

The four main steps of the BIA are as follows:

1. Identify critical processes and resources.
2. Identify outage impacts, and estimate downtime.
3. Identify resource requirements.
4. Identify recovery priorities.

Business Impact Analysis (BIA)

A business impact analysis (BIA) is a functional analysis that occurs as part of business continuity and disaster recovery. Performing a thorough BIA will help business units understand the impact of a disaster. The resulting document that is produced from a BIA lists the critical and necessary business functions, their resource dependencies, and their level of criticality to the overall organization.

Disruptions

A disruption is any unplanned event that results in the temporary interruption of any organizational asset, including processes, functions, and devices. Disruptions are grouped into three main categories: non-disaster, disaster, and catastrophe. Non-disasters are temporary interruptions that occur due to malfunction or failure. Non-disasters might or might not require public notification and are much easier to recover from than disasters or catastrophes. A disaster is a suddenly occurring event that has a long-term negative impact on life. Disasters require that the organization publicly acknowledge the event and provide the public with information on how the organization will recover. Disasters require more effort for recovery than non-disasters but less than catastrophes. A catastrophe is a disaster that has a much wider and much longer impact. In most cases, a disaster is considered a catastrophe if facilities are destroyed, thereby resulting in the need for the rebuilding of the facilities and the use of a temporary offsite facility.

Identify Outage Impacts, and Estimate Downtime

After determining all the business processes, functions, and resources, the organization should then determine the criticality level of each resource. As part of determining how critical an asset is, you need to understand the following terms:
■ Maximum tolerable downtime (MTD): The maximum amount of time that an organization can tolerate a single resource or function being down. This is also referred to as maximum period time of disruption (MPTD).
■ Mean time to repair (MTTR): The average time required to repair a single resource or function when a disaster or disruption occurs.
■ Mean time between failure (MTBF): The estimated amount of time a device will operate before a failure occurs. This amount is calculated by the device vendor. System reliability is increased by a higher MTBF and lower MTTR.
■ Recovery time objective (RTO): The shortest time period after a disaster or disruptive event within which a resource or function must be restored to avoid unacceptable consequences. RTO assumes that an acceptable period of downtime exists. RTO should be smaller than MTD.
■ Work recovery time (WRT): The difference between RTO and MTD, which is the remaining time that is left over after the RTO before reaching the maximum tolerable.
■ Recovery point objective (RPO): The point in time to which the disrupted resource or function must be returned.

Identify Resource Requirements

After the criticality level of each function and resource is determined, you need to determine all the resource requirements for each function and resource. For example, an organization's accounting system might rely on a server that stores the accounting application, another server that holds the database, various client systems that perform the accounting tasks over the network, and the network devices and infrastructure that support the system. Resource requirements should also consider any human resources requirements. When human resources are unavailable, the organization can be just as negatively impacted as when technological resources are unavailable.

Continuity Planning and the Business Continuity Plan (BCP)

Continuity planning deals with identifying the impact of any disaster and ensuring that a viable recovery plan for each function and system is implemented. Its primary focus is how to carry out the organizational functions when a disruption occurs. The BCP considers all aspects that are affected by a disaster, including functions, systems, personnel, and facilities. It lists and prioritizes the services that are needed, particularly the telecommunications and IT functions. More details on continuity planning are given later in this chapter.

SP 800-34 Step-4 Create recovery strategies.

Develop backup and recovery strategies. Identify roles and responsibilities. Develop alternative site. Identify equipment and cost considerations. Integrate into architecture.

Disaster Recovery and the Disaster Recovery Plan (DRP)

Disaster recovery minimizes the effect of a disaster and includes the steps necessary to resume normal operation. Disaster recovery must take into consideration all organizational resources, functions, and personnel. Efficient disaster recovery will sustain an organization during and after a disruption due to a disaster. Each organizational function or system will have its own disaster recovery plan (DRP). The DRP for each function or system is created as a direct result of that function or system being identified as part of the business continuity plan (BCP). The DRP is implemented when the emergency occurs and includes the steps to restore functions and systems. The goal of DRP is to minimize or prevent property damage and prevent loss of life. More details on disaster recovery are given later in this chapter.

SP 800-34 Step-5 Develop business continuity plan (BCP).

Document recovery strategy.

Fault Tolerance

Fault tolerance is provided when a backup component begins operation when the primary component fails. One of the key aspects of fault tolerance is the lack of service interruption. Varying levels of fault tolerance can be achieved at most levels of the organization based on how much an organization is willing to spend. However, the backup component often does not provide the same level of service as the primary component. For example, an organization might implement a high-speed T1 connection to the Internet. However, the backup connection to the Internet that is used in the event of the failure of the T1 line might be much slower but at a much lower cost of implementation than the primary T1 connection.

SP 800-34 Step-3 Identify preventive controls.

Identify controls. Implement controls. Maintain controls.

Business Continuity Steps

Many organizations have developed standards and guidelines for performing business continuity and disaster recovery planning. One of the most popular standards is Special Publication (SP) 800-34 Revision 1 (R1) from the National Institute of Standards and Technology (NIST). The following list summarizes the steps of SP 800-34 R1:
1. Develop contingency planning policy.
2. Conduct business impact analysis (BIA).
3. Identify preventive controls.
4. Create recovery strategies.
5. Develop business continuity plan (BCP).
6. Test, train, and exercise.
7. Maintain the plan.

Natural Disasters

Natural disasters occur because of a natural hazard. Natural disasters include flood, tsunami, earthquake, hurricane, tornado, and other such natural events. A fire that is not the result of arson is also considered a natural disaster.

Recoverability

Recoverability is the ability of a function or system to be recovered in the event of a disaster or disruptive event. As part of recoverability, downtime must be minimized. Recoverability places emphasis on the personnel and resources used for recovery.

Reliability

Reliability is the ability of a function or system to consistently perform according to specifications. It is vital in business continuity to ensure that the organization's processes can continue to operate. Reliability places emphasis on processes.

SP 800-34 Step-7 Maintain the plan.

Review and update the plan. Coordinate updates with internal and external organizations. Control the distribution of the plan. Document the changes.

Business Continuity and Disaster Recovery Concepts

Security professionals must be involved in the development of any business continuity and disaster recovery processes. Basic concepts involved in business continuity and disaster recovery planning include the following:
■ Disruptions
■ Disasters
  — Technological
  — Human-caused
  — Natural
■ Disaster Recovery and the Disaster Recovery Plan (DRP)
■ Continuity Planning and the Business Continuity Plan (BCP)
■ Business Impact Analysis (BIA)
■ Contingency Plan
■ Availability
■ Reliability
■ Recoverability
■ Fault Tolerance

Technological Disasters

Technological disasters occur when a device fails. This failure can be the result of device defects, incorrect implementation, incorrect monitoring, or human error. Technological disasters are not usually intentional. If a technological disaster is not recovered from in a timely manner, an organization might suffer a financial collapse. If a disaster occurs because of a deliberate attack against an organization's infrastructure, the disaster is considered a human-caused disaster even if the attack is against a specific device or technology. In the past, all technological disasters were actually considered human-caused disasters because technological disasters are usually due to human error or negligence. However, in recent years, experts have started categorizing technological disasters separately from human-caused disasters, although the two are closely related.

Contingency Plan

The contingency plan is part of an organization's overall BCP. Although the BCP defines the organizational aspects that can be affected and the DRP defines how to recover functions and systems, the contingency plan provides instruction on what personnel should do until the functions and systems are restored to full functionality. Think of the contingency plan as a guideline for operation at a reduced state. It usually includes contact information for all personnel, vendor contract information, and equipment and system requirements. Failure of the contingency plan is usually considered a management failure. A contingency plan, along with the BCP and DRP, should be reviewed at least once a year. As with all such plans, version control should be maintained. Copies should be provided to personnel for storage both onsite and offsite to ensure that personnel can access the plan in the event of the destruction of the organization's main facility.

Work recovery time (WRT)

The difference between RTO and MTD, which is the remaining time that is left over after the RTO before reaching the maximum tolerable

Maximum tolerable downtime (MTD)

The maximum amount of time that an organization can tolerate a single resource or function being down. This is also referred to as maximum period time of disruption (MPTD)

Recovery time objective (RTO)

The shortest time period after a disaster or disruptive event within which a resource or function must be restored to avoid unacceptable consequences. RTO assumes that an acceptable period of downtime exists. RTO should be smaller than MTD.

Project Scope

To ensure that the development of the BCP is successful, senior management must define the BCP scope. A business continuity project with an unlimited scope can often become too large for the BCP committee to handle correctly. For this reason, senior management might need to split the business continuity project into smaller, more manageable pieces. When considering the splitting of the BCP into pieces, an organization might want to split the pieces based on geographic location or facility. However, an enterprise-wide BCP should be developed that ensures compatibility of the individual plans.

Identify Critical Processes and Resources

When identifying the critical processes and resources of an organization, the BCP committee must first identify all the business units or functional areas within the organization. After all units have been identified, the BCP team should select which individuals will be responsible for gathering all the needed data and select how to obtain the data. These individuals will gather the data using a variety of techniques, including questionnaires, interviews, and surveys. They might also actually perform a vulnerability analysis and risk assessment or use the results of these tests as input for the BIA. During the data gathering, the organization's business processes and functions and the resources upon which these processes and functions depend should be documented. This list should include all business assets, including physical and financial assets that are owned by the organization, and any assets that provide competitive advantage or credibility.

If a disaster occurs because of a deliberate attack against an organization's infrastructure, the disaster is considered?

a human-caused disaster even if the attack is against a specific device or technology.

Senior management sets the overall goals of

business continuity and disaster recovery.

part of risk management

business continuity plans

Recovery point objective (RPO)

The point in time to which the disrupted resource or function must be returned.

the contingency plan provides instruction on?

what personnel should do until the functions and systems are restored to full functionality.

Basic concepts involved in business continuity and disaster recovery planning, including the following?

■ Disruptions
■ Disasters
  — Technological
  — Human-caused
  — Natural
■ Disaster Recovery and the Disaster Recovery Plan (DRP)
■ Continuity Planning and the Business Continuity Plan (BCP)
■ Business Impact Analysis (BIA)
■ Contingency Plan
■ Availability
■ Reliability
■ Recoverability
■ Fault Tolerance
