CISSP Chapter 3 - Business Continuity Planning
Darren is concerned about the risk of a serious power outage affecting his organization's data center. He consults the organization's business impact analysis and determines that the ARO of a power outage is 20 percent. He notes that the assessment took place three years ago and no power outage has occurred. What ARO should he use in this year's assessment, assuming that none of the circumstances underlying the analysis have changed? A. 20 percent B. 50 percent C. 75 percent D. 100 percent
A. The annualized rate of occurrence (ARO) is the likelihood that the risk will materialize in any given year. The fact that a power outage did not occur in any of the past three years doesn't change the probability that one will occur in the upcoming year. Unless other circumstances have changed, the ARO should remain the same.
Ryan is assisting with his organization's annual business impact analysis effort. He's been asked to assign quantitative values to assets as part of the priority identification exercise. What unit of measure should he use? A. Monetary B. Utility C. Importance D. Time
A. The quantitative portion of the priority identification should assign asset values in monetary units. The organization may also choose to assign other values to assets, but non-monetary measures should be part of a qualitative, rather than a quantitative, assessment.
You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers, who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)? A. $750,000 B. $1.5 million C. $7.5 million D. $15 million
A. This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, the ARO is 0.10 (10 percent). The SLE is the asset value multiplied by the exposure factor: $15 million × 50 percent = $7.5 million. This yields an ALE of $7.5 million × 0.10 = $750,000.
James was recently asked by his organization's CIO to lead a core team of four experts through a business continuity planning process for his organization. What is the first step that this core team should undertake? A. BCP team selection B. Business organization analysis C. Resource requirements analysis D. Legal and regulatory assessment
B. As the first step of the process, the business organization analysis helps guide the remainder of the work. James and his core team should conduct this analysis and use the results to aid in the selection of team members and the design of the BCP process
Lighter than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario? A. 0.01 B. $10 million C. $100,000 D. 0.10
B. The single loss expectancy (SLE) is the amount of damage that would be caused by a single occurrence of the risk. In this case, the SLE is $10 million, the expected damage from one tornado. The fact that a tornado occurs only once every 100 years is not reflected in the SLE but would be reflected in the annualized loss expectancy (ALE)
You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy (SLE) of your shipping facility to avalanches? A. $3 million B. $2,700,000 C. $270,000 D. $135,000
B. The single loss expectancy (SLE) is the product of the asset value (AV) and the exposure factor (EF). From the scenario, the AV is $3 million and the EF is 90 percent: the building would be completely destroyed, but the land (10 percent of the value) is not lost because the facility can be rebuilt on the same site. This yields an SLE of $3 million × 0.90 = $2,700,000.
What is BCP development, and what are its two primary subtasks?
BCP development, also called continuity planning, focuses on developing and implementing a continuity strategy to minimize the impact that realized risks might have on protected assets. The goal is to create a continuity of operations plan (COOP). The two primary subtasks are: 1. Strategy development 2. Provisions and processes
Once the BCP is approved, what happens in the implementation phase?
The BCP team should develop an implementation schedule that uses the resources dedicated to the program to achieve the stated process and provision goals as promptly as possible. After the resources are fully deployed, the BCP team should supervise the design and implementation of a BCP maintenance program. This program ensures that the plan remains responsive to evolving business needs.
What is Business Continuity Plan?
Business continuity planning (BCP) involves assessing the risks to organizational processes and creating policies, plans, and procedures to minimize the impact those risks might have on the organization if they were to occur. BCP is used to maintain the continuous operation of a business in the event of an emergency
Understand the four steps of the business continuity planning process.
Business continuity planning involves four distinct phases: project scope and planning, business impact analysis, continuity planning, and approval and implementation. Each task contributes to the overall goal of ensuring that business operations continue uninterrupted in the face of an emergency
Know the legal and regulatory requirements that face business continuity planners
Business leaders must exercise due diligence to ensure that shareholders' interests are protected in the event disaster strikes. Some industries are also subject to federal, state, and local regulations that mandate specific BCP procedures. Many businesses also have contractual obligations to their clients that they must meet before, during, and after a disaster
The board of directors of Clashmore Circuits conducts an annual review of the business continuity planning process to ensure that adequate measures are in place to minimize the effect of a disaster on the organization's continued viability. What obligation are they satisfying by this review? A. Corporate responsibility B. Disaster requirement C. Due diligence D. Going concern responsibility
C. A firm's officers and directors are legally bound to exercise due diligence in conducting their activities. This concept creates a fiduciary responsibility on their part to ensure that adequate business continuity plans are in place. This is an element of corporate responsibility, but that term is vague and not commonly used to describe a board's responsibilities. Disaster requirement and going concern responsibilities are also not risk management terms.
Helen is working on her organization's resilience plans, and her manager asks her whether the organization has sufficient technical controls in place to recover operations after a disruption. What type of plan would address the technical controls associated with alternate processing facilities, backups, and fault tolerance? A. Business continuity plan B. Business impact analysis C. Disaster recovery plan D. Vulnerability assessment
C. Disaster recovery plans pick up where business continuity plans leave off. After a disaster strikes and the business is interrupted, the disaster recovery plan guides response teams in their efforts to quickly restore business operations to normal levels
In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team? A. Strategy development B. Business impact analysis C. Provisions and processes D. Resource prioritization
C. In the provisions and processes phase, the BCP team designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase.
Ricky is conducting the quantitative portion of his organization's business impact analysis. Which one of the following concerns is least suitable for quantitative measurement during this assessment? A. Loss of a plant B. Damage to a vehicle C. Negative publicity D. Power outage
C. It is difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through a qualitative analysis. The other items listed here are all more easily quantifiable
Chris is completing the risk acceptance documentation for his organization's business continuity plan. Which one of the following items is Chris least likely to include in this documentation? A. Listing of risks deemed acceptable B. Listing of future events that might warrant reconsideration of risk acceptance decisions C. Risk mitigation controls put in place to address acceptable risks D. Rationale for determining that risks were acceptable
C. Risk mitigation controls to address acceptable risks would not be in the BCP. The risk acceptance documentation should contain a thorough review of the risks facing the organization, including the determination as to which risks should be considered acceptable and unacceptable. For acceptable risks, the documentation should include a rationale for that decision and a list of potential future events that might warrant a reconsideration of that determination. The documentation should include a list of controls used to mitigate unacceptable risks, but it would not include controls used to mitigate acceptable risks, since acceptable risks do not require mitigation
Referring to the scenario in question 14, what is the annualized loss expectancy? A. 0.01 B. $10 million C. $100,000 D. 0.10
C. The annualized loss expectancy (ALE) is computed by taking the product of the single loss expectancy (SLE), which was $10 million in this scenario, and the annualized rate of occurrence (ARO), which was 0.01 in this example. These figures yield an ALE of $100,000.
Renee is reporting the results of her organization's BIA to senior leaders. They express frustration at all of the detail, and one of them says, "Look, we just need to know how much we should expect these risks to cost us each year." What measure could Renee provide to best answer this question? A. ARO B. SLE C. ALE D. EF
C. The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation
Jake is conducting a business impact analysis for his organization. As part of the process, he asks leaders from different units to provide input on how long the enterprise resource planning (ERP) system could be unavailable without causing irreparable harm to the organization. What measure is he seeking to determine? A. SLE B. EF C. MTD D. ARO
C. The maximum tolerable downtime (MTD) represents the longest period a business function can be unavailable before causing irreparable harm to the business. This figure is useful when determining the level of business continuity resources to assign to a particular function
Tracy is preparing for her organization's annual business continuity exercise and encounters resistance from some managers who don't see the exercise as important and feel that it is a waste of resources. She has already told the managers that it will only take half a day for their employees to participate. What argument could Tracy make to best address these concerns? A. The exercise is required by policy. B. The exercise is already scheduled and canceling it would be difficult. C. The exercise is crucial to ensuring that the organization is prepared for emergencies. D. The exercise will not be very time-consuming.
C. This question requires that you exercise some judgment, as do many questions on the CISSP exam. All of these answers are plausible things that Tracy could bring up, but we're looking for the best answer. In this case, that is ensuring that the organization is ready for an emergency—a mission-critical goal. Telling managers that the exercise is already scheduled or required by policy doesn't address their concerns that it is a waste of time. Telling them that it won't be time-consuming is not likely to be an effective argument because they are already raising concerns about the amount of time requested
Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance? A. Vice president of business operations B. Chief information officer C. Chief executive officer D. Business continuity manager
C. You should strive to have the highest-ranking person possible sign the BCP's statement of importance. Of the choices given, the chief executive officer (CEO) has the highest ranking.
Explain the importance of comprehensively documenting an organization's business continuity plan
Committing the plan to writing provides the organization with a written record of the procedures to follow when disaster strikes. It prevents the "it's in my head" syndrome and ensures the orderly progress of events in an emergency.
Darcy is leading the BCP effort for her organization and is currently in the project scope and planning phase. What should she expect will be the major resource consumed by the BCP process during this phase? A. Hardware B. Software C. Processing time D. Personnel
D. During the planning phase, the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process. This represents a significant use of business resources and is another reason that buy-in from senior management is essential.
Brian is developing continuity plan provisions and processes for his organization. What resource should he protect as the highest priority in those plans? A. Physical plant B. Infrastructure C. Financial D. People
D. The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization's employees
Matt is supervising the installation of redundant communications links in response to a finding during his organization's BIA. What type of mitigation provision is Matt overseeing? A. Hardening systems B. Defining systems C. Reducing systems D. Alternative systems
D. This is an example of alternative systems. Redundant communications circuits provide backup links that may be used when the primary circuits are unavailable
Referring to the scenario in question 8, what is the annualized loss expectancy?
D. This problem requires you to compute the annualized loss expectancy (ALE), which is the product of the single loss expectancy (SLE) and the annualized rate of occurrence (ARO). From the scenario, you know that the ARO is 0.05 (or 5 percent). From question 8, you know that the SLE is $2,700,000. This yields an ALE of $135,000
Describe the process used to develop a continuity strategy
During the strategy development phase, the BCP team determines which risks they will mitigate. In the provisions and processes phase, the team designs mechanisms and procedures that will mitigate identified risks. The plan must then be approved by senior management and implemented. Personnel must also receive training on their roles in the BCP process
For buildings/facilities, what are the two areas of provisions for each critical facility?
Hardening provisions - protecting existing facilities against risk, such as installing hurricane shutters, fireproof walls, or security fences. Alternate sites - locations where business activities can resume immediately, or at least within the MTD for the critical business functions involved.
What is the first task in Business impact analysis?
Identify business priorities. You should create a comprehensive list of critical business functions and rank them in order of importance
Describe how to perform the business organization analysis.
In the business organization analysis, the individuals responsible for leading the BCP process determine which departments and individuals have a stake in the business continuity plan. This analysis serves as the foundation for BCP team selection and, after validation by the BCP team, is used to guide the next stages of BCP development.
The 4th step of the BIA is impact analysis. What happens in the impact analysis phase?
In this phase, you analyze the data gathered during risk identification and likelihood assessment and attempt to determine what impact each one of the identified risks would have on the business if it were to occur.
What is the organizational review (identification process) in BCP?
It is the first step in identifying all departments and stakeholders in the BCP process. Some areas to consider: - Operational departments responsible for the core services of the business - Critical support services, such as the IT department that maintains IT systems - Corporate security team, for physical security - Senior management/leadership, essential for the ongoing viability of the organization
Why is it essential to include legal representatives on your business continuity planning team?
Many federal, state, and local laws or regulations require businesses to implement BCP provisions. Including legal representation on your BCP team helps ensure that you remain compliant with laws, regulations, and contractual obligations
What is MTO or MTD?
Maximum tolerable outage or maximum tolerable downtime is the max length of time a business function can tolerate a disruption before suffering irreparable harm. The MTD provides valuable information when you're performing both BCP and DRP planning. example of an online retailer, the MTD for the website selling products may be only a few minutes, whereas the MTD for their internal email system might be measured in hours.
The final step in the BIA is resource prioritization: prioritizing the allocation of business continuity resources to the various risks identified and assessed in the earlier phases of the BIA. What are the quantitative and qualitative points of view in this step?
Quantitative - create a list of all risks analyzed in the BIA process and sort them by the ALE calculated for each, from highest to lowest. Qualitative - meet with the BCP team and representatives from senior management to merge the qualitative concerns into that list, producing a combined (quantitative and qualitative) ranking that justifies the priorities.
What is Quantitative impact assessment?
Quantitative Impact Assessment Involves the use of numbers and formulas to reach a decision. This type of data often expresses options in terms of the dollar value to the business.
What is the difference between quantitative and qualitative assessment?
Quantitative risk assessment uses numbers and formulas to reach a decision. Qualitative risk assessment relies on expert judgment rather than numeric measures, taking into account factors such as emotions, investor/consumer confidence, and workforce stability.
What is Qualitative impact assessment?
Takes non-numerical factors, such as reputation, investor/customer confidence, workforce stability, and other concerns, into account. This type of data often results in categories of prioritization (such as high, medium, and low)
What is wrong with taking an informal approach to business continuity planning?
The "seat-of-the-pants" approach is an excuse used by individuals who do not want to invest time and money in the proper creation of a BCP. This can lead to catastrophe when a firmly laid plan isn't in place to guide the response during a stressful emergency situation
The 2nd step in the business impact analysis is risk identification. What are the two forms of risk?
The two forms of risk are natural risks and person-made risks. Natural - storms, lightning, earthquakes, mudslides, volcanoes, pandemics. Person-made - terrorism, theft, explosions, power outages, building collapse, transportation disruptions, internet disruptions, service provider outages, economic crises. Risk identification is purely qualitative; likelihood and impact are quantified in the later BIA phases.
What is the Provision and Process phase in the BCP planning?
The BCP team designs specific procedures and mechanisms that will mitigate the risks deemed unacceptable during the strategy development stage. Three categories of assets must be protected through BCP provisions and processes: people, buildings/facilities, and infrastructure
List the necessary members of the business continuity planning team
The BCP team should contain, at a minimum, representatives from each of the operational and support departments; technical experts from the IT department; physical and IT security personnel with BCP skills; legal representatives familiar with corporate legal, regulatory, and contractual responsibilities; and representatives from senior management. Additional team members depend on the structure and nature of the organization.
What critical components should you include in your business continuity training plan?
The BCP training plan should include a plan overview briefing for all employees and specific training for individuals with direct or indirect involvement. In addition, backup personnel should be trained for each key BCP role.
What is Business impact analysis?
The BIA identifies the business processes and tasks that are critical to an organization's ongoing viability and the threats posed to those resources. It also assesses the likelihood that each threat will occur and the impact those occurrences will have on the business. The results of the BIA provide you with quantitative measures that can help you prioritize the commitment of business continuity resources to the various local, regional, and global risk exposures facing your organization
What is COOP?
The continuity of operations plan focuses on how an organization will carry out critical business functions beginning shortly after a disruption occurs and extending for up to one month of sustained operations
What is the difference between BCP and Disaster Recovery Plan (DRP)?
The difference is that business continuity activities are typically strategically focused at a high level and center themselves on business processes and operations. Disaster recovery plans tend to be more tactical and describe technical activities such as recovery sites, backups, and fault tolerance
Explain the steps of the business impact analysis process.
The five stages of the business impact analysis process are the identification of priorities, risk identification, likelihood assessment, impact analysis, and resource prioritization.
What are the four main steps of the business continuity planning process?
The four steps of the BCP process are project scope and planning, business impact analysis, continuity planning, and approval/implementation.
Once the BCP team completes the design phase of the BCP document, it is time for plan approval and implementation. Who should approve the plan?
The plan should be endorsed by the top executives of the business: the CEO, chairperson, president, or similar business leaders.
What is your Recovery Point Objective (RPO)?
The recovery point objective (RPO) is the data loss equivalent to the time-focused RTO. The RPO defines the point in time before the incident where the organization should be able to recover data from a critical business process. For example, an organization might perform database transaction log backups every 15 minutes. In that case, the RPO would be 15 minutes, meaning that the organization may lose up to 15 minutes' worth of data after an incident.
What is Recovery Time Objective (RTO)?
The recovery time objective (RTO) for each business function is the amount of time in which you think you can feasibly recover the function in the event of a disruption. This value is closely related to the MTD. Once you have defined your recovery objectives, you can design and plan the procedures necessary to accomplish the recovery tasks.
What is the top priority of BCP and DRP?
The top priority of BCP and DRP is always people. The primary concern is to get people out of harm's way; then you can address IT recovery and restoration issues
Should the RTO be less than the MTD?
Yes. Ensure that each RTO is less than the corresponding MTD, so that a function should never be unavailable beyond its maximum tolerable downtime.
The 3rd step in the business impact analysis (BIA) is likelihood assessment: determining how likely each identified risk is to occur. This is expressed using the annualized rate of occurrence (ARO). What is ARO?
The ARO reflects the number of times a business expects to experience a given disaster each year. For example, a disaster expected once every 100 years has an ARO of 0.01.
What is the role of senior management in the BCP process?
Setting priorities, providing staff and financial resources, and arbitrating disputes about the criticality (i.e., relative importance) of services.
What is strategy development in BCP planning?
The strategy development phase bridges the gap between the business impact analysis and the continuity planning phases of BCP development. The BCP team decides which risks are acceptable and which require mitigation, laying the groundwork for the subsequent provisions and processes phase. The BCP team should consider the MTD (maximum tolerable downtime) of each function when deciding which risks can be accepted.
What are qualitative points of view to consider in BIA?
- loss of goodwill among your client base - loss of employees to other jobs after prolonged downtime - social/ethical responsibilities to the community - negative publicity
What are the three phases of resource requirements for the BCP?
1. BCP development - resources to perform the four steps of the BCP process 2. BCP testing, training, and maintenance - requires hardware and software commitments 3. BCP implementation - when disaster strikes and the BCP team must conduct a full-scale implementation of the BCP, which requires resources and financial expenses
What are some essential components of a written business continuity plan?
1. Continuity planning goals - the goals of the BCP, such as continuous operation of the business in the event of an emergency. 2. Statement of importance - reflects the criticality of the BCP to the organization's continued viability. 3. Statement of priorities - lists the functions considered critical to continued business operations in prioritized order. 4. Statement of organizational responsibility - business continuity is everyone's responsibility. 5. Statement of urgency and timing - expresses the criticality of implementing the BCP and outlines the implementation timetable decided on by the BCP team and agreed to by upper management. 6. Risk assessment - recaps the decision-making process of the BIA. 7. Risk acceptance/mitigation - covers the risks identified, the risk analysis, which risks were accepted, and the mitigation provisions for those deemed unacceptable. 8. Vital records program - states where critical business records will be stored and the procedures for making and storing backups. 9. Emergency response guidelines - outline organizational and individual responsibilities for the immediate response to an emergency, and whom to contact. 10. Maintenance - the BCP documentation is a living document and must be maintained. 11. Testing/exercises - an exercise program to ensure the plan remains current.
What are the benefits of committing your BCP methodology to documentation?
1. Ensure BCP personnel have written continuity documents to reference in event of emergency 2. provides a historical record of the BCP process that will be useful to future personnel seeking to both understand the reasoning behind various procedures and implement necessary changes in the plan 3. forces the team members to commit their thoughts to paper—a process that often facilitates the identification of flaws in the plan
What are the quantitative metrics used in the BIA?
1. Exposure factor (EF) - the amount of damage the risk poses to the asset, expressed as a percentage of the asset's value. Example: the BCP team consults fire experts, who estimate that 70% of the building would be destroyed in a fire, so the EF is 70%. 2. Single loss expectancy (SLE) - the monetary loss expected each time the risk materializes. Calculated as SLE = AV × EF. Example: a building worth $500K (AV) × 70% (EF) = $350K of damage. 3. Annualized loss expectancy (ALE) - the monetary loss the business expects to suffer as a result of the risk harming the asset during a typical year. Calculated as ALE = SLE × ARO. Example: a fire occurs once every 30 years, giving an ARO of 1/30 ≈ 0.03. The ALE is 0.03 × $350K = $10,500, the average yearly cost of the fire risk. (The unrounded ARO of 0.0333 gives about $11,667; whichever you use, round consistently across all risks so the ALE ranking stays fair.)
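As an added example (not from the study guide), the following Python puts the BIA metrics above and the resource prioritization step together: it derives ARO from a return period, computes SLE and ALE for each risk, ranks the risks by ALE, and checks the RTO-versus-MTD rule. The risk figures are the scenarios from this page (hurricane, tornado, avalanche, fire); the tornado is modeled as AV $10 million with EF 1.0 so that its SLE matches the scenario, and the RTO/MTD figures are constructed for the illustration.

```python
"""Quantitative BIA helpers: SLE = AV * EF, ALE = SLE * ARO, ranking by ALE,
and a check that no function's RTO exceeds its MTD. Added example, not from
the CISSP study guide; the risk numbers come from the scenarios on this page,
the RTO/MTD figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, as a fraction of AV (0.0 .. 1.0)
    aro: float              # annualized rate of occurrence (expected events/year)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss in a typical year."""
        return self.sle * self.aro


def aro_from_return_period(years: float) -> float:
    """'Once every N years' -> ARO. Keeps the unrounded value so that risks
    are compared consistently (rounding 1/30 to 0.03 changes the ALE)."""
    if years <= 0:
        raise ValueError("return period must be positive")
    return 1.0 / years


def rank_by_ale(risks):
    """Quantitative resource prioritization: highest ALE first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def rto_violations(functions):
    """functions maps a business function to (rto_hours, mtd_hours).
    Returns the functions whose planned RTO exceeds the MTD from the BIA."""
    return [name for name, (rto, mtd) in functions.items() if rto > mtd]


# Scenarios from this page. Tornado: AV $10M with EF 1.0 is an assumption
# that reproduces the scenario's $10M SLE.
SAMPLE_RISKS = [
    Risk("hurricane", 15_000_000, 0.50, 0.10),
    Risk("tornado", 10_000_000, 1.00, aro_from_return_period(100)),
    Risk("avalanche", 3_000_000, 0.90, 0.05),
    Risk("fire", 500_000, 0.70, aro_from_return_period(30)),
]

# Constructed RTO/MTD figures (hours), in the spirit of the online-retailer example.
SAMPLE_FUNCTIONS = {
    "web storefront": (0.1, 0.25),  # RTO 6 min, MTD 15 min: OK
    "internal email": (12.0, 8.0),  # RTO 12 h, MTD 8 h: violates the rule
}

if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name:10s} SLE=${r.sle:>14,.0f}  ALE=${r.ale:>12,.0f}")
    print("RTO > MTD:", rto_violations(SAMPLE_FUNCTIONS))
```

Running the module ranks the hurricane ($750,000/yr) ahead of the avalanche ($135,000/yr), the tornado ($100,000/yr) and the fire (about $11,667/yr with the unrounded ARO), and flags "internal email" because its planned recovery time is longer than the downtime the business can tolerate.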
What are the 5 steps in BIA?
1. Identify Business Priority 2. Risk Identification 3. Likelihood assessment 4. Impact analysis 5. Resource prioritization
The BCP must address how the organization will protect its business infrastructure (IT systems, servers, etc.). What are the two main methods of protection?
1. Physically hardening systems: protect systems against risk by introducing protective measures such as computer-safe fire suppression systems or uninterruptible power supplies (UPS). 2. Alternative systems: protect business functions through redundancy, such as backup communications circuits or standby equipment.
What are the 4 main steps of BCP?
1. Project scope and planning 2. Business impact analysis 3. Continuity planning 4. Approval and implementation
Why is the identification process critical? (Give two reasons.)
1. It provides the groundwork necessary to identify potential members of the BCP team. 2. It builds the foundation for the remainder of the BCP process.
Which individuals should be part of the BCP team? (Consider team members who provide diverse views of the organization: technical, financial, and political/public.)
1. Representatives from each organizational department responsible for the core services of the business 2. Business team members from functional areas 3. IT subject matter experts 4. Cybersecurity team members 5. Physical/facility security team members 6. Attorneys 7. HR 8. PR team members 9. Senior management/leadership
What are the goals of project scope and planning stage of BCP?
1. Review the organization's structure for crisis planning. 2. Form a BCP team approved by senior management. 3. Assess available resources for business continuity activities. 4. Analyze legal and regulatory aspects affecting the organization's response to crises.