
NessaT | ISC2 CISSP | CISSP Module 01

By: NessaT | Related Course: ISC2 CISSP | Published: August 10, 2017 | Modified: January 29, 2018

BCP phases

Responsibilities, authority, priorities, testing.

This lesson addresses what happens after a BCP has been researched and planned out and is ready to be put into writing. A strong business continuity plan needs to address:
• Responsibility (who owns each part of the plan)
• Authority (who can declare a disaster and activate the plan)
• Priorities (which business processes are recovered first)
• Testing
Testing needs to happen at least once a year, or after any major change to the organization or its systems, and the type of testing depends on the type of organization. The most realistic (and most disruptive) types of testing are:
• Parallel Test: recovery systems are brought up and run alongside production, which is not interrupted
• Full-Interruption Test: production is actually shut down and operations move to the recovery site
After testing, a review is conducted and the plan goes into maintenance mode.


The remaining phases of the Business Continuity Plan (BCP):
1. Plan and Design Development
2. Implementation: three phases following a disruption

a. Notification/Activation
b. Recovery Phase: Failover
c. Reconstitution: Failback

3. Testing

a. Checklist Test
b. Structured Walk-Through
c. Simulation Test
d. Parallel Test
e. Full-Interruption Test

4. Maintenance

BCP Subplans

Key metrics from the Business Impact Analysis (BIA):
• RPO: Recovery Point Objective (how much data loss, measured in time, is acceptable; this bounds how often backups must run)
• MTD: Maximum Tolerable Downtime (the longest outage the business can survive; MTD = RTO + WRT)
o RTO: Recovery Time Objective (time to get the system back up)
o WRT: Work Recovery Time (time to verify the system and restore normal business processing once it is back up)
• MTBF: Mean Time Between Failures
• MTTR: Mean Time to Repair
• MOR: Minimum Operating Requirements (the smallest set of resources needed to keep critical processes running)
Results of the BIA should contain:
• All business processes and assets
• The impact the company can tolerate for each risk
• Which outage durations are critical and which are not
• Preventative controls
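The metric definitions above imply two checks a reviewer should run on a written BCP: for every process RTO + WRT must fit inside the MTD, and the backup interval actually in use must not exceed the RPO. The Python below is an added example (not from the course or from Cybrary) that runs those checks over a constructed set of BIA results and derives the recovery priority order from the MTDs; the process names, hours and the `backup_interval_hours` field are assumptions for illustration.

```python
"""BIA metric consistency checks for a BCP (added example, constructed data).

Each process carries the BIA metrics listed above: MTD, RTO, WRT and RPO
(all in hours), plus the backup interval the current environment actually
achieves. The checks encode two relationships the plan must satisfy:
  - MTD = RTO + WRT, so the recovery and work-recovery windows together
    must fit inside the MTD;
  - a backup taken every N hours can lose up to N hours of data, so N
    must not exceed the RPO.
The recovery priority list is the MTD ordering (shortest MTD first).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessMetrics:
    name: str
    mtd_hours: float
    rto_hours: float
    wrt_hours: float
    rpo_hours: float
    backup_interval_hours: float  # assumed: what the current backup job achieves


def check_process(p: ProcessMetrics) -> list[str]:
    """Return the findings for one process; an empty list means it is consistent."""
    findings = []
    if p.rto_hours + p.wrt_hours > p.mtd_hours:
        findings.append(
            f"{p.name}: RTO {p.rto_hours}h + WRT {p.wrt_hours}h = "
            f"{p.rto_hours + p.wrt_hours}h exceeds MTD {p.mtd_hours}h"
        )
    if p.backup_interval_hours > p.rpo_hours:
        findings.append(
            f"{p.name}: backups every {p.backup_interval_hours}h cannot meet "
            f"RPO of {p.rpo_hours}h"
        )
    return findings


def audit_plan(processes: list[ProcessMetrics]) -> dict[str, list[str]]:
    """Map process name -> findings, only for processes that have findings."""
    report = {}
    for p in processes:
        findings = check_process(p)
        if findings:
            report[p.name] = findings
    return report


def recovery_priority(processes: list[ProcessMetrics]) -> list[str]:
    """Recovery order: the process with the shortest MTD is restored first."""
    return [p.name for p in sorted(processes, key=lambda p: p.mtd_hours)]


# Constructed sample BIA results (hypothetical processes and numbers).
SAMPLE_PROCESSES = [
    ProcessMetrics("Order processing", mtd_hours=24, rto_hours=8, wrt_hours=8,
                   rpo_hours=1, backup_interval_hours=1),
    ProcessMetrics("Payroll", mtd_hours=72, rto_hours=48, wrt_hours=36,
                   rpo_hours=24, backup_interval_hours=24),
    ProcessMetrics("Marketing website", mtd_hours=168, rto_hours=24, wrt_hours=8,
                   rpo_hours=4, backup_interval_hours=24),
]

if __name__ == "__main__":
    print("Recovery priority:", recovery_priority(SAMPLE_PROCESSES))
    for name, findings in audit_plan(SAMPLE_PROCESSES).items():
        for finding in findings:
            print("FINDING:", finding)
```

With the sample data, "Payroll" fails the MTD check (48 + 36 = 84 hours against an MTD of 72) and "Marketing website" fails the RPO check (daily backups against a 4-hour RPO); both are the kind of inconsistency that only surfaces when the plan is tested or reviewed, which is why the testing and maintenance phases exist.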


Governance: the board of directors interfaces with stakeholders to make sure their needs are met, balancing those needs against the agreed-upon enterprise objectives. Governance makes sure objectives exist and that they meet stakeholder needs, prioritizes the needs of certain stakeholders, makes sure the organizational structure is in place, and reviews test and audit results to decide what corrections need to be made and set them in motion.

Governance is responsible for risk appetite (aggressive, neutral, averse, etc.).

Management is responsible for risk tolerance: how we are going to operate within the confines of the risk appetite.

Governance says what we are going to accomplish; management says how.

Risk and Security

Risk can be assessed quantitatively (in monetary terms) or qualitatively (ranked on a scale). Either way, we always must pay for security: every control has a cost, and that cost should be weighed against the risk it reduces.

Risk Management

Risk = the likelihood that a threat will exploit a vulnerability
Threat = something or someone that can cause harm
Vulnerability = a weakness or defect that a threat can take advantage of
Risk = threat x vulnerability (no threat or no vulnerability means no risk)
Exploit = an instance of compromise (a threat actually taking advantage of a vulnerability)
Control = a countermeasure (reactive) or safeguard (proactive) that reduces risk
Secondary risk = a new risk that appears as a result of the response to another risk
Residual risk = the risk left over after controls have been applied
Fallback plan = plan "B"
Asset = something we value and want to protect (tangible or intangible, e.g. hardware or data)
Workaround = a response used when everything else fails

A more complete form of the risk equation used in this course:
Risk = (vulnerability x threat x probability x impact) / countermeasures
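To make the definitions above concrete, the Python below is an added example (not part of the course notes) that scores a small risk register qualitatively: likelihood and impact are rated 1-5, inherent risk is their product, each control reduces likelihood (a safeguard) and/or impact (a countermeasure), and what remains is the residual risk, which is then compared against a risk tolerance that management would set within governance's risk appetite. The register entries, the 1-5 scale, the per-control reduction values and the `RISK_TOLERANCE` threshold are all constructed assumptions for illustration.

```python
"""Residual risk vs. risk tolerance over a risk register (added example).

Applies the page's definitions in a qualitative form: likelihood and impact
are scored 1-5, inherent risk = likelihood x impact (1-25), each control
reduces likelihood (a safeguard that makes exploitation less likely) and/or
impact (a countermeasure that limits the damage), and residual risk is what
remains. Risk tolerance is the score management sets within governance's
risk appetite; anything above it still needs treatment. All entries and
scores below are constructed.
"""
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5


def _check_score(value: int, label: str) -> int:
    """Reject scores outside the 1-5 scale so a bad register entry fails loudly."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")
    return value


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0  # points removed from likelihood (safeguard)
    impact_reduction: int = 0      # points removed from impact (countermeasure)


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        _check_score(self.likelihood, "likelihood")
        _check_score(self.impact, "impact")

    def inherent(self) -> int:
        """Risk before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk left over after the controls; never below the bottom of the scale."""
        likelihood = max(SCALE_MIN, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(SCALE_MIN, self.impact - sum(c.impact_reduction for c in self.controls))
        return likelihood * impact

    def label(self) -> str:
        return f"{self.asset} / {self.threat}"


def needs_treatment(register: list[Risk], tolerance: int) -> list[str]:
    """Risks whose residual score is still above the tolerance, worst first."""
    above = [r for r in register if r.residual() > tolerance]
    return [r.label() for r in sorted(above, key=lambda r: r.residual(), reverse=True)]


# Constructed register: hypothetical assets, threats, vulnerabilities and scores.
REGISTER = [
    Risk("Customer database", "SQL injection", "unvalidated input in search form",
         likelihood=4, impact=5,
         controls=[Control("parameterized queries", likelihood_reduction=3)]),
    Risk("Staff laptops", "theft", "no disk encryption",
         likelihood=3, impact=4,
         controls=[Control("full-disk encryption", impact_reduction=3)]),
    Risk("Payment API", "credential stuffing", "password-only login",
         likelihood=5, impact=4,
         controls=[Control("login rate limiting", likelihood_reduction=1)]),
]

RISK_TOLERANCE = 8  # assumed: management's threshold on the 1-25 scale

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.label()}: inherent {r.inherent()}, residual {r.residual()}")
    print("Needs treatment:", needs_treatment(REGISTER, RISK_TOLERANCE))
```

The point the numbers make is that residual risk is never zero: the encrypted laptop still has a residual score of 3, and the rate-limited payment API stays at 16 because a control that only nudges likelihood does little against a high-impact threat, so that entry is the one that still needs treatment. Lowering `RISK_TOLERANCE` (a more averse appetite) pulls more entries into the treatment list without changing any of the scores.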
