
richardb8006 | Chief Information Security Officer (CISO) | Module 8 - Business Continuity & Disaster Recovery

By: richardb8006 | Related Course: Chief Information Security Officer (CISO) | Published: February 11, 2018 | Modified: February 11, 2018

Module 8 - Business continuity intro

BCP versus DRP

Business Continuity Planning:

Focuses on sustaining operations and protecting the viability of the business following a disaster, until normal business conditions can be restored. BCP is an 'umbrella' term that covers many other plans, including the DRP. Long-term focus.

Disaster Recovery Planning:

The goal is to minimize the effects of a disaster and to take the steps needed so that resources, personnel and business processes can resume operation in a timely manner. Deals with the immediate aftermath of the disaster and is often IT-focused. Short-term focus.


Potential risks


  • Fire
  • Hurricane
  • Flood
  • Tornado


  • Sabotage
  • Malicious code
  • Operator error


  • Hardware failure
  • Data corruption
  • Telecom outage
  • Power failure

Identified risks

After a risk assessment, the risks are identified. Appropriate security controls can then be implemented to mitigate them.

Security controls

  • Management controls
  • Operational controls
  • Technical controls

Residual risks

Residual risk is the risk that remains after a security control has been implemented. Mitigation has already been applied to these risks, so what remains is contingency planning: deciding in advance what to do when a residual risk materializes, which is what business continuity and disaster recovery planning provide.

Threat types

Disaster recovery and continuity planning deal with uncertainty and chance. The key is to identify all plausible threats, estimate the damage each could cause and develop viable alternatives.

The threat types are:

Man-made: Strikes, riots, fires, terrorism, hackers, vandals

Natural: Tornado, flood, earthquake

Technical: Power outage, device failure, loss of a T1 line

Categories of disruptions

Non-disaster: an inconvenience. Hard drive failure, disruption of service, device malfunction.

Emergency/crisis: an urgent, immediate event with the potential for loss of life or property.

Disaster: the entire facility is unusable for a day or longer.

Catastrophe: the facility is destroyed.

A company should understand and be prepared for each category.




Module 8 - Business Continuity Phases

A business continuity plan consists of seven steps/phases:

  • Project initiation
  • Business impact analysis
  • Recovery strategy
  • Plan design and development
  • Implementation
  • Testing
  • Maintenance

Project initiation:

  • Obtain senior management’s support
  • Secure funding and resource allocation
  • Name BCP coordinator/project manager
  • Develop project charter
  • Determine scope of the plan
  • Select members of the BCP team

Module 8 - Phases of the BCP - Business impact analysis

Business impact analysis (BIA)

Initiated by the BCP committee.

Identifies and prioritizes all business processes based on criticality.

Addresses the impact on the organization in the event of the loss of a specific service or process:

Quantitative: loss of revenue, loss of capital, loss due to liabilities, penalties and fines, etc.

Qualitative: loss of service quality, competitive advantage, market share, reputation, etc.

Establishes key metrics for use in determining appropriate countermeasures and the recovery strategy.

Importance (relevance) versus criticality (sensitivity to downtime):

The auditing department is certainly important, though not usually critical: it can be down for days without stopping the business. The BIA focuses on criticality.

Key metrics to establish:

  • Service level objectives
  • RPO (Recovery Point Objective): how much data loss is tolerable, measured backwards from the point of failure; this drives backup frequency
  • MTD (Maximum Tolerable Downtime): the longest outage a process can survive before the damage becomes unacceptable
  • RTO (Recovery Time Objective): the time to bring the systems back up
  • WRT (Work Recovery Time): the time after the systems are up to verify data, catch up on backlog and resume normal business work
  • MTBF (Mean Time Between Failures)
  • MTTR (Mean Time to Repair)
  • MOR (Minimum Operating Requirements): the minimum resources a process needs to run at all

RTO plus WRT must fit within the MTD; a recovery strategy that cannot meet this is not viable for that process.
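As an added example (not from the Cybrary notes or their author), the Python below takes a constructed BIA table of business processes, ranks them by criticality (shortest MTD first), flags any recovery strategy whose RTO plus WRT exceeds the MTD, flags backup intervals looser than the RPO, and derives availability from MTBF and MTTR. The process names and figures are invented for illustration; the two relationships it applies, RTO + WRT <= MTD and availability = MTBF / (MTBF + MTTR), are the standard ones.

```python
"""BIA metrics check.

Added example, not part of the Cybrary notes: each business process carries the
metrics the notes list (MTD, RTO, WRT, RPO, MTBF, MTTR) and the check applies two
standard relationships:

    RTO + WRT <= MTD                    the recovery strategy must fit inside the
                                        longest outage the process can survive
    availability = MTBF / (MTBF + MTTR)

Process names and figures below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessMetrics:
    name: str
    mtd_hours: float              # Maximum Tolerable Downtime
    rto_hours: float              # Recovery Time Objective: time to bring systems back
    wrt_hours: float              # Work Recovery Time: verify data, catch up, resume work
    rpo_hours: float              # Recovery Point Objective: tolerable data loss, looking back
    backup_interval_hours: float  # how often backups actually run (assumed input, not a BIA metric)
    mtbf_hours: float             # Mean Time Between Failures
    mttr_hours: float             # Mean Time To Repair

    @property
    def recovery_window_hours(self) -> float:
        """Total time from failure until business work resumes."""
        return self.rto_hours + self.wrt_hours

    @property
    def availability(self) -> float:
        """Steady-state availability implied by MTBF and MTTR."""
        return self.mtbf_hours / (self.mtbf_hours + self.mttr_hours)


def check_process(p: ProcessMetrics) -> list[str]:
    """Return findings for one process; an empty list means the strategy meets the BIA metrics."""
    findings: list[str] = []
    if p.recovery_window_hours > p.mtd_hours:
        findings.append(
            f"RTO+WRT ({p.recovery_window_hours:g}h) exceeds MTD ({p.mtd_hours:g}h)"
        )
    if p.backup_interval_hours > p.rpo_hours:
        findings.append(
            f"backup interval ({p.backup_interval_hours:g}h) exceeds RPO ({p.rpo_hours:g}h)"
        )
    return findings


def report(processes: list[ProcessMetrics]) -> dict[str, list[str]]:
    """Findings per process, ordered by criticality (shortest MTD first)."""
    return {p.name: check_process(p) for p in sorted(processes, key=lambda p: p.mtd_hours)}


# Constructed sample: one BIA row per process.  The auditing row mirrors the
# notes' point that an important department need not be a critical one.
SAMPLE = [
    ProcessMetrics("Order processing", mtd_hours=4, rto_hours=2, wrt_hours=1,
                   rpo_hours=0.25, backup_interval_hours=0.25,
                   mtbf_hours=2000, mttr_hours=4),
    ProcessMetrics("Customer portal", mtd_hours=8, rto_hours=6, wrt_hours=4,
                   rpo_hours=1, backup_interval_hours=0.5,
                   mtbf_hours=1500, mttr_hours=6),
    ProcessMetrics("Payroll", mtd_hours=72, rto_hours=24, wrt_hours=8,
                   rpo_hours=24, backup_interval_hours=24,
                   mtbf_hours=4000, mttr_hours=8),
    ProcessMetrics("Internal auditing", mtd_hours=168, rto_hours=72, wrt_hours=120,
                   rpo_hours=24, backup_interval_hours=48,
                   mtbf_hours=4000, mttr_hours=24),
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name:<20} {status}")
```

In the sample, the customer portal fails because its planned RTO and WRT together overrun the MTD, and internal auditing fails on both counts even though it sits last in the criticality order, which is the kind of result the BIA hands to management before the recovery strategy is chosen.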

Elements of the plan

Management should establish recovery priorities for business processes that identify:

  • Essential personnel: including succession plans and MOAs/MOUs (memorandums of agreement/understanding)
  • Technologies
  • Facilities
  • Communications systems
  • Vital records and data

Results from the BIA

Results of business impact analysis contain:

  • All business processes and assets identified, not just those considered critical
  • The impact the company can tolerate for each risk
  • Outage durations that would be critical versus those that would not
  • Preventive controls

Document and present to management for approval

Results are used to create the recovery plans

Module 8 - Phases of the plan - Remaining phases

Plan design and development

  • Now that the research and planning have been done, this phase is where the actual plan is written
  • Should address: responsibility, authority, priorities, testing
  • The plan is often created for the enterprise as a whole, with individual functional managers responsible for the parts specific to their departments
  • Copies of the plan should be kept in multiple locations
  • Both electronic and paper copies should be kept
  • The plan should be distributed on a need-to-know basis; most employees will only see a small portion of it

Three phases following a disruption

  • Notification/activation: notifying recovery personnel, performing a damage assessment
  • Recovery phase/failover: actions taken by recovery teams and personnel to restore IT operations at an alternate site or using contingency capabilities. Performed by recovery team.
  • Reconstitution/failback: outlines actions taken to return the system to normal operation conditions. Performed by salvage team.

Testing the plan

  • Should happen once per year or as the result of a major change (frequently tested on the exam)
  • The purpose of testing is to improve the response, never to find fault or assign blame
  • The type of testing is based on the criticality of the organization, the resources available and the risk tolerance

Testing: done before a plan is put into effect. The goal is to ensure the accuracy and effectiveness of the plan.

Exercises/drills: employees walk through the plan step by step. Happens periodically. The main goal is to train employees.

Auditing: a third-party observer verifies that the components of the plan are being carried out and that they are effective.

Types of tests

There are 5 types of tests:

  1. Checklist test: copies of the plan are distributed to the departments and the functional managers review them
  2. Structured walk-through test (tabletop): representatives from each department go over the plan together
  3. Simulation test: a disaster scenario is worked through, up to but not including the actual relocation to an offsite facility
  4. Parallel test: systems are moved to the alternate site and processing takes place there, while the original site keeps running
  5. Full interruption test: the original site is shut down and all processing is moved to the offsite facility

Post incident review

  • Focus on how to improve
  • What should have happened
  • What should happen next
  • Not whose fault it was; assigning blame is not productive

Maintenance of the plan

  • Change management: changes in hardware and software, people, environment and laws must be reflected in the plan
  • Large plans can take a lot of work to maintain
  • Maintenance has no direct link to profitability, which makes it easy to deprioritize

Keeping the plan up to date

  • Make it part of business meetings and decisions
  • Centralize responsibility for updates
  • Part of job description
  • Personnel evaluations
  • Report regularly
  • Audits
  • As plans get revised, original copies should be retrieved and destroyed
