Now our next section is talking about business continuity and disaster recovery, and I always like to think about that. Every decision we make starts with risk management, and it marches towards business continuity, meaning we make all of our security decisions
based on risk, right? We will get the asset, what it's worth,
threats and vulnerabilities. We get a potential for loss versus the cost of a countermeasure. We make good decisions based on cost-benefit analysis for what protective controls we put in place, whether they're preventive or detective or corrective or whatever those may be.
So we make our decisions based on risk management. But also at the back of our mind is the idea:
What if it fails? What if it's not enough? What if, what if, what if? Because we cannot prepare for every imaginable situation. So what we do is we have disaster recovery plans, and we have business continuity plans in place so that our organization continues no matter what.
So that's what this next section is, and business continuity planning and disaster recovery planning so many times go hand in hand. But the difference between the two is the business continuity plan is kind of the overarching plan that includes a portion
on disaster recovery. So the DRP is usually a part of the BCP. So the BCP is all-inclusive in nature, and it's long-term focused, right? It's not just here's how you put out the fire. That's the disaster recovery plan. So the disaster recovery plan is the immediacy,
and the business continuity plan looks at, yeah,
the DR piece is part of that. But the BCP goes much further into how do we recover? How do we maintain operations, how do we get back to the point of permanent operations and move forward,
right? They're both, of course, about minimizing the disruption on the business. But the DRP is immediate. The other thing: business continuity plan, business.
It's about the business. It's not just IT focused, right? So
have you looked at the disaster recovery plan? Disaster recovery plans do tend to be IT focused. So you've got the dealing with the immediacy of the disaster that's covered in the DRP, and then also recovery of critical services, and we'll talk about
what critical means and how to determine what's critical in just a second. But any time you hear recovery, it's about getting our most critical stuff back up and running. And I might as well say now when we talk about critical, we're talking about things that are time sensitive.
How much money do I lose when this element is not present? When this element isn't running? You know, earlier, I'd mentioned what happens if Amazon loses their Web presence.
Well, they lose millions of dollars, right? So that's a very critical resource for them.
Whereas Kelly Handerhan, trainer, my web presence is not gonna be anywhere near as critical. So one of the things we learn when we're assessing how critical our assets are is we go back to risk management. We think about what sort of controls and what sort of mitigation strategies were put in place.
I'll guarantee you Amazon spends a lot more money on redundancy of their web service
than I do, but it's all based on cost-benefit analysis, right? So with the disaster recovery plan, we have to identify, through a document called the BIA, which we'll look at in a second, what's critical and how critical. The disaster recovery plan is all about getting those critical resources back up and running