8 hours 39 minutes
all right. Glad you made it back from that cliff hanger of the last section, and I had laid out the question for you. What happens if risk management fails? What happens with risks? You failed to identify what hell happens with mitigation. Strategies that don't work
would, if you underestimate the impact of a risk or even the probability and that risk materializes
and there's tremendous loss. So basically, what I'm asking you is what keeps your organization moving forward when risk management does fail and the answer's business continuity planning. Sometimes you'll hear continuity of operations planning. So we must have a business continuity plan
to help our organization continue to move forward, at least with their most critical service is
no matter what in the event of a disruption of any type of scale. All right, so of course, this is going to go to the responsibility of senior management, and
the assumption is again that they've been entrusted with the assets of the organization. So no matter what, they have to provide protection,
all right, so sometimes we'll hear business continuity and disaster recovery plan maybe used interchangeably or not used quite right. So the business continuity plan really is kind of an overarching document that has lots of little plans and one of those little plans, if not necessarily little. But one of those plans
is a disaster recovery plan,
and the disaster recovery plan focuses on returning operations to normal. Okay,
in the order of criticality. So disaster recovery planning is all about getting our most critical service is back up and running. But ultimately the goal is to get us completely restored to service, right? We want to get back to the state that we were,
um or really, let's say, get back to a state of permanence. We don't necessarily want to get to the state that we work as we've just been subjected to a disaster,
right? But we do want to get back to a state of permanent the business continuity plan. You know, you can think of as much longer term in focus. The disaster recovery plan is in that immediacy of the disaster. We got to get going into those critical resource is back up and running.
I will also point out to you that the disaster recovery plan tends to be I t focused
where the business continuity plan incorporates everything about the business. So you might have a business recovery plan or process. Recovery plan. You'll have part of your business continuity plan. Things like occupant emergency plans, crisis communication plans. So you'll have lots of plans
that are part of the business continuity plan
now, definitely. Some terms you want to know. So we've got recovery time objective. We've got acceptable interruption Window and recovery point objective
now at the disaster recovery site. Okay, so we're gonna assume that we've had a disaster and we have a plan to switch over operations to, uh, an offsite facility 50 miles away. Okay.
Our recovery time objective is the amount of time necessary to return to full operation,
right? That's what the disaster recovery plans all about. So I can set this for a particular system or for a process, or for the whole offsite facility. You know what is gonna happen before we're up and running at full capacity.
Now, the acceptable interruption window is the amount of time in which basic functionality must be restored, as in, we're out of the interruption of business were operating with our most critical systems were not at full recovery yet, but we are processing so
again. Basically, this comes around to most critical systems.
Now mentioned that several times. Does anybody remember the document that's necessary? That's gonna help us prioritize which systems are most critical. Senior management has to sign off and has to help with the prioritization.
But that document was called Wait for it. Wait for it. What is it? Business impact analysis, Right. I know you all had that on the tip of your tongue, but it's the business impact analysis that prioritizes all business processes based on criticality.
So when we get to those recovery time objectives when we get to the acceptable
interruption window, those elements are gonna be important to know. Usually these terms air wrapped up in the business impact analysis
all right. And then the last one recovery point objective is how current your data must be.
So if your data, if you're willing to lose an hour's worth of data one hour, be your RPF.
Now if you really think about it an organization that on Lee doesn't nightly back up,
How much are they saying? They're willing to lose? This forest data goes. So we're 9 to 5 shop. We do a nightly back up every evening at 11 o'clock. We're pretty much saying we're willing to lose a full day's worth of data. So that's our recovery point objective.
Now, sometimes when we talk about it in those terms, we might have seen your management say, Wait, we can't lose a day's worth of transactions.
Well, then we need to do something other than just backing up once a day. We might need to use database shadowing where Dad has written to multiple databases. At least two we could do batch transactions or, you know, shifted to an off site facility. But bottom line is what our recovery point objective
is is going to dictate how frequently
we back up or use some other means to create redundancy of data. Okay, those terms really big. Gotta know
Cybrary's Certified Information Security Manager (CISM) course is a great fit for IT professionals looking to move up in their organization and advance their careers and/or current CISMs looking to learn about the latest trends in the IT industry.