all right, So let's go ahead and move from talking about just principles of security and governance. Risk management to the next section of this chapter. That's equally important. Business continuity and disaster recovery planning. Honestly, we'll talk more about the disaster recovery planning piece
in Chapter seven security operations.
focus on primarily at this piece is planning for business continuity. Um, making sure that our organization can withstand failure, making sure that we're resilient. Where's disaster recovery planning's gonna focus much more on the immediacy of the disaster.
So, as a matter of fact, just starting right off with the basic difference between the two.
Business continuity planning is long term in nature. It is We're gonna, you know, regardless of what happens, will be able to keep the organization going in extended capacity, no matter what.
Now the disaster recovery plan is more I t focused, and it's all about recovering critical I t assets as quickly as possible.
And any time you hear recovery as part of a plan because, well, look at several other plans. Recovery is always about restoring functionality based on criticality. Getting those things back up and running that cost us the most money.
Now when we talk about the relationship, the business continuity, planning in risk management, you know, we talk about risk management earlier in this section, and so what we want to do is we want to identify our assets. We wanna look at threats and vulnerabilities, come up with a potential for loss and then find
a mitigating strategy that is going to be cost effective.
So sometimes we will accept risks. Sometimes are mitigation will be sufficient. Sometimes the risk is greater than anticipated. Sometimes we fail to detect risks. Sometimes risk management just doesn't catch everything.
And when that's the case, business continuity is the safety net. Underneath risk management,
you can think about risk management
being for those things that are medium to high probability. Sometimes they're referred to his known unknowns. We don't know if they're gonna happen, but we know enough so that their owner on our radar, those things we think are kind of likely to happen or ATT least
or where the fact there is that possibility now. Business continuity is for the unknown unknowns for those things that we really that are outside of our realm of expert of experience, those things that have a very low probability. But
if they manifest, they'll have a very high impact.
Okay, so the relationship I would really just kind of think about BCP is the safety net under risk management
Now when we talk about what's gonna calls us to move into our business continuity plan frequently there's been some sort of major incident. So when we look at the different types of disruptions that we could have, we could have a non disruption. You know,
it's an inconvenience system failed,
uh, loss of power. Malicious code has infected a system, data loss, whatever. Those are non disasters. However, when we start expanding where the loss is greater, then we look into more serious events. Now on emergency
imminent event that's gonna threaten loss of life or of property. So there's that immediate danger.
A disaster is where the facility is unusable for a day or longer. And when we talk about the facility being unusable, Ah, lot of times when we think of disasters, we think fire and brimstone and chaos and cats and dogs living together in sin and crazy things at think,
and that's not the case. What we look for two classified event is a disaster is that our building is inaccessible. And what that means is we look to the disaster recovery plan and that's gonna dictate what we do about it. How we notify our employees will have multiple faces. So
in the event that we have a snow day where they're 15 inches of snow, we're gonna close our building.
to the first section.
Where is we? Look at our disaster recovery plan because, of course, that's where we detail what to do in disasters, and we go to the notification face and we may simply put a post on our Facebook page. It says, Hey, we're closed today or we may contact the media or whatever.
So the point I'm trying to make is just because something has just declared a disaster
doesn't mean we're in full fledged disaster mode. It may just mean that we go to our disaster recovery plan and say, Hey, here, the folks that have to work from home.
Here's how we're gonna contact.
Excuse me. Sorry about that. So that means we're gonna look to phase one of our disaster recovery plan and figure out how we notify our employees how we determine who's gonna work from home.
What are those elements that we need to do to deal with today's lack of functionality? All right, so it's not always a big, catastrophic event now. A catastrophe is when the building is destroyed. So we're in a totally different frame of mind, a totally different environment
when there's a catastrophe. The building's been destroyed,
so we may look at moving toe an off site facility we may look at. Perhaps you're shutting our doors for a period of time. We could think about reciprocal agreements in other ways that we can keep our business going, but ultimate
ultimately with the catastrophe large scale. Hey, now we're so used to saying senior management as our answers. But if our question who can declare an emergency, the answer would be anybody write. Anybody can pull the fire alarm or yell fire.
Who could declare a disaster? That's senior management