12 hours 25 minutes
And now we move on to step three, where we do the actual continuity, planning And really what we want to do is put into place a plan that's gonna help us maintain and sustain the organization and minimize the impact on the business.
So here we develop our strategy, going to figure out what sort of processes we need to put in place and what provisions to make those processes work.
We have tohave approval of the plan, and that's got to come from senior management. And don't forget, the best way to ensure this plane is going to be successful is have direct
interaction with senior management throughout the creation of this and senior management being involved. All right, then we're gonna implement the plan. And like I said many times when you come to this plan, you find out what the controls we have in place right now, we're not working, so
we need to determine Okay, nightly backup isn't enough.
So how are we gonna move to database shadowing or what are the different elements that we are going to implement so that we can meet our recovery time objectives and recovery point objectives and so on.
And then, of course, you have to train your people. People need to know how to carry out the plan.
All right, so strategy, development We go back to the B, I A right. We look at our metrics and we want to make sure that our metrics are gonna match two objectives. So our objective should be to meet the metrics
and we talk about risk if you'll remember we talked about reduce except transfer and avoiding risk or ultimate risk reduction is avoidance. We're just accepting risks. And we know that sometimes you have to accept risk. So we're going right back to risk management.
Me some risks have to be accepted because there's nothing else we can do about it.
All right now, the precision provisions in processes So ultimately, how are we going to protect our assets? And our assets come in three main groups. The first priority always protect your people. So I need plans in place that put human life first.
That focus on the safe evacuation of my employees, verifying that all employees have been able to be evacuated
getting headcounts focus first and foremost on the safety of people.
Then I looked too protective, building the facility,
making sure that we have. And this goes into human life as well. But making sure that we have fire suppression mechanisms, making sure that the facility can continue moving forward. And if it can't, if the facility is damaged, then we need to think about offsite locations.
And really, we need to think about that well ahead of time.
So we might have least sites where we have cold, warm and hot facilities that are provided by the then by a vendor and release those on a monthly basis. We'll talk about theres a few more in a minute and then protecting our infrastructure. Our service is our servers are business processes.
Implementing fail over and fail back of key service is
so we're gonna focus this on people building an infrastructure.
Now, I mentioned we're gonna come back and talk. I'm gonna talk about the offsite facilities for a moment,
so I'm gonna pay a monthly fee for a facility that a vendor's gonna lease me. But that's strictly for the purpose of recovery. So one of the sites that I can lease is a cold site,
but a cold site is only going to be a building with plumbing and electricity, very bare bones. So I'm gonna have to move into it. I'm gonna have to bring my furniture and my infrastructure systems and all those pieces. It's gonna be inexpensive, but it's gonna take me a while
to transition over
with cold sites. Often the vendor doesn't even guarantee me a specific location.
They might say. OK, you get 1800 square feet within five square miles within a five mile radius of downtown Washington, D. C. And the reason for that is thes. Vendors will lease out the same site too many different customers. So it's a vendor. I might have 10 sites that I lease out to 100 customers
with the idea that a localized disaster, you know, building if your building catches on fire,
it's not gonna affect anybody else. Why can lease and lease and leased the same facility? What happens in the event of a regional disaster? Then we have everybody showing up, and it turns into kind of first come first served,
it's cheap, but it takes me a while to recover, and I don't have exclusive use
now, when I move into the war in sight.
Warm sites are the most popular
and warm sites have some equipment there. So I would Lisa site that has furniture, maybe bare bones infrastructure. None of my infrastructure, none of my systems. But they're gonna have phone systems and very basic computer systems. Maybe Internet access.
Some of those pieces. It's still gonna take me,
you know, several days to get my equipment there, restore from backup. Get my process. It's in place. Warm site is the most common
That hot site is exclusively mine. I have my equipment. They're really All I need is to come over and restore the most recent copy of backups or do the most recent restore, and then I should be virtually up and running.
Now we need tohave this commitment in writing from our vendors. So our service level agreements are going to guarantee Hey, in the event of a disaster, here's where you're gonna be located. Here. The facilities Here's what we're gonna provide that needs to be in a service level agreement
and then also emo ways which your memorandum of agreement
any time that we have a vendor commitment We want to make sure that there's an understanding what we expect that vendor to provide and what they expect to provide. So memorandum of agreements will cover that
for a test tip. If you would see anything where
you counted on a particular individual or vendor to provide a service in a disaster. But they didn't show up,
and when you contact them, they say they had no idea that was a responsibility. Well, the solution to that would have been a memorandum of agreement,
and I'll give you a heads up. Also here they could call them Emo Yoo's memorandum sze of understanding. The two are technically different. Very subtle difference. But there is a difference. But don't worry about that for the exam. They'll either use M O A or M O U, and they'll use them interchangeably. Okay,
All right. So our infrastructure, those critical elements of our environment now if we have infrastructure is a service and all this is managed at a cloud provider, well, kind of turning that responsibility to continue. Those service is over to R. C S P pull out service provider,
but internally warehousing the service's
well, we're the ones responsible for keeping their service is up. So we gotta think about redundancy not having a single mechanism, right? But having, uh, redundant servers, for instance, if server a fail server beacon, pick up the load
so you could think about things like clustering, you could think about raid.
Certainly redundancy of data through backups.
Resiliency is along the same line, but it's a little bit a little bit different in that resiliency indicates the ability to withstand a compromise. So can I take a hit and keep on ticking is resiliency. Do I have a means of self repair? Perhaps
fault tolerance. So we gotta, again, kind of tied in there with resiliency have got to be able to tolerate and keep moving
in the event of a loss.
And then also, we have to think about making sure our systems are heartened anytime. I say a hardened system that's always gonna mean a secured system, and things like removing a necessary service is patching the system's renaming administrative accounts. Those air, all part of hardening systems
ISACA CISM - Certified Information Security Manager
The ISACA Certified Information Security Manager (CISM) practice test from CyberVista helps students to prepare ...
Certified Information Security Manager
Certified Information Security Manager practice exam helps to prepare for the ISACA CISM certification exam. ...