ISC2 Four BCP Processes

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
Let's take a look now at ISC2's four business continuity planning processes. In the last section, we talked about the NIST special publication that they devoted to business continuity planning. That was 800-34. If you haven't done so already, I'd like you to actually go back and listen to that section, because what I want you to do is know that NIST and ISC2 are two different organizations, two different frameworks. But what I want you to notice is the similarity between the two. Now, one may have seven steps and this one has four steps, but really we're doing the same thing. We're going to talk about the four stages of the ISC2 processes that will match up to NIST. We start out with project scope and planning, we move to the business impact assessment, then we do the continuity planning, and we get approval of the plan from senior management.

Just like before, just like in the NIST special publication, we have to start with planning. We have to start, first of all, really even before we plan, with getting buy-in from senior management. In this step 1, which is named Project Scope and Planning, this is where we're going to get sign-off from senior management, namely in the form of, most likely, a project charter, where senior management commits to buy-in, to resources, to funding, and they name a project manager, they set the scope, they specify the business need, ultimately the problems that they're trying to solve by this business continuity planning process. We start there. We always start with figuring out the scope, getting commitment from senior management, making sure we're in alignment with the business itself, understanding the organization before we first start writing down plans. All of that happens in step 1.

We also need to select our business continuity planning team. Now, senior management may select these folks for us, we may choose our own, or there may be a combination of the two. But what we're looking for here is representatives across all the organization's departments. I'm not just looking for IT. This is business continuity planning, it's not IT continuity planning. I'm going to have representatives from all the organization's departments. That doesn't mean everybody is going to be sitting in a room with me; some departments may be represented through surveys and other forms of input. But again, this is about the organization as a whole, so we need to make sure that we have comprehensive representation. We also want to make sure that the folks that are on our team aren't just the folks from each department that aren't busy. There's a reason they're not busy. We need to make sure that we have competent, knowledgeable members that are representing their department. If it's not going to be the managers, then it should be lead technicians, engineers, or folks that have been around a while, to make sure that they can identify what business processes are necessary. We certainly want technical expertise on the BCP, but we also want legal representation, HR representation, and again, operations. We want all of those elements of the business represented, and then senior management, of course, because they're going to be the folks that provide the ultimate sign-offs.

Now, the business impact assessment. This is huge. It was huge in the last framework. This is the document that everything we do is based off of, because here is where we identify the business processes and we prioritize them based on criticality. This is the single most important document in business continuity planning, because everything we do here forms the basis. If we're wrong here, there's no way we can write an accurate disaster recovery plan or the larger business continuity plan. The job here is that we're going to focus on what business processes are most critical to our livelihood. What are those processes where we'd suffer the greatest loss in the event of failure? In order to do that, again, this goes hand in hand with risk management. We look at the value of the assets. What are the things that threaten them? What are the weaknesses? When we start talking about writing our plans, we may start talking about third parties, outsourcing certain types of work. But even here in business impact assessments, what we determine with our risks is also going to drive what we're looking for in our service level agreements and our memoranda of agreement from our vendors. We're talking about risk, we think about risks associated with third parties, we think about how our vendors can help us in the event of disasters. They can also cause disasters as well.

We also want to make sure again that individual departments are contacted. Sometimes we will give them a survey, sometimes we have these folks that are responsible for the business impact piece. But ultimately, we need the expertise of that department in order to tell what the most critical functions are. Also in the BIA, this is where we group processes based on criticality. That might be based on maximum tolerable downtime or outage, how long this function can be out of service before we have an unacceptable loss, and recovery time objective, how quickly we'd like to get the service back up and running. We're going to categorize these functions. I might say, okay, anything that has to be up and running within 10 minutes, that's critical. Anything that needs to be running within two hours' time, that's essential. Anything that can be off over a day, I'm going to specify, and I'm going to categorize based on criticality. Then this impact assessment is going to lead into our next piece, where we actually write the plan.

Once I'm done with the BIA, I should have what the processes are, and then I should have those mapped to individual devices. For instance, in this case, we see that time and attendance reporting has been determined to be critical. IT then has to come in and say, to make the time and attendance reporting possible, there's a LAN server or WAN server, we need email, mainframe access. So we know that senior management has named this service of time and attendance reporting as critical, and we have to find the individual devices, hardware, software, whatever will support it. By the end of the BIA, we know what senior management wants to accomplish and we know how.

Then we move into writing the plan. That plan is going to be based on the requirements given by senior management. It's going to be based on what we did in the business impact analysis. So we're going to determine our strategy. Strategy is always about closing the gap. Here's where we are, here's where we want to be, figuring out how to bring the two closer together. If our recovery time objective is two hours and we go in and analyze and say there's no way we can get the server backup online and running in two hours, well, we need to figure out how to close that gap. How can we make it? Do we need to upgrade? Do we need to back up more frequently? Do we need to send files off site? What can we do? That's gap analysis. Remember, our focus in continuity and particularly disaster recovery: people are always going to be our first priority. Always get our people to safety. Then we look after the facility, then our infrastructure. Those are the priorities for us because that's the significance of loss: people first, of course. But then we're going to suffer more loss if the building is damaged, and then we want to protect our infrastructure.

Now, I want to mention over on the right-hand side, we see a little diagram of cold, warm, and hot disaster recovery methods. In our continuity plans, we're going to have to determine, do we have availability of these leased sites? Because many times, we lease one of these sites in the event of a disaster, which means we pay on a monthly or quarterly basis. With the cold site, all we're paying for is a specific location. It just has plumbing, electricity, HVAC, no equipment. It's just a blank space, essentially. Now, we could also pay for a warm site. A warm site has some equipment: it has furniture, it has computer systems, it has a very basic network setup, it has phones. We can get into a warm site and, in just a matter of days, get back up and running. With a hot site, we're going to be able to have our resources there. It has everything that we need with the exception of the most recent data. We come in, we restore from backup, we make a few changes, and we're up and running. Now, I will tell you that based on how numerous companies are providing disaster recovery as a service and business continuity as a service, we're going to see a lot of these leases no longer being chosen as a means of disaster recovery, because now your data is recoverable from anywhere on the planet. We have found out because of COVID that people can work from home pretty satisfactorily for most jobs, so we're going to see disaster recovery changing based on what we've learned through the COVID disaster, and that's how it should be. We should take what happens and use that to shape our plans for the future.

Then the last step: get sign-off. Who gives the sign-off? Senior management, ideally the top of the food chain, the CEO, because when we talk about liability for continuity of operations, for legal compliance, for safety of employees, that's exactly where the liability goes, up to the top of the organization. They should put their thumbprint on the plan. They should approve it. They want to make sure that it's implemented properly. We need to make sure that employees are trained, and the plan should be distributed on a need-to-know basis. Not everybody gets the full copy of my business continuity plan. Of course, most people only need the portion that tells them how to evacuate: look for the person in the orange safety vest, here's where the stairways are, the closest stairway from your location, meet out in parking lot A until you're released back into the building. That's all most people need. Because remember, in this continuity plan, we're going to specify all the ways we're going to continue to protect our resources. We don't want to make that public. Attackers know the quickest way to clear a building: set off the fire alarm. So we don't want to tip our hand to any of the protective mechanisms we have in place, lest they be rendered useless.

I'm going to remind you one more time: at least once a year, or in the event of a major change, we go back and we look at the phases. We make sure that our continuity plan is accurate and it's up to date, that it adequately handles threats just like it did a year ago, making sure that anything that needs to be adjusted is done. At least once per year or in the event of a major change.

Just wrapping up with continuity, we make sure that we follow the four stages of the ISC2 approach to continuity. If you'll remember, in that section, we looked at project scope and planning. Then we did the business impact analysis. Then we made sure that we wrote the plan based on the business impact analysis. Finally, we got the plan approved. After approval, we implement, but we always go back and maintain the plan as well.