NIST 800-34 Rev 1

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
>> Now, as we looked at a handful of business continuity and disaster recovery frameworks in the last section, I want to mention, even though of course ISC²'s framework for business continuity is the one we would focus on most, the thing about all of these different organizations putting forth some framework: you will find that regardless of who you're looking at, if you're looking at ISO 27000 and 31, you're looking at NIST SP 800-34, you're looking at Disaster Recovery Institute International, it doesn't matter. Each one is going to have you go through a series of processes, and they're going to be very similar across the frameworks. They're going to use different terms, sure. They're going to group certain steps into a single step in one and break out one step into multiple steps in another. But in every one of these frameworks, we're going to be doing the same thing.

I'd like to look at NIST 800-34 Revision 1 first, because what this shows us is the flow according to NIST. NIST provides guidelines and frameworks for the federal government, but many private sector organizations also follow NIST standards. What they've done is they've given us a seven-step approach to business continuity planning.

You'll notice that the very first step is getting a continuity policy. What does that mean? That means securing senior management's buy-in. Usually, if you think about this in terms of project management, this would happen in the project initiation phase. Before we jump in and start running around documenting and collecting information, the first thing we have to do is make sure senior management is on board. That should pretty much be a continuing theme throughout this class: making sure senior management is on board, making sure that we understand how we support the business with this process, making sure we have alignment of our continuity goals with business goals.

We start out by getting senior management to come in and sign off. This continuity policy is often written up in a project charter where senior management says, look, we get the business need for this. Here's the problem that exists. Here's how this plan is going to provide the solution. We've named Kelly Handerhan as the project manager. We, at a broad level, will define the scope, the schedule, and the budget. Senior management provides a commitment for funding and support, and then they sign off. Without that document, without senior management commitment in writing, we're going to find that we're not going to be as successful. We're going to need to be working with members of the risk team. We're going to have senior management that we're working with. We're going to have representatives across the organization as a whole. So we have to have that support. We've got to have some clout when we're looking for information. When we're looking to have input from team members, we may be taking some resources out of operations while they contribute to our planning process, so we need senior management buy-in.

Now, after I get my policy, the first action item, and arguably the most important, is the BIA. BIA stands for business impact analysis. It's exactly what it sounds like. What are those resources or processes or functions within the business that would have the greatest impact if they were not available? Business impact analysis is all about availability. For instance, Amazon: imagine how much money Amazon is going to lose if their storefront, if their web presence, is down. They're going to lose millions depending on how long it's down. I can guarantee you that it's one of their most critical resources, and they have numerous elements of redundancy in place, but they also spent a lot on continuity planning and disaster recovery planning in the event that their web presence is not available. That's one of their top priorities.

I had mentioned earlier that the disaster recovery plan is focused on bringing those most critical services back online first. Well, the way we know what those most critical services are comes from the BIA. That business impact analysis allows us to list out the processes and functions, and then we go back and we prioritize them based on their criticality. That's where those ideas like recovery time objectives and recovery point objectives come in. Let's go through and figure out what length of time is acceptable and what isn't, and then we have to write our disaster recovery plan to restore those resources within the acceptable timeframes. That BIA is critical. Senior management needs to sign off on the BIA before we move on.

Now, once senior management signs off and they say, "Okay, you've prioritized the resources well. I can live with your critical response times, your recovery time objectives. You've got the resources you need. Great," we then move into looking at the preventive controls that are in place. I mean, ideally, we don't have any loss ever, and we have controls to prevent, at least for temporary periods, this type of loss. We look at what controls we have in place and then, well, let me say this: we look at the preventive controls in place knowing full well you can't prevent disasters, you can only mitigate. We have contingency strategies in case the risk does materialize. We have steps that are proactive, but we also have reactive strategies, okay, in case our proactive strategies don't work.

That information, preventive controls, contingency planning, criticality, all goes into writing the business continuity plan. In this business continuity plan, we have detailed procedures, we have recovery elements, the teams that are involved, various roles, but we write out the business continuity plan. This is what we do. Again, that business continuity plan starts with the declaration of the disaster and goes all the way to the point where we're restored to full operations.

Now, we develop the plan, then we test the plan. When you talk about testing the plan, we are verifying the plan for accuracy and for completeness. When we talk about testing the BCP: is the BCP accurate and is it complete? If so, then we look to exercises and drills to focus on employee response. We test the plan. We conduct exercises and drills to make sure our employees can carry out the plan. Then, last but not least, we maintain our business continuity plan; we make sure that it stays current and valid.

I will specifically tell you, particularly for the test, you go back and re-evaluate the business continuity plan at least once per year or in the event of a major change. It has to be on a regular basis, and that's at least once per year. Now watch for them kind of pointing you in that direction in your test questions. If they make a point of telling you you wrote the BCP 13 months ago, then you've got to re-evaluate. If they make the point of telling you you did this 11 months ago and nothing has changed, you're good. You can leave it as is, and there'll be that particular. What they're really just trying to test is, do you get that one year is that cutoff for when you want to go back and re-evaluate?

All right, so in this section we talked about NIST Special Publication 800-34 Revision 1, which focuses on the phases of continuity planning. In the next section we're going to talk about ISC²'s framework for business continuity, and what I really want you to do is to look for similarities between ISC²'s framework and the NIST framework.