CRISC

Course: CRISC. Time: 5 hours 20 minutes. Difficulty: Advanced. CEU/CPE: 7.

Video Description

This lesson covers business continuity and disaster recovery planning. Business continuity and disaster recovery planning is a major part of the exam, so it's very important for examinees to have a strong grasp of these concepts. Business continuity planning focuses on sustaining operations and protecting the viability of the business following a disaster, until normal business conditions can be restored. The BCP is an 'umbrella' term that includes many other plans, including the DRP, and it is long-term focused. The goal of disaster recovery planning is to minimize the effects of a disaster and to take the necessary steps to ensure that the resources, personnel and business processes are able to resume operations in a timely manner. The DRP deals with the immediate aftermath of the disaster; it is often IT focused and more short-term in scope.

Video Transcription

00:04
All right. So moving on to chapter nine. And as I mentioned before, such an essential chapter on this exam; this is number one or two as far as testability goes. So you want to be very, very solid in your grasp of business continuity and disaster recovery planning.
00:20
Now, that being said, this is not a real, what I would call a flash card
00:26
chapter.
00:27
For instance, if you get to networking, telecom or cryptography, you can take a lot of notes. And a lot of that stuff is just gonna be rote memorization of facts. You know, what layer of the OSI model does TCP operate at? That's gonna be stuff you can learn with flash cards. Business continuity and disaster recovery planning,
00:45
this is much more conceptual.
00:48
And this is one of those chapters that people who have real world experience with business continuity tend to benefit the most from, obviously. So this is one that you're gonna get more conceptually. The reason I say that is, this being one of the most important chapters, you would think it would be the longest chapter, and it's actually fairly short and pretty straightforward,
01:07
but most of it just revolves around the concepts more so than memorization of facts.
01:11
So when we get started, we're gonna talk about what a business continuity plan is versus a disaster recovery plan. And a lot of times people use BCP and DRP; they almost always go together, but sometimes people use them interchangeably. Business continuity plan: it's about the business more so than the IT department,
01:32
and it's also about surviving a disaster, not just the immediacy of the disaster, but in the interim and in the long term. Whereas disaster recovery is more about the immediacy of the disaster. I've heard people describe DRP as "the sky is falling" and then BCP as
01:53
"the sky's fallen. Now what do we do?"
01:55
And I think there's some validity in that.
01:57
The other thing I understand is that the business continuity plan is a plan made up of lots of subsidiary plans. It's sort of an umbrella term for lots of many plans, and the disaster recovery plan is part of your business continuity plan as a whole.
02:12
There are other plans, like the business recovery plan. There's the continuity of operations plan, the occupant emergency plan.
02:19
So there are a lot of elements that make up that BCP, and the DRP is just one of them.
02:24
All right. We'll talk about some common terms in disaster recovery planning and business continuity. We'll look at the roles and responsibilities. That's definitely a very testable topic. Certainly, senior management's ultimately responsible for the health of the company in the event of a disaster.
02:42
But what about other roles within the organization? What is the IT department responsible for?
02:46
What about functional managers? What about the business continuity team? So we'll cover the roles and responsibilities. As I mentioned, with the BCP being made up of many sub plans, we'll cover those sub plans here.
03:00
And then we're gonna look at a seven-step approach to business continuity planning as a whole.
03:07
And then at the end we'll wrap up with some frameworks that give us guidance on creating a business continuity plan.
03:16
All right, so if we move into business continuity planning: sustaining operations and protecting the business, just like what we'd expect.
03:27
And remember, this exam is very, very business focused. Not about IT. IT is only important to us as it protects the business. And again, the business continuity plan's an umbrella term. There are lots of little plans, and the disaster recovery plan is but one of them.
03:45
But any time you see recovery or resumption as part of a plan's name, you know that's about the immediacy of the disaster. And usually it's about getting those most critical services back up and running as quickly as we can. And when I talk about critical services, or when I talk about the criticality
04:03
of elements on your network,
04:05
critical means time sensitive. It's not the same as important. So if I talk about a critical function, that may be very different from important functions in your environment.
04:17
For instance, let's say you're a health care organization that has to be in compliance with HIPAA.
04:24
So auditing is gonna be hugely, tremendously important for your organization, to make sure that you don't violate the law. Auditing will be essential. It will be important.
04:34
However, if my building burns down tomorrow, I don't have to get the audit team back up and running within, you know, half an hour.
04:43
So criticality: what are the areas that cause my company the greatest loss? Think about a company like Amazon, for instance. How much money does Amazon lose when their Web presence is not available?
04:56
You know, I think the estimate was something like $4 million for every 15 minutes. So obviously the Web presence there is gonna be just tremendously critical.
05:05
And although there are other services that are important, it will be difficult to find anything quite as critical for a company like Amazon.
05:16
All right now, risk management. We talk about risk management as the first chapter of our class, and the reason for that is all decisions start with risk management.
05:28
What are my assets? What are they worth?
05:30
What are the threats and vulnerabilities? What strategies can I put in place to protect those assets?
05:36
However, risk management does not always work.
05:40
Sometimes there are risks we fail to identify.
05:43
Sometimes there are residual risks that are left over. Sometimes one risk response causes another risk event; that would be a secondary risk. So what happens when risk management fails? And the answer is business continuity picks up the slack.
06:00
So business continuity is that safety net underneath risk management. So if you take a look at the slide, you'll see: okay, we've identified certain risks, and this would be qualitative analysis that we're doing here. We talk about fire and hurricanes and floods. We're not in an area where tornadoes are very common, so
06:19
we may choose
06:20
to accept that risk.
06:23
We'll talk about threats like sabotage and operator error. We'll talk about different technologies and we'll implement controls to address these risks. But there are risks that are left over, there are risks we couldn't identify, and all of those fall to the course of the business continuity plan. So
06:42
once again,
06:44
where risk management leaves off, business continuity picks up
06:48
all right now
06:49
with
06:50
the plan, with risk management or risk mitigation, with business continuity planning, what we're trying to do is mitigate or reduce the loss associated with the disaster or some sort of major incident.
07:05
Always remember, human life is the top priority,
07:10
and I say this almost jokingly. If human life is an answer on the exam, go ahead and choose it because they want to make sure that we keep our focus at protecting human life, much more so than elements of the business.
07:24
All right. So I've got my people to safety. We're no longer concerned about human life. The next greatest asset an organization has is their reputation.
07:32
And when you look at companies that have suffered a compromise in the last five years or so, they've taken a hit to their reputation. Can they recover? That hit is really going to determine the long-term health of the company.
07:47
All right, business continuity planning.
07:51
Um, for both of these, we've got to do our very best to identify all the possible threats. Now, that's a tall order. Threats come from a lot of different directions. There are many, many threats that might be off our radar that could still materialize.
08:07
That's why I, as an IT director, am not the only one sitting around writing down a list of risks.
08:13
We have to have a cross-functional team to determine what the risks are, with the potential for losses. And we'll talk about that on the business continuity planning team, that we need representatives across the different departments that are gonna help me assess what the risks are.
08:31
Now, risks. Generally, we think about them coming from three major categories. Manmade risks, whether they are intentional or unintentional. So it might be a cyber attack from a hacker for political reasons, for business reasons. Or it might simply be a user deleting a file.
08:48
We have natural disasters: hurricane, flood, earthquake, fire, those sorts of things. And then we have technical disasters, where we have hard drive failures, we have loss of power, whatever those elements might be.
09:05
So the bottom line is we have threats coming from three major categories. We need to think about all three categories.
09:11
Now, there are also different types of disruptions. Not everything's a disaster, and even a disaster might have a definition different from what you would anticipate. So when we look at the categories of disasters, the first one is a non-disaster.
09:28
And a non-disaster is simply an incident. It's some sort of element. Honestly, it's really more of an inconvenience. I've had a hard drive fail, power's been out for half an hour. Um, you know, there's been a virus that was relatively easy to contain.
09:46
Those would all be non-disasters.
09:48
When we cross over into the field of disaster, that generally revolves around this: we're unable to work for a day or longer. It may revolve around the facility,
10:01
so we can't get to the facility or the facility itself is damaged and can't be used. But we're looking at right about a day or longer.
10:09
So if you're in an area like, for instance, last winter in the DC region, we got, like, 26 inches of snow within a day, maybe two days. And for some of you that may not be very much, but we here in the metro DC area really aren't equipped to deal with that much snow. So when we had it, most people
10:28
had the day off work.
10:30
And when the business shuts down and isn't available to conduct normal operations for a day or longer, that still is actually lumped in as a disaster.
10:39
A disaster does not mean weeping and gnashing of teeth. All a disaster really means is we're gonna look to our disaster recovery plan and we're gonna implement it. Probably not the whole thing, but maybe just phase one, and phase one of our disaster recovery plan may simply be we're gonna contact our employees and tell them not to come to work.
11:00
But if there's something that affects our facility, we look to the disaster recovery plan to see what we do there.
11:07
All right, next one: catastrophe. So, a catastrophe. I've heard that called a scorched earth
11:16
policy or plan. When you come to the catastrophe phase, it's been a bad day. We've had large-scale loss; the facility's been destroyed.
11:28
And then one that I skipped up here, I want to mention: emergency. An emergency is when there is an imminent threat to life or property. And what makes it that emergency is the immediacy of the threat.
11:41
So I would be prepared to answer a question maybe like, within your organization, who can declare an emergency?
11:50
And the answer, of course, would be anybody. Anybody can declare an emergency. Anybody can pull the fire alarm or shout "smoke."
11:58
Who can declare a disaster? That should be senior management only. Senior management says, let's move to phase one of the disaster recovery plan. Let's contact our employees and tell them not to come into the office. Let's have our essential employees work from home, whatever that might be.
12:16
Okay, so anyone can declare an emergency. But only senior management, and down here I have the BCP coordinator; they also can declare
12:26
a disaster as well.

Instructed By

Kelly Handerhan
Senior Instructor