CRISC (Course)

Time: 5 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Description

This lesson covers the business impact analysis (BIA). In this plan, management should establish recovery priorities for business processes that identify:

- Essential personnel
- Technologies
- Facilities
- Communications systems
- Vital records and data

Once the BIA is complete, the results contain:

- All identified business processes and assets, not just those considered critical
- The impact the company can handle for each risk
- Outage times that would be critical vs. those that would not be critical
- Preventative controls

The phases of the plan: identify recovery strategies

- Facility recovery
- Hardware and software recovery
- Personnel recovery
- Data recovery

Video Transcription

00:04
Now, with the business impact analysis, we have certain elements of the plan, and we've talked about a lot of things, but just kind of a review. Remember, management's job is to establish priorities and document those, and some things that they need to think about. We need to make sure that we have essential personnel accounted for. People,
00:23
you know, we have all these mechanisms in place. We have all these recovery strategies for data. But if we have no one to restore the backup tapes, it doesn't matter.
00:30
So when we talk about people, think about having succession plans. So I might name the head of IT, or the lead technician, or the lead engineer as being responsible for a particular activity. But what happens if that lead engineer is not available? So I need to name a succession plan.
00:49
Usually we go several layers deep in the succession plan.
00:53
Memorandum of agreement and memorandum of understanding. I don't know that they're going to differentiate between the two on this exam, but these are both documents that would ensure that individuals know what their role is in the realm of disaster recovery.
01:10
So, for instance, here, when you come across something that revolves around
01:14
maybe a backup operator not knowing that he was part of the disaster recovery plan, or someone doesn't show up because they didn't realize they were required to, that would usually be traced back to a memorandum of agreement or memorandum of understanding. So these are documents, and an MOU is actually legally binding,
01:32
used a lot of times from department to department.
01:36
But ultimately, these are documents that ensure our people know what their roles are in disaster recovery.
01:42
All right, we're gonna think about technologies. I mentioned earlier the significance of configuration management and change control. I'm gonna have to restore the technologies within my environment. How am I gonna do that? You know, I don't know many people that could recreate an access control list, or all the access control entries
02:01
on their firewall, from memory.
02:04
I have to be able to go back to documentation and know those configuration settings. I ought to have documented the types of systems I have on my end user workstations, all the way to the point of what their BIOS revision number is. I need to document, because in the event that we do have a disaster,
02:23
I've got to be able to recover those technologies.
02:28
In a little bit, we'll talk about facilities, and we'll talk about subscription sites like hot, warm and cold sites, as well as mirrored sites. We also think about our communications systems, our records and data. And remember, when we talk about regulatory requirements to protect
02:46
patient information, customer information,
02:49
employee information, none of those regulations have an escape clause in case there's a disaster. So we have to make sure that the degree of privacy we're required to maintain will continue on, even in the event of some sort of large scale incident.
03:06
Now, ultimately, once my BIA is complete, what do I have? What am I left with? What have I accomplished? So I've identified all business processes. I've prioritized them based on criticality, and I've done that with the help of senior management, and I've gotten their sign off.
03:23
I understand what the impact is that we can withstand.
03:27
I have documented our risk tolerance and our tolerance for losses,
03:31
what outage time is critical, and what's noncritical as well. And it's documenting any sort of preventive controls to make sure these elements are provided for.
03:44
And then the next thing I do is I go in and I start thinking about recovery strategies. Okay, so remember, we're still going through the phases of a business continuity plan. We started out with project initiation, where we got our policy.
04:00
Then we wrote our business impact analysis, or conducted our business impact analysis.
04:04
Now we're gonna identify recovery strategies. Which strategies do we currently have in place to protect our assets? And going back to the idea of, maybe our organization has a very short recovery point objective, which we've identified in the business impact analysis. Now, in recovery strategies, I want to figure out,
04:25
well, what we currently have in place to
04:28
keep our data current. You know, like I said, if we just do a nightly backup, essentially what I'm saying is I'm willing to lose a full day's worth of data. So what strategies do we currently have in place? And are those sufficient to meet the metrics in the BIA? That's what we're doing here. And once again, it's not just about data.
04:46
We gotta think about people in recovery,
04:49
you know, for personnel recovery. What happens if we have an off site facility that's 200 miles away?
04:56
How am I gonna staff that offsite facility? Am I gonna hire contractors or temporary employees? Am I gonna ask my people to commute? Probably not for 200 miles a day. Am I gonna put them up in a hotel? We just have to think about those elements. With facility recovery,
05:14
we've just been talking about the facility specifically.
05:16
And let me tell you this: hot topic for the exam. Expect to see several questions on this.
05:21
What happens if we do have a fire? What happens if we have a flood? What happens if our building is damaged and is unusable for at least a period of time?
05:31
Well, like we said, a disaster is officially characterized by ISC² as the building just being unusable for a day or more.
05:41
So, obviously, if our building's unavailable for one day, we have totally different strategies than if it's been rendered unusable for a month. So we don't always activate all phases of the plan, right? If we have a snow day, we'll activate phase one; that might just mean contact my employees.
05:59
But if we have a larger scale disaster, we might move into stage two,
06:02
where we relocate our business operations to an off site facility.
06:08
Where? Well, it depends on what situations, or what we set apart ahead of time, what we've planned for and what we've agreed upon. And one of the things that we might do is we might lease an off site facility through a subscription service, and in that element, we would have hot,
06:26
warm and cold sites that we could choose from.
06:29
And we'll talk about those in just a moment, but I just kind of wanted to go over a few here. So hot, warm, cold sites means that I pay a vendor so much money per month, and in the event of a disaster, I have somewhere to relocate.
06:44
Reciprocal agreements. If I have a very specialized type of company, let's say I print newspapers,
06:53
obviously I can't really afford a facility and have a separate set of printing equipment, so what I might do is make an agreement with the newspaper three towns over and say, OK, in the event of a disaster, you can print your papers at my facility, or if we have a disaster, we'll print at your facility.
07:12
We keep in mind
07:14
that these reciprocal agreements are very good in theory, but they may be tough to enforce. A lot of times they're just handshake-based agreements. They're not legally binding.
07:24
All right, other alternatives are having redundant sites. So whereas hot, warm and cold sites we pay a vendor for, a redundant site is almost always under my ownership, as in, it's a branch office. When we had the snowstorm in Greensboro and had to flip the call center operations down to Jacksonville, it was done
07:42
almost instantaneously,
07:44
essentially just the flip of a switch. It was fully staffed. They had access to all the data. It was a very smooth and seamless transfer. So that's a redundant site. Very hard to have that sort of switchover with the hot, or certainly couldn't have it with the warm or cold.
08:01
All right, we might outsource. You know, we might just choose, for whatever reason, we can't process these incoming calls, or we can't do the data processing, we can't do this element of our job or another. We could outsource.
08:16
Rolling hot sites: a lot of times, you know, we're talking about a trailer pulling up in the parking lot, and we do a small degree of processing there. Prefab buildings: the benefit there is, of course, they go up very quickly, and you could move into them with relatively short notice.
08:31
Now, I just want to qualify this down at the bottom, where it says offsite facility should be no less than 15 miles away. For low to medium environments, critical operations should have an off site facility 50 to 200 miles away.
08:48
I agree that's on the slide, and this might be an okay rule of thumb,
08:52
but I would caution you with making statements of this should be 15 miles away, or this should be 200 miles away. Again, maybe just a good idea to base on, but
09:03
obviously the concern is we don't wanna have an off site facility across the street, because if office A floods, office B will flood. And I'll tell you, if we learn nothing from Hurricane Sandy, Hurricane Katrina, some of the flooding in Vermont and in Nashville, and some of the places on the East Coast that had
09:22
major flooding in the last 5 to 10 years,
09:24
that we saw as many companies going out of business, even companies that had offsite facilities, because the offsite facilities were just down the road. And we have to consider the possibility of regional disasters as well.
09:37
But ultimately, really, rather than mapping this to a number of miles away, what I would really like you to think about, and again, this is more real world, not necessarily test world, I would like you to think about: your offsite facility should be one geographic distance away.
09:54
So if we've got a Jacksonville, Florida office, having an office in Charleston, South Carolina, doesn't make a lot of sense. We want to get off the coast
10:01
for hurricanes or something along those lines. So it's rarely just as simple as saying move 50 feet away or 50 miles away. Rather,
10:11
also, when we do have an off site facility 50 or 200 miles away, or somewhere in the interim, we really have to consider how we are going to staff that facility. People aren't gonna drive back and forth to work 200 miles away. So personnel needs to be a key consideration there.
10:28
All right, this is a good chart, and I really, if I were a student sitting this online class, I would probably pause here and make sure that I'm solid with the ideas of a cold, warm and hot site. Actually, let me explain each of these to you, to make sure that you have this material, because, like I said, a lot of questions here.
10:48
With a hot, warm and cold site, what we would be looking at is leasing these facilities from a vendor. Now, there are vendors that do nothing but sell off site facilities, not sell, but lease offsite facilities. Now,
11:05
with a cold site, what I'm leasing here is simply a building space.
11:09
900 square feet, has power, has plumbing, just the bare essentials. There's no furniture, there's no computer equipment. There's nothing of mine. And as a matter of fact, what vendors often do is they oversell, meaning I've got one facility that I may lease to 10 different companies.
11:28
Why? Because what I'm providing them a lease for, or
11:33
a strategy for, is if they have a fire or if they have a flood. I'm not really offering them protection for a regional disaster. And if we do have a regional disaster and I've leased this office space to 10 different companies, what we're gonna have is a first come, first served kind of environment.
11:52
But I will tell you, also, a lot of these vendors, what they'll do is, rather than leasing you space at 900 Walker Avenue, what they'll do is they'll guarantee you a certain amount of square footage within a certain proximity to the greater metro area, so that, okay, maybe there is a regional disaster.
12:11
I put a company on Walker Street, but I have another facility out in Reston, Virginia, another facility in Herndon,
12:18
or wherever that might be. So bottom line is, you may not even be paying for a specific address at your cold site: a certain facility, a certain size, a certain proximity to a location, but not necessarily a specific address.
12:35
These are the cheapest by far, because there's nothing really there other than empty office space.
12:41
It's great, you know, low cost, but it takes a long time to get in there and set up your systems. So with your cold site, you can see we're looking to occupy and get back up and running within 30 days. That's a pretty large span.
12:54
Now, warm sites, these are the most popular. Usually at these warm sites, what we have is we have the basics. Certainly we have 900 square feet, or however much square footage we asked for. We have the basics that we would get in a cold site, but we also have office furniture.
13:13
We've got desks, we've got chairs,
13:15
we've got telephones. We have a very generic computer system, ultimately, that really any company could step into.
13:24
We've got to make it ours. We've got to bring in our own data. We gotta bring in our proprietary systems. But we're closer to getting back up and running, certainly, than we would be with a cold site, so we have a little bit more. We don't have any live data. We don't have anything that's ours. An important point to understand about both of these
13:43
is these are generic.
13:45
I'm not guaranteed this location or that location. So it's not like I could just walk in and test either of these sites, and I think that could be testable. I think they might ask, if you're wanting an off site facility where you can conduct tests to ensure its readiness, which type would you choose?
14:03
Well, you couldn't choose cold or warm, because I don't know where that facility is necessarily located.
14:09
And even if I did, it's so generic that there's really not a lot of testing that I could do.
14:15
If I want to make it mine, that's where your hot site comes in. And obviously this is much more expensive, because I have exclusive use of this facility. I have my own proprietary equipment there, and I can go in and test, assuming it's written into the contract, as needed. So here we're looking to get back up and running pretty quickly.
14:35
With a mirror site,
14:35
like I said, this is usually a branch office. This is under my ownership. And even though this says time to occupy within 24 hours, usually because of the expense required to maintain services for a mirrored site, usually I'm looking to get back up and running within seconds sometimes, but certainly within hours.
14:56
If I have a day's time, I may not go through the expense of a mirrored site.
15:01
Now I'll mention what really makes these expensive is the technology to say, OK, all this data that was available in the Greensboro office is now available to Jacksonville. All the calls being routed to Greensboro are rerouted to Jacksonville, so having that technology for switchover can be very expensive.
15:18
Obviously, today, as we start to talk about cloud computing,
15:22
where we're accessing resources not at a specific physical office or branch, we're accessing these resources, these databases, up in the cloud, up on the Internet. That's bringing the cost of redundancy down fairly significantly. So that's certainly a big benefit.
15:43
And like I said, right now I would pause here.
15:46
I would familiarize myself with this chart, and I would expect a good handful of questions on the different types of facilities.

CRISC

Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor