CRISC

Course: CRISC
Time: 5 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Description

This lesson focuses on planning and developing the business continuity plan. The plan needs to address:
- Responsibility
- Authority
- Priorities
- Testing

Phases of the plan are:
- Implementation
- Testing

Video Transcription

00:04
All right, so we've collected our information. Now let's plan what we're gonna do with all this information. So we've gotten the business impact analysis. We know what our assets are. We know how valuable they are to us. And remember, we're thinking about that in terms of business processes and criticality.
00:23
Then we went and collected information about recovery strategies currently in place.
00:29
And now we're planning the design of the plan. We've got to think about responsibilities. We've already talked about this a little bit. Level of authority, priorities, and testing. So again, we're still in that planning piece. We're not ready to write the plan until we get to implementation.
00:47
So all of that research,
00:49
here's where we write the plan. But it's also where we implement those strategies that we've planned for. So we've decided, for instance, that backups are not sufficient. We're gonna incorporate remote journaling. Well, during the implementation piece, this is where we implement remote journaling
01:06
as well as writing into the plan how remote journaling is gonna help us recover our data.
01:11
All right. So often, like I said, the plan is frequently created for the entire enterprise, but within that enterprise-wide plan we have department-specific plans. So, really, all these little departments have each of their plans that roll up into a larger plan as a whole.
01:32
The copies of the plan: where do we keep the plan? Well, we need to keep the plan on site, but we also need to keep the plan offsite as well. We want electronic, and we want hard copies. And we distribute the plan only to those parties that have a need to know.
01:51
We don't make the disaster recovery plan or the business continuity plan widely known, because this is what my company does in the event of a disaster. So I don't want to make known all the security mechanisms I have in place, all the ways that we're going to respond to a disaster,
02:08
because I'm tipping my hand, so to speak.
02:12
Right. Sometimes a disaster is a diversion. It's a way to get everybody out of the building. So by making known, "Well, here are the strategies I have," I might be letting the bad guys, so to speak, have more information than they need. So who gets the plan? Those with a need to know. Now, once I distribute the plan,
02:30
as we have revisions, I'm gonna get the original plan back and I'm gonna destroy it. I want to make sure nobody's looking at the old plan.
02:39
Just the example of many departmental plans being rolled up into the enterprise plan as a whole.
02:46
Now with implementation, what's in the plan itself? We break out the plan into three distinct phases: notify, recover, reconstitute.
02:57
Notification. What are the triggers that tell me we're gonna move into the disaster recovery plan, phase one? What am I looking for that says, let's activate this plan?
03:07
Second piece, recovery. Who are the people? And really, you know, who are my recovery teams, and what are the processes that they do to get the most critical services back up online? So these are the people that are going to restore the operations at our offsite facility.
03:28
What are the steps? What are the things that need to happen in order to make that work?
03:31
And then we have reconstitution. How are we gonna get our primary site back up online?
03:38
Recovery, sometimes called failover; reconstitution, sometimes called failback or salvage. Out of all these, reconstitution is really the one that's most complicated, because in recovery we're looking to just get those most critical operations back up and running. But in failback or reconstitution,
03:58
we're trying to get back to a state of permanence,
04:00
and the disaster is not over until we've done complete reconstitution and we're operating in a permanent state. So everything's been restored that's gonna be restored.
04:13
And each of these phases. This is a slide that's not particularly readable, so you'll have to trust me with this. Each of the phases, recovery,
04:20
I'm sorry. Notification, recovery, reconstitution up at the top. Supporting information: a business case, policy, management's buy-in, why this business continuity plan is important, you know, just setting out the groundwork for what we're gonna do.
04:41
And then the last piece, our plan appendices.
04:44
This is where the memoranda of agreement are stored, maybe our service level agreements. This is where our succession plans are, phone lists, you know, anything to support the policy. So I wouldn't be concerned if you can't read this slide very well. It just essentially says you've got three elements of the plan.
05:02
Notify, recover, reconstitute.
05:04
Those make up the meat of the plan. You'll begin it with supporting information. You'll close it with a section for appendices.
05:13
Winston Churchill once said, no matter how brilliant your plan, you should test it, and I'm paraphrasing a little bit, but I think there's a lot of wisdom there. So we've written this. You know, we've done all this tremendous amount of research, we got buy-in. We've got funding with senior management.
05:29
We've put the key players in place. We have a well-written and well-thought-out plan.
05:34
We've got to test it,
05:35
And testing is really where you find out: is it really a well-written plan or not? And the degree of testing is going to determine my degree of confidence in the plan itself.
05:47
So when we talk about testing, once again, this is verifying the plan
05:55
for accuracy and completeness. This isn't about employee response. It's about the plan. Is it well written? And did we think of everything?
06:02
Testing should happen at least once per year or in the event of a major change, and that's so important because we know network environments are not stagnant; they're frequently changing. We might acquire another organization or we might merge with another company. We might redo network infrastructure.
06:23
There are a million different significant changes within our organization.
06:28
We must test our plans.
06:30
And down at the bottom again, testing is about the plan. Exercises and drills are all about improving employee response. And ultimately, when we look at these drills and we look at these tests, how to get a truly objective assessment is we have a third-party auditor
06:49
monitor how these plans were carried out.


Instructed By

Kelly Handerhan
Senior Instructor