CISSP Exam Cram: Business Continuity and Disaster Recovery Planning
Terms you'll need to understand:
- Disaster recovery
- Business continuity
- Hot site
- Warm site
- Cold site
- Criticality prioritization
- Maximum tolerable downtime (MTD)
- Remote journaling
- Electronic vaulting
- Qualitative assessment
- Quantitative assessment
- Database shadowing
Techniques you'll need to master:
- Development and processing of contingency plans
- Completing Business impact analyses
- Creation of backup strategies
- Integrating management responsibilities
- Steering team responsibilities
- Testing emergency plans
- Notifying employees of procedures
- Testing issues and concerns
- Determining disaster recovery strategies
Most of this book has focused on ways in which security incidents can be prevented. The business continuity plan (BCP) and disaster recovery plan (DRP) domain address the need to prepare for, and how to respond to, the occasions when things do go wrong. For a company to be successful under duress of hardship or catastrophe, it must plan how to preserve business operations in the face of these major disruptions. A BCP identifies how a business would respond in the wake of serious damage, and evolves only as the result of a risk assessment that identifies potentials for serious damage. It is an unfortunate reality that this critical planning for disasters and disruptions is an often overlooked area of IT security. One of the best sources of information about disaster recovery is http://www.drii.org, which is the Disaster Recovery Institute International (DRII).
Notable recent events such as tsunamis in Southeast Asia, 9/11 in New York, Pennsylvania, and Washington, D.C., Hurricane Katrina in New Orleans, earthquakes in China, and Hurricane Ike in Houston, continue to highlight the need for organizations to be adequately prepared. Even after these calamitous events, DRII reports that most United States companies still spend, on average, only 3.7% of their IT budget on disaster recovery planning, whereas best practice calls for 6%.
A CISSP exam candidate must know the steps that make up the BCP process to pass the business continuity and disaster recovery domain. Some key elements of this domain include project management and planning, business impact analysis (BIA), continuity planning design and development, and BCP testing and training. The DRP is a subset of the overall BCP plan and describes the planning and restoration that a business would undertake following a disastrous event.
Although some individuals believe that the creation of a disaster recovery plan completes the process, the truth is that no demonstrated recovery exists until the plan has been tested. A DRP can be tested in multiple levels, including tabletop, full interruptions, checklists, and functional tests.