CISSP - Business Continuity and Disaster Recovery (BCDR)

Goals

Disaster Recovery is to minimize the effect of a Desaster
Business Continuity is to resume normal business after a Desaster

Components

Disaster Recovery Plan (DRP)
Business Continuity Plan (BCP)
Business Continuity Management

NIST SP800-34

Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
Conduct the business impact analysis (BIA). The BIA helps identify and prioritize information systems and components critical to supporting the organization's mission/business functions. A template for developing the BIA is provided to assist the user.
Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
Create contingency strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
Develop an information system contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system unique to the system's security impact level and recovery requirements.
Ensure plan testing, training, and exercises. Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation and exercising the plan identifies planning gaps; combined, the activities improve plan effectiveness and overall organization preparedness.
Ensure plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.

BCP Policy

Contains

Scope
Mission Statement
Principles
Guidelines
Standards

Creation Process

Identify and documents the compoenents of the policy
Identify and define existing policies that the BCP may affect
Identify pertinent laws and standards
Identify best pratices
Perform a GAP analysis
Compose a draft of the new policy
Incorporate feedback into the draft
Get approval of senior managment
Public a final draft and distribute throughout organiztation

Requirements

Senior Management Support

Business Impact Analysis (BIA)

Functional Analasys
Identify the companies critial systems that are needed for survival

Estimate tolerable downtime

Maximum Tolerable Down-Time (MTD)
Maximum Period Time of Disruption (MPTD)

Steps

Select individuals to interview for data gathering
Create data gathering tools
Identify companys critical business functions
Identify the resources these functions depend on
Calculate how long these functions can survive without these resources
Identify vulnerabilities and threats to these functions
Calculate the risk for each different business function
Document finding and report to senior management

Risk Assessment

Goals

Identify and document single point of failure
Make a prioritized list of threats
Gather information to develop risk control strategies
Document acceptance of identifies risks
Document acknowledgement of risks that may not be addressed

Formula

Risk = Threat * Impact * Probability

RTO and RPO

Recovery Time Objective (RTO)

The recovery time objective (RTO) is the targeted duration of time [...] within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.

Recovery Point Objective (RPO)

(The) recovery point objective, or “RPO”,[...] is the maximum targeted period in which data might be lost from an IT service due to a major incident.

Facility Recovery

Non-Disaster Disruption of service due to a device failure
Disaster Event that causes the entire facility to be unusable for a day or longer
Catastrophe Major disruption that destroys the facility
MTBF Mean time between failure
MTTR Mean time to repair
Hot-Site Facility that must be up within a few houres
Warm-Site Facility that must be up within a few days
Cold-Site Facility that must be up within a few weeks