CISSP Exam Cram: Business Continuity and Disaster Recovery Planning
Terms you'll need to understand:
Disaster recovery
Business continuity
Hot site
Warm site
Cold site
Criticality prioritization
Maximum tolerable downtime (MTD)
Remote journaling
Electronic vaulting
Qualitative assessment
Quantitative assessment
Database shadowing
Techniques you'll need to master:
Development and processing of contingency plans
Completing Business impact analyses
Creation of backup strategies
Integrating management responsibilities
Steering team responsibilities
Testing emergency plans
Notifying employees of procedures
Testing issues and concerns
Determining disaster recovery strategies
Introduction
Most of this book has focused on ways in which security incidents can be prevented. The business continuity plan (BCP) and disaster recovery plan (DRP) domain addresses the need to prepare for, and respond to, the occasions when things do go wrong. For a company to survive hardship or catastrophe, it must plan how to preserve business operations in the face of major disruptions. A BCP identifies how a business would respond in the wake of serious damage, and it evolves only as the result of a risk assessment that identifies the potential for serious damage. It is an unfortunate reality that this critical planning for disasters and disruptions is an often overlooked area of IT security. One of the best sources of information about disaster recovery is http://www.drii.org, the Disaster Recovery Institute International (DRII).
Notable recent events such as the tsunamis in Southeast Asia; 9/11 in New York, Pennsylvania, and Washington, D.C.; Hurricane Katrina in New Orleans; earthquakes in China; and Hurricane Ike in Houston continue to highlight the need for organizations to be adequately prepared. Even after these calamitous events, DRII reports that most United States companies still spend, on average, only 3.7% of their IT budget on disaster recovery planning, whereas best practice calls for 6%.
A CISSP exam candidate must know the steps that make up the BCP process to pass the business continuity and disaster recovery domain. Key elements of this domain include project management and planning, business impact analysis (BIA), continuity planning design and development, and BCP testing and training. The DRP is a subset of the overall BCP and describes the planning and restoration that a business would undertake following a disastrous event.
Although some individuals believe that the creation of a disaster recovery plan completes the process, the truth is that no demonstrated recovery capability exists until the plan has been tested. A DRP can be tested at multiple levels, including checklist, tabletop, functional, and full-interruption tests.