332 ◾ Official (ISC)² Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
recovery. Only materials from the off-site storage facility should be available to participants. The simulation should include a rehearsal of all actions up to the actual movement of employees or equipment and materials to the alternate site. This test is a confidence builder that enables all concerned to experience role-playing in preparation for an actual disaster.
5. Full interruption involves actually shutting down normal operations and relying on the accuracy of the recovery procedures and on personnel to provide continuity of operations. This can be dangerous for large organizations because of the possibility of precipitating an actual disaster, so it is not recommended except in unusual circumstances.
Schedule
The scheduling of tests is an important consideration because it requires the participation of several key personnel, but tests should not generally be allowed to interrupt or otherwise impact normal operations. Tests should be conducted frequently enough to ensure that changes to critical systems, equipment, facilities, and personnel do not make continuity/recovery plan specifications obsolete. Many organizational changes can adversely impact plans, but most often it is changes to contact information or personnel that are a problem. The test schedule should be published well ahead of time to enable key personnel to adjust their personal schedules in order to be available. Each scheduled test should include a test plan that identifies the test objectives, scope, time requirements, participating personnel, location, etc.
Approval
Since tests involve the participation of several personnel, management approval
should be obtained before publishing the schedule. Executive management must
approve expensive tests such as simulation and full interruption.
Success Criteria
How can you ever know when you have been successful? The basic purpose of testing is to discover potential problems, either in the ability of the plan to meet the recovery time and recovery point objectives or in the readiness of personnel and materials to execute the plans effectively. Therefore, the purpose is to identify problems. If no problems are experienced, something is wrong with the testing procedure. It is best to start small with testing until most of the problems are resolved, in order to minimize wasted employee time. More elaborate and complex testing should follow to thoroughly ensure that interfaces and overlapping requirements are accommodated. One of the most common problems is assigning key personnel to more than one team. This usually doesn't work well because of the overlapping need to be in more than one place at the same time.
Reporting
Reporting the results of testing is very important for several reasons. One is that
it keeps management aware of the program and its need for continued support.
Another is that it provides information for maintaining the plans. It can also be
evidence for auditors to show progress and viability of the planning process.
Plan Feedback and Update
Documentation of plans must be kept updated to accommodate personnel changes, equipment upgrades, critical system changes, and facility movements. The updates should be centrally coordinated to maintain consistency. If test results show that aspects of the plans are inadequate, the planning team should meet and develop modifications.
It is extremely important that strict version control be established for all plans to ensure that all participants in response and recovery operations are using the same procedures and guidelines.
Training, Education, and Awareness
All members of staff should be aware of the importance of business continuity planning. Training and awareness are important to make sure that staff fully understand the plan and the role they will play in it.
Awareness can range from simple knowledge of the assembly points should the building have to be evacuated, to the exact role each member of staff will have in the event of a disaster or unexpected event.
Awareness training should be undertaken on a regular basis and be included in any staff induction programs.
Training in emergency response skills needs to be provided for those personnel assigned to teams involved in damage assessment, rescue operations, safety evaluations, etc.
Staff who will have specific responsibilities for the recovery of IT systems should be given further technical training. This will ensure that they are able to recover systems and applications quickly and efficiently.
Changes to the plan may require the retraining of key personnel and additional testing to ensure that the changes result in the anticipated improvements.
Any third parties who have a critical role in your business continuity plans should be part of this awareness training. If, for example, you have set up office-sharing arrangements with another business, then they need to know the procedures you will follow if your own office becomes unavailable.
You might also wish to consider training for any member of staff who may need to talk to the media in the event of a disruption or incident. This is particularly
important if the reputation and public perception of your business are key to its
ongoing success.
Audit
The auditors have a special role to play in BCP/DRP/COOP. They should review the plans to ensure that they reflect industry best practices, and they should observe the plan tests and report on the effectiveness of plan implementations. Audit findings should be appropriately addressed in plan updates. The auditors also evaluate the plans for compliance with legislation and organization policy. The audit role provides due diligence through its assurance that due care has been fully addressed.
Restoration
Depending on the cause of the disaster, restoration of the primary facility could be fairly easy or very complicated. Of course, it is wise to prepare for the worst case, based on the threat analysis that was completed earlier.
The primary objective of restoration is to return the primary facility and equipment to normal full operations. The facility and equipment must first be cleaned of water, smoke, or fire contamination. The damaged equipment must be repaired or replaced and water-soaked documents salvaged. There are vendors that can repair and salvage equipment and documentation. Quick action is required to limit water damage and minimize mold. Equipment should not be restarted until the equipment vendor declares it safe to do so; otherwise, insurance protection could be voided.
The primary facility should be operated in parallel with the recovery site to ensure that processing is successful. After completion of this step, the recovery site is decommissioned, and the restoration completion report to management, users, and stakeholders can be issued.
Review Questions
1. Which one of the following is not a benefit of developing a disaster recovery plan?
a. Reducing disruptions to operations
b. Training personnel to perform alternate roles
c. Minimizing decision making during a disastrous event
d. Minimizing legal liability and insurance premiums
2. A business continuity policy should be reviewed and re-evaluated
a. Annually in light of management’s strategic vision
b. Biannually in preparation for an audit review
c. Whenever critical systems are outsourced
d. During implementation of system upgrades
3. Which of the following is a key phase of BC and DR plans?
a. Damage assessment
b. Personnel evacuation
c. Emergency transportation
d. Emergency response
4. The vitally important issue for emergency response is
a. Calling emergency services
b. Protecting the corporate image
c. Accounting for employees
d. Employee evacuation
5. The third stage in the development of business continuity plans is
a. Define Business Continuity Management strategy.
b. Exercise, review, and maintain the policy.
c. Understand the organization.
d. Develop and implement the BCM policy.
6. Which one of the following is not required for understanding the organization? Understanding the organization's
a. Organization chart
b. Risk appetite
c. Information technology infrastructure
d. Core business functions
7. Key milestones in developing the project plan and governance include all of
the following except
a. Risk analysis
b. Data gathering
c. Audit approval
d. Training, education, and awareness
8. The output of a business impact analysis is
a. A prioritized list of critical data
b. A prioritized list of sensitive systems
c. The recommendation for alternate processing
d. The scope of the business continuity plan
9. When a critical system cannot function at an acceptable level without input from a system on which it is dependent, which of the following statements is incorrect?
a. The system on which it is dependent is at a higher priority.
b. The system on which it is dependent is at a lower priority.
c. The system on which it is dependent is at the same priority.
d. The critical system feeds a lower priority system.
10. People-based threats include
a. eft, whitelisting, industrial action
b. Industrial action, blacklisting, pandemics
c. Pandemics, theft, industrial action
d. Pandemics, call forwarding, theft
11. Risk acceptance is usually most appropriate when
a. Impact is high and probability is low.
b. Probability is high and impact is low.
c. Impact is high and probability is high.
d. Impact is low and probability is low.
12. Heat maps reflect the level of risk an activity poses and include all of the following except
a. A suggested risk appetite boundary
b. Proposed risk countermeasures
c. Risk zones
d. Color coding
13. A System Information Form contains all of the following information except
a. Recovery priority
b. Maximum outage time
c. Dependencies on other systems
d. Recovery point objective
14. e Notication Activation Phase of the BCP/DRP includes
a. A sequence of recovery goals
b. Activities to notify recovery personnel
c. e basis for declaring an emergency
d. e assessment of system damage
15. Documenting recovery procedures is for
a. Implementing recovery strategy
b. Highlighting points requiring coordination between teams
c. Outsourcing disaster recovery system development
d. Providing instructions for the least knowledgeable recovery personnel
16. The primary purposes of testing are to
a. Satisfy audit requirements.
b. Check that sources of data are adequate.
c. Raise staff awareness of recovery plans.
d. Prove the ability to recover from disruption.
17. Plan maintenance should be scheduled
a. After testing to account for hardware or personnel changes
b. In anticipation of audit activity
c. When changes are made to protected systems
d. When changes are made to supported business processes
18. Communications is a critical activity during the response and recovery phases of an incident. The communications plan must provide
a. Alternative types of communications media
b. A list of contacts reachable through a communications tree