Understanding BCP, DRP, and COOP ◾ 261
© 2011 by Taylor & Francis Group, LLC
what might cause that failure and plan to mitigate it. If businesses operated in a static world, identifying such cause-and-effect scenarios would be a relatively simple activity. However, businesses operate in a dynamic environment where internal and external changes combine to produce complex and multiple perspectives. Businesses grow, expand, contract, divest, and redirect their operations, operating in local, national, multinational, and global arenas; technology advances change their modus operandi; adversaries no longer present themselves as the bored student looking for the fun of "breaking and entering," but as organized crime funding extraordinary activities. Legislation passed to protect employees' and customers' privacy increases the need for vigilance and for protection of corporate systems, applications, and data in their four states (in situ, in flight, in backup, and in archive).
The other domains covered previously during your CISSP, and here for your ISSMP, take account of the various technology and security perspectives. We are concerned here with replicating a safe environment in which business operations can continue should an incident or event occur.
One of the greatest challenges facing the ISSMP, whether as a Chief Security Officer (CSO), a Chief Information Security Officer (CISO), an IT Security Officer (ITSO), or in any other senior position responsible for ensuring that a business is able to function under any condition, is to convince the board of directors of that need. Security, business continuity, and disaster recovery are often considered business overheads that do not contribute to the bottom line. It is your role to convince the board that, without forward planning, the impact to the business could be unrecoverable. The tools we use for this are risk assessment and business impact analysis. These are not simply mathematical calculations; they require both qualitative and quantitative analysis to assess the likelihood and the magnitude of any impact to business operations and revenue generation. It is, therefore, no longer sufficient for you to be a technical expert in communications, systems architecture, applications development, or data storage, protection, and privacy: the ISSMP must also understand the business, its strategy, and its core assets. Whether you have responsibility for business continuity or disaster recovery, or your role is of a more technical nature, you must understand how each area contributes to continued success: the business needs to understand the technology, and the technology needs to understand the business. Understanding the impact of an event or incident on business assets at a tactical or operational level is well rehearsed during the CISSP and SSCP; at the strategic level, however, we need to take the wider pan-business view and explore end-to-end processes rather than view activities in silos.
Accordingly, this chapter takes a strategic view of business continuity, disaster
recovery, and continuity of operations, extending the discussions of those during
your CISSP and SSCP.
This chapter provides step-by-step guidance on the stages involved in managing the strategic decision-making processes used to develop the following: