Module 6: Business Continuity And Disaster Recovery

Lesson 1: Business Continuity Planning


Business continuity ensures a large-scale disaster or interruption does not impact business operations
CIA must be taken into account during and after a disaster or interruption to ensure business continuity
BCP ensures organizations have a process of restoring system operations in a secure manner
Continuity of Operations (COOP) and Contingency Planning are Business Continuity Planning (BCP)
o BCP identifies and documents critical assets necessary for operations in the event of a disaster or disruption
Business Continuity Management (BCM)
o The overarching process for BCP and DRP which is focused on protecting the business from harm
o Zachman Framework is used for BCM
o Zachman helps align system infrastructure core business processes and identifies organizational interdependencies
o Requires organization policies to define business continuity and disaster recovery requirements
BCP policy
o Written direction of the purpose, principles, and context for BCP
o Should fit within the overall policy and strategy framework of the company
o Should also require the creation of a BCP
BCP plan identifies the organization's BCP processes, procedures, and personnel
BCP plan should include (at a minimum) the purpose, scope, BCP team, any dependencies, and testing and exercise requirements
BCP purpose should define the reason/need, objectives, and regulatory requirements for business continuity
BCP scope should define the critical business assets required for BCP, such as personnel, departments, and components

© Copyright 2018 Cyberactive Security, LLC. All Rights Reserved. CISSP is a registered trademark of (ISC)2, Inc.
BCP team should define all BCP team members and any outside parties
BCP dependencies should identify required resources and personnel to ensure a successful execution of the BCP
BCP testing and exercises should define in the BCP policy how the plan will be reviewed, tested, and audited
The BCP must be maintained or it can become ineffective and expose the organization to significant risk if a disaster occurs

Lesson 2: Conducting A Business Impact Analysis


BCP ensures business operations are continued in the event of a disruption to organizational assets
BIA analyzes business processes and assets to understand business impacts during a disruption or disaster
BIA is designed to keep the business up and running if something bad happens
BIA helps identify the most important assets and resources to the organization
An organizational risk assessment should be completed as part of BIA
Quantitative risk assessment is best for BIA
BIA data collection can be accomplished by surveys, interviews, or workshops
The BIA process typically includes: identifying critical business processes and functions, identifying critical system resources, defining the business tolerance levels, and updating BCP to address business impacts
With critical processes, identify what will be required to restore or recover that process or functionality
With system resources, dependencies such as technology, personnel, third-party services, etc. must be taken into account
BIA is a top-down approach, so it’s important to start with senior leadership to discover what they think is critical to the business
Tolerance levels determine how long the organization can function without the processes and resources
MTD is the acceptable amount of time a critical process or function can be disrupted

RTO is the maximum amount of time a critical process or function can be unavailable before the business is negatively impacted
RPO is the point in time to which the system can be recovered in order to resume operations
Recovery priorities should be based on tolerance levels
Results from the BIA must be captured in the Business Continuity Plan (BCP)
The BCP will support due care and due diligence for regulatory compliance

Lesson 3: Disaster Recovery Planning


Disaster recovery ensures critical assets can be recovered or transitioned during a disaster or disruption
o Outlines the processes and procedures for managing long-term disruptions in service
Recovery strategy determines the resources and process to recover from a disruption or disaster, such as:
o Non-disaster is when a device malfunction or failure is experienced
o Disaster is when the operational facility goes offline due to a disruption or failure
o Catastrophe is when the operational facility is completely destroyed
MTBF is the estimated lifespan of an asset, indicating when an asset will likely need to be replaced
MTTR is how long it will likely take to repair an asset and restore it to proper functionality
Having 1 or more spare assets ensures system resilience if a failure occurs
Fault tolerance technology allows a system component to continue functioning in the event of a fault or failure
Redundancy is the deployment of duplicate system components configured with fault tolerance technology
High availability is measured by the probability that a system will maintain functionality in the event of a disruption
Data backups can be full, differential, or incremental, but are often a combination of these methods:
o A full backup creates a complete copy of all data
o A differential backup only backs up the files modified since the last full backup

o An incremental backup backs up the files modified since the last full or incremental backup
o Backed up data should be stored onsite and offsite
▪ Onsite backup data allows quick data restoration
▪ Offsite avoids data loss during a disaster
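The three backup types above determine which backup sets a restore needs. The following added example (not part of the original course notes) simulates a constructed five-day schedule that mixes all three types and rebuilds the data as of any day; the file names, schedule, and function names are assumptions, and file deletions are not modelled.

```python
from dataclasses import dataclass

@dataclass
class Backup:
    day: int
    kind: str    # "full", "differential" or "incremental"
    files: dict  # path -> content captured in this backup set

def take_backup(day, kind, live, history):
    """live maps path -> (content, day_last_modified); backups run at end of day."""
    if kind == "full":
        since = -1  # capture everything
    else:
        # Differential baseline: last full. Incremental baseline: last full or incremental.
        bases = ("full",) if kind == "differential" else ("full", "incremental")
        since = next(b.day for b in reversed(history) if b.kind in bases)
    files = {p: c for p, (c, mday) in live.items() if mday > since}
    history.append(Backup(day, kind, files))

def restore_chain(history, target_day):
    """Smallest ordered list of backup sets needed to rebuild the data as of target_day."""
    fulls = [b for b in history if b.kind == "full" and b.day <= target_day]
    if not fulls:
        raise ValueError("no full backup at or before the target day")
    chain = [fulls[-1]]
    later = [b for b in history if chain[0].day < b.day <= target_day]
    chain += [b for b in later if b.kind == "differential"][-1:]  # only the newest one
    chain += [b for b in later if b.kind == "incremental" and b.day > chain[-1].day]
    return chain

def restore(chain):
    """Apply the sets in order; later sets overwrite older copies of a file."""
    return {p: c for b in chain for p, c in b.files.items()}

def simulate():
    """Constructed five-day schedule; returns (history, true end-of-day contents per day)."""
    schedule = ["full", "incremental", "incremental", "differential", "incremental"]
    edits = [{"a": "a0", "b": "b0"}, {"a": "a1"}, {"c": "c2"}, {"b": "b3"}, {"a": "a4"}]
    live, history, truth = {}, [], []
    for day, (kind, changed) in enumerate(zip(schedule, edits)):
        live.update({p: (c, day) for p, c in changed.items()})
        take_backup(day, kind, live, history)
        truth.append({p: c for p, (c, _) in live.items()})
    return history, truth

if __name__ == "__main__":
    history, truth = simulate()
    for day, expected in enumerate(truth):
        chain = restore_chain(history, day)
        print(day, [b.kind for b in chain], restore(chain) == expected)
```

A restore to day 2 needs the full plus both incrementals, while a restore to day 4 needs only the full, the day-3 differential, and the day-4 incremental.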
Electronic vaulting is the copying and transmitting of digital information to an offsite storage location
Remote journaling is electronic vaulting of message or log files, not the data itself
Remote mirroring is electronic vaulting that is conducted in real-time
Using Alternative Locations:
o Cold Sites contain only essential environmental infrastructure
o Warm Sites contain basic infrastructure and HVAC equipment but no computing systems
o Hot Sites contain a full suite of all business and system components
o Mobile Sites are a rolling backup site containing the critical assets for disaster recovery
o Mirrored Sites are fully operational replicas of the primary operational site
SLA is a legal agreement between a service provider and a service client
Reciprocal agreements allow two companies to use each other’s facilities for disaster recovery
MAA is similar to a reciprocal agreement, but it is between multiple companies
Maintenance agreements are SLAs for hardware or software vendors to provide specific levels of support

Lesson 4: Creating A Disaster Recovery Plan


The purpose of the DRP is to help personnel efficiently respond to emergency situations
Only companies with effective disaster recovery plans are able to survive these events
Creating a DRP allows personnel to identify all of the necessary actions during a disruption or disaster event

If the DRP is ever used in a real disaster, it will likely become evidence in a civil and/or criminal case
For the Disaster Recovery Process:
o Personnel will create checklists of tasks and responsibilities
o Personnel process is how DRP personnel are selected within the organization
o Communication process is how DRP information or activation will be communicated
o Assessment process is how damage will be assessed during a disaster event
o Response process is how the organization will respond during a disaster
o Restoration process is how the organization will recover from a disaster
After the DRP is complete, it's time to implement, train, and test the plan to determine effectiveness

Lesson 5: Disaster Recovery Testing


DRP needs to be tested to verify it will prevent business interruptions in the event of a disaster
DRP tests often identify weak points in an organization’s recovery plan
Organizations cannot have confidence in a DRP until it has been tested
Test Types:
o Checklist tests allow departments to review the DRP and make recommended changes
o Read-through tests provide a thorough review of the DRP to discover errors and ensure all DRP requirements are captured
o Walkthrough tests allow DRP personnel to collectively work together and rehearse disaster scenarios
o Simulation tests carry out a disaster scenario under realistic conditions
o Parallel tests exercise the DRP at an alternate or backup facility to ensure they can be brought online successfully
o A full-interruption test shuts down operations at the primary facility and establishes full processing at the backup site

DRP personnel may require additional training such as first aid, CPR, and crisis management
Protecting employees takes priority over saving company data or the information system
Proper training and tests will help personnel develop appropriate DRP skills and responses

Lesson 6: Incident Handling And Response


Event: Something negative that has occurred and can be verified
Incident: A violation of a security policy or regulation
Incident Management: The process of responding, handling, and recovering from an incident
Incident response is addressing and managing a security incident
The incident response team consists of skilled personnel who are trained in incident response
Response plan contains the incident response goals, objectives, and the processes or procedures
Detection: Identify or learn of an event
Response: Take action to stop and/or control damage
Recovery/Remediation: Restore the system to normal or functional operations
Reporting: A detailed account of the incident
Mitigation: Identify any necessary changes

Lesson 7: Conducting a Post Incident Investigation


After handling an incident, an investigation needs to find the cause, motive, and reason the incident occurred
Root cause analysis of an incident finds:
o Motive (Why and Who)
o Opportunity (When and Where)
o Means (What and How)

Types of Investigations:
o Operational investigation is used when an incident occurred in an operational or production environment
o Criminal investigation is used when a crime may or may not have occurred
o Civil investigation is used when a crime hasn't occurred, but may result in liability
o Regulatory investigation is used when a regulation violation occurs
Evidence is something tangible that proves or disproves something occurred
o All evidence must be relevant and legally obtained
o Direct evidence is proof/actual evidence that needs no other support
o Real evidence is tangible/physical or digital evidence
o Circumstantial evidence consists of facts that create a conclusion
o Corroborative evidence supports a claim of an event
o Hearsay evidence cannot be supported by firsthand evidence
o Opinion evidence consists of statements or an opinion of the facts
o Secondary evidence is unreliable yet supporting evidence
o Digital evidence is direct or real evidence in an electronic or digital format
Electronic discovery is digital evidence or forensic data
IOCE/SWGDE defines principles and standards for digital forensic evidence collection and handling
Evidence must be stored in a secure location that controls access

Lesson 8: Digital Forensics


Data forensics is the science of identifying, collecting, analyzing, and preserving electronic data
Forensics combines criminal investigation techniques and the information system components in an attempt to understand what crime (if any) occurred
Data forensics can be used for investigations, security assessments, or even for regulatory and organizational compliance
Forensic investigators, IT and security professionals, and incident handlers and responders can perform forensic duties
o Consider response times, costs, and data confidentiality when tasking forensic personnel
The forensic process includes collection, examination, analysis, and reporting
o Data collection is identifying data sources and determining what data to collect to help with the investigation
o Data examination is reviewing the collected data or working through technical issues to discover additional data
o Data analysis is to draw an investigative conclusion from the data collected
o Investigation reporting is the documentation of forensic data with the investigator's explanation and conclusion
Organizations should perform forensics using a consistent policy and be proactive in data collection
Analysts should be aware of the range of possible data sources
Analysts should use a methodical approach to studying the data
