
CISSP Training Series – Business Continuity Plan Concepts

Business Continuity Planning (BCP) is addressed as part of Domain 1, section 1.8 in the CISSP material. A strong BCP ensures that a company can continue its operations during and after a disaster or disruption. Here are the objectives surrounding BCP as covered in the CISSP material:


  • Explain the overall organizational business continuity practice
  • Describe the importance of the Business Impact Analysis (BIA)
  • Identify key steps and resources necessary to support the BIA.


The most important part of BCP is preparing for the time when the plan must be invoked. Take Covid as an example. I remember speaking with a gentleman the week lockdowns started. He knew of a financial institution that instructed employees to stay at home on Thursday and to log in via VPN at exactly 1PM. They actively tested their plan before the lockdowns came into full effect the next week. Another person I spoke with, from another organization, simply said, “we’re f***ed”. One place had a BCP they could test, which made them resilient, adaptive, and agile in the face of a global pandemic. The other expected bad things not to happen to them.


Companies that commit to investing in BCP planning, training their people and equipping them to deal with emergencies will always outperform their peers in continuity. This can be the difference between a business surviving adversity or not.


BCP Standards


When creating the BCP, a company can choose to build a program in-house, but there are standards that can be followed. Standards that are referenced include the following:


  • NIST SP 800-34
  • ISO 22300
  • ISO 23301
  • ISO 22313
  • ISO 22315


Standards may be required if you are in a regulated environment. I believe the standard numbers themselves aren’t the focus for the exam. They’re good to know, but I think the big picture of BCP is what you need to know for your CISSP exam.



Business Impact Analysis


After a standard is selected, the first item that needs to be addressed is the Business Impact Analysis. The BIA determines the potential effects of an interruption to critical business operations. It does so by reviewing all assets, processes and business obligations and their impact on the organization. The BIA is a management process which is then used by the security function to create and execute the BCP/DR plan.


The BIA can be performed using several methods. These include:


  • Interviews with system owners to determine system value.
  • Financial audit to determine asset values.
  • Customer surveys to get an external view of system importance.
  • Standards to get guidance from regulators.


The ultimate goal of the BIA is to determine critical operations (a.k.a. critical path).


The difference between Business Continuity and Disaster Recovery



Business Continuity allows the company to continue operations, even if processes change during the event (e.g. manually filling out forms instead of automatic collection). Disaster Recovery is the process of recovering systems back to “normal” from contingency operations.



BCDR Planning


Planning BCDR is all about how long a system can be unavailable until significant pain is experienced. This is referred to as the Maximum Allowable Downtime (MAD). Other terms include:


Recovery Time Objective (RTO). The RTO is defined by management and must be lower than the MAD time. It must be noted the RTO is NOT return to normal. It is restoring some form of functionality for a system (even if a replacement process is invoked).


Recovery Point Objective (RPO). The RPO is the amount of acceptable data loss. It is measured in time, not in volume of data (think of the hours between the last data backup and the outage occurring).



BCDR Costs


The lower the MAD, RTO and RPO, the higher the cost. This is considered part of BCDR planning according to ISC2. For example, if you have a requirement for zero data loss, you need high availability systems in multiple locations rather than nightly backups.
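To make the MAD, RTO and RPO relationships from the planning and cost sections concrete, here is an added example (not from the post or ISC2 material) that checks a constructed BIA output for the two classic planning defects: an RTO that is not below the MAD, and a backup interval that cannot meet the RPO. The system names, hours and cost tiers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class SystemProfile:
    name: str
    mad_hours: float              # Maximum Allowable Downtime, from the BIA
    rto_hours: float              # Recovery Time Objective, set by management
    rpo_hours: float              # Recovery Point Objective: acceptable data loss, in hours
    backup_interval_hours: float  # how often data is captured; 0 means synchronous replication

def data_loss_hours(last_backup: datetime, outage: datetime) -> float:
    """RPO is measured in time: hours between the last good backup and the outage."""
    return (outage - last_backup).total_seconds() / 3600

def required_strategy(rpo_hours: float) -> str:
    """Assumed cost tiers: the tighter the RPO, the more expensive the protection."""
    if rpo_hours == 0:
        return "synchronous replication across multiple sites (highest cost)"
    if rpo_hours < 24:
        return "frequent incremental or log-shipping backups"
    return "nightly backups"

def evaluate(profile: SystemProfile) -> list[str]:
    """Return planning defects for one system; an empty list means the targets are consistent."""
    findings = []
    # RTO must be strictly below MAD, or the business is already past its pain point at restore time
    if profile.rto_hours >= profile.mad_hours:
        findings.append(f"RTO {profile.rto_hours}h is not below MAD {profile.mad_hours}h")
    # Worst-case loss is one full backup interval: the outage hits just before the next capture
    if profile.backup_interval_hours > profile.rpo_hours:
        findings.append(
            f"backup every {profile.backup_interval_hours}h cannot meet RPO {profile.rpo_hours}h; "
            f"needs: {required_strategy(profile.rpo_hours)}"
        )
    return findings

# Constructed sample BIA output (not from a real organisation)
SAMPLE_BIA = [
    SystemProfile("payments", mad_hours=4, rto_hours=2, rpo_hours=0, backup_interval_hours=0),
    SystemProfile("hr-portal", mad_hours=48, rto_hours=72, rpo_hours=24, backup_interval_hours=24),
    SystemProfile("analytics", mad_hours=72, rto_hours=24, rpo_hours=4, backup_interval_hours=24),
]

if __name__ == "__main__":
    for p in SAMPLE_BIA:
        print(p.name, evaluate(p) or ["OK"])
    # Last nightly backup at 02:00, outage at 14:30: 12.5 hours of data at risk
    print(data_loss_hours(datetime(2024, 3, 1, 2, 0), datetime(2024, 3, 1, 14, 30)))
```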





This concludes our coverage of the BCP and DR discussion found in objective 8 of domain 1 of the CISSP material. For more information on our Official ISC2 CISSP training, please check out our standard and all-inclusive training solutions for you and your team!


Graham Thompson is an Information Security professional with over 25 years of enterprise experience across engineering, architecture, assessment and training disciplines. He is the founder and CEO of Intrinsec Security, a leading training company that is solely focused on delivering leading authorized IT security training from partners such as the Cloud Security Alliance, ISC2, ISACA, EC-Council and CompTIA.
