Page322

BCP and DRP Overview and Process

The terms and concepts associated with Business Continuity and Disaster Recovery Planning are very often misunderstood. Clear understanding of what is meant by both Business Continuity and Disaster Recovery Planning, as well as what they entail, is critical for the CISSP® candidate. In addition to understanding what constitutes each discipline, information security professionals should also have an understanding of the relationship between these two processes.

Another critical element to understanding Business Continuity and Disaster Recovery Planning is analyzing the various types of potential disasters that threaten to impact an organization. In addition to appreciating the various types of disruptive events that could trigger a Disaster Recovery or Business Continuity response, it is important to be able to take into account the likelihood or occurrence associated with the types of disasters.

Finally, this section will define the high-level phases of the Business Continuity and Disaster Recovery Planning processes. The goal of this section is to ensure a basic understanding of the overall approach and major phases prior to delving into the details of each phase that will occur in the next major section: Developing a BCP/DRP. Disasters are an inevitable fact of life. Given a long enough operational existence, every organization will experience a significant disaster. A thorough, regimented, and ongoing process of continually reviewing the threats associated with disaster events, an organization’s vulnerabilities to those threats, and the likelihood of the risk manifesting will allow an organization to appropriately mitigate the inherent risks of disaster.

Business Continuity Planning

Though many organizations will simply use the phrases Business Continuity Planning or Disaster Recovery Planning interchangeably, they are two distinct disciplines. Though both plans are essential to the effective management of disasters and other disruptive events, their goals are different. The overarching goal of a BCP is to ensure that the business will continue to operate before, throughout, and after a disaster event is experienced. The focus of a BCP is on the business as a whole, and ensuring that those critical services that the business provides or critical functions that the business regularly performs can still be carried out both in the wake of a disruption as well as after the disruption has been weathered. In order to ensure that the critical business functions are still operable, the organization will need to take into account the common threats to their critical functions as well as any associated vulnerabilities that might make a significant disruption more likely. Business Continuity Planning provides a long-term strategy for ensuring the continued successful operation of an organization in spite of inevitable disruptive events and disasters.

Disaster Recovery Planning

While Business Continuity Planning provides the long-term strategic business oriented plan for continued operation after a disruptive event, the Disaster Recovery Plan is more tactical in its approach. The DRP provides a short-term plan for dealing with specific disruptions. Mitigating a malware infection that shows risk of spreading to other systems is an example of a specific IT-oriented disruption that a DRP would address. The DRP focuses on efficiently attempting to mitigate the impact of a disaster and the immediate response and recovery of critical IT systems in the face of a significant disruptive event. Disaster Recovery Planning is considered tactical rather than strategic and provides a means for immediate response to disasters. The DRP does not focus on long-term business impact in the same fashion that a BCP does.

Exam Warning As discussed in Chapter 4, Domain 3: Security Architecture and Engineering, the most important objective for all controls is personnel safety. This is especially true for exam questions regarding Disaster Recovery Planning.