Page338

Identify Preventive Controls

Preventive controls prevent disruptive events from having an impact. For example, as stated in Chapter 4, Domain 3: Security Architecture and Engineering, HVAC systems are designed to prevent computer equipment from overheating and failing.

The BIA will identify some risks that may be mitigated immediately. This is another advantage of performing BCP/DRP, including the BIA: it improves your security, even if no disaster occurs.

Recovery Strategy

Once the BIA is complete, the BCP team knows the Maximum Tolerable Downtime. This metric, as well as others including the Recovery Point Objective and Recovery Time Objective, is used to determine the recovery strategy. A cold site cannot be used if the MTD is 12 hours, for example. As a general rule, the shorter the MTD, the more expensive the recovery solution will be, as shown in Fig. 8.20.

You must always maintain technical, physical, and administrative controls when using any recovery option.

Supply Chain Management

Acquisition of computer equipment and business systems can be fairly straightforward during normal business operations. This can change drastically during a disaster. For example, an organization plans to equip a cold site in the event of disaster and purchase 200 computer servers during a disaster.

If the disaster is localized to that one organization, this strategy can be successful. But what if there is a generalized disaster, and many organizations are each seeking to purchase hundreds of computers? In an age of “just in time” shipment of goods, this means many organizations will fail to acquire adequate replacement computers. Supply chain management manages this challenge.

Some computer manufacturers offer guaranteed replacement insurance for a specific range of disasters. The insurance is priced per server, and includes a service level agreement that specifies the replacement time. The BCP team should analyze all forms of relevant insurance.