BCP/DRP Quick Notes
In case you haven't studied the BCP/DRP section of your studies yet, here is some information that I sent to the folks on the newsletter:
The topic of proper business continuity and disaster recovery planning is highly testable. Expect to be tested on the following:
BCP process and steps (Not specifics, just the general flow)
Components of the Business Impact Analysis (ARO, MTTR, MTBF, SLE)
The idea that all stakeholders of a BCP should be involved in the planning
Business continuation strategies
The importance of documentation
Here are some important concepts to remember:
The process of recovering an organization's critical business functions after a disaster is known as BCP
Dealing with a more immediate or specific emergency is known as DRP.
Difference between BCP and DRP
BCP is more high-level than DRP. DRP falls under the umbrella of BCP.
"What if our main data center was destroyed by an earthquake, what do we do?" - That's BCP.
"What if our firewall failed at our main data center, what do we do?" - That's DRP.
The start of any organization's DRP/BCP program must have the approval of the senior management team
Management's approval is also a show of their support
BCP/DRP is all about documentation, documentation, documentation
According to the CISSP, the first thing to look for in a disaster is the proper documentation that contains procedures and guidelines on how to deal with a disaster
Here are some types of disasters:
The basic steps of a sound BCP are:
Phase 1: Scope and Initiation
Phase 2: Business Impact Analysis
Phase 3: Recovery Strategies and Continuity Development
Phase 4: Implementation and Testing
Phase 5: Maintenance
List the steps of the BIA
The below graphic is from Shon Harris AIO 7th Edition page 134, this was the source of my videos, as well as the Sybex. You can see the list of the BIA as explained by Shon, as well as some of the other phases.
RTO vs RPO vs MTTF vs MTTR
RTO is the maximum amount of time that is needed to bring critical business functions back to normal operating status before that business is crushed.
RPO is the measure of at what point in time a business can go back and still salvage enough data to fully operate. For example, can a business lose all the data it has accumulated in the last 10 minutes and still operate as a business? Probably. But can it lose all the data it has accumulated in a 12 hour period and still function? This depends on the type of business. A company that deals with the stock market and money, probably has a really short RPO, compared to a school with a database of past test scores, which could have a longer RPO.
MTTF as we stated is the same thing as MTBF. It is the measure of how long something is supposed to operate before failure.
MTTR is the amount of time required that is necessary to bring a critical business function back to operation. The mean time to recovery for your 2nd monitor in a dual monitor setup can probably be 72 hours to a week before you start finding it necessary to have a 2nd monitor again. The mean time to recovery for your mouse is probably a lot shorter, maybe minutes to hours?
Click here for a video and PDF download on MTD, RPO, RTO, WRT.
Due Care vs Due Diligence Example
Differentiating these two is a tough one, it's like comparing when you are angry vs when you are frustrated. The best way to understand it is to keep reading examples of it until it sinks in.
Due Care: Updating, patching, and securing a firewall
Due Diligence: Keep firewall support license warranty up-to-date, review SLA annually, check the news for CVEs against the firewall technology.
Due Care: Doing the immediate right thing, like updating your Windows machine when updates come in Due Diligence: Maybe look into other types of solutions where there aren't so many vulnerabilities. For example, if you have a Windows web server, but Windows is experiencing a lot of vulnerabilities that is affecting your business, research the possibility of moving to a Linux machine.
Due Care: Taking the CISSP exam Due Diligence: Studying everything you can about the exam before taking it
Due Care: An action
Due Diligence: A process or framework
You'll also have to know stuff like hot site, cold site, warm site, and the differences between them, along with when each site should be utilized.