CISSP: Business continuity planning and exercises
This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.
Business continuity planning (BCP) is the process of ensuring the continuous operation of your business before, during, and after a disaster event. The focus of BCP is on business continuation: it ensures that the services the business provides and the critical functions it performs are still carried out in the wake of a disaster. To keep critical business services and functions operable, the organization needs to take into account the most common threats to those functions and also consider any associated vulnerabilities.
BCP is covered in the CISSP certification exam in several domains:
- Domain 1 — 1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements
- Domain 6 — 6.3 Collect security process data (e.g., technical and administrative), including disaster recovery (DR) and business continuity (BC)
- Domain 7 — 7.13 Participate in Business Continuity (BC) planning and exercises
The business continuity planning process
The purpose of business continuity planning is to respond to disruption, activate recovery teams, handle tactical disaster status communication, assess damage caused by disruption, and recover critical assets and processes.
Developing a BCP is vital for an organization. It helps to minimize interruption of normal business functions for any event, from small to catastrophic. BCP has a specific set of requirements for review and implementation to ensure that all aspects of planning have been considered.
Following are the steps for BCP:
- Project initiation
- Business impact analysis
- Identify preventive controls
- Recovery strategy
- Designing and development
- Implementation, training, and testing
- BCP maintenance
NIST SP 800-34 (Contingency Planning Guide for Federal Information Systems) provides a guideline for developing a logical BCP.
The scope of the project must be defined and agreed upon before developing a BCP. NIST SP 800-34 describes seven milestones:
- Develop a contingency planning policy statement.
- Conduct business impact analysis (BIA).
- Identify preventive controls.
- Develop strategies for recovery.
- Develop an IT contingency plan.
- Plan testing, training, and exercises.
- Plan maintenance.
Upper-level management support is very important in BCP planning and implementation. C-level management must agree to the plan set forth and must also support the plan's action items. C-level management is an important resource in case of a disruption because they have the authority to speak to the entire organization and to the external media. They also have the authority to commit the resources necessary to move from disaster to recovery.
The BCP project manager is the main point of contact; he or she ensures that the BCP is updated and tested periodically. The project manager should have business skills, should be knowledgeable about the organization's mission, and must have good managerial and leadership skills to handle the tumultuous events that call for BCP measures.
The BCP team
The BCP team has the sole responsibility to handle emergency situations and carry out the BCP. Before establishing the BCP team, the continuity planning project team (CPPT) must be assembled. The CPPT should represent all the stakeholders in the organization, such as HR, the IT department, the physical security department, public relations, and all other personnel responsible for essential business functions. The focus of the CPPT is on identifying the resources that will play a part in handling a disastrous event.
The scope of BCP is difficult but crucial to define. BCP scoping requires us to define the exact assets that are covered and protected by the plan, which types of emergency events the plan will be able to address, and the resources necessary to create and implement the plan. Many key players in the organization will have to be involved in the scoping of BCP to ensure that all aspects of organizational function are represented. It is also crucial to identify the critical systems and processes. This assessment can be difficult because determining which pieces of IT infrastructure are critical isn't always straightforward, and without consultation with key users it is hard to determine at all. It is recommended that you use a qualitative approach when documenting the assets, groups, impacts, and processes.
Executive management support will be needed for the following three steps:
- Initiation of the plan
- Final approval of the plan
- Demonstration of due care and due diligence to the satisfaction of management
Business impact analysis
Business impact analysis (BIA) is a formal methodology to determine how a disruption to the IT systems of an organization will impact its processes, requirements and interdependencies with respect to its business mission. The analysis identifies and prioritizes the critical IT systems, allowing the project manager to fully delineate the IT contingency priorities. It correlates IT system components with the critical services they support, and it aims to quantify the possible damage that a disaster can do to those components. The primary goal of BIA is to determine the maximum tolerable downtime (MTD) for each IT asset. Other benefits of BIA include improvements in business processes and procedures, as it highlights inefficiencies in these areas.
The main components of BIA are as follows:
- Identify critical assets
- Conduct risk assessment
- Determine maximum tolerable downtime (MTD)
- Establish failure and recovery metrics, such as the recovery time objective (RTO) and recovery point objective (RPO)
Identify preventive controls
Preventive controls are used to stop disruptive events before they start. An example is an HVAC system that prevents equipment from overheating. Your BIA can also identify risks that can be mitigated immediately and thereby improve security.
Once your BIA is performed successfully, it will help in devising a recovery strategy. Metrics like maximum tolerable downtime, recovery point objective and recovery time objective are used to determine the strategy for disaster recovery. Technical, physical and administrative controls must be maintained while using any recovery option. Recovery options include:
- Supply chain management (acquisition of computer equipment is assured during disaster)
- Telecommunication management (availability of electronic communication during disaster)
- Utility management (availability of utilities like power, gas, water, etc.)
A redundant site is a duplicate of the production site that can operate seamlessly without loss of services. The redundant site should have live data backup replication, so no user data is lost.
A hot site is a location to which an organization may relocate in case of a major disaster. The hot site will have all necessary hardware and applications installed and real-time data mirrored. This will allow the organization to resume the operations in a very short period of time.
As you might expect, a warm site has some of the same aspects as a hot site, for instance readily available hardware and communication capabilities. However, it relies on restoring backup data to reconstruct operations. Because of the cost involved in maintaining a redundant or hot site, many organizations opt for warm site solutions.
A cold site is the least expensive solution to implement. It doesn't contain any readily available hardware or copies of data backups, so it takes the longest time to set up after a disaster occurs.
A mobile site can be described as a data center on wheels: towable trailers containing racks of computer equipment, HVAC, physical security, and fire suppression mechanisms.
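The BIA metrics above only help if they are consistent with each other and with the recovery option chosen. The following worked example is added here and is not code from the original article or from NIST SP 800-34: it takes a constructed list of assets with hypothetical MTD, RTO and RPO values, flags any asset whose RTO exceeds its MTD (a plan that cannot meet the BIA), orders recovery by shortest MTD, and maps RTO and RPO to a site type and a replication mode. The hour thresholds for hot, warm and cold sites and the replication rules are assumptions chosen for illustration, not figures from the article or the exam.

```python
"""Added worked example (not from the original article or NIST SP 800-34):
check BIA metrics for consistency and derive a recovery option per asset.

Assumptions (hypothetical, not from the article): the sample asset values,
the RTO thresholds that select a hot/warm/cold site, and the RPO rules that
select a replication mode.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    mtd_hours: float  # maximum tolerable downtime, from the BIA
    rto_hours: float  # recovery time objective, from the recovery strategy
    rpo_hours: float  # recovery point objective: acceptable data-loss window


# Constructed sample BIA output (hypothetical values).
ASSETS = [
    Asset("order-processing", mtd_hours=4, rto_hours=2, rpo_hours=0.25),
    Asset("email", mtd_hours=48, rto_hours=24, rpo_hours=4),
    Asset("hr-payroll", mtd_hours=72, rto_hours=96, rpo_hours=24),  # RTO > MTD
    Asset("intranet-wiki", mtd_hours=168, rto_hours=72, rpo_hours=24),
]

# Assumed site-selection thresholds in hours; real values come from cost analysis.
HOT_SITE_MAX_RTO = 8
WARM_SITE_MAX_RTO = 72


def validate(assets):
    """Return the names of assets whose RTO exceeds their MTD.

    An RTO longer than the MTD means the recovery strategy cannot satisfy
    the BIA and must be revised (faster recovery option or reduced scope).
    """
    return [a.name for a in assets if a.rto_hours > a.mtd_hours]


def recovery_option(asset):
    """Map the RTO to the cheapest site type that can meet it (assumed thresholds)."""
    if asset.rto_hours <= HOT_SITE_MAX_RTO:
        return "hot site"
    if asset.rto_hours <= WARM_SITE_MAX_RTO:
        return "warm site"
    return "cold site"


def replication_mode(asset):
    """Map the RPO to a backup/replication frequency (assumed rules)."""
    if asset.rpo_hours <= 1:
        return "synchronous/continuous replication"
    if asset.rpo_hours <= 24:
        return "periodic snapshots every %g h" % asset.rpo_hours
    return "daily backup"


def recovery_order(assets):
    """Shortest MTD first: the asset the business can least afford to lose."""
    return [a.name for a in sorted(assets, key=lambda a: a.mtd_hours)]


def plan(assets):
    """Site type and replication mode for every asset, keyed by name."""
    return {a.name: (recovery_option(a), replication_mode(a)) for a in assets}


if __name__ == "__main__":
    inconsistent = validate(ASSETS)
    if inconsistent:
        print("RTO exceeds MTD, revise strategy for:", ", ".join(inconsistent))
    chosen = plan(ASSETS)
    for name in recovery_order(ASSETS):
        site, repl = chosen[name]
        print(f"{name:18s} -> {site:10s} ({repl})")
```

Run as a script, it reports that the hypothetical hr-payroll entry has an RTO of 96 hours against an MTD of 72 hours and needs a revised strategy, then lists the remaining assets in the order they should be recovered. In practice the thresholds would be replaced by the organization's own cost/benefit figures, but the consistency check (RTO never greater than MTD) holds regardless.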
BCP planning and/or implementation can sometimes be outsourced to another organization, transferring part of the risk to that provider under contract. Various organizations build their profit models on offering BCP services to customers.
Once the BCP is completed and ready for management approval, it is the responsibility of senior management to protect the organization's critical personnel and assets. Senior management must understand that they are accountable for the plan and therefore must thoroughly understand it, own it, and ensure that they will take the steps necessary to make it a success.
Implementation, training, and testing
Training, testing, and awareness must be performed for the disaster portion of BCP. Skipping these is one of the most common mistakes. It needs to be emphasized that BCP is never complete; rather, it is a continuous process to ensure that the organization can recover in an orderly manner. Furthermore, even when experienced individuals carry out the planning, mistakes can happen in the process, and only testing reveals them. Finally, each member of the disaster recovery team should be thoroughly familiar with their role in the BCP, which is where training comes into play. Awareness is imperative for general users, along with awareness of the organization's emphasis on the safety of operations and personnel.
Once the plan is completed, tested, and implemented, it must be kept up to date. Business and IT systems change quickly, so your BCP must keep pace with them. BCP maintenance should contain the following components:
- Change management
- Version control
- Accounting for mistakes
The change management process includes tracking and documenting changes, approvals, and the results of completed changes. Version control is the process of managing updates to the BCP to ensure that everyone is working from the most up-to-date version. Common mistakes in BCP include lack of support from management, lack of stakeholder involvement, improper supply chain management, lack of testing, and lack of training.
It is a luxury to imagine that your IT department can encounter a catastrophic emergency that shuts your company's network down and then take all the time it wants to figure out how to get things back up. Every minute your operations are down can mean lost profits, interrupted services, and loss of reputation with users and stakeholders. Even though recovery and the problem-solving needed to restore operations take time, your company needs to be back online as soon as possible. Having a detailed plan to make sure this happens efficiently isn't a luxury; it's an imperative.