Spotlight article: Domain 7, Business Continuity

Detailed background on CISSP exam Domain 7, covering business continuity and disaster recovery. Security SchoolBusiness continuity planning can be the item that determines life or death of a company. Today, approximately 65% of companies could not stay in business if they had to be closed for a week or longer. It's estimated that less than 5% of companies are truly prepared to endure and survive a disaster. These numbers have been improving since 9/11/2001, which caused many corporations take business continuity and disaster recovery more seriously.

Disaster recovery focuses on how to survive a disaster and what to do right after a disaster. These plans are usually technology-oriented and focus on getting the network and systems up and running as quickly as possible. Business continuity deals with keeping a company and business after a disaster has been experienced and takes a lot more into account than just technology. More and more companies are developing business continuity into their environment because of the raised awareness of tragic possibilities, but also because of new regulatory requirements that infer executive management obligations for fiscal responsibility. The following topics in this domain are covered:

  • Business continuity and disaster recovery planning: Management leadership, goals and requirements, business impact analysis, team building and implementation.
  • Backup alternatives: Hardware and software approaches, collocation, electronic vaulting, offsite facilities requirements and types.
  • Recovery and testing: Strategies for executing recovery, carrying out drills and types of plan testing.
  • Emergency response: Preserving assets and life, reducing fraud, theft and vandalism.

Business continuity and disaster recovery planning
It's critical that companies understand the degree of potential damage and revenue losses that different types of business interruptions can cause. These can be man-made, natural disasters, technology failures and more. Almost every type of business interruption causes some direct or indirect affect on the productivity of a company, thus its revenue stream. It's prudent to identify the large and small issues that can negatively affect a company and identify backup alternatives before experiencing them.

The most critical part of continuity planning is management support. Management must be convinced of the necessity for such a plan. Therefore, a business case must be made to obtain this support. The business case can include current vulnerabilities, regulatory and legal obligations, current status of recovery plans and recommendations. Management will be mostly concerned with cost/benefit issues, so preliminary numbers will need to be gathered and potential losses estimated. The decision of how a company should plan to recover is purely a business decision and should be treated as such.

A business impact analysis is the core of business continuity planning. Qualitative and quantitative impact information should be gathered and then properly analyzed and interpreted. The goal is to see exactly how a business will be affected by different threats. The effects can be economical, operational, or both. This information can be gathered through standard survey tools or questionnaires given to the most knowledgeable people within the company. This will give a fuller understanding of all the possible business impacts.

The overall goals of the business impact analysis are as follows:

  • Identify the most critical business functions necessary for the survival of the company
  • Identify the necessary resources for those critical functions
  • Calculate the maximum tolerable downtime (MTD) that the company can endure for each resource
  • Identify vulnerabilities and threats
  • Calculate the risk of each threat
  • Provide backup and alternate solutions

The main goals of a business continuity plan are to improve responsiveness by the employees in different situations, ease confusion by providing written procedures and participation in drills and help ensure logical decisions are made during a crisis. If the employees know where to go when the all-hands-on-deck alarm is called, and are familiar with what tasks are expected of them and how to perform these tasks, then the people in position to make decisions on how to properly deal with the event can do so in a calmer and more controlled manner. This can prove to be a crucial element in business continuity.

The business continuity planning committee needs to investigate the following items, which need to be properly integrated into the business continuity management plan:

  • Primary facility recovery and backup sites: If primary site is destroyed, where should processing take place
  • People: Human resources is the resource that is most forgotten about
  • Hardware: Replacement time requirements, SLAs from suppliers, dangers of legacy, and/or proprietary devices
  • Software: Necessary applications, utilities, operating systems for production
  • Communication to different entities after a disaster: Customers, stock holders, suppliers, media
  • Looting and fraudulent activities after a disaster
  • Legal responsibilities
  • Employees' responsibilities to families: May need to tend to their families instead of helping the company get back on its feet

Backup alternatives
When we think of backup, we generally think of secure, offsite tape storage that will be available should we accidentally damage or destroy a needed file. Although access to up-to-date data is critically important to disaster recovery, it's not the only thing that must be backed up. Imagine a scenario where an earthquake destroys your building. You would need to replace all computer resources, networking -- maybe even people -- as well as find a new site to get your business running again. Therefore, backup includes site space, hardware, software and people, as well as data. How to choose a backup facility site is covered in this section, and different approaches to data backup are detailed.

There are several types of technologies available for backing up data and providing redundancy:

  • Database shadowing
  • Electronic vaulting
  • Remote journaling
  • Storage area network and hierarchical storage management
  • Co-location
  • RAID
  • Failover clustering

There are also several types of offsite facility choices that are available to companies. A hot site is a geographically remote facility that is fully equipped and ready to power up at a moments notice. A less expensive alternative would be a warm site, which includes the needed communications components but does not have computers installed. Less expensive still, is a cold site, which provides only the basic environment that can be outfitted with communication components and computers, though this may take from one to several weeks. Companies unable to support the ongoing service fees required for these options sometimes make arrangements with compatible companies who will host each other's employees and business functions in the event of a disaster. This is by far the least expensive, but is also the most risky since few companies maintain the extra capacity and equipment that would be suitable to host another company's business processes. However, it is still better than having no plan at all.

The necessary software -- the operating systems, programs and utilities used during regular business -- must also be backed up regularly to the offsite facility. If a program is built for a particular version of an operating system, it will not run if the wrong version of the operating system is installed at the offsite facility. If data is formatted to a particular version of a spreadsheet program, and that version is not also updated to the backup facility, it's possible that the necessary data will not be available in the time of need.

Too often our attention is only on backing up data and technology, and we over look people and the necessary skill set to continue the operation of the company. There are different reasons why the current employees may not be available after a disaster, including death, injury, or family responsibilities. The business continuity committee must identify the necessary skill set for each critical task and come up with back up solutions as in using temp agencies or cross training individuals.

Recovery and testing
After a disaster, there are usually two teams assembled -- the salvage team that assesses damage and works to bring the primary facility back on-line, and the recovery team that coordinates bringing up the alternative site. To be sure everyone knows what to do, tests are conducted. These can range from troubleshooting the plan by simply walking through the documents detailing the sequence of events, to actually rehearsing the plan up to the point of actual data or resource recovery at the main site. A CISSP candidate must know the difference between, checklist, structured walk-through, simulation, parallel and full-interrupt tests.

Emergency response
Finally, emergency response drills are necessary not only to minimize asset damage and preserve life, but to reduce the chance of fraud, theft and vandalism since the security mechanisms usually in place may be completely disabled. Companies need put processes in place to accomplish the following items:

  • Actions taken immediately to avoid injury and loss of life
  • Alert authorities and notify management
  • Contain damages if possible
  • Rescue critical data and equipment


CISSP® is a registered certification mark of the International Information Systems Security Certification Consortium, Inc., also known as ISC(2). 

Next Steps

Conti ransomware spree draws FBI attention

This was last published in September 2008

Dig Deeper on CISSP certification