From the course: ISC2 Certified Information Systems Security Professional (CISSP) (2024) Cert Prep

Business continuity planning

- [Narrator] Business continuity planning is one of the core responsibilities of the information security profession. Business continuity efforts are a collection of activities designed to keep a business running in the face of adversity. This may come in the form of a small-scale incident, such as a single system failure, or a catastrophic incident, such as an earthquake or tornado. Business continuity plans may also be activated by person-made disasters, such as a terrorist attack or hacker intrusion. The focus of business continuity is keeping operations running, and because of this, business continuity planning is sometimes referred to as continuity of operations planning.

While many organizations place responsibility for business continuity with operational engineering teams, business continuity is a core security concept because it's the primary control that supports the security objective of availability. Remember, that's one of the big three objectives of information security: confidentiality, integrity, and availability.

When an organization begins a business continuity effort, it's easy to quickly become overwhelmed by the many possible scenarios and controls that the project might consider. For this reason, the team developing a business continuity plan should take time up front to carefully define their scope. What business activities will be covered by the plan? What types of systems will it cover? What types of controls will it consider? The answers to these questions will help make critical prioritization decisions down the road.

Continuity planners use a tool known as a business impact assessment, or BIA, to help make these decisions. The BIA is a risk assessment that follows one of the quantitative or qualitative processes that we discussed earlier. It begins by identifying the organization's mission-essential functions, and then tracing those backward to identify the critical IT systems that support those processes.
Once planners have identified the affected IT systems, they then identify the potential risks to those systems and conduct a risk assessment. The output of a business impact assessment is a prioritized listing of risks that might disrupt the organization's business, such as the ones shown here. Planners can use this information to help select controls that mitigate the risks facing the organization within acceptable expense limits. For example, notice that the risks in this scenario are listed in descending order of expected loss. It makes sense to place the highest priority on addressing the risk at the top of the list, hurricane damage to the data center, but the organization must then make decisions about control implementation that factor in cost. For example, if a $50,000 flood prevention system would reduce the risk of hurricane damage to the data center by 50%, purchasing that system is clearly a good decision because it has an expected payback period of less than one year.

In a cloud-centric environment, business continuity planning becomes a collaboration between the cloud service provider and the customer. For example, the risk of a hurricane damaging a data center may be mitigated by the service provider building a flood prevention system, but it may also be mitigated by the customer choosing to replicate services across data centers, availability zones, and geographic regions. Cloud service providers are one example of the many external dependencies that you should include when developing your business continuity plan. Other external dependencies could include third-party vendors, supply chain partners, and critical infrastructure elements. It's essential to have a thorough understanding of these relationships and their impact on your operations. By doing so, you can better anticipate potential disruptions and develop more robust and effective continuity strategies.
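The BIA prioritization and the flood-prevention cost/benefit decision described above, worked through in code as an added example that is not part of the course. It uses the standard quantitative formula (annualized loss expectancy = single loss expectancy x annualized rate of occurrence); the risk names, dollar figures and occurrence rates in `SAMPLE_RISKS` are constructed for illustration and are not the course's own data.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    sle: float  # single loss expectancy: dollars lost per occurrence
    aro: float  # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy (SLE x ARO): the yearly expected loss a BIA ranks on."""
        return self.sle * self.aro


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order risks by descending expected loss, like the BIA output list."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def evaluate_control(risk: Risk, cost: float, reduction: float,
                     max_payback_years: float = 1.0) -> dict:
    """Cost/benefit check for a control that cuts `risk`'s ALE by `reduction` (0..1).

    Payback period = one-time control cost / yearly loss avoided. The control is
    judged worthwhile when it pays for itself in under `max_payback_years`
    (the narrator's "less than one year" test). A control that avoids no loss
    never pays back, so its payback period is infinite.
    """
    if not 0.0 <= reduction <= 1.0:
        raise ValueError("reduction must be a fraction between 0 and 1")
    avoided = risk.ale * reduction
    payback = cost / avoided if avoided > 0 else float("inf")
    return {"avoided_per_year": avoided, "payback_years": payback,
            "worthwhile": payback < max_payback_years}


# Constructed sample BIA output (illustrative figures, not from the course).
SAMPLE_RISKS = [
    Risk("Power outage", sle=10_000, aro=4.0),
    Risk("Hurricane damage to data center", sle=2_000_000, aro=0.1),
    Risk("Fire in office building", sle=500_000, aro=0.05),
    Risk("Hacker intrusion", sle=300_000, aro=0.2),
]

if __name__ == "__main__":
    ranked = prioritize(SAMPLE_RISKS)
    for r in ranked:
        print(f"{r.name:35s} ALE = ${r.ale:>12,.0f}")
    # The narrator's decision: a $50,000 flood prevention system halving the top risk.
    print(evaluate_control(ranked[0], cost=50_000, reduction=0.5))
```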
