What are the primary and alternate sites in the context of contingency planning?
Chapter 11 Questions20 points1.What is BCP? Show
2.What is the difference between disaster recovery and business continuity? 3.What are the primary and alternate sites in the context of contingency planning? 4.What are RTO and RPO, and why is it essential to define them early in the BCplanning process? 5.What parts of the organization should the BC team draw on for its members? We have textbook solutions for you!The document you are viewing contains questions related to this textbook. Principles of Information Systems Reynolds/Stair Expert Verified Chapter 11 Questions20 pointsis significantly reduced, and the emphasis should be placed in generalizedbusiness and technology skills instead of highly specialized technical skills. Stephen D. Gantz, Daniel R. Philpott, in
FISMA and the Risk Management Framework, 2013 Contingency planning policy is typically developed at the agency level, rather than the
individual information system level, often as a component of organizational policies for continuity of operations. System owners should consider the functional, technical, and security needs of their own systems in the context of agency contingency planning policy, to determine whether any system-specific policy statements are required to extend or differ from agency policy. Contingency planning policy defines the agency’s contingency
objectives, identifies contingency and continuity planning drivers applicable to the agency, and establishes expectations and responsibilities for system owners and others with roles in the contingency planning process. Contingency planning policies should specify agency requirements and standards for systems categorized at different FIPS 199 impact levels, and identify obligations for systems that support mission essential and primary mission essential functions. Special Publication 800-34
specifies the following elements contingency planning policies should address: [35] Roles and responsibilities. Scope as applies to common platform types and organization functions subject to contingency planning. Resource requirements. Training
requirements. Exercise and testing schedules. Plan maintenance schedule. Minimum frequency of backups and storage of backup media. As the key system-specific artifact produced in the contingency planning process, the information system contingency plan should reflect organizational policies
for contingency planning and for related functions, including information and physical security, system operations and maintenance, and emergency preparedness and response. Agencies do not develop contingency planning policies or contingency plans in isolation, but instead should recognize the interdependencies between contingency planning and subordinate processes like disaster recovery planning, as well as with information system security planning and continuity of operations planning. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597496414000151 The FedRAMP Cloud Computing Security RequirementsMatthew Metheny, in Federal Cloud Computing, 2013 Contingency Planning (CP)
Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597497374000095 Domain 8Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Second Edition), 2012 Project initiationIn order to develop the BCP/DRP, the scope of the project must be determined and agreed upon. This involves seven distinct milestones, as listed below [9]: •Develop the contingency planning policy statement—A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan. •Conduct the business impact analysis (BIA)—The BIA helps to identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to assist the user. •Identify preventive controls—Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency lifecycle costs. •Develop recovery strategies—Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption. •Develop an IT contingency plan—The contingency plan should contain detailed guidance and procedures for restoring a damaged system. •Plan testing, training, and exercises—Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness. •Plan maintenance—The plan should be a living document that is updated regularly to remain current with system enhancements. Implementing software and application recovery can be the most difficult for organizations facing a disaster event. Hardware is relatively easy to obtain. Specific software baselines and configurations with user data can be extremely difficult to implement if not planned for before the event occurs. Figure 9.2 shows the BCP/DRP process, actions, and personnel involved with the plan creation and implementation. IT is a major part of any organizational BCP/DRP, but, as Figure 9.2 shows, it is not the only concern for C-level managers. In fact, IT is called upon to provide support to those parts of the organization directly fulfilling the business mission. IT has particular responsibilities when faced with a disruption in business operations because the organization's communications depend so heavily on the IT infrastructure. As you review Figure 9.2, also note that the IT BCP/DRP will have a direct impact on the entire organization's response during an emergency event. The top line of Figure 9.2 shows the organizationwide BCP/DRP process; below that is the IT BCP/DRP process. You can see through the arrows how each is connected to the other. Figure 9.2. The BCP/DRP Process. Management supportIt goes without saying that any BCP/DRP is worthless without the consent of the upper level management team. C-level managers must agree to any plan set forth and also must agree to support the action items listed in the plan if an emergency event occurs. C-level management refers to positions within an organization such as chief executive officer (CEO), chief operating officer (COO), chief information officer (CIO), and chief financial officer (CFO). C-level managers are important, especially during a disruptive event, because they have enough power and authority to speak for the entire organization when dealing with outside media and are high enough within the organization to commit resources necessary to move from the disaster into recovery if outside resources are required. This also includes getting agreement for spending the necessary resources to reconstitute the organization's necessary functionality. Another reason why C-level management may want to conduct a BCP/DRP project for the organization is to identify process improvements and increase efficiency within the organization. Once the BCP/DRP project development plan has been completed, management will be able to determine which portions of the organization are highly productive and will be aware of all of the impacts they have on the rest of the organization and how other entities within the organization affect them. BCP/DRP project managerThe BCP/DRP project manager is the key point of contact (POC) for ensuring that a BCP/DRP not only is completed but also is routinely tested. This person needs to have business skills, to be extremely competent, and to be knowledgeable with regard to the organization and its mission, in addition to being a good manager and leader in case there is an event that causes the BCP or DRP to be implemented. In most cases, the project manager is the POC for every person within the organization during a crisis. Organizational skills are necessary to manage such a daunting task, as these are very important, and the project manager must be very organized. The most important quality of the project manager is that he or she has credibility and enough authority within the organization to make important, critical decisions with regard to implementing the BCP/DRP. Surprisingly enough, this person does not need to have in-depth technical skills. Some technical knowledge is required, certainly, but, most importantly, the project manager must have the negotiation and people skills necessary to create and disseminate the BCP/DRP among all the stakeholders within the organization. Building the BCP/DRP teamBuilding the BCP/DRP team is essential for the organization. The BCP/DRP team is comprised of those personnel who will have responsibilities if or when an emergency occurs. Before identification of the BCP/DRP personnel can take place, the continuity planning project team (CPPT) must be assembled. The CPPT is comprised of stakeholders within an organization and focuses on identifying who would need to play a role if a specific emergency event were to occur. This includes people from the human resources section, public relations (PR), IT staff, physical security, line managers, essential personnel for full business effectiveness, and anyone else responsible for essential functions. Also, depending on the emergency of the event, different people may have to play a different role; for example, in an IT emergency event that only affected the internal workings of the organization, PR may not have a vital role. Any emergency that affects customers or the general public, however, would require PR's direct involvement. A difficult issue facing the CPPT is how to handle the manager/employee relationship. In many software and IT-related businesses, employees are “matrixed.” A matrixed organization leverages the expertise of employees by having them work numerous projects under many different management chains of command. Suppose employee John Smith is working on four different projects for four different managers. Who will take responsibility for John in the event of an emergency? These types of questions will be answered by the CPPT. It is the planning organization that finds answers to organizational questions such as the above example. It should be understood and planned that, in an emergency situation, people become difficult to manage. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597499613000091 Domain 7: Security Operations (e.g., Foundational Concepts, Investigations, Incident Management, Disaster Recovery)Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016 Project InitiationIn order to develop the BCP/DRP, the scope of the project must be determined and agreed upon. This involves seven distinct milestones [17] as listed below: 1.Develop the contingency planning policy statement: A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan. 2.Conduct the business impact analysis (BIA): The BIA helps to identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to assist the user. 3.Identify preventive controls: Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs. 4.Develop recovery strategies: Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption. 5.Develop an IT contingency plan: The contingency plan should contain detailed guidance and procedures for restoring a damaged system. 6.Plan testing, training, and exercises: Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness. 7.Plan maintenance: The plan should be a living document that is updated regularly to remain current with system enhancements. [18] Implementing software and application recovery can be the most difficult for organizations facing a disaster event. Hardware is relatively easy to obtain. Specific software baselines and configurations with user data can be extremely difficult to implement if not planned for before the event occurs. Figure 8.12 shows the BCP/DRP process, actions, and personnel involved with the plan creation and implementation. IT is a major part of any organizational BCP/DRP but, as Figure 8.12 shows, it is not the only concern for C-level managers. In fact, IT is called upon to provide support to those parts of the organization directly fulfilling the business mission. IT has particular responsibilities when faced with a disruption in business operations because the organization’s communications depend so heavily on the IT infrastructure. As you review Figure 8.12, also note that the IT BCP/DRP will have a direct impact on the entire organization’s response during an emergency event. The top line of Figure 8.12 shows the organization-wide BCP/DRP process; below that is the IT BCP/DRP process. You can see through the arrows how each is connected to the other. Figure 8.12. The BCP/DRP Process Management SupportIt goes without saying that any BCP/DRP is worthless without the consent of the upper level management team. The “C”-level managers must agree to any plan set forth and also must agree to support the action items listed in the plan if an emergency event occurs. C-level management refers to people within an organization like the chief executive officer (CEO), the chief operating officer (COO), the chief information officer (CIO), and the chief financial officer (CFO). C-level managers are important, especially during a disruptive event, because they have enough power and authority to speak for the entire organization when dealing with outside media and are high enough within the organization to commit resources necessary to move from the disaster into recovery if outside resources are required. This also includes getting agreement for spending the necessary resources to reconstitute the organization’s necessary functionality. Another reason that the C-level management may want to conduct a BCP/DRP project for the organization is to identify process improvements and increase efficiency within the organization. Once the BCP/DRP project development plan has been completed, the management will be able to determine which portions of the organization are highly productive and are aware of all of the impacts they have on the rest of the organization and how other entities within the organization affect them. BCP/DRP Project ManagerThe BCP/DRP project manager is the key Point of Contact (POC) for ensuring that a BCP/DRP is not only completed, but also routinely tested. This person needs to have business skills, be extremely competent and knowledgeable with regard to the organization and its mission, and must be a good manager and leader in case there is an event that causes the BCP or DRP to be implemented. In most cases, the project manager is the Point of Contact for every person within the organization during a crisis. Organizational skills are necessary to manage such a daunting task, as these are very important, and the project manager must be very organized. The most important quality of the project manager is that he/she has credibility and enough authority within the organization to make important, critical decisions with regard to implementing the BCP/DRP. Surprisingly enough, this person does not need to have in-depth technical skills. Instead, some technical knowledge is required but, most importantly, the project manager needs to have the negotiation and people skills necessary to create and disseminate the BCP/DRP among all the stakeholders within the organization. Building The BCP/DRP TeamBuilding the BCP/DRP team is essential for the organization. The BCP/DRP team comprises those personnel that will have responsibilities if/when an emergency occurs. Before identification of the BCP/DRP personnel can take place, the Continuity Planning Project Team (CPPT) must be assembled. The CPPT is comprised of stakeholders within an organization and focuses on identifying who would need to play a role if a specific emergency event were to occur. This includes people from the human resources section, public relations (PR), IT staff, physical security, line managers, essential personnel for full business effectiveness, and anyone else responsible for essential functions. Also, depending on the type of emergency, different people may have to play a different role. For example, in an IT emergency event that only affected the internal workings of the organization, PR may not have a vital role. However, any emergency that affects customers or the general public would require PR’s direct involvement. Some difficult issues with regards to planning for the CPPT are how to handle the manager/employee relationship. In many software and IT-related businesses, employees are “matrixed.” A matrixed organization leverages the expertise of employees by having them work numerous projects under many different management chains of command. For example: employee John Smith is working on four different projects for four different managers. Who will take responsibility for John in the event of an emergency? These types of questions will be answered by the CPPT. It is the planning team that finds answers to organizational questions such as the above example. It should be understood and planned that, in an emergency situation, people become difficult to manage. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128024379000084 Domain 7
Eric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP® (Third Edition), 2017 Project InitiationIn order to develop the BCP/DRP, the scope of the project must be determined and agreed upon.
Fast FactsProject Initiation involves seven distinct milestones,2 as listed below: •Develop the contingency planning policy statement: A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan. •Conduct the BIA: The BIA helps identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to assist the user. •Identify preventive controls: Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life-cycle costs. •Develop recovery strategies: Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption. •Develop an IT contingency plan: The contingency plan should contain detailed guidance and procedures for restoring a damaged system. •Plan testing, training, and exercises: Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness. •Plan maintenance: The plan should be a living document that is updated regularly to remain current with system enhancements.2 Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128112489000073 Domain 8: Business Continuity and Disaster Recovery PlanningEric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP (Second Edition), 2014 Project InitiationIn order to develop the BCP/DRP, the scope of the project must be determined and agreed upon. Fast FactsProject Initiation involves seven distinct milestones3 as listed below: 1.“Develop the contingency planning policy statement: A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan. 2.Conduct the business impact analysis (BIA): The BIA helps to identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to assist the user. 3.Identify preventive controls: Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs. 4.Develop recovery strategies: Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption. Develop an IT contingency plan: The contingency plan should contain detailed guidance and procedures for restoring a damaged system. 6.Plan testing, training, and exercises: Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness. 7.Plan maintenance: The plan should be a living document that is updated regularly to remain current with system enhancements.”4 Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B978012417142800008X Storage Area Networking Security DevicesRobert Rounsavall, in Computer and Information Security Handbook (Third Edition), 2017 Use Best Practices For Disaster Recovery And BackupGuidelines such as the NIST Special Publication 800-342 outline best practices for disaster recovery and backup. The seven steps for contingency planning are outlined below: 1.Develop the contingency planning policy statement. A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan. 2.Conduct the business impact analysis (BIA). The BIA helps identify and prioritize the critical IT systems and components. A template for developing the BIA is also provided to assist the user. 3.Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life-cycle costs. 4.Develop recovery strategies. Thorough recover strategies ensure that the system may be recovered quickly and effectively following a disruption. 5.Develop and IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system. 6.Plan testing, training, and exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness. 7.Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000624 Security Component Fundamentals for AssessmentLeighton Johnson, in Security Controls Evaluation, Testing, and Assessment Handbook, 2016 Seven Steps to Contingency Planning as Defined in SP 800-34SP 800-34, rev. 1, provides instructions, recommendations, and considerations for federal information system CP. CP refers to interim measures to recover information system services after a disruption. Interim measures may include relocation of information systems and operations to an alternate site, recovery of information system functions using alternate equipment, or performance of information system functions using manual methods. This guide addresses specific CP recommendations for three platform types and provides strategies and techniques common to all systems: •Client/server systems •Telecommunications systems •Mainframe systems This guide defines the following seven-step CP process that an organization may apply to develop and maintain a viable CP program for their information systems. These seven progressive steps are designed to be integrated into each stage of the system development life cycle: 1.Develop the CP policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan. 2.Conduct the business impact analysis (BIA). The BIA helps identify and prioritize information systems and components critical to supporting the organization’s mission/business processes. 3.Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life-cycle costs. 4.Create contingency strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption. 5.Develop an information system contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system unique to the system’s security impact level and recovery requirements. 6.Ensure plan testing, training, and exercises. Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation and exercising the plan identifies planning gaps; combined, the activities improve plan effectiveness and overall organization preparedness. 7.Ensure plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes. The assessor should be looking for multiple areas of focus which the organization has applied in its CP activities. SP 800-34 provides the agencies and organizations the guidance to conduct these events and the assessor gathers the evidence to ensure these events have been conducted in accordance with these guidelines. Key points to review and assess include: 1.The CP policy statement: a.Policy should define the organization’s overall contingency objectives and establish the organizational framework and responsibilities for system CP. b.To be successful, senior management, most likely the CIO, must support a contingency program and be included in the process to develop the program policy. c.The policy must reflect the FIPS-199 impact levels and the contingency controls that each impact level establishes. Key policy elements are as follows: -Roles and responsibilities -Scope as applies to common platform types and organization functions (i.e., telecommunications, legal, media relations) subject to CP -Resource requirements -Training requirements -Exercise and testing schedules -Plan maintenance schedule -Minimum frequency of backups and storage of backup media 2.The ISCPs must be written in coordination with other plans associated with each target system as part of organization-wide resilience strategy. Such plans include the following: a.Information SSPs b.Facility-level plans, such as the OEP and DRP c.MEF support such as the COOP plan d.Organization-level plans, such as CIP plans Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128023242000117 What is an alternate site?An Alternate Site is a site held in readiness for use during a business continuity event to maintain an organisation's business continuity. An alternate site may be for use during/following an invocation of business or disaster recovery plans to continue urgent and important activities of an organization.
How many types of alternate recovery sites are there and what are they?Alternate Sites Recovery Strategy. In addition, there are four different types of Alternate Sites. They are cold sites, warm sites, hot sites and mobile sites.
What are the 3 types of recovery sites?There are three major types of disaster recovery sites that can be used: cold, warm, and hot sites. Understanding the differences among these three can help SMBs, working in cooperation with an expert IT consultant, to select the one that best suits company needs and mission-critical business operations.
What are the three components of contingency planning?Contingency planning has three components: an estimate of what is going to happen, a plan based on this estimate of what the response should be; and some actions identified to be best prepared. This chapter helps planners think through what is going to happen, and the likely impact on people's lives and livelihoods.
|