Business continuity efforts are a collection of activities designed to keep a business running in the face of adversity. In this video, you will learn the business continuity planning process, including developing and documenting the project scope, conducting business impact assessments, and developing risk assessments.
- [Narrator] Business continuity planning is one of the core responsibilities of the information security profession. Business continuity efforts are a collection of activities designed to keep a business running in the face of adversity. This adversity may come in the form of a small-scale incident, such as a single system failure, or a catastrophic incident, such as an earthquake or tornado. Business continuity plans may also be activated by man-made disasters, such as a terrorist attack or hacker intrusion. While many organizations place responsibility for business continuity with operational engineering teams, business continuity is a core security concept because it is the primary control that supports the security objective of availability.
Remember, that's one of the big three objectives of information security: confidentiality, integrity, and availability. When an organization begins a business continuity effort, it's easy to quickly become overwhelmed by the many possible scenarios and controls that the project might consider. For this reason, the team developing a business continuity plan should take time up front to carefully define their scope. What business activities will be covered by the plan? What types of systems will it cover? What types of controls will it consider? The answers to these questions will help make critical prioritization decisions down the road.
Continuity planners use a tool known as a business impact assessment, or BIA, to help make these decisions. The BIA is a risk assessment that follows one of the quantitative or qualitative processes that we discussed earlier in this course. The BIA begins by identifying the organization's critical business processes, and then tracing those backwards to the critical IT systems that support those processes. Once planners have identified the affected IT systems, they then identify the potential risks to those systems, and conduct a risk assessment.
The output of a business impact assessment is a prioritized listing of risks that might disrupt the organization's business, such as the one shown here. Planners can then use this information to help select controls that mitigate the risks facing the organization within acceptable expense limits. For example, notice that the risks in this scenario are listed in descending order of expected loss. It makes sense to place the highest priority on addressing a risk at the top of the list, hurricane damage to the data center, but the organization must then make decisions about control implementation that factor in costs.
For example, if a $50,000 flood prevention system would reduce the risk of hurricane damage to the data center by 50%, purchasing the system is clearly a good decision because it has an expected payback period of less than one year.
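The ranking and cost-benefit reasoning the narrator walks through, carried out in code as an added example (not part of the video or its course materials). It assumes the standard quantitative formula ALE = SLE × ARO for the "expected loss" used to order the list, and the risk register figures are constructed so that the $50,000 control with a 50% reduction lands at a payback period under one year, as in the transcript.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of a business impact assessment (BIA) risk register."""
    name: str
    sle: float  # single loss expectancy: dollar loss from one occurrence
    aro: float  # annualized rate of occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy, the expected annual loss used to rank risks."""
        return self.sle * self.aro


def prioritize(risks):
    """Return the register sorted in descending order of expected annual loss."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def payback_years(risk, control_cost, risk_reduction):
    """Years until a control's annual risk reduction repays its one-time cost.
    Returns infinity if the control removes no expected loss at all."""
    annual_benefit = risk.ale * risk_reduction
    if annual_benefit <= 0:
        return float("inf")
    return control_cost / annual_benefit


def worth_buying(risk, control_cost, risk_reduction, max_payback_years=1.0):
    """Decision rule from the transcript: buy when payback falls within the limit."""
    return payback_years(risk, control_cost, risk_reduction) <= max_payback_years


# Constructed sample register (illustrative figures, not from any real BIA).
REGISTER = [
    Risk("Hurricane damage to data center", sle=2_000_000, aro=0.06),  # ALE 120,000
    Risk("Ransomware on file servers", sle=400_000, aro=0.25),          # ALE 100,000
    Risk("Single web server failure", sle=5_000, aro=4.0),              # ALE 20,000
]

if __name__ == "__main__":
    ranked = prioritize(REGISTER)
    for r in ranked:
        print(f"{r.name:<35} ALE ${r.ale:>12,.0f}")
    # The transcript's case: a $50,000 flood prevention system halves the top risk.
    top = ranked[0]
    print(f"payback {payback_years(top, 50_000, 0.5):.2f} years, buy: {worth_buying(top, 50_000, 0.5)}")
```

With these constructed figures the hurricane risk has an ALE of $120,000, so the $50,000 control pays back in about 0.83 years; the same control applied to the $20,000-ALE web server risk would take five years and fails the rule.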
Members who complete this course will be prepared to answer questions on the Security and Risk Management domain of the CISSP exam, and establish a critical foundation for the rest of their careers.
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- Aligning security with the business
- Using control frameworks
- Understanding compliance ethics
- Implementing effective security policies
- Ensuring the security of employees
- Managing risk
- Identifying threats
- Managing vendors
- Building security awareness and conducting security training