Join Mike Chapple for an in-depth discussion in this video Business continuity planning, part of CompTIA Security+ (SY0-501) Cert Prep: 5 Risk Management.
- [Instructor] Business continuity planning is one of the core responsibilities of the information security profession. Business continuity efforts are a collection of activities designed to keep a business running in the face of adversity. This adversity may come in the form of a small-scale incident such as a single system failure or a catastrophic incident, such as an earthquake or tornado. Business continuity plans may also be activated by man-made disasters such as a terrorist attack or hacker intrusion. While many organizations place responsibility for business continuity with operational engineering teams, business continuity is a core security concept because it is the primary control that supports the security objective of availability.
Remember, that's one of the big three objectives of information security: confidentiality, integrity, and availability. When an organization begins a business continuity effort, it's easy to quickly become overwhelmed by the many possible scenarios and controls a project might consider. For this reason, the team developing a business continuity plan should take time up front to carefully define their scope. What business activities will be covered by the plan? What types of systems will it cover? What types of controls will it consider? The answers to these questions will help make critical prioritization decisions down the road.
Continuity planners use a tool known as a Business Impact Assessment, or BIA, to help make these decisions. The BIA is a risk assessment that follows one of the quantitative or qualitative processes that we discussed earlier in this course. The BIA begins by identifying the mission-essential functions that a business depends upon, and then traces them backwards to identify the critical systems that support those functions. Once planners have identified the affected systems, they can then identify the potential risks to those systems, and conduct a risk assessment.
This risk assessment is based upon a variety of factors, including the impact on life and safety, the impact on property and finances, and the impact on the organization's reputation. The risk assessment should cover all of the threats that might face an organization, either from internal or external sources. These threats should include both man-made threats, such as hackers and terrorism, and environmental threats, such as hurricanes and earthquakes.
The output of a business impact assessment is a prioritized listing of risks that might disrupt the organization's business, such as the one shown here. Planners can then use this information to help select controls that mitigate the risks facing the organization within acceptable expense limits. For example, notice that the risks in this scenario are listed in descending order of expected loss. It makes sense to place the highest priority on addressing the risk at the top of the list, hurricane damage to the data center.
But the organization must then make decisions about control implementation that factor in cost. For example, if a $50,000 flood prevention system would reduce the risk of hurricane damage to the data center by 50%, purchasing the system is clearly a good decision because it has an expected payback period of less than one year.
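The prioritized risk list and the cost-based control decision described above, as an added Python example that is not part of the course: the risk register values are constructed, and annualized loss expectancy (SLE multiplied by ARO) is the quantitative method assumed for expected loss.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: dollars lost per occurrence
    aro: float  # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year (assumed BIA metric)."""
        return self.sle * self.aro


def prioritize(risks):
    """BIA output: risks in descending order of expected annual loss."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def control_benefit(risk, control_cost, risk_reduction):
    """Annual savings a control yields and its payback period in years.

    risk_reduction is the fraction of the risk's ALE the control removes
    (0.5 == 50%). Payback is infinite when the control saves nothing.
    """
    savings = risk.ale * risk_reduction
    payback_years = control_cost / savings if savings > 0 else float("inf")
    return savings, payback_years


def worth_buying(risk, control_cost, risk_reduction, max_payback_years=1.0):
    """Apply the video's rule of thumb: buy if payback is within the limit."""
    _, payback_years = control_benefit(risk, control_cost, risk_reduction)
    return payback_years <= max_payback_years


# Constructed sample register (hypothetical figures, not from the course).
# Hurricane numbers are chosen so the $50,000 / 50% control pays back in under a year.
SAMPLE_RISKS = [
    Risk("Tornado strike on office", sle=240_000, aro=0.125),            # ALE 30,000
    Risk("Single server failure", sle=5_000, aro=12),                    # ALE 60,000
    Risk("Hurricane damage to data center", sle=800_000, aro=0.25),      # ALE 200,000
    Risk("Ransomware intrusion", sle=500_000, aro=0.25),                 # ALE 125,000
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.name:<40} ALE ${r.ale:>12,.0f}")
    top = prioritize(SAMPLE_RISKS)[0]
    savings, payback = control_benefit(top, control_cost=50_000, risk_reduction=0.5)
    print(f"Flood prevention: saves ${savings:,.0f}/yr, payback {payback:.2f} years")
```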