Percy Jacob Rwandarugali says
What are some of the direct benefits of rehearsing BCPs?
Zeynep Sahin says
Hi Percy,
Business continuity testing/rehearsal enable test team to identify weaknesses, gaps, and risks within continuity plans before deploying them in a crisis situation. I can list some benefits as following:
• Reduce cost of operation during a disaster
• Reduce operational downtime
• Provide more effective continuity strategies
• Reduce impact of disaster
• Reduce duration of outage
Percy Jacob Rwandarugali says
Hi Zeynep,
I can’t agree more with you; the benefits you have listed are all astonishing and they validate the importance of performing rehearsals.
Innocent says
Rehearsing the BCP enables the team to evaluate the adequacy and effectiveness of the plan, and to tick the box that you’ve done this for an audit trail. Rehearsing the BCP gives each member an opportunity to master his or her role and understand what they are required to do during a crisis.
Zeynep Sahin says
Why should disaster recovery be a business concern rather than be a concern for only techies?
Joseph Nguyen says
The IT should follow the business processes and not the opposite, I think.
Numneung Koedkietpong says
Because the business objective is the goal for every company. As we learnt in the IT Governance class, the company should apply IT controls that follow the business objective. Also, IT systems are a part of business operations support.
Christopher James Lukens says
It’s a business concern because if you can’t recover from the disaster then there is no business left. Many companies fail in the months after a major incident because they can’t recover quickly enough to regain cash flow.
Akshay Shendarkar says
Hello Zeynep,
In the majority of organizations, IT is used for supporting the core business processes rather than being a revenue-generating process (e.g. cloud service providers). Hence, on its own, IT teams cannot assign criticality levels as they wouldn’t be in a position to know how much loss in revenue would be caused in case a particular information system is not functioning. These financial numbers are given by business teams, who calculate the loss in revenue in case the information systems used for supporting that business line are down. Depending on these numbers, IT systems are assigned their criticality. This process is nothing but BIA in a nutshell, and hence DRP should be a business concern as well.
Akshay Shendarkar says
For a small-to-medium-size business, which factors need to be assessed before selecting a backup facility (e.g. hot site or cold site)?
Zeynep Sahin says
Hi Akshay,
I think deciding between a hot site or cold site depends on the company’s priorities. For a small or medium-size company, cost will likely play a key role in which type of site the company prefers. Therefore, if the priority is cutting cost, they probably will choose a cold site. However, if the company doesn’t allow long downtime, in this case they should pick a hot site. The important thing is the company’s understanding of how each type of DR site works and what resources each one requires. There are many factors that should be considered, from cost of equipment to staffing.
Numneung Koedkietpong says
Is it possible for companies to create only a BCP or a DRP, or should they have both?
Peiran Liu says
Hi Numneung,
As far as I know, BCP is based on DRP. So if a company has a BCP, they will have a DRP. But if a company has a DRP but no BCP, there is a high chance that they have not completed their contingency planning and will have a BCP in the future.
Sarah Puffen says
Companies could potentially have a BCP without a DRP as the DRP can be considered a subset of the BCP, so for a company to create a DRP without a BCP it would be a huge challenge. Since BCP deals with continuing business processes as a whole and DRP handles recovering IT infrastructure, it’s really in a company’s best interest to have both plans in order to have the best chance of continuity/recovery in the event of a disaster.
Imran Jordan Kharabsheh says
When considering key personnel to include in Computer Security Incident Response Teams (CSIRT), what other employees should be members aside from the ones mentioned in the textbook (i.e. senior manager, affected-line employees, PR director, HR, legal team)?
Zeynep Sahin says
Hi Imran,
The CERT (Computer Emergency Readiness Team) recommends the following roles among the CSIRT:
• Manager or Team Lead
• Assistant Managers or Group Leaders
• Help Desk or Triage Staff
• Incident Handlers
• Vulnerability Handlers
• Artifact Analysis Staff
• Platform Specialists
• Trainers
• Technology Watch
Joseph Nguyen says
Do you think virus and human factor impacts should be included in the BIA?
Alexander Reichart-Anderson says
I believe you are talking about physical and health disasters that could impact the workers who are in charge of the security protocol. I believe there should be contingency plans that revolve around the employees and a potential impact on them. We often take for granted the human capital that organizations have.
Natalie Dorely says
How often should an organization perform a simulation in reaction to a disaster?
Joseph Nguyen says
I read somewhere that it’s every year.
Numneung Koedkietpong says
Basically, the company should perform it on an annual basis, following the plan. Both IT and business users should be involved. The result of testing the DRP should be formally recorded.
Junjie Han says
It depends on the system architecture and the impact level of the security. I think it should be simulated annually, or every six months. In addition, attention should be paid to personnel changes. When personnel changes are frequent, it may be necessary to temporarily add simulations.
Sarah Puffen says
A major issue with intrusion detection systems is that they tend to produce too many false positives, so alarms will often be ignored. What do you think would be a good solution to this problem?
Christopher James Lukens says
The best solution to this problem is knowing what “normal” looks like on your network. Being able to look at your baseline to see if a truly adverse event is happening or if it is a false positive.
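As an added illustration of the baseline idea in Christopher’s reply (this is example code, not part of any post in this thread), the script below learns a per-host "normal" alert rate from a quiet period and raises an alarm only when an observed minute exceeds that host’s own threshold. All hosts, counts and the 3-sigma rule are constructed for the example; the contrast with a flat threshold shows why a noisy-but-known host (an authorised scanner) stops generating false positives once a baseline exists.

```python
"""Baseline-driven alert filtering for IDS events (added example, constructed data)."""
from statistics import mean, pstdev

# Constructed baseline: IDS alerts per minute during a known-quiet period, keyed by source host.
BASELINE = {
    "10.0.0.5": [2, 3, 2, 4, 3, 2, 3, 2, 3, 3],               # ordinary workstation
    "10.0.0.9": [40, 45, 38, 42, 44, 41, 39, 43, 40, 42],     # authorised vulnerability scanner
}

# Constructed observation window for the same hosts: one genuine spike on 10.0.0.5,
# while 10.0.0.9 is simply as noisy as it always is.
OBSERVED = {
    "10.0.0.5": [3, 2, 25, 4, 3],
    "10.0.0.9": [41, 44, 40, 43, 42],
}


def build_baseline(history, k=3.0, floor=5):
    """Per-host threshold = mean + k * population stddev of the quiet period, never below `floor`.

    The floor stops a perfectly quiet host from alerting on a single stray event.
    """
    thresholds = {}
    for host, counts in history.items():
        mu, sigma = mean(counts), pstdev(counts)
        thresholds[host] = max(floor, mu + k * sigma)
    return thresholds


def evaluate(observed, thresholds, default_threshold=5):
    """Split observed minutes into (raised, suppressed) relative to each host's threshold.

    Hosts with no baseline fall back to `default_threshold`; passing an empty
    `thresholds` dict therefore behaves like a flat, baseline-free IDS rule.
    """
    raised, suppressed = [], []
    for host, counts in observed.items():
        limit = thresholds.get(host, default_threshold)
        for minute, count in enumerate(counts):
            (raised if count > limit else suppressed).append((host, minute, count))
    return raised, suppressed


def compare_strategies(observed, history, flat_threshold=5):
    """Return alert counts for a flat rule versus a per-host baseline on the same window."""
    flat_raised, _ = evaluate(observed, {}, flat_threshold)
    base_raised, _ = evaluate(observed, build_baseline(history))
    return {"flat": len(flat_raised), "baseline": len(base_raised)}


if __name__ == "__main__":
    thresholds = build_baseline(BASELINE)
    raised, suppressed = evaluate(OBSERVED, thresholds)
    print("thresholds:", thresholds)
    print("raised:", raised)
    print("suppressed:", len(suppressed), "minutes")
    print("flat vs baseline:", compare_strategies(OBSERVED, BASELINE))
```

With the constructed data the flat rule fires six times (all five minutes of scanner traffic plus the real spike), while the baseline rule fires once, on the workstation minute with 25 alerts. In practice the quiet period must itself be reviewed before it is trusted, since a baseline learned while an intrusion is already under way will teach the detector that the intrusion is normal.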
Innocent says
How would more open ports affect the ability of your honeypot to attract hackers?
Christopher James Lukens says
More open ports means different ways to exploit a system. It means that attackers may spend more time trying different methods of exploiting vulnerabilities on each port, depending on the service running.
Peiran Liu says
How much do BCP and DRP need to be done for a medium-size company compared to a larger or smaller company? Is there any difference for different sizes of company?
Imran Jordan Kharabsheh says
Hello,
Among the more critical things to consider that help determine the amount of time and effort put into preparing the BCP and DRP is the business impact analysis. Another part that organizations consider prior to determining the time and effort put into preparing the BCP and DRP is the amount and types of information systems involved in critical business processes.
Alexander Reichart-Anderson says
What is the most important step to a disaster recovery plan? Is there something missing that should be an outlined step? Possibly in the beginning or the end?
Numneung Koedkietpong says
I think performing a Business Impact Analysis (BIA) to determine critical systems and RTO and RPO values is the most important step of a DRP. If the company defines inappropriate values, it will seriously impact business operations and cause damage and financial and system losses.
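The two posts above by Akshay (business supplies the hourly loss figures, IT derives criticality) and Numneung (the BIA fixes critical systems, RTO and RPO) describe one procedure. As an added worked example, not code from any post in this thread, the script below takes business-supplied loss and MTD figures for a handful of constructed systems, assigns a criticality tier, and then checks the DRP’s RTO, RPO, backup interval and last-rehearsal result against each other. The tier bands, the systems and the "loss per hour times RTO" exposure ordering are all assumptions made for the example.

```python
"""BIA-driven criticality and DRP consistency check (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class SystemProfile:
    name: str
    revenue_loss_per_hour: float   # supplied by the business line, not by IT
    mtd_hours: float               # maximum tolerable downtime, also from the business
    rto_hours: float               # recovery time objective written into the DRP
    rpo_hours: float               # recovery point objective written into the DRP
    backup_interval_hours: float   # how often backups actually run
    tested_recovery_hours: float   # recovery time measured in the last DR rehearsal


# Constructed sample inventory for the example.
SYSTEMS = [
    SystemProfile("order-portal", 15_000, mtd_hours=8,   rto_hours=4,  rpo_hours=1,  backup_interval_hours=0.5, tested_recovery_hours=3),
    SystemProfile("email",         2_000, mtd_hours=4,   rto_hours=8,  rpo_hours=1,  backup_interval_hours=1,   tested_recovery_hours=6),
    SystemProfile("payroll",         500, mtd_hours=72,  rto_hours=24, rpo_hours=24, backup_interval_hours=24,  tested_recovery_hours=30),
    SystemProfile("intranet-wiki",    50, mtd_hours=168, rto_hours=48, rpo_hours=24, backup_interval_hours=168, tested_recovery_hours=20),
]


def criticality(loss_per_hour):
    """Map the business-supplied hourly loss to a tier (bands are constructed for the example)."""
    if loss_per_hour >= 10_000:
        return "critical"
    if loss_per_hour >= 1_000:
        return "high"
    if loss_per_hour >= 100:
        return "medium"
    return "low"


def validate(profile):
    """Return findings where the DRP values contradict the BIA or the last rehearsal."""
    findings = []
    if profile.rto_hours > profile.mtd_hours:
        findings.append("RTO exceeds MTD")                     # plan promises more than the business can tolerate
    if profile.backup_interval_hours > profile.rpo_hours:
        findings.append("backup interval exceeds RPO")         # data loss on restore would exceed the objective
    if profile.tested_recovery_hours > profile.rto_hours:
        findings.append("rehearsed recovery time exceeds RTO")  # rehearsal shows the RTO is not achievable
    return findings


def bia_report(profiles):
    """name -> (tier, findings) for every system in the inventory."""
    return {p.name: (criticality(p.revenue_loss_per_hour), validate(p)) for p in profiles}


def rank_systems(profiles):
    """Order systems by exposure: hourly loss times the RTO the plan commits to."""
    return sorted(profiles, key=lambda p: p.revenue_loss_per_hour * p.rto_hours, reverse=True)


if __name__ == "__main__":
    for name, (tier, findings) in bia_report(SYSTEMS).items():
        print(f"{name:14} {tier:9} {findings or 'consistent'}")
    print("recovery order:", [p.name for p in rank_systems(SYSTEMS)])
```

The point of the rehearsal column is the one made earlier in the thread about testing the plan: a written RTO of 24 hours for payroll is worthless once the exercise shows recovery takes 30, and that gap only becomes visible because the rehearsal result is recorded next to the objective.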
Junjie Han says
How do you calculate Maximum Tolerable Downtime (MTD), and what factors should be taken into consideration?