From the course: Cert Prep: ISC2 Certified in Cybersecurity (CC)

Business continuity planning

- [Instructor] Business continuity planning is one of the core responsibilities of the cybersecurity profession. Business continuity efforts are a collection of activities designed to keep a business running in the face of adversity. And this adversity may come in the form of a small-scale incident, such as a single system failure, or a catastrophic incident, such as an earthquake or tornado. The focus of business continuity is keeping operations running. And because of this, business continuity planning is sometimes referred to as Continuity of Operations Planning, or COOP. While many organizations place responsibility for business continuity with operational engineering teams, business continuity is a core security concept because it's the primary control that supports the security objective of availability. Remember, that's one of the big three objectives of information security: confidentiality, integrity, and availability. When an organization begins a business continuity effort, it's easy to quickly become overwhelmed by the many possible scenarios and controls that the project must consider. For this reason, the team developing a business continuity plan should take the time up front to carefully define their scope. They should answer questions like: What business activities will be covered by the plan? What types of systems will the plan cover? And what types of controls will it consider? The answers to these questions will help make critical prioritization decisions down the road. Continuity planners use a tool known as a Business Impact Assessment, or BIA, to help make these decisions. The BIA is a risk assessment that uses a quantitative or qualitative process. It begins by identifying the organization's mission-essential functions and then traces those backwards to identify the critical IT systems that support those processes.
Once planners have identified the affected IT systems, they then identify the potential risks to those systems and conduct their risk assessment. The output of a Business Impact Assessment is a prioritized listing of risks that might disrupt the organization's business, such as the one shown here. Planners can use this information to help select controls that mitigate the risks facing the organization within acceptable expense limits. For example, notice that the risks in this scenario are listed in descending order of expected loss. It makes sense to place the highest priority on addressing the risk at the top of the list, hurricane damage to a data center, but the organization must then make decisions about control implementation that factor in cost. For example, if a $50,000 flood prevention system would reduce the risk of hurricane damage to the data center by 50%, purchasing that system is probably a good decision because it has an expected payback period of less than one year. In a cloud-centric environment, business continuity planning becomes a collaboration between cloud service providers and the customer. For example, the risk of a hurricane damaging a data center may be mitigated by the service provider building a flood prevention system, but it also may be mitigated by the customer choosing to replicate a service across data centers, availability zones, and geographic regions.
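The quantitative BIA reasoning the instructor walks through (rank risks by expected annual loss, then judge a control by how quickly its cost is recovered) as a worked example. This is added code, not material from the course; the risk figures are constructed so that the hurricane row sits at the top and a $50,000 control that halves that risk pays back in under a year, matching the scenario above.

```python
"""Quantitative BIA helper: rank risks by expected annual loss and
evaluate a proposed control's payback period.
Added example, not from the course; all dollar figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    single_loss_expectancy: float     # dollars lost per occurrence (SLE)
    annual_rate_of_occurrence: float  # expected occurrences per year (ARO)

    @property
    def annual_loss_expectancy(self) -> float:
        # ALE = SLE * ARO: the "expected loss" that orders the BIA output
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Return risks in descending order of expected annual loss."""
    return sorted(risks, key=lambda r: r.annual_loss_expectancy, reverse=True)


def payback_years(risk: Risk, control_cost: float, risk_reduction: float) -> float:
    """Years until a control's cost is recovered by avoided expected loss.
    risk_reduction is the fraction of ALE the control removes (0.0 to 1.0);
    a control that avoids no loss never pays back (inf)."""
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be a fraction between 0 and 1")
    annual_savings = risk.annual_loss_expectancy * risk_reduction
    return control_cost / annual_savings if annual_savings > 0 else float("inf")


def worth_buying(risk: Risk, control_cost: float, risk_reduction: float,
                 max_payback_years: float = 1.0) -> bool:
    """Accept the control when it pays for itself within the threshold."""
    return payback_years(risk, control_cost, risk_reduction) <= max_payback_years


# Constructed BIA figures (hypothetical, not from the course slide)
SAMPLE_RISKS = [
    Risk("Single server failure", 5_000, 12.0),                # ALE 60,000
    Risk("Hurricane damage to data center", 480_000, 0.25),     # ALE 120,000
    Risk("Tornado damage to office", 500_000, 0.02),            # ALE 10,000
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.name:35s} ALE ${r.annual_loss_expectancy:>12,.0f}")
    top = prioritize(SAMPLE_RISKS)[0]
    print(f"Flood system payback: {payback_years(top, 50_000, 0.5):.2f} years")
```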
