CCT 316: CrowdStrike, Signal, And Identify, Analyze, and Prioritize Business Continuity (CISSP Domain 1.8) - Part 2

Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

A quiet identity revolution is underway, and it’s not about people. CrowdStrike’s move to acquire Signal shines a light on the fastest‑growing attack surface in modern environments: non‑human identities. From AI agents and APIs to service and machine accounts, these credentials outnumber employees, hold powerful permissions, and often live outside traditional IAM hygiene. We unpack why this matters now, how it reshapes identity security strategy, and what it means for your Business Impact Analysis and continuity planning.

We walk through a clear, exam‑ready BIA flow that translates risk into action. You’ll learn how to frame impact categories, build time‑based escalation paths, and set realistic RTO, RPO, and maximum tolerable downtime in partnership with the business. We dig into prioritization drivers—safety of life, legal mandates, revenue exposure, and customer obligations—and show how to avoid the trap of “non‑essential” processes that quietly block recovery. Along the way, we map threats, vulnerabilities, and controls, then score risk with likelihood and impact using real sources like historical incidents and threat intelligence.

From there, we get practical: process workarounds, technology redundancy, workforce continuity, and supply chain resilience with alternate vendors and stockpiles. We compare hot, warm, and cold sites to cloud‑based recovery, and we stress selection criteria like cost, risk tolerance, and whether strategies actually hit your recovery targets. Finally, we cover governance and communication: executive approvals, confidentiality of plans, testing from tabletop to full interruption, vital records protection, and smooth transitions from life safety to business operations. The throughline is simple and powerful: business impact drives recovery priorities, not technology. Subscribe, share with a teammate who owns service accounts, and leave a quick review to help others find the show.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

TRANSCRIPT

Good morning everybody. It's Sean Griber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is Monday, and we are going to be talking about the actually we're going to be getting into part two of domain 1.8 from last week. It was a long one, so rather than putting all that in one podcast, we decided to put it, we I decided to put it into two. So pretty excited about that. That's going to be a great thing. I think you can really enjoy the rest of this episode. So it'll be awesome. But before we get into that, I had actually wanted to show an article. If you're watching the video, you can see it. If not, we'll talk about it. But uh CSO magazine had a really great article around the CrowdStrike acquisition of Signal. Now, this is a really cool thing, and I feel that CrowdStrike obviously is taking its market share quite substantially. I remember when CrowdStrike got started, and now that it's the position of their multi, multi-billion dollar company, and they're continuing to grow. Now, Signal's development and signal's growth, or I should say acquisition, is really designed to help give an additional capability to CrowdStrike that I've I personally feel is a well-needed and highly sought after, at least not now, it will be in the short term, the related around non or human and non-human identities. Now it's going to obviously be looking at human identities, but it's one of its big factors that this capability is going to be doing is looking at non-human and securing those identities as well, such as AI agents, APIs, service accounts, and machine identities. This is an important part because it does outnumber, those accounts outnumber most human accounts out there. And the other thing is, is from a red team perspective, I would take advantage of these all the time. Day in, day out, you try to do it as much as you possibly can. So this is a really big deal. As we're seeing more and more of these tools are getting into this space, that uh they're trying to take up this AI capability as well as trying to manage these service to account type X accounts that are out there. And one example is that when I was a former CISO, we would have multi-service accounts, and every year I would go through and look at what service accounts that were there, what local admin accounts were there, what non or machine to machine accounts were there. And all of that is a very laborious process that is actually quite painful and in many cases it never gets done really to the level it should, just because in in so many cases people just don't have the time to do it. So this is gonna be a really great acquisition. They're paying 740 million. Um, like I say, I've I I told my wife this. I should have gotten into some of these security tools spaces because I had some friends that were gonna look to bring me in on some of them. And my wife goes, Why didn't you do that? And I said, Because you wanted me to be home and not like on the road all the time. She said, Well, yeah, that's true. So it's what it is, right? You you make choices in your life for based on what you want, and the dear Lord will provide what he needs to provide. So I can't complain. I'm very happy. Money doesn't make you happy. Uh, it does make things easier, but it doesn't make you happy. Uh, strategic positioning, one thing about it as well, they're gonna be rather than replacing existing IAM tools from vendors such as Microsoft and Okta, CrowdStrike Signal will integrate and fill in the gaps around this. So I think that's really, really good. Um, the more we can blend these things together, the better off it's gonna be for the entire ecosystem. So supposedly this is gonna happen Q1 of this year. Obviously, it's been in the works for quite some time, uh, but it's gonna be paid mostly with cash and a little bit of stock. So, very, very, very interesting. And again, I'm excited about to see how this plays out. It's also gonna put some other security vendors a little bit on notice that they're gonna have to up their game even more than what they were doing before. So they're gonna have to probably spend some of their cash that they have sitting in their coffers. So, quickly before I get into domain 1.8 part two, but do uh we want to make sure that you guys are connected with CISSP Cyber Training. This is the place that you can go to get the best information you need to pass the CISSP exam the first time. And again, I've got all kinds of great stuff out there. I've got free content, I've got uh content that's designed specifically for individuals that just want to do self-study. I also have a mentorship program and I have deep dive uh training for your CISSP as well. This is all available to you at CISSP Cyber Training. I've got plenty of hours for you to be able to listen to this while you're on the train, while you're in your car. You can actually have over 1,500 questions. I have helped thousands of people in their training adventures in with the CISSP and beyond. So again, go to CISSP Cyber Training and check it out. A lot of great stuff. Sign up for my free questions, easy peasy, lemon squeezy. Not a big deal. You guys will really enjoy it and it'll help you on your CISSP path. All right, let's get into part two of domain 1.8. Business impact analysis. So the purpose of a BIA, this is to identify critical processes with your company. Quantify impact of disruption over time, those are an important part. So you want to make sure you understand the processes, and then what is it gonna cause for a disruption over time? Impact categories. So there's also some categories in which it can impact your BIA, such as financial loss, operational degradation. If you're losing money, that's gonna be a part that's gonna be called out within your BIA. Is this how much of an impact will this have on my company? Operational degradation, how much is this going to affect my company in that I can't produce and I can't have an operational plan? Your legal and regulatory penalties that are associated with it as well. If you don't comply with this, how much is this going to cost you in the long run? All of those are key factors in your overall BIA development. Reputational damage as well as health and safety impacts. All of those are key categories that are gonna be part of your business impact analysis and your business impact analysis plan. Now with a BIA, you're gonna have time-based impact analysis. This is where isn't going to impact going to have escalation at X. So what that means is that so we have, and if you're looking at the video, we have three different tiers set up 0 to 24, 24 to 72, and 72 plus. These are all in hours. So if an impact hits within 0 to 24 hours, what is going to happen? If it reaches X, 25 hours, you are then going to escalate. What are you going to do? And then if it reaches Y, which is 72 hours, what are you going to do? These are impact escalation paths. Now, also to keep in mind, in the moment that you have an event, there is the possibility that with due to regulatory requirements, you have to give some sort of legal notice to your the regulators about what has occurred. So those are the different pieces that are going to have to be baked into your overall BIA as well. Now there's key metrics: there's recovery time objective, recovery point objective, and maximum tolerable downtime. Your RTO and your RPO are key factors in any sort of metric that you need for your business. I mean, dealing with any sort of business response and business capability, RTO and RPO are the key things. The other pieces is meet maximum tolerable downtime. Or is it a maximum tolerable downtime for the business? You need to make sure you get very clear on that with your company on what is it. If it's a critical server, what is the maximum tolerable downtime it can be down? But if the business unit says the most our company can be down is maybe six days. Then you need to make sure you understand that. But you also need to understand that as critical servers, the maximum time they can be down is two hours, for example. Say there's like a an air exchanger, and this air exchanger is a critical system that keeps poisonous gas out of X. It can go down for only a couple minutes, and that's it before then things start blowing up. Then you need to make sure that is a critical system, and the maximum tolerable downtime on that is five hours. Or is it is not five hours, is is 20 minutes. Whatever that number is, you need to come up with it and work with your teams on that. Now keep in mind it's not you coming up with this. This is the you working with a company to come up with the actual number that's resolved. Now you need to identify your business priorities. This is a process critical ranking. Mission critical, essential, not essential. You need to talk to your business and figure out what is mission critical for it to occur, what is specifically essential that must be in place for your mission critical pieces to happen. And if it's not essential, eh, you're not gonna worry about it. The problem is what you're gonna learn is the non-essential things sometimes will bite you because they're telling you the business is saying it's not essential, but it's actually more essential slash mission critical. And that's when you find those out in the tabletop exercises in many ways. Prioritization drivers, uh, you need to look at things such as safety of life, legal and regulatory mandates that are there for your company, uh a 72-hour part that I mentioned before, revenue impact, how much is that going to impact your company, and then customer obligations. So all of those are big factors in how you prioritize what you do in your business continuity plan. I we all of those were a big factor, huge factor with the company that I used to work with. And we had to go through and have good, tight controls on each and every one of those. Output is rank a list of business processes that are critical to your organization, and you rank them from best from the first one you got to focus on to one that you don't. Justification justification for each priority, you need to make sure you have that in place as well. And that's the output that is provided through this program. Now, risk identification, you need to think of some different factors around risk identification, such as natural disasters, cyber incidents, supply chain disruptions. That's a big one. You're gonna see more and more and more of supply chain disruptions. Human threats, such as insider or labor disruptions, and then infrastructure failures. Those are some of the threat categories that you need to be aware of when you're developing your BCP plan. So, again, natural disasters, cyber incidents, supply chain, human threats, or infrastructure failures. You'll do a vulnerability assessment. This is where you'll a process to look for weaknesses within your company, technological discrepancies that may be out there, and then geographical concentration again for that is done through this vulnerability assessment. You'll you look at existing controls such as preventative, detective, and corrective controls that you have that will all be in place to help reduce or mitigate some of the risk that you have. So again, preventive, detective, and corrective controls. Now your risk assessment is going to be based on likelihood, the likelihood of what's actually going to occur. Now that if you're of the event occurring. So an evaluation can occur in a couple different ways. One is historical data. You can use, I know that this boiler goes down every year. Okay? I know that. That's a likelihood that that does it. It may be a year, it may be 12 months, it may be 11 months. Oh, that's 12 months is a year. It might be 11 months, it might be 15 months. It but realistically, it averages about a year. So then you also have environmental factors that are affecting this, and then threat intelligence. All of those will help bake into the overall likelihood of something occurring. So risk scoring is done based on likelihood times impact. Impact would be how much of an impact would that be to your organization, both from a financial standpoint or potentially from a revenue standpoint or from a personnel standpoint. Risk treatment options could be to mitigate, transfer, accept, or avoid. Those are all the three aspects, and you do this on a daily basis, whether you realize it or not, when it comes to insurance. Do you mitigate the risk by uh I buy insurance? Or I should say that's transferring. I transfer the risk when I buy insurance. I mitigate the risk because I put a control in place to mitigate that risk. Um, an example would be if there's electrical stuff on the ground. I wear rubber boots and I use rubber gloves when I'm picking up some sort of electrical wire. And I also ensure that the power is turned off. That would be mitigation. Transferring would be if you're buying insurance for something to ensure that they're taking on the risk for what you have. Uh you accept the risk. You may say, you know what, I don't care. It's I can't do much about it. I'm just going to accept that risk. It is what it is. And then avoid could be, you know what, I'm not going to do X because of Y. So therefore, I'm avoiding that risk altogether. So those are different kinds of risk treatment options that you can that will be involved when you're figuring out your BIA. Management decision point, this is where risk acceptance requires executive approval. You as a security professional cannot go, oh yeah, I accept the risk. It's not a big deal. No worries. Uh, you can't do that, right? Um, unless you're a company of one and you are the company. Yeah, then you can do it. But if you're not, you as a cybersecurity professional can give recommendations, but someone who has the decision rights to make that decision is the one that has to do it. And it has to be documented. If acceptance is, if the CEO says, I'm just going to accept that risk, that's okay. That's fine. That's his or her responsibility and what they can do. But it needs to be documented that they are accepting the risk that's been associated. Impact analysis, this is where you're dealing with quantitative and qualitative impacts. So a quantitative impact would be revenue loss per day or hour, or specifically regulatory fines. It's a number, right? It's something that is you can, it's tangible. Qualitative impacts would be brand trust, customer churn, employee morale. Things are more squishy, those are your qualitative impacts. If your quantitative gives you a number, qualitative is giving you something squishy. Brand trust, churn, morale. Cascading effects is you have downstream business disruptions can have cascading effects, right? So something upstream happens and say your supply chain goes down, you can't make the product. How does that cascade down through your downstream businesses? If you have businesses, bad. If you deal with customers and you have obligations, bad, bad. If you have um you're not making money, that's triple bad, right? You have all these different cascading effects that can happen in the event that there is a disruption. It can also affect your market confidence. Hey, company XYZ stinks, they they can't keep their stuff together, they're having constant issues, they are not good. That would affect your potential market confidence as well. So all those are a big factor in what you're doing. Continuity planning. So your process level continuities, continuity plans is a manual workaround and they provide alternative workflows for you. Uh, that's that's an important part of you have process level plans, and these are plans that are set up. If I'm picking up a widget and I'm tweaking that widget, then I have a plan specifically for that specific process. These are manual workarounds, and they are alternative workflows, what your overall plan is. It's designed as a backup to the backup, like we mentioned earlier. That is your process level continuity plans. Technological continuity is do you have backup systems? Do you have redundant systems? Do you have uh firewalls that have HA pairs, high availability pairs? That would be a technological continuity plan. Those are all pieces that you would have in place for technology. Workforce continuity is do you have remote work strategies? Do you have split teams? Uh, do you have the ability to hire people outside of your organization to be able to plus up in the event that there's an issue? All of those kinds of aspects related to workforce continuity. And then supply chain continuity of alternate vendors. Okay, if you only have one vendor that does one thing, that's not continuity for your supply chain. You need to have the alternative vendors. Now you may not have that ability to do that, right? There might be limited vendors on what you can do, but you need to have a good plan related to this. Stockpiling critical materials, you need to do you have to have a plan and a warehouse set up to stockpile maybe your raw materials to make your business run. Important part to just understand and discern in what you're trying to accomplish. Strategy development. So you need to have recovery strategies in place. You have your hot, warm, cold sites, you have your cloud-based recoveries, and you have your reciprocal agreements between that. What is that set up? Do you need physical locations that has a hot site that's ready to go all the time? Do you have a physical location that just needs a cold site? That everything, the wires are all run, everything's there, but I have the time to flip on the power and get everything in place. Do you have a cloud-based recovery? Are you going to have your cloud environment replicate to another availability zone, another region? Do you have reciprocal agreements in place as well? So all of that is available through the different types of strategy development. Strategy selection criteria, cost versus benefit. Is it the cost it's going to cost me? Is it worth the benefit? Is the juice worth the squeeze? You got to kind of have that kind of conversation and you have to have an understanding around that. Your recovery objectives, are they going to be met based on this recovery plan that you have in place? If it's like, eh, maybe, then you probably need to reevaluate your strategy. If it is, yeah, no problem. This takes exactly what we need, we're good. Hey, then press. You're fine. Risk tolerance, also, does this meet your risk tolerance that you have? Does this end up if your risk tolerance is I've got a high risk tolerance, and you know what? I if we're not, if we're at a cold site right now for our DR plan and I don't have it ready to go, uh, that's okay because my risk tolerance is high. However, if my risk tolerance is low and I don't have my DR location set up and ready to go, then that would probably be bad because if something does go poorly, then you're not going to be prepared in the time frame that business is expecting you to. So you need to understand your risk tolerance when you're actually figuring out your overall strategy for your company. Alignment, you must support BIA derived priorities. So anything that's in the BIA, you must support that and you must align to that because other anything outside of that, it's just you're wasting time. Continuity provisions, uh, this is where staff notification and accountability are important. Role assignments during the incidents, uh, you need to make sure people are aligned and they're aware of what's going to actually happen. You also need to make sure that the assignments have been taken care of and the incidents are ready that you could they could deal with the incidents when they come. Do you have alternate work locations for people? Uh, this would be as simple as having a hotel room for people. Or it could be a full-up, no-kidding commercial building that people have available in the event that something were to happen. Do you have access control and safety protocols in place? Do you have the beep beep where people have to beep in? Um, are you gonna have an armed guard at the door? Well, that would be really intimidating, but you are you gonna have that? And then also, do you have proper latrines, uh, facilities for people? Do you have a proper event for environmental issues like tornado shelters if you have that? Uh, those are all the types of aspects you're gonna have to consider. Infrastructure, this is where you have your power, HVAC, and network connectivity, as well as data center and cloud resilience are all part of your continuity provisions that you need to consider. Now, plan approval and implementation. This is where it gets, you gotta have this stuff in place. So you have to have formal approval. Executive sign-off needs to be involved in any sort of business continuity plan because it's going to affect his or her business. You they need to be involved in this. You cannot do this in a vacuum. The board maybe have to be aware, depending on the situation. I would highly recommend that your their board is, but that's a CEO and C level executive decision. But board awareness may be required. Implementation of activities such as training and awareness and distribution of plans. You need to make sure that everybody is aligned with what the plan is, everybody's trained on it. And then also these plans need to be distributed to the people in each of the various businesses to ensure that they understand what is going to happen. Now I say this. Any plan that is developed and forwarded to people, it needs to be under a high level of confidentiality. The reason is if this is sent out and get everybody gets access to this and it's sent to the internet, well, now the bad guys and girls know exactly what you're going to do in the event there's going to be a crisis. That's not good because they've already planned that if you're going to, I'm going to move to this building and we're going to set up shop. Well, they could, I'm not that this this is really kind of James Jason Bourne kind of stuff, but they could actually have something there in place before uh you get there to be able to, whatever they're going to do. I again, I you need to have a good plan around this, and you need to keep all of your business continuity and disaster recovery plans in a confidential status and only basically trusted with only people that need to be dealing with it. Testing and exercises, you need to have tabletop exercises, functional tests, and full interruption simulations. The tabletop exercises, we've talked a lot about those. A functional test, you may just test one aspect of your business continuity plan. And then a full interruption simulation is that facility is going down. What are we going to do? And you actually, no kidding, shut the facility or the connectivity down with the facility, and then you operate with that. Those are great. They take a lot of planning, a lot of planning. So if you're going to do it, which I highly recommend you do, uh, you need to have make sure that your BCDR plans are tight and you have a good understanding of those. Once you have those, then do full interruption simulations. But you'll obviously figure out when to do those. In most cases, they're kind of off hours kind of activities. Maintenance, make sure you have regular reviews. I would do your reviews at least annually on your BCP. Lots of stuff changes in a year. You need to have a change management integration in that, in that if you do make changes to your business continuity plans, how is that broadcast through many people? Who's getting involved in it? Again, these are really critical parts in your overall business continuity planning and implementation. Required documentation. You have a statement of importance. Declare why your BCP is critical to your organization, and you need to have that developed specifically and in most cases by the CEO and why they feel it's important. Statement of priorities. This is ranked recovery priorities derived from the BIA. If you, okay, this is a key, knock on wood, stomp your foot, key thing that you will see potentially in the in the exam, but more importantly, you will deal with on a daily basis when you have your at your company. If you don't have a list of recovery priorities, it's going to be a melee on trying to understand who gets to be brought up first. You need to develop this working with IT, develop a recovery priority specifically based on your business impact analysis. What's coming up first? Active Directory. What's coming up second? XYZ. What's coming up third? All of those things need to be derived and developed as part of your BIA. So again, statement of priorities, and that needs to be written down and everybody needs to be aligned on it. Because what's going to happen is when the balloon goes up, everybody's going to argue, I'm first. No, I'm first. I'm first. And when you put all these priorities in place and realize how long does it take to bring these things up, that also will impact your overall time to recovery. How fast can you bring your system back up online? Because if everything goes down, everything just dumps, how if it brings it back, it takes two days to bring everything back. You automatically got to tack on two days to whatever you thought you were going to do. So again, those that need to be developed. I hope I've hit hard because that caused a significant emotional event in my life multiple times. Organizational responsibilities, you need to have races for continuity roles, who does what and where. Supporting documentation, this would include your BIA reports, risk assessments, uh, test results, and approval records. All of those documentations need to be developed and done. So all that documentation is an important part of any BIA. So this is a creep key piece of slide deck that you have that I would highly recommend that your organizations have all of these. If you can say you have these, you're good, baby. You're good. If you don't have these, work to get there because they're important, extremely important, especially when dealing with regulators. Vital records program. You need to have a records program in place as well for your B uh BIA and your BCP. This is identification and protection of records essential to continued operation. And this is the, like I said before, highly confidential. You need to have this uh labeled on everything. This would be record categories, both legal and regulatory records, financial records, and occupational uh documentation or operational documentation, not occupational, operational. Protection methods, what are your backup and replication plans, offsite storage and encryption and access controls? What are all those methods in place and how are they protecting your company? And then access requirements, availability during emergencies and authorized personnel only that are allowed. You need to keep in mind if you are using single sign-on or any of these other types of abilities to use uh to access your data. Do you have the ability to use this off-site? Can you use this remotely? All of those pieces need to be considered and thought out. Emergency response guidelines, this is where you have immediate response focus. This is life safety, uh, incident stabilization, and then you need to have a good, what is our focus as a company and as a business continuity plan? Then you have a command and control plan where you have incident response leadership and escalation procedures that have already been developed and defined. You have internal communications, how will you communicate with your people, and then how will you communicate uh without to the external world, right? So you have your PR and your communications teams, how are they going to notify and talk to people? And then that's your customers, regulate regulators, and media. Who's going to be doing all that? Highly recommend that you have someone who is defined who is going to report directly to the regulators on a specific topic. Uh, make sure that's aligned with everybody. I had a situation where a young man was at a facility and he had to talk to the U.S. Coast Guard, and that was his responsibility. And legal and compliance went in a fit, saying he cannot talk to the Coast Guard. The Coast Guard says we're not talking to anybody but him. So I had to work with the HR and legal to basically go and compliance to go, okay, coach him up on what he's supposed to say and how he's supposed to say it. And they did. And those therefore, when he responds to the Coast Guard, he responds a way they wanted. Now, they would he would not talk to them directly unless Legal and Compliance had coached him and actually sent the documentation of what he's supposed to say. So there was a lot of that. But Coast Guard did not want to talk to our legal teams, they wanted to talk to him directly. So keep that in consideration. Transitions, you need to also have uh shift from emergency response to business continuity operations. How do you do that? And you need to have a plan around that as well. Okay, so as we finish this up, this is a long one, right? This is painful. There's a lot of stuff here. A CISSP exam tips, you really truly want to have business impact drives recovery priorities, not technology. So business impact drives recovery priorities, not technology. The BIA always comes before the solution selection. Okay, so you gotta figure out, you gotta do a BIA to figure out what solution are you actually gonna put in place. Risk acceptance must be documented and approved. Knock, knock. Know that word. It needs to be documented and approved. The BCM is an ongoing life cycle, not a one-time plan. What did that mean? You have to go in and review it at least on an annual basis. So all of this stuff is an important part of the overall BCP plan. Okay. All right, that's all I've got for you today. I hope you enjoy this. Again, this is a long one. I'm probably gonna break this one into two parts for the podcast, but it's a long one. And it's uh but there's a lot of incredible content here that's gonna help you get ready for the CISSP exam. Again, this content is awesome. I mean, I mean it, obviously, I'm saying I'm awesome. The content is. The content is awesome, and it's something that if you study it and you listen to it over and over and over, it will sink in so that when the tests come and you see a question, you're gonna go, oh yeah, that's it. That's the overall goal of these podcasts is to help you, and the training that I have on CISCP cyber training is to help you with understanding something. When you see it, you know it, you can then address it. So thank you guys so much for joining me today. I hope you had a great day. I hope you enjoyed this content, and we will catch you all on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes. I would greatly appreciate your feedback. Also, check out my videos that are on YouTube, and just head to my channel at CISSP Cyber Training, and you will find a flip through a fork on a copia of content to help you fast the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 363 CISSP questions to help you in your CISSP journey. Thanks again for listening.