Mar 09, 2020
In this episode, Shon will talk about the following items that are included within Domain 1 (Security and Risk Management) of the CISSP Exam. 

CISSP Exam Questions 

Question:  129 

 Which of the following could lead to the conclusion that a disaster recovery plan may not be operational within the timeframe the business needs to recover? 
A. The alternate site is a warm site 
B. Critical recovery priority levels are not defined 
C. Offsite backups are located away from the alternate site 
D. The alternate site is located 70 miles away from the primary site 

Answer: B 

Question:  130 

 What are the four domains of communication in the disaster planning and recovery process? 
A. Plan manual, plan communication, primer for survival, warning and alarms 
B. Plan communication, primer for survival, escalation, declaration 
C. Plan manual, warning and alarm, declaration, primer for survival 
D. Primer for survival, escalation, plan communication, warning and alarm 

Answer: C 

Question:  131 

The underlying reason for creating a disaster planning and recovery strategy is to 
A. Mitigate risks associated with disaster. 
B. Enable a business to continue functioning without impact. 
C. Protect the organization’s people, place and processes. 
D. Minimize financial profile. 

Answer: A 
Explanation: “Disaster recovery has the goal of minimizing the effects of a disaster and taking the necessary steps to ensure that the resources, personnel, and business processes are able to resume operation in a timely manner.” Pg 550 Shon Harris: All-in-One CISSP Certification 

Welcome to the Reduce Cyber Risk podcast, episode 83, Domain 1: business continuity planning, the informative podcast. Join me each week as I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the CISSP exam.

All right, hey, I hope you all are doing well this beautiful day in March. It's exciting here in Wichita, Kansas: the Wuhan coronavirus has now hit Wichita, Kansas, and so now things are changing in our environment, and hence, what better time to talk about business continuity planning. Actually, I probably should have talked about that six or eight months ago, but you should be planning for it now; if you haven't planned for it before, you might want to start now. It's one of those things where these aspects roll into your world as a cybersecurity person studying for the CISSP: you need to be prepared for your business continuity plan. We'll talk today a little bit about how to plan, a little bit about the disaster recovery plan, and the business continuity plan for the CISSP exam, with this coronavirus at your location, wherever you might be, because, as you probably know at this point, it has spread all over the globe. You probably need to be studying for your CISSP; you might be quarantined, and so therefore it's good to study for your CISSP, your business continuity plan, and how that plays out.

Before we do, one of the things I wanted to bring up for my podcast listeners: again, I've been working on my CISO training, and for podcast listeners, right now you get unlimited access to it. Just go to my website at shongerber.com and you can get that for free right now until it actually gets completed, so now is the time to get access to it. Just a little plug there: shongerber.com.

So, this article comes from cio.com, and it is basically the best practices on how to create an effective business continuity plan. The business continuity plan is Domain 1; they talk briefly about it in your (ISC)² training manual that's there, and on your CISSP they will ask you some key questions around a BCP. If you understand what a business continuity plan is, it's the overarching plan, and inside there you would potentially have disaster recovery plans, "plans" in air quotes, in place depending upon the system that you were using. A disaster recovery plan will typically focus on IT infrastructure, i.e., you have an SAP environment, your ERP-type environment, that needs a backup and the ability to be resilient in the event that there's a disaster, so you would have a situation in place for that piece of equipment or that overall ecosystem. Not everything will need a disaster recovery plan; that would mainly be just your critical systems. But the main point of it is that you need to consider that a business continuity plan refers to maintaining business functions, or quickly resuming them, in the event of a major disruption. A major disruption would be coronavirus, and how would that be a disruption? Well, in most cases it wouldn't be the medical piece of this; it's actually the fact that you can't be around other people. So what would be a way to continue business operations during this time? That would be a work-from-home strategy. Not everybody can do that, but there would be abilities that you can send parts of your workforce home to be able to work. This also could be an event where there would be a disaster where people could actually work from home as well. What's unique about this pandemic is the fact that you can actually work from home.
It isn't like an earthquake or a tornado where it destroys things in its path; everything in the structure is still up and operational, it is just that now the geographic location where you would be working may be different than what it originally was. That is something you do need to have that business continuity plan set up and in place for: procedures and instructions for an organization to follow in the face of such disasters. One of the things I'm running through right now is how do we have remote access for our employees in the event that they have to work from home. We've had these things in place, but is it documented? It needs to be, but there was a little bit of scrambling that went on because we have to document a little bit better, and so therefore that's one thing you need to have in place: have it available for people, so it's very seamless and all people get access to it. It covers business processes, assets and human resources, as well as business partners and more. One of the things that cio.com talked about is how do you deal with your partners, and how do you help them gain access to this network as well? Do you have good plans in place to help them get the access that they may need?

Similarities with DR: again, DR looks very similar to a business continuity plan. At the outset, just kind of taking a quick snapshot of it, you may think they're one and the same, but as I mentioned earlier they're not. The disaster recovery plan is for IT infrastructure and its operations and is very specific, very niche, and so therefore they're different; the BCP is more or less the overall structure and constructs that you'd want to occur. One thing you may want to consider as well, as they talked about, is how do you get HR involved? This would come down to any event where there would be an issue: how does HR operate? The example that they use, in this case it wouldn't be the pandemic, it would be that a tornado rolls through and takes out your customer service building, the people there are gone, you know, how do your reps handle customer calls? Will they be able to work from home temporarily or from another alternate location? Do you stand up an alternate location? If you stand up an alternate location, you now potentially put a lot of groups of people together. Where I live right now they have banned anything that's 250 or more people at one location, so we had the Saint Patrick's Day parade that was coming up; they canceled that. Soccer, I should say football, depending on what part of the world you're from: football events and soccer events have been canceled due to their having lots of children together. So you need to have that kind of thought process about it. I would say the pandemic probably was pretty low on everybody's BCP list; most of it is physical disasters such as tsunamis and tornadoes and any really bad movie that you would see from Hollywood, something like that, but they didn't think about the pandemic, except if you watched the movie Outbreak, then they would be there. But I digress. Those are business continuity plans, and those are things that you need to have in place if you're looking to keep your business operational.

Defining if a system is critical: how would you recover from that? I used SAP as an example. Typically SAP is a vendor, but your ERP, your enterprise resource planning capability: in the event that ERP solution, which does all of your supply chain and handles your people and has all kinds of stuff built in, goes down, what happens to your business? It's down for a while? I don't know; it depends. You have to have a business impact analysis done to determine what systems are critical within your organization, and again that would determine, if there's a sudden loss in business function, usually a cost figure of some kind that you'll get. Why does business continuity planning matter? You need to stay competitive. Okay, so if you are planning to be competitive in your
space, you need to have backups in the event that something like the pandemic goes on like this. We'll use this as an example: you don't have a work-from-home strategy, so you're scrambling for weeks to try to come up with something. But alternate strategies are critical to most companies; like we've talked about over and over again, most people did not think about that in the past, but today, oh yeah, it's important for your organization. And as a cybersecurity person: your competitor does, and he or she is operational and you're not, so who's got the competitive advantage? You may be in a situation where you may not ever get back your customers because you don't have an adequate work-from-home strategy. So therefore this is a good opportunity for you to learn how this should be evaluated. You could outsource this capability to determine a good BIA; you may want to decide that. If you look at it and say, I don't have a plan, you might be up a creek without a paddle. Experian: we all know about Experian, but Lorraine O'Donnell, I'm sure she was the one that came in after the issue with Experian, is the global head of business continuity there. So it's going to be good; honestly, I think it's really kind of an interesting endeavor, and it helps people understand there is a positive to this: how to think about how do I utilize my people in a different way. You need to build your recovery strategy around the allowable downtime for these processes, and you need to figure that into your processes, into your overall schema: how much downtime are you allowed to have? Quite interesting, just because things are not physically turned off; you just lose your primary source, and you do not know until you actually start doing tabletop exercises, which we'll talk about later in this podcast. But when you start doing a tabletop exercise you may figure out, wow, I missed that area. The best time to find it is during a tabletop, not during a pandemic; that's a bad time to figure it out.

Business areas: this comes out of your business continuity plan or your business impact analysis. You may decide there are some key areas that are important to you, then you do a BIA of those and decide, yeah, I need to really focus on where I need to put a disaster recovery plan in place as well. Identify critical functions, and identify dependencies between various business areas and functions. The anatomy of a business continuity plan, they talked about that in there as well. They talk about some common tools that are important: a checklist that includes supplies, equipment, data backups and key personnel. But I'd say the pandemic is different, because... for a business to operate. So when the four horses roll in and you've got hailstones the size of cars and you've got war, you've got all kinds of stuff going on here, that would not be good for keeping your business operational, so you'd better have a good BCP. Kind of important; you may not think of backups because it's really not that important, but it will really be bad if... Key personnel in an organization who have gone through disasters: the pandemic hits and then a natural disaster hits, okay, then you have the four horses of the Apocalypse rolling into town.

Testing your BCP: again, this comes back to the tabletop we'll talk about, asking lots of questions, so that again the insights are very, very valuable. I think they like to talk about war stories; that's one thing I mentioned, the cio.com article was talking about war stories. They work great, war stories are awesome, and you can learn a lot of information from those. Testing is the only way to truly know if it'll work, and I will also digress to the fact that testing will only tell you so much. Do not hang your hat, do not believe totally that testing will give you everything you need, because it won't, but it will give you some good guidance and some insight into things you would not
consider. Most people will laugh at it; most people say, ah, this is stupid, I don't want to do it; you can lose a lot of time depending on the individual listening to their war... That would be bad for many reasons; that would be bad. You have backups in place; it's basically the laundry list of things that you go through to make sure that you have what you need. Tabletops are very big. Startups: I want to do it, then, it's foolish, I don't want to mess with it, this is a waste of my time, I could be doing more things that would be more suitable for my comparative advantage, and so you're using opportunity cost: this is going to lose me my time. You need to ensure you start small and then work your way up, okay, but don't start with something so easy that people go, yeah, I don't know, you're wasting my time. So it's got to be a little bit of a challenge there, so don't go too easy on them. Testing a BCP: tabletop exercises, structured walkthroughs and simulations. Failing to test it just leads to a weak plan and no confidence in a real incident; I would agree with that. The way to win the game: start a disaster simulation. Testing can be quite involved and should be performed annually; you should do that, and you should have it on your calendar, and you should build this up so that your people know going into it: we're starting here, we're going to work our way up. And your attitude towards its importance: again, laissez-faire... The whole purpose is to have them carry out critical business functions during an event; that's what you want them to do.

Okay, so lastly, to ensure business continuity plan support and awareness: how do you get people to support you? The bosses, based on the scenario. A don't-give-a-poop attitude, a laissez-faire attitude, will not get you what you need; people, if they think you think it's laissez-faire or, like, no big deal, don't care, then they will treat it that way as well. And if you can do some voodoo magic as it relates to network segmentation to kind of give you that idea that your network is down, or something along those lines, that's a very good idea as well. That capability would be good: network segmentation, if you're doing something that's physical, where you are working from an alternate location, a test. Create an environment that simulates the actual disaster, so if you can, do that. Now, I'm also a big proponent... I despise meetings, I hate them, they are quite painful, unless you have... Let me see: your manager must be representative; how do you play? It must be supported from the top down; the bosses have to agree with it. So if they don't have any sort of understanding of that, now, with this pandemic going on, you need to get their heads wrapped around it: we need to have a plan, bosses. So, yeah, have a really good one and have a structured plan of what you're trying to accomplish. The epidemic is great for that, but what are we missing? So I think, if it hasn't hit you yet in your area, now is a perfect time to do a tabletop; that would help people to understand, but now you need to document some of these issues. Structured walkthrough: each team member walks through his or her components of the plan in detail to identify weaknesses. Again, you make them walk through it: what kind of issues do they have? And they've got to identify those. Often the team works to do a test with a specific disaster in mind, so you think about the pandemic, pretty much high on your ideas right now; you're probably doing a lot of that thought process right now through your cranium, but you need to consider what are the other scenarios. A tabletop, if you do it right and you do it well, they will say, I never thought about that. Now the problem is if they say "I never thought about that" and then do nothing about it. Then the allowable downtime for each critical function: how long can you have it down? And then, sixth, create a plan to maintain these operations, and then you have to say there's a seventh, and that is go back and reaffirm your plan and make sure your plan is still valid, because, guess what, it's like anything else:
it was great at the moment in time that you created it, and then, oh wait, times change and now it's no longer effective. General steps they brought up at cio.com: the first one is identify the scope of your plan. How big is it going to be? How about we start small, keep it simple, silly, all right, so KISS, keep it simple. The hope is that you're not the hourly worker who now is out of a job because the hourly stuff is happening. So I will tell you, for my Kona Ice business that I have, that is very interesting right now: I have no way of getting stuff sold, so we'll just now come up with new plans and we'll just pivot. I mean, that's like everything in life: you've just got to do it. If you don't do it, then you go bye-bye; you don't do it, it'll impact your bottom line, or it could shut you down because of regulatory requirements, may say... or words in there, but I think you get the picture. These losses can be financial, legal, reputational; this is coming in from Lorraine: "The loss can be financial, legal, reputational or regulatory. The risk of having an organization's license to operate withdrawn by a regulator, or having conditions applied retrospectively or prospectively, can adversely affect market value and consumer confidence." I use the ten-dollar words; you don't even know what that means, but you use a different term: you may have that you're up a creek without a paddle. That basically means you're up a river and you have no paddle to paddle your way to safety, and so therefore you follow the current wherever it may take you, and usually it's over a cliff, and then you hear them screaming as they go down. ...business continuity at Experian; based on this, a quote that cio.com had: "There has been an increase in consumer and regulatory expectations for security today." Yes, there is. "Organizations must understand the processes within the business and the impact of the loss of these processes over time." So, some big ten-dollar words in there, but the bottom line is that you've got to have a plan, and sometimes take a hack at it myself. If it looks like, yeah, that's a critical system, maybe you want to outsource it to get a better understanding of your numbers; it's just something to consider. Outsourcing stuff like this could be quite expensive.

The plan: no one can delegate that responsibility to subordinates. In addition, the plan is likely to remain fresh and viable if senior management makes it a priority. Again, if they're not bought in, it isn't going to happen; you may be a one-hit wonder and get it done, but if management isn't involved, it'll atrophy over time, it will go stale, and people will not use it. Management is also key in promoting user awareness; if they buy in, they'll tell their friends and their friends will tell their friends and so on and so forth, and then everybody's happy, like social media. If employees don't know about the plan, will they be able to react appropriately? It has an impact on all employees, giving the plan more credibility and urgency if the bosses are on board. So that is the article from cio.com, a really good article. I think they talk a little bit about what you should be considering, and I think you should consider it in your plan.

Now pulling in some questions from the CISSP exam questions. Okay, so the CISSP exam questions for today: Which of the following could lead to the conclusion that a disaster recovery plan may not be operational within the time frame the business needs to recover? Okay, so the following: A, the alternate site is a warm site; B, critical recovery priority levels are not defined; C, offsite backups are located away from the alternate site; D, the alternate site is located 70 miles away from the primary site. Which of the following could lead to the conclusion that a disaster recovery plan may not be operational within the time frame the business needs to recover? A, the alternate site is a warm site: doesn't deal with time. B, critical recovery priority levels are not defined. C, offsite backups are located away from the alternate site: no, doesn't deal with time. D, the alternate site is located
70 miles away from the primary site. Critical recovery priorities, which are typically your recovery point objectives and recovery time objectives, are not defined, hence the time frame the business needs to recover is missed. B, critical recovery priority levels are not defined. This comes from brainscape.com.

What are the four domains of communication in a disaster planning and recovery process? A, plan manual, plan communication, primer for survival, warning and alarms; B, plan communication, primer for survival, escalation, declaration; C, plan manual, warning and alarm, declaration, primer for survival; D, primer for survival, escalation, plan communication, warning and alarm. And the answer is C: a plan manual, have some way to alert from a warning and alarm standpoint, a declaration that there is a disaster, and then what is your primer, your document for survival, so that you will survive and will not go the way of the dodo bird. Brainscape.com, some flashcards; I'll put them in the show notes.

The underlying reason for creating a disaster planning and recovery strategy is to: A, mitigate risk associated with disaster; B, enable a business to continue functioning without impact; C, protect the organization's people, place and processes; or D, minimize financial profile. The question is: the underlying reason for creating a disaster planning and recovery strategy is to: A, mitigate the risk associated with a disaster; B, enable a business to continue functioning without impact; C, protect the organization's people, place and processes; or D, minimize financial profile. A, mitigate risk associated with the disaster. In the quote that they have: "Disaster recovery has the goal of minimizing the effects of a disaster and taking the necessary steps to ensure the resources, personnel and business processes are able to resume operations in a timely manner," and this was from page 550, Shon Harris, All-in-One CISSP Certification. I like Shon Harris. Unfortunately, only a few questions today. All right, I hope you all have a wonderful day, and again, go to Shon, S-H-O-N, yes, my parents love me, Shon Gerber, gerber.com, like the baby food or the toilet, depending upon which you prefer, and you can get my CISO, C-I-S-O, training for free. All you have to do, the only thing you have to do, is give me your email address so that I can send you more free stuff; that's the ultimate goal. But go to shongerber.com; I've got my CISSP training there, I've got free exam questions, and I've got my CISO training, which is also available for you as well. Have a wonderful day and we will catch you on the flip side. See you.

Thanks so much for listening to my podcast. All the content that I have available for you: there is a CISSP mini course, free CISSP exam questions, the podcast, and so much more; it's all available to my email subscribers, so sign up. If you want my personalized CISSP training, purchase my training courses and I'll be there to help you with your CISSP needs so you can pass the test the first time. Thanks so much for listening; we'll catch you on the flip side.

