8 Disaster Recovery, Business Continuity Plan and Management_ALG_02.10.2022 1

CIA Introduction of Subject Matter Review

  • Overview of the importance of business continuity management.


Unforeseen Disruptive Events

  • Types of disruptive events include:

    • Floods

    • Fires

    • Hurricanes

    • Earthquakes

    • Power failures

    • Cyber intrusions (viruses, malware, denial-of-service, hacking, ransomware)


Evolution of Business Continuity Management

  • Key components:

    • Disaster Recovery Planning

    • Business Continuity Planning

    • Business Continuity Management


Definition of Terms

  • Disaster Recovery Planning: Resuming normal operations after major interruptions.

  • Business Continuity Planning: Continuing business operations during computer processing disruptions.

  • Business Continuity Management: A management system to protect against, reduce likelihood of, and ensure recovery from disruptive incidents.


Elements of Business Continuity Management

  • Key elements include:

    • Management Support

    • Risk Assessment and Mitigation

    • Business Impact Analysis

    • Business Recovery and Continuity Strategy

    • Business Continuity Testing and Maintenance

    • Education and Awareness


Management Support

  • Importance of management in practicing and supporting business continuity plans.

  • Adequate resources must be allocated for preparation and maintenance.


Risk Assessment and Mitigation

  • Steps include:

    • Defining credible risk events (threats)

    • Assessing their effects

    • Developing risk mitigation strategies


Business Impact Analysis

  • Analyzes system requirements, functions, and interdependencies to characterize contingency requirements.


Key Steps in Business Impact Analysis

  • Identify mission/business processes and their recovery criticality.

  • Determine the impact of system disruptions and acceptable downtime.


Resource Requirements and Recovery Priorities

  • Identify resources needed for recovery (facilities, personnel, equipment, etc.).

  • Establish priority levels for recovery activities based on critical processes.


Maximum Tolerable Downtime (MTD)

  • MTD is the maximum time acceptable for a mission/business process outage, considering all impacts.


Recovery Time Objective (RTO)

  • RTO defines the maximum time a system resource can be unavailable before unacceptable impacts occur.

  • Important for selecting appropriate technologies for recovery.


Recovery Point Objective (RPO)

  • RPO indicates the point in time to which data can be recovered after an outage.

  • Reflects the amount of data loss that can be tolerated.


Business Recovery and Continuity Strategy

  • Plans include:

    • Emergency response for lifesaving and damage limitation.

    • Crisis management for communication and management activities.

    • Business Continuity Plan and Disaster Recovery Plan.


Alternative Staffing and Sourcing

  • Plans for:

    • Alternative staffing arrangements.

    • Alternative sourcing strategies (e.g., diverse suppliers, outsourcing).

    • Use of alternate processing facilities.


Types of Alternate Processing Facility

  • Hot Site: Fully operational facility available 24/7.

  • Cold Site: Shell facility ready for equipment installation.

  • Warm Site: Compromise between hot and cold sites, requiring some configuration.


Backup and Recovery Strategies

  • Full Backup: Captures all files.

  • Incremental Backup: Captures changes since the last backup.

  • Differential Backup: Captures changes since the last full backup.
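
Added example (not part of the original slides): using the three backup definitions above, this Python sketch works out which backup sets a restore needs and whether the resulting data-loss window meets a given RPO. The schedule, outage time and function names are constructed for illustration, and it assumes an incremental is taken relative to the most recent backup of any kind.

```python
from datetime import datetime, timedelta

# Constructed sample schedule (not from the slides): (completion time, kind)
SCHEDULE = [
    (datetime(2024, 1, 7, 1, 0), "full"),           # Sunday
    (datetime(2024, 1, 8, 1, 0), "incremental"),    # Monday
    (datetime(2024, 1, 9, 1, 0), "incremental"),    # Tuesday
    (datetime(2024, 1, 10, 1, 0), "differential"),  # Wednesday
    (datetime(2024, 1, 11, 1, 0), "incremental"),   # Thursday
]
FAILURE = datetime(2024, 1, 11, 15, 0)  # constructed outage time


def restore_chain(backups, failure_time):
    """Return the backup sets to apply, in order, to reach the latest
    recoverable point before failure_time."""
    usable = sorted((b for b in backups if b[0] <= failure_time),
                    key=lambda b: b[0])
    full_idx = [i for i, b in enumerate(usable) if b[1] == "full"]
    if not full_idx:
        raise ValueError("no full backup precedes the failure")
    since_full = usable[full_idx[-1]:]          # last full and everything after
    chain = [since_full[0]]
    diff_idx = [i for i, b in enumerate(since_full) if b[1] == "differential"]
    if diff_idx:
        # The latest differential holds every change since the full backup,
        # so earlier incrementals and differentials are not needed.
        chain.append(since_full[diff_idx[-1]])
        tail = since_full[diff_idx[-1] + 1:]
    else:
        tail = since_full[1:]
    # Each incremental holds only changes since the previous backup,
    # so every one after the chosen base must be applied in order.
    chain.extend(tail)
    return chain


def data_loss_window(chain, failure_time):
    """Time between the last restorable backup and the outage."""
    return failure_time - chain[-1][0]


def meets_rpo(chain, failure_time, rpo):
    """True when the data lost fits within the tolerated RPO."""
    return data_loss_window(chain, failure_time) <= rpo
```

With the constructed schedule, an incremental-only week needs every set since the full backup, while the Wednesday differential shortens the chain to three sets; the data-loss window is set by the last backup taken, not by the backup type.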


High Availability Process

  • High Availability (HA) aims for 99.999% uptime.

  • Involves redundancy and failover processes to minimize downtime.


Business Continuity Testing

  • Large-scale exercises should be conducted annually, including:

    • Desk checks for documentation accuracy.

    • Orientation for team roles and plan content.

    • Tabletop exercises for role understanding.

    • Communication testing with partners and employees.


Education and Awareness

  • Vital for effective BCM and execution of continuity plans.

  • Documentation must be maintained to align with business
