MindMap Gallery CISSP-1-Security and Risk Management
CISSP (Certified Information Systems Security Professional) mind map; main contents: information security and risk management basics, security governance and security frameworks, information security policy, organizational and personnel security, risk management, law, ethics, compliance, and BCP
Edited at 2021-11-10 12:10:04
Information Security Governance and Risk Management
Information security and risk management basics
Information
Definition
Lifecycle handling
Basic principles of information security
Confidentiality (confidentiality)
Ensure that information, while stored, used and transmitted, is not disclosed to unauthorized users or entities
integrity (integrity)
Prevent unauthorized tampering;
Prevent authorized users from inappropriately modifying information
Maintain internal and external consistency of information
internal
external
Availability (availability)
Ensure that authorized users or entities are not improperly denied normal use of information and resources, allowing reliable and timely access to information
The opposing triad, DAD
Disclosure
Alteration
Destruction
information security CIA related technologies
Confidentiality,C
Data encryption (whole disk, database encryption)
Transmission data encryption (IPSec, SSL, PPTP, SSH)
Access control (physical and technical controls)
Integrity,I
Hashing (data integrity)
Code signing
Configuration management (system integrity)
Change control (process integrity)
Access control (physical and technical controls)
Software digital signatures
CRC checks on transmitted data (applicable at multiple network layers)
Availability,A
Redundant Array of Independent Disks (RAID)
Clustering
Load balancing
Redundant data and power lines
Software and data backups
Disk mirroring
Co-location and off-site facilities
Rollback capability
Failover configuration
Security controls
By ways and means
Administrative controls
Develop policies, standards, procedures and guidelines
Risk management
Personnel security
Security awareness training
Technical controls (logical controls)
Implement and maintain logical access control mechanisms
Password and resource management
Identification and authentication methods
Security devices
Physical controls
Measures to control individual access to facilities and different departments (access control, security, locks)
Protective perimeter (fences, walls, lighting)
Physical detection of intrusions
Environmental controls
By effect
Control functions
Preventive (deterrent), detective, corrective/recovery (backup, BCP, DRP), compensating
Information security risk management basics
Governance, Risk Management and Compliance (GRC)
Assurance
risk management framework
Security Governance and Security System Framework
Security Control Reference Framework
IT control, COBIT
COSO, "Internal Control - Integrated Framework": enterprise internal control management framework
Defines five internal control components for meeting financial reporting and disclosure objectives
control environment
risk assessment
control activities
Information and communication
Monitoring
A framework used by many organizations to address SOX 404 compliance
IT Service Management, ITIL (Best Practice Framework)
ITIL is a customizable IT service management framework
Information technology service management standard (ISO/IEC 20000)
Five lifecycle stages
Service strategy
Service design
Service transition
Service operation
Continual service improvement
Zachman
TOGAF Enterprise Framework
SABSA security architecture framework
Security Controls Reference, NIST SP 800-53r4
NIST Cybersecurity Framework (2014): critical infrastructure security control framework
CMMI Software Development Management (Chapter 8)
CMM
Initial, Repeatable, Defined, Managed, Optimizing
CMMI
Initial, Managed, Defined, Quantitatively Managed, Optimizing
Information security management
Two factors for the success or failure of information security: technology and management
ISO27001 (information security management system standards)
Derived from BS7799; BS7799-1 corresponds to ISO27002, BS7799-2 corresponds to ISO27001
A comprehensive set of controls built from information security best practices
2013 version: 14 domains, 35 categories, 114 controls
Information Security Management Model
PDCA model
Plan
Determine control objectives and control measures based on risk assessment results, legal and regulatory requirements, and the organization's business and operational needs
Do (implement)
Implement the selected security controls.
Check
Conduct compliance checks on the implementation of security measures against policies, procedures, standards, laws and regulations
Act (take action)
Take corrective measures based on the inspection results to improve the security posture
Information security performance measurement
ISO27004
Information security policy, organizational and personnel security
Security policy
Security document hierarchy
Policy (policies change less frequently; procedures change more frequently)
The most general statement on information security
A commitment by top management to take responsibility for information security
Describes what is to be protected and what is to be achieved
Standard
Establishes an enforcement mechanism for policy implementation
Guideline
Similar to standards, but the methods for strengthening system security are recommendations rather than mandatory
Security baseline
Meets the minimum level of security required by the policy
Procedure (steps)
Detailed steps to perform a specific task
A procedure is a detailed description (the HOW) of the specific steps to perform a protection task.
Security organization
Senior management (executive management: CEO, CFO, COO)
Fully responsible for information security; the ultimate person accountable for information security
Plan information security, determine goals and priorities, and delegate information security responsibilities
Clarify information security goals and policies to guide the direction of information security activities
Provide resources for information security activities
Make decisions on important matters
Coordinate the relationships between the different units and functions of the organization
Information security professional
Responsible for implementing and maintaining security as delegated by senior management (usually to the CIO)
Design, implement, manage and review the organization's security policies, standards, guidelines and procedures
Coordinate all security-related interactions between units within the organization
Chief Information Officer, CIO
Oversees and is responsible for the company's daily technical operations
Chief Security Officer, CSO
Ensure business information assets are properly safeguarded
Play the role of internal information security coordinator and facilitator
Needs to understand the organization's business objectives and guide the risk management process, ensuring the right balance between business operations and acceptable risk
Specific responsibilities:
Budget for information security activities
Development of security policies, procedures, baselines, standards and guidelines
Develop a security awareness program
Participate in management meetings
Assist with internal and external audits
Security Steering Committee
Members are drawn from all departments of the organization, including the CEO, CFO, CIO, department managers, and the chief internal auditor
Meet at least once a quarter with a clear agenda
Responsibilities:
Define an organization's acceptable level of risk
Determine security goals and strategies
Determine the priority of security activities according to business needs
Review risk assessment and audit reports
Monitor the business impact of security risks
Review incidents involving major security violations
Approve any significant changes to security policies and plans
The Audit Committee
Appointed by the Board of Directors to help it review and evaluate the company's internal operations, internal audit systems, and the transparency and accuracy of financial statements.
Responsible for:
The integrity of the company's financial statements and financial information
Company's internal control system
Employment and Performance of Independent Auditors
Performance of the internal audit function
Compliance with legal requirements and company policies related to ethics
Risk management committee
Understand the organization's risks as a whole and assist senior management in reducing risks to acceptable levels.
Study overall business risks, not just IT security risks
Security planning
The organization's information security program should be carried out according to plan, and security management planning should be top-down.
Responsibilities:
Senior management defines the organizational security policy
The middle layer fleshes out security policies with standards, baselines, guidelines and procedures, and monitors their execution
Business managers and security specialists are responsible for implementing the configurations specified in the security documentation
End users are responsible for complying with all organizational security policies
Types
Strategic plan
Long-term plan (e.g. 5 years), relatively stable; defines the goals and mission of the organization
Tactical plan
Medium-term plan, e.g. 1 year
A detailed description of the tasks and progress toward the goals established in the strategic plan, such as hiring plans, budget plans, etc.
Operational plan
Short-term, highly detailed plans, frequently updated
Updated monthly or quarterly; e.g. training plans, system deployment plans
Personnel Security (Chapter 7)
Personnel responsibilities
Data owner
Responsible for managing a business department and for the protection and use of specific information
Have a duty of “due care”
Responsibilities
Determine the classification of data
Define security requirements and backup requirements for each classification
Define user access guidelines
Business role rather than technical role
Data custodian
The role of the IT or security department
Responsibilities
Perform regular backups of data
Regularly verify data integrity
Restore data from backups
Implement the company's information security and data protection policies, standards and guidelines
System owner
Responsible for one or more systems, each of which may hold and process data owned by different data owners
Responsible for integrating security factors into applications and systems
Ensure system vulnerabilities are assessed
Adopt adequate security measures to ensure system security
Security administrator
Responsible for implementing, monitoring and enforcing security regulations and policies
Report to the Security Committee and Information Security Officer
Information Systems Auditor
Check the system to determine whether security requirements are met and whether security controls are effective
Provide independent assurance to management on security objectives
Security analyst
Helps develop policies, standards and guidelines and sets baselines
Works mainly at the design level, not the implementation level
User
Maintain application security awareness, comply with security policies, use systems appropriately, and report security incidents
Personnel recruitment controls
Background checks
Reduce risk, reduce recruitment costs, and reduce employee turnover
Skills assessment
Confidentiality agreement (NDA)
Protect sensitive company information
Personnel on-the-job controls
Segregation of duties
No one person should have full control of a sensitive, valuable, or critical task from start to finish
Purpose: less opportunity for fraud or error
Example:
In financial transactions, one person is responsible for entering, the second is responsible for checking, and the third is responsible for confirming the final transaction.
Development/production/maintenance; security management/operations/audit; encryption key management/key changes
Split knowledge
Least privilege
Assign only the minimum permissions required to carry out the assigned responsibilities
Job rotation
Do not allow one person to hold a position for too long, to avoid an individual gaining too much control
Provides personnel backup, facilitates cross-training and helps detect fraud
Mandatory vacation
Forcing personnel in sensitive departments to take leave can effectively detect fraud, data manipulation, resource abuse, etc.
Personnel departure controls
Disable the access rights of departing personnel
Recover identification items
Third-party personnel controls
If the third party is off-site but has administrator rights
Confidentiality agreements should be signed with third-party organizations and individuals
Monitor all work activities of third parties
Ensure the identity of third-party personnel is verified upon access
If the third party is on-site and has administrator rights
In addition to the above measures, conduct personnel background checks
When third-party personnel leave the site, revoke the relevant permissions
Add confidentiality requirements and related business terms to the contract terms with third parties.
Security awareness, training and education
Education
Provides security professionals with the professional skills needed for their work.
Methods:
Theoretical instruction, seminars, reading and study, research
Security insight
"Why"
Training
Teaches security-related job skills, mainly to information system management and maintenance personnel
Methods:
Practical instruction, lectures, case studies, experiments
Acquire knowledge
"How"
Awareness
The general collective awareness among an organization's employees of the importance of security and controls
Methods:
Video, media, posters, etc.
Convey the message
"What"
Risk Management
Concept:
The process of identifying and assessing risks, reducing them to an acceptable level, and implementing appropriate mechanisms to maintain that level
A 100% secure environment does not exist; risk management is a balance of benefit/cost and security/usability
Risk = Threat × Vulnerability × Asset value
Risk = Likelihood × Impact
Related elements
Assets: Information assets that have value to the organization
Threat
A potential cause of a security incident that may damage assets or the organization
Threat modeling (STRIDE)
Threat modeling is a structured approach to systematically identifying and evaluating the threats that can affect a system.
Start by considering who is most likely to want to attack us, brainstorm how they could accomplish their goals, and then propose countermeasures to prevent such attacks
Vulnerability
A weakness in an asset or group of assets that can be exploited by a threat; once exploited, it may cause damage to the assets
Risk
The potential for a specific threat to cause damage to an asset or group of assets by exploiting the asset's weaknesses.
Likelihood
Impact
Consequences: the direct or indirect damage or harm caused to the organization by an unexpected event
Security measures (controls)
Mechanisms, methods and measures that reduce risk by preventing threats, minimizing vulnerabilities, and limiting the impact of unexpected events
Residual risk
Risk that remains after security measures have been implemented
Risk assessment
Main tasks:
Identify elements that pose risk
Assess the likelihood and impact of a risk, and ultimately evaluate the level or size of the risk
Determine the organization's risk tolerance
Determine strategies, objectives and priorities for risk reduction and control
Recommend risk mitigation countermeasures for implementation
Methods
Risk Assessment (ISO27005)
Identify risks
Analyze risks
Evaluate risk
NIST SP800-30 and SP800-66
Qualitative RA approach focusing on IT risks
1. System characterization; 2. Vulnerability identification; 3. Threat identification; 4. Countermeasure identification; 5. Likelihood assessment; 6. Impact assessment; 7. Risk determination; 8. Recommendation of new countermeasures; 9. Documentation and reporting
OCTAVE
A self-directed information security risk assessment method based on information asset risk; it emphasizes being asset-driven and consists of 3 phases and 8 processes.
The OCTAVE approach deploys risk management programs organization-wide and integrates with security plans
CRAMM
Basic processes: asset identification and evaluation; threat and vulnerability assessment; countermeasure selection and recommendations
FRAP
Pre-screening focuses only on those systems that truly require evaluation, reducing cost and time
Suited to limited budgets
STA
Create a tree of all the threats a system may face; branches can represent categories such as network threats, physical threats and component failures, and unused branches are pruned when performing the RA.
FMEA
Derived from hardware analysis; examines the potential failure of each component or module and the impact of that failure
AS/NZS 4360
An Australian risk assessment method not used specifically for safety
Assessment process
Identify information assets
Identify the owner, custodian and users of each asset
Establish an asset inventory, identifying information assets based on business processes
Forms in which information assets exist
Electronic data: databases and data files, user manuals, etc.
Paper documents: contracts, strategic guidelines, archived documents, important business results
Software assets: application software, system software, development tools, software programs
Physical assets: magnetic media, power and air conditioning, network infrastructure, servers, etc.
Personnel: A person or role with specific capabilities and responsibilities
Services: computing and communications services, outsourcing services, other technical services
Organizational Image and Reputation: Intangible Assets
Value information assets
Valuation factors
Direct loss caused by damage
The cost of asset recovery, including the labor and physical costs of detection, control, and repair
Loss of public image and reputation of the organization, loss of competitive advantage
Other losses, such as increased insurance costs
Classify assets by importance (impact or consequences), also considering the possible consequences of compromised confidentiality, integrity and availability.
Identify and evaluate threats
An asset may face multiple threats, and a threat may affect multiple assets.
Identify threat sources
Personnel threats
System threats
Environmental threats
Natural threats
Assessing threat likelihood takes into account the motivation and capabilities of the threat source
Identify and assess vulnerabilities
Exploitable vulnerabilities for each asset
Technical vulnerabilities
Operational vulnerabilities
Management vulnerabilities
Identification methods
Audit reports, practice reports, security inspection reports, system test and evaluation reports
Automated vulnerability scanning tools
Risk evaluation
Risk impact
Risk probability
Risk management strategies
Risk treatment options
Mitigate/reduce risk (apply control measures)
Reduce threats
Implement malicious code controls
Reduce vulnerabilities
Strengthen secure operations capability through security awareness training
Reduce impact
Disaster recovery planning, business continuity planning, and backups
Avoid risk
Transfer risk (outsourcing / purchasing insurance)
Accept risk
Strategies for selecting risk control measures
Cost-benefit analysis
Basic principle: the cost of implementing a security measure should not exceed the value of the asset it protects
Countermeasure costs: purchase cost, impact on business efficiency, additional manpower and material resources, training costs, maintenance costs, etc.
Value of control = ALE before control - ALE after control - annual cost of control
Constraints
Time, technical and environmental constraints
Legal and social constraints
Basic functions and effectiveness of protective measures
Assess residual risk
Risk that remains after security controls have been implemented
Residual risk Rr = original risk R0 - control effectiveness R
Residual risk Rr <= acceptable risk Rt
Quantitative risk assessment
Quantitative risk analysis attempts to assign specific, meaningful numbers to every element of the risk analysis process
Each element, including the cost of protective measures, asset value, business impact, threat frequency, the effectiveness of protective measures and the likelihood of vulnerability exploitation, is quantified; finally the total risk and residual risk are calculated
Quantitative analysis steps:
Assign value to assets
Estimate potential losses for each threat
Assess threats and vulnerabilities and evaluate the impact of a specific threat on a specific asset, i.e. the exposure factor EF (0% to 100%)
Perform threat analysis
Calculate the Annualized Rate of Occurrence (ARO)
Frequency of occurrence: ARO (Annualized Rate of Occurrence)
Calculate the Single Loss Expectancy (SLE) for each asset and threat
SLE (single loss expectancy) = asset value (AV) × EF (exposure factor)
Calculate the potential annual loss for each threat
Annualized Loss Expectancy (ALE) calculated per threat
ALE = SLE × ARO
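The SLE/ARO/ALE formulas above, the "value of control" formula from the cost-benefit analysis, and the residual-risk check Rr <= Rt, carried through on one constructed scenario; this is an added example, not part of the original mind map, and the asset value, exposure factors, occurrence rates and control costs are made-up illustrative figures.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and control value (added example)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pair, in the page's terms (values are constructed)."""
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF: fraction of AV lost per incident, 0.0 to 1.0
    aro: float              # Annualized Rate of Occurrence, incidents per year


@dataclass(frozen=True)
class Control:
    """A candidate countermeasure and how it changes EF (impact) and ARO (likelihood)."""
    name: str
    annual_cost: float
    ef_after: float
    aro_after: float


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must lie between 0% and 100%")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO may be fractional (0.1 = roughly once per ten years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    return annualized_loss_expectancy(
        single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro)


def control_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of control = ALE before control - ALE after control - annual cost of control."""
    return ale_before - ale_after - annual_cost


def evaluate_control(s: Scenario, c: Control) -> dict:
    """Recompute the scenario with the control's EF/ARO and report the residual ALE and value."""
    after = replace(s, exposure_factor=c.ef_after, aro=c.aro_after)
    ale_before, ale_after = scenario_ale(s), scenario_ale(after)
    return {"control": c.name, "ale_before": ale_before, "ale_after": ale_after,
            "value": control_value(ale_before, ale_after, c.annual_cost)}


def select_control(s: Scenario, controls: list, acceptable_ale: float) -> Optional[dict]:
    """Pick the control with the highest positive value whose residual ALE is within
    the acceptable risk level (Rr <= Rt); None if no control qualifies."""
    candidates = [r for r in (evaluate_control(s, c) for c in controls)
                  if r["value"] > 0 and r["ale_after"] <= acceptable_ale]
    return max(candidates, key=lambda r: r["value"], default=None)


# Constructed sample: a customer database worth 1,000,000; a breach destroys 40% of
# its value (EF = 0.4) and is expected about once every four years (ARO = 0.25).
DATABASE_BREACH = Scenario("customer DB breach", 1_000_000, 0.4, 0.25)

CANDIDATE_CONTROLS = [
    # Database/whole-disk encryption: breaches still happen, but far less is exposed.
    Control("database encryption", annual_cost=20_000, ef_after=0.05, aro_after=0.25),
    # Tighter access control: same impact per breach, fewer breaches.
    Control("access control hardening", annual_cost=15_000, ef_after=0.4, aro_after=0.1),
    # Oversized outsourced SOC: very effective, but costs more than the risk it removes.
    Control("24x7 outsourced SOC", annual_cost=150_000, ef_after=0.02, aro_after=0.05),
]
ACCEPTABLE_ALE = 20_000  # Rt: the annual loss the organization is willing to carry

if __name__ == "__main__":
    for c in CANDIDATE_CONTROLS:
        r = evaluate_control(DATABASE_BREACH, c)
        print(f"{r['control']:<26} ALE {r['ale_before']:>9,.0f} -> {r['ale_after']:>9,.0f}"
              f"  value {r['value']:>+10,.0f}")
    chosen = select_control(DATABASE_BREACH, CANDIDATE_CONTROLS, ACCEPTABLE_ALE)
    print("selected:", chosen["control"] if chosen else "none (accept or transfer the risk)")
```

The SOC option shows the page's basic principle in numbers: it leaves the least residual risk, yet its negative value means the control costs more than the loss it prevents.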
Qualitative risk assessment
Consider the various scenarios in which risks may occur, evaluate them from different perspectives, and rank the severity of the threats and the effectiveness of the countermeasures
Qualitative analysis techniques
Judgment, best practices, intuition and experience
Qualitative techniques for collecting data
Group decision-making methods, Delphi
Surveys and questionnaires
Inspection
Interviews
Comparison of qualitative and quantitative methods
Qualitative methods and results are relatively subjective
Qualitative methods cannot establish a monetary value for cost/benefit analysis
Quantitative methods require a lot of calculation and are difficult to implement
Information classification and tiered management
Purpose: describe the level of confidentiality, integrity and availability protection required for each data set
Depending on the sensitivity of the information, the company applies different security controls, ensuring that information is appropriately protected and that protection effort is prioritized (while avoiding over-protection)
Commercial organizations
Confidential
Private
Sensitive
Public
Military organizations
Top Secret
Secret
Confidential
Sensitive but Unclassified
Unclassified
Legal, Ethics, Compliance
Computer crime
Characteristics of computer crime:
It is difficult to investigate and collect evidence, and the evidence is easily destroyed.
Relevant laws are incomplete
Cross-regional characteristics
Statistically speaking, insiders are more likely to commit crimes
Victimized institutions sometimes fail to report for fear of affecting the normal operations of the institution and damaging users' trust in the institution.
Types of computer crime
Computer-assisted crime
The computer is used as a tool to assist in committing a crime; computers are not a necessary factor in the crime but serve as tools for the criminal.
Computer-targeted crime
Crimes against computers, networks and the information stored on these systems
Computer-involved crime
The computer is neither the attacker nor the victim; it just happened to be involved when the attack occurred.
Computer-related laws
Legal system
Common law
Civil law
Criminal law
Administrative law
Civil law system
Common law system
Religious law system
Mixed legal system
Intellectual property law
Trade secret
Critical to the company's ability to compete or market
Not generally known; the company invested resources and effort to develop it
Receives appropriate protection from the company to prevent disclosure or unauthorized use
Examples:
Product distribution
Program source code
Encryption algorithm
Copyright
Legally protected rights to publish, copy, display and modify most works
It does not protect the idea behind the work, but the expression of the idea.
Examples:
Program code (source code and executables), even user interfaces
Literature
Paintings
Song melodies
Trademark
Protects words, names, symbols, shapes, sounds and colors that represent the company's image
Trademarks are usually registered with a trademark registration agency
A trademark is a mark of quality and credibility established by a company in its market operations.
Patent
Legal recognition of the patent registrant's (individual or company) ownership of an invention, prohibiting unauthorized use by others
A patent is valid for 20 years
Examples:
Drug formulations
Encryption algorithm
Software classification
Free software
Shareware
Open source software
Commercial software
Academic software
privacy
Objectives
Proactively seeks to protect citizens' personally identifiable information (PII)
Proactively seeks to balance government and business needs against security concerns regarding the collection and use of PII
Personal privacy
Types:
The right to be left alone
Protection against unreasonable intrusion on the individual
The right to decide what personal information may be disseminated and to whom
Issues to note:
To prevent unreasonable intrusion, the baseline is informed consent and appropriate protective measures.
To prevent the lack of appropriate process, the baseline is "fairness and justice" together with an error correction mechanism.
Principles for the use of personal information
Obligations of the personal data controller
Collecting personal data requires the data subject's consent and notification of the purpose
Collect only data related to the purpose, and use and retain it only for the period required by the purpose.
Use collection methods appropriate to the purpose of the data
Take reasonable technical, managerial and operational measures to prevent personal information from being maliciously compromised; ensure the integrity and confidentiality of data, and purge outdated data to prevent access by those with no need for it.
Obligations and rights of personal data subjects
Review collected information and correct errors
Data breach
Every security incident should be followed by an investigation into whether there was a data breach.
Ethics
(ISC)² Code of Ethics
Protect society, the public interest and the infrastructure, and earn the necessary public confidence and trust
Act with integrity, honesty, fairness and responsibility, and within the law
Promote the development of the profession and maintain its professional reputation
Be diligent, responsible and professional
Computer Ethics Institute
Internet Architecture Board
Computer crime myths
BCP & DRP requirements
BCP/DRP Overview (Chapter 7)
What is a disaster
A sudden, unfortunate event that results in heavy losses.
Includes:
Natural: earthquakes, floods, wildfires, volcanic eruptions, severe convective weather
System/technical: hardware or software failures, system/programming errors
Supply systems: communications outages, distribution system failures, pipe ruptures
Man-made: explosions, fire, vandalism, chemical contamination, malicious code
Political: terrorist activities, riots, strikes
Organizational disaster
For an organization, any event that prevents critical business functions from being carried out for a certain period of time is considered a disaster
Characteristics:
Unplanned service outage
Prolonged service outage
The outage cannot be resolved through normal problem management procedures
The disruption causes significant losses
Two elements
The criticality of the business functions affected by the outage
Length of the interruption
Disaster Recovery Plan, DRP
Disaster recovery goals
Reduce the impact of disaster or business interruption
Take the necessary steps to ensure resources, people and business processes are restored as quickly as possible
Tends to focus more on the IT level
Business Continuity Plan, BCP
Business continuity goals
Ensure that the organization can maintain business operations in the face of various situations
Addresses problems from a longer-term perspective, mainly providing methods and measures for prolonged production stoppages and disaster events
Objectives
Provide timely and appropriate response in the event of emergency
Protect lives and ensure safety
Reduce impact on business
Restore critical business functions
Reduce chaos during disasters
Ensure business viability
Get “up and running” quickly after a disaster
BCP should be consistent with the organization's business objectives and be part of the overall decision-making process
The BCP should be part of the organization's security program and coordinated with other elements of the security program
Standards and best practices
NIST SP 800-34
Develop a continuity planning policy
Perform business impact analysis (BIA)
Determine preventive control methods
Develop a recovery strategy
Develop BCP
Test BCP
Maintain business continuity plan
ISO27031
ISO22301
BCP project planning
Preparatory activities before BCP project launch
Determine BCP needs, which may include targeted risk analysis to identify possible disruptions to critical systems
Understand relevant laws, regulations, industry norms, and the organization's business and technical planning requirements, so that the BCP is consistent with them
Appoint a BCP project leader and establish a BCP team including representatives from business and technical departments
Develop a project management plan that clearly defines the project scope, objectives, methods, responsibilities, tasks and schedule
Convene a project kick-off meeting to obtain management support
Determine the automated tools needed to collect data
Provide the necessary skills training and awareness-raising activities
BCP project leader
As BCP project leader, the business continuity coordinator is fully responsible for project planning, preparation, training and related work
Work tasks
Communication and liaison between program development team and management
Has the right to direct contact and communication with everyone involved in the plan
Fully understand the impact of business interruption on the organization's business
Familiar with the needs and operations of the organization and the ability to balance the different needs of relevant departments of the organization
Has easier access to senior management
Understand the organization’s business direction and senior management’s intentions
Ability to influence senior management decisions
Key Roles in the BCP Project
Recovery teams: multiple teams that perform assessment, recovery, restoration and related work after a disaster
Business unit representatives: identify the organization's critical business functions and assist in selecting and developing recovery strategies
IT department
communications department
Information Security Department
legal representative
BCP strategy
The BCP project should ultimately produce a business continuity policy framework. Items recorded in the BCP policy:
Goals, scope, requirements
Basic principles and guidelines
Roles and responsibilities
Basic requirements for key activities
The terms of the policy should be formally approved by senior management and published as organizational policy to guide business continuity efforts.
Business Impact Analysis BIA
Business Impact Analysis Overview
Identify areas that could cause significant damage or operational disruption in a disaster
BIA analysis method
Qualitative analysis determines the impact of a disaster or disruption in terms of severity
Quantitative analysis expresses the impact of a disaster or disruption in monetary terms
BIA purpose
Assist management in understanding potential disruption impacts
Identify key business functions and the IT resources that support these functions
Assist managers in identifying gaps in organizational functional support
Sequence the recovery of IT resources
Analyze the impact of outages
Determine recovery windows for each business function
BIA process
Identify information collection techniques
Select respondents
Identify critical business functions and their supporting resources
Determine how long these functions could survive if the support of these resources were lost
Identify weaknesses and threats
Calculate risk for each business function
Prepare and submit the BIA report
Problems found
Response recommendations
BIA information analysis
Organize, Correlate, Analyze, and Confirm
Qualitative and quantitative automated tools assist in integrating and analyzing the information
Business representatives check and confirm the results of the information analysis
Determine the maximum tolerable downtime (MTD)
The core task of business impact analysis is to identify the critical business functions and the maximum tolerable downtime (MTD) of the resources that support them
Resources that support multiple business functions are more critical
An interruption that exceeds the Maximum Tolerable Downtime makes it difficult to restore the business; functions or resources with shorter MTDs are more critical
Sequence the recovery of critical business functions and their supporting resources based on MTDs
Determination of supporting resources
Identify all resources supporting critical functions (including non-computer resources), the period during which each resource is used, the impact on the function if the resource is unavailable, and interdependencies between resources
Disaster recovery metrics
Work Recovery Time (WRT)
Work recovery time is relatively fixed
Recovery Time Objective (RTO)
The maximum time that may elapse before system unavailability seriously affects the organization
Recovery Point Objective (RPO)
The point in time to which data must be recovered in order to resume processing, i.e. the maximum amount of data loss tolerated
RTO + WRT = MTD