Page 758 - StudyBook.pdf

742    Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery

                  business, while disaster recovery plans focus on restoring the technology
                  and data used by that business.




                 Business continuity planning is a proactive approach to ensuring a business will
             function normally no matter what the circumstances. If this sounds similar to a
             disaster recovery plan, it should. Business continuity plans are a collection of different
             plans that are designed to prevent disasters and provide insight into recovering from
             disasters when they occur. Some of the plans that may be incorporated into a
             business continuity plan include:

                  ■   Disaster Recovery Plan: Provides procedures for recovering from a
                      disaster after it occurs

                  ■   Business Recovery Plan: Addresses how business functions will resume
                      after a disaster at an alternate site (e.g., cold site, warm site, or hot site)

                  ■   Business Resumption Plan: Addresses how critical systems and key
                      functions of a business will be maintained

                  ■   Contingency Plan: Addresses what actions can be performed to restore
                      normal business activities after a disaster, or when additional incidents
                      occur during this process

                 Because business continuity plans focus on restoring the normal business
             functions of the entire business, it is important that critical business functions are
             identified. Each department of a company should identify the requirements that are
             critical for them to continue functioning, and determine which functions they
             perform that are critical to the company as a whole. If a disaster occurs, the business
             continuity plan can then be used to restore those functions.

                 Once key functions of an organization have been identified, it is important that
             budgets be created to establish how much money will be assigned to individual
             components. For example, while IT systems may be a key function, the corporate
             intranet may be a luxury and not essential to business operations. In the same light,
             while the existing server room may use biometrics to control access, the cold site
             facility may only provide a locked closet for security. This raises another important
             point: just because a system is being recovered to a previous state does not mean
             that things will be exactly the same as before.

                 In addition to threats faced by an organization, administrators should also try to
             identify vulnerabilities in existing systems. These are areas that may leave their sys-




          www.syngress.com