Welcome back to the Cloud Academy presentation of the CISSP examination preparation review seminar. We're going to finish up Domain 7 - Security Operations, beginning at section 14 on slide 134. Participation in the business continuity planning. In this section we're going to examine the business continuity planning process and we're going to talk about participation in the various exercises.

Now business continuity and disaster recovery do differ rather dramatically. Business continuity focuses on the business. How can we keep the business running, not just under normal circumstances but in the face of potential hazardous, dangerous or all-encompassing outage causing events? Disaster recovery focuses on the event itself and tries its best to put the business back on its feet so that it can get back to normal operations. Now in business continuity planning, all of these were originally designed to build the program needed to be repeated on a regular basis to ensure that the plan stays current so that we can keep the business resilient and resistant to outages in the first place.

We're going to manage this like any good project and in doing so, we're going to use a tool like this. The project status report shows the various areas and what elements they're going to deal with in the plan's efforts. So we see in this grid we have data center operations, help desk, facilities, finance, operations, and process support. And then we have the various functions that they're going to have to perform in those particular areas. Like any project progress report, the gray areas show areas that need yet to be addressed and the green areas show that these areas are finished and finalized and have been committed to the final plan. And at a glance, we can tell our progress and areas that need our attention.

The organizational contingency planning program provides for the continuity of the business's critical organizational functions in the event of an interruption, which means we're putting together plans that are going to, by their very nature, be alternatives to normal processes. Whatever the outage is, we no longer are able to work as we would under normal circumstances doing the things we would normally do. That much should seem obvious, but we're going to have to plan for how we're going to do these things and there's usually alternative ways for doing almost anything. But we can't take anything for granted in this process and we must lay this out in advance of the adverse events occurring because at the time that the event occurs it's far too late.

Part of that process will be, we have to decide on the roles and who will be filling them. This contingency planning group develops, implements and maintains an enterprise contingency planning program for the company, the product of which is the plan itself. In this, we will have to define roles and tasks and areas of responsibility for managers. There will have to be various coordinator type functions and each department will have to have its piece of the total plan that is integrated with the pieces spread out to all the other departments in the location.

Now, in the process of laying out the building of the plan, it needs to be led by someone with experience, a business continuity planner, who must also have adequate information, knowledge, experience with the organization, the actual business that it's in and how things typically run. This person will act as a focal point for the company and any situation that involves the planning or the emergency response. In their role, they will be the primary point of contact. Under all circumstances, they will act as a resource even though they're acting as the leader of the plan preparation project. We need to have a secure appointment to that role so that that person knows what they're doing, they know that they're in that role with a clear assignment to those duties. There will have to be training and for this person there will have to be a back-up, an alternate, who will be following them, shadowing them throughout this entire process. They will have to assist in the design and maintenance of the alternate sites, which is information they will need that will have to be included in the plan itself. And they will be responsible for maintaining currency of all the documentation associated with this project. It should be noted that this is not the person who will lead the response effort in the face of an actual outage. That needs to be a member of management assigned that responsibility as early as possible in the process of preparing this plan.