Business continuity planning (BCP) helps to identify the organization’s exposure to internal and external threats; it brings together hard and soft assets to provide effective prevention and recovery for the organization, and it maintains competitive advantage and value system integrity. BCP counteracts interruptions to business activities and should be available to protect critical business processes from the effects of major failures or disasters. It deals with natural and man-made events and with the consequences that follow if those events are not dealt with promptly and effectively.
Business impact analysis (BIA) determines the impact an individual business unit would sustain following a significant interruption of computing or telecommunication services. These impacts may be financial, in terms of monetary loss, or operational, in terms of inability to deliver.
Disaster recovery plans (DRP) contain procedures for emergency response, extended backup operation, and post-disaster recovery, should a computer installation experience a partial or total loss of computer resources and physical facilities. The primary objective of the DRP is to provide the capability to process mission-essential applications in a degraded mode and to return to the normal mode of operation within a reasonable amount of time.
The candidate is expected to know the difference between BCP and DRP, and to understand BCP in terms of project scope and planning, business impact analysis, recovery strategies, recovery plan development, and implementation. Moreover, the candidate should understand disaster recovery in terms of recovery plan development, implementation, and restoration.
Key Areas of Knowledge
Understand business continuity requirements by developing and documenting project scope and plan.
Conduct business impact analysis.
1. Identify and prioritize critical business functions
2. Determine maximum tolerable downtime (MTD) and other criteria
3. Assess exposure to outages such as local, regional, and global
4. Define recovery objectives such as RTO and RPO
Develop a recovery strategy.
1. Implement a backup storage strategy such as offsite storage, electronic vaulting, and tape rotation
2. Recovery site strategies such as cold site, warm site, or hot site
Understand disaster recovery process.
1. Response
2. Personnel
3. Communications
4. Assessment
5. Restoration
6. Training
Exercise, assess, and maintain the plan (e.g., version control and distribution).
DOMAIN 9: LEGAL, REGULATIONS, INVESTIGATIONS, AND COMPLIANCE
Overview
The legal, regulations, investigations, and compliance domain addresses computer crime laws and regulations. This domain includes the investigative measures and techniques used to determine if a crime has been committed, and methods to gather evidence.
A computer crime is any illegal action where the data on a computer is accessed without permission. This includes unauthorized access or alteration of data, or unlawful use of computers and services.
Incident handling provides the ability to react quickly and efficiently to malicious technical threats or incidents.
The candidate is expected to know the methods for determining whether a computer crime has been committed; the laws that would be applicable for the crime; laws prohibiting specific types of computer crime; methods to gather and preserve evidence of a computer crime; investigative methods and techniques; and ways to address compliance.
Key Areas of Knowledge
Understand legal issues that pertain to information security internationally.
1. Computer crime
2. Licensing and intellectual property such as copyright and trademark
3. Import/export controls
4. Trans-border data flow
5. Privacy
Understand professional ethics.
1. ISC2 Code of Professional Ethics
2. Support organization’s Code of Ethics
Understand and support investigations.
1. Policy, roles, and responsibilities (e.g., rules of engagement, authorization, and scope)
2. Incident handling and response
3. Evidence collection and handling such as chain of custody and interviewing
4. Reporting and documenting
Understand forensic procedures.
1. Media analysis
2. Network analysis
3. Software analysis
4. Hardware/embedded device analysis
Understand compliance requirements and procedures.
1. Regulatory environment
2. Audits
3. Reporting
Ensure security in contractual agreements and procurement processes (e.g., cloud computing, outsourcing, and vendor governance).
DOMAIN 10: PHYSICAL AND ENVIRONMENTAL SECURITY
Overview
The physical and environmental security domain addresses the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information. These resources include people, the facility in which they work, and the data, equipment, support systems, media, and supplies they utilize.
Physical security describes measures that are designed to deny unauthorized personnel (including attackers) physical access to a building, facility, resource, or stored information, together with guidance on how to design structures to resist potentially hostile acts.
The candidate is expected to know the elements involved in choosing a secure site, its design and configuration, and the methods for securing the facility against unauthorized access and theft of equipment and information, as well as the environmental and safety measures needed to protect people, the facility, and its resources.
Key Areas of Knowledge
Understand site and facility design considerations.
Support the implementation and operation of perimeter security (e.g., physical access control and monitoring and audit trails/access logs).
Support the implementation and operation of internal security (e.g., escort requirements/visitor control and keys and locks).
Support the implementation and operation of facilities security such as technology convergence.
1. Communications and server rooms
2. Restricted and work area security
3. Data center security
4. Utilities and heating, ventilation, and air conditioning (HVAC) considerations
5. Water issues such as leakage and flooding
6. Fire prevention, detection, and suppression
Support the protection and securing of equipment.
Understand personnel privacy and safety (e.g., duress, travel, and monitoring).