You're reading from  CISA – Certified Information Systems Auditor Study Guide - Second Edition

Product type: Book
Published in: Jun 2023
Publisher: Packt
ISBN-13: 9781803248158
Edition: 2nd Edition
Author: Hemang Doshi

Hemang Doshi has more than 15 years of experience in the field of system audit, IT risk and compliance, internal audit, risk management, information security audit, third-party risk management, and operational risk management. He has authored several books for certification such as CISA, CRISC, CISM, DISA, and enterprise risk management.

Business Resilience

In this chapter, you will explore some important aspects of building a resilient business environment. Business resilience is the process by which prevention and recovery mechanisms are developed to deal with possible threats that a company might face. It is the ability to adapt quickly to disruptions while maintaining ongoing business operations and safeguarding people, assets, and brand equity overall. Business resilience goes one step beyond recovering from disasters by providing post-disaster solutions to prevent expensive disruption, remediate vulnerabilities, and sustain company operations in the face of new, unforeseen breaches.

The following topics will be covered in the chapter:

  • Business Impact Analysis (BIA)
  • Data backup and restoration
  • System resiliency
  • Business Continuity Plan (BCP)
  • Disaster Recovery Plan (DRP)
  • DRP – test methods
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
  • Alternate...

Business Impact Analysis

An IS auditor should have a thorough understanding of the objectives of BIA. BIA is a process to determine and evaluate the impact of disruption on business processes and prepare accordingly to deal with such events.

The following are some of the important aspects of BIA:

  • BIA determines critical processes that can have a considerable impact on business. It determines processes to be recovered as a priority to ensure an organization’s survival.
  • In order to conduct a successful BIA, it is necessary to obtain an understanding of the organization, its key business processes, and its dependency on IT and other resources. This can be determined from the outcome of the risk assessment.
  • The involvement of senior management, the IT department, and end users is critical for a successful BIA.
  • The following are some of the approaches when it comes to performing a BIA:
    • Questionnaire approach: It involves the development of a detailed set of...

Data Backup and Restoration

In information technology, a backup, or data backup, is a copy of computer data taken and generally stored in a remote location to be used later to restore the original data after a data loss event. Data loss can be the result of any number of internal or external factors, including computer viruses, hardware failure, file corruption, fire, natural calamities, and hacking attacks.

An organization should have a documented backup and recovery policy in place that clearly identifies the type of data and information for which backups are mandatory.

The following sections will take you through the different types of backup strategies.

Types of Backup Strategy

The backup policy should be approved by senior management. It should have clear and specific instructions regarding the organization’s backup and retention procedure. The CISA Review Manual (CRM) covers the following types of backup strategies:

  • Backup of the full database...

System Resiliency

System resilience is the ability of a system to withstand a disaster and recover from it within an acceptable timeframe. This section presents a detailed discussion of application and telecommunications resiliency.

Application Resiliency – Clustering

Clustering helps to protect an application against a disaster. The aim of clustering is to provide for the high availability of the system.

Application clustering often refers to a method of managing many servers through software. Clustered servers can help to create fault-tolerant systems and provide quicker responses and more capable data management for large networks.

An application that is clustered is protected against a single point of failure.

Application clusters can be either active-passive or active-active. In an active-passive setup, an application runs only on one active node, with the other passive nodes used only if the application fails on the active node.

In an active-active cluster...

Business Continuity Plan

The objective of a BCP process is to manage and mitigate the risk of disaster to ensure the continuity of business operations. It is important that the BCP is reviewed and approved by senior management. This will ensure that the BCP is aligned with the business goals.

Steps of the BCP Life Cycle

The first step in preparing a BCP is to identify the processes of strategic importance for attaining the business objectives.

The following are the steps of the BCP life cycle:

  1. Project and scope planning
  2. Risk assessment and analysis
  3. BIA
  4. Business continuity strategy development
  5. BCP development
  6. Business continuity awareness training
  7. BCP testing
  8. BCP monitoring, maintenance, and update

Contents of the BCP

The plan should be well documented and written in simple language that can be understood by all. Interviewing the key personnel to determine their understanding of the BCP will help the auditor evaluate the plan’...

Disaster Recovery Plan

A Disaster Recovery Plan (DRP) is a set of documented processes to recover and protect a business's IT infrastructure in the event of a disaster. It involves various plans for action to be taken before, during, and after a disaster.

A DRP is like insurance; you will only realize its importance when a disaster actually occurs.

The BCP versus the DRP

A CISA aspirant should be able to understand the difference between a BCP and a DRP. The objective of the BCP is to keep business operations functioning either from an alternate location or by means of alternative tools and processes. On the other hand, the DRP’s objective is to restore normal business operations and advance the recovery from a disaster. The BCP is the overall architecture for business continuity, whereas the DRP is regarded as a technological aspect of the BCP with more focus on IT systems and operations.

Relationship between the DRP and the BIA

The first step in preparing...

DRP – Test Methods

The objective of DRP testing is to ensure that recovery procedures are effective. Regular DRP testing and exercises are very important in determining the continued adequacy and effectiveness of the DRP. It helps to validate the compatibility of the offsite facility with the organization in case of a disaster. The following are some important methods for testing a DRP.

Checklist Review

This test is performed prior to a real test. A checklist is provided to all members of the recovery team for review. This checklist is updated regularly.

Structured Walkthrough

This includes a review of the DRP on paper. Team members review each step to evaluate the effectiveness of the DRP. The gaps, deficiencies, and constraints identified are addressed to improve the plan.

Tabletop Test

A tabletop test is conducted with the aim of practicing the coordination of efforts and the implementation of communication methodology among the relevant members of the recovery...

Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

The RTO and RPO are crucial to designing a disaster recovery strategy. Hence, these two are extremely important aspects to understand from the exam perspective.

RTO

The RTO is a measure of the organization’s tolerance to system downtime. In other words, the RTO is the extent of the acceptable system downtime. For example, an RTO of 2 hours indicates that an organization will not be overly impacted if its system is down for up to 2 hours.

RPO

The RPO is a measure of the organization’s tolerance to data loss. In other words, the RPO is the extent of acceptable data loss. For example, an RPO of 2 hours indicates that an organization will not be overly impacted if it loses data for up to 2 hours.
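The two objectives become concrete once they are compared with what an outage actually produced: elapsed downtime against the RTO, and the age of the last restorable backup at the moment of failure against the RPO. The following is an added example, not code from the book or its author; the system names, timestamps, objectives and the periodic-backup model (a backup is usable only once complete, so the worst case is one interval plus the backup duration) are constructed assumptions. It also derives the longest backup interval that still honours a given RPO, the kind of check an auditor can run over a backup schedule.

```python
"""Evaluate observed outages against RTO/RPO and size a backup schedule.

Added example; the systems, timestamps and objectives below are constructed
sample data, not figures from the book.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Objective:
    """Recovery objectives agreed with the business process owner."""
    rto: timedelta  # maximum tolerable downtime
    rpo: timedelta  # maximum tolerable data loss, measured in time


@dataclass(frozen=True)
class Outage:
    """What actually happened during one disruption."""
    system: str
    failure_at: datetime        # service became unavailable
    restored_at: datetime       # service was usable again
    last_good_backup: datetime  # point in time the restored data reflects


def actual_downtime(outage: Outage) -> timedelta:
    """Elapsed time between failure and restoration (compared with the RTO)."""
    return outage.restored_at - outage.failure_at


def actual_data_loss(outage: Outage) -> timedelta:
    """Work lost between the restorable backup and the failure (compared with the RPO)."""
    return outage.failure_at - outage.last_good_backup


def evaluate(outage: Outage, objective: Objective) -> dict:
    """Return a per-system record stating whether the RTO and RPO were met."""
    downtime = actual_downtime(outage)
    loss = actual_data_loss(outage)
    return {
        "system": outage.system,
        "downtime_hours": downtime / timedelta(hours=1),
        "rto_met": downtime <= objective.rto,
        "data_loss_hours": loss / timedelta(hours=1),
        "rpo_met": loss <= objective.rpo,
    }


def worst_case_data_loss(backup_interval: timedelta, backup_duration: timedelta) -> timedelta:
    """Worst-case loss for periodic backups that are restorable only once complete.

    A failure just before a backup finishes falls back on the previous one,
    so the exposure is one full interval plus the time the backup takes.
    """
    return backup_interval + backup_duration


def max_backup_interval(rpo: timedelta, backup_duration: timedelta) -> timedelta:
    """Largest backup interval whose worst case still fits within the RPO."""
    if backup_duration >= rpo:
        raise ValueError("backup takes longer than the RPO allows; no schedule can meet it")
    return rpo - backup_duration


# Constructed sample data (not from the book).
OBJECTIVES = {
    "payroll": Objective(rto=timedelta(hours=2), rpo=timedelta(hours=24)),
    "web-portal": Objective(rto=timedelta(hours=2), rpo=timedelta(hours=1)),
}

OUTAGES = [
    Outage("payroll",
           failure_at=datetime(2024, 3, 5, 10, 0),
           restored_at=datetime(2024, 3, 5, 13, 30),
           last_good_backup=datetime(2024, 3, 5, 0, 0)),
    Outage("web-portal",
           failure_at=datetime(2024, 3, 5, 10, 0),
           restored_at=datetime(2024, 3, 5, 11, 15),
           last_good_backup=datetime(2024, 3, 5, 9, 0)),
]


def report() -> list:
    """Evaluate every sample outage against its system's objectives."""
    return [evaluate(o, OBJECTIVES[o.system]) for o in OUTAGES]


if __name__ == "__main__":
    for row in report():
        print(f"{row['system']:<11} downtime {row['downtime_hours']:.2f}h "
              f"(RTO {'met' if row['rto_met'] else 'MISSED'}), "
              f"data loss {row['data_loss_hours']:.2f}h "
              f"(RPO {'met' if row['rpo_met'] else 'MISSED'})")
    interval = max_backup_interval(OBJECTIVES["web-portal"].rpo, timedelta(minutes=15))
    print(f"web-portal: back up at least every {interval} to honour a 1h RPO with 15-minute backups")
```

In the sample data the payroll system is restored in 3.5 hours against a 2-hour RTO, so the RTO is missed even though its 10 hours of lost work sit comfortably inside a 24-hour RPO; the web portal meets both. The schedule check shows that a 1-hour RPO with backups that take 15 minutes to complete requires an interval of no more than 45 minutes, because the interval alone understates the exposure.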

The following figure further explains each of them:

Figure 8.3: RTO and RPO

The following practical examples will help you better understand the preceding diagram:

Example...

Alternate Recovery Sites

An alternate recovery site is a separate location used for business operations when these cannot be carried out at the primary site (normal operating location) after a disaster has occurred.

In the aftermath of an incident, the primary site may not be available for business operations. To address such scenarios, organizations should have arrangements for the resumption of services from an alternate site to ensure the continuity of business operations. Many organizations cannot afford the discontinuity of business processes even for a single day, so they need to invest heavily in an alternate recovery site. These arrangements will vary according to the needs of the particular business.

From the CISA exam perspective, candidates should have an understanding of the following alternate recovery sites:

Figure 8.4: Types of alternate recovery sites

We will now explore each of the preceding alternate sites in detail.

Mirrored...

Summary

In this chapter, you explored various aspects of business resiliency, including the BIA, data backups, the BCP and DRP, and testing methodologies. You also learned about various processes to evaluate an organization's ability to continue business operations.

You have now acquired the relevant knowledge and skills required should business resilience appear in the CISA exam, along with a number of practical aspects, such as how to derive the RTO and RPO.

The following are some important points that you covered in this chapter:

  • A BIA determines the impact arising from the unavailability of each system. The more critical the system, the higher the impact. A BIA is conducted on the basis of input from the business process owner.
  • Once the critical applications have been identified through the BIA, the next step is to develop a strategy to recover the critical assets as soon as possible for the continuity of business operations. The BCP is the next step once the strategy...

Chapter Review Questions

Before you proceed to Chapter 9, Information Asset Security and Control, it is recommended that you solve the practice questions from this chapter first. These chapter review questions have been carefully crafted to reinforce the knowledge you have gained throughout this chapter. By engaging with these questions, you will solidify your understanding of key topics, identify areas that require further study, and build your confidence before moving on to new concepts in the next chapter.

Note

A few of the questions may not be directly related to the topics in the chapter. They aim to test your general understanding of information systems concepts instead.

The following image shows an example of the practice questions interface.

Figure 8.5: CISA practice questions interface

To access the end-of-chapter questions from this chapter, follow these steps:

  1. Open your web browser and go to https://packt.link/GXnvJ. You will see...