Business Requirements Analysis

Question 1

What is different about health and human safety risks?

Answer 1

It is legal and defensible to accept risks higher than the norm, or greater than your competitors, except risks to health and human safety; these risks must be addressed to the industry standard or the regulatory scheme to which your organization adheres.

Question 2

BCDR Plans

Answer 2

plans to follow in the event of an outage or disaster

Question 3

List BCDR architectures in cloud

Answer 3

1. On prem, cloud as BCP/DRP - if on prem fails, the failover location is a CSP
2. Cloud consumer, primary CSP for BCP/DRP - if part of the cloud provider fails, failover goes to the same CSP at a different location
3. Cloud consumer, alternate BCP/DRP - if part of the cloud provider fails, failover goes to a different cloud provider

Question 4

What is a logical sequence of considerations for BCDR strategy?

Answer 4

1. Location - BCDR plans depends on location of the calamity. May require remote location (e.g. flooding, fire, earthquake)
2. Failover Architecture - components need to replicate to the same architecture in different location
3. Data Replication - maintain a same or less up to date copy of the required data in a different location
4. Functionality replication - recreate the same processing capacity in a different location
5. Event Anticipation - tooling, functionality and process leading up to the failover response (how and when do you failover)
6. Failover Capability - failover capability requires some type of load balancer to redirect user service request to the appropriate service
7. Return to Normal - end of the disaster recovery strategy

Question 5

Asset

Answer 5

Assets can be tangible (HW/SW) or intangible (process, software code, public opinion)

Question 6

BIA, What is it? How do you do it? Considerations?

Answer 6

Business Impact Analysis - an assessment of the priorities given to each asset and process within an organization

determine a value for every asset (usually in terms of money, but sometimes according to priority/rank, customer perception, or other measures), what it would cost the organization if we lost that asset (either temporarily or permanently), what it would cost to replace or repair that asset, and any alternate methods for dealing with that loss.

Considers the effect or impact any harm or loss of each asset might mean to the organization

Identifies critical paths and single points of failure

Look up and down the chain of dependencies

1. Downstream liabilities (if others depend on you, e.g power company)
2. Upstream liabilities (if you depend on others, e.g. vendors, suppliers)

Question 7

How and who should assign valuation/cost in BIA?

Answer 7

Cost can be assigned in various ways including insured value, replacement cost, etc.

Data owners/Line of business manager assign value

Question 8

BIA vs. BCDR

Answer 8

You do BIA well before BCP and/or DRP

Question 9

What is the cloud customer always legal liable for?

According to who/what?

Answer 9

according to most of the world’s privacy laws and regulations, the cloud customer is always ultimately legally liable for any loss of data. This is true even if the cloud provider demonstrates negligence or malice.

Question 10

RPO

Answer 10

Recovery Point Objective - goal for how recent your latest backup/snapshot was or point to rollback to

Amount of data the organization can afford to lose before it impacts business operations

Question 11

MTD

AKA

Answer 11

Maximum Tolerable Downtime - Maximum amount of time a business can tolerate an outage before the incident causes business failure
MAD - Max Allowable Downtime

Question 12

RTO

Answer 12

Recovery Time Objective - Time needed to get the critical functions running again (recovery)

Question 13

WRT

Answer 13

Work Recovery Time - Time needed to configure and to verify the integrity of the recovered system

Question 14

How does RTO, WRT, and MTD relate?

Answer 14

RTO + WRT <= MTD

Question 15

Mean Time To Restore/Repair (MTTR)

Answer 15

The average time it takes to restore or repair

Question 16

Mean Time Between Failures

Answer 16

A measure of how reliable a hardware product is; average time between failures of a HW product

Question 17

Vertical Analysis

Answer 17

To prioritize the assets and critical systems within a business unit. Collect information in each department, then categorize the assets within each department

Question 18

Horizontal Analysis

Answer 18

Prioritize the business units (departments) themselves; Steering committee collects the data but senior management makes the final prioritization

Question 19

BCDR Testing Steps In Order with desc

Answer 19

1. Checklist or Desk Check - give each dept a COPY of the PLAN and have them run through the checklist to make sure all relevant points are covered, check phone #, equipment locations, etc.
2. Table-Top Review - Representatives get together in a meeting and review the plan collectively without actually performing the actions
3. Structured Walk through - Team members physically walk to each location they will need to visit for response activities, then verbally review each step to assess its effectiveness. This will help identify flaws in the plan
4. Simulation Test - Practice drill mobilizing the personnel. Done on simulated systems in a sandbox env in attempt to reach RTO
5. Parallel test - Operational test at the alternate site running parallel to production
6. Full Interruption - Shut down the production environment (home site) and run live environment at the alternate site

Question 20

What do you need to have prior to running Full-Interruption step of BCDR testing?

Answer 20

1. Written management approval

2. At least parallel testing beforehand (make sure alt site is operationally prepared)

Question 21

Recovery in BCDR

Answer 21

RecOVERing an OPERATIONAL state as soon as possible once a disaster has been declared. Going OVER to the alternate site.

Question 22

Restoration

Answer 22

Migrating the business back from recovery mode. Going back to the ORGINAL site.

Remember by restORation

Question 23

What is the order of operations in Recovery vs Restoration

Answer 23

During the disaster, the MOST CRITICAL processes are recovered first

During the return to normal or restoration, the LEAST CRITICAL processes are sent back first

Question 24

This is where the workbook stops and the book purchased begins

Question 25

What should cloud customers ensure of all assets in their BYOD infrastructure that access the cloud?

Answer 25

be protected with some form of anti-malware/security software have remote wipe/remote lock capability in the event of loss/theft, with the user granting written permission to the organization to wipe/lock via a signed authorized use policy utilize some form of local encryption be secured with strong access controls (a password, or perhaps a biometric) in a multifactor configuration have and properly employ VPN solutions for cloud access have some sort of data loss, leak prevention, and protection (DLP) solution installed consider containerization software options for personally owned user devices as a means to isolate their personal data from the organization’s information

Question 26

What should encryption be utilized for in the cloud data center or when cloud providers and users are communicating?

Answer 26

In the cloud data center for: - data at rest, which includes long-term storage/archiving/backups, protecting near-term stored files (such as snapshots of virtualized instances), preventing unauthorized access to specific datasets by authorized personnel (for instance, - securing fields in databases so that database admins can manage software but not modify/view content); -secure sanitization (cryptographic erasure/cryptoshredding) In communications between cloud providers and users for: creating secure sessions, ensuring the integrity and confidentiality of data in transit

Question 27

Layered Defense AKA Description

Answer 27

defense in depth it is the practice of having multiple overlapping means of securing the environment with a variety of methods. These should include a blend of administrative, logical, technical, and physical controls.

Question 28

From a cloud provider perspective, what should a layered defense should entail?

Answer 28

Strong personnel controls involving background checks and continual monitoring Technological controls such as encryption, event logging, and access control enforcement Physical controls related to both the overall campus, the various facilities, the areas within the data center where data is processed and stored, individual racks and particular devices, and portable media entering and leaving the campus Governance mechanisms and enforcement, such as strong policies and regular, thorough audits

Question 29

From a cloud customer perspective, what should a layered defense should entail?

Answer 29

Training programs for staff and users that include good coverage of security topics Contractual enforcement of policy requirements Use of encryption and logical isolation mechanisms on BYOD assets Strong remote access control methods, perhaps including multifactor authentication

Question 30

Cloud Planning

Answer 30

1. Screen Applications for Cloud feasibility and benefits 2. Identify candidate applications for the cloud 3. Describe characteristics of each candidate application 4. Document current infrastructure implementation 5. Determine organization constraints 6. Identify the best candidate for cloud migration 7. Plan cloud migration 8. Realize capacity requirements in the cloud 9. Compare and select cloud providers 10. Perform ROI analysis 11. Generate migration roadmap