In an executive meeting, the vice president (VP) of manufacturing, the data owner of the material requirement planning (MRP), and the VP of sales, the data owner of the online shopping website, are justifying the criticality of the underlying information systems that process their data and support their business processes. Both of them believe their business processes are more critical and should be recovered first in case of a disaster. As a CISO, how should you do?

A. Facilitate the process for the determination of the maximum tolerable downtime, and invite the VP of information technology to commit to the recovery time objective and recovery point objective.
B. Take importance and urgency into consideration, and implement a hot site for the business processes with higher priority while a code site for the ones with lower priority.
C. Prepare a disaster recovery plan (DRP) based on the recovery time objective and recovery point objective.
D. Prepare a business continuity plan (BCP) and a business case with alternatives to implement a hot site to support both MRP and the online shopping website.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Facilitate the process for the determination of the maximum tolerable downtime, and invite the VP of information technology to commit to the recovery time objective and recovery point objective.

This question is designed based on the Topic 1.7 Identity, analyze, and prioritize Business Continuity (BC) requirements in Domain 1 of the CISSP exam outline.

Enterprises are doing business to deliver value, or business is all about delivering value. Common factors affecting value delivery are people, process, technology, and so forth. A process delivering value is commonly called a business process. The basic idea behind the concept of business continuity is to recover critical business processes subject to the limited enterprise resources available in case of a disruptive incident or disaster.

Based on the statements above, we can conclude some key points as follows:

1. Information technology (IT) is “one” of the most critical factors of business continuity.
2. The scope of business continuity planning includes critical business processes and the underlying information systems.
3. Business people identify or determine critical business processes first, then the underlying information systems by IT people. The criticality of a business process is evaluated by the maximum tolerable downtime (MTD); a process with 2-hour MTD is apparently much more critical than the one with 2-day MTD.
4. Information systems should be recovered by IT people based on the business requirements specified by the business people and negotiated with IT people; specifically, recovery time objective (RTO) and recovery point objective (RPO).
5. Business and IT people work together to achieve the goal of business continuity. A business continuity plan (BCP) as a master plan is the output of business continuity planning that usually includes a disaster recovery plan (DRP) as a sub-plan prepared by IT people.

It’s ineffective for IT people to conduct any disaster recovery planning before the critical business processes are determined, not to mention making decisions on alternative sites, e.g., mirror site, hot site, warm site, or code site, you name it.

The essence of business impact analysis (BIA) is to identify critical business processes and the impact in case of a disaster. MTDs of business processes are the most important output of BIA. RTO and RPO are objectives guiding the DRP; both of them are derived from MTD and negotiated between the business and IT people. In other words, RTO and RPO are commitments of IT to the business to fulfill the MTD requirement.

So, what about the business continuity planning process and the role of CISO? They vary from business to business. It’s not uncommon for a CISO as a coordinator or facilitator to facilitate the BIA process. This reemphasizes the importance of the R&R of CISO.

I won’t recommend Answer B, C, and D as the correct answers mainly because the decision about the hot site or cold site is made before the critical business processes are identified and not justified with any cost/benefit analysis.