Code Red: Part 2, DRP, DRP Testing, Backup & Recovery
🎯 Concept Focus:
This is a two-part series
Part 1 : Link here
Incident Management
Incident Response
BIA
BCP
Part 2 : This Article
DRP
Backup & Recovery
Key Terms to Remember
Credit for info: CISM learning material by ISACA and Pete Zerger's videos
Disaster Recovery Plan
A DRP is generally a part of the BCP, but its main focus is restoring IT systems, services, and data after a disaster (failures, attacks, natural events).
Its main purpose is to get critical technology operational again so that it can support business recovery.
It is a key component within the overall Business Continuity effort.
The DRP is activated after a disaster occurs (the BCP covers the whole business response, the DRP the technical recovery inside it).
DR has a technical focus; BC has a business focus.
Phases of DRP (by ISACA)
Conducting a risk assessment and business impact analysis (BIA)
Defining a response and recovery strategy
Documenting DR and business recovery plans
Training teams in these procedures
Updating and testing the plans regularly
Auditing the plans to ensure they remain appropriate and effective
DRP Contains
The DRP should be written in clear, simple language and be easily accessible (keep copies offsite, where the disaster that takes out the primary site cannot also take out the plan!).
Activation triggers
Roles/responsibilities
Contact lists
Step-by-step procedures
Resource inventory
Evacuation plans
Communication strategy
Recovery Operations
Once a temporary or alternate DR site is operational, the BC team monitors the progress of restoring the primary site.
They also conduct tests to determine whether it is safe to switch back.
Returning to the primary site (failback): after confirming that the primary site can operate normally, they transition operations back. Failback needs its own documented procedure; it is not simply the failover steps run in reverse.
Key Considerations while choosing Recovery Sites
Critical selection drivers
Business needs (from the BIA), RTO/RPO targets, budget, risk profile.
Geographical separation: ensure the recovery site will not be hit by the same disaster as the primary site.
Other considerations: compliance rules, proximity to other hazards.
Types of Recovery Sites
Hot Site
A fully equipped site with servers and a live copy of your data already up and running. You replicate your production environment in that data center.
Cost = High, Effort = Low
This allows for an immediate cutover if the primary site fails. A hot site is a must for mission-critical systems with very short RTO/RPO targets.
Cold Site
A site with space, power, and network connectivity that is ready and waiting for whenever you might need it, but with no hardware or data in place.
Cost = Low, Effort = High
Engineering and logistical support teams can help you move your hardware into the data center and get you back up and running, so recovery takes days rather than minutes.
Warm Site
A site where hardware is pre-installed and bandwidth is pre-configured, but current software and data are not.
Cost = Medium, Effort = Medium
If disaster strikes, you still have to load your software, configuration, and data from backups to restore your business systems, so the RTO depends on how quickly those backups can be restored.
Mirror Site
An identical, active site operating concurrently (a type of hot site).
Mobile Site
Self-contained, relocatable units (e.g., trailers) that can be brought to where they are needed.
Reciprocal Arrangements
Agreements with another organization to share facilities or capacity during a disaster. Inexpensive, but capacity and compatibility are only as good as the agreement, so they must be tested.
Backup Strategies
The RPO is taken as the basis for deciding the backup strategy: backups (or replication) must run at least as often as the RPO allows, because the worst-case data loss is the time since the last usable backup. The RTO then determines how quickly those backups must be restorable.
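As an added worked example (not from the ISACA material or the original article), the script below checks candidate backup schedules against the RPO and RTO that a BIA produced. It goes slightly beyond the text by modelling full backups plus incrementals, an offsite-copy lag, and the time to declare a disaster and verify the restore. All schedules, names, and numbers are constructed for illustration, and the model is deliberately simple: worst-case data loss is one backup interval plus the offsite lag, and worst-case restore time is declaration delay plus restoring the last full backup, replaying the longest possible chain of incrementals, and verification.

```python
from dataclasses import dataclass

HOUR = 60  # all durations below are in minutes


@dataclass(frozen=True)
class Schedule:
    """One candidate backup/replication strategy (constructed values)."""
    name: str
    full_every: int      # minutes between full backups
    incr_every: int      # minutes between incrementals; 0 = full backups only
    offsite_lag: int     # minutes until a finished backup is safely offsite
    full_restore: int    # minutes to restore the latest full backup
    incr_restore: int    # minutes to replay one incremental
    declare_delay: int   # minutes from incident to DR declaration
    verify: int          # minutes of post-restore checks before cutover


def max_backup_interval(rpo: int, offsite_lag: int) -> int:
    """Longest interval between backups that can still honour the RPO.

    The newest backup may still be in transit offsite when disaster
    strikes, so the interval must leave room for that lag. Returns 0 when
    only continuous (synchronous) replication can meet the RPO.
    """
    return max(0, rpo - offsite_lag)


def worst_case_data_loss(s: Schedule) -> int:
    """Disaster just before the next backup, newest backup not yet offsite."""
    interval = s.incr_every or s.full_every
    return interval + s.offsite_lag


def worst_case_restore_time(s: Schedule) -> int:
    """Disaster just before the next full: longest incremental chain to replay."""
    chain = s.full_every // s.incr_every - 1 if s.incr_every else 0
    return s.declare_delay + s.full_restore + chain * s.incr_restore + s.verify


def evaluate(s: Schedule, rpo: int, rto: int) -> dict:
    """Compare one schedule's worst case against the BIA objectives."""
    loss, restore = worst_case_data_loss(s), worst_case_restore_time(s)
    return {"name": s.name, "data_loss_min": loss, "restore_min": restore,
            "meets_rpo": loss <= rpo, "meets_rto": restore <= rto}


def schedules_meeting(schedules, rpo: int, rto: int) -> list:
    """Names of the schedules that satisfy both RPO and RTO."""
    out = []
    for s in schedules:
        r = evaluate(s, rpo, rto)
        if r["meets_rpo"] and r["meets_rto"]:
            out.append(s.name)
    return out


# Constructed candidates: name, full_every, incr_every, offsite_lag,
# full_restore, incr_restore, declare_delay, verify
SCHEDULES = (
    Schedule("nightly_full", 24 * HOUR, 0, 2 * HOUR, 4 * HOUR, 0, 30, 30),
    Schedule("daily_full_hourly_incr", 24 * HOUR, 1 * HOUR, 15, 4 * HOUR, 5, 30, 30),
    Schedule("snapshot_15min_replicated", 24 * HOUR, 15, 1, 90, 1, 15, 15),
)

# Constructed BIA profiles: (RPO minutes, RTO minutes, label)
PROFILES = (
    (4 * HOUR, 8 * HOUR, "mid-critical HR system"),
    (1, 15, "payments engine, near-zero RPO / 15 min RTO"),
)

if __name__ == "__main__":
    for rpo, rto, label in PROFILES:
        print(f"{label}: RPO={rpo}m RTO={rto}m, "
              f"max backup interval with 15m offsite lag = {max_backup_interval(rpo, 15)}m")
        for s in SCHEDULES:
            print("  ", evaluate(s, rpo, rto))
        ok = schedules_meeting(SCHEDULES, rpo, rto)
        print("  meets both:", ok or "none (scheduled backups cannot reach this; "
                                      "needs synchronous replication to a hot site)")
```

Running it shows why the RPO comes first: the nightly-only schedule restores within 5 hours but can lose a full day of data, so it fails a 4-hour RPO, while the payments profile is met by none of the scheduled backups, which is exactly the case for a hot site with synchronous replication.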
Testing IR and BC and DR Plans
Periodic testing ensures plans can still be executed as designed and documented. Its purpose is to:
Identify Gaps (procedures, roles, risks)
Verify Assumptions (resources, dependencies)
Evaluate Strategies (are they still effective?)
Check Documentation (accuracy, usability)
Types of Testing for BC and DR Plans
Walkthrough test: the team reviews the plan step by step on paper; no systems are touched.
Simulation test: a disaster scenario is role-played and the plan is executed up to, but not including, moving production.
Parallel test: recovery systems are brought up at the alternate site and run alongside production, which stays live.
Full interruption test: production is shut down and operations shift entirely to the DR site; the most realistic test and the most disruptive, so it needs management approval and a tested failback.
Test Results must be evaluated for
Plan Completeness & Accuracy
Personnel Performance & Role Execution
Training Effectiveness & Awareness
Team & Supplier Coordination
Backup Site Capacity & Capability
Vital Records Retrieval
Equipment & Supplies Availability
Overall Operational Performance during test
Key Terms
RTO (Recovery Time Objective): How QUICKLY must IT be restored after the disruption?
RPO (Recovery Point Objective): How much DATA LOSS is acceptable, expressed as time (the maximum age of the last usable backup)?
AIW (Acceptable Interruption Window): Maximum tolerable downtime of a business process before business objectives are compromised.
MTD (Maximum Tolerable Downtime): The absolute longest the business can survive a disruption; the RTO must fit inside it.
SDO (Service Delivery Objective): Minimum service level that must be delivered during recovery, until normal operations resume.
🧠 Brain Ticklers
Q1. Neuromesh is redesigning its DRP after the payments engine suffered a regional outage.
The BIA defines the following requirements:
RTO: 15 minutes
RPO: Near-zero data loss
Transactions per second are very high
Regulators require continuity of critical clearing operations
Which recovery site BEST meets these constraints?
A. Cold site
B. Warm site with periodic replication
C. Hot site with synchronous replication
D. Alternate processing facility with manual fallback procedures
Q2. A fire suppression system activates in Neuromesh’s main datacenter.
Servers are still running but environmental controls are offline.
The incident manager is unsure whether to activate the DRP or continue incident response. Which factor should MOST influence the decision to activate the DRP?
A. Whether senior management has declared a crisis
B. Whether MTD (Maximum Tolerable Downtime) is at risk
C. Whether the incident was caused by a physical hazard
D. Whether insurance requires DR activation
Q3. Neuromesh wants to test how well systems run at an alternate location without shutting down the primary production environment.
Which DRP test type is MOST appropriate?
A. Full interruption test
B. Parallel test
C. Simulation test
D. Walkthrough test
Q4. Neuromesh contracted a warm site for a mid-critical HR system.
During a DR drill, the team discovers the warm site is missing updated application configurations and cannot restore within the 4-hour RTO. What is the MOST likely root cause?
A. Warm sites do not support any pre-installed hardware
B. Configuration data was not included in the replication scope
C. Warm sites require synchronous real-time replication by default
D. The RTO was calculated incorrectly in the BIA
Q5. During a full interruption test, Neuromesh shuts down the primary datacenter and shifts entirely to the DR site.
The shift succeeds, but restoring operations back to the primary site takes 18 hours longer than expected because the team has no clear procedure for "failback." Which DRP component was MOST likely missing?
A. Communication plan
B. Restoration and reconstitution steps
C. Incident escalation criteria
D. Risk register alignment
Follow the Series - Code Red Part 1
#CISSP #CyberSecurity #InfoSec #SecurityLeadership #WomenInCyberforce #WomenInTech #AnyaInCyberSecurity #FromDevToDefender #TechLeadership #DevSecOps #CISSPDomains #BCP #DRP
Credit: I have used information from CISM preparation material. See Pete Zerger's videos if you want to learn in detail.