Domain 3 · 3.4 Resilience & Recovery

3.4.3 Continuity & Capacity Planning

17 min

Continuity and capacity planning refers to the proactive strategies and resource management required to ensure that mission-essential functions remain available during and after a disruptive event.

Business Impact Analysis (BIA) The BIA is the foundational step of contingency planning, used to identify critical systems and the potential consequences of their disruption. - Mission-Essential Functions: Identifying the core workflows that the organization depends on to operate. - Resource Requirements: Evaluating the specific tools, hardware, and interdependencies required to resume business processes. - Criticality Assessment: Determining which systems must be recovered first based on their impact on the organization's survival. - Identification of Critical Systems: Validating the hardware and software assets that support essential business functions.

Recovery Metrics and Continuity To bridge the gap between security and functionality, organizations must establish clear timelines for restoration. - RTO (Recovery Time Objective): The maximum amount of time a system can be down before the organization suffers unacceptable consequences. - RPO (Recovery Point Objective): The maximum amount of data loss measured in time (e.g., losing four hours of data). - MTTR (Mean Time to Repair): The average time required to fix a failed component. - MTBF (Mean Time Between Failures): A measure of system reliability and predicted lifespan. - Redundancy: Implementing hardware and power backups to ensure high availability and eliminate single points of failure.

Governance and Data Roles Ensuring continuity requires clear accountability for data integrity and protection, often governed by frameworks like GDPR. - Data Controller: The entity or individual responsible for determining the purposes and means of processing PII (Personally Identifiable Information). - Data Processor: The entity that handles data on behalf of the controller, following their specific guidelines. - Data Custodian: The technical role responsible for managing the actual storage, transport, and security of the data set. - Data Owner: Usually a senior executive who is ultimately responsible for the data and decides who can access it.

Capacity Planning Capacity planning ensures that the infrastructure has the resources to handle current and future workloads without compromising availability. - Vulnerability Scans: Regular assessments to ensure that capacity-related patches or configurations do not introduce security gaps. - Functionality vs. Security: A balance must be maintained so that security controls do not consume so many resources that the system becomes unavailable. - Resource Monitoring: Tracking CPU, memory, and bandwidth to prevent outages caused by exhaustion.

Quick recall - BIA Focus: Identifying mission-essential functions and critical systems. - Availability: The "A" in the CIA triad; ensures functional systems are accessible to authorized users. - GDPR Roles: The Controller mandates the rules; the Processor executes the work; the Custodian handles technical maintenance. - Trigger words: "Criticality," "Interdependencies," "Maximum tolerable downtime," and "NIST SP 800-34."