Contingency Planning

Question 1

What is Contingency Planning (CP)?

Answer 1

Overall planning for unexpected events that threaten information assets and security.

Goal: Restore normal operations with minimum cost and disruption after an incident.

Question 2

Give examples of events covered by contingency planning.

Answer 2

Server/disk failure
Hacker break-in
DoS
Ransomware
Malware
Natural disasters
Extended power failure
Employee error or sabotage.

Question 3

How does contingency planning relate to Risk Management and ISMS?

Answer 3

It is a key part of the Information Security Management System (ISMS). It is reactive (response & recovery after controls fail) and complements preventive controls from risk management

Question 4

What are the three main plans that make up Contingency Planning?

Answer 4

Incident Response Planning (IRP)
Disaster Recovery Planning (DRP)
Business Continuity Planning (BCP)

Question 5

What is the purpose of a Business Impact Analysis (BIA)?

Answer 5

Identify critical processes, assess impact of disruptions, and determine recovery priorities (assuming controls have failed and an attack succeeded)

Question 6

List the 5 key stages of BIA

Answer 6

1) Threat attack identification
2) Business unit analysis
3) Attack success scenarios
4) Potential damage assessment
5) Subordinate plan classification

Question 7

Example of threat damage classification

Answer 7

Negligible – no significant cost of damage
Minor - A non-negligible event with no material or financial impact on the business
Major - Impacts one or more departments and may impact outside clients
Crisis - Has a major material or financial impact on the business

Minor, major and crisis events should be documented and tracked to repair

Question 8

What classification is used to determine the criticality of business processes and services?

Answer 8

Critical $$$ — Cannot be performed manually; very low interruption tolerance
Vital $$ — Manual for very short time only
Sensitive $ — Manual possible for longer, but higher cost
Nonsensitive ¢ — Manual for extended time, low cost

Question 9

What is done to estimate potential damage assessment?

Answer 9

Estimate cost of best, worst, most likely outcomes by preparing an attack scenario end case

Question 10

What are RPO and RTO?

Answer 10

RPO (Recovery Point Objective): Maximum acceptable data loss (how far back in time).

RTO (Recovery Time Objective): Maximum acceptable downtime before recovery.

Question 11

Define these recovery terms: Interruption window, Service Delivery Objective (SDO), Maximum Tolerable Outage

Answer 11

Interruption window: Time the organization can wait before resuming operations.

SDO: Acceptable service level during alternate mode.

Maximum Tolerable Outage: Maximum time allowed in alternate mode.

Question 12

What is an Incident Response Plan (IRP)? Focus?

Answer 12

Set of procedures triggered when an incident is confirmed.
Focus: Detection and response of an incident. It is a reactive measure.

Question 13

What is an “incident” in IRP?

Answer 13

A directed attack with realistic chance of success that threatens CIA of information assets.

Question 14

List the 6 stages of Incident Response

Answer 14

1) Preparation
2) Identification
3) Containment & Escalation
4) Analysis & Eradication
5) Recovery
6) Lessons Learned

Question 15

Name common incident indicators.

Answer 15

Loss of CIA
Policy/law violations
Reports from users, IDS, antivirus, system administrators

Question 16

Give examples of incident containment strategies.

Answer 16

Focus on stopping the incident, recovering control of the systems:

Disconnect circuits
Block traffic (firewall rules)
Disable accounts
Shut down compromised services/servers

Question 17

What are key steps in initiating incident recovery?

Answer 17

Assess damage (preserve evidence)
Fix vulnerabilities
Upgrade/replace controls
Restore from backups
Monitor closely
Rebuild user confidence.

Question 18

What is Disaster Recovery Planning (DRP)? Focus?

Answer 18

Preparation for and recovery from a disaster (natural or man-made).

Focus: Restore operations at the primary site after disaster.

Question 19

When is DRP typically activated?

Answer 19

When an incident becomes uncontainable or damage is severe.

Question 20

How to plan for a disaster?

Answer 20

Scenario development and impact analysis are used to categorise the level of threat of each potential disaster

DRP must be tested regularly

Question 21

List important elements that should be in a DRP.

Answer 21

Clear roles/responsibilities
Alert roster + notification
Priorities, documentation
Mitigation steps
Alternative implementations

Question 22

DRP Contents

Answer 22

Pre-incident readiness
Declaration of disaster
Evacuation
Contact lists (IRT, vendors, insurance, recovery sites, law enforcement)
Step-by-step recovery procedures
Resource requirements

Question 23

What is Business Continuity Planning (BCP)? Focus?

Answer 23

Ensures critical business functions continue during a disaster. Usually owned by the CEO.

Focus: Continue critical operations at alternate site.

Question 24

How do DRP and BCP work together?

Answer 24

They run concurrently. DRP restores the primary site; BCP maintains critical functions at an alternate site.

Question 25

Compare Hot Site, Warm Site, and Cold Site.

Answer 25

Hot Site: Fully configured, ready in hours. Warm Site: Infrastructure ready in days (no/low powered main computer). Cold Site: Basic facility only, ready in weeks.

Question 26

Name other alternate recovery strategies.

Answer 26

Duplicate/redundant facility Reciprocal agreement with another organization Mobile site (trailer w/ comms)

Question 27

What is the typical timeline for IRP, DRP, and BCP?

Answer 27

IRP: Hours (Detection → Reaction → Recovery → Resolved) DRP: Days (Restore primary site) BCP: Days (Alternate site operations)

Question 28

Why is contingency planning important?

Answer 28

It helps restore operations quickly after incidents, minimizes cost and disruption, and is essential when preventive controls fail.