Hello, I'm Claude Williams. I am privileged to present the official preparation content of the Certified Disaster Recovery Engineer, or CDRE. The course and certification are developed, administered, and delivered by Mile2. Mile2 is a global education company with courses and certifications targeted to help professionals develop and demonstrate IT and security skills. The CDRE is one important credential in a robust portfolio of certifications that meet industry standards.

The Certified Disaster Recovery Engineer course is delivered in four phases: pre-planning, planning, post-planning, and the course conclusion. In the pre-planning phase, we will discuss disaster recovery project initiation and functional requirements concepts, to include business impact analysis and risk evaluation. In the planning phase, we will discuss design and development and implementation concepts, including emergency response and operations, IT recovery and resiliency, implementing business continuity planning, or BCP, and awareness and training. In the post-planning phase, we will discuss the critical concepts of testing and exercising plans. The outcomes from testing become one of the vectors by which we maintain appropriate plans. Thus, we will discuss plan maintenance and plan execution techniques. At the conclusion of the course, we will discuss some well-recognized cyber attacks that drive the requirements for business continuity and disaster recovery. We will finish up with a brief review that emphasizes those concepts you are required to have well comprehended in order to successfully pass the CDRE exam.

Speaking of the exam, the following details the examination experience. There are 100 multiple-choice questions with only one answer for each, either A, B, C, or D. In other words, none of the questions will require you to choose all of the above or select two out of four answers. The candidate is given two hours to complete the exam.
A question with no marked answer is considered incorrect and will be graded as such, so be sure to answer all the questions. The results will be provided immediately upon exam completion.

Business continuity planning is one of the major spokes on the business assurance wheel, with business requirements forming the center. Without understanding the business mission, drivers, applicable laws and regulations, and overall strategy, business continuity planning will be inadequate and incapable of providing true business value. With a perspective formulated from risk management and a business impact assessment, a process for continuity, resiliency, and recovery can properly be fashioned for an organization.

Since many professionals use business continuity planning terms ambiguously, let's get the technical definitions of some common terminology clarified for our discussions. Business continuity is defined as the activities that ensure critical business functions will be available, and is manifest in an organization's methodical approach to conducting day-to-day business. Business resiliency is the ability of an organization and its resources to absorb the impact of an incident and continue to provide a minimum acceptable level of service. Business recovery is a small subset of business continuity that manifests as the process, policies, and procedures related to preparing for recovery and continuation of technology infrastructure after a natural or human-induced disaster.

Of course, the concepts of business continuity planning have a direct relationship to another spoke on the business assurance wheel called security. There are three main security principles: confidentiality, integrity, and availability, more commonly referred to by the acronym C-I-A. The concepts of business continuity planning directly meet the principle of availability, with a lesser regard to integrity.
Thus, it is important that organizations understand the need to integrate business continuity planning with the security strategy.

You might ask, what is a disaster? By strict definition, a disaster is a calamitous event, especially one occurring suddenly and causing great loss of life, damage, or hardship. A disaster can be the result of nature, like floods, severe weather, or earthquakes. A disaster can also be human-induced, in other words, an anthropogenic hazard, such as negligence, errors, crime, or terrorism. In more technical and practical terms, a disaster is any event that causes business or technology function disruption that, if sustained, could lead to business failure. The disruption could result from severe physical or perceived damage and/or prolonged interruption of capabilities, such as a destroyed processing facility, a power outage, a flu outbreak, or violation of regulatory requirements.

A critical function of business is defined as a function that, if disrupted for a significant period of time, could result in severe damage and loss to the organization and ultimately lead to business failure. In other words, critical business functions are the arteries and veins of a business that, if disrupted, could lead to the organization's demise. Thus, business continuity planning is a matter of business survival, addressing availability and, in some cases, integrity of critical functions.

In 2005, business continuity planning saw growth in organizational awareness, penetrating all the way down to the smallest of companies, as evidenced by comments that year from Brett Caine, the VP and General Manager of Citrix Online. Based on a survey Citrix sponsored, he stated, "In view of recent threats to business operations, from Hurricane Katrina to the Asian bird flu, we're not surprised that a number of small companies are moving continuity planning higher on their to-do list."
Business continuity planning is defined as proactive planning that facilitates the rapid recovery of business operations to reduce the overall impact of a disaster while ensuring the continuity of critical business functions during and after a disaster. Furthermore, business continuity planning contains specific tasks, activities, guidelines, and procedures required to enable continuous delivery of products and services in the event of a disruption to mission-critical IT systems and application processes. A business continuity program will help an organization maintain the resiliency, robustness, and redundancy of its systems, assets, and services.

These business continuity terms can be a bit abstruse, so why don't we take a minute to provide them with some much-needed clarity. The word resiliency is defined as the ability of an organization and its resources to absorb the impact of an incident and continue to provide a minimum acceptable level of service. Robustness is the ability of a system to cope with errors without compromise of its initial stable configuration. And redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability, such as a backup mechanism.

A business continuity program provides procedures and mechanisms for prevention, response, continuity, and recovery prior to, during, and after disruption. Business continuity planning is vital to the survival of organizations in the post-9/11 world. Business continuity planning is included as a fundamental cornerstone of a sound emergency preparedness and security program. Business continuity planning enables organizations to survive disruption, including incidents, emergencies, outages, and disasters, while continuing to deliver their critical products and services.

According to that same study in 2005 by Citrix Online, four years after the tragedy of 9/11, fewer than one-third of U.S. businesses say that they are ready with a business continuity plan if a disaster strikes. Yet, 34% indicated that business continuity is more important today than it was five years ago, citing an increased threat of terrorism, natural disasters, and economic fluctuations, as well as greater business volume. This shows that it has taken a number of catastrophic events beyond 9/11 to firmly place business continuity planning in the high-priority category for most organizations. Some of the additional events that formed the impetus for business continuity planning today are the Northeast Blackout of 2003, the Asian bird flu scare, which became news as early as the same year, Hurricane Katrina in 2005, and most recently Hurricane Sandy.

As previously mentioned, disaster recovery is a subset of business continuity. Business continuity involves planning for the continuation of critical aspects of business processes in the midst of disruptive events. Disaster recovery focuses on the IT capabilities and technology systems that support business functions. Disaster recovery planning, or DRP, basically addresses detailed guidelines, procedures, and job steps to recover each specific system from a point of failure, in order of critical business functions' priority, sequentially or concurrently. DRP is defined as the procedures for emergency response, extended backup operations, and post-disaster recovery when the computer installation suffers loss of computer resources and physical facilities. In practice, the business continuity plans are considered deficient if disaster recovery plans are missing or incomplete.

Just like physical security concepts, business continuity planning concepts focus on preservation of life as the top priority, then business survival processes and systems. Thus, the business continuity plans must place an emphasis on emergency response to avoid or minimize injury to personnel and then company assets.
Emergency response is an organization's planned and coordinated response to a disaster event in an effective and timely manner.

BCP and DRP are closely related practices that describe an organization's preparations for unforeseen risks to continued operations. The trend of combining business continuity and disaster recovery into a single term has resulted from a growing recognition that both business executives and technology executives need to be closely collaborating instead of developing plans in isolation. Integration has become essential to meet the requirements of minimizing the impact of strategic and operational risks related to disruption.

As mentioned, preservation of life is the first goal in business continuity and disaster recovery planning. Additional goals are to reduce risk of financial loss, improve an organization's ability to recover and restore processes and systems while mitigating the effects of a disaster, improve responsiveness to unexpected events, ease confusion during a crisis, and get people back to their normal work routines expeditiously.

Because the risks that are being planned for are usually categorized as high impact but low probability, it's hard to gain commitment from senior management. Thus, a business case must be made to justify the allocation of resources. The business case must validate vulnerabilities, express regulatory, legal, and contractual obligations, detail current status of recovery plans and deficiencies, and incorporate recommendations from experts.

Very rudimentary reasoning for business continuity planning is grounded in Rudin's law, which states that when a crisis forces choosing among alternatives, most people will choose the worst possible one. Certainly, we cannot ignore Murphy's law here as well, which states anything that could go wrong will go wrong. Both laws are extremely germane to why organizations should undertake a methodical process of preparing for disaster events.
Unfortunately, as evidenced by the operational and financial losses resulting from over a decade of major disasters suffered by our nation, a minority of companies have business continuity plans, and of the companies that do, those plans are neither realistic nor workable, and people will not support a plan they don't believe in.

Some serious challenges to effective business continuity planning are as follows.

One, lack of senior management support. Senior management will always be reluctant to spend money on low probability events, no matter how high the associated impact may be.

Two, lack of time. Staff always seems to be overworked and underpaid. Finding the time to research, design, develop, and implement business continuity components can be arduous and met with great resistance. This challenge can only be overcome when the challenge of senior management support has been successfully addressed.

Three, capital expense. Depending on recovery time objectives, recovery point objectives, and other relevant metrics, continuity solutions can be very expensive to implement and maintain.

Four, poorly defined plans. Without proper understanding of business requirements, strategy and architecture, and the risk landscape, business continuity plans have little opportunity to meet stakeholders' expectations.

Five, lack of training and testing. During a disaster event, people need to quickly move from chaos to some sense of order. Even with written plans and procedures, personnel must be well trained, otherwise the resultant activities have little probability of success. Furthermore, without proper testing, there is little to no confidence by management in the appropriateness and completeness of the plans and the planning process.

Six, complexity of technology. The technologies involved in timely response and recovery tend to be expensive and complex.

Seven, lack of qualified staff. With respect to the previously mentioned challenge, the need for qualified staff is imperative to successfully implement plans and execute associated tactics and technologies. Such staff can be expensive due to the requirement for prerequisite skills and adequate training.

And finally, eight, frustration and lack of direction. Due to the previously mentioned challenges, frustration by management and staff can set in if appropriate direction and objectives have not been established and effectively communicated.

Now, let's move into the meat of the course. There are seven widely accepted phases to business continuity planning. One, project initiation phase. Two, functional requirements phase. Three, design and development phase. Four, implementation phase. Five, testing and exercising phase. Six, maintenance and updating phase. And seven, execution phase.

Of course, our discussion will begin at the top with the project initiation phase. During the project initiation phase, project requirements and structure are being discerned. The focus at this phase is to understand the background underlying the need for such a project, as well as the project scope, objectives, goals, and teams required to address the different interrelated activities of business continuity planning development, implementation, and maintenance.

The outcomes of the project initiation phase of business continuity planning are to, one, establish the need for business continuity planning. Two, get executive management support. Three, establish a business continuity planning governance structure. Four, create a work plan. Five, report to management to obtain approval. And six, establish management capabilities to sustain the business continuity and disaster recovery program.

The reason for establishing a business continuity program within an organization can be as straightforward as legislative, regulatory, and contractual obligations to do so.
More qualitative reasons for the need for a business continuity program can be expressed as increased liabilities and more time-sensitive business processes. As previously stated, business continuity planning is about business survival. Given five businesses that experience a disaster event or an extended disruption, two will suffer immediate and complete business failure and a third business will fail within two years of the event. In other words, sixty percent of businesses that experience a disaster will cease operations within two years.

Gaining commitment from management requires a well-crafted business case promoting the benefits of a mature business continuity and disaster recovery program. The business continuity manager should detail how the program maps to the business mission, mandates, goals, and objectives. Without management's commitment, it is impossible to get adequate resources to establish and maintain a business continuity program. Obtaining senior management's commitment ensures cooperation from all areas of the organization, minimizing possible resistance from departments within the organization.

A business continuity program structure commensurate with corporate governance is essential to establish clear lines of authority and accountability as well as responsibility, and will enable senior managers to sort out competing interests. Business continuity governance must include some form of a business continuity planning steering committee to allow internal stakeholders a sense of ownership regarding business continuity strategy and high-level tactics. The steering committee, along with other business continuity management, is primarily responsible for development of a business continuity plan policy that defines the characteristics of a business continuity and disaster recovery program, including scope, mission, and other related policies.
Since this project will begin the process of inserting a business continuity function into the organization, the business continuity planning policy developed during project initiation must provide a framework for plan development, recovery strategies, and notification. The policy should, at a high level, identify critical services and their related time sensitivity.

The business continuity program will be highly visible and a bit invasive to implement. Thus, there is a need for clearly defined roles and responsibilities from the strategic levels to the operational levels of business, including the board of directors and executive management, the steering committee, the risk compliance officer, business continuity coordinator, disaster recovery coordinator, the IT department, the security function, and the other operational departments. The policy should distinctly and unambiguously outline these roles and responsibilities, including how the business continuity and disaster recovery teams and business continuity working groups are to conduct activities.

Once the policy has been developed, it must be communicated. Effective communication is critical to business continuity planning, governance, and program management. Thus, the policy itself must also define a communication strategy.

In this phase, a planning team develops a work plan outlining the activities necessary to implement the business continuity project. The plan must be mapped to the business of the organization and based on worst-case scenarios such as the loss of facility, IT capabilities, communications, operational departments, and works in process. This plan assists business continuity management with identifying high-level resource requirements like staff, consultants, training, time, and software. Once high-level resources are identified, budget development can begin with a focus on plan development, planning expenses, post-planning exercises, and recovery expenses.
The plan, including the budget, must be well documented and presented for management's approval. Before the business continuity program can be implemented, senior management must approve both the business continuity policy, which includes the proposed governance structure, and the business continuity plan, which includes the budget. Management must carefully evaluate the projected program costs compared to the perceived value of the program to the organization. In addition, management must carefully consider proposed and collateral organizational changes in operations and agendas.

Once executive management approves the business continuity policy and the business continuity work plan, the business continuity manager kicks off the project by meeting with key organizational persons to ensure effective communication of roles and responsibilities. As the project proceeds, the business continuity planning team should implement the outlined communication strategy with a regular feedback schedule, which should, one, report progress, issues, and/or changes required on an ongoing basis; two, curtail scope creep; and three, produce status reports of key elements to send to the steering committee.

The success of the program is dependent upon the people that implement the program's activities and capabilities. To enforce adoption and continued support, implementers must feel included in business continuity solutions design. The communication tactics must help to assess people's experience that would be beneficial to the program, help to develop allies, help to demonstrate the program's value to the business, and ensure that the goals of the program are consistently promoted.

The business continuity and disaster recovery program has a distinct life cycle, as illustrated in the current graphic. The illustration depicts general business continuity phases on the inside and interrelated business continuity processes on the outside.
A business continuity program must be justified, which can be achieved by conducting both a business impact analysis and a risk assessment. The business continuity architecture is manifest in the business continuity strategy development and disaster recovery planning. Implementation of business continuity capabilities must include training, drilling, and testing. As an integral part of business continuity management, capabilities must be reviewed, audited, and, when prudent, adjusted. As the name denotes, this is a cyclical management function which requires that such a program continue to justify its investment by consistently demonstrating how it is vital to addressing business operations risk.

In summary, in this section we discussed the Certified Disaster Recovery Engineer exam experience; the phases of business continuity planning; the reasons why business continuity and disaster recovery planning are important to each organization; the differences in terminology, including continuity, resiliency, and disaster recovery; and the objectives of the first phase, project initiation, of the business continuity planning model, including establishing the need for business continuity planning, getting executive management support, establishing a governance structure, creating a work plan, obtaining management's approval, and managing the business continuity and disaster recovery program. Lastly, a high-level overview of the business continuity program management life cycle was provided.