PART 5 – CISA Domain 2 – Governance and Management of IT
What is the criticality analysis and system classification?
What are the components in Business Continuity Planning?
What is Plan testing?

13. Criticality analysis and classification of systems:
Critical – These functions are essential and cannot be performed unless they are replaced by identical capabilities.
Vital – These functions can be performed manually, but only for a short time (usually five days or less).
Sensitive – These functions can be performed manually, at a reasonable cost and for a longer period of time, but doing so is usually a complex process that requires additional staff.
Non-sensitive – These functions can be interrupted for a prolonged period of time at little to no cost to the company and require little to no catching up once they are restored.
Here are some points to keep in mind:
People (human resources) are the first resource that must be protected when designing continuity plan provisions and processes.
Defining the BCP scope is the first step in the business continuity life cycle; risk assessment comes next.
This insurance covers employees who commit dishonesty or fraud.
14. Components of Business Continuity Planning
Business Continuity Planning (BCP) – Provides procedures to sustain mission/business operations while recovering from a significant disruption.
Continuity of Operations Plan (COOP) – Provides guidance and procedures to support an organization's Mission Essential Functions (MEFs) at an alternate site for up to 30 days.
Plan for business resumption – Provides procedures to relocate information systems operations to another location.
Continuity plan/IT contingency plan
Plan for crisis communications
Incident response plan
Plan for transportation
Occupant emergency plan (OEP)
Evacuation and emergency relocation plan
Here are some points to keep in mind:
The Business Continuity Coordinator, or any backup personnel identified in the succession plans, is authorized to declare a disaster.
The Board of Directors is responsible for creating contingency plans across the organization.
15. Plan Testing:
Testing should be scheduled at a time that minimizes disruption to normal operations.
It is important that key members of the recovery team are involved in the testing process and given the time to give their best effort.
All critical components should be addressed, and simulations of prime-time processing conditions should be used even if the test takes place in the evening.
Test execution phases: Pre-test, Test, Post-test
Types of tests
Paper test/desk-based evaluation – This is a paper walk-through of the plan involving the major players in its execution, who think through what would happen in a particular kind of service disruption.
Preparation test – This is usually a localized version of a full test, where actual resources are used to simulate a system crash.
Full operational test – This is the test closest to an actual service disruption. Before attempting to shut down operations completely, the organization should have thoroughly tested the plan on paper.

