28 August 2025
ISC2 CC Domain 2
Domain 2: Incident Response, Business Continuity, and Disaster Recovery
This summary captures my understanding of incident response, business continuity, and disaster recovery concepts, written for professional portfolio purposes.
Key Terms
- Breach: Occurs when someone accesses data or systems without proper authorization, or goes beyond their allowed access.
- Event: Any observable occurrence within a system or network.
- Exploit: Using a vulnerability to launch an attack.
- Incident: An event that affects the confidentiality, integrity, or availability of systems.
- Intrusion: A security event in which an unauthorized party gains, or attempts to gain, access to systems.
- Threat: A potential occurrence or situation that could negatively impact systems.
- Vulnerability: A weakness or gap in a system that could be exploited.
- Zero-Day Vulnerability: A previously unknown weakness that attackers may exploit before it is patched.
Goals of Incident Response
- Prioritize the safety and well-being of people first.
- Be prepared with a documented Incident Response Plan (IRP).
- Minimize disruption and help the organization continue essential operations.
Business Continuity (BC)
Purpose: Ensure critical business operations can continue during an incident or disruption.
Essential Elements of a BC Plan:
- Contact lists and backup numbers for key personnel
- Immediate safety and response procedures
- Notification systems or call trees
- Guidance for leadership and delegation of authority
- Criteria for activating the plan
- Contact details for critical partners (vendors, suppliers, customers)
Practical Example:
- A fire damages one department, but other areas continue functioning.
- Temporary workarounds allow critical tasks to continue, for example by having customer service staff take over the main operations.
- A short-term disruption is manageable if financial reserves and contingency plans support ongoing operations.
Key Focus: Communication, backup procedures, structured checklists, and coordination with management, supply chain, and authorities.
Incident Response Plan (IRP) Framework
1. Preparation:
- Develop and approve a formal policy
- Identify critical assets and systems
- Train staff and assign roles
- Establish primary and backup communication channels
2. Detection & Analysis:
- Monitor all potential attack vectors
- Evaluate incidents using threat intelligence
- Prioritize responses based on severity
- Maintain consistent documentation
3. Containment, Eradication & Recovery:
- Collect and preserve evidence
- Select an appropriate containment strategy
- Identify attackers when possible
- Isolate affected systems to prevent further damage
4. Post-Incident Activities:
- Review the incident and document lessons learned
- Improve processes based on findings
- Ensure proper retention of evidence
Disaster Recovery (DR)
Purpose: Restore IT systems, communications, and other critical infrastructure following a disruption.
Difference Between BCP and DRP:
- Business Continuity Plan (BCP): Focuses on maintaining essential business functions during a disruption.
- Disaster Recovery Plan (DRP): Focuses on restoring IT systems and communication channels after a disruption.
DRP Components:
- Executive summary providing a high-level overview
- Department-specific action plans
- Technical instructions for IT personnel
- Full documentation accessible to the DR team
Checklists:
- Step-by-step recovery guides for DR teams
- Technical instructions for IT personnel to set up alternate sites
- Simplified instructions for managers and PR staff to communicate effectively
Key Takeaways
- Incident response, business continuity, and disaster recovery strengthen organizational resilience.
- Clear procedures, defined roles, and effective communication are critical.
- Proper planning ensures essential operations can continue, even at reduced capacity, during and after disruptions.