BC, DR, and IR Event Handling Drill
Key Takeaways
- Business continuity keeps critical operations running, disaster recovery restores technology services, and incident response handles security events.
- A good first action depends on the event: protect life, contain active compromise, preserve evidence, or activate continuity plans.
- RTO is the target time to restore service, while RPO is the acceptable amount of data loss measured in time.
- Incident handling typically moves through preparation, detection, analysis, containment, eradication, recovery, and lessons learned.
- Communication should follow the plan, use approved contacts, and avoid unsupported claims during an event.
Business continuity, disaster recovery, and incident response overlap, but they are not the same. Business continuity keeps essential business processes operating during a disruption. Disaster recovery restores technology and facilities after a disruptive event. Incident response identifies, contains, eradicates, and recovers from security incidents while preserving useful evidence and reducing damage. In an integrated exam scenario, the question usually asks for the next best action, so the order in which you do things matters as much as what you do.
Lab Scenario
At 8:15 a.m., employees report that shared drives show ransom notes. At 8:20 a.m., the phone system begins failing. At 8:25 a.m., a facilities alert reports smoke near the server room. At 8:30 a.m., a customer asks whether personal data has been exposed. Several teams want different actions immediately.
Do not choose a single memorized step for all events. Life safety comes before equipment. Active ransomware requires containment. Recovery requires known-good backups and priorities. Customer communication requires facts and approved messaging. The strongest answer follows the plan and uses the right role for the decision.
Decision Table
| Event clue | Best immediate focus | Reason |
|---|---|---|
| Smoke, fire, or physical danger | Life safety and emergency procedures | People come before systems |
| Ransom notes appearing on file shares | Contain affected systems and preserve evidence | Stop spread and support analysis |
| Critical service unavailable | Activate continuity or recovery plan | Maintain essential operations |
| Media asks for details during investigation | Use approved communications process | Avoid speculation and unauthorized disclosure |
| Backups exist but were never tested | Treat recovery confidence as low | Backups are only useful if restorable |
RTO and RPO Drill
RTO is the recovery time objective: how long the business can tolerate a service being down. RPO is the recovery point objective: how much data loss, measured in time, is acceptable. If payroll has an RTO of 8 hours, the recovery plan must restore payroll within that target, including the time needed to locate, verify, and restore the backup. If payroll has an RPO of 1 hour, backups or replication must capture changes at least hourly, so that no more than about one hour of data is lost. These are business requirements, not technical preferences, and an untested backup cannot be counted on to meet either one.
In the ransomware scenario, restoring the most visible server first may be wrong if another service has a shorter RTO. A public website may matter, but payroll, patient care, order processing, or safety systems may have higher priority depending on the organization. Good recovery follows documented priorities.
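The following is an added example, not part of the original drill: a small restore planner that orders services by RTO, checks each one's RPO against the age of its last verified backup, and simulates a serial restore to show which targets would be met. The service names, RTO/RPO values, backup timestamps, and restore durations are constructed for illustration and are not from the page. The second plan restores in "most visible first" order to show why that can miss a shorter RTO.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed drill data (assumed values, not from the page).
INCIDENT_TIME = datetime(2024, 5, 6, 8, 15)


@dataclass
class Service:
    name: str
    rto_hours: float            # maximum tolerable downtime
    rpo_hours: float            # maximum tolerable data loss, measured in time
    last_good_backup: datetime  # most recent backup believed restorable
    restore_hours: float        # estimated time to restore from that backup
    backup_tested: bool = True  # untested backups lower recovery confidence


# Listed in "visibility" order: the public website first, as a naive responder might.
SERVICES = [
    Service("website", rto_hours=24, rpo_hours=24,
            last_good_backup=datetime(2024, 5, 6, 0, 0), restore_hours=1.0),
    Service("payroll", rto_hours=8, rpo_hours=1,
            last_good_backup=datetime(2024, 5, 6, 7, 30), restore_hours=3.0),
    Service("orders", rto_hours=4, rpo_hours=0.25,
            last_good_backup=datetime(2024, 5, 6, 6, 0), restore_hours=2.0,
            backup_tested=False),
    Service("phones", rto_hours=2, rpo_hours=4,
            last_good_backup=datetime(2024, 5, 6, 5, 0), restore_hours=1.5),
]


def rpo_gap_hours(svc, incident_time):
    """Hours of data that would be lost by restoring the last good backup."""
    return (incident_time - svc.last_good_backup).total_seconds() / 3600


def rpo_met(svc, incident_time):
    return rpo_gap_hours(svc, incident_time) <= svc.rpo_hours


def restore_order(services):
    # Shortest RTO first; on a tie, the longer restore starts earlier
    # because it is the one most likely to miss its deadline.
    return sorted(services, key=lambda s: (s.rto_hours, -s.restore_hours))


def plan(services, incident_time, parallel_restores=1, prioritize=True):
    """Greedy schedule: each service goes to the restore slot that frees first.

    Returns one record per service with its finish time (hours after the
    incident) and whether RTO and RPO are met.
    """
    queue = restore_order(services) if prioritize else list(services)
    slots = [0.0] * parallel_restores
    schedule = []
    for svc in queue:
        i = min(range(len(slots)), key=lambda k: slots[k])
        finish = slots[i] + svc.restore_hours
        slots[i] = finish
        schedule.append({
            "service": svc.name,
            "finish_hours": finish,
            "rto_met": finish <= svc.rto_hours,
            "rpo_met": rpo_met(svc, incident_time),
            "data_loss_hours": round(rpo_gap_hours(svc, incident_time), 2),
            "confidence": "normal" if svc.backup_tested else "low",
        })
    return schedule


def run_drill():
    """Return the prioritized plan and the naive visibility-ordered plan."""
    return plan(SERVICES, INCIDENT_TIME), plan(SERVICES, INCIDENT_TIME, prioritize=False)


if __name__ == "__main__":
    prioritized, naive = run_drill()
    for label, sched in (("by RTO", prioritized), ("by visibility", naive)):
        print(f"--- restore order {label} ---")
        for r in sched:
            print(f"{r['service']:8} done at +{r['finish_hours']:>4}h  "
                  f"RTO {'ok' if r['rto_met'] else 'MISSED'}  "
                  f"RPO {'ok' if r['rpo_met'] else 'MISSED'} "
                  f"(loses {r['data_loss_hours']}h)  confidence={r['confidence']}")
```

With one restore team, the RTO-ordered plan meets every RTO, while restoring the website first causes both the phone system and order processing to miss theirs. The order service also fails its RPO regardless of ordering, because its last backup is older than its 15-minute RPO allows, and its untested backup is flagged low confidence, which is the point of the "never tested" row in the decision table.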
Incident Response Flow
| Phase | Practical action |
|---|---|
| Preparation | Plans, contacts, logging, tools, backups, training |
| Detection and analysis | Validate alert, scope affected systems, identify indicators |
| Containment | Isolate hosts, block malicious traffic, disable abused accounts |
| Eradication | Remove malware, close exploited weaknesses, reset credentials |
| Recovery | Restore from known-good sources and monitor closely |
| Lessons learned | Update controls, procedures, training, and documentation |
Containment is not the same as eradication. Pulling a system off the network may stop the spread, but it does not prove the attacker is gone. Prefer disconnecting a host to powering it off where the plan allows: the network isolation contains the threat while memory and running-process evidence stay available for analysis. Restoring from backup before the entry point is closed and abused credentials are reset invites reinfection. Publicly promising that no data was exposed before analysis is complete creates legal and trust risk.
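To make the detection-to-containment hand-off concrete, here is an added example (not from the page) that runs simple ransomware triage over a constructed file-server audit log: it hashes the raw log for evidence, flags any account that renames files to a ransom-style extension or drops a ransom note more than a threshold number of times inside a short window, and emits containment actions for that account and the hosts it touched. The log format, host names, user names, paths, extension list, and thresholds are all assumptions for illustration. The plan deliberately records that eradication has not happened, since isolation alone does not remove the attacker.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (assumed format and names, not from the page).
SAMPLE_LOG = r"""2024-05-06T08:13:51 host=FS01 user=CORP\svc-backup action=READ path=\\FS01\finance\ledger.xlsx
2024-05-06T08:13:58 host=FS02 user=CORP\asmith action=RENAME path=\\FS02\hr\report_draft.docx new=report_final.docx
2024-05-06T08:14:02 host=FS01 user=CORP\jdoe action=RENAME path=\\FS01\finance\q1.xlsx new=q1.xlsx.locked
2024-05-06T08:14:03 host=FS01 user=CORP\jdoe action=RENAME path=\\FS01\finance\q2.xlsx new=q2.xlsx.locked
2024-05-06T08:14:03 host=FS01 user=CORP\jdoe action=RENAME path=\\FS01\finance\budget.pptx new=budget.pptx.locked
2024-05-06T08:14:05 host=FS02 user=CORP\jdoe action=RENAME path=\\FS02\hr\roster.xlsx new=roster.xlsx.locked
2024-05-06T08:14:06 host=FS02 user=CORP\jdoe action=RENAME path=\\FS02\hr\policies.docx new=policies.docx.locked
2024-05-06T08:14:07 host=FS02 user=CORP\jdoe action=CREATE path=\\FS02\hr\RESTORE_FILES.txt
2024-05-06T08:14:09 host=FS01 user=CORP\jdoe action=CREATE path=\\FS01\finance\RESTORE_FILES.txt
2024-05-06T08:15:40 host=FS01 user=CORP\svc-backup action=READ path=\\FS01\finance\ledger.xlsx
"""

# Assumed indicators: extensions and note names a responder might load from threat intel.
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")
RANSOM_NOTE_NAMES = {"RESTORE_FILES.txt", "README_DECRYPT.txt"}
WINDOW = timedelta(seconds=60)   # burst window for mass renames
THRESHOLD = 5                    # suspicious events inside one window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)


def parse(log_text):
    """Turn audit lines into dicts; lines that do not match are skipped, not guessed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def is_suspicious(e):
    if e["action"] == "RENAME" and e["new"]:
        return e["new"].lower().endswith(RANSOM_EXTENSIONS)
    if e["action"] == "CREATE":
        return e["path"].rsplit("\\", 1)[-1] in RANSOM_NOTE_NAMES
    return False


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Per account, find the first burst of >= threshold suspicious events within `window`."""
    hits = defaultdict(list)
    for e in events:
        if is_suspicious(e):
            hits[e["user"]].append((e["ts"], e["host"]))
    findings = {}
    for user, items in hits.items():
        items.sort()
        for i in range(len(items)):
            j = i
            while j < len(items) and items[j][0] - items[i][0] <= window:
                j += 1
            if j - i >= threshold:
                findings[user] = {
                    "count": j - i,
                    "first_seen": items[i][0],
                    "hosts": sorted({h for _, h in items[i:j]}),
                }
                break
    return findings


def containment_plan(findings, raw_log_bytes):
    """Evidence first, then containment; eradication is explicitly still open."""
    actions = []
    for user, f in findings.items():
        actions.append(f"disable account {user}")
        for host in f["hosts"]:
            actions.append(f"isolate {host} from the network; keep it powered on for memory capture")
    return {
        "evidence_sha256": hashlib.sha256(raw_log_bytes).hexdigest(),
        "actions": actions,
        "eradication_done": False,   # entry point not yet closed; do not restore yet
    }


def run_triage(log_text=SAMPLE_LOG):
    return containment_plan(detect(parse(log_text)), log_text.encode())


if __name__ == "__main__":
    for k, v in run_triage().items():
        print(k, v)
```

The normal rename by the second user and the backup account's reads never reach the threshold, so only the encrypting account and the two file servers it touched land in the plan. In practice the same logic would read from the real audit source and feed a ticket or SOAR step; the point here is the ordering: hash the evidence, contain, and leave restoration until eradication is confirmed.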
Multi-Domain Drill
For each event, connect the domain concepts. Ransomware affects availability and possibly confidentiality. Least privilege can limit spread. Network segmentation can contain impact. Backups and DR support recovery. Security operations triage validates alerts. Governance defines who declares an incident and who contacts customers, regulators, insurers, or law enforcement.
The exam-friendly answer is calm and procedural: protect people, contain active harm, preserve evidence, communicate through approved channels, restore according to business priorities, and improve the plan after the event.
During a suspected ransomware incident, several file servers are actively encrypting shared data. What is the best immediate security action?
A system has an RTO of 4 hours. What does that mean?
Which activity belongs most clearly in lessons learned after an incident?