BC, DR, and IR Event Handling Drill

Key Takeaways

  • Business continuity keeps critical operations running, disaster recovery restores technology and facilities, and incident response handles security events.
  • The best first action depends on the event, and the priority order is fixed: protect life, then contain active compromise, then preserve evidence, then activate continuity plans.
  • RTO is the target time to restore a service; RPO is the acceptable amount of data loss measured in time.
  • Incident handling moves through preparation, detection and analysis, containment, eradication, recovery, and lessons learned, and containment is not eradication.
  • Communication follows the plan, uses approved contacts, and avoids unsupported claims such as 'no data was exposed' before analysis is complete.
Last updated: June 2026

Three Disciplines, One Timeline

Business continuity, disaster recovery, and incident response overlap but are distinct. Business continuity (BC) keeps essential business processes operating during disruption. Disaster recovery (DR) restores technology and facilities after a disruptive event. Incident response (IR) identifies, contains, eradicates, and recovers from security incidents while preserving useful evidence. In an integrated item on the ISC2 Certified in Cybersecurity (CC) exam, the question usually asks for the next best action, so timing decides the answer. This domain is only 10 percent of the exam, but it pairs constantly with Security Operations and Network Security in scenario items.

Lab Scenario

At 8:15 a.m., employees report ransom notes on shared drives. At 8:20 a.m., the phone system begins failing. At 8:25 a.m., a facilities alert reports smoke near the server room. At 8:30 a.m., a customer asks whether their personal data was exposed. Several teams want to act at once.

Do not apply one memorized step to every event. Life safety comes before equipment. Active ransomware needs containment. Recovery needs known-good backups and documented priorities. Customer communication needs verified facts and approved messaging. The strongest answer follows the plan and routes each decision to the right role.

Event-Clue Decision Table

Event clue                                           | Best immediate focus                        | Reason
Smoke, fire, or physical danger                      | Life safety and emergency procedures        | People come before systems, always
Ransom notes appearing on file shares                | Contain affected systems; preserve evidence | Stop spread and support later analysis
Critical service unavailable                         | Activate BC or DR plan                      | Maintain essential operations
Media or customer asks for details mid-investigation | Use the approved communications process     | Avoid speculation and premature disclosure
Backups exist but were never tested                  | Treat recovery confidence as low            | A backup is useful only if it restores

RTO and RPO Drill

Recovery time objective (RTO) is the target time within which a service must be restored after a disruption, set so that downtime ends before the business is seriously harmed. Recovery point objective (RPO) is how much data loss, measured in time, is acceptable. If payroll has an RTO of 8 hours, the recovery plan must restore payroll within 8 hours. If payroll has an RPO of 1 hour, backups or replication must limit data loss to about one hour, which a single nightly backup cannot do. These are business requirements derived from the business impact analysis, not arbitrary technical preferences.

In the ransomware scenario, restoring the most visible server first can be wrong if another service has a shorter RTO. A public website matters, but payroll, patient care, order processing, or safety systems may rank higher depending on the organization. Recovery follows documented priorities, not whoever shouts loudest.
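
The two rules above, restore in RTO order and keep the backup interval inside the RPO, worked through as an added example (this code is not from the original page). The services, their RTO/RPO values, restore durations and backup intervals are constructed for illustration; in practice they come from the BIA. With one recovery team, restoring the most visible service first pushes a later service past its RTO, while earliest-deadline-first ordering meets every target, and the nightly payroll backup is flagged against its one-hour RPO.

```python
"""Recovery sequencing drill: restore in RTO order (earliest deadline first),
check every backup interval against its RPO, and flag what misses.

Added example, not part of the original page. The services, RTO/RPO values,
restore durations and backup intervals below are constructed for illustration;
in practice they come from the organisation's BIA."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    rto_hours: float              # target time to have the service back
    rpo_hours: float              # acceptable data loss, measured in time
    restore_hours: float          # estimated time to restore from a known-good copy
    backup_interval_hours: float  # how often a restorable copy is taken


# Constructed BIA excerpt. The public website is the most visible service,
# not the most urgent one.
BIA = [
    Service("public-website",   rto_hours=24, rpo_hours=24,   restore_hours=2, backup_interval_hours=24),
    Service("payroll",          rto_hours=8,  rpo_hours=1,    restore_hours=3, backup_interval_hours=24),
    Service("order-processing", rto_hours=4,  rpo_hours=0.25, restore_hours=2, backup_interval_hours=0.25),
    Service("file-share",       rto_hours=12, rpo_hours=4,    restore_hours=6, backup_interval_hours=4),
]


def recovery_order(services):
    """Earliest deadline first: whatever must be back soonest is restored first."""
    return sorted(services, key=lambda s: (s.rto_hours, s.name))


def schedule(ordered_services, parallel_teams=1):
    """Simulate restores in the given order with a fixed number of recovery teams.

    Returns [(name, finish_hour, meets_rto)]. Each restore goes to the team that
    frees up first, so with one team a long restore early in the queue delays
    everything behind it."""
    team_free_at = [0.0] * parallel_teams
    result = []
    for svc in ordered_services:
        team = min(range(parallel_teams), key=lambda k: team_free_at[k])
        finish = team_free_at[team] + svc.restore_hours
        team_free_at[team] = finish
        result.append((svc.name, finish, finish <= svc.rto_hours))
    return result


def rpo_gaps(services):
    """A copy taken every N hours can lose up to N hours of data, so the
    interval must not exceed the RPO. Returns the services whose schedule fails."""
    return [s.name for s in services if s.backup_interval_hours > s.rpo_hours]


if __name__ == "__main__":
    by_name = {s.name: s for s in BIA}
    loudest_first = [by_name[n] for n in ("public-website", "order-processing", "payroll", "file-share")]
    for label, order in (("by RTO", recovery_order(BIA)), ("loudest first", loudest_first)):
        print(f"-- restore order: {label}")
        for name, finish, ok in schedule(order):
            print(f"   {name:17s} back at +{finish:4.1f}h  {'meets RTO' if ok else 'MISSES RTO'}")
    print("backup interval exceeds RPO:", rpo_gaps(BIA))
```

The scheduler is deliberately simple (restores are sequential per team and durations are estimates); its point is that the order is decided by documented RTOs, and that adding a second team is one way the plan can buy back a missed target without reordering priorities.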

Incident Response Flow

Phase                  | Practical action
Preparation            | Plans, contact lists, logging, tools, backups, training
Detection and analysis | Validate the alert, scope affected systems, identify indicators
Containment            | Isolate hosts, block malicious traffic, disable abused accounts
Eradication            | Remove malware, close exploited weaknesses, reset credentials
Recovery               | Restore from known-good sources and monitor closely
Lessons learned        | Update controls, procedures, training, and documentation

Containment is not eradication. Pulling a host off the network contains spread but does not prove the attacker is gone. Restoring from backup before closing the entry point invites reinfection. Publicly promising that no data was exposed before analysis finishes creates legal and trust risk.
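
The detection-and-analysis and containment phases above, as an added example that is not part of the original page: a scoping pass over constructed file-share audit events that identifies the indicators (a ransom-note file appearing, a burst of renames to an extension the share never holds), names the hosts and accounts involved, and emits containment actions only. The audit-line layout, hostnames, accounts, note filename and thresholds are all constructed for illustration and are not a real product's schema or a real ransomware family's artefacts.

```python
"""Scope a suspected ransomware event from file-share audit events and turn the
result into containment actions (the detection-and-analysis and containment
rows of the flow above).

Added example, not part of the original page. The audit-line format, hostnames,
accounts, ransom-note filename and thresholds are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines in a generic key=value layout, not a real product's schema.
SAMPLE_EVENTS = """\
2026-06-12T08:11:40Z host=WS-042 user=jdoe action=WRITE path=/shared/finance/q2.xlsx
2026-06-12T08:14:02Z host=WS-042 user=jdoe action=RENAME path=/shared/finance/q2.xlsx new=/shared/finance/q2.xlsx.locked
2026-06-12T08:14:03Z host=WS-042 user=jdoe action=RENAME path=/shared/finance/q1.xlsx new=/shared/finance/q1.xlsx.locked
2026-06-12T08:14:03Z host=WS-042 user=jdoe action=RENAME path=/shared/finance/budget.docx new=/shared/finance/budget.docx.locked
2026-06-12T08:14:04Z host=WS-042 user=jdoe action=CREATE path=/shared/finance/HOW_TO_RESTORE.txt
2026-06-12T08:14:10Z host=WS-017 user=asmith action=WRITE path=/shared/hr/roster.xlsx
2026-06-12T08:15:31Z host=WS-017 user=asmith action=RENAME path=/shared/hr/old.xlsx new=/shared/hr/old-2025.xlsx
2026-06-12T08:15:45Z host=WS-091 user=svc-backup action=RENAME path=/shared/hr/roster.xlsx new=/shared/hr/roster.xlsx.locked
2026-06-12T08:15:45Z host=WS-091 user=svc-backup action=RENAME path=/shared/hr/policies.pdf new=/shared/hr/policies.pdf.locked
2026-06-12T08:15:46Z host=WS-091 user=svc-backup action=RENAME path=/shared/hr/handbook.pdf new=/shared/hr/handbook.pdf.locked
"""

LINE = re.compile(r"^(\S+) host=(\S+) user=(\S+) action=(\S+) path=(\S+)(?: new=(\S+))?$")
NOTE_NAME = re.compile(r"(?i)how_to_restore|readme.*decrypt|recover.*files")  # hypothetical note names
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt"}   # what this share normally holds
RENAME_BURST = 3                       # renames to an unexpected extension ...
BURST_WINDOW = timedelta(minutes=5)    # ... from one host within this window


def parse(text):
    """Parse audit lines; malformed lines are skipped, never guessed at (keep the raw log as evidence)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, host, user, action, path, new = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           "host": host, "user": user, "action": action, "path": path, "new": new})
    return events


def unexpected_extension(path):
    """True when the final extension is not one this share normally holds."""
    name = path.rsplit("/", 1)[-1]
    return "." in name and "." + name.rsplit(".", 1)[-1].lower() not in KNOWN_EXTENSIONS


def burst(timestamps, threshold=RENAME_BURST, window=BURST_WINDOW):
    """Sliding window: True if at least `threshold` timestamps fall within `window`."""
    ts = sorted(timestamps)
    start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def scope(events):
    """Return {host: {"users": [...], "renames": n, "notes": n}} for hosts that trip an indicator."""
    per_host = defaultdict(lambda: {"users": set(), "rename_ts": [], "notes": 0})
    for e in events:
        h = per_host[e["host"]]
        if e["action"] == "RENAME" and e["new"] and unexpected_extension(e["new"]):
            h["rename_ts"].append(e["ts"])
            h["users"].add(e["user"])
        elif e["action"] == "CREATE" and NOTE_NAME.search(e["path"].rsplit("/", 1)[-1]):
            h["notes"] += 1
            h["users"].add(e["user"])
    return {host: {"users": sorted(h["users"]), "renames": len(h["rename_ts"]), "notes": h["notes"]}
            for host, h in per_host.items() if h["notes"] or burst(h["rename_ts"])}


def containment_actions(flagged):
    """Containment only: stop spread and keep evidence. Nothing here wipes a host,
    deletes files or restores from backup; that is eradication and recovery, later."""
    actions = []
    for host in sorted(flagged):
        actions.append(f"isolate {host} via EDR/switch port; leave it powered on (memory and logs are evidence)")
        for user in flagged[host]["users"]:
            actions.append(f"disable account {user} and revoke its active sessions")
    actions.append("snapshot the share and export the audit log before anything is restored")
    return actions


if __name__ == "__main__":
    flagged = scope(parse(SAMPLE_EVENTS))
    for host, info in sorted(flagged.items()):
        print(f"{host}: {info}")
    print("\n".join(containment_actions(flagged)))
```

Two things to notice: the single ordinary rename on WS-017 is not flagged, because one rename to a known extension is normal user activity, and the burst on WS-091 runs under a service account, which is the "disable abused accounts" case from the table rather than a user to be emailed. The actions list stops at containment on purpose; reimaging, deleting files and restoring come only after the entry point is closed.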

Multi-Domain Drill and Traps

Connect each event to the domains. Ransomware threatens availability and possibly confidentiality. Least privilege limits spread. Network segmentation contains impact. Backups and DR enable recovery. Security operations triage validates the alert. Governance defines who declares the incident and who notifies customers, regulators, insurers, or law enforcement.

Plan Documents and Supporting Concepts

CC expects you to recognize the documents that drive these disciplines. A business impact analysis (BIA) identifies critical processes and their dependencies, then sets the RTO and RPO targets that recovery plans must meet. A BC plan keeps critical functions running, often through alternate sites, manual workarounds, or relocated staff. A DR plan focuses on restoring IT and facilities. An IR plan defines roles, the activation trigger, and the escalation and notification path.

Know the recovery-site options, because they appear as distractors:

  • A hot site is fully equipped and near-instantly available, with the highest cost and the shortest RTO.
  • A warm site has hardware and connectivity but needs configuration and data restoration before use.
  • A cold site is space and power only; it is cheapest but slowest to bring online.

Match the site to the RTO: a service that must return in minutes needs a hot site, while a process with a multi-day RTO can tolerate a cold site. The same logic governs backup strategy: a one-hour RPO usually requires frequent backups or replication, not a single nightly tape.

Common Traps

Watch for answers that delete logs to "free disk space" (destroys evidence), that restore everything before finding the entry point (reinfection), or that announce conclusions before analysis. Also reject options that activate the wrong discipline, such as launching a full DR failover for a contained single-host malware alert, or treating a life-safety emergency as merely a recovery exercise. The exam-friendly response is calm and procedural: protect people, contain active harm, preserve evidence, communicate through approved channels, restore by business priority and documented RTO order, then improve the plan in lessons learned.

Test Your Knowledge

During a suspected ransomware incident, several file servers are actively encrypting shared data. What is the best immediate security action?

Test Your Knowledge

A system has an RTO of 4 hours. What does that mean?

Test Your Knowledge

Which activity belongs most clearly in the lessons-learned phase after an incident?
