Master strategic BCDR governance. Train your ability to sequence disaster recovery lifecycle phases correctly and align IT resilience directly with business impact metrics.
You are the CISO of FinTrust Global, a mid-sized financial technology firm. A recent external audit presented a critical finding to the Board of Directors: several Tier-1 payment processing applications currently have no documented Disaster Recovery (DR) plans. The Audit Committee has mandated an immediate remediation roadmap.
FinTrust's core applications process millions of dollars daily. Extended downtime violates Service Level Agreements (SLAs) with partner banks, potentially triggering massive contractual penalties and regulatory scrutiny from financial authorities.
To address the audit, your team has just completed a comprehensive Business Impact Analysis (BIA) with all business unit leaders, successfully defining the Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for all critical applications.
You are in a steering committee meeting to determine the next phase of the remediation project. The CIO is eager to immediately authorize Capital Expenditure (CapEx) for a secondary hot site to ensure maximum uptime. The CFO is asking to recalculate financial risk metrics. You must guide the committee to the procedurally correct next step to ensure the audit finding is directly addressed without wasting budget.
The organization has an audit finding specifically citing a lack of disaster recovery plans. While the BIA has established the impact and recovery targets, the actual technical roadmap to achieve those targets still does not exist.
Executives (here the CIO) often want to skip straight to procurement, buying a hot site, because owning infrastructure feels like being protected. Governance dictates that procurement be driven by documented strategy: you cannot buy or build the right infrastructure until a plan states exactly what that infrastructure must do, for which applications, and within which RTO and RPO.
If you build a hot site before creating the recovery plans, you risk massive over-provisioning (wasting money on non-critical apps) or under-provisioning (failing to meet the BIA's RTO for critical apps). The technology recovery plan bridges the gap between the BIA's requirements and the eventual physical implementation.
Creating technology recovery plans is the correct next step because it follows the procedural sequence of BCDR governance. The BIA supplies the metrics (RTO/RPO for each critical application); the step that immediately follows is to formulate the recovery strategies and plans that will meet those metrics, application by application, based directly on the BIA's output. In the meeting, the CIO's CapEx request jumps ahead to implementation, and the CFO's request to recalculate financial risk metrics steps back to analysis that the BIA has already completed; neither produces the documented plans the audit finding cites.
Sequential Governance: A mature CISO enforces strict sequencing: 1. Risk Assessment (What threats exist?) → 2. BIA (What is the business impact, and what are the recovery targets?) → 3. Recovery Strategies & Plans (How will IT meet those targets?) → 4. Implementation/Procurement (Building or contracting the hot/warm/cold sites the plans call for) → 5. Testing & Maintenance (Proving the plans meet their RTO/RPO and keeping them current). Skipping a step risks budget waste, an unmet RTO/RPO, and a repeat audit finding.