Hot Site · Warm Site
Cold Site · Cloud/Mobile

Scenario: A stock exchange's trading platform processes $2 billion in transactions per hour. The BIA determines that any outage exceeding 15 minutes causes regulatory penalties, contractual defaults, and massive reputational damage. The MTD is set at 30 minutes.

Recovery site required: Hot Site. An RTO of under 15 minutes (to stay comfortably within the 30-minute MTD) can only be achieved with a hot site. Real-time data replication ensures RPO of near zero. Automated failover redirects traffic in under 60 seconds.

Architecture: Active-active deployment across two geographically separated data centers. Both are always live. If one fails, the other absorbs 100% of load with no manual intervention.

CISSP note: "Life-safety," "financial trading," "real-time," "zero data loss," or "sub-hour RTO" are all hot site signals. The cost is justified by the business impact analysis showing millions in losses per minute of downtime.

Scenario: A regional insurance company's claims processing system handles 500 claims per day. The BIA finds that the business can function for up to 48 hours using manual processes before customer impact becomes severe. MTD is 48 hours. An 8-hour RPO is acceptable — adjusters can re-enter a day's claims from paper records.

Recovery site required: Warm Site. The company contracts a commercial warm site. Servers are pre-installed and powered on. After a disaster is declared, IT staff arrive within 2 hours, configure systems using pre-staged images, and restore the previous night's backup. RTO: approximately 12 hours. WRT: 4 hours. Total: 16 hours — well within the 48-hour MTD.

Cost justification: A hot site would cost 4× more for a system that only needs 12-hour RTO. A cold site risks exceeding the 48-hour MTD if hardware procurement delays occur.

CISSP note: "Moderate cost," "acceptable data loss of hours," "RTO measured in hours," and "hardware in place but needs configuration" all point to warm site as the most cost-effective appropriate choice.

Scenario: A state agency maintains a historical records archive. Citizens can request records, but the BIA finds that a 2-week outage is tolerable — records requests are non-urgent and can be queued. The agency has a very constrained IT budget.

Recovery site required: Cold Site. The agency contracts a cold site facility with power, HVAC, and network connectivity. Monthly offsite backup tapes are stored at the facility. In the event of a disaster, the agency procures commodity server hardware (available within 3–5 days), ships it to the cold site, installs the OS and archive application, and restores from backup tapes. Total RTO: approximately 7–10 days — within the 2-week MTD.

Cold site risk: Hardware availability cannot always be guaranteed. Backup tapes must be regularly tested. If the disaster occurs the day before a scheduled backup, up to a month of record requests may need re-entry.

CISSP note: "Lowest cost," "tolerant of long outage," "non-critical function," or "MTD of weeks" are cold site signals. If the MTD is tight, cold site is a risk.

Parallel Test Scenario: A bank wants to validate that its warm site can actually process transactions. The DR team activates the warm site, restores backups, configures systems, and processes simulated transactions — all while the primary site continues serving real customers. Both sites run simultaneously. Any discrepancies are identified and corrected. Primary site stays live the entire time: no production risk.

Full Interruption Test Scenario: A hospital decides to conduct its most rigorous DR test. On a Saturday night (lowest patient census), the primary data center is shut down. All clinical systems must failover to the hot site. Staff must authenticate via the DR site, access patient records, process orders. After 4 hours, primary systems are restored. The test reveals that one medical device interface failed to failover correctly — a gap fixed before a real disaster could exploit it.

Key distinction: Parallel = both sites running (safe). Full interruption = primary actually down (risky but most valid).

CISSP note: If the question says "most thorough" or "highest confidence" test — Full Interruption. If it says "avoids disrupting production" — Parallel. Full interruption is rarely done because of the operational risk.

Scenario: A retail company's CISO conducts a BIA before designing the DR strategy. The BIA interviews reveal:

• Order management system: business can process orders manually for 4 hours before customer complaints become severe. MTD = 4 hours.
• HR payroll system: payroll runs weekly; a 5-day outage is tolerable. MTD = 5 days.
• Marketing analytics: non-critical; could be down 30 days. MTD = 30 days.

BIA output drives strategy:
• Order management → Hot site, real-time replication (RTO = 1 hour, RPO = 15 minutes)
• Payroll → Warm site, daily backup (RTO = 24 hours, RPO = 24 hours)
• Marketing analytics → Cold site or cloud DR on-demand (RTO = 1 week)

CISSP note: Not all systems need the same recovery tier. The BIA output is a prioritized, tiered list. Applying hot site protection to non-critical systems wastes budget. The CISSP expects candidates to match recovery tier to business impact, not to apply one-size-fits-all solutions.

Scenario: Two competing law firms — Smith & Partners and Jones LLC — agree to host each other's operations in the event of a disaster. Smith will provide 20 workstations and server rack space to Jones during a Jones disaster, and vice versa. No commercial DR site is needed.

Benefits: Very low cost (often free). Both parties already understand the legal/professional context. May include shared backup storage agreements.

Critical risks tested on CISSP:
1. Simultaneous disaster — A regional earthquake affects both firms. Neither can host the other. The agreement provides zero protection.
2. Confidentiality conflict — Smith & Partners staff operating from Jones LLC's space may be exposed to opposing client files. Attorney-client privilege risks.
3. Capacity conflict — Jones is acquired and doubles in size. The 20 workstations Smith promised are now insufficient.
4. No legal enforcement — If Jones declines to honor the agreement, Smith has no contractual remedy.

CISSP note: Mutual aid agreements are the most vulnerable to the "simultaneous disaster" trap. Always identify this as a key limitation when the exam presents this option.