3.4 Resilience & recovery
📘CompTIA Security+ (SY0-701)
1. What is Capacity Planning?
Capacity planning is the process of ensuring that an organization has enough resources (people, technology, and infrastructure) to handle current workloads and future growth — even during failures or increased demand.
In resilience and recovery, capacity planning ensures that systems remain operational and business functions continue even during high usage, disasters, or system failures.
If capacity is not planned properly, the organization could face downtime, performance issues, or inability to recover quickly from incidents.
2. Goals of Capacity Planning
- Ensure continuous availability of critical systems.
- Avoid bottlenecks (too many users or data for available resources).
- Support scalability (easy to add more capacity when needed).
- Maintain resilient operations under normal and disaster conditions.
- Meet service level agreements (SLAs) — commitments about uptime and performance.
3. Components of Capacity Planning
Capacity planning involves three main areas:
A. People (Human Resources Capacity)
People are a vital part of resilience and recovery. Capacity planning for people ensures there are enough trained staff to support critical IT and security operations during both normal and emergency conditions.
Key considerations:
- Staffing levels: Make sure there are enough employees to handle security monitoring, incident response, and recovery operations 24/7.
- Skill sets: Ensure staff are trained in system recovery, backup procedures, cybersecurity tools, and business continuity plans.
- Cross-training: Employees should be trained to perform multiple roles in case key staff are unavailable during a disaster.
- Succession planning: Identify backups for critical roles, so operations continue smoothly.
- On-call rotation: Maintain an on-call team to respond to emergencies any time.
Example in IT context:
If a data center experiences a power failure, there must be enough trained technicians and system administrators ready to restore systems quickly according to the organization’s disaster recovery plan.
B. Technology (Systems and Applications Capacity)
This area focuses on hardware, software, and digital systems. Technology capacity planning ensures IT systems can handle current and future workloads without performance degradation or system failure.
Key considerations:
- Server and storage capacity: Systems should have enough CPU, memory, and disk space to handle normal load plus sudden spikes (like high user activity or data processing).
- Network bandwidth: Ensure enough network capacity for business operations, remote access, and backup traffic.
- Application scaling: Applications should be able to scale horizontally (adding more servers) or vertically (upgrading resources).
- Cloud elasticity: Use cloud environments that can automatically scale resources when demand increases.
- Backup and recovery systems: Verify backup solutions can handle the size of data being backed up, and restore it within the recovery time objective (RTO).
- Monitoring tools: Use monitoring to track usage trends and predict when upgrades are needed.
Example in IT context:
If an organization’s web application traffic doubles due to new customers, the servers and databases must be able to handle the extra load without downtime.
C. Infrastructure (Physical and Environmental Capacity)
Infrastructure includes the physical and environmental systems that support IT operations — such as power, cooling, buildings, and network connections.
Proper infrastructure capacity ensures that physical systems can support IT and personnel needs even during disasters.
Key considerations:
- Power supply: Have enough power for all systems, with backup generators or uninterruptible power supplies (UPS) to handle outages.
- Cooling systems: Ensure data centers have proper air conditioning to prevent overheating during high usage.
- Network redundancy: Use multiple internet and network connections to maintain connectivity if one fails.
- Facility space: Enough space for new servers, networking equipment, and disaster recovery setups.
- Geographic redundancy: Spread infrastructure across multiple locations to reduce the impact of natural disasters or regional outages.
Example in IT context:
A data center might use two separate power lines from different providers and backup generators to ensure continuous operation during a power failure.
4. Capacity Planning and Business Continuity
Capacity planning directly supports Business Continuity (BC) and Disaster Recovery (DR):
- Business Continuity: Ensures the organization keeps functioning during disruptions.
- Disaster Recovery: Ensures quick restoration of systems and data after an incident.
Without proper capacity, recovery efforts might fail, or systems might not handle the load when switching to backup sites or cloud systems.
5. Capacity Planning Steps
- Assess current resources – Identify what people, technology, and infrastructure are currently available.
- Forecast future demand – Estimate future workload based on business growth or user demand.
- Identify gaps – Compare current capacity to future needs to find weak areas.
- Develop a plan – Add or upgrade resources, train personnel, or improve redundancy.
- Test and review – Regularly test systems (like failover and load testing) to ensure capacity meets recovery objectives.
- Monitor and adjust – Use continuous monitoring to adapt to changes in workload or technology.
6. Capacity Planning Metrics and Tools
Metrics to track:
- CPU, RAM, and disk utilization percentages
- Network bandwidth usage
- Mean Time to Recovery (MTTR)
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
- User-to-staff ratio for support
- System uptime and availability percentages
Tools used:
- Network and server monitoring software (e.g., Nagios, Zabbix, SolarWinds)
- Cloud management dashboards
- Capacity management tools integrated in virtualization or cloud platforms
7. Exam Tips for CompTIA Security+ (SY0-701)
✅ Understand that capacity planning ensures availability and resilience — it’s not only about adding hardware but balancing people, technology, and infrastructure.
✅ Know that scalability and redundancy are major parts of capacity planning.
✅ Be able to explain how human resource planning supports business continuity.
✅ Remember that inadequate capacity can lead to downtime, system crashes, or inability to recover quickly after an incident.
✅ Expect scenario questions such as:
- “Which part of capacity planning involves cross-training staff?” → People
- “What ensures servers can handle increased web traffic?” → Technology
- “What prevents downtime during a power outage?” → Infrastructure
Summary
| Aspect | Purpose | Examples in IT |
|---|---|---|
| People | Ensure enough trained staff for operations and recovery | Cross-training, on-call teams |
| Technology | Ensure systems can handle load and scale as needed | Server upgrades, cloud scaling, backups |
| Infrastructure | Ensure physical support and redundancy | Power backup, cooling, network redundancy |
In Short
Capacity planning in resilience and recovery ensures that:
- People are available and trained,
- Technology can scale and perform, and
- Infrastructure can support operations even in disasters.
It’s a proactive strategy to maintain uptime, prevent failures, and guarantee smooth recovery.
