1 / 18

13. Business Continuity & Disaster Recovery Planning

ISA 562 Internet Security Theory & Practice. 13. Business Continuity & Disaster Recovery Planning. Objectives. Response to save business and human life Recovery activities after a disaster to normal operations Recovery plans to resume interrupted critical business. 2. Introduction.

Download Presentation

13. Business Continuity & Disaster Recovery Planning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ISA 562Internet Security Theory & Practice 13. Business Continuity & Disaster Recovery Planning

  2. Objectives Response to save business and human life Recovery activities after a disaster to normal operations Recovery plans to resume interrupted critical business 2

  3. Introduction • Need to process critical business systems in the event of disruption to normal business data processing operations. • Ensure the availability of critical information system resources in the event of an expected network interruption or disaster • Many kinds of plans • Contingency plans, Business Continuity Planning (BCP), Disaster Recovery Planning (DRP) 3

  4. BCP and DRP Life cycle • Steps of BCP and DRP project life cycle • Project Scope Development and planning • Business Continuity analysis (BIA) and functional requirements ( for BIA steps, please see the book) • Business Continuity and Recovery Strategy • Plan Design and Development • Restoration • Feedback 4

  5. Project Scope and Development Planning • Higher management’s commitment to go through the different steps of the project. • Deliverables • Project scope definition • Producing a Project plan • Dedicating a steering committee for the project • The BCP should be aligned with the organization's mission • Business continuity steering committee should • know the mission statement in order to place the scope • should have required authorization • Resources requirement need to be know at this stage • Budget requirements are estimated and validated • Personnel availability • Knowing key points of contact or personnel in an emergency 5

  6. Business Impact Analysis (BIA) • Evaluates all business functions against a common criterion to assess potential impacts to the business by an interruption • The following fall under the BIA • Preparing a BIA format • Assess Potential impacts • Prioritize: very important for business functions • Elements to consider • Analysis of different threats for the business • Identification of critical business functions and units • Emergency Assessment • 3rd party considerations 6

  7. Different cases which need to be considered • Threats analysis • Human Made threats, Natural threats, IT threats Etc • Identify critical business functions: some characteristics • Time Sensitivity, Data Integrity, Etc • Their impact on business: Financial & Operational Impact , Reputation etc • Emergency Assessment • Affected Areas • Alerting procedures • Security and safety procedures and guidelines • Etc • 3rd party considerations • Need to look at Down stream liabilities and upstream impacts • Compliance requirements, SLA Agreements, etc 7

  8. Business Continuity and recovery Strategy • Business Unit Priorities: Business units are examined for BIA identified critical functions • Critical processes and functions are reviewed by the Steering committee and establishes priorities • The Committee looks at the minimum resources required for the identified functions • Priorities are documented • Recovery time Objective (RTO) is the assed time by which a critical function must be recovered • Recovery point objective (RPO) measures data integrity requirement or the tolerance for the amount of data loss • Cost/Benefit analysis 8

  9. Recovery Alternatives • Three approaches for recovery • Dedicated site operated by the organization • Multiple processing centers • Commercially leased facility • Hot site / cost high • Worm site / cost moderate • Cold site / cost lowest • Agreement with an Internal or external facility • Identify organizations with equivalent IT configurations and backup technologies and establish an agreement • Types of agreements • Reciprocal or Mutual Aid • Contingency • Service Bureau 9

  10. Backup • Strategies • Replication • Storage Area network • Electronic Vaulting, etc • Location and Storage Criteria • Maybe stored in several locations for different purposes • On-site storage, Off-site storage, Near-site storage • Resilience Strategies • Improve an organization's continuity and resilience • IT and Site Resilience etc 10

  11. Plan Design Development • Emergency Response Procedures • Life , Health & safety • Damage Assessment • Event Reporting • Disaster Declaration, etc • Personnel Notifications • List of people to notify • Defining the role of the Executive crisis Management • Executive Succession Planning, etc • Backup and off-site storage • Inventory list is compiled and documented • Facility Accessibility and Resilience • Communication in Emergency • Emergency and Business communication system should be in place • Data communication priorities in networks should be agreed upon 11

  12. Plan Design Development (Continued) • Alterative site considerations • The ability to support the required infrastructure, environmental and space demands should be analyzed: Utilities, Communications, etc • Logistics and supplies • How resources are acquired or procured, transported and maintained • Personnel and materials transportation • Remote worker environment activation • Emergency funds access, etc • Documentation • BCP & DRP activation and de-activation plans and procedures are documented • Activity and status reports • Checklists etc • Business Continuity and resumption planning • Contracts for emergency vendor services • Risk Avoidance and mitigation planning • Emergency business Recovery procedures 12

  13. Implementation • Includes Training, Testing, Recovery and Audit • Training • Increasing the organization's awareness of the BC and DR business case • Different kinds of training for different attendees • All people training, Operation teams, Recovery teams etc • Testing • Confirms that the plan meets its emergency, recovery and restoration objectives • Measures the accuracy of the plans • Allow management to evaluate personnel readiness for an adverse event 13

  14. Implementation (continued) • Test Plans • Each time tests are scheduled, a test plan should be written, it should contain • Objectives and success criteria • Details • Schedule • Post-test review • Test types • Several test types exists which server different purposes • Checklist test • Structured walk-through • Simulation • Parallel testing • Testing follow-up • Identifying existing deficiencies • Plan should be routinely assessed • Should be scheduled for testing for example annually 14

  15. Implementation (continued) • Recovery procedures • Site migration • Local Recovery procedures • Transfer and recovery, etc. • Audit • Ensures an organization has an effective BC and DR capability • Measures compliance • Addressing audit findings 15

  16. Restoration • Restoration of primary location • Primary facility must be stabilized and secured and then more detailed damage assessment is conducted • Procurement • Has an essential role in supporting restoration • Consolidating acquisitions and Disposition • Costs reporting • Data Recovery • Reversal procedures • Business process recovery point • Journal and process synchronization • Relocation to primary site • Restoration order and prioritization • End of disaster declaration 16

  17. Feedback and plan management • Post-recovery reporting • Identification or remediation of plan gaps • Record Lessons learned • Performance metric review • Plan review and evaluation • Training of key personnel • Communication • Plan distribution • Communicate the plan to stakeholders 17

  18. References ISC2 CBK Material CISSP-All-in-one book 18

More Related