280 likes | 518 Views
Business Continuity Planning and Disaster Recovery Planning. Ref. CISSP exam guide W.lilakiatsakun. Business Continuity Planning and Disaster Recovery Planning (1).
E N D
Business Continuity Planning and Disaster Recovery Planning Ref. CISSP exam guide W.lilakiatsakun
Business Continuity Planning and Disaster Recovery Planning (1) • DRP is the process of regaining access to the data, hardware and software necessary to resume critical business operations after a natural or human-induceddisaster. • DRP is part of a larger process known as business continuity planning (BCP). • Disaster recovery is the process by which you resume business after a disruptive event.
Business Continuity Planning and Disaster Recovery Planning (2) • The event might be • something huge-like an earthquake or the terrorist attacks on the World Trade Center • something small, like malfunctioning software caused by a computer virus. • Many business executives are prone to ignoring "disaster recovery" because disaster seems an unlikely event.
Business Continuity Planning and Disaster Recovery Planning (3) • All BC/DR plans need to encompass • How employees will communicate • Where they will go • How they will keep doing their jobs. • The details can vary greatly, depending on the size and scope of a company and the way it does business.
Eventsthatnecessitatedisasterrecovery • Naturaldisasters • Fire • Powerfailure • Terroristattacks • Organizedordeliberatedisruptions • Theft • Systemand/orequipmentfailures • Humanerror • Computerviruses • Testing
Business Continuity Steps (1) 1 Develop the continuity planning policy statement - Write a policy that provides the guidance necessary to develop a BCP and assigns authority to the necessary roles to carry out these tasks 2 Conduct the business impact analysis (BIA) - Identify critical functions and systems and allow the organization to prioritize them on necessity. -Identify vulnerabilities, threats and calculate risks - Calculate MTD (Maximum Tolerable Downtime) for resources
Business Continuity Steps (2) 3 Identify preventive controls • Identify and implement controls and countermeasures to reduce the organization’s risk level in an economical manner 4 Develop recovery strategies • Formulate methods to ensure that systems and critical function can be brought online quickly
Business Continuity Steps (3) 5 Develop the contingency plan • Write procedure and guidelines for how the organization can still stay functional in a cripple state 6 Test the plan and conduct training and exercise • Test the plan to identify deficiencies in the BCP and conduct training to properly prepare individuals on their expected task 7 Maintain plan • Put in place steps to ensure the BCP is a living document that is upgraded regularly
Initiation (1) • Identified a business continuity coordinator (leader for the BCP team) • Setup a BCP committee might consist of representative from • Business units • Senior management • IT department • Security department • Communications department • Legal department
Initiation (2) • At this phase, the team works with management to develop the continuity planning policy statement • Layout the scope of the BCP project • Team member roles • Goal of the project
BCP Requirement • The major requirement is management support • Work best in a top-down approach • Management should be driving the project • It is important that management set the overall goals of continuity planning • It should help set priorities of what should be dealt first
Business Impact Analysis (1) • The BCP committee must identify the threats to the company and map them to the following characteristics • Maximum tolerable downtime • Operational disruption and productivity • Financial consideration • Regulatory responsibilities • Reputation
Business Impact Analysis (2) • Data would gather from interviewing, surveying, workshops and etc • Threat can be manmade, natural or technical • The committee needs to step through scenarios that could produce the following results • Equipment malfunction • Unavailable utilities (Power, Communication) • Software or data corruption
Business Impact Analysis (3) • Loss criteria must applied to the individual threats • Loss in reputation and public confidence • Loss of competitive advantages • Increase in operational expenses • Violations of contract agreement • Violations of legal and regulatory requirement • Delays income costs • Loss in revenue • Loss in productivity
Business Impact Analysis (4) • Example of Maximum Tolerable Downtime (MTD) • Nonessential 30 days • Normal 7 days • Important 72 hours • Urgent 24 hours • Critical Minute to hours
Business Impact Analysis (5) • Interdependencies • Business function might depend on the other functions • BCP team should carried out these tasks • Define essential business function and support departments • Identifies interdependencies • Discover all possible disruption that could affect the mechanism • Identify and document potential threats • Gather quantitative and qualification information pertaining to those threat • Provide alternative methods for restoring • Provide a brief statement of rationale for each threat and corresponding information
BIA Steps (1) • 1 Select individuals to interview for data gathering • 2 Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches) • 3 Identify the company ‘s critical business function • 4 Identify the resources that these functions depend upon
BIA Steps (2) • 5 Calculate how long these functions can survive without these resources • 6 Identify vulnerabilities and threats to these function • 7 Calculate risk for each different business function • 8 Document findings and report them to management
Preventive Controls • Reduce impact and mitigate risks • Example of preventive measures • Redundant servers and communication links • Power lines coming in through different transformers • UPS and generators • Data backup • Fire detection
Recovery strategies • Business process recovery • Business process is back to work • Facility recovery • Cold site/ Warm site/ Hot site • Supply and technology recovery • Network /computer /human resources • User environment recovery • Most critical department gets back first • Data recovery • Data Back up
Developing the BCP (1) • Define goals of the plan and goals must contain certain key information such as • Responsibility • Each individual should have their responsibilities spell out in writing to ensure a clear understanding in a chaotic situation • Authority • In time of crisis, it is important to know who is in charge • Clear cut authority will aid in reducing confusion and increase coorperation
Developing the BCP (2) • Priorities • It is necessary to know which department come online first which second and so on • Along with the priorities of department, the priorities of systems, information and program must be established • Implement and testing
Developing the BCP (3) • Documenting the following • Procedures • Recovery solutions • Roles and tasks • Emergency response
Testing plan (1) • Checklist test • Forget anything ? • Structured walk-through test • Discussion by representatives • Simulation test • Ensure that specific steps were not left out and certain threats were not overlooked • Raise awareness of people involved
Testing plan (2) • Parallel test • Ensure that the specific systems can actually perform adequately at the alternate off site facility • Full interruption test • Ensure that everything will be recovered as planned • It can reveal many holes that need to be fixed
Maintaining the plan • Organization can keep the plan updated by taking the following actions • Make business continuity a part of business decision • Insert the maintenance responsibilities into job descriptions • Include maintenance in personnel evaluation • Perform internal audits that include disaster recovery and continuity documentation and procedures • Perform regular drills that use the plan • Integrate BCP into the current change management process