Business continuity planning and disaster recovery planning
1 / 26

Business Continuity Planning and Disaster Recovery Planning - PowerPoint PPT Presentation

  • Uploaded on

Business Continuity Planning and Disaster Recovery Planning. Ref. CISSP exam guide W.lilakiatsakun. Business Continuity Planning and Disaster Recovery Planning (1).

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Business Continuity Planning and Disaster Recovery Planning' - ovid

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Business continuity planning and disaster recovery planning 1
Business Continuity Planning and Disaster Recovery Planning (1)

  • DRP is the process of regaining access to the data, hardware and software necessary to resume critical business operations after a natural or human-induceddisaster.

  • DRP is part of a larger process known as business continuity planning (BCP).

  • Disaster recovery is the process by which you resume business after a disruptive event.

Business continuity planning and disaster recovery planning 2
Business Continuity Planning and Disaster Recovery Planning (2)

  • The event might be

    • something huge-like an earthquake or the terrorist attacks on the World Trade Center

    • something small, like malfunctioning software caused by a computer virus.

  • Many business executives are prone to ignoring "disaster recovery" because disaster seems an unlikely event.

Business continuity planning and disaster recovery planning 3
Business Continuity Planning and Disaster Recovery Planning (3)

  • All BC/DR plans need to encompass

    • How employees will communicate

    • Where they will go

    • How they will keep doing their jobs.

  • The details can vary greatly, depending on the size and scope of a company and the way it does business.

Events that necessitate disaster recovery
Events (3)thatnecessitatedisasterrecovery

  • Naturaldisasters

  • Fire

  • Powerfailure

  • Terroristattacks

  • Organizedordeliberatedisruptions

  • Theft

  • Systemand/orequipmentfailures

  • Humanerror

  • Computerviruses

  • Testing

Business continuity steps 1
Business Continuity Steps (1) (3)

1 Develop the continuity planning policy statement

- Write a policy that provides the guidance necessary to develop a BCP and assigns authority to the necessary roles to carry out these tasks

2 Conduct the business impact analysis (BIA)

- Identify critical functions and systems and allow the organization to prioritize them on necessity.

-Identify vulnerabilities, threats and calculate risks

- Calculate MTD (Maximum Tolerable Downtime) for resources

Business continuity steps 2
Business Continuity Steps (2) (3)

3 Identify preventive controls

  • Identify and implement controls and countermeasures to reduce the organization’s risk level in an economical manner

    4 Develop recovery strategies

  • Formulate methods to ensure that systems and critical function can be brought online quickly

Business continuity steps 3
Business Continuity Steps (3) (3)

5 Develop the contingency plan

  • Write procedure and guidelines for how the organization can still stay functional in a cripple state

    6 Test the plan and conduct training and exercise

  • Test the plan to identify deficiencies in the BCP and conduct training to properly prepare individuals on their expected task

    7 Maintain plan

  • Put in place steps to ensure the BCP is a living document that is upgraded regularly

Initiation 1
Initiation (1) (3)

  • Identified a business continuity coordinator (leader for the BCP team)

  • Setup a BCP committee might consist of representative from

    • Business units

    • Senior management

    • IT department

    • Security department

    • Communications department

    • Legal department

Initiation 2
Initiation (2) (3)

  • At this phase, the team works with management to develop the continuity planning policy statement

    • Layout the scope of the BCP project

    • Team member roles

    • Goal of the project

Bcp requirement
BCP Requirement (3)

  • The major requirement is management support

  • Work best in a top-down approach

    • Management should be driving the project

  • It is important that management set the overall goals of continuity planning

    • It should help set priorities of what should be dealt first

Business impact analysis 1
Business Impact Analysis (1) (3)

  • The BCP committee must identify the threats to the company and map them to the following characteristics

    • Maximum tolerable downtime

    • Operational disruption and productivity

    • Financial consideration

    • Regulatory responsibilities

    • Reputation

Business impact analysis 2
Business Impact Analysis (2) (3)

  • Data would gather from interviewing, surveying, workshops and etc

  • Threat can be manmade, natural or technical

  • The committee needs to step through scenarios that could produce the following results

    • Equipment malfunction

    • Unavailable utilities (Power, Communication)

    • Software or data corruption

Business impact analysis 3
Business Impact Analysis (3) (3)

  • Loss criteria must applied to the individual threats

    • Loss in reputation and public confidence

    • Loss of competitive advantages

    • Increase in operational expenses

    • Violations of contract agreement

    • Violations of legal and regulatory requirement

    • Delays income costs

    • Loss in revenue

    • Loss in productivity

Business impact analysis 4
Business Impact Analysis (4) (3)

  • Example of Maximum Tolerable Downtime (MTD)

    • Nonessential 30 days

    • Normal 7 days

    • Important 72 hours

    • Urgent 24 hours

    • Critical Minute to hours

Business impact analysis 5
Business Impact Analysis (5) (3)

  • Interdependencies

    • Business function might depend on the other functions

  • BCP team should carried out these tasks

    • Define essential business function and support departments

    • Identifies interdependencies

    • Discover all possible disruption that could affect the mechanism

    • Identify and document potential threats

    • Gather quantitative and qualification information pertaining to those threat

    • Provide alternative methods for restoring

    • Provide a brief statement of rationale for each threat and corresponding information

Bia steps 1
BIA Steps (1) (3)

  • 1 Select individuals to interview for data gathering

  • 2 Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches)

  • 3 Identify the company ‘s critical business function

  • 4 Identify the resources that these functions depend upon

Bia steps 2
BIA Steps (2) (3)

  • 5 Calculate how long these functions can survive without these resources

  • 6 Identify vulnerabilities and threats to these function

  • 7 Calculate risk for each different business function

  • 8 Document findings and report them to management

Preventive controls
Preventive Controls (3)

  • Reduce impact and mitigate risks

  • Example of preventive measures

    • Redundant servers and communication links

    • Power lines coming in through different transformers

    • UPS and generators

    • Data backup

    • Fire detection

Recovery strategies
Recovery strategies (3)

  • Business process recovery

    • Business process is back to work

  • Facility recovery

    • Cold site/ Warm site/ Hot site

  • Supply and technology recovery

    • Network /computer /human resources

  • User environment recovery

    • Most critical department gets back first

  • Data recovery

    • Data Back up

Developing the bcp 1
Developing the BCP (1) (3)

  • Define goals of the plan and goals must contain certain key information such as

    • Responsibility

      • Each individual should have their responsibilities spell out in writing to ensure a clear understanding in a chaotic situation

    • Authority

      • In time of crisis, it is important to know who is in charge

      • Clear cut authority will aid in reducing confusion and increase coorperation

Developing the bcp 2
Developing the BCP (2) (3)

  • Priorities

    • It is necessary to know which department come online first which second and so on

    • Along with the priorities of department, the priorities of systems, information and program must be established

  • Implement and testing

Developing the bcp 3
Developing the BCP (3) (3)

  • Documenting the following

    • Procedures

    • Recovery solutions

    • Roles and tasks

    • Emergency response

Testing plan 1
Testing plan (1) (3)

  • Checklist test

    • Forget anything ?

  • Structured walk-through test

    • Discussion by representatives

  • Simulation test

    • Ensure that specific steps were not left out and certain threats were not overlooked

    • Raise awareness of people involved

Testing plan 2
Testing plan (2) (3)

  • Parallel test

    • Ensure that the specific systems can actually perform adequately at the alternate off site facility

  • Full interruption test

    • Ensure that everything will be recovered as planned

    • It can reveal many holes that need to be fixed

Maintaining the plan
Maintaining the plan (3)

  • Organization can keep the plan updated by taking the following actions

    • Make business continuity a part of business decision

    • Insert the maintenance responsibilities into job descriptions

    • Include maintenance in personnel evaluation

    • Perform internal audits that include disaster recovery and continuity documentation and procedures

    • Perform regular drills that use the plan

    • Integrate BCP into the current change management process