1. BCP/DRP
2. Introduction
The Problem - Reasons for BCP
Principles of BCP
Doing BCP
The steps
What is included
The stages of an incident
3. Definitions
A contingency plan is:
“A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation…”
(National Computer Security Center 1988)
Approx. 35% of companies have no plans
4. Definitions of BCP
Disaster Recovery
Business Continuity Planning
End-user Recovery Planning
Contingency Planning
Emergency Response
Crisis Management
The goal is to assist the organization/business to continue functioning even though normal operations are disrupted
Includes steps to take
Before a disruption
During a disruption
After a disruption
5. Reasons for BCP
It is better to plan activities ahead of time than to react when the time comes
“Proactive” rather than “Reactive”
Take the correct actions when needed
Allow for experienced personnel to be absent
6. Reasons for BCP
Maintain business operations
Saves time, mistakes, stress and $$
Keep the money coming in
Short and long term loss of business
Have necessary materials, equipment, information on hand
Planning can take up to 3 years
7. Reasons for BCP
Effect on customers
Public image
Loss of life
8. Reasons for BCP
Legal requirements
‘77 Foreign Corrupt Practices Act/protection of stockholders
Management criminally liable
Defense Investigative Service
Legal and Regulatory sanctions, civil suits
9. Definitions
Due Care
minimum and customary practice of responsible protection of assets that reflects a community or societal norm
Due Diligence
prudent management and execution of due care
Vulnerabilities?
Improper access to data - controls not granular enough
Invalid data -
Update permitted to the wrong/too many people
10. The Problem
Utility failures
Intruders
Fire/Smoke
Water
Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
Heat/Humidity
Electromagnetic emanations
Hostile activity
Technology failure
11. Recent Disasters
Earthquakes
‘89 San Francisco
‘94 Los Angeles
‘95 Kobe, JP
Fires
‘95 Malden Mills, Lawrence, MA
‘97 Iron Mountain Record Center, Brunswick, NJ
12. Recent Disasters
Power
‘99 East coast heat/drought brownouts
Floods
‘97 Midwest floods
Storms
‘92 Hurricane Andrew
Hardware/Software
Year 2000
9/11
13. The Problem
Failure to keep operating
Fortune 1000 study
Average loss $78K, up to $500K
65% of businesses down for over 1 week never reopen
Loss of market share common
14. Threats to Data Integrity
Errors & omissions 50%
Fire, water, electrical 25%
Dishonest employees 10%
Disgruntled employees 10%
Outsider threats 5%
15. The Controls
Least Privilege
Information security
Redundancy
Backed up data
Alternate equipment
Alternate communications
Alternate facilities
Alternate personnel
Alternate procedures
16. The Steps in a BCP - Initiation
Project initiation
Executive commitment and support MOST CRITICAL
Business case to obtain support
Sell the need for DRP (price vs benefit)
Build and maintain awareness
On-going testing & maintenance
Top down approach
Project planning, staffing
Local support/responsibility
17. The Steps in a BCP - 1 Impact Assessment
(Impact Analysis/Vulnerability Assessment/Current State Assessment/Risk Assessment)
Purpose
Identify risks
Identify business requirements for continuity
Quantify impact of potential threats
Balance impact and countermeasure cost
Establish recovery priorities
18. Benefits - 1
Relates security objectives to organization mission
Quantifies how much to spend on security measures
Provides long term planning guidance
Site selection
Building design
HW configuration
SW
Internal controls
Criteria for contingency plans
Security policy
Protection requirements
Significant threats
Responsibilities
19. The Steps in a BCP - 1 Risk Assessment
Potential failure scenarios
Likelihood of failure
Cost of failure (loss impact analysis)
Dollar losses
Additional operational expenses
Violation of contracts, regulatory requirements
Loss of competitive advantage, public confidence
Assumed maximum downtime (recovery time frames)
Rate of losses
Periodic criticality
Time-loss curve charts
20. The Steps in a BCP - 1 Risk Assessment/Analysis
Potential failure scenarios (risks)
Likelihood of failure
Cost of failure, quantify impact of threat
Assumed maximum downtime
Annual Loss Expectancy
Worst case assumptions
Based on business process model? Or IT model?
Identify critical functions and supporting resources
Balance impact and countermeasure cost
Key -
Potential damage
Likelihood
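The two slides above ask for a time-loss curve, a rate of losses with periodic criticality, and an assumed maximum downtime derived from them. The following Python is an added example, not code from the deck: it builds the cumulative-loss curve for one business function, reports the loss at the 1 week / 3 week / 6 month scenario points, and finds the outage length at which the loss exceeds what the business can absorb. The loss rates, the payroll spike on the 15th and 30th, the 30-day month and the tolerable-loss figure are constructed assumptions.

```python
"""Time-loss curve and maximum tolerable downtime for one business function.

Added example for the risk assessment slides; not from the original deck.
The loss rates, the month-end spike and the tolerable-loss figure are
constructed assumptions chosen to show the shape of the calculation.
"""
from dataclasses import dataclass, field

DAYS_PER_MONTH = 30  # assumption: fixed 30-day months keep the periodic spike simple


@dataclass
class LossProfile:
    base_daily_loss: float        # direct revenue lost on the first outage day
    growth_per_day: float         # daily loss grows as customers defect (fraction per day)
    extra_daily_expense: float    # added operational expense (overtime, manual workarounds, couriers)
    critical_days: dict = field(default_factory=dict)  # day of month -> one-off loss if the outage covers it
    daily_loss_cap: float = float("inf")  # direct loss cannot exceed what the function earns in a day


def daily_loss(profile, outage_day, day_of_month):
    """Loss on the outage_day-th day of an outage that falls on calendar day day_of_month."""
    direct = profile.base_daily_loss * (1 + profile.growth_per_day) ** (outage_day - 1)
    direct = min(direct, profile.daily_loss_cap)
    return direct + profile.extra_daily_expense + profile.critical_days.get(day_of_month, 0.0)


def time_loss_curve(profile, start_day_of_month, days):
    """Cumulative loss after 1, 2, ... days of an outage that begins on start_day_of_month."""
    curve, total = [], 0.0
    for n in range(1, days + 1):
        day_of_month = (start_day_of_month - 1 + n - 1) % DAYS_PER_MONTH + 1
        total += daily_loss(profile, n, day_of_month)
        curve.append(total)
    return curve


def max_tolerable_downtime(curve, tolerable_loss):
    """Outage length (days) at which cumulative loss first exceeds what the business can absorb; None if never."""
    for n, loss in enumerate(curve, start=1):
        if loss > tolerable_loss:
            return n
    return None


def scenario_losses(profile, start_day_of_month, scenarios=(7, 21, 180)):
    """Loss for the deck's outage scenarios (1 week, 3 weeks, 6 months) as days -> cumulative loss."""
    curve = time_loss_curve(profile, start_day_of_month, max(scenarios))
    return {d: curve[d - 1] for d in scenarios}


# Constructed example: an order-entry function worth about $20k/day, with payroll runs on the 15th and 30th.
ORDER_ENTRY = LossProfile(
    base_daily_loss=20_000.0,
    growth_per_day=0.03,
    extra_daily_expense=5_000.0,
    critical_days={15: 150_000.0, 30: 150_000.0},
    daily_loss_cap=100_000.0,
)

if __name__ == "__main__":
    for start in (1, 14):
        curve = time_loss_curve(ORDER_ENTRY, start, 180)
        print(f"outage starting on day {start:2d}: scenario losses {scenario_losses(ORDER_ENTRY, start)}, "
              f"max tolerable downtime at $1M = {max_tolerable_downtime(curve, 1_000_000.0)} days")
```

Running it with the two start days shows the periodic-criticality point: an outage that begins on the 14th crosses the tolerable-loss line sooner than one that begins on the 1st, because it hits the payroll run on its second day.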
21. Definitions
Threat
any event which could have an undesirable impact
Vulnerability
absence or weakness of a risk-reducing safeguard, potential to allow a threat to occur with greater frequency, greater impact, or both
Exposure
a measure of the magnitude of loss or impact on the value of the asset
Risk
the potential for harm or loss, including the degree of confidence of the estimate
22. Definitions
Quantitative Risk Analysis
quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability
Powerful aid to decision making
Difficult to do in time and cost
Qualitative Risk Analysis
minimally quantified estimates
Exposure scale ranking estimates
Easier in time and money
Less compelling
Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative
23. Results
Loss impact analysis
Recovery time frames
Essential business functions
Information systems applications
Recommended recovery priorities & strategies
Goals
Understand economic & operational impact
Determine recovery time frame (business/DP/Network)
Identify most appropriate strategy
Cost/justify recovery planning
Include BCP in normal decision making process
24. Risk Management Team
Management - Support
DP Operations
Systems Programming
Internal Audit
Physical Security
Application owners
Application programmers
25. Preliminary Security Exam
Asset costs
Threat survey
Personnel
Physical environment
HW/SW
Communications
Applications
Operations
Natural disasters
Environment
Facility
Access
Data value
26. Preliminary Security Exam
Asset costs
Threat survey
Existing security measures
Management review
27. Threats
Unauthorized access
Hardware failure
Utility failure
Natural disasters
Loss of key personnel
Human errors
Neighborhood hazards
Tampering
Disgruntled employees
Emanations
Safety
Cascading of errors
Ineffective application security
28. Risk Analysis Steps
1 - Identify essential business functions
Dollar losses or added expense
Contract/legal/regulatory requirements
Competitive advantage/market share
Interviews, questionnaires, workshops
2 - Establish recovery plan parameters
Prioritize business functions
3 - Gather impact data/Threat analysis
Probability of occurrence, source of help
Document business functions
Define support requirements
Document effects of disruption
Determine maximum acceptable outage period
Create outage scenarios: 1 week, 3 weeks, 6 months
Maintain full operations vs. do some business
29. Risk Analysis Steps
4 - Analyze and summarize
Estimate potential losses
Destruction/theft of assets
Loss of data
Theft of information
Indirect theft of assets
Delayed processing
Consider periodicity
Combine potential loss & probability
Magnitude of risk is the ALE (Annual Loss Expectancy)
Guide to security measures and how much to spend
30. Results
Significant threats & probabilities
Critical tasks & loss potential by threat
Remedial measures
Greatest net reduction in losses
Annual cost
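Step 4 above combines potential loss with probability into an Annual Loss Expectancy, and the results slide selects remedial measures by their greatest net reduction in losses against annual cost. The Python below is an added example, not code from the deck: it computes ALE as single loss expectancy times annualized rate of occurrence, recomputes it with each candidate control in place, and ranks the controls by net reduction. The threat names, SLE/ARO figures, control costs and the effect each control has on a threat are constructed assumptions (the threat mix loosely follows the proportions of the threats-to-data-integrity slide).

```python
"""Annual Loss Expectancy and countermeasure selection by net reduction in losses.

Added example for the analyze-and-summarize step and the results slide; it is
not from the original deck. Threats, SLE/ARO figures, control costs and control
effects are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float   # single loss expectancy: dollars lost per occurrence
    aro: float   # annualized rate of occurrence: expected occurrences per year


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    # threat name -> (SLE multiplier, ARO multiplier) once the control is in place;
    # threats not listed are unaffected
    effect: dict = field(default_factory=dict)


def ale(threat, sle_mult=1.0, aro_mult=1.0):
    """Annual Loss Expectancy = SLE x ARO, the deck's magnitude of risk."""
    return threat.sle * sle_mult * threat.aro * aro_mult


def total_ale(threats, countermeasure=None):
    """ALE summed over all threats, optionally with one control applied."""
    total = 0.0
    for t in threats:
        sle_mult, aro_mult = 1.0, 1.0
        if countermeasure is not None:
            sle_mult, aro_mult = countermeasure.effect.get(t.name, (1.0, 1.0))
        total += ale(t, sle_mult, aro_mult)
    return total


def net_reduction(threats, countermeasure):
    """Losses avoided per year minus the control's annual cost; negative means it costs more than it saves."""
    return total_ale(threats) - total_ale(threats, countermeasure) - countermeasure.annual_cost


def rank_countermeasures(threats, countermeasures):
    """Controls ordered by greatest net reduction in losses, the results slide's selection criterion."""
    return sorted(countermeasures, key=lambda c: net_reduction(threats, c), reverse=True)


# Constructed figures: SLE/ARO per threat and what each control does to them.
THREATS = (
    Threat("errors and omissions", sle=8_000.0, aro=25.0),
    Threat("power failure", sle=50_000.0, aro=2.0),
    Threat("fire", sle=2_000_000.0, aro=0.02),
    Threat("disgruntled employee", sle=100_000.0, aro=0.5),
)

CONTROLS = (
    Countermeasure("UPS and generator", 30_000.0, {"power failure": (1.0, 0.1)}),
    Countermeasure("fire detection and suppression", 25_000.0, {"fire": (0.25, 1.0)}),
    Countermeasure("hot site", 250_000.0, {"fire": (0.1, 1.0), "power failure": (0.2, 1.0)}),
    Countermeasure("input validation and least privilege", 40_000.0,
                   {"errors and omissions": (1.0, 0.4), "disgruntled employee": (0.5, 1.0)}),
)

if __name__ == "__main__":
    print(f"total ALE before controls: ${total_ale(THREATS):,.0f}/yr")
    for c in rank_countermeasures(THREATS, CONTROLS):
        print(f"{c.name:<40} net reduction ${net_reduction(THREATS, c):,.0f}/yr")
```

With these figures the hot site comes out last even though it removes the most loss from fire and power failure, because its annual cost exceeds the losses it avoids; the cheap control against the highest-ALE threat (errors and omissions) ranks first. That is the point of ranking by net reduction rather than by gross loss avoided.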
31. Information Valuation
Information has cost/value
Acquire/develop/maintain
Owner/Custodian/User/Adversary
Do a cost/value estimate for
Cost/benefit analysis
Integrate security in systems
Avoid penalties
Preserve proprietary information
Business continuity
Circumstances affect valuation timing
Ethical obligation to use justifiable tools/techniques
32. Conditions of Value
Exclusive possession
Utility
Cost of creation/recreation
Liability
Convertibility/negotiability
Operational impact
Market forces
Official value
Expert opinion/appraisal
Bilateral agreement/contract
33. Scenario development
A specific threat (potential event/act) in which assets are subject to loss
Write scenario for each major threat
Credibility/functionality review
Evaluate current safeguards
Finalize/Play out
Prepare findings
34. The Steps in a BCP - 2 Strategy Development (Alternative Selection)
Management support
Team structure
Strategy selection
Cost effective
Workable
35. The Steps in a BCP - 3 Implementation (Plan Development)
Specify resources needed for recovery
Make necessary advance arrangements
Mitigate exposures
36. The Steps in a BCP - 3 Risk Prevention/Mitigation
Risk management program
Security - physical and information (access)
Environmental controls
Redundancy - Backups/Recoverability
Journaling, Mirroring, Shadowing
On-line/near-line/off-line
Insurance
Emergency response plans
Procedures
Training
37. The Steps in a BCP - 3 Decision Making
Cost effectiveness
Total cost
Human intervention requirements
Manual functions are weakest
Overrides and defaults
Shutdown capability
Default to no access
Design openness
Least Privilege
Minimum information
Visible safeguards
38. The Steps in a BCP - 3 Decision Making
Independence of controller and subject
Universality
Compartmentalization, defense in depth
Completeness
Instrumentation
Acceptance
Sustainability
Auditability
Accountability
Recovery
39. Remedial Measures
Alter environment
Erect barriers
Improve procedures
Early detection
Contingency plans
Risk assignment (insurance)
Agreements
Stockpiling
Risk acceptance
40. Remedial Measures
Fire
Detection, suppression
Water
Detection, equipment covers, positioning
Electrical
UPS, generators
Environmental
Backups
Good housekeeping
Backup procedures
Emergency response procedures
41. The Steps in a BCP - 3 Plan Development
Specify resources needed for recovery
Team-based
Recovery plans
Mitigation steps
Testing plans
Prepared by those who will carry them out
42. Included in a BCP
Off-site storage
Trip there - secure? Timely?
Physical layout of site
Fire protection
Climate controls
Security access controls
Backup power
43. Included in a BCP
Alternate site
Hot/Warm/Cold(Shell) sites
Reciprocal agreements/Multiple sites/Service bureaus
Trip there - secure? Timely?
Physical layout of site
Fire protection
Climate controls
Security access controls
Backup power
Agreements
44. Included in a BCP
Backup processing
Compatibility
Capacity
Journaling - maintaining audit records
Remote journaling - to off-site location
Shadowing - remote journaling and delayed mirroring
Mirroring - maintaining realtime copy of data
Electronic vaulting - bulk transfer of backup files
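The backup-processing terms above differ in how much data a disaster costs you: a mirror holds every committed write, a remote journal lags by whatever was still in flight, and an electronic vault holds only the last bulk transfer. The Python below is an added example, not code from the deck, that makes that difference concrete: a primary store journals every update, the off-site copy receives the journal with a configurable lag (0 models mirroring, a small number models remote journaling or shadowing, a huge number models vault-only), and recovery rebuilds the store from the last vault snapshot plus the shipped journal. It also refuses to recover across a gap in journal sequence numbers, the check that keeps a missing shipment from turning into silent data loss. The store, journal layout and the rotating-account workload are constructed assumptions.

```python
"""Recovery from an electronic vault snapshot plus a shipped journal.

Added example for the backup-processing terms on the slide (journaling, remote
journaling, shadowing, mirroring, electronic vaulting); the store, journal layout
and transaction stream are constructed assumptions, not material from the deck.
"""


class JournaledStore:
    """Key/value store that journals every update before applying it (write-ahead)."""

    def __init__(self):
        self.data = {}
        self.journal = []  # (seq, key, value); value None records a delete
        self.seq = 0

    def put(self, key, value):
        self.seq += 1
        self.journal.append((self.seq, key, value))
        if value is None:
            self.data.pop(key, None)
        else:
            self.data[key] = value
        return self.seq


def journal_is_contiguous(journal, start_seq):
    """True if entries run start_seq+1, start_seq+2, ... with no gap (a gap means a lost shipment)."""
    expected = start_seq + 1
    for seq, _key, _value in journal:
        if seq != expected:
            return False
        expected += 1
    return True


def recover(vault, remote_journal):
    """Rebuild the store: start from the vault snapshot, replay journal entries newer than it."""
    snapshot, snapshot_seq = vault
    newer = [entry for entry in remote_journal if entry[0] > snapshot_seq]
    if not journal_is_contiguous(newer, snapshot_seq):
        raise ValueError(f"journal gap after seq {snapshot_seq}; recovery would silently lose transactions")
    data = dict(snapshot)
    last_seq = snapshot_seq
    for seq, key, value in newer:
        if value is None:
            data.pop(key, None)
        else:
            data[key] = value
        last_seq = seq
    return data, last_seq


def simulate(num_txns, ship_lag, vault_every):
    """Run num_txns updates on a primary, lose it, and recover off site.

    ship_lag    0 models mirroring (every entry is off site before the write is acknowledged);
                n > 0 models remote journaling/shadowing with n entries still unshipped at the disaster;
                >= num_txns models no remote journal at all (vault only).
    vault_every electronic vaulting: a bulk snapshot every this many transactions.
    Returns (transactions lost, recovered data).
    """
    primary = JournaledStore()
    vault = ({}, 0)
    for i in range(1, num_txns + 1):
        primary.put(f"acct{i % 7}", i)  # constructed workload: seven accounts updated in rotation
        if i % vault_every == 0:
            vault = (dict(primary.data), primary.seq)
    shipped = primary.journal[:max(0, len(primary.journal) - ship_lag)]
    recovered, recovered_seq = recover(vault, shipped)
    return primary.seq - recovered_seq, recovered


if __name__ == "__main__":
    for label, lag in (("mirroring", 0), ("remote journaling, 3 entries in flight", 3), ("vault only", 10**6)):
        lost, _ = simulate(57, lag, 10)
        print(f"{label:<40} transactions lost: {lost}")
```

The three runs in the usage block give 0, 3 and 7 lost transactions respectively: the recovery point is bounded by the shipping lag for journaling and by the vault interval when only bulk transfers exist. That bound is what the maximum acceptable outage and data-loss figures from the impact assessment should be compared against when choosing among these options.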
45. Included in a BCP
Communications
Compatibility
Accessibility
Capacity
Alternatives
46. Included in a BCP
Work space
Accessibility
Capacity
Environment
47. Included in a BCP
Office equipment/supplies/documentation
Security
Critical business processes/Management
Testing
Vendors - Contact info, agreements
Teams - Contact info, transportation
Return to normal operations
Resources needed
48. Complications
Media/Police/Public
Families
Fraud
Looting/Vandalism
Safety/Legal issues
Expenses/Approval
49. The Steps in a BCP - Final Plan Testing
Proves feasibility of recovery process
Verifies compatibility of backup facilities
Ensures adequacy of team procedures
Identifies deficiencies in procedures
Trains team members
Provides mechanism for maintaining/updating the plan
Upper management comfort
50. The Steps in a BCP - Final Plan Testing
Desk checks/Checklist
Structured Walkthroughs
Live exercises/Simulations
Periodic off-site recovery tests/Parallel
Full interruption drills
51. The Steps in a BCP - Final Test
Hardware
Software
Personnel
Communications
Procedures
Supplies/forms
Documentation
Transportation
Utilities
Alternate site processing
Security
52. The Steps in a BCP - Final Test
Purpose (scenario)
Objectives/Assumptions
Type
Timing
Schedule
Duration
Participants
Assignments
Constraints
Steps
53. The Steps in a BCP - Final Alternate Site Test
Activate emergency control center
Notify & mobilize personnel
Notify vendors
Pickup and transport
tapes
supplies
documentation
Install (Cold and Warm sites)
Verify
Run
Shut down/Clean up
Document/Report
54. The Steps in a BCP - Final Plan Update and Retest Cycle (Plan Maintenance)
Critical to maintain validity and usability of plan
Environmental changes
HW/SW/FW changes
Personnel
Needs to be included in organization plans
Job description/expectations
Personnel evaluations
Audit work plans
55. BCP by Stages - Recap
Initiation
Current state assessment
Develop support processes
Training
Impact Assessment
Alternative selection
Recovery Plan development
Support services continuity plan development
Master plan consolidation
Testing strategy development
Post-transition plan development
56. BCP by Stages
Implementation planning
Quick Hits
Implementation, testing, maintenance
57. End User Planning
DP is critical to end users
Difficult to use manual procedures
Recovery is complex
Need to plan
manual procedures
recovery of data/transactions
procedures for alternate site operation
procedures to return to normal
58. The Real World
DR plans normally involve
Essential DP platforms/systems only
A manual on the shelf written 2-3 years ago
Little or no user involvement
No provision for business processes
No active testing
Resource lists and contact information that do not match current realities
59. Stages in an Incident
Disaster
interruption affecting user operations significantly
60. Stages in an Incident
Initial/Emergency response
Purpose
Ensure safety of people
Prevent further damage
Activate emergency response team
Covers emergency procedures for expected hazards
Safety essential
Emergency supplies
Crisis Management plan - decision making
61. Stages in an Incident
Impact assessment
Activate assessment team
Determine situation
What is affected?
Decide whether to activate plan
62. Stages in an Incident
Initial recovery
Initial recovery of key areas at alternate site
Detailed procedures
Salvage/repair - Clean up
63. Stages in an Incident
Return to normal/Business resumption
Return to operation at normal site
“Emergency” is not over until you are back to normal
Requires just as much planning - Parallel operations
64. Final Thoughts
Do you really want to activate a DR/BCP plan?
Prevention
Planning
65. BCP/DRP
Questions?