
Information Systems Security


halden


Presentation Transcript


  1. Information Systems Security: Business Continuity Planning, Domain #6

  2. Pieces of the BCP
     • Disaster Recovery Planning
       • How to survive the disaster
       • Emergency response responsibilities
       • Recovery procedures
     • Business Continuity Planning
       • How to stay in business while crippled
       • Continuity of critical business functions
       • Reduce overall impact of interruption

  3. Processes of the BCP Plan
     • Project Initiation Phase
     • Current State Assessment Phase
     • Design and Development Phase
     • Implementation Phase
     • Management Phase
     • REPEAT, REPEAT, REPEAT

  4. Project Initiation
     • Gain support of management
       • Show cost versus benefit
       • Regulatory requirements
       • Ramifications of others not having a plan
     • Current vulnerability analysis

  5. Current State Assessment
     • Threat Analysis
     • Business Impact Assessment
     • Continuity Planning Process Assessment
     • Benchmark or Peer Review

  6. Design and Development
     • Develop appropriate continuity strategy
     • Develop crisis management plan
     • Develop infrastructure
     • Design initial acceptance testing
     • Plan for resource acquisition

  7. Implementation
     • Deploy continuity plan
     • Perform short-term and long-term testing
     • Program maintenance
     • Program training and awareness
     • Program management process

  8. Senior Management's Role
     • Due diligence and due care
     • Drive all phases of the plan
     • Consistent support and final approval
     • Ensure that testing takes place
     • Constructing a budget

  9. BCP Team
     • Minimum key personnel should be:
       • Member of each key department
       • Member of support staff
       • IT reps
       • Security reps
       • Legal reps
       • Senior management

  10. BCP Committee
     • Carries out risk assessment and analysis
     • Analysis to be carried out before plan is developed
     • Execute:
       • Business impact analysis
       • Development plan
       • Testing and plan maintenance

  11. Risk Assessment
     • Identify critical business functions
     • Identify resources these functions depend upon
     • Calculate life expectancy without these resources
     • Identify vulnerabilities and threats to these functions
     • Calculate risks to these functions
     • Develop backup plans for these functions
     • Develop recovery plans for these functions

  12. Types of Analyses
     • Quantitative
       • Uses numbers and formulas to reach a decision
     • Qualitative
       • Takes non-numerical factors such as emotions, confidence, workforce stability, and other concerns into account

  13. Identify Priorities
     • Activities that are most essential to your day-to-day operations
     • Maximum Tolerable Downtime (MTD)
       • Maximum length of time a business function can be inoperable without causing irreparable harm to the business

  14. Identify Business Risks
     • Natural disasters
       • Storms, hurricanes, earthquakes, volcanoes...
     • Man-made
       • Terrorism/wars/civil unrest
       • Theft/vandalism
       • Fire/explosion/building collapse
       • Power outages

  15. Identify Critical Function Resources
     • Specific types of technology
     • Necessary software
     • Electrical power
     • Network/physical production environment
     • Safe environment for workers
     • Access to outside entities
     • Communication lines

  16. Likelihood Assessment
     • The Business Impact Assessment (BIA) identifies the likelihood that each risk will occur
     • Expressed as an annualized rate of occurrence (ARO): the number of times a business expects to experience a given disaster each year

  17. Impact Assessment
     • Exposure Factor (EF) is the amount of damage (as a fraction of asset value) that the risk poses to the asset
     • Single Loss Expectancy (SLE) is the dollar loss expected each time the risk materializes
     • Annualized Loss Expectancy (ALE) is the dollar loss expected to occur as a result of the risk over the period of a year

  18. Example
     • Fire at building
       • Building value of $500,000
       • Exposure factor of 70%
       • Occurs once every 30 years
       • What is the ALE?

  19. Qualitative Assessment
     • Loss of confidence and goodwill among your clients
     • Loss of employees due to downtime
     • Social/ethical responsibilities to the community
     • Negative publicity

  20. Resource Prioritization
     • Create a list of all of the risks you analyzed during the BIA process and sort them in descending order by ALE
     • Results of the quantitative or qualitative analysis may justify giving a risk a higher priority based on business impact
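The quantitative chain from slides 16 to 20 (EF, ARO, SLE, ALE, then ranking by ALE) carried through in code. This is an added example, not part of the presentation; the `Risk` class, the `prioritize` function and the sample register are assumptions, and the first row is the slide 18 fire scenario.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of the quantitative BIA: a threat against one asset."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    years_between: float    # one occurrence expected every N years

    @property
    def aro(self) -> float:
        # Annualized rate of occurrence: expected occurrences per year
        return 1.0 / self.years_between

    @property
    def sle(self) -> float:
        # Single loss expectancy: dollars lost each time the risk materializes
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        # Annualized loss expectancy: SLE scaled by how often it happens per year
        return self.sle * self.aro


def validate(risk: Risk) -> None:
    """Reject inputs that would make the formulas meaningless."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError(f"{risk.name}: EF must be between 0 and 1")
    if risk.years_between <= 0:
        raise ValueError(f"{risk.name}: years between occurrences must be positive")


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Slide 20: sort the BIA results in descending order by ALE."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Constructed sample register (hypothetical values); row 1 is the slide 18 fire case.
SAMPLE_RISKS = [
    Risk("Fire at building", 500_000, 0.70, 30),
    Risk("Power outage (data center)", 200_000, 0.10, 2),
    Risk("Theft of laptops", 40_000, 0.20, 1),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.name:<28} SLE=${r.sle:>11,.2f}  ARO={r.aro:.4f}  ALE=${r.ale:>10,.2f}")
```

For the slide 18 case this yields SLE = $350,000 and ALE = $350,000 × (1/30) ≈ $11,666.67 per year.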

  21. Continuity Strategy
     • Focuses on the development and implementation of a continuity strategy to minimize the impact that realized risks might have on protected assets
     • Consider the MTD and decide which risks are acceptable
     • Bridges the gap between the BIA and continuity

  22. Provisions and Processes
     • People
       • Ensure that people within your organization are safe before, during, and after an emergency
     • Buildings/facilities
     • Infrastructure

  23. Buildings/Facilities
     • Hardening provisions
       • Reinforce structure, patch roofs, etc.
     • Alternate sites
       • Hot site
         • Ready for data processing in a few hours or less
         • Contains all necessary systems and devices
         • Just needs people and data
         • Annual tests are conducted
         • Most expensive subscription option

  24. More Sites
     • Warm site
       • Ready for data processing in 12 hours or longer
       • Some peripheral devices
       • Needs software, people, data, and computers
       • Better choice for proprietary hardware/software
       • Less expensive than hot sites

  25. More Sites
     • Cold site
       • Empty building
       • No equipment
       • Electrical wiring, A/C, plumbing, and flooring
       • Two weeks or longer to reach operational status
       • Least expensive

  26. Testing the Offsite Facility
     • Hardware should be compatible
     • Software should be compatible
     • Type of database transfer
       • Remote mirroring/database shadowing
       • Remote journaling
       • Electronic vaulting
     • Test data backups
       • Full, incremental, differential

  27. BCP Plan Approval
     • Gain top-level management endorsement
     • Be prepared with explanations of purpose
     • Planning team should contain a top-level executive
       • Helps to get final approval

  28. Testing and Drills
     • Test characteristics
       • Indicate whether the company can actually recover
       • At least annually
       • Identify areas of weakness
     • Drills
       • Create a disaster scenario
       • Create goals to be accomplished
       • Run the drill and report findings to management

  29. BCP Tests
     • Checklist tests
       • Copies of the BCP distributed to functional managers
       • Each reviews the part of the plan that addresses their area
       • Simplest but most crucial
     • Structured walk-through
       • Functional managers meet to go through the plan
     • Simulation
       • Carry out the disaster scenario
       • Continues up to actual relocation to the offsite facility
       • Response measures are tested

  30. BCP Tests
     • Parallel
       • Some systems are transported to the offsite facility for parallel processing
       • Personnel are actually relocated and perform their disaster recovery tasks
     • Full interruption test
       • Original site shuts down
       • All processing takes place at the offsite facility

  31. What is Success?
     • Response within an acceptable timeframe
     • Operations at the alternate location are adequate
     • Backups successfully restored
     • Emergency personnel reached within an acceptable timeframe
     • Team members aware of the current plan and able to perform associated duties
     • Plan is current and relevant

  32. BCP Plan Can Become Outdated
     • Technology changes
     • Company merges or splits
     • Plan is not properly maintained
     • Personnel turnover
     • No person or group made responsible
     • Plan not audited
     • No change control tool

  33. BCP Phases
     • Business Impact Analysis
     • Strategy Development
     • Plan Development
     • Implementation
     • Testing
     • Maintenance

  34. Are We There Yet?
     • 2005 survey indicates:
       • Less than 15% of companies prepared for disaster
       • 40% of companies would be out of business permanently if closed for a week

  35. Legislative Issues
     • Health Insurance Portability and Accountability Act (HIPAA)
     • Gramm-Leach-Bliley Act (GLB)
     • Patriot Act
     • Electronic Communications Privacy Act (ECPA)
