business continuity planning n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Business Continuity Planning PowerPoint Presentation
Download Presentation
Business Continuity Planning

Loading in 2 Seconds...

play fullscreen
1 / 66

Business Continuity Planning - PowerPoint PPT Presentation


  • 90 Views
  • Uploaded on

Business Continuity Planning. The Problem - Reasons for Business Continuity Planning - BCP Principles of BCP Doing BCP The steps What is included The stages of an incident. Definitions. A contingency plan is:

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Business Continuity Planning' - marnin


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
business continuity planning
Business Continuity Planning
  • The Problem - Reasons for Business Continuity Planning - BCP
  • Principles of BCP
  • Doing BCP
    • The steps
    • What is included
    • The stages of an incident

LTU CISP Security

definitions
Definitions

A contingency plan is:

“A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation…”

(National Computer Security Center 1988)

1997-98 survey >35% of companies have no plans

LTU CISP Security

definitions of bcp
Definitions of BCP
  • Disaster Recovery
  • Business Continuity Planning
  • End-user Recovery Planning
  • Contingency Planning
  • Emergency Response
  • Crisis Management

The goal is to assist the organization/business to continue functioning even though normal operations are disrupted

Includes steps to take

    • Before a disruption
    • During a disruption
    • After a disruption

LTU CISP Security

reasons for bcp
Reasons for BCP
  • It is better to plan activities ahead of time rather than to react when the time comes
    • “Proactive” rather than “Reactive”
    • Take the correct actions when needed
    • Allow for experienced personnel to be absent

LTU CISP Security

reasons for bcp1
Reasons for BCP
  • It is better to plan activities ahead of time rather than to react when the time comes

“Proactive” rather than “Reactive”

  • Maintain business operations
    • Keep the money coming in
    • Short and long term loss of business
    • Have necessary materials, equipment, information on hand
    • Saves time, mistakes, stress and $$
    • Planning can take up to 3 years

LTU CISP Security

reasons for bcp2
Reasons for BCP
  • It is better to plan activities ahead of time rather than to react when the time comes

“Proactive” rather than “Reactive”

  • Maintain business operations
    • Keep the money coming in
    • Short and long term loss of business
  • Effect on customers
    • Public image
    • Loss of life

LTU CISP Security

reasons for bcp3
Reasons for BCP
  • It is better to plan activities ahead of time rather than to react when the time comes

“Proactive” rather than “Reactive”

  • Maintain business operations
    • Keep the money coming in
    • Short and long term loss of business
  • Effect on customers
  • Legal requirements
    • ‘77 Foreign Corrupt Practices Act/protection of stockholders
      • Management criminally liable

LTU CISP Security

reasons for bcp4
Reasons for BCP
  • It is better to plan activities ahead of time rather than to react when the time comes

“Proactive” rather than “Reactive”

  • Maintain business operations
    • Keep the money coming in
    • Short and long term loss of business
  • Effect on customers
  • Legal requirements
    • ‘77 Foreign Corrupt Practices Act/protection of stockholders
    • Federal Financial Institutions Examination Council (FFIEC)
    • FCPA SAS30 Audit Standards
    • Defense Investigative Service
    • Legal and Regulatory sanctions, civil suits

LTU CISP Security

definitions1
Definitions

Due Care

  • minimum and customary practice of responsible protection of assets that reflects a community or societal norm

Due Diligence

  • prudent management and execution of due care

LTU CISP Security

the problem
The Problem
  • Utility failures
  • Intruders
  • Fire/Smoke
  • Water
  • Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
  • Heat/Humidity
  • Electromagnetic emanations
  • Hostile activity
  • Technology failure

LTU CISP Security

recent disasters
Recent Disasters
  • Bombings
    • ‘92 London financial district
    • ‘93 World Trade Center, NY
    • ‘93 London financial district
    • ‘95 Oklahoma City
    • ’01 World Trade Center, NY (9/11)
  • Earthquakes
    • ‘89 San Francisco
    • ‘94 Los Angeles
    • ‘95 Kobe, JP
  • Fires
    • ‘95 Malden Mills, Lawrence, MA
    • ‘96 Credit Lyonnais, FR
    • ‘97 Iron Mountain Record Center, Brunswick, NJ

LTU CISP Security

recent disasters1
Recent Disasters
  • Power
    • ‘92 AT&T
    • ‘96 Orrville, OH
    • ‘99 East coast heat/drought brownouts
  • Floods
    • ‘97 Midwest floods
  • Storms
    • ‘92 Hurricane Andrew
    • ‘93 Northeast Blizzard
    • ‘96 Hurricanes Bertha, Fran
    • ‘98 Florida tornados
  • Hardware/Software
    • Year 2000

LTU CISP Security

the problem1
The Problem
  • Utility failures
  • Intruders
  • Fire/Smoke
  • Water
  • Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
  • Heat/Humidity
  • Electromagnetic emanations
  • Hostile activity
  • Technology failure
  • Failure to keep operating

Fortune 1000 study

    • Average loss $78K, up to $500K
    • 65% failing over 1 week never reopen
    • Loss of market share common

LTU CISP Security

threats
Threats
  • From Data Pro reports
    • Errors & omissions 50%
    • Fire, water, electrical 25%
    • Dishonest employees 10%
    • Disgruntled employees 10%
    • Outsider threats 5%

LTU CISP Security

the controls
The Controls
  • Least Privilege
    • Information security
  • Redundancy
    • Backed up data
    • Alternate equipment
    • Alternate communications
    • Alternate facilities
    • Alternate personnel
    • Alternate procedures

LTU CISP Security

the steps in a bcp initiation
The Steps in a BCP - Initiation
  • Project initiation
    • Business case to obtain support
    • Sell the need for DRP (price vs benefit)
    • Build and maintain awareness
    • On-going testing & maintenance
    • Top down approach
    • Executive commitment and support MOST CRITICAL
    • Project planning, staffing
      • Local support/responsibility

LTU CISP Security

the steps in a bcp 1
The Steps in a BCP - 1
  • Impact Assessment (Impact Analysis/Vulnerability Assessment/Current State Assessment/Risk Assessment )

Purpose

    • Identify risks
    • Identify business requirements for continuity
    • Quantify impact of potential threats
    • Balance impact and countermeasure cost
    • Establish recovery priorities

LTU CISP Security

benefits
Benefits
  • Relates security objectives to organization mission
  • Quantifies how much to spend on security measures
  • Provides long term planning guidance
    • Building design
    • HW configuration
    • SW
    • Internal controls
    • Criteria for contingency plans
    • Security policy
    • Site selection
      • Protection requirements
      • Significant threats
      • Responsibilities

LTU CISP Security

the steps in a bcp 11
The Steps in a BCP - 1
  • Risk Assessment
    • Potential failure scenarios
    • Likelihood of failure
    • Cost of failure (loss impact analysis)
      • Dollar losses
      • Additional operational expenses
      • Violation of contracts, regulatory requirements
      • Loss of competitive advantage, public confidence
    • Assumed maximum downtime (recovery time frames)
      • Rate of losses
      • Periodic criticality
      • Time-loss curve charts

LTU CISP Security

the steps in a bcp 12
The Steps in a BCP - 1
  • Risk Assessment/Analysis
    • Potential failure scenarios (risks)
    • Likelihood of failure
    • Cost of failure, quantify impact of threat
    • Assumed maximum downtime
    • Annual Loss Expectancy
    • Worst case assumptions
    • Based on business process model? Or IT model?
    • Identify critical functions and supporting resources
    • Balance impact and countermeasure cost
  • Key -
    • Potential damage
    • Likelihood

LTU CISP Security

definitions2
Definitions
  • Threat
    • any event which could have an undesirable impact
  • Vulnerability
    • absence or weakness of a risk-reducing safeguard, potential to allow a threat to occur with greater frequency, greater impact, or both
    • Exposure
    • a measure of the magnitude of loss or impact on the value of the asset
  • Risk
    • the potential for harm or loss, including the degree of confidence of the estimate

LTU CISP Security

definitions3
Definitions
  • Quantitative Risk Analysis
    • quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability
    • Powerful aid to decision making
    • Difficult to do in time and cost
  • Qualitative Risk Analysis
    • minimally quantified estimates
    • Exposure scale ranking estimates
    • Easier in time and money
    • Less compelling
  • Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative

LTU CISP Security

results
Results
  • Loss impact analysis
  • Recovery time frames
    • Essential business functions
    • Information systems applications
  • Recommended recovery priorities & strategies
  • Goals
    • Understand economic & operational impact
    • Determine recovery time frame (business/DP/Network)
    • Identify most appropriate strategy
    • Cost/justify recovery planning
    • Include BCP in normal decision making process

LTU CISP Security

risk management team
Risk Management Team
  • Management - Support
  • DP Operations
  • Systems Programming
  • Internal Audit
  • Physical Security
  • Application owners
  • Application programmers

LTU CISP Security

preliminary security exam
Preliminary Security Exam
  • Asset costs
  • Threat survey
    • Personnel
    • Physical environment
    • HW/SW
    • Communications
    • Applications
    • Operations
    • Natural disasters
    • Environment
    • Facility
    • Access
    • Data value

LTU CISP Security

preliminary security exam1
Preliminary Security Exam
  • Asset costs
  • Threat survey
  • Existing security measures
  • Management review

LTU CISP Security

threats1
Threats
  • Illogical processing
  • Translation of user needs (technical requirements)
  • Inability to control technology
  • Equipment failure
  • Incorrect entry of data
  • Concentration of data
  • Inability to react quickly
  • Inability to substantiate processing
  • Concentration of responsibilities
  • Erroneous/falsified data
  • Misuse
  • Hardware failure
  • Utility failure
  • Natural disasters
  • Loss of key personnel
  • Human errors
  • Neighborhood hazards
  • Tampering
  • Disgruntled employees
  • Emanations
  • Unauthorized access
  • Safety
  • Improper use of technology
  • Repetition of errors
  • Cascading of errors

LTU CISP Security

threats2
Threats
  • Uncontrolled system access
  • Ineffective application security
  • Operations procedural errors
  • Program errors
  • Operating system flaws
  • Communications system failure
  • Utility failure

LTU CISP Security

risk analysis steps
Risk Analysis Steps
  • 1 - Identify essential business functions
    • Dollar losses or added expense
    • Contract/legal/regulatory requirements
    • Competitive advantage/market share
    • Interviews, questionnaires, workshops
  • 2 - Establish recovery plan parameters
    • Prioritize business functions
  • 3 - Gather impact data/Threat analysis
    • Probability of occurrence, source of help
    • Document business functions
    • Define support requirements
    • Document effects of disruption
    • Determine maximum acceptable outage period
    • Create outage scenarios

LTU CISP Security

risk analysis steps1
Risk Analysis Steps
  • 4 - Analyze and summarize
    • Estimate potential losses
      • Destruction/theft of assets
      • Loss of data
      • Theft of information
      • Indirect theft of assets
      • Delayed processing
      • Consider periodicity
    • Combine potential loss & probability
    • Magnitude of risk is the ALE (Annual Loss Expectancy)
    • Guide to security measures and how much to spend

LTU CISP Security

results1
Results
  • Significant threats & probabilities
  • Critical tasks & loss potential by threat
  • Remedial measures
    • Greatest net reduction in losses
    • Annual cost

LTU CISP Security

information valuation
Information Valuation
  • Information has cost/value
    • Acquire/develop/maintain
    • Owner/Custodian/User/Adversary
  • Do a cost/value estimate for
    • Cost/benefit analysis
    • Integrate security in systems
    • Avoid penalties
    • Preserve proprietary information
    • Business continuity
  • Circumstances effect valuation timing
  • Ethical obligation to use justifiable tools/techniques

LTU CISP Security

conditions of value
Conditions of Value
  • Exclusive possession
  • Utility
  • Cost of creation/recreation
  • Liability
  • Convertibility/negotiability
  • Operational impact
  • Market forces
  • Official value
  • Expert opinion/appraisal
  • Bilateral agreement/contract

LTU CISP Security

scenario
Scenario
  • A specific threat (potential event/act) in which assets are subject to loss
  • Write scenario for each major threat
  • Credibility/functionality review
  • Evaluate current safeguards
  • Finalize/Play out
  • Prepare findings

LTU CISP Security

the steps in a bcp 2
The Steps in a BCP - 2
  • Strategy Development (Alternative Selection)
    • Management support
    • Team structure
    • Strategy selection
      • Cost effective
      • Workable

LTU CISP Security

the steps in a bcp 3
The Steps in a BCP - 3
  • Implementation (Plan Development)
    • Specify resources needed for recovery
    • Make necessary advance arrangements
    • Mitigate exposures

LTU CISP Security

the steps in a bcp 31
The Steps in a BCP - 3
  • Risk Prevention/Mitigation
    • Security - physical and information (access)
    • Environmental controls
    • Redundancy - Backups/Recoverability
      • Journaling, Mirroring, Shadowing
      • On-line/near-line/off-line
    • Insurance
    • Emergency response plans
    • Procedures
    • Training
    • Risk management program

LTU CISP Security

the steps in a bcp 32
The Steps in a BCP - 3
  • Decision Making
    • Cost effectiveness
      • Total cost
    • Human intervention requirements
      • Manual functions are weakest
    • Overrides and defaults
      • Shutdown capability
      • Default to no access
    • Design openness
    • Least Privilege
      • Minimum information
      • Visible safeguards
    • Entrapment
      • Selected vulnerabilities made attractive

LTU CISP Security

the steps in a bcp 33
The Steps in a BCP - 3
  • Decision Making
    • Universality
    • Compartmentalization, defense in depth
    • Isolation
    • Completeness
    • Instrumentation
    • Independence of controller and subject
    • Acceptance
    • Sustainability
    • Auditability
    • Accountability
    • Recovery

LTU CISP Security

remedial measures
Remedial Measures
  • Alter environment
  • Erect barriers
  • Improve procedures
  • Early detection
  • Contingency plans
  • Risk assignment (insurance)
  • Agreements
  • Stockpiling
  • Risk acceptance

LTU CISP Security

remedial measures1
Remedial Measures
  • Fire
    • Detection, suppression
  • Water
    • Detection, equipment covers, positioning
  • Electrical
    • UPS, generators
  • Environmental
    • Backups
  • Good housekeeping
  • Backup procedures
  • Emergency response procedures

LTU CISP Security

the steps in a bcp 34
The Steps in a BCP - 3
  • Plan Development
    • Specify resources needed for recovery
    • Team-based
    • Recovery plans
    • Mitigation steps
    • Testing plans
    • Prepared by those who will carry them out

LTU CISP Security

included in a bcp
Included in a BCP
  • Off-site storage
    • Trip there - secure? Timely?
    • Physical layout of site
    • Fire protection
    • Climate controls
    • Security access controls
    • Backup power

LTU CISP Security

included in a bcp1
Included in a BCP
  • Off-site storage
  • Alternate site
    • Reciprocal agreements/Multiple sites/Service bureaus
    • Hot/Warm/Cold(Shell) sites
    • Trip there - secure? Timely?
    • Physical layout of site
    • Fire protection
    • Climate controls
    • Security access controls
    • Backup power
    • Agreements

LTU CISP Security

included in a bcp2
Included in a BCP
  • Off-site storage
  • Alternate site
  • Backup processing
    • Compatibility
    • Capacity
    • Journaling - maintaining audit records
      • Remote journaling - to off-site location
    • Shadowing - remote journaling and delayed mirroring
    • Mirroring - maintaining realtime copy of data
    • Electronic vaulting - bulk transfer of backup files

LTU CISP Security

included in a bcp3
Included in a BCP
  • Off-site storage
  • Alternate site
  • Backup processing
  • Communications
    • Compatibility
    • Accessibility
    • Capacity
    • Alternatives

LTU CISP Security

included in a bcp4
Included in a BCP
  • Off-site storage
  • Alternate site
  • Backup processing
  • Communications
  • Work space
    • Accessibility
    • Capacity
    • Environment

LTU CISP Security

included in a bcp5
Included in a BCP
  • Off-site storage
  • Alternate site
  • Backup processing
  • Communications
  • Work space
  • Office equipment/supplies/documentation
  • Security
  • Critical business processes/Management
  • Testing
  • Vendors - Contact info, agreements
  • Teams - Contact info, transportation
  • Return to normal operations
  • Resources needed

LTU CISP Security

complications
Complications
  • Media/Police/Public
  • Families
  • Fraud
  • Looting/Vandalism
  • Safety/Legal issues
  • Expenses/Approval

LTU CISP Security

the steps in a bcp finally
The Steps in a BCP - Finally
  • Plan Testing
    • Proves feasibility of recovery process
    • Verifies compatibility of backup facilities
    • Ensures adequacy of team procedures
      • Identifies deficiencies in procedures
    • Trains team members
    • Provides mechanism for maintaining/updating the plan
    • Upper management comfort

LTU CISP Security

the steps in a bcp finally1
The Steps in a BCP - Finally
  • Plan Testing
    • Desk checks/Checklist
    • Structured Walkthroughs
    • Life exercises/Simulations
    • Periodic off-site recovery tests/Parallel
    • Full interruption drills

LTU CISP Security

the steps in a bcp finally2
The Steps in a BCP - Finally
  • Test
    • Software
    • Hardware
    • Personnel
    • Communications
    • Procurement
    • Procedures
    • Supplies/forms
    • Documentation
    • Transportation
    • Utilities
    • Alternate site processing
    • Security

LTU CISP Security

the steps in a bcp finally3
The Steps in a BCP - Finally
  • Test
    • Purpose (scenario)
    • Objectives/Assumptions
    • Type
    • Timing
    • Schedule
    • Duration
    • Participants
      • Assignments
    • Constraints
    • Steps

LTU CISP Security

the steps in a bcp finally4
The Steps in a BCP - Finally
  • Alternate Site Test
  • Activate emergency control center
  • Notify & mobilize personnel
  • Notify vendors
  • Pickup and transport
    • tapes
    • supplies
    • documentation
  • Install (Cold and Warm sites)
  • IPL
  • Verify
  • Run
  • Shut down/Clean up
  • Document/Report

LTU CISP Security

the steps in a bcp finally5
The Steps in a BCP - Finally
  • Plan Update and Retest cycle (Plan Maintenance)
    • Critical to maintain validity and usability of plan
      • Environmental changes
      • HW/SW/FW changes
      • Personnel
    • Needs to be included in organization plans
      • Job description/expectations
      • Personnel evaluations
      • Audit work plans

LTU CISP Security

bcp by stages
BCP by Stages
  • Initiation
  • Current state assessment
  • Develop support processes
  • Training
  • Impact Assessment
  • Alternative selection
  • Recovery Plan development
  • Support services continuity plan development
  • Master plan consolidation
  • Testing strategy development
  • Post transition plan development

LTU CISP Security

bcp by stages1
BCP by Stages
  • Implementation planning
  • Quick Hits
  • Implementation, testing, maintenance

LTU CISP Security

end user planning
End User Planning
  • DP is critical to end users
  • Difficult to use manual procedures
  • Recovery is complex
  • Need to plan
    • manual procedures
    • recovery of data/transactions
    • procedures for alternate site operation
    • procedures to return to normal

LTU CISP Security

the real world
The Real World
  • DR plans normally involve
    • Essential DP platforms/systems only
    • A manual on the shelf written 2-3 years ago
    • Little or no user involvement
    • No provision for business processes
    • No active testing
    • Resource lists and contact information that do not match current realities

LTU CISP Security

stages in an incident
Stages in an Incident
  • Disaster
    • interruption affecting user operations significantly

LTU CISP Security

stages in an incident1
Stages in an Incident
  • Disaster
  • Initial/Emergency response
    • Purpose
      • Ensure safety of people
      • Prevent further damage
    • Activate emergency response team
    • Covers emergency procedures for expected hazards
    • Safety essential
    • Emergency supplies
    • Crisis Management plan - decision making

LTU CISP Security

stages in an incident2
Stages in an Incident
  • Disaster
  • Initial response
  • Impact assessment
    • Activate assessment team
    • Determine situation
      • What is affected?
    • Decide whether to activate plan

LTU CISP Security

stages in an incident3
Stages in an Incident
  • Disaster
  • Initial response
  • Impact assessment
  • Initial recovery
    • Initial recovery of key areas at alternate site
    • Detailed procedures
    • Salvage/repair - Clean up

LTU CISP Security

stages in an incident4
Stages in an Incident
  • Disaster
  • Initial response
  • Impact assessment
  • Initial recovery
  • Return to normal/Business resumption
    • Return to operation at normal site
    • “Emergency” is not over until you are back to normal
    • Requires just as much planning - Parallel operations

LTU CISP Security

special cases
Special Cases
  • Y2K
    • Incidents will happen in a particular time frame
    • Alternate sites won’t help
    • Redundant equipment won’t help
    • Backups won’t help
    • Involves automated equipment and services

LTU CISP Security

final thoughts
Final Thoughts
  • Do you really want to activate a DR/BCP plan?
    • Prevention
    • Planning

LTU CISP Security