1 / 204

Business Continuity

Business Continuity. Business Impact Analysis. Stages BCP/DRP. Develop contingency planning policy Conduct business impact analysis (BIA) Identify preventive controls Develop recovery strategies Develop contingency plan Test the plan and train personnel Maintain the plan. Exploit.

Download Presentation

Business Continuity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript

  1. Business Continuity Naresh Gandhi FCA, D.I.S.A. (ICAI)

  2. Business Impact Analysis Naresh Gandhi FCA, D.I.S.A. (ICAI)

  3. Stages BCP/DRP • Develop contingency planning policy • Conduct business impact analysis (BIA) • Identify preventive controls • Develop recovery strategies • Develop contingency plan • Test the plan and train personnel • Maintain the plan Naresh Gandhi FCA, D.I.S.A. (ICAI)

  4. Exploit Threats Vulnerabilities Expose Increase Protect Against Increase Reduce Controls Risks Assets Indicate Increase Have Met By Security Arrangements Asset Value Potential Impact on Business Naresh Gandhi FCA, D.I.S.A. (ICAI)

  5. Risk Analysis • A pre-requisite to complete and meaningful DRP program • It is assessment of threats to assets • Determination of protection required to safe guard the assets Naresh Gandhi FCA, D.I.S.A. (ICAI)

  6. Risk Assessment Process • Identification of assets • Identifying threats to these assets and assessing their likelihood • Identifying vulnerabilities and assessing how easily they might be exploited • Correlate threats to assets • Ranking of risks • Identifying the protection provided by the controls in place Naresh Gandhi FCA, D.I.S.A. (ICAI)

  7. Risk Management The process of identifying, controlling and minimizing or eliminating risks that may affect information systems for acceptable cost Naresh Gandhi FCA, D.I.S.A. (ICAI)

  8. Risk Management - Direction • Reducing the risk • Avoiding the risk • Transferring the risk • Accepting the risk Naresh Gandhi FCA, D.I.S.A. (ICAI)

  9. Degree of Assurance Required • It is not possible to achieve total security • There will always be a residual risk • What degree of residual risk is acceptable to the organization? Naresh Gandhi FCA, D.I.S.A. (ICAI)

  10. Risk Management • Defining an acceptable level of residual risk • Constantly reviewing threats and vulnerabilities • Reviewing of existing controls • Applying additional controls • Introducing policy and procedures Naresh Gandhi FCA, D.I.S.A. (ICAI)

  11. What are Assets? An asset is something to which an organization directly assigns value and hence for which the organization requires protection Naresh Gandhi FCA, D.I.S.A. (ICAI)

  12. Examples of Asset • Information • data files • user manuals etc. • Software • application and system software etc. • Services • communications • technical etc. • Company image and reputation Naresh Gandhi FCA, D.I.S.A. (ICAI)

  13. Examples of Asset • Documents • contracts • guidelines etc • Hardware • computer • magnetic media etc. • People • personnel • customers etc. Naresh Gandhi FCA, D.I.S.A. (ICAI)

  14. Assets Physical Logical • Data • Information • Software • Documentation • People • Hardware • Facilities • Documentation • Supplies Naresh Gandhi FCA, D.I.S.A. (ICAI)

  15. Some Assets physical assets personnel assets intellectual property trade secrets corporate information financial information market research strategic planning customer lists vendor lists contact lists information systems R & D information communications meetings future directions Naresh Gandhi FCA, D.I.S.A. (ICAI)

  16. Assets Valuation • Would depend on • Business impact on loss of asset • Period of time for which asset is unavailable • Valuation of the competitor • Value of information rather than replacement of hardware Naresh Gandhi FCA, D.I.S.A. (ICAI)

  17. What is a Risk? The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to assets Naresh Gandhi FCA, D.I.S.A. (ICAI)

  18. Ranking of Risks Protection of asset should be on the basis of their criticality • How long can I continue without my asset • What is the loss to business if asset is not there • Can I continue operations otherwise Naresh Gandhi FCA, D.I.S.A. (ICAI)

  19. Outage Impact & Allowable Outage Times Naresh Gandhi FCA, D.I.S.A. (ICAI)

  20. System Ranking • Critical • Only automated • Low tolerance to interruption • High cost of interruption • Vital • Level of tolerance is high • Can be operated manually for limited period • Cost of interruption is low Naresh Gandhi FCA, D.I.S.A. (ICAI)

  21. System Ranking • Sensitive • Can performed manually for extended time period • Additional resources required • Non Critical • Can remain inoperative • Data is not restored Naresh Gandhi FCA, D.I.S.A. (ICAI)

  22. Formulae for Comparing Risks Naresh Gandhi FCA, D.I.S.A. (ICAI)

  23. Threat • A declaration of the intent to inflict harm, pain or misery • Potential to cause an unwanted incident, which may result in harm to a system or organization and its assets • Intentional or accidental, man-made or an act of God • Assets are subject to many kinds of threats which exploits vulnerabilities Naresh Gandhi FCA, D.I.S.A. (ICAI)

  24. Types of Threat Man made Threats • Errors • Sabotage • Bombs • Strikes • Terrorist Attack • Competitors Naresh Gandhi FCA, D.I.S.A. (ICAI)

  25. Type of Threats Man made Threats • Disgruntled employees • Ex-employees • Hackers • Cracker • Fire Naresh Gandhi FCA, D.I.S.A. (ICAI)

  26. Type of Threats Natural Threats • Floods • Hurricanes • Tornadoes • Earth-quakes • Fire • Lightning Naresh Gandhi FCA, D.I.S.A. (ICAI)

  27. Type of Threats • Technological • Deliberate threats • Accidental threats • Threat frequency Naresh Gandhi FCA, D.I.S.A. (ICAI)

  28. Threat Likelihood • Low • Less likely to occur • Medium • some history of occurrence • High • Good possibility of occurrence Naresh Gandhi FCA, D.I.S.A. (ICAI)

  29. Impact of Threat • Loss of money • Loss of reputation or goodwill • Opportunities missed • Litigation • Threat on personnel • Break-ins or Hacks • Lost confidence • Business interruption • Reduced efficiency Naresh Gandhi FCA, D.I.S.A. (ICAI)

  30. Vulnerability • A vulnerability is a weakness/hole in an organization’s information security • A vulnerability in itself does not cause harm • It is merely a condition or set of conditions that may allow a threat to affect an asset • A vulnerability if not managed, will allow a threat to materialize Naresh Gandhi FCA, D.I.S.A. (ICAI)

  31. Vulnerabilities Absence of key personnel Unstable power grid Unprotected cabling lines Lack of security awareness Wrong allocation of password rights Insufficient security training No firewall installed Unlocked door Password same as userid Poor choice of password New technology Naresh Gandhi FCA, D.I.S.A. (ICAI)

  32. Controls • Controls are applied to • mitigate risk • bring to acceptable level • accept the risk • Controls should be cost effective Naresh Gandhi FCA, D.I.S.A. (ICAI)

  33. Control Selection Which Control? Naresh Gandhi FCA, D.I.S.A. (ICAI)

  34. Control Selection • Risk • Degree of assurance required • Cost • Ease of Implementation • Servicing • Legal and regulatory requirements • Customer and other contractual requirements Naresh Gandhi FCA, D.I.S.A. (ICAI)

  35. Control Selection - Cost • Budget limitations • Does the cost of applying the control outweigh the value of the asset • May have to select Best Value range of controls Naresh Gandhi FCA, D.I.S.A. (ICAI)

  36. Control - Ease of Implementation • Does environment support control • How long will the control take to implement • Is the control readily available Naresh Gandhi FCA, D.I.S.A. (ICAI)

  37. Control - Servicing • Are skills available to manage controls • Are upgrades readily available • Is equipment supported by local engineers or suppliers Naresh Gandhi FCA, D.I.S.A. (ICAI)

  38. Controls The policies, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected Naresh Gandhi FCA, D.I.S.A. (ICAI)

  39. Power Outage Mitigation • Provide one hour of uninterrupted power on all servers used internally • Provide eight hour of uninterrupted power on all web server and support hardware • Replace desktop systems with laptops where possible • Alternate power supply • DG Set • UPS/voltage regulators Naresh Gandhi FCA, D.I.S.A. (ICAI)

  40. Fire Damage • Automatic and manual fire alarms at strategic locations • Fire extinguishers at strategic locations • Halon or CO2 or water? • Automatic fire sprinkler system • Control panels • Automatic fire proof doors • Master switches both inside and outside IS facility • Wiring in closets Naresh Gandhi FCA, D.I.S.A. (ICAI)

  41. Water Damage • IS facility should not be on the ground floor • Water proof ceilings, walls and floors • Drainage systems • Water alarms • Dry pipe sprinkler system • Cover hardware with protective fabric Naresh Gandhi FCA, D.I.S.A. (ICAI)

  42. Controls of the Last Resort (Insurance) • IS equipment and facility • Media reconstruction (Software) • Extra expense • Business interruption • Valuable papers and Records • Errors and omissions • Fidelity coverage • Media transportation • Extra Equipment Coverage • Specialized Equipment Coverage • Civil Authority Naresh Gandhi FCA, D.I.S.A. (ICAI)

  43. What is a contingency? • An event with a potential to disrupt computer operations, critical missions and business functions • Reasons: • Power outage • Hardware failure • Fire • Storms Naresh Gandhi FCA, D.I.S.A. (ICAI)

  44. What is a Disaster? • A contingency event which is very destructive • Disasters results from threats Naresh Gandhi FCA, D.I.S.A. (ICAI)

  45. Phases of Disaster • Crisis Phase • Emergency Response Phase • Recovery Phase • Restoration Phase Naresh Gandhi FCA, D.I.S.A. (ICAI)

  46. Disasters • New York WTC collapse • Gujrat earthquake • Power Outage knocks out a data server • Sprinkler system leaks • Chemical spills from a tanker Naresh Gandhi FCA, D.I.S.A. (ICAI)

  47. Nasdaq Story 11 Sept, 01 • I Liberty Plaza Head Quarter of Nasdaq is across the street from WTC • CIO Gregor Bailar provides an inside look at how Nasdaq got back up and running after the Sept. 11 tragedy • What was happening at 1 Liberty? • They began evacuating after the first plane hit. Our security guards on their own accord evacuated our floor at least, so most of our people were on the ground when the second plane hit Naresh Gandhi FCA, D.I.S.A. (ICAI)

  48. Nasdaq Story 11 Sept, 01 Halting the market wasn't a step you could take lightly "Yes, halt the market." Naresh Gandhi FCA, D.I.S.A. (ICAI)

  49. Nasdaq Story 11 Sept, 01 How did the command center operate? The first thing we had to understand was our personnel situation Then we broadened the investigation to learn who was affected among our traders Then we had to understand the situation from a physical perspective Naresh Gandhi FCA, D.I.S.A. (ICAI)

  50. Nasdaq Story 11 Sept, 01 How did the command center operate? Did we lose a building? Did we lose a data center? Did we lose connectivity? What have we got in the way of physical damage that's going to take a long time to restore? Naresh Gandhi FCA, D.I.S.A. (ICAI)

More Related