06 - Business Continuity and Disaster Recovery
8/3/2019 06 - Business Continuity and Disaster Recovery

Business Continuity and Disaster Recovery

Learning Objectives
1. Business recovery and DRP
2. Auditing business continuity

Business Continuity Process
A process designed to reduce the organization's business risk arising from an unexpected disruption of the critical functions/operations (manual or automated) necessary for the survival of the organization.
Responsibility of senior management.

Considerations in BCP
- Those critical operations that are necessary to the survival of the organization
- The human/material resources supporting them

Business Continuity Process
- A realistic objective is to ensure the survival of an organization by establishing a culture that will identify and manage those risks that could cause it to suffer, such as:
  - Inability to maintain critical customer services
  - Damage to market share, image, reputation or brand
  - Failure to protect the company assets, including intellectual properties and personnel
  - Business control failure
  - Failure to meet legal or regulatory requirements

Besides the Plan for the Continuity of Operations, the BCP Includes
- The DRP that is used to recover a facility rendered inoperable, including relocating operations into a new location
- The restoration plan that is used to return operations to normality whether in a restored or new facility

Purpose of BCP/DRP
- To enable a business to continue offering critical services in the event of a disruption and to survive a disastrous interruption to its activities
- Rigorous planning and commitment of resources is necessary to adequately plan for such an event

Preparing a New BCP
- The operations part of the BCP should address all functions and assets required to continue as a viable organization. The extent of provisioning for alternate facilities that should be pursued is ultimately a business decision based on risk management.
- Focus is on the availability of the key business processes to continue operations should any kind of disruption arise.

IS BCP/DRP
- A major component of an organization's overall business continuity and disaster recovery strategy
- Therefore, there should be a ready-to-start reserved facility to support these operations in case of a disruption if the business cannot function without ongoing information processing
- If it is a separate plan, the IS plan must be consistent with and support the corporate BCP

IS BCP/DRP
- Identifies what the business will do in the event of a disaster
- For example:
  - Where will employees report to work?
  - How will orders be taken while the computer system is being restored?
  - Which vendors should be called to provide needed supplies?

IT DRP
- A subcomponent of IS BCP
- This typically details the process IT personnel will use to restore the computer systems
- Based upon the results of the risk analysis, management may not see a tangible cost benefit for restoring certain applications in the event of a disaster
- The quality of IS elements is essential for IS disaster recovery, and it is therefore recommended that the organization has an information security management system (ISMS) implemented to maintain the integrity, confidentiality and availability of IS

Disasters and Other Disruptive Events
- Disasters are disruptions that cause critical information resources to be inoperative for a period of time, adversely impacting organizational operations
- The disruption could last from a few minutes to several months, depending on the extent of damage to the information resource
- Most important, disasters require recovery efforts to restore operational status

Causes of Disaster
- By natural calamity
  - Including cases where expected services are no longer supplied to the company due to a natural disaster or other cause
- By events precipitated by human beings

Other Disruptive Events
- System malfunctions
- Accidental file deletions
- Network denial of service (DoS) attacks
- Intrusions
- Viruses

A Good BCP for Disasters and Other Disruptive Events
- Takes into account all types of events impacting critical IS processing facilities and end users' normal organizational operation functions
- For worst-case scenarios, short-term and long-term fallback strategies are required
- For the short term, an alternate processing facility may be needed to satisfy immediate operational needs, as in the case of a major natural disaster
- In the long term, a new permanent facility must be identified for disaster recovery and equipped to provide for continuation of IS processing services on a regular basis

BCP Process Life-Cycle Phases
- Creation of a business continuity policy
- Business impact analysis
- Classification of operations and criticality analysis
- Identification of IS processes that support critical organizational functions
- Development of a BCP and IS disaster recovery procedures
- Development of resumption procedures
- Training and awareness program
- Testing and implementation of plan
- Monitoring

Recovery Point Objective and Recovery Time Objective
- The RPO is determined based on the acceptable data loss in case of disruption of operations
- It indicates the earliest point in time in which it is acceptable to recover the data
- For example, if the process can afford to lose the data up to four hours before disaster, then the latest backup available should be up to four hours before disaster or interruption, and the transactions during RPO and interruption need to be entered after recovery (known as catch-up data)
- The RTO is determined based on the acceptable downtime in case of a disruption of operations. It indicates the earliest point in time at which the business operations must resume after disaster

Relationship Between RTO and RPO

RPO & RTO
- Both of these concepts are based on time parameters. The lower the time requirements, the higher the cost of recovery strategies, i.e., if the RPO is in minutes (lowest possible acceptable data loss), then data mirroring or duplexing should be implemented as the recovery strategy.
- If the RTO is lower, then the alternate site might be preferred over a hot-site contract.
- Also, the lower the RTO, the lower the disaster tolerance. Disaster tolerance is the time gap within which the business can accept the nonavailability of IT critical services.
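As an added illustration (not part of the original slides), the following Python applies the RPO/RTO definitions and the disaster-tolerance idea from the two slides above: it picks the latest usable backup for a disruption, measures the data loss and the catch-up window that must be re-entered, and checks the resumption deadline. The backup times, the 13:30 disruption and the 4-hour RPO / 8-hour RTO are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class RecoveryAssessment:
    latest_usable_backup: datetime   # newest backup taken at or before the disruption
    data_loss: timedelta             # gap between that backup and the disruption
    rpo_met: bool                    # data_loss <= RPO
    catch_up_window: Tuple[datetime, datetime]  # transactions to re-enter after recovery
    resume_deadline: datetime        # disruption + RTO: end of the disaster tolerance window
    rto_met: Optional[bool]          # None until the actual resumption time is known


def assess_recovery(backups, disruption, rpo, rto, actual_resume=None):
    """Choose the latest backup before the disruption and measure it against RPO and RTO."""
    usable = [b for b in backups if b <= disruption]
    if not usable:
        raise ValueError("no backup exists before the disruption; the RPO cannot be met")
    latest = max(usable)
    data_loss = disruption - latest
    deadline = disruption + rto
    rto_met = None if actual_resume is None else actual_resume <= deadline
    return RecoveryAssessment(latest, data_loss, data_loss <= rpo,
                              (latest, disruption), deadline, rto_met)


def schedule_meets_rpo(backup_interval_hours, rpo_hours):
    """Worst case the disruption strikes just before the next backup, so the data
    loss equals the whole interval; the schedule is safe only if interval <= RPO."""
    return backup_interval_hours <= rpo_hours


# Constructed sample: backups every 4 hours, disruption at 13:30, RTO 8 h.
BACKUPS = [datetime(2019, 8, 3, h) for h in (0, 4, 8, 12)]
DISRUPTION = datetime(2019, 8, 3, 13, 30)
RTO = timedelta(hours=8)


def sample_assessment(rpo_hours=4, resume_hour=20):
    """Run the constructed sample with an adjustable RPO and actual resumption hour."""
    return assess_recovery(BACKUPS, DISRUPTION, timedelta(hours=rpo_hours), RTO,
                           actual_resume=DISRUPTION.replace(hour=resume_hour, minute=0))


if __name__ == "__main__":
    r = sample_assessment()
    print(f"restore from {r.latest_usable_backup:%H:%M} backup, data loss {r.data_loss}, RPO met: {r.rpo_met}")
    print(f"catch-up data: transactions from {r.catch_up_window[0]:%H:%M} to {r.catch_up_window[1]:%H:%M}")
    print(f"must resume by {r.resume_deadline:%H:%M}, RTO met: {r.rto_met}")
```

Lowering the RPO argument to one hour with the same 4-hourly backups makes the assessment fail, which is the cost relationship the slide describes: a tighter RPO needs a more frequent backup (or mirroring) strategy.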

Auditing Business Continuity
- Understanding and evaluating business continuity strategy and its connection to business objectives
- Reviewing the BIA to ensure that it reflects current business practices and known threats
- Evaluating the BCPs to determine their adequacy and currency, by reviewing the plans and comparing them to appropriate standards and/or government regulations, including the RTO, RPO, etc., defined by the BIA

Auditing Business Continuity
- Verifying that the BCPs are effective, by reviewing the results from previous tests performed by IS and end-user personnel
- Evaluating offsite storage to ensure its adequacy, by inspecting the facility and reviewing its contents and security and environmental controls
- Verifying the arrangements for transporting backup media to ensure that they meet the appropriate security requirements

Auditing Business Continuity
- Evaluating the ability of IS and user personnel to respond effectively in emergency situations, by reviewing emergency procedures, employee training and results of their tests and drills
- Ensuring that the process of maintaining plans is in place and effective and covers both periodic and unscheduled revisions
- Evaluating whether the business continuity manuals and procedures are written in a simple and easy-to-understand manner. This can be achieved through interviews and determining whether all the stakeholders understand their roles and responsibilities with respect to business continuity strategies.