13. Business Continuity & Disaster Recovery Planning
8/11/2019 13. Business Continuity & Disaster Recovery Planning
13. Business Continuity & Disaster Recovery Planning
ISA 562
Internet Security Theory & Practice
-
Objectives
Response to save the business and human life
Recovery activities after a disaster to return to normal operations
Recovery plans to resume interrupted critical business operations
-
Introduction
Need to process critical business systems in the event of a disruption to normal business data processing operations
Ensure the availability of critical information system resources in the event of a network interruption or disaster
Many kinds of plans: contingency plans, Business Continuity Planning (BCP), Disaster Recovery Planning (DRP)
-
BCP and DRP Life Cycle
Steps of the BCP and DRP project life cycle:
Project Scope Development and Planning
Business Impact Analysis (BIA) and functional requirements (for the BIA steps, please see the book)
Business Continuity and Recovery Strategy
Plan Design and Development
Restoration
Feedback
-
Project Scope and Development Planning
Higher management's commitment to go through the different steps of the project
Deliverables:
Project scope definition
Producing a project plan
Dedicating a steering committee for the project
The BCP should be aligned with the organization's mission; the business continuity steering committee should know the mission statement in order to set the scope, and should have the required authorization
Resource requirements need to be known at this stage
Budget requirements are estimated and validated
Personnel availability
Knowing the key points of contact or personnel in an emergency
-
Business Impact Analysis (BIA)
Evaluates all business functions against a common criterion to assess the potential impacts to the business from an interruption
The following fall under the BIA:
Preparing a BIA format
Assessing potential impacts
Prioritizing: very important for business functions
Elements to consider:
Analysis of the different threats to the business
Identification of critical business functions and units
Emergency assessment
3rd-party considerations
-
Different cases which need to be considered
Threat analysis: human-made threats, natural threats, IT threats, etc.
Identify critical business functions, some characteristics: time sensitivity, data integrity, etc.
Their impact on the business: financial and operational impact, reputation, etc.
Emergency assessment: affected areas, alerting procedures, security and safety procedures and guidelines, etc.
3rd-party considerations: need to look at downstream liabilities and upstream impacts, compliance requirements, SLA agreements, etc.
-
Business Continuity and Recovery Strategy
Business unit priorities: business units are examined for the critical functions identified in the BIA
Critical processes and functions are reviewed by the steering committee, which establishes priorities
The committee looks at the minimum resources required for the identified functions
Priorities are documented
Recovery Time Objective (RTO) is the assessed time by which a critical function must be recovered
Recovery Point Objective (RPO) measures the data integrity requirement, or the tolerance for the amount of data loss
Cost/benefit analysis
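As an added illustration (not part of the lecture slides), the check below evaluates a constructed set of critical functions against their recovery strategies in committee priority order: a function meets its RPO only if the backup interval plus off-site lag fits within it, and meets its RTO only if the restore time fits within it. All function names, priorities and hour figures are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CriticalFunction:
    name: str
    priority: int        # 1 = highest, as assigned by the steering committee
    rto_hours: float     # Recovery Time Objective: maximum tolerable downtime
    rpo_hours: float     # Recovery Point Objective: maximum tolerable data loss, in time


@dataclass(frozen=True)
class RecoveryStrategy:
    backup_interval_hours: float   # how often a restorable copy is taken
    offsite_lag_hours: float       # delay until that copy is safely off-site
    restore_time_hours: float      # time to bring the function up again


def worst_case_data_loss_hours(strategy: RecoveryStrategy) -> float:
    """A disaster just before the next copy is safe off-site loses a full
    backup interval of data plus whatever copy is still in transit."""
    return strategy.backup_interval_hours + strategy.offsite_lag_hours


def evaluate(fn: CriticalFunction, strategy: RecoveryStrategy) -> dict:
    """Compare one function's RTO/RPO against the strategy that protects it."""
    loss = worst_case_data_loss_hours(strategy)
    return {
        "function": fn.name,
        "priority": fn.priority,
        "rto_met": strategy.restore_time_hours <= fn.rto_hours,
        "rpo_met": loss <= fn.rpo_hours,
        "worst_case_data_loss_hours": loss,
    }


def review(functions, strategies) -> list:
    """Evaluate every critical function, highest priority first, so the
    committee sees the most important gaps at the top of the report."""
    ordered = sorted(functions, key=lambda f: f.priority)
    return [evaluate(f, strategies[f.name]) for f in ordered]


# Constructed sample data (hypothetical, not from the lecture).
FUNCTIONS = [
    CriticalFunction("payroll", 2, rto_hours=24, rpo_hours=12),
    CriticalFunction("payment-processing", 1, rto_hours=4, rpo_hours=0.25),
    CriticalFunction("hr-portal", 3, rto_hours=72, rpo_hours=24),
]
STRATEGIES = {
    "payment-processing": RecoveryStrategy(1.0, 0.0, 2.0),   # hourly local backup
    "payroll": RecoveryStrategy(24.0, 1.0, 8.0),             # nightly backup, couriered off-site
    "hr-portal": RecoveryStrategy(12.0, 1.0, 48.0),          # twice-daily backup, cold-site restore
}

if __name__ == "__main__":
    for row in review(FUNCTIONS, STRATEGIES):
        print(row)
```

In the constructed data the two highest-priority functions satisfy their RTO but not their RPO, which is the kind of gap the cost/benefit analysis then has to price against more frequent backups or replication.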
-
Recovery Alternatives
Three approaches for recovery:
Dedicated site operated by the organization: multiple processing centers
Commercially leased facility: hot site (cost high), warm site (cost moderate), cold site (cost lowest)
Agreement with an internal or external facility: identify organizations with equivalent IT configurations and backup technologies and establish an agreement
Types of agreements: reciprocal or mutual aid, contingency, service bureau
-
Backup
Strategies: replication, storage area network, electronic vaulting, etc.
Location and storage criteria: backups may be stored in several locations for different purposes: on-site storage, off-site storage, near-site storage
Resilience strategies: improve an organization's continuity and resilience: IT and site resilience, etc.
-
Plan Design and Development
Emergency response procedures: life, health and safety; damage assessment; event reporting; disaster declaration, etc.
Personnel notifications: list of people to notify; defining the role of executive crisis management; executive succession planning, etc.
Backup and off-site storage: an inventory list is compiled and documented
Facility accessibility and resilience
Communication in an emergency: emergency and business communication systems should be in place; data communication priorities in networks should be agreed upon
-
Plan Design and Development (continued)
Alternative site considerations: the ability to support the required infrastructure, environmental and space demands should be analyzed: utilities, communications, etc.
Logistics and supplies: how resources are acquired or procured, transported and maintained; personnel and materials transportation; remote worker environment activation; emergency funds access, etc.
Documentation: BCP and DRP activation and de-activation plans and procedures are documented; activity and status reports; checklists, etc.
Business continuity and resumption planning: contracts for emergency vendor services; risk avoidance and mitigation planning; emergency business recovery procedures
-
Implementation
Includes training, testing, recovery and audit
Training: increasing the organization's awareness of the BC and DR business case; different kinds of training for different attendees: all-personnel training, operations teams, recovery teams, etc.
Testing: confirms that the plan meets its emergency, recovery and restoration objectives; measures the accuracy of the plans; allows management to evaluate personnel readiness for an adverse event
-
Implementation (continued)
Test plans: each time tests are scheduled, a test plan should be written; it should contain objectives and success criteria, details, schedule, and post-test review
Test types: several test types exist which serve different purposes: checklist test, structured walk-through, simulation, parallel testing
Testing follow-up: identifying existing deficiencies; the plan should be routinely assessed and scheduled for testing, for example annually
-
Implementation (continued)
Recovery procedures: site migration, local recovery procedures, transfer and recovery, etc.
Audit: ensures an organization has an effective BC and DR capability; measures compliance; addressing audit findings
-
Restoration
Restoration of the primary location: the primary facility must be stabilized and secured, and then a more detailed damage assessment is conducted
Procurement: has an essential role in supporting restoration; consolidating acquisitions and disposition; cost reporting
Data recovery: reversal procedures; business process recovery point; journal and process synchronization
Relocation to the primary site: restoration order and prioritization; end-of-disaster declaration
-
Feedback and Plan Management
Post-recovery reporting: identification and remediation of plan gaps; record lessons learned; performance metric review
Plan review and evaluation
Training of key personnel
Communication: plan distribution; communicate the plan to stakeholders
-
References
ISC2 CBK material
CISSP All-in-One book