Business Continuity & Disaster Recovery Planning

By Tareq Hanaysha, MISSM Candidate

ISSM 511 - Introduction to Information Systems Security

Concordia University College of Alberta

2/18/2015


Page 2

1. Introduction & Definition of DR and BCP

2. Differences and purposes

3. DR & BCP Objectives

4. Major Components of DR & BCP

5. Best Practices

6. References

7. Conclusion

Page 3

Planning for the worst while hoping that it won’t happen is something that all security professionals do; disaster recovery for business continuity has always been a key part of the job.

Disaster: any event that has a significant impact on an enterprise's ability to conduct normal business, such as earthquakes, extreme weather, other natural disasters, pandemics and terrorism.

Disaster Recovery Plan: Includes the information and procedures needed to resume an organization's operation after some sort of disaster. Sometimes the plan is split into several plans, one to address recoverable disasters (e.g., loss of a server) and a more comprehensive business continuity plan for use in total loss situations.

SIMILAR TERMS: Contingency Plan, Business Resumption Plan, Continuity Plan

Page 4

Business Continuity: the enterprise-wide, proactive business process by which we manage the risks we operate within.

It addresses all aspects of the business: People, Processes, Resources and Technology (PPRT)

The goal: prevent or mitigate the risks we can, and prepare for recovery from those we cannot, or choose not to, prevent.

Business continuity plans: designed to help organisations protect themselves from the losses to infrastructure and resources caused by natural disasters, pandemics and terrorism.

Preparation is the key: You fight like you train!

SIMILAR TERMS: Contingency Planning, Business Resumption Planning, Corporate Contingency Planning, Business Interruption Planning, Disaster Preparedness.

Page 5

| Plan | Purpose | Scope |
| --- | --- | --- |
| Business Continuity Plan (BCP) | Provide procedures for sustaining essential business operations while recovering from a significant disruption | Addresses business processes; IT addressed based only on its support for business process |
| Disaster Recovery Plan (DRP) | Provide detailed procedures to facilitate recovery of capabilities at an alternate site | Often IT-focused; limited to major disruptions with long-term effects |

Page 6

1. Limit severity of the event and the magnitude of loss

2. Minimize extent of the interruption

3. Identify critical resources

4. Identify critical functions

5. Define a process to protect critical resources

6. Define alternatives for continuing critical functions

7. Minimize decision making during a crisis

8. Train personnel

9. Continual review and maintenance

10. Integration of Business Continuity with Enterprise Strategic Planning

Page 7

Disaster recovery planning components:

1. Establishment of the Recovery Team(s)

2. Development of Recovery Procedures

3. Training of the Recovery Team(s)

4. Change Management to keep plan current

5. Provision of Necessary Resources (Beans, Bombs and Bubbas…)

6. Arrangement for alternate technology platform, and retrieval of backup data

Page 8

Business Continuity Plan components:

1. Establishment of Cross-Functional Team(s)

2. Inventory of People, Processes, Resources and Technology (PPRT)

3. Risk/Threat Identification and Categorization

4. Impact Analysis and Loss Estimation

5. Prevention, Mitigation and Recovery Strategizing

6. Gap Analysis and Resolution Planning

Page 9

Plan Scope and Support

- Senior Management Support (tone at the top)
- Defined objectives, policies, scope and success factors and requirements
- Standard terms and assumptions
- Project plan and budget

Risk Analysis

- Risks – Quantitative and Qualitative
- Threats – Natural and Man Made
- Vulnerabilities – Possibilities of threats occurring have been taken into account

Figure 2-1: Contingency Planning as an Element of Risk Management Implementation

Page 10

Business Impact Analysis

- Time criticality
- RTO & RPO
- Critical Business Units/Functions
- Results based on established quantitative and qualitative metrics

Recovery Strategies

- Reasonable strategies identified
- Advantages and Disadvantages
- Cost vs. Benefit
- Business unit buy-in

The BCP Plan

- Scope and Objective
- Business Recovery Organization
- Escalation, Notification, Activation
- Resumption, Recovery, Restoration
- Maintenance, Testing

Page 11

Plan Maintenance

- Defined timetables
- Version control
- Changes

Plan Testing

- Periodic and methodical
- Address major components
- Goals and objectives for each test
- Monitor, analyze, report

Training and Awareness

- Plan existence
- Responsibilities
- Various training methods

Page 12

Thinking systematically about risk, mitigating risks, and proactively planning an optimized BCM program is something every company, large or small, can and should do.

Page 13

NIST: National Institute of Standards and Technology.

Many Sample DRPs can be seen at www.drj.com. Planning, a chapter of the book Disaster Recovery Planning: Preparing For The Unthinkable by Jon Toigo.

www.disasterrecoveryworld.com is a commercial site that also provides excellent resources, and explains the COBRA method of analysis.

www.crisis-management-and-disaster-recovery.com

Business continuity planning / management (BCM) from wikipedia.org
