Naresh Gandhi FCA, D.I.S.A. (ICAI). Business Impact Analysis.

Naresh Gandhi FCA, D.I.S.A. (ICAI)

Transcript of Naresh Gandhi FCA, D.I.S.A. (ICAI). Business Impact Analysis.

Page 1: Naresh Gandhi FCA, D.I.S.A. (ICAI). Business Impact Analysis.


Page 2

Business Impact Analysis

Page 3

Stages BCP/DRP

Develop contingency planning policy

Conduct business impact analysis (BIA)

Identify preventive controls

Develop recovery strategies

Develop contingency plan

Test the plan and train personnel

Maintain the plan

Page 4

Relationships between risk elements (diagram; only its labels survived extraction)

Nodes: Threats, Vulnerabilities, Assets, Asset Value, Risks, Controls, Security Arrangements, Potential Impact on Business

Connecting labels: Protect Against, Met By, Exploit, Reduce, Indicate, Increase, Expose, Have, Increase, Increase

Page 5

Risk Analysis

A prerequisite to a complete and meaningful DRP program

It is an assessment of threats to assets

Determination of the protection required to safeguard the assets

Page 6

Risk Assessment Process

Identification of assets

Identifying threats to these assets and assessing their likelihood

Identifying vulnerabilities and assessing how easily they might be exploited

Correlate threats to assets

Ranking of risks

Identifying the protection provided by the controls in place

Page 7

Risk Management

The process of identifying, controlling and minimizing or eliminating risks that may affect information systems, at an acceptable cost

Page 8

Risk Management - Direction

Reducing the risk

Avoiding the risk

Transferring the risk

Accepting the risk

Page 9

Degree of Assurance Required

It is not possible to achieve total security

There will always be a residual risk

What degree of residual risk is acceptable to the organization?

Page 10

Risk Management

Defining an acceptable level of residual risk

Constantly reviewing threats and vulnerabilities

Reviewing of existing controls

Applying additional controls

Introducing policy and procedures

Page 11

What are Assets?

An asset is something to which an organization directly assigns value and hence for which the organization requires protection

Page 12

Examples of Asset

Information: data files, user manuals etc.

Software: application and system software etc.

Services: communications, technical etc.

Company image and reputation

Page 13

Examples of Asset

Documents: contracts, guidelines etc.

Hardware: computer, magnetic media etc.

People: personnel, customers etc.

Page 14

Assets

Logical: Data, Information, Software, Documentation

Physical: People, Hardware, Facilities, Documentation, Supplies

Page 15

Some Assets

physical assets

personnel assets

intellectual property

trade secrets

corporate information

financial information

market research

strategic planning

customer lists

vendor lists

contact lists

information systems

R & D information

communications

meetings

future directions

Page 16

Assets Valuation

Would depend on

Business impact on loss of asset

Period of time for which asset is unavailable

Valuation of the competitor

Value of information rather than replacement of hardware

Page 17

What is a Risk?

The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to assets

Page 18

Ranking of Risks

Protection of assets should be on the basis of their criticality

How long can I continue without my asset

What is the loss to business if asset is not there

Can I continue operations otherwise

Page 19

Outage Impact & Allowable Outage Times

Resource               Outage Impact                              Allowable Outage Time
Authentication Server  User could not access Inventory System     8 hours
Database Server        User could not access Inventory System     8 hours
E-mail Server          User could not send e-mail                 2 days
5 Desktop Computers    User could not access Inventory System     8 hours
Hub                    User could not access Inventory System     8 hours
Network Cabling        User could not access Inventory System     8 hours
Electric Power         User could not access Inventory System     8 hours
Printer                User could not produce Inventory Reports   4 days

Page 20

System Ranking

Critical: only automated

Low tolerance to interruption

High cost of interruption

Vital: level of tolerance is high

Can be operated manually for a limited period

Cost of interruption is low

Page 21

System Ranking

Sensitive: can be performed manually for an extended time period

Additional resources required

Non Critical: can remain inoperative

Data is not restored

Page 22

Formulae for Comparing Risks

Asset Cost (A)

Likelihood of Threat Occurrence (B)

Vulnerability (C)

Measure of Risk (D) = (A + B + C) / 3

Risk Ranking (E)

A   B   C   D   E
4   5   3   4   High
3   3   3   3   Moderate
5   5   5   5   Very High
4   1   1   2   Low
1   1   1   1   Very Low
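The measure-of-risk formula and ranking table on this slide, carried through in code as an added example that is not part of the original slides: it computes D = (A + B + C) / 3 on the 1-to-5 scale shown, maps D to the rank E using the five rows of the table, rejects scores outside that scale, and orders a list of assets from highest to lowest risk so that protection follows criticality (the "Ranking of Risks" slide). The asset names, the score() and rank_assets() helpers, and rounding D to the nearest whole number when the average is not a whole number are assumptions of this example; the slide only shows whole-number values of D.

```python
"""Measure of risk D = (A + B + C) / 3 and its rank E, as on the slide.

Added example; the helper names and the rounding rule are assumptions."""
from dataclasses import dataclass

# Rank labels E from the slide's table, keyed by the whole-number measure D.
RISK_RANKS = {1: "Very Low", 2: "Low", 3: "Moderate", 4: "High", 5: "Very High"}


@dataclass(frozen=True)
class RiskScore:
    asset: str
    asset_cost: int          # A, scored 1 (lowest) to 5 (highest)
    threat_likelihood: int   # B, likelihood of threat occurrence, 1 to 5
    vulnerability: int       # C, how easily the asset can be exploited, 1 to 5

    def measure(self) -> float:
        """D = (A + B + C) / 3, exactly as the slide states."""
        return (self.asset_cost + self.threat_likelihood + self.vulnerability) / 3

    def rank(self) -> str:
        """E: look the rounded measure up in the slide's table.

        The slide only shows whole-number D; rounding in-between values to the
        nearest whole number is an assumption of this example. Because the
        denominator is 3, D is never exactly halfway between two integers, so
        round() has no ties to break."""
        return RISK_RANKS[round(self.measure())]


def _check_scale(value: int, name: str) -> None:
    # Reject inputs outside the 1..5 scale so a typo cannot silently
    # produce a rank that is not in the table.
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be a whole number from 1 to 5, got {value!r}")


def score(asset: str, a: int, b: int, c: int) -> RiskScore:
    """Validate the three factors and build a RiskScore (assumed helper)."""
    for value, name in ((a, "A"), (b, "B"), (c, "C")):
        _check_scale(value, name)
    return RiskScore(asset, a, b, c)


def rank_assets(scores: list[RiskScore]) -> list[RiskScore]:
    """Order assets from highest to lowest D, so protection effort follows
    criticality; assets with equal D keep their input order."""
    return sorted(scores, key=lambda s: s.measure(), reverse=True)


# Constructed sample: the five rows of the slide's table, with invented asset names.
SLIDE_ROWS = [
    score("Example asset 1", 4, 5, 3),  # D = 4, High
    score("Example asset 2", 3, 3, 3),  # D = 3, Moderate
    score("Example asset 3", 5, 5, 5),  # D = 5, Very High
    score("Example asset 4", 4, 1, 1),  # D = 2, Low
    score("Example asset 5", 1, 1, 1),  # D = 1, Very Low
]

if __name__ == "__main__":
    for s in rank_assets(SLIDE_ROWS):
        print(f"{s.asset:16} A={s.asset_cost} B={s.threat_likelihood} "
              f"C={s.vulnerability} D={s.measure():.2f} E={s.rank()}")
```

Running the block prints the five table rows ordered Very High first and Very Low last. The 1-to-5 scale is enforced on input rather than at lookup time, because an out-of-range factor would otherwise surface only as a missing key in the rank table, far from the data-entry mistake that caused it.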

Page 23

Threat

A declaration of the intent to inflict harm, pain or misery

Potential to cause an unwanted incident, which may result in harm to a system or organization and its assets

Intentional or accidental, man-made or an act of God

Assets are subject to many kinds of threats which exploit vulnerabilities

Page 24

Types of Threat

Man-made Threats

Errors

Sabotage

Bombs

Strikes

Terrorist Attack

Competitors

Page 25

Type of Threats

Man-made Threats

Disgruntled employees

Ex-employees

Hackers

Cracker

Fire

Page 26

Type of Threats

Natural Threats

Floods

Hurricanes

Tornadoes

Earthquakes

Fire

Lightning

Page 27

Type of Threats

Technological

Deliberate threats

Accidental threats

Threat frequency

Page 28

Threat Likelihood

Low: less likely to occur

Medium: some history of occurrence

High: good possibility of occurrence

Page 29

Impact of Threat

Loss of money

Loss of reputation or goodwill

Opportunities missed

Litigation

Threat on personnel

Break-ins or Hacks

Lost confidence

Business interruption

Reduced efficiency

Page 30

Vulnerability

A vulnerability is a weakness/hole in an organization's information security

A vulnerability in itself does not cause harm

It is merely a condition or set of conditions that may allow a threat to affect an asset

A vulnerability, if not managed, will allow a threat to materialize

Page 31

Vulnerabilities

Absence of key personnel

Unstable power grid

Unprotected cabling lines

Lack of security awareness

Wrong allocation of password rights

Insufficient security training

No firewall installed

Unlocked door

Password same as userid

Poor choice of password

New technology

Page 32

Controls

Controls are applied to mitigate risk

bring to acceptable level

accept the risk

Controls should be cost effective

Page 33

Control Selection

Which Control?

Page 34

Control Selection

Risk

Degree of assurance required

Cost

Ease of Implementation

Servicing

Legal and regulatory requirements

Customer and other contractual requirements

Page 35

Control Selection - Cost

Budget limitations

Does the cost of applying the control outweigh the value of the asset

May have to select Best Value range of controls

Page 36

Control - Ease of Implementation

Does environment support control

How long will the control take to implement

Is the control readily available

Page 37

Control - Servicing

Are skills available to manage controls

Are upgrades readily available

Is equipment supported by local engineers or suppliers

Page 38

Controls

The policies, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected

Page 39

Power Outage Mitigation

Provide one hour of uninterrupted power on all servers used internally

Provide eight hours of uninterrupted power on all web servers and support hardware

Replace desktop systems with laptops where possible

Alternate power supply: DG set, UPS/voltage regulators

Page 40

Fire Damage

Automatic and manual fire alarms at strategic locations

Fire extinguishers at strategic locations

Halon or CO2 or water?

Automatic fire sprinkler system

Control panels

Automatic fire proof doors

Master switches both inside and outside IS facility

Wiring in closets

Page 41

Water Damage

IS facility should not be on the ground floor

Waterproof ceilings, walls and floors

Drainage systems

Water alarms

Dry pipe sprinkler system

Cover hardware with protective fabric

Page 42

Controls of the Last Resort (Insurance)

IS equipment and facility

Media reconstruction (Software)

Extra expense

Business interruption

Valuable papers and Records

Errors and omissions

Fidelity coverage

Media transportation

Extra Equipment Coverage

Specialized Equipment Coverage

Civil Authority

Page 43

What is a contingency?

An event with a potential to disrupt computer operations, critical missions and business functions

Reasons:

Power outage

Hardware failure

Fire

Storms

Page 44

What is a Disaster?

A contingency event which is very destructive

Disasters result from threats

Page 45

Phases of Disaster

Crisis Phase

Emergency Response Phase

Recovery Phase

Restoration Phase

Page 46

Disasters

New York WTC collapse

Gujarat earthquake

Power Outage knocks out a data server

Sprinkler system leaks

Chemical spills from a tanker

Page 47

Nasdaq Story 11 Sept, 01

1 Liberty Plaza, headquarters of Nasdaq, is across the street from WTC

CIO Gregor Bailar provides an inside look at how Nasdaq got back up and running after the Sept. 11 tragedy

What was happening at 1 Liberty?

They began evacuating after the first plane hit. Our security guards on their own accord evacuated our floor at least, so most of our people were on the ground when the second plane hit

Page 48

Nasdaq Story 11 Sept, 01

Halting the market wasn't a step you could take lightly

"Yes, halt the market."

Page 49

Nasdaq Story 11 Sept, 01

How did the command center operate?

The first thing we had to understand was our personnel situation

Then we broadened the investigation to learn who was affected among our traders

Then we had to understand the situation from a physical perspective

Page 50

Nasdaq Story 11 Sept, 01

How did the command center operate?

Did we lose a building? Did we lose a data center? Did we lose connectivity? What have we got in the way of physical damage that's going to take a long time to restore?

Page 51

Nasdaq Story 11 Sept, 01

How did the command center operate?

Next we needed to know the regulatory situation: Are people trading today? What's the landscape of the trading industry? It was literally in that order

Page 52

Nasdaq Story 11 Sept, 01

Some of your traders were in trouble, but Nasdaq's systems were all up?

Nasdaq is highly redundant

We have servers in different buildings

Every single one of our traders is connected to two different Nasdaq points of presence or connection centers

Page 53

Nasdaq Story 11 Sept, 01

Some of your traders were in trouble, but Nasdaq's systems were all up?

There are four connection centers alone in downtown Manhattan

20 connection centers around the United States

Every single server connects to two of those centers through two different paths, and often through two different vendors

Page 54

Nasdaq Story 11 Sept, 01

How did you prepare for Monday?

We started industrywide testing on Saturday at 7 or 8 in the morning, and by 11:30 that morning, we had achieved 98 percent of the volume. And then on Sunday we did a half-day of retesting with people who wanted to add a little more volume capability.

Page 55

Nasdaq Story 11 Sept, 01

What did Nasdaq lose over the downtime and what did it cost to get back up?

We have interruption insurance, so we hope to recover most of it, but it's in the millions, and it could crest tens of millions

Page 56

Nasdaq Story 11 Sept, 01

What were the Disaster recovery lessons for Nasdaq?

We learned that distributed systems are really good. You have to think about how your business has concentrated people or operational centers in certain places. You've got to consider if it's the wisest distribution. We feel we were lucky having some folks in Connecticut and some in Maryland. Even if we had lost some of our senior management at 1 Liberty Plaza, we would have still had a senior team

Page 57

Nasdaq Story 11 Sept, 01

After living through this, what would you advise other CIOs to consider?

This was a true test of people's backup strategies

Did you ever test your backup strategy?

Have you worked out of your backup center?

Page 58

Nasdaq Story 11 Sept, 01

After living through this, what would you advise other CIOs to consider?

Do you know how to get people there?

Do you know the critical phone numbers?

A lot of people don't have phone numbers as part of their continuity of business plan

Page 59-60

Nasdaq Story 11 Sept, 01

After living through this, what would you advise other CIOs to consider?

I think people will have to look very carefully at their backup strategies and see whether they can communicate with everybody easily, whether the phone numbers are not stored in that same building that could experience the Disaster, and whether they've got hot backups

Hot backups are going to be much more popular than they have been in the past

Page 61

(Chart; only its caption survived extraction) Yellow line shows normal traffic

Page 62

How did AT&T Control

141 video display screens show the status of all the networks

Network managers put controls on the network to slow down the flow of inbound calls

Keep circuits available for outbound calling

As a result, the AT&T long distance network carried a record 431 million call attempts on Sept. 11, 101 million more than the previous high-traffic day

Page 63

Business Continuity Plan

The BCP focuses on sustaining an organization’s business functions during and after a disruption

Page 64

Disaster Recovery Plan

The DRP applies to major, usually catastrophic, events that deny access to the normal facility for an extended period

Page 65

Type of Plans

Business Recovery Plan: addresses restoration of business processes but lacks procedures

Continuity Of Operations Plan: addresses restoring H.Q. level issues at an alternate site

Page 66

Type of Plans

Crisis Communication Plan: a plan responsible for public communications

IT Contingency Plan: plan for each major application

Occupant Emergency Plan: response procedures for occupants

Test plan: identifies deficiencies in the different plans

Page 67

Cyber Incident Response Plan

The IRP defines strategies to detect, respond to and limit the consequences of a malicious cyber incident

Page 68

Category of Disaster

Minor disruption

Serious disruption

Major disruption

Catastrophic disruption

Page 69

Category of Disaster

Minor disruption: no damage or loss

Temporary power failure or fluctuation

Communication failure

Unavailability of non critical personnel

Page 70

Category of Disaster

Serious disruption: repairable damage to equipment, office area, data, records, software

Equipment breakdown

Failure of AC

Human error

Page 71

Category of Disaster

Major disruption: destruction of equipment, office area, data

Complete loss of equipment

Structural mishap

Malicious loss of data

Page 72

Category of Disaster

Catastrophic Disaster: total loss of office area, data or people due to natural Disaster like fire, flood etc.

Complete destruction of personnel

Complete destruction of facilities

Page 73

What is a Disaster Recovery Plan?

A plan that provides a vital pre-planned framework:

for initiating recovery operations

provides guidance for damage assessment

planned actions to resume critical IS and functional activities

restore full business operations

minimum delay and disruption

Page 74

Coping with Emergencies

The idea of a DRP is to think ahead, before events actually happen:

How likely is the happening

What can be done on happening

What can be done to lessen their likelihood

What can be done to prepare for these events

Page 75

DRP - Key Issues

How to develop the plan

How to test the plan

How to maintain

How to keep continuity of operations

Page 76

DRP Overview

A total plan for all departments integrated together

Must be written, tested and documented

Clear assignment of responsibilities to employees

It should address:

mainframe computers

minicomputers

microcomputers

Page 77

DRP Overview

It should address...

networks

automated operations

semi automated operations

manual operation

Page 78

Why Disaster Recovery Plan

To respond to Disasters of any type

To curtail revenue loss

To avoid loss of critical data

To maintain competitive edge

To maintain employee productivity

Page 79

DRP - Phases

Identifying threats and vulnerabilities

Developing the contingency plan

Conducting tasks and drills

Updating and maintaining the plan

Page 80

Ranking of Objectives of DRP

Protection of the organization's employees and the public

Minimizing the financial impact

Limiting extent of damage

Reducing physical damage

Page 81

Planning Responsibilities

Prime responsibility for developing, maintaining, executing contingency plan is with senior management

Recommended approach to planning is by teams

Page 82

BCP Techniques

DRP Plan: top-down approach

Page 83

BCP Techniques - DRP Plan

Top-down approach - it involves:

Senior management

Line management

IS management

System auditors

End user

Page 84

BCP Techniques - DRP Plan Steps

Conduct impact analysis

Plan design

Plan development

Plan Implementation

Plan testing

Plan Maintenance

Page 85

BCP Techniques

Ongoing maintenance: combination of top-down and bottom-up approaches

Page 86

BCP Techniques

Why do we require a plan? Responsibility to:

shareholders

customers

suppliers

employees

legal

Page 87

BCP Techniques

What can go wrong in a planning process?

Technical aspects

Back-up employees

Functional user operations

Selection of DRP team

Page 88

BCP Techniques

Application System Prioritization

Critical application systems

Prioritize items

Conduct impact analysis

Prioritization to be based on importance to the organization and not to an individual

Page 89

BCP Techniques

What can go wrong in system prioritization?

The majority of systems may not be critical

Most business users claim their systems qualify as critical

Page 90

BCP Techniques

Planning Committee: responsible for developing the DRP

Knowledgeable members

Specific assignments

Page 91

BCP Techniques

Planning Committee Members: knowledgeable members

Project leaders

Well versed with IS requirements

From security, fire, operations, production control, legal, audit, users, tele-communication, network, system and application programming

Page 92

BCP Techniques

Recovery Capability Assessment: current security

Disaster recovery capabilities

Weaknesses

Analysis

Recommend prioritized actions

Page 93

BCP Techniques

Plan Development Alternatives: in-house

Ready made software package

Hire consultants

Combination of the above

Page 94

BCP Techniques

Plan requirement analysis

Hardware

System software

Personnel

Telecommunications

Backup data files

Vendor support availability

Security

Page 95

BCP Techniques

Plan requirement analysis (continued)

Office equipment

Logistics

Storage

Funding

Purchase orders

Page 96

BCP Techniques

Planning document contents

Purpose and scope

Testing and Recovery procedures

Vendors with address and tele nos.

Location of contingency plan

Procedure for post recovery

Emergency recovery team members with responsibility

Phone list for fire, police, hardware, software, major suppliers and customers

Page 97

BCP Techniques

Planning document contents (continued)

Contact person with address at backup location

Description and configuration of hardware and software

Backup contractual agreements

Application system job priorities

Logistics

Insurance carrier phone nos.

Page 98

Contingency Planning Process - Steps

Identifying the critical functions

Identifying the resources supporting critical functions

Anticipating potential contingencies or Disasters

Selecting contingency planning strategy:

Emergency response

Recovery

Resumption

Page 99

Contingency Planning Process - Steps

Implementing the contingency strategy:

Implementation

Documenting

Training

Testing and revising the strategy

Page 100

Disaster Recovery Teams

Emergency action team

Disaster assessment team

Recovery management team

Public Relations team

Off-site storage team

Software team

Application team

Security team

Communication team

Transportation team

Facilities team

Administration team

Operation team

Procurement team

Salvage team

Staff Coordination team

Page 101

Activating the Plan

Recognize an emergency

Contact the proper authority:

Specific nature of the emergency

Time of the emergency

Location of the emergency

Extent of damage or status of the emergency

Danger or injuries to people

Cause of the emergency

Page 102

Activating the Plan

Activate the plan

Gather the response team

Brief the response team

Activate emergency command center:

Communications equipment

Personal protective equipment (First Aid Kits)

Records and information needed to respond

Reference manuals, including maps

Page 103: Naresh Gandhi FCA, D.I.S.A. (ICAI). Business Impact Analysis.

Naresh Gandhi FCA, D.I.S.A. (ICAI)

Activating the Plan

Activate emergency command center

Emergency communication directory

Back-up power supply, including fuel

Office supplies, including computers with internet access

AM/FM radios, cable television

Food, water, and other personal supplies to last several days

Message boards, overhead projectors and other presentation materials and equipment

Page 104

Activation of the Plan

Maintain communication

Initiate recovery activities

Assemble a damage assessment team

Gather initial damage estimates

Facility structural damage

Damage to products, materials, or supplies, including records and information

Damage to vehicles or equipment

Damage to property

Page 105

Activation of the Plan

Gather initial damage estimates

Personal injuries

Costs to recover (materials and supplies)

Costs to recover (repairs and maintenance)

Costs to recover (labor)

Loss of revenue

Compile information into a report

Initial Damage Assessment Report

Page 106

Facility Damaged:

Location: (Attach map with clearly marked location and travel route to site, if needed)

Describe Damage or Injuries:

List Work Needed to Repair Sites:

List Work that has been completed: (Attach activity report if any work has been completed)

Estimated Cost: (Develop a detailed breakdown of personnel, equipment, and materials for complete damage assessment; include estimate of any loss of revenue)

Notes/Comments:

Damage Report Completed By:

Dated:

Initial Damage Assessment Report

Page 107

Activation of the Plan

Train the damage assessment team

Initiate security activities

Issuing identification badges to employees and other authorized personnel

Locking doors if personnel cannot monitor the facility during an emergency

Installing signs designating secured or restricted areas

Placing a sign-in sheet at the command center and logging time in/out

Creating a list of authorized personnel and monitoring it

Page 108

Activation of the Plan

Initiate security activities

Ensuring that personnel know who is authorized to make decisions

Maintaining supplies to board up windows quickly

Securing cash operations immediately

Asking for police assistance

Asking a neighbor to help monitor security

Notify recovery site

Notify impacted staff

File insurance claims

Primary site procedures

Return to normal operations

Post recovery analysis

Activate Contingency Arrangements

Page 109

Develop Recovery Priorities

Resource                          Recovery Priority
Authentication Server             High
Database Server                   High
5 Desktop Computers               High
1 Hub                             High
E-mail Server                     Medium
Printer                           Medium
Remaining Desktop Computers (45)  Low
Remaining Hubs (5)                Low

Page 110

Recovery Alternatives

Centralized Systems

Hot Site

Warm Site

Cold Site

Mobile Site

Mirrored Site

Duplicate Information Processing Facility

Reciprocal Agreement

Commercial Service Bureaux

Page 111

Recovery Alternatives

Hot Site

Fully configured

Ready for operations

Intended for emergency operations

Use for limited time operations

Most expensive

Page 112

Recovery Alternatives

Warm Site

Partially configured

Without CPU

Less expensive than hot site

Page 113

Recovery Alternatives

Cold Site

Only basic environment

Activation takes several weeks

Least expensive

Page 114

Recovery Alternatives

Mobile Site

Empty shell facilities

Transportable

Available on lease through vendors

Page 115

Recovery Alternatives

Mirrored Site

Fully redundant

Real time information mirroring

Identical to primary site

Most expensive to maintain

Page 116

Recovery Alternatives

Duplicate Information Processing Facilities

Dedicated self developed recovery sites

Backup of critical applications

Site chosen to be away from primary site

Resource availability to be assured

Regular testing

Page 117

Recovery Alternatives

Reciprocal agreements

Agreements between organizations with similar equipment or applications

Low cost

Configuration compatibility

Page 118

Service Bureaus/ASPs

Emergency processing services

Application specific

Page 119

Alternate Site Selection Criteria

Site           Cost         Hardware Equipment   Telecommunication   Setup Time   Location
Cold Site      Low          None                 None                Long         Fixed
Warm Site      Medium       Partial              Partial/Full        Medium       Fixed
Hot Site       Medium/High  Full                 Full                Short        Fixed
Mobile Site    High         Dependent            Dependent           Dependent    Not Fixed
Mirrored Site  High         Full                 Full                None         Fixed

Page 120

Telecommunication Network Backup

Redundancy: Surplus capacity created for extra load/failure

Alternative Routing: Routing by means of an alternate medium

Diverse Routing: Split or duplicate cable sheath

Page 121

Telecommunication Network Backup

Last mile circuit protection: Local communication loops

Long haul network diversity: T1 circuits between network carriers for automatic re-routing in case of failures

Voice Recovery

Page 122

Data Recovery Plan

Critical

Vital

Sensitive

Non Critical

Page 123

Backup Techniques

Full Backup

Incremental Backup

Differential Backup
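To make the three techniques concrete, the following is an added example (Python, not from the deck): it replays a constructed four-day change history under each scheme, records what every run copies, and shows which backup sets a restore of a given day has to read back.

```python
"""Full, incremental and differential backup simulation (added example).

Each day is modelled as a dict of file name -> version number.  Run 0 is
always a full backup; later runs copy either everything (full), what changed
since the previous run (incremental) or what changed since the last full
backup (differential).  The history below is constructed for the example and
contains no deletions, which an overlay-style restore could not express.
"""
from typing import Dict, List

# Constructed sample: state of the file set at the end of each day.
DAYS: List[Dict[str, int]] = [
    {"ledger.db": 1, "payroll.xls": 1, "readme.txt": 1},                 # day 0: full
    {"ledger.db": 2, "payroll.xls": 1, "readme.txt": 1},                 # day 1
    {"ledger.db": 3, "payroll.xls": 2, "readme.txt": 1},                 # day 2
    {"ledger.db": 3, "payroll.xls": 2, "readme.txt": 1, "memo.doc": 1},  # day 3
]

SCHEMES = ("full", "incremental", "differential")


def plan(scheme: str, days: List[Dict[str, int]]) -> List[Dict[str, int]]:
    """Return one dict per run holding the files (and versions) that run copies."""
    if scheme not in SCHEMES:
        raise ValueError(f"unknown scheme {scheme!r}")
    runs = [dict(days[0])]          # run 0 is the full baseline in every scheme
    reference = dict(days[0])       # state the next run is compared against
    for state in days[1:]:
        if scheme == "full":
            copied = dict(state)
        else:
            copied = {f: v for f, v in state.items() if reference.get(f) != v}
        runs.append(copied)
        if scheme == "incremental":
            reference = dict(state)  # next run only needs changes since today
        # differential: reference stays at the last full backup
    return runs


def restore_chain(scheme: str, day: int) -> List[int]:
    """Indices of the backup sets needed, in apply order, to rebuild `day`."""
    if scheme == "full" or day == 0:
        return [day]
    if scheme == "incremental":
        return list(range(day + 1))      # full plus every incremental since
    return [0, day]                      # differential: full plus the latest one


def restore(scheme: str, runs: List[Dict[str, int]], day: int) -> Dict[str, int]:
    """Overlay the chain's backup sets oldest to newest and return the rebuilt state."""
    state: Dict[str, int] = {}
    for idx in restore_chain(scheme, day):
        state.update(runs[idx])
    return state


def files_copied(runs: List[Dict[str, int]]) -> int:
    """Total file copies made over the whole schedule (a storage/time proxy)."""
    return sum(len(r) for r in runs)


if __name__ == "__main__":
    for scheme in SCHEMES:
        runs = plan(scheme, DAYS)
        print(f"{scheme:12s} copies={files_copied(runs):2d} "
              f"restore of day 3 needs sets {restore_chain(scheme, 3)}")
```

The trade-off the slides list shows up in the numbers: incremental copies least but needs the longest restore chain, differential copies more each day but restores from just two sets.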

Page 124

Backup Methods

Floppy Diskettes

Compact Disk

Replication

Internet Backup

Page 125

Removable Cartridges

Tape Drives

Networked Disk

Remote Mirroring

Backup Methods

Page 126

Answer the following

Where will media be stored?

What data should be backed up?

How frequently are backups conducted?

How quickly can the backups be retrieved in the event of an emergency?

Who is authorized to retrieve the media?

How long will it take to retrieve the media?

Where will the media be delivered?

Page 127

Answer the following

Who will restore the data from the media?

What is the tape-labeling scheme?

How long will the backup media be retained?

When the media are stored onsite, what environmental controls are provided to preserve the media?

What types of tape readers are used at the alternate site?

Page 128

Backup Media Library

It should contain:

Backup of tapes, disks, master and transaction files

Backup copies of current application software

Up-to-date copy of contingency plan

Up-to-date operation manuals, system and program documentation

Each facility must have a backup media library

Page 129

Backup Media Library

Should be at some distance from main facility

Subject to physical and environmental control

Page 130

Backup Procedures

What can go wrong

May contain only magnetic or electronic records, not paper records

Access not available at all times

Critical data may not be stored

Page 131

Backup Procedures

Determining Backup Priorities

Postpone less urgent tasks

Identify critical functions in advance

Eliminate or postpone non-urgent portions of record keeping

Page 132

Plan Testing

Scope

Time-frame

Teams

Objectives

Methodology

Conduct

Evaluation

Weaknesses

Improvement

Revision

Page 133

Phases of Testing

Pre test

Test

Post Test

Page 134

Type of Tests

Checklist test

Structured walk through test

Simulation test

Parallel test

Full interruption test

Page 135

Result Analysis

Time

Amount

Count

Accuracy

Page 136

Test Examples

Contact every level of call tree successfully within 1 hour

Restore critical system off-site within 48 hours

Evacuate building in 15 minutes

Contact key vendors within 1 hour

Fire drills carried out selectively

Check jockey pump pressure

Notify participants in advance

Page 137

Awareness and Training

Walkthrough Session

Scenario Workshop

Simulation of a Live Test

Page 138

BCP Maintenance

Strategy as per changing need of the business

New applications documented

Change in critical applications

Change in hardware or software environment

Plan maintenance methods

Page 139

BCP Maintenance

Schedule for periodic review and maintenance

Review of revisions

Conducting scheduled and unscheduled tasks

Training recovery personnel

Maintaining rounds

Updating personnel changes

Page 140

Record of Change

Page No.   Change   Comment   Date of Change   Signature

Page 141

Law And Standards

Page 142

HIPAA

Documented Practices for data protection and continuity of operations for health care industry

Page 143

GBL And The Expedited Funds Availability Act

Standards for safeguarding security, confidentiality of customer records

Page 144

Sarbanes-Oxley Act

An Act for protecting investors by improving reliability of corporate disclosures and internal control

Page 145

GASSP

Principles supporting the Generally Accepted Accounting Principles and similar models

Page 146

Information Technology Infrastructure Library

A collection of best practices in IT service management

Page 147

Basel Committee On e-Banking

Principles for effective capacity, business continuity and contingency planning of e-banking systems and services

Page 148

Basel II Capital Accord

Encourage financial firms to be more proactive and forward looking in financial activities

Page 149

SAS 70

Internationally recognized auditing standard for service organization

Page 150

COBIT

A framework resulting in control objectives considered to be good or best practices

Page 151

Strategies For Networked Systems

Page 152

Strategies

Eliminating single points of failure

Redundant Cabling and Devices

Remote Access

Wireless LANs

Page 153

Strategies For Fault Tolerant Implementation

Page 154

RAID

A system which uses multiple hard drives to share or replicate data among the drives

A system that combines multiple hard drives into a single logical unit

Page 155

BENEFITS

Higher data security

Fault tolerance

Improved availability

Increased, Integrated capacity

Improved performance

RAID

Page 156

Data redundancy techniques

Mirroring

Parity

Striping

RAID

Page 157

MIRRORING

Data in the system is written simultaneously to two hard disks instead of one

RAID

Page 158

RAID

MIRRORING

Page 159

RAID

MIRRORING

Advantages

Data redundancy

Fast recovery

Disadvantages

Expensive

Page 160

RAID

Duplexing

Data in the system is written simultaneously to two hard disks with separate controllers

Page 161

RAID

Disk Duplexing

Page 162

STRIPING

A data element is broken into multiple pieces at byte level or in blocks

RAID

Page 163

RAID

STRIPING

Page 164

RAID

PARITY

It involves the use of parity information, which is redundancy information calculated from the actual data values

Page 165

RAID-0

Technique: striping without parity

Files broken into stripes

No redundancy

Storage efficiency: 100% if drives identical

Minimum of 2 hard disks required

Fault tolerance: none

Cost: lowest of all RAID levels

Recommended uses: non-critical data

RAID LEVELS

Page 166

RAID-0

This illustration shows how files of different sizes are distributed between the drives on a four-disk, 16 kiB stripe size RAID 0 array. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; and the magenta is 500 kiB.

Page 167

RAID-1

Technique: mirroring

Exactly 2 hard disks

Fault tolerance: very good

Storage efficiency: 50% if drives identical

Cost: relatively high

Recommended uses: applications requiring high fault tolerance, e.g. accounting and other financial data

RAID LEVELS

Page 168

RAID-1

Illustration of a pair of mirrored hard disks, showing how the files are duplicated on both drives.

Page 169

RAID-2

Technique used: Bit level striping with ECC

Hard disk requirements: 10 data disks & 4 ECC disks

Random read performance: Fair

Random write performance: Poor

Fault tolerance: only fair

Cost: very expensive

Recommended use: not used in modern systems

RAID LEVELS

Page 170

RAID-3

Technique: Byte level striping with dedicated parity

Minimum 3 hard disks

Random read performance: Good

Random write performance: Poor

Array Capacity: Size of smallest drive * (no. of drives - 1)

Fault tolerance: good

Cost: Moderate

Recommended uses: Applications working with large files that require high transfer performance

RAID LEVELS

Page 171

RAID-3

This illustration shows how files of different sizes are distributed between the drives on a four-disk, byte-striped RAID 3 array. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; and the magenta is 500 kiB. Notice that the files are evenly spread between three drives, with the fourth containing parity information (shown in dark gray).

Page 172

RAID-4

Technique used: Block level striping with dedicated parity

Random read performance: Good

Random write performance: Fair

Array Capacity: Size of smallest drive * (no. of drives - 1)

Minimum 3 hard disks

Fault tolerance: good

Cost: Moderate

Recommended uses: Not commonly used

RAID LEVELS

Page 173

RAID-4

This illustration shows how files of different sizes are distributed between the drives on a four-disk RAID 4 array using a 16 kiB stripe size. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; and the magenta is 500 kiB. Notice that as with RAID 3, the files are evenly spread between three drives, with the fourth containing parity information (shown in gray).

Page 174

RAID-5

Technique used: Block level striping with distributed parity

One of the most popular RAID levels

Random read performance: Very Good

Random write performance: Only Fair

Array Capacity: Size of smallest drive * (no. of drives - 1)

Minimum 3 hard disks

Fault tolerance: good

Cost: Moderate

Recommended uses: ERP, relational database applications & other business systems

RAID LEVELS

Page 175

RAID-5

This illustration shows how files of different sizes are distributed between the drives on a four-disk RAID 5 array using a 16 kiB stripe size. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; and the magenta is 500 kiB.

Page 176

RAID LEVELS

RAID-6

Technique used: Block level striping with dual distributed parity

Minimum 4 hard disks

Random read performance: Very Good

Random write performance: Poor

Array Capacity: Size of smallest drive * (no. of drives - 2)

Fault tolerance: very good

Cost: High

Specialized controller

Recommended uses: Same as RAID-5, but not popular as cost is high
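The parity and capacity slides state the ideas in words; the following is an added example (Python, not from the deck) that builds a small RAID-5 array with block striping and rotating XOR parity, rebuilds a lost disk from the survivors, and encodes the capacity formulas given for RAID-0/1/3/4/5/6. Disk count, block size and the payload are constructed for illustration.

```python
"""RAID-5 block striping with rotating XOR parity, plus the array-capacity
formulas from the RAID level slides (added example, not from the deck).
Disk count, block size and the sample payload are constructed."""
from functools import reduce
from typing import List, Optional


def raid_capacity(level: int, drives: int, smallest_drive: int) -> int:
    """Usable capacity as stated on the slides: smallest drive * (n - parity disks)."""
    if level == 0:
        return smallest_drive * drives                # 100% if drives identical
    if level == 1:
        if drives != 2:
            raise ValueError("RAID-1 uses exactly 2 hard disks")
        return smallest_drive                         # 50%: the second disk is a copy
    if level in (3, 4, 5):
        if drives < 3:
            raise ValueError("RAID-3/4/5 need at least 3 hard disks")
        return smallest_drive * (drives - 1)          # one disk's worth of parity
    if level == 6:
        if drives < 4:
            raise ValueError("RAID-6 needs at least 4 hard disks")
        return smallest_drive * (drives - 2)          # two disks' worth of parity
    raise ValueError(f"no capacity rule for RAID-{level}")


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Parity of equal-length blocks: XOR of the bytes at each position."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


class Raid5:
    """n disks; each stripe holds n-1 data blocks and one parity block, and the
    parity block moves one disk to the left on every stripe (distributed parity)."""

    def __init__(self, disks: int, block_size: int) -> None:
        if disks < 3:
            raise ValueError("RAID-5 needs at least 3 hard disks")
        self.n, self.bs = disks, block_size
        self.disks: List[List[bytes]] = [[] for _ in range(disks)]

    def parity_disk(self, stripe: int) -> int:
        """Which disk holds the parity block of this stripe."""
        return (self.n - 1 - stripe) % self.n

    def write(self, data: bytes) -> int:
        """Stripe `data` across the array; returns the number of stripes used."""
        per_stripe = self.bs * (self.n - 1)
        stripes = 0
        for off in range(0, len(data), per_stripe):
            chunk = data[off:off + per_stripe].ljust(per_stripe, b"\0")
            blocks = [chunk[i * self.bs:(i + 1) * self.bs] for i in range(self.n - 1)]
            p = self.parity_disk(stripes)
            layout = blocks[:p] + [xor_blocks(blocks)] + blocks[p:]
            for d in range(self.n):
                self.disks[d].append(layout[d])
            stripes += 1
        return stripes

    def read(self, length: int, failed: Optional[int] = None) -> bytes:
        """Read `length` bytes back.  If `failed` names a disk, its blocks are
        treated as lost and rebuilt from the other n-1 blocks of each stripe.
        A second lost disk could not be rebuilt this way, which is what the
        dual parity of RAID-6 is for."""
        out = bytearray()
        for s in range(len(self.disks[0])):
            stripe = [self.disks[d][s] for d in range(self.n)]
            if failed is not None:
                survivors = [stripe[d] for d in range(self.n) if d != failed]
                stripe[failed] = xor_blocks(survivors)   # works for data or parity
            p = self.parity_disk(s)
            out += b"".join(stripe[:p] + stripe[p + 1:])
        return bytes(out[:length])


if __name__ == "__main__":
    array = Raid5(disks=4, block_size=4)
    payload = b"The quick brown fox jumps over the lazy dog"   # constructed sample
    print("stripes written:", array.write(payload))
    print("rebuilt after losing disk 2:", array.read(len(payload), failed=2) == payload)
    print("RAID-5 usable capacity, 4 x 500 GB:", raid_capacity(5, 4, 500), "GB")
```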

Page 177

RAID-6

This illustration shows how files of different sizes are distributed between the drives on a four-disk RAID 6 array using a 16 kiB stripe size. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; and the magenta is 500 kiB.

Page 178

RAID LEVELS

RAID-7

Proprietary product of Storage Computer Corporation

Hard disks: depends

Random read performance: Very Good

Random write performance: Very Good

Array Capacity: Depends

Fault tolerance: very good

Cost: Very High

Specialized controller

Recommended uses: Not popular as cost is high

Page 179

MULTIPLE(NESTED) RAID LEVELS

RAID-0+1 & RAID-10

Technique used: Mirroring & Striping without parity

Most popular of the multiple RAID levels

Minimum 4 hard disks

Availability: very good for RAID-01, excellent for RAID-10

Random read performance: very good

Random write performance: good

Fault tolerance: very good

Cost: High

Recommended uses: Often used in place of RAID-1 or RAID-5 for higher performance

Page 180

RAID 0+1

Page 181

RAID 10

Page 182

Strategies for Data communications

Dial up

Circuit Extension

On demand service from the carriers

Diversification of services

Microwave communications

VSAT

Page 183

Strategies for Voice communications

Cellular phone backup

Carrier call rerouting systems

Backup PBX systems

Page 184

Electronic vaulting

Electronic vaulting is the ability to store and retrieve backup electronically in a site remote from the primary computer centre

Page 185

Remote Journaling

Parallel processing of transactions to an alternate site

Page 186

Database shadowing

Duplicating the database sites to multiple servers

Page 187

Back up strategies

Dual Recording

Dumping

Logging Input Transactions

Logging Before-images

Logging After-images

Page 188

NETWORK ATTACHED STORAGE

A class of systems that provide file services to host computers

Dedicated storage solution that is attached to a network topology

Page 189

STORAGE AREA NETWORK

A network of storage disks

It connects multiple computers to a centralized pool of disk storage

Fibre Channel Technology

Page 190

Advantages

Centralization of storage

Storage & server resources grow independently

Data transfer directly from device to device

STORAGE AREA NETWORK

Page 191

Server Load Balancing

It consists of distributing user activity across a network so that no single server is overloaded

Enables applications to operate even if one of the servers is down

Page 192

Server Load Balancing

Load Balancing done by load balancers

Routers & switches with application specific integrated circuits

Page 193

IS Audit Technique

Role of Auditor

Observer

Reviewer

Reporter

Page 194

Review of BCP

Current copy of BCP

Evaluation of documented procedures

Critical application identified

All application reviewed

Support of critical applications

Review of BCP personnel, vendors, hot site contents, back-up contents

Page 195

Review of BCP

Interview key members

Evaluation of emergency procedures

Written procedures of recovery teams

Page 196

Audit Procedure

Interview personnel and read documents:

Risk analysis documents

Disaster recovery requirement documents

Disaster recovery training documents

Disaster recovery plan testing documents

Disaster recovery plan maintenance procedures

Alternative processing contracts with back-up facilities

Third party audit reports

Page 197

Audit Procedure

Risk analysis

Critical application identification

Classification of critical data

Minimum hardware configuration

Existing file backup procedures

Record retention and rotation schedules

Page 198

Audit Procedure

Off-site storage facilities

Commercial

Private

Verify financial background and reputation

Visit the facility

Assess the storage standards

Method of separation of media

Mode of transportation of media

Page 199

Audit Procedure

Off-site storage facilities ...

Review flow of media in and out

Visitors' access

Terms and conditions of vendors

Confidentiality of data

Periodic inventory of media

Other physical and environmental controls

Page 200

Audit Procedure

Plan Documents

Number of subscribers and capacity of computers in backup facility

Fee structure of vendor

Off-site media storage facility

Liability of vendors for loss or damage at off-site

Names, addresses and telephone numbers of recovery team members

Transportation arrangements

Page 201

Audit Procedure

Plan Documents …

Equipment and support

Emergency team instructions for evacuation and recovery

Telephone numbers of hardware and software supply vendors

Procedures to handle bombs or arson threats

Plan testing procedures

Network configuration diagram and documentation

Page 202

Audit Objectives

Adequacy of risk analysis

Adequacy of off-site storage facilities

DRP documents are complete, clear and understandable

Adequacy of management preparedness

Adequacy of plan maintenance procedures

Page 203

Audit Objectives

Identify problems, concerns

Make cost effective recommendations

Identify over secured and under secured activities

Page 204

Thanks...