Business Continuity Planning - PowerPoint PPT Presentation

Slides: 67
Provided by: www4terr4

1
Business Continuity Planning
  • The Problem - Reasons for Business Continuity
    Planning - BCP
  • Principles of BCP
  • Doing BCP
  • The steps
  • What is included
  • The stages of an incident

2
Definitions
  • A contingency plan is
  • A plan for emergency response, backup
    operations, and post-disaster recovery maintained
    by an activity as a part of its security program
    that will ensure the availability of critical
    resources and facilitate the continuity of
    operations in an emergency situation
  • (National Computer Security Center 1988)
  • 1997-98 survey: >35% of companies have no plans

3
Definitions of BCP
  • Disaster Recovery
  • Business Continuity Planning
  • End-user Recovery Planning
  • Contingency Planning
  • Emergency Response
  • Crisis Management
  • The goal is to assist the organization/business
    to continue functioning even though normal
    operations are disrupted
  • Includes steps to take
  • Before a disruption
  • During a disruption
  • After a disruption

4
Reasons for BCP
  • It is better to plan activities ahead of time
    rather than to react when the time comes
  • Proactive rather than Reactive
  • Take the correct actions when needed
  • Allow for experienced personnel to be absent

5
Reasons for BCP
  • It is better to plan activities ahead of time
    rather than to react when the time comes
  • Proactive rather than Reactive
  • Maintain business operations
  • Keep the money coming in
  • Short and long term loss of business
  • Have necessary materials, equipment, information
    on hand
  • Saves time, mistakes, stress and
  • Planning can take up to 3 years

6
Reasons for BCP
  • It is better to plan activities ahead of time
    rather than to react when the time comes
  • Proactive rather than Reactive
  • Maintain business operations
  • Keep the money coming in
  • Short and long term loss of business
  • Effect on customers
  • Public image
  • Loss of life

7
Reasons for BCP
  • It is better to plan activities ahead of time
    rather than to react when the time comes
  • Proactive rather than Reactive
  • Maintain business operations
  • Keep the money coming in
  • Short and long term loss of business
  • Effect on customers
  • Legal requirements
  • '77 Foreign Corrupt Practices Act/protection of
    stockholders
  • Management criminally liable

8
Reasons for BCP
  • It is better to plan activities ahead of time
    rather than to react when the time comes
  • Proactive rather than Reactive
  • Maintain business operations
  • Keep the money coming in
  • Short and long term loss of business
  • Effect on customers
  • Legal requirements
  • '77 Foreign Corrupt Practices Act/protection of
    stockholders
  • Federal Financial Institutions Examination
    Council (FFIEC)
  • FCPA SAS30 Audit Standards
  • Defense Investigative Service
  • Legal and Regulatory sanctions, civil suits

9
Definitions
  • Due Care
  • minimum and customary practice of responsible
    protection of assets that reflects a community or
    societal norm
  • Due Diligence
  • prudent management and execution of due care

10
The Problem
  • Utility failures
  • Intruders
  • Fire/Smoke
  • Water
  • Natural disasters (earthquakes, snow/hail/ice,
    lightning, hurricanes)
  • Heat/Humidity
  • Electromagnetic emanations
  • Hostile activity
  • Technology failure

11
Recent Disasters
  • Bombings
    • '92 London financial district
    • '93 World Trade Center, NY
    • '93 London financial district
    • '95 Oklahoma City
    • '01 World Trade Center, NY (9/11)
  • Earthquakes
    • '89 San Francisco
    • '94 Los Angeles
    • '95 Kobe, JP
  • Fires
    • '95 Malden Mills, Lawrence, MA
    • '96 Credit Lyonnais, FR
    • '97 Iron Mountain Record Center, Brunswick, NJ

12
Recent Disasters
  • Power
    • '92 AT&T
    • '96 Orrville, OH
    • '99 East coast heat/drought brownouts
  • Floods
    • '97 Midwest floods
  • Storms
    • '92 Hurricane Andrew
    • '93 Northeast Blizzard
    • '96 Hurricanes Bertha, Fran
    • '98 Florida tornados
  • Hardware/Software
    • Year 2000

13
The Problem
  • Utility failures
  • Intruders
  • Fire/Smoke
  • Water
  • Natural disasters (earthquakes, snow/hail/ice,
    lightning, hurricanes)
  • Heat/Humidity
  • Electromagnetic emanations
  • Hostile activity
  • Technology failure
  • Failure to keep operating
  • Fortune 1000 study
  • Average loss 78K, up to 500K
  • 65% failing over 1 week never reopen
  • Loss of market share common

14
Threats
  • From Data Pro reports
  • Errors & omissions 50%
  • Fire, water, electrical 25%
  • Dishonest employees 10%
  • Disgruntled employees 10%
  • Outsider threats 5%

15
The Controls
  • Least Privilege
  • Information security
  • Redundancy
  • Backed up data
  • Alternate equipment
  • Alternate communications
  • Alternate facilities
  • Alternate personnel
  • Alternate procedures

16
The Steps in a BCP - Initiation
  • Project initiation
  • Business case to obtain support
  • Sell the need for DRP (price vs benefit)
  • Build and maintain awareness
  • On-going testing & maintenance
  • Top down approach
  • Executive commitment and support MOST CRITICAL
  • Project planning, staffing
  • Local support/responsibility

17
The Steps in a BCP - 1
  • Impact Assessment (Impact Analysis/Vulnerability
    Assessment/Current State Assessment/Risk
    Assessment)
  • Purpose
  • Identify risks
  • Identify business requirements for continuity
  • Quantify impact of potential threats
  • Balance impact and countermeasure cost
  • Establish recovery priorities

18
Benefits
  • Relates security objectives to organization
    mission
  • Quantifies how much to spend on security measures
  • Provides long term planning guidance
  • Building design
  • HW configuration
  • SW
  • Internal controls
  • Criteria for contingency plans
  • Security policy
  • Site selection
  • Protection requirements
  • Significant threats
  • Responsibilities

19
The Steps in a BCP - 1
  • Risk Assessment
  • Potential failure scenarios
  • Likelihood of failure
  • Cost of failure (loss impact analysis)
  • Dollar losses
  • Additional operational expenses
  • Violation of contracts, regulatory requirements
  • Loss of competitive advantage, public confidence
  • Assumed maximum downtime (recovery time frames)
  • Rate of losses
  • Periodic criticality
  • Time-loss curve charts

20
The Steps in a BCP - 1
  • Risk Assessment/Analysis
  • Potential failure scenarios (risks)
  • Likelihood of failure
  • Cost of failure, quantify impact of threat
  • Assumed maximum downtime
  • Annual Loss Expectancy
  • Worst case assumptions
  • Based on business process model? Or IT model?
  • Identify critical functions and supporting
    resources
  • Balance impact and countermeasure cost
  • Key -
  • Potential damage
  • Likelihood

21
Definitions
  • Threat
  • any event which could have an undesirable impact
  • Vulnerability
  • absence or weakness of a risk-reducing safeguard,
    potential to allow a threat to occur with greater
    frequency, greater impact, or both
  • Exposure
  • a measure of the magnitude of loss or impact on
    the value of the asset
  • Risk
  • the potential for harm or loss, including the
    degree of confidence of the estimate

22
Definitions
  • Quantitative Risk Analysis
  • quantified estimates of impact, threat frequency,
    safeguard effectiveness and cost, and probability
  • Powerful aid to decision making
  • Difficult to do in time and cost
  • Qualitative Risk Analysis
  • minimally quantified estimates
  • Exposure scale ranking estimates
  • Easier in time and money
  • Less compelling
  • Risk Analysis is performed as a continuum from
    fully qualitative to less than fully quantitative

23
Results
  • Loss impact analysis
  • Recovery time frames
  • Essential business functions
  • Information systems applications
  • Recommended recovery priorities & strategies
  • Goals
  • Understand economic & operational impact
  • Determine recovery time frame (business/DP/Network)
  • Identify most appropriate strategy
  • Cost/justify recovery planning
  • Include BCP in normal decision making process

24
Risk Management Team
  • Management - Support
  • DP Operations
  • Systems Programming
  • Internal Audit
  • Physical Security
  • Application owners
  • Application programmers

25
Preliminary Security Exam
  • Asset costs
  • Threat survey
  • Personnel
  • Physical environment
  • HW/SW
  • Communications
  • Applications
  • Operations
  • Natural disasters
  • Environment
  • Facility
  • Access
  • Data value

26
Preliminary Security Exam
  • Asset costs
  • Threat survey
  • Existing security measures
  • Management review

27
Threats
  • Illogical processing
  • Translation of user needs (technical
    requirements)
  • Inability to control technology
  • Equipment failure
  • Incorrect entry of data
  • Concentration of data
  • Inability to react quickly
  • Inability to substantiate processing
  • Concentration of responsibilities
  • Erroneous/falsified data
  • Misuse
  • Hardware failure
  • Utility failure
  • Natural disasters
  • Loss of key personnel
  • Human errors
  • Neighborhood hazards
  • Tampering
  • Disgruntled employees
  • Emanations
  • Unauthorized access
  • Safety
  • Improper use of technology
  • Repetition of errors
  • Cascading of errors

28
Threats
  • Uncontrolled system access
  • Ineffective application security
  • Operations procedural errors
  • Program errors
  • Operating system flaws
  • Communications system failure
  • Utility failure

29
Risk Analysis Steps
  • 1 - Identify essential business functions
  • Dollar losses or added expense
  • Contract/legal/regulatory requirements
  • Competitive advantage/market share
  • Interviews, questionnaires, workshops
  • 2 - Establish recovery plan parameters
  • Prioritize business functions
  • 3 - Gather impact data/Threat analysis
  • Probability of occurrence, source of help
  • Document business functions
  • Define support requirements
  • Document effects of disruption
  • Determine maximum acceptable outage period
  • Create outage scenarios

30
Risk Analysis Steps
  • 4 - Analyze and summarize
  • Estimate potential losses
  • Destruction/theft of assets
  • Loss of data
  • Theft of information
  • Indirect theft of assets
  • Delayed processing
  • Consider periodicity
  • Combine potential loss & probability
  • Magnitude of risk is the ALE (Annual Loss
    Expectancy)
  • Guide to security measures and how much to spend

31
Results
  • Significant threats & probabilities
  • Critical tasks & loss potential by threat
  • Remedial measures
  • Greatest net reduction in losses
  • Annual cost
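
Slides 30 and 31 name the ALE and the "greatest net reduction in losses" without showing the arithmetic. The following is an added example, not part of the original presentation, using the standard formulation ALE = asset value x exposure factor x annual rate of occurrence; the class names, threats, measures and dollar figures are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # value of the asset at risk, in dollars
    exposure_factor: float  # fraction of that value lost per occurrence, 0..1
    annual_rate: float      # expected occurrences per year

@dataclass(frozen=True)
class Measure:
    name: str
    threat: str                              # name of the threat it addresses
    annual_cost: float                       # yearly cost of the safeguard
    exposure_factor: Optional[float] = None  # residual exposure, if changed
    annual_rate: Optional[float] = None      # residual frequency, if changed

def ale(asset_value, exposure_factor, annual_rate):
    """Annual Loss Expectancy: loss per occurrence times occurrences per year."""
    if asset_value < 0 or annual_rate < 0 or not 0 <= exposure_factor <= 1:
        raise ValueError("value and rate must be >= 0, exposure within 0..1")
    return round(asset_value * exposure_factor * annual_rate, 2)

def rank_measures(threats, measures):
    """Return (measure, ALE before, ALE after, net reduction), best first."""
    by_name = {t.name: t for t in threats}
    rows = []
    for m in measures:
        if m.threat not in by_name:
            raise ValueError(f"{m.name}: unknown threat {m.threat!r}")
        t = by_name[m.threat]
        before = ale(t.asset_value, t.exposure_factor, t.annual_rate)
        ef = t.exposure_factor if m.exposure_factor is None else m.exposure_factor
        rate = t.annual_rate if m.annual_rate is None else m.annual_rate
        after = ale(t.asset_value, ef, rate)
        # Net reduction = losses avoided per year minus what the measure costs.
        net = round(before - after - m.annual_cost, 2)
        rows.append((m.name, before, after, net))
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample data (not from the presentation).
THREATS = [
    Threat("fire", asset_value=2_000_000, exposure_factor=0.5, annual_rate=0.01),
    Threat("utility failure", asset_value=200_000, exposure_factor=0.1, annual_rate=2),
]
MEASURES = [
    Measure("Fire suppression", "fire", annual_cost=6_000, exposure_factor=0.1),
    Measure("Hot site contract", "fire", annual_cost=30_000, exposure_factor=0.2),
    Measure("UPS and generator", "utility failure", annual_cost=8_000, annual_rate=0.25),
]

if __name__ == "__main__":
    for name, before, after, net in rank_measures(THREATS, MEASURES):
        verdict = "worth funding" if net > 0 else "costs more than it saves"
        print(f"{name:18} ALE {before:>8,.0f} -> {after:>8,.0f}  net {net:>+9,.0f}  {verdict}")
```

A negative net reduction, as for the hot site contract in the sample data, is the "balance impact and countermeasure cost" case: the measure costs more per year than the loss it removes for that one threat.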

32
Information Valuation
  • Information has cost/value
  • Acquire/develop/maintain
  • Owner/Custodian/User/Adversary
  • Do a cost/value estimate for
  • Cost/benefit analysis
  • Integrate security in systems
  • Avoid penalties
  • Preserve proprietary information
  • Business continuity
  • Circumstances affect valuation timing
  • Ethical obligation to use justifiable
    tools/techniques

33
Conditions of Value
  • Exclusive possession
  • Utility
  • Cost of creation/recreation
  • Liability
  • Convertibility/negotiability
  • Operational impact
  • Market forces
  • Official value
  • Expert opinion/appraisal
  • Bilateral agreement/contract

34
Scenario
  • A specific threat (potential event/act) in which
    assets are subject to loss
  • Write scenario for each major threat
  • Credibility/functionality review
  • Evaluate current safeguards
  • Finalize/Play out
  • Prepare findings

35
The Steps in a BCP - 2
  • Strategy Development (Alternative Selection)
  • Management support
  • Team structure
  • Strategy selection
  • Cost effective
  • Workable

36
The Steps in a BCP - 3
  • Implementation (Plan Development)
  • Specify resources needed for recovery
  • Make necessary advance arrangements
  • Mitigate exposures

37
The Steps in a BCP - 3
  • Risk Prevention/Mitigation
  • Security - physical and information (access)
  • Environmental controls
  • Redundancy - Backups/Recoverability
  • Journaling, Mirroring, Shadowing
  • On-line/near-line/off-line
  • Insurance
  • Emergency response plans
  • Procedures
  • Training
  • Risk management program

38
The Steps in a BCP - 3
  • Decision Making
  • Cost effectiveness
  • Total cost
  • Human intervention requirements
  • Manual functions are weakest
  • Overrides and defaults
  • Shutdown capability
  • Default to no access
  • Design openness
  • Least Privilege
  • Minimum information
  • Visible safeguards
  • Entrapment
  • Selected vulnerabilities made attractive

39
The Steps in a BCP - 3
  • Decision Making
  • Universality
  • Compartmentalization, defense in depth
  • Isolation
  • Completeness
  • Instrumentation
  • Independence of controller and subject
  • Acceptance
  • Sustainability
  • Auditability
  • Accountability
  • Recovery

40
Remedial Measures
  • Alter environment
  • Erect barriers
  • Improve procedures
  • Early detection
  • Contingency plans
  • Risk assignment (insurance)
  • Agreements
  • Stockpiling
  • Risk acceptance

41
Remedial Measures
  • Fire
  • Detection, suppression
  • Water
  • Detection, equipment covers, positioning
  • Electrical
  • UPS, generators
  • Environmental
  • Backups
  • Good housekeeping
  • Backup procedures
  • Emergency response procedures

42
The Steps in a BCP - 3
  • Plan Development
  • Specify resources needed for recovery
  • Team-based
  • Recovery plans
  • Mitigation steps
  • Testing plans
  • Prepared by those who will carry them out

43
Included in a BCP
  • Off-site storage
  • Trip there - secure? Timely?
  • Physical layout of site
  • Fire protection
  • Climate controls
  • Security access controls
  • Backup power

44
Included in a BCP
  • Off-site storage
  • Alternate site
  • Reciprocal agreements/Multiple sites/Service
    bureaus
  • Hot/Warm/Cold(Shell) sites
  • Trip there - secure? Timely?
  • Physical layout of site
  • Fire protection
  • Climate controls
  • Security access controls
  • Backup power
  • Agreements

45
Included in a BCP
  • Off-site storage
  • Alternate site
  • Backup processing
  • Compatibility
  • Capacity
  • Journaling - maintaining audit records
  • Remote journaling - to off-site location
  • Shadowing - remote journaling and delayed
    mirroring
  • Mirroring - maintaining realtime copy of data
  • Electronic vaulting - bulk transfer of backup
    files

46
Included in a BCP
  • Off-site storage
  • Alternate site
  • Backup processing
  • Communications
  • Compatibility
  • Accessibility
  • Capacity
  • Alternatives

47
Included in a BCP
  • Off-site storage
  • Alternate site
  • Backup processing
  • Communications
  • Work space
  • Accessibility
  • Capacity
  • Environment

48
Included in a BCP
  • Off-site storage
  • Alternate site
  • Backup processing
  • Communications
  • Work space
  • Office equipment/supplies/documentation
  • Security
  • Critical business processes/Management
  • Testing
  • Vendors - Contact info, agreements
  • Teams - Contact info, transportation
  • Return to normal operations
  • Resources needed

49
Complications
  • Media/Police/Public
  • Families
  • Fraud
  • Looting/Vandalism
  • Safety/Legal issues
  • Expenses/Approval

50
The Steps in a BCP - Finally
  • Plan Testing
  • Proves feasibility of recovery process
  • Verifies compatibility of backup facilities
  • Ensures adequacy of team procedures
  • Identifies deficiencies in procedures
  • Trains team members
  • Provides mechanism for maintaining/updating the
    plan
  • Upper management comfort

51
The Steps in a BCP - Finally
  • Plan Testing
  • Desk checks/Checklist
  • Structured Walkthroughs
  • Live exercises/Simulations
  • Periodic off-site recovery tests/Parallel
  • Full interruption drills

52
The Steps in a BCP - Finally
  • Test
  • Software
  • Hardware
  • Personnel
  • Communications
  • Procurement
  • Procedures
  • Supplies/forms
  • Documentation
  • Transportation
  • Utilities
  • Alternate site processing
  • Security

53
The Steps in a BCP - Finally
  • Test
  • Purpose (scenario)
  • Objectives/Assumptions
  • Type
  • Timing
  • Schedule
  • Duration
  • Participants
  • Assignments
  • Constraints
  • Steps

54
The Steps in a BCP - Finally
  • Alternate Site Test
  • Activate emergency control center
  • Notify & mobilize personnel
  • Notify vendors
  • Pickup and transport
  • tapes
  • supplies
  • documentation
  • Install (Cold and Warm sites)
  • IPL
  • Verify
  • Run
  • Shut down/Clean up
  • Document/Report

55
The Steps in a BCP - Finally
  • Plan Update and Retest cycle (Plan Maintenance)
  • Critical to maintain validity and usability of
    plan
  • Environmental changes
  • HW/SW/FW changes
  • Personnel
  • Needs to be included in organization plans
  • Job description/expectations
  • Personnel evaluations
  • Audit work plans

56
BCP by Stages
  • Initiation
  • Current state assessment
  • Develop support processes
  • Training
  • Impact Assessment
  • Alternative selection
  • Recovery Plan development
  • Support services continuity plan development
  • Master plan consolidation
  • Testing strategy development
  • Post transition plan development

57
BCP by Stages
  • Implementation planning
  • Quick Hits
  • Implementation, testing, maintenance

58
End User Planning
  • DP is critical to end users
  • Difficult to use manual procedures
  • Recovery is complex
  • Need to plan
  • manual procedures
  • recovery of data/transactions
  • procedures for alternate site operation
  • procedures to return to normal

59
The Real World
  • DR plans normally involve
  • Essential DP platforms/systems only
  • A manual on the shelf written 2-3 years ago
  • Little or no user involvement
  • No provision for business processes
  • No active testing
  • Resource lists and contact information that do
    not match current realities

60
Stages in an Incident
  • Disaster
  • interruption affecting user operations
    significantly

61
Stages in an Incident
  • Disaster
  • Initial/Emergency response
  • Purpose
  • Ensure safety of people
  • Prevent further damage
  • Activate emergency response team
  • Covers emergency procedures for expected hazards
  • Safety essential
  • Emergency supplies
  • Crisis Management plan - decision making

62
Stages in an Incident
  • Disaster
  • Initial response
  • Impact assessment
  • Activate assessment team
  • Determine situation
  • What is affected?
  • Decide whether to activate plan

63
Stages in an Incident
  • Disaster
  • Initial response
  • Impact assessment
  • Initial recovery
  • Initial recovery of key areas at alternate site
  • Detailed procedures
  • Salvage/repair - Clean up

64
Stages in an Incident
  • Disaster
  • Initial response
  • Impact assessment
  • Initial recovery
  • Return to normal/Business resumption
  • Return to operation at normal site
  • Emergency is not over until you are back to
    normal
  • Requires just as much planning - Parallel
    operations

65
Special Cases
  • Y2K
  • Incidents will happen in a particular time frame
  • Alternate sites won't help
  • Redundant equipment won't help
  • Backups won't help
  • Involves automated equipment and services

66
Final Thoughts
  • Do you really want to activate a DR/BCP plan?
  • Prevention
  • Planning