Business Continuity Planning and Disaster Recovery Planning

1
Business Continuity Planning and Disaster
Recovery Planning

• Ref. CISSP exam guide
• W.lilakiatsakun

2
Business Continuity Planning and Disaster
Recovery Planning (1)

• DRP is the process of regaining access to the
  data, hardware and software necessary to resume
  critical business operations after a natural or
  human-induced disaster.
• DRP is part of a larger process known as business
  continuity planning (BCP).
• Disaster recovery is the process by which you
  resume business after a disruptive event.

3
Business Continuity Planning and Disaster
Recovery Planning (2)

• The event might be
• something huge-like an earthquake or the
  terrorist attacks on the World Trade Center
• something small, like malfunctioning software
  caused by a computer virus.
• Many business executives are prone to ignoring
  "disaster recovery" because disaster seems an
  unlikely event.

4
Business Continuity Planning and Disaster
Recovery Planning (3)

• All BC/DR plans need to encompass
• How employees will communicate
• Where they will go
• How they will keep doing their jobs.
• The details can vary greatly, depending on the
  size and scope of a company and the way it does
  business.

5
Events that necessitate disaster recovery

• Natural disasters
• Fire
• Power failure
• Terrorist attacks
• Organized or deliberate disruptions
• Theft
• System and/or equipment failures
• Human error
• Computer viruses
• Testing

6
Business Continuity Steps (1)

• 1 Develop the continuity planning policy
  statement
• - Write a policy that provides the guidance
  necessary to develop a BCP and assigns authority
  to the necessary roles to carry out these tasks
• 2 Conduct the business impact analysis (BIA)
• - Identify critical functions and systems and
  allow the organization to prioritize them on
  necessity.
• -Identify vulnerabilities, threats and calculate
  risks
• - Calculate MTD (Maximum Tolerable Downtime) for
  resources

7
Business Continuity Steps (2)

• 3 Identify preventive controls
• Identify and implement controls and
  countermeasures to reduce the organizations risk
  level in an economical manner
• 4 Develop recovery strategies
• Formulate methods to ensure that systems and
  critical function can be brought online quickly

8
Business Continuity Steps (3)

• 5 Develop the contingency plan
• Write procedure and guidelines for how the
  organization can still stay functional in a
  cripple state
• 6 Test the plan and conduct training and exercise
• Test the plan to identify deficiencies in the BCP
  and conduct training to properly prepare
  individuals on their expected task
• 7 Maintain plan
• Put in place steps to ensure the BCP is a living
  document that is upgraded regularly

9
Initiation (1)

• Identified a business continuity coordinator
  (leader for the BCP team)
• Setup a BCP committee might consist of
  representative from
• Business units
• Senior management
• IT department
• Security department
• Communications department
• Legal department

10
Initiation (2)

• At this phase, the team works with management to
  develop the continuity planning policy statement
• Layout the scope of the BCP project
• Team member roles
• Goal of the project

11
BCP Requirement

• The major requirement is management support
• Work best in a top-down approach
• Management should be driving the project
• It is important that management set the overall
  goals of continuity planning
• It should help set priorities of what should be
  dealt first

12
Business Impact Analysis (1)

• The BCP committee must identify the threats to
  the company and map them to the following
  characteristics
• Maximum tolerable downtime
• Operational disruption and productivity
• Financial consideration
• Regulatory responsibilities
• Reputation

13
Business Impact Analysis (2)

• Data would gather from interviewing, surveying,
  workshops and etc
• Threat can be manmade, natural or technical
• The committee needs to step through scenarios
  that could produce the following results
• Equipment malfunction
• Unavailable utilities (Power, Communication)
• Software or data corruption

14
Business Impact Analysis (3)

• Loss criteria must applied to the individual
  threats
• Loss in reputation and public confidence
• Loss of competitive advantages
• Increase in operational expenses
• Violations of contract agreement
• Violations of legal and regulatory requirement
• Delays income costs
• Loss in revenue
• Loss in productivity

15
Business Impact Analysis (4)

• Example of Maximum Tolerable Downtime (MTD)
• Nonessential 30 days
• Normal 7 days
• Important 72 hours
• Urgent 24 hours
• Critical Minute to hours

16
Business Impact Analysis (5)

• Interdependencies
• Business function might depend on the other
  functions
• BCP team should carried out these tasks
• Define essential business function and support
  departments
• Identifies interdependencies
• Discover all possible disruption that could
  affect the mechanism
• Identify and document potential threats
• Gather quantitative and qualification information
  pertaining to those threat
• Provide alternative methods for restoring
• Provide a brief statement of rationale for each
  threat and corresponding information

17
BIA Steps (1)

• 1 Select individuals to interview for data
  gathering
• 2 Create data-gathering techniques (surveys,
  questionnaires, qualitative and quantitative
  approaches)
• 3 Identify the company s critical business
  function
• 4 Identify the resources that these functions
  depend upon

18
BIA Steps (2)

• 5 Calculate how long these functions can survive
  without these resources
• 6 Identify vulnerabilities and threats to these
  function
• 7 Calculate risk for each different business
  function
• 8 Document findings and report them to management
  

19
Preventive Controls

• Reduce impact and mitigate risks
• Example of preventive measures
• Redundant servers and communication links
• Power lines coming in through different
  transformers
• UPS and generators
• Data backup
• Fire detection

20
Recovery strategies

• Business process recovery
• Facility recovery
• Supply and technology recovery
• User environment recovery
• Data recovery

21
Developing the BCP (1)

• Define goals of the plan and goals must contain
  certain key information such as
• Responsibility
• Each individual should have their
  responsibilities spell out in writing to ensure a
  clear understanding in a chaotic situation
• Authority
• In time of crisis, it is important to know who is
  in charge
• Clear cut authority will aid in reducing
  confusion and increase corperation

22
Developing the BCP (2)

• Priorities
• It is necessary to know which department come
  online first which second and so on
• Along with the priorities of department, the
  priorities of systems, information and program
  must be established
• Implement and testing

23
Developing the BCP (3)

• Documenting the following
• Procedures
• Recovery solutions
• Roles and tasks
• Emergency response

24
Testing plan (1)

• Checklist test
• Forget anything ?
• Structured walk-through test
• Discussion by representatives
• Simulation test
• Ensure that specific steps were not left out and
  certain threats were not overlooked
• Raise awareness of people involved

25
Testing plan (2)

• Parallel test
• Ensure that the specific systems can actually
  perform adequately at the alternate off site
  facility
• Full interruption test
• Ensure that everything will be recovered as
  planned
• It can reveal many holes that need to be fixed

26
Maintaining the plan

• Organization can keep the plan updated by taking
  the following actions
• Make business continuity a part of business
  decision
• Insert the maintenance responsibilities into job
  descriptions
• Include maintenance in personnel evaluation
• Perform internal audits that include disaster
  recovery and continuity documentation and
  procedures
• Perform regular drills that use the plan
• Integrate BCP into the current change management
  process