Business Continuity Planning and Disaster Recovery Planning

Slides: 41
Provided by: markls9

Transcript and Presenter's Notes

1
ISSA Colorado Springs Chapter: Domain 8
  • Business Continuity Planning and Disaster
    Recovery Planning

2
Objective
  • The objective of this presentation is to
    understand
  • the difference between business continuity
    planning and disaster recovery planning
  • business continuity planning in terms of plan
    setup and scope, impact analysis, recovery
    strategies, plan development and implementation
  • disaster recovery planning in terms of plan
    development, implementation, and restoration
  • The information for this domain represents
    approximately 7% of the CISSP exam content.

3
The CIA triad
  • Where does BCP / DRP fit?
  • Confidentiality.
  • Integrity.
  • Availability.

4
Key Areas of Knowledge: Business Continuity Planning
  • Project Scope and Planning
  • Business Impact Assessment
  • Containment Strategy
  • Recovery Strategy
  • Processing Agreements
  • Recovery Plan Development
  • Backups and Off-site Storage
  • Software Escrow Arrangements
  • External Communications
  • Utilities
  • Logistics and Supplies
  • Fire and Water Protection
  • Documentation
  • Implementation
  • Work Group Recovery
  • Recovery Techniques
  • Develop a recovery Strategy
  • Training/Testing/Maintenance

5
Key Terms
  • Business Continuity Planning
  • Business Continuity Plan and Planning
  • Business Impact Analysis
  • Business Resumption Planning
  • Contingency plan
  • Continuity of operation plan
  • Crisis Communication plan
  • Critical system
  • Critical business Functions
  • Cyber Incident Response plan
  • Disaster Recovery plan and planning
  • Infrastructure
  • Network Contingency planning
  • Occupant Emergency plan

6
BCP / DRP
  • Business continuity planning and disaster
    recovery planning cover the preparation of
    specific actions needed to preserve and/or
    recover critical business functions in the event
    of a disruption to normal business operations.

7
Definitions
  • Business Continuity Planning (BCP)
  • Facilitate recovery measures to quickly reduce
    overall impact of disaster and ensure consistent
    operation of critical business functions through
    project scoping, impact analysis, and recovery
    strategies
  • Maintaining a minimum level of service until
    business as usual can be resumed

8
Definitions
  • Disaster Recovery Planning (DRP)
  • Procedures for emergency response, extended
    recovery operations and post-disaster recovery
    when data processing installation suffers loss of
    computer resources and physical facilities
  • Restoring the operation to business as usual as
    quickly and efficiently as possible

9
BIA and expectations
  • Business Impact Assessment determines the
    proportion of impact an individual business unit
    would sustain subsequent to a significant
    interruption of computing or telecommunication
    services. These impacts may be financial, in
    terms of monetary loss, or operational, in terms
    of inability to deliver.
  • The candidate will be expected to know the
    difference between business continuity planning
    and disaster recovery, and to understand business
    continuity planning in terms of project scope and
    planning, business impact analysis, recovery
    strategies, recovery plan development, and
    implementation. The candidate should understand
    disaster recovery in terms of recovery plan
    development, implementation and restoration.

10
Goals
  • What will the plan do?
  • Minimize loss.
  • Minimize outage time.
  • Plan will provide policies and procedures that
    will help avoid confusion and further damage.
  • Provide documentation during crisis and for new
    employees.

11
Continuum of Planning
  • Backup Plan: Expected
  • Business Continuity: Unexpected
  • Disaster Recovery: Catastrophic
  • As conditions deteriorate, the level of effort
    increases. Unfortunately, as the scope of the
    problem increases, generally less attention is
    paid to planning and testing.

12
Some History
  • The focus has changed over time
  • 1970s: Focus on info systems
  • 1980s: Alternate mainframe sites
  • 1990s: Include recovery of networks
  • 2000: Enterprise-wide approach
  • Business Process
  • Facility, data and systems
  • Post-Y2K, security and 9-11 efforts

13
9-11 Lessons Learned
  • Distance is key
  • Tape recovery is not effective
  • All applications are critical
  • Inconsistent backup is no backup at all
  • People-dependent processes do not suffice

14
9-11 Lessons Learned
  • Two sites are not enough
  • Companies that relied on tape or third-party
    providers found that in many cases they had
    difficulty meeting their recovery time objectives
  • People are irreplaceable; so is information
  • All disasters are possible

15
Basic Planning Requirements
  • Vulnerability Assessment
  • Identify Critical Business Functions
  • Identify Off-site Storage Facility
  • Obtain Management Commitment

16
Management Role
  • Plans are a management responsibility
  • Can be delegated
  • Must be supported
  • Else guaranteed failure

17
Vulnerability Assessment
  • Objectives
  • identify business requirements for business
    continuity
  • establish recovery business and systems priorities

18
Vulnerability Assessment
  • Major Activities
  • conduct process dependency assessment
  • develop business function outage scenarios
  • describe operational and financial impact of
    disruption
  • prepare and present analysis and recommendations
    for each scenario

19
Vulnerability Assessment
  • Goals
  • understand economic and operational impact of
    business disruption
  • determine recovery time-frame for critical
    applications
  • identify most appropriate recovery strategy
  • cost-justify recovery planning efforts and
    facilities
  • bring contingency planning into normal business
    decision-making process

20
Business Impact Assessment
  • Objectives
  • document business processes and transaction
    statistics
  • define essential business functions that support
    requirements to maintain critical processes
  • identify business function interdependencies
  • document effects of disruption over time
  • describe alternate procedures available and
    percent workload accommodated
  • understand adverse effects of alternate
    procedures
  • identify buildup of processing backlog
  • decide maximum acceptable outage period

21
Critical Business Functions
  • Identifying critical business functions
  • timeliness criteria: time-dependent losses
    during outage
  • contingency plans may not be required if a
    lengthy interruption is acceptable
  • composite time-loss curves will show total
    business impact
  • need to service critical business units
  • support for emergency management team
  • support for DRP planning process

22
Critical Business Functions
  • Identifying critical business functions
    (continued)
  • loss criteria for decision process
  • direct dollar losses
  • added operational expense
  • poor business decisions
  • violation of contract agreements
  • violation of regulatory requirements
  • loss of competitive advantage
  • loss of public confidence

23
Financial Impact Analysis
  • Calculate single event losses
  • Calculate expected direct costs
  • outages of various duration
  • lost revenue
  • expense of implementing alternative procedures
  • delayed income costs
  • backlog elimination expenses
  • Add estimated indirect costs
  • lost productivity
  • errors
  • Summarize direct financial impact

24
Operational Impact Analysis
  • Summarize
  • business function
  • supporting applications
  • application interdependencies
  • recovery time frame
  • brief statement of rationale
  • Sequence into recovery priority order
  • Summarize recovery priorities by application

25
Environment
  • The BCP covers all aspects of the org
  • Personnel.
  • Facilities.
  • Infrastructure.
  • Support Systems.
  • Information Systems.
  • Involves every department.

26
MTD
  • Maximum Tolerable Downtime
  • Non-essential: 30 days
  • Normal: 7 days
  • Important: 72 hours
  • Urgent: 24 hours
  • Critical / Essential: less than 3 hours (99999)

27
Continuity Strategies
  • Backup
  • Remote journaling
  • Distributive processing
  • Site selection
  • Planning

28
Off-site Storage Facility
  • Off-site storage requirements
  • Physical layout efficient and secure
  • Fire resistant construction
  • Fire detection and suppression
  • Temperature and humidity monitoring and control
  • Security access control
  • Backup power
  • Records retrieval access
  • Site protected from environmental dangers
  • Transport services
  • Storage for other than tape media

29
Elements of business continuity planning
  • Awareness and Discovery
  • Contingency Planning Goals
  • Statement of importance
  • Statement of priorities
  • Statement of organizational responsibility
  • Statement of urgency and timing
  • Risk Assessment
  • Vital Records Program
  • Emergency Response Guidelines
  • Emergency Response Procedures
  • Mitigation
  • Preparation
  • Testing

30
BCP/DRP Events
  • Bombings
  • Explosions
  • Earthquakes
  • Fires
  • Floods
  • Power Outages
  • Other utility failures
  • Storms
  • Hardware/Software Failures
  • Strikes
  • Testing Outages
  • Hazard Material Spills
  • Employee evacuation/unavailability

31
Business Continuity Planning
  • Restoration of normal operations
  • emergency not over until back in primary site
  • return from alternate site also a risk
  • planning different from recovery plan

32
Disaster Recovery Planning
  • Plans directly support an organization's goal
    of continued operations
  • recovery of the data center: disaster recovery
    planning
  • recovery of business operations that depend on
    the mainframe: end-user contingency planning
  • recovery of business location: business
    resumption planning
  • recovery of business processes: business
    resumption planning

33
Recovery Strategies
  • What will you have to recover
  • Business (critical equipment and people)
  • Facility (building, supplies, comms, trans)
  • Users (manual procedures, home issues)
  • Technical (configs, equipment)
  • Software / Data (backups, forensics)

34
Recovery Process
  • Moving back into normal operations
  • Respond to disaster
  • Recover Critical Functions
  • Recover Non-critical Functions
  • Salvage and Repair
  • Return to primary site
  • Reverse order of criticality

35
Alternate Sites
  • Reciprocal/mutual aid agreements
  • Subscription services: commercial services
    provide backup facility for fee
  • Cold site: conditioned environment and ready for
    power/communication hookups
  • Warm site: minimal equipment needed for setup of
    delivered processor
  • Hot site: complete data processing environment
    with hardware and software installed and
    maintained
  • Multiple centers: distributing DP workload over
    2 or more facilities

36
Recovery Plan Testing
  • Checklist: copies of plan distributed to
    functional areas
  • each area reviews plan and checks off points
    included
  • ensure plan addresses all concerns and activities
  • Structured walk-through: functional
    representatives meet to review plan in detail
    where each procedural step is addressed

37
Recovery Plan Testing
  • Simulation: all operational and support
    functions meet to practice execution of the plan
    based on a scenario that is played out to test
    the reaction of all functions to various stimuli
  • only those materials expected to be available in
    an actual disaster incident are allowed
  • simulation continues up to the point of actual
    relocation to alternate site and actual shipment
    of replacement equipment

38
Recovery Plan Testing
  • Parallel: operational test
  • critical systems are run at the alternate site
  • results are compared with actual processing
    results
  • ensure that critical systems will run at
    alternate site
  • Full-interruption: normal operations shut down
  • processing conducted at alternate site

39
Summary
  • Plans are a management responsibility
  • Business Continuity Planning (BCP)
  • Disaster Recovery Planning (DRP)

40
Questions?