Business Continuity - PowerPoint PPT Presentation

Provided by: Sri672
1
Business Continuity
2
Business Continuity
  • Continuity strategy
  • Business impact
  • Incident response
  • Disaster recovery
  • Business continuity

3
Continuity Strategy
  • Contingency planning
  • Incident response planning
  • Disaster recovery planning
  • Business continuity planning

4
Contingency Planning
  • Contingency planning consists of
      • Incident response plan
      • Disaster recovery plan
      • Business continuity plan
  • Incident response involves
      • Notifying key people
      • Documenting the incident
      • Containing the damage due to the incident

5
Contingency Planning Diagram
6
Contingency Planning Timeline
7
Contingency Planning
  • Primary goal is to restore all systems to pre-failure level
  • CP requires support of
      • Upper level management
      • IT people
      • Security people

8
Business Impact Analysis
  • BIA is the first step in CP
  • Takes off from where risk assessment ended
  • Main steps in BIA are
      • Threat attack identification
      • Business unit analysis
      • Attack success scenarios
      • Potential damage assessment
      • Subordinate plan classification

9
Business Impact Analysis
  • Threat identification includes
      • Attack name and description
      • Known vulnerabilities
      • Indicators preceding an attack
      • Information assets at risk from the attack
      • Damage estimates

10
Business Impact Analysis
  • Business unit analysis includes
      • Prioritization of business functions
      • Identification of critical business units
  • Attack success scenario includes
      • Known methods of attack
      • Indicators of attack
      • Broad consequences

11
Business Impact Analysis
  • Potential damage assessment includes
      • Actions needed immediately to recover from the attack
      • Personnel who will do the restoration
      • Cost estimates for management use
  • Subordinate plan classification includes
      • Classification of attack as disastrous or non-disastrous
      • Disastrous attacks require disaster recovery plan
      • Non-disastrous attacks require incident response plan
      • Most attacks are non-disastrous, e.g., blackout

12
Business Impact Analysis Diagram
13
Incident Response Plan
  • Responsible people aware of IR plan details
  • Periodic testing of IR plan as a desktop exercise
  • Goals to remember (Richard Marcinko)
      • More sweat in training means less bleeding in combat
      • Preparation hurts
      • Lead from the front and not the rear
      • Keep it simple
      • Never assume
      • You get paid for results not your methods

14
Incident Response Plan
  • Incidents are usually detected from complaints to help desk
  • Security administrators may receive alarms based on
      • Unfamiliar files
      • Unknown processes
      • Unusual resource consumption
      • Activities at unexpected times
      • Use of dormant accounts

15
Incident Response Plan
  • Additional incident indicators
      • IDS system detects unusual activity
      • Presence of hacker tools such as sniffers and keystroke loggers
      • Partners detect an attack from the organization's system
      • Hacker taunts
  • How to classify an incident as a disaster?
      • Organizational controls for an incident are ineffective
      • Level of damage to the system is severe

16
Incident Response Plan
  • Incident reaction involves
      • Notifying proper personnel
          • Involves notifying people on the alert roster
          • Notification could be accomplished using a predefined tree structure
          • Notification is pre-scripted to activate relevant portions of the incident response plan
      • Designated personnel start documenting the incident

17
Incident Response Plan
  • Activate incident containment strategies such as
      • Take system offline
      • Disable compromised accounts
      • Reconfigure firewall as needed
      • Shut down specific applications such as email or database
      • Might necessitate shutting down the system completely

18
Incident Response Plan
  • Post-incident actions
      • Preserve evidence
      • Activate recovery procedures
      • Assess damage

19
Disaster Recovery Planning
  • Prioritize recovery of components
  • Crisis management
  • Activate recovery from backup data

20
Business Continuity
  • Service Level Agreements
  • Software escrow
  • ISO 17799 addresses business continuity management
  • Cold / warm / hot site
  • Restoration vs. recovery
  • FARM (Functional Area Recovery Management) specifies plans for operational area recovery
