Disaster Recovery, Business Continuity, and Organizational Policies

1
Disaster Recovery, Business Continuity, and
Organizational Policies

• Chapter 19

2
Objectives

• Describe the various ways backups are conducted
  and stored.
• Explain different strategies for alternative site
  processing.
• Describe the various components of a business
  continuity plan.
• Explain how policies and procedures play a daily
  role in addressing the security needs of an
  organization.

3
Key Terms

• Acceptable use policy (AUP)
• Business continuity plan (BCP)
• Business impact assessment (BIA)
• Cold site
• Delta backup
• Differential backup
• Disaster recovery plan (DRP)

4
Key Terms (continued)

• Due care
• Due diligence
• Fault tolerance
• Full backup
• High availability
• Hot site
• Incident response policy
• Incremental backup

5
Key Terms (continued)

• Least privilege
• Mutual aid agreement
• Policies
• Procedures
• Separation of duties
• Service level agreement (SLA)
• Standards
• Warm site

6
Disaster Recovery

• Organizations face a variety of disaster
  scenarios.
• Disasters can be caused by nature or manmade
  events.
• Disaster recovery plans consider all types of
  organizational disruption.
• Different disruptions will require different
  recovery strategies.

7
Disaster Recovery Plans (DRP) / Process

• DRPs intended to minimize disaster impact.
• Defines the data, resources, and necessary steps
  to restore critical organizational processes.
• Planning process, initial phase
• Consider needed resources to perform the
  companys mission.
• Identify critical functions.

8
Disaster Recovery Plans / Process (continued)

• Initial phase yields the business impact
  assessment (BIA).
• Continued planning includes
• Outline of processes and procedures to restore an
  organizations critical operations
• Prioritized according to criticality for restoral

9
Category Level of the Functions Need How Long Can the Organization Last Without the Function
Critical Absolutely essential for operations. Without the function, the basic mission of the organization cannot occur. The function is needed immediately. The organization cannot function without it.
Necessary for normal processing Required for normal processing, but the organization can live without it for a short period of time. Can live without it for at most 30 days before your organization is severely impacted.
Desirable Not needed for normal processing but enhances the organizations ability to conduct its mission efficiently. Can live without the function for more than 30 days, but it is a function that will eventually need to be accomplished when normal operations are restored.
Optional Nice to have but does not affect the operation of the organization. Not essential, and no subsequent processing will be required to restore this function.
Consider eliminating No discernable purpose for the function. No impact to the organization the function is not needed for any organizational purpose.
10
Business Continuity Plan (BCP)

• Focuses on continued operation of a business in
  extenuating circumstances.
• Stronger emphasis placed on critical systems.
• Will describe the functions that are most
  critical, based on a previously conducted BIA.
• Will describe the order in which functions should
  be returned to operation.
• Describes what is needed for the business to
  continue to operate.

11
Backups

• Critical part of BCP and BRP
• Provides valid, uncorrupted data for restoration
• Good backups include all needed files
• Applications, operations systems, and utilities

12
What Needs to Be Backed Up?

• Data
• Application programs
• Operating systems
• Utilities for the hardware platform
• Personnel, equipment, and electrical power must
  also be part of the plan.
• Backup plan should back up the files that change
  more often than the files that do not chance
  much.

13
Backup Strategy

• Backup considerations
• Size of the resulting backup
• Media used for the backup
• How long backups will be stored
• Four types of backups
• Full, differential, incremental, delta

14
Backup Types

• Full backup
• All files copied onto the storage media
• Differential backup
• Files that have changed since last full backup
• Incremental backup
• Files since last for full or incremental backup
• Delta backup
• Portions of files changed since last backup

15
Characteristics of Different Backup Types
Full Differential Incremental Delta
Amount of Space Large Medium Medium Small
Restoration Simple Simple Involved Complex
16
Backup Frequency / Retention

• Base frequency on time organization can survive
  without current data.
• Base retention on operational environment and
  frequency of backups.
• Retention strategy should avoid putting all
  backups in one location.
• Ideally an offsite location will also be used.

17
Alternative Sites

• Should be considered in BCP / DRP
• Three types of sites
• Hot site Fully configured environment that can
  be operational immediately
• Warm site Partially configured, lacks more
  expensive computing components
• Cold site Basic environmental controls but few
  computing components

18
Utilities

• Power failures may disrupt operations
• UPSs provide enough power to allow systems to be
  shutdown gracefully.
• Backup generator may be necessary for sustained
  power needs.
• Other utilities like telephone and Internet
  should be considered.

19
Secure Recovery

• Provide power, communications, and technical
  support.
• Offer a secure operating environment.
• Provide restoration of critical files and data.

20
Cloud Computing

• Allows for the contracting of functions like
  e-mail and file storage to third parties
• Can be more cost effective but also comes with
  inherent risks

21
High Availability and Fault Tolerance

• High availability is the ability to maintain
  availability during disruptive events.
• Fault tolerance is the mirrored system that takes
  over if a fault occurs.
• Single point of failure is the point in a
  critical operation that would cause the entire
  operation to fail if it failed.

22
Increasing Reliability

• RAID can mitigate availability problems caused by
  disk failures.
• Redundant systems and spare parts also serve to
  decrease availability issues.
• RAIDs
• 0 no redundancy, improved performance
• 1 mirrored drives, expensive
• 5 spread across disks with parity, inexpensive
  redundancy

23
Spare Parts and Redundancy

• Common applications of redundancy
• Redundant servers
• Redundant connections
• Redundant ISPs
• Spare parts

24
Computer Incident Response Teams (CIRT)

• Investigate incidents, advise on how to proceed.
• CIRTs should consist of permanent and ad hoc team
  members.
• Details of CIRT team should be finalized before
  an incident occurs.

25
Test, Exercise, and Rehearse

• DRP should be practiced periodically.
• Reveals potential flaws in the plan
• Exercise to practice procedures.
• Test to grade performance.
• Evaluate performance and make improvements as
  needed.

26
Policies and Procedures

• Policies are high-level, broad statements of what
  an organization wants to accomplish.
• Procedures are generally step-by-step
  instructions on how to implement policy.
• Standards are mandatory elements regarding the
  implementation of policy.

27
Security Policies

• Security policies define high-level goals for
  security for an organization.
• Other more specific policies include
• Acceptable use policy
• Internet usage policy
• Email usage policy
• Due care and due diligence

28
Additional Security Policies

• Prudent person principle
• Separation of duties
• Need to know and least privilege
• Password management
• Disposal and destruction
• Change management policy
• Classification of information

29
Privacy

• Privacy policy should be completed detailing how
  information is safeguarded.
• Privacy is enforced by law for some
  organizations.
• Personally Identifiable Information (PII) is
  becoming increasingly important to safeguard.

30
Service Level Agreement

• Agreement between two entities that specifies
• Minimum levels of service
• Penalties for failing to meet specified service
  levels
• May also define service providers responsibility
  in a BCP or DRP

31
Human Resources Policies

• People are the weakest link in security.
• Specific policies should be developed regarding
• New hire screening processes
• Periodic review process for current employees
• Employee termination process
• Mandatory vacation to uncover wrongdoing

32
Code of Ethics

• Describes expected behavior from a high-level
  standpoint
• Sets tone for employee conduct
• Encourages integrity and high ethical standards

33
Incident Response Policies and Procedures

• Several phases should be covered in an incident
  response policy
• Preparation
• Detection
• Containment and eradication
• Recovery
• Follow-up actions

34
Incident Response Preparation

• Preparation activities
• Determine points of contact.
• Train employees for understanding.
• Establish the incident response team.
• Acquire needed equipment.
• Complete and specialized training needed.

35
Incident Response Detection, Containment, and
Eradication

• Detection activities
• Determine if an incident has occurred work with
  network and system administrators.
• Containment and eradication activities
• Contain the intruder decide about prosecution.
• Restore operations without destroying evidence.
• Update antivirus and network peripherals as
  needed.
• Take steps to prevent future incidents (patching,
  etc.).

36
Incident Response Recovery

• Recovery activities
• Assess the situation to determine what actually
  occurred.
• Begin recovery based on assessment.
• May involve use of BCP to return business back to
  normal operation.

37
Incident Response Follow-Up Actions

• Follow-up activities
• Report on the incident to senior management.
• Report should address what happened and how it
  was addressed.
• Give recommendation to prevent future incidents.

38
Chapter Summary

• Describe the various ways backups are conducted
  and stored.
• Explain different strategies for alternative site
  processing.
• Describe the various components of a business
  continuity plan.
• Explain how policies and procedures play a daily
  role in addressing the security needs of an
  organization.