13. business continuity& disaster recovery planning

8/11/2019 13. Business Continuity& Disaster Recovery Planning

1/18

1

13. Business Continuity &Disaster Recovery Planning

ISA 562

Internet Security Theory & Practice


2/18

2

Objectives

Response to save business and human life

Recovery activities after a disaster to normal

operations Recovery plans to resume interrupted critical

business


3/18

Introduction

Need to process critical business systems in theevent of disruption to normal business dataprocessing operations.

Ensure the availability of critical informationsystem resources in the event of an expectednetwork interruption or disaster

Many kinds of plans

Contingency plans, Business Continuity Planning(BCP), Disaster Recovery Planning (DRP)

3


4/18

BCP and DRP Life cycle

Steps of BCP and DRP project life cycle Project Scope Development and planning

Business Continuity analysis (BIA) and functionalrequirements ( for BIA steps, please see the book)

Business Continuity and Recovery Strategy

Plan Design and Development

Restoration

Feedback

4


5/18

Project Scope and Development Planning

Higher managements commitment to go through thedifferent steps of the project. Deliverables

Project scope definition Producing a Project plan

Dedicating a steering committee for the project The BCP should be aligned with the organization's mission Business continuity steering committee should

know the mission statement in order to place the scope should have required authorization

Resources requirement need to be know at this stage Budget requirements are estimated and validated Personnel availability Knowing key points of contact or personnel in an emergency

5


6/18

Business Impact Analysis (BIA)

Evaluates all business functions against acommon criterion to assess potential impacts tothe business by an interruption

The following fall under the BIA

Preparing a BIA format Assess Potential impacts

Prioritize: very important for business functions

Elements to consider Analysis of different threats for the business Identification of critical business functions and units

Emergency Assessment

3rdparty considerations

6


7/18

Different cases which need to be considered

Threats analysis Human Made threats, Natural threats, IT threats Etc

Identify critical business functions: some characteristics Time Sensitivity, Data Integrity, Etc

Their impact on business: Financial & Operational Impact , Reputation etc

Emergency Assessment Affected Areas Alerting procedures Security and safety procedures and guidelines Etc

3rdparty considerations Need to look at Down stream liabilities and upstream impacts

Compliance requirements, SLA Agreements, etc

7


8/18

Business Continuity and recovery Strategy

Business Unit Priorities: Business units areexamined for BIA identified critical functions

Critical processes and functions are reviewed by theSteering committee and establishes priorities

The Committee looks at the minimum resources requiredfor the identified functions

Priorities are documented

Recovery time Objective (RTO) is the assed time bywhich a critical function must be recovered

Recovery point objective (RPO) measures data integrityrequirement or the tolerance for the amount of data loss

Cost/Benefit analysis

8


9/18

Recovery Alternatives

Three approaches for recovery Dedicated site operated by the organization

Multiple processing centers

Commercially leased facility Hot site / cost high

Worm site / cost moderate

Cold site / cost lowest

Agreement with an Internal or external facility Identify organizations with equivalent IT configurations and

backup technologies and establish an agreement Types of agreements

Reciprocal or Mutual Aid

Contingency

Service Bureau

9


10/18

Backup

Strategies Replication

Storage Area network

Electronic Vaulting, etc

Location and Storage Criteria Maybe stored in several locations for different purposes

On-site storage, Off-site storage, Near-site storage

Resilience Strategies Improve an organization's continuity and resilience

IT and Site Resilience etc

10


11/18

Plan Design Development Emergency Response Procedures

Life , Health & safety Damage Assessment Event Reporting Disaster Declaration, etc

Personnel Notifications List of people to notify Defining the role of the Executive crisis Management Executive Succession Planning, etc

Backup and off-site storage Inventory list is compiled and documented

Facility Accessibility and Resilience Communication in Emergency

Emergency and Business communication system should be in place Data communication priorities in networks should be agreed upon

11


12/18

Plan Design Development (Continued)

Alterative site considerations The ability to support the required infrastructure, environmental and space

demands should be analyzed: Utilities, Communications, etc

Logistics and supplies How resources are acquired or procured, transported and maintained

Personnel and materials transportation Remote worker environment activation Emergency funds access, etc

Documentation BCP & DRP activation and de-activation plans and procedures are

documented Activity and status reports Checklists etc

Business Continuity and resumption planning Contracts for emergency vendor services Risk Avoidance and mitigation planning Emergency business Recovery procedures

12


13/18

Implementation

Includes Training, Testing, Recovery and Audit Training

Increasing the organization's awareness of the BC and DRbusiness case

Different kinds of training for different attendees All people training, Operation teams, Recovery teams etc

Testing Confirms that the plan meets its emergency, recovery and

restoration objectives Measures the accuracy of the plans

Allow management to evaluate personnel readiness for anadverse event

13


14/18

Implementation (continued)

Test Plans Each time tests are scheduled, a test plan should be written, itshould contain

Objectives and success criteria Details Schedule Post-test review

Test types Several test types exists which server different purposes

Checklist test Structured walk-through Simulation

Parallel testing Testing follow-up

Identifying existing deficiencies Plan should be routinely assessed Should be scheduled for testing for example annually

14


15/18

Implementation (continued)

Recovery procedures Site migration

Local Recovery procedures

Transfer and recovery, etc.

Audit

Ensures an organization has an effective BC and DRcapability

Measures compliance

Addressing audit findings

15


16/18

Restoration

Restoration of primary location Primary facility must be stabilized and secured and then

more detailed damage assessment is conducted

Procurement Has an essential role in supporting restoration Consolidating acquisitions and Disposition Costs reporting

Data Recovery Reversal procedures Business process recovery point Journal and process synchronization

Relocation to primary site Restoration order and prioritization End of disaster declaration

16


17/18

Feedback and plan management

Post-recovery reporting Identification or remediation of plan gaps

Record Lessons learned

Performance metric review

Plan review and evaluation

Training of key personnel

Communication

Plan distribution Communicate the plan to stakeholders

17


18/18

References

ISC2 CBK Material CISSP-All-in-one book

18

13. business continuity& disaster recovery planning

Documents