what is business continuity planning-bcp
DESCRIPTION
business continuity planning, bcp or Disaster recovery Planning,DRP , how to audit ,what is the needTRANSCRIPT
Disaster Recovery And Business Continuity
Adv. Prashant Mali [BSc.(Phy.), MSc.(Comp. Sci.),CNA, LLB]Cyber Law ,Cyber Security & IPR Expert
www.cyberlawconsulting.com
Session Overview
What is Business Continuity Planning (BCP) or Disaster Recovery Planning ( DRP)?
Need for BCP / DRPObjectives of BCP/DRPPlanning & Implementing BCP/DRP
www.cyberlawconsulting.com
What is BCP or DRP ?
BCP, the primarily the responsibility of senior management,
Is collection of plans, policies and procedures to improve the ability of organisation to continue its normal business operations under adverse or disastrous conditions
So as to decrease the loss due to such adverse of disastrous conditions
www.cyberlawconsulting.com
Need for BCP / DRP
Organizational Strategies & Standards
Events beyond human control like, earthquake, bomb blast, etc.
Business should continueLegal & Statutory requirementsCompetition
www.cyberlawconsulting.com
Objectives of BCP
Plan for continuity of business under disaster and non-disaster events
Limiting the tangible & Intangible losses of disaster events
Most often, in the event of a disaster, it is survival and not business as usual. So, should aim at normal business resumption
www.cyberlawconsulting.com
Testing & evaluation of BCPTraining & test personnel for the
adverse conditionsMaintenance & Currency of BCP
…Objectives of BCP
OtherEnables management to quantify and
qualify the resources like personnel, facilities etc.
Manage the resources to support the required operational commitment
Test the awareness and skills of the personnel in such events.
…Objectives of BCP
BCP – DRP
A business continuity plan aims to sustain mission critical business processes when an unforeseen interruption occurs
A disaster recover plan is a comprehensive statement of consistent actions to be taken before, during and after a disruptive event that causes a significant loss occurs
www.cyberlawconsulting.com
Steps in BCP
Establish a BCP workgroupDevelop high-level BCP
strategyDevelop master schedule
and milestonesObtain management
support
Initiate
Perform Risk
Assessment
Choose Recovery strategy
Test and Validate
www.cyberlawconsulting.com
…Steps in BCP
Perform a risk assessment exercise
Identify threats and exposures to each of the core business processes
Initiate
Perform Risk
Assessment
Choose Recovery strategy
Test and Validate
www.cyberlawconsulting.com
…Steps in BCP
Identify recovery strategyDefine notification
procedures andProcedures activating
contingency plansEstablish business recovery
teams for each core business process
Initiate
Perform Risk
Assessment
Choose Recovery strategy
Test and Validate
www.cyberlawconsulting.com
…Steps in BCP
Validate the company’s business continuity plans
Develop and document contingency test plans
Prepare and execute testsUpdate disaster recovery
plans and procedures
Initiate
Perform Risk
Assessment
Choose Recovery strategy
Test and Validate
www.cyberlawconsulting.com
What is a disaster ?
Disaster is a event that could affect the continuity of normal business operation of organisation
Categorizations of Disaster Events Disaster
Results unavailability of entire processing facility
Longer duration usually more than > 1 day
…Disaster
CatastropheResults in full/major destruction of
processing facilityAlternate processing facility can be
temporarily utilizedBut, needs new permanent facility
Non-DisasterShort term unavailability of the systems or
filesDisruption is temporary and easy to
restore
Business Continuity Plan
Defining strategy and policy by senior management
Identifying and prioritizing critical business functions by doing business impact analysis and involving end users
Identifying disaster events and evaluating its impacts
Identifying and evaluating recovery alternatives
…Business Continuity Plan
Identifying and assigning responsibilities to adequate personnel
Testing and correcting the Business Continuity Plan
Reviewing and Maintaining the Business Continuity Plan
www.cyberlawconsulting.com
Teams and Responsibilities
Emergency Action Team First response team – Bucket Team Fire wardens Deals with fire and other emergency
scenarios Orderly evacuation of personnel Securing of human life
www.cyberlawconsulting.com
…Teams
Damage Assessment Team Assess the extent of damage Members with ability to assess damage,
estimate recovery time Knowledge of test equipment, networks,
systems, safety regulations and procedures
Identify cause of disaster, impact and predict downtime
www.cyberlawconsulting.com
…Teams
Emergency Management Team Coordinating activities of all other
teams and handles key decision making Determine the activation of BCP Arrangement of finance for recovery Legal matters Public relations Media
www.cyberlawconsulting.com
…Teams
Off-Site Storage Team Obtaining, packaging and shipping media
and records to the recovery facilities Establishing and overseeing an off-site
storage schedule for information created during operations at the recovery site
Software Team Restore system, loading and testing OS Resolving system level problems
…Teams
Applications Teams Restores user packs and applications
programs Monitoring application performance and
database integritySecurity Team
Monitor security system and comm. links Resolve security conflicts Installation and functioning of sec. package
www.cyberlawconsulting.com
…Teams
Emergency Operations Team Shift operators and shift supervisors
reside at the recovery site Manage operations during recovery Coordinating hardware installation
Network Recovery Team Rerouting wide area voice and data
comm. Traffic
www.cyberlawconsulting.com
…Teams
Network Recovery Team Reestablishing host network control and
access Provide on-going support data
communications and overseas communications integrity
Communications Team Work in conjugation with remote network
recovery team
www.cyberlawconsulting.com
…Teams
Communications Team Soliciting and installing communications
hardware Work with local exchange carriers and
gateway vendorsTransport Team
Coordinating company employees to the site Also help in contacting, scheduling and
arranging lodgings
…Teams
User Hardware Team Delivery and installation of terminal.
Printers, typewriters, photocopiers and other necessary equipment
Facilitate salvage effortsData Preparation and Records Team
Updates applications Oversea contract data-entry personnel Record salvage
…Teams
Administrative Support Team Clerical support to the other teams Accounting, payroll
Supplies Team Coordinating logistics Office and computer supplies
www.cyberlawconsulting.com
…Teams
Salvage Team Manage relocation project More detailed analysis of damage Provides information to make decision
about reconstruction or relocation Insurance claims Immediate records salvage
Paper documents and electronic media
www.cyberlawconsulting.com
…Teams
Relocation Team Coordinates the process of moving from
the hot site to a new location or to the restored original location
Relocation of information system, processing operations, communication traffic and user operations
Monitor transition to normal service levels
www.cyberlawconsulting.com
IS Auditor’s Role in BCP
Offering suggestions for selecting right strategy
Can be facilitator as he or she has thorough understanding of BCP
www.cyberlawconsulting.com
Policy Implementation
What constitutes disaster?Who will decide or declare it?When can it happen?How to identify a disaster?How to estimate (time, efforts,
resources)The overall budget should provide
for it
Business Continuity Planning
Gather all the relevant facts Obtain reports on historical eventsMake risk analysis / impact
analysis needs to be reviewed periodically
Ascertain Legal liabilities Budgeting and obtaining
management approval
...BCP
Align with other policies / procedures.
Options available: In house Auditors Consultants
Business Impact Analysis
Identify critical information resources for business continuity
Prioritization of critical systemsDetermine critical recovery time and
tolerance in monetary termsSystem rankingNeeds involvement of IS personnel
and end users
Risk Ranking
It is prioritization of systems on basis of systems criticality and impact on business continuity
Sensitivity of an application is equal to that of most sensitive data
Users has varying degree of tolerance -cost
As processes become more automated and more integrated, the ability to prioritize systems more difficult
Classification of Systems
Critical (level 1) Cannot be processed manually but must be
processed on schedule
Vital (level 2) Can be processed manually but for a short
period of time
Sensitive (level 3) Can be done manually for a long period of
time
Non Critical www.cyberlawconsulting.com
Critical Recovery Time
Critical Recovery Time Period Is a time frame within which business
should resume Before suffering significant losses.
Depends on nature of business e.g. Banks, broking house, mfg. house
Depends on time of year or hour of business when disaster occurs
www.cyberlawconsulting.com
Critical applications, systems software and data should be recovered first
Do not ignore desktop or end-user applications and utilities like spread sheet, notepad, etc.
…Critical Recovery Time
www.cyberlawconsulting.com
Insurance
Equipment and Facility insurance Loss or damage to property, including
IS Equipment and facilities
Business interruption insurance Loss due to a disaster Continuing expenses during the time
the company is unable to operate
…Insurance
Extra Expense Extremely important add-on to property
coverage Covers expenses incurred to avoid or
minimise the suspension of business
Professional Liability Errors and Omissions
…Insurance
Extra Equipment Coverage If the system is not adequately covered Various types of equipment breakdown
Data Reconstruction Time spent on data restoration Not value of data
Specialised Equipment Coverage Anything that doesn’t fit in usual insurance
coverage
…Insurance
Valuable Papers and Records Against direct physical loss or damage Covers cost of recreating document,
data reentry
Fidelity Coverage Loss of organisational assets due to
theft, forgery and fraud
www.cyberlawconsulting.com
…Insurance
Civil Authorities Civil authority prevents use of assets
Media Transit Damage or loss during physical
shipment of data
www.cyberlawconsulting.comwww.cyberlawconsulting.com
How to Implement BCP?
Identification of Threats
Implementing Plan
Various Teams Involved
Disaster Recovery plan
Maintenance of BCP
www.cyberlawconsulting.com
Identification of Threats
External ThreatsNatural Calamities like earthquake, flood,
fireHardware suppliers - Unreliable or
incompatible h/wSoftware Suppliers - Erroneous s/w. poor
documentationContractors - e.g. untimely provision of
serviceOther resources - e.g. communication
services
www.cyberlawconsulting.com
…Identification of Threats
Competitors - e.g. Sabotage, lawsuits, fair and unfair competition
Debt & equity holders - e.g. financial distress through foreclosure on claims.
Unions - e.g. strikes, sabotage
www.cyberlawconsulting.com
Government - e.g Financial distress through onerous regulation
Environmentalist - e.g. Unfavorable publicity
Criminals / hackers - e.g. Theft, extortion
…Identification of Threats
www.cyberlawconsulting.com
Internal ThreatsManagement
Failure to provide resources Inadequate planning an control
Employees Errors Improper usr of facilities and services Theft, fraud, sabotage
…Identification of Threats
Unions
Strikes or harassment
Unreliable systems
H/w failure, S/w failure
…Identification of Threats
Major Security threats
Major Security threats• Fire• Water• Energy variations • Structural damage• Pollution due to smoke,chemicals• Unauthorised intrusion• Viruses and worms• Misuse of software,data and services
Implementing Plan
Inventory ProcessWho should be involved?
Staff from concerned department Purchase department Personal /HRD department Finance / accounts department Engineering / technical depts. Administration department
Implementing Plan
Inventory ProcessWhat should be inventorised?
Manpower (specific for BCP /DRP ).. Who possesses special skills?
Building, plant & machinery, furniture & fixtures
Communications equipment & facilities e.g. telephone systems, modems, wiring systems, controllers, switches
Electrical equipment and facilities, wiring
…Implementing Plan
Computer equipment and peripherals Computer data & software such as
O.S.,utilities ( defragmentation, forming etc. ), application s/w
Back-up facilities Stationary items e.g. computer
stationary Specific consumables e.g. printer
ribbons, cartridges Documents, forms and registers
www.cyberlawconsulting.com
Disaster Recovery Plan
Disaster Recovery Plan consists of Emergency Plan Backup Plan Recovery Plan Test Plan
www.cyberlawconsulting.com
Emergency Plan
Specifies emergencies and immediate actions to be taken
Who is to be notified e.g. management, police
What activities to be undertaken shutdown of equipment termination of power
www.cyberlawconsulting.com
…Emergency Plan
Evacuation procedures requiredReturn Procedures
www.cyberlawconsulting.comwww.cyberlawconsulting.com
Backup Plan
Personal - Training & Rotation of staff… so that the function does not become person specifics
Hardware and peripherals - Redundancy
Facilities (such as transportation, telecommunication etc.) - arrangement with other companies
www.cyberlawconsulting.com
...Backup Plan
Documentation Operating procedures, systems and program
documentation, special procedures, input source documents, output documents
A copy of current BCP plan at backup site & backup plan at current site
A copy of all important legal documents to be available at backup site
...Backup Plan
Supplies - stationary, ribbons etcData / Information - inventory of
files, data Sensitive data to be stored in fire-proof
magnetic media container Automated backups as far as possible Backup, its restoration, retention and
purging
...Backup Plan
Software backup Systems s/w & Application software current Program patches for all backup
locationsElectronic Vaulting
Alternative Site options
Hot Site Fully Configured, ready to operate If owned… computer hardware and
data/software is available If shared… computer hardware / O.S. is
available, data & application software may have to be loaded
Expensive option can be used initially for short period
...Alternative Sites Options
Warm Site Partially configured, with network
connection and selected peripheral equipment but without the main computer
Cold Site Basic environment is available
Duplicate Information processing facility Dedicated self-developed
www.cyberlawconsulting.com
...Alternative Sites Options
Reciprocal agreement Two or more organisation agree to
provide backup facilities Low cost Often informal in nature and cannot be
enforced legally Confidentiality could be a concern
www.cyberlawconsulting.com
Contract with Alternative site
Configurations H/w, s/w whether adequate at all times?
Speed of availability How early facility will be available?
Subscribers per site Whether limited number of subscribers?
Preference Priority in case of global disaster
www.cyberlawconsulting.com
...Contract
Usage period How long the facility shall be available?
Warranties Any liability limitations? e.g. lack of electricity.
Provision for generator
Testing Whether testing is allowed at alternate site?
...Contract
Reliability Technical and financial reliability
Insurance coverage at alternate site .. your insurance policy should also cover h/w, s/w etc. at alternate site
Alternate hardware facilities
Vendor or third-party Vendor may not immediately supply in
crisis Buy from used h/w market.. Mostly
applicable abroad Vendor supply can be best ensured at
the time of moving from hot site to warm / cold site in phased manner
Telecommunication Network
Susceptible to.. The same natural disasters Also sensitive to unique disastrous
events e.g. cable cuts, central switching office disasters,hacking etc.
Organisation’s responsibility and not that of Local Exchange Carrier (LEC)
...Telecommunication Networks
Backing up of telecommunication facilities such as Telephone voice circuits LAN, WAN Third party EDI providers UPS for telecom equipment
Critical capacity requirement be identified
www.cyberlawconsulting.com
Methods of Telecom Continuity
Redundancy Extra capacity is provided
Alternative Routing Routing via alternating medium e.g.
copper, fiber optic Involves use of different networks,
circuit or end points Use of couriers as an alternative to
electronic transmission.
www.cyberlawconsulting.com
...Methods
Diverse Routing Mix of redundancy and alternate routing Therefore time consuming and costly Generally alternative and diverse
routing is over terrestrial media and therefore is subject to risk of decaying
...Methods
Long Haul Network Diversity Alternate/redundancy/diverse routing
for LECs“Last Mile” Circuit Protection
Alternate or redundancy for “last mile”Voice recovery
Voice communication maybe necessary in financial and other retail service
Recovery Plan
Refers to procedures to restore original siteDepends on type of disaster whether localised
or globalSpecific responsibilities and prioritiesFunction of Salvage team
makes more detailed assessment of damage provides information for filing insurance
Relocation team manages the relocation
Test Plan
To identify deficiencies in emergency, backup and recovery plans
Most tests falls short of a full-scale test of all operations
Should be comprehensiveMust be scheduled properlyKey recovery team members should be
involved
www.cyberlawconsulting.com
Test Execution
Pretest Test Post-test
Other types of test Paper test Preparedness test Full Operational test
Document for all scenarios
Analysis of the Results
Quantify results rather than evaluating only observationsMeasures for Quantification
Recovery Time spentvolume of work performed at alternate siteAccuracywww.cyberlawconsulting.com
BCP Maintenance
Responsibility of BCP Co-ordinator Should reflect changing
environment Changes in business strategy may alter
significance of critical application New applications may be developed Changes in S/w or H/w environment Plan updating should be prompt
Maintenance schedule be prepared
www.cyberlawconsulting.com
Auditing BCP / DRP
Check for policy and support from senior management for BCP
Check whether risk assessment is proper
Evaluating ability of personnel - IS & users to respond to disaster
Dependency on third party service providers for business continuity purposes is a major concern
www.cyberlawconsulting.com
...Auditing
Evaluate BCP / DRP for their adequacy and currency May not exist May partially meet requirements Fully meets requirements
Evaluate the test results - If possible, simulate few tests
Check the inventories
www.cyberlawconsulting.com
...Auditing
Evaluate the contract with back up site vendors
Check whether plan addresses upload of data manually processed to computer system on resuming to normalcy
Evaluate security at back up facility & off-site data storage site
Review insurance coverage.
www.cyberlawconsulting.com
Any Questions?
Thank You
Contact: [email protected]
[email protected] Cell: (91)(9821763157)
www.cyberlawconsulting.com