What is business continuity planning (BCP)

Disaster Recovery And Business Continuity. Adv. Prashant Mali [BSc.(Phy.), MSc.(Comp. Sci.), CNA, LLB], Cyber Law, Cyber Security & IPR Expert, www.cyberlawconsulting.com

Posted on 19-May-2015 (upload: adv-prashant-mali). Category: Business.

DESCRIPTION

Business continuity planning (BCP) and disaster recovery planning (DRP): what they are, why they are needed, how to plan and implement them, and how to audit them.

TRANSCRIPT

Page 1: What is business continuity planning-bcp

Disaster Recovery And Business Continuity

Adv. Prashant Mali [BSc.(Phy.), MSc.(Comp. Sci.), CNA, LLB], Cyber Law, Cyber Security & IPR Expert

www.cyberlawconsulting.com

Page 2: Session Overview

What is Business Continuity Planning (BCP) or Disaster Recovery Planning (DRP)?

Need for BCP / DRP

Objectives of BCP / DRP

Planning & Implementing BCP / DRP

Page 3: What is BCP or DRP?

BCP is primarily the responsibility of senior management.

It is a collection of plans, policies and procedures that improve the organisation's ability to continue its normal business operations under adverse or disastrous conditions,

so as to reduce the loss caused by such conditions.

Page 4: Need for BCP / DRP

Organisational strategies & standards

Events beyond human control, e.g. earthquake, bomb blast

Business should continue

Legal & statutory requirements

Competition

Page 5: Objectives of BCP

Plan for continuity of business under disaster and non-disaster events

Limit the tangible & intangible losses from disaster events

Most often, in the event of a disaster, the first concern is survival, not business as usual. The plan should therefore aim at resumption of normal business.

Page 6: …Objectives of BCP

Testing & evaluation of the BCP

Training & testing personnel for adverse conditions

Maintenance & currency of the BCP

Page 7: …Objectives of BCP

Other objectives:

Enables management to quantify and qualify the resources required, e.g. personnel, facilities

Manage those resources to support the required operational commitment

Test the awareness and skills of personnel in such events

Page 8: BCP – DRP

A business continuity plan aims to sustain mission-critical business processes when an unforeseen interruption occurs.

A disaster recovery plan is a comprehensive statement of consistent actions to be taken before, during and after a disruptive event that causes a significant loss.

Page 9: Steps in BCP

[Process flow shown on slides 9 to 12: Initiate → Perform Risk Assessment → Choose Recovery Strategy → Test and Validate]

Initiate:

Establish a BCP workgroup

Develop a high-level BCP strategy

Develop a master schedule and milestones

Obtain management support

Page 10: …Steps in BCP

Perform Risk Assessment:

Perform a risk assessment exercise

Identify threats and exposures to each of the core business processes

Page 11: …Steps in BCP

Choose Recovery Strategy:

Identify the recovery strategy

Define notification procedures and procedures for activating contingency plans

Establish business recovery teams for each core business process

Page 12: …Steps in BCP

Test and Validate:

Validate the company's business continuity plans

Develop and document contingency test plans

Prepare and execute tests

Update disaster recovery plans and procedures

Page 13: What is a disaster?

A disaster is an event that could affect the continuity of an organisation's normal business operations.

Categorisation of disaster events:

Disaster: results in unavailability of the entire processing facility; longer duration, usually more than one day.

Page 14: …Disaster

Catastrophe: results in full or major destruction of the processing facility. An alternate processing facility can be used temporarily, but a new permanent facility is needed.

Non-disaster: short-term unavailability of systems or files; the disruption is temporary and easy to restore from.

Page 15: Business Continuity Plan

Defining strategy and policy by senior management

Identifying and prioritising critical business functions through a business impact analysis, involving end users

Identifying disaster events and evaluating their impacts

Identifying and evaluating recovery alternatives

Page 16: …Business Continuity Plan

Identifying and assigning responsibilities to suitable personnel

Testing and correcting the Business Continuity Plan

Reviewing and maintaining the Business Continuity Plan

Page 17: Teams and Responsibilities

Emergency Action Team: the first response team (bucket team, fire wardens). Deals with fire and other emergency scenarios; orderly evacuation of personnel; securing human life.

Page 18: …Teams

Damage Assessment Team: assesses the extent of damage. Members must be able to assess damage and estimate recovery time, with knowledge of test equipment, networks, systems, safety regulations and procedures. Identifies the cause of the disaster and its impact, and predicts downtime.

Page 19: …Teams

Emergency Management Team: coordinates the activities of all other teams and handles key decision making; determines activation of the BCP; arranges finance for recovery; legal matters; public relations; media.

Page 20: …Teams

Off-Site Storage Team: obtains, packages and ships media and records to the recovery facilities; establishes and oversees an off-site storage schedule for information created during operations at the recovery site.

Software Team: restores systems, loads and tests the OS; resolves system-level problems.

Page 21: …Teams

Applications Team: restores user packs and application programs; monitors application performance and database integrity.

Security Team: monitors security systems and communication links; resolves security conflicts; installation and functioning of the security package.

Page 22: …Teams

Emergency Operations Team: shift operators and shift supervisors who reside at the recovery site; manage operations during recovery; coordinate hardware installation.

Network Recovery Team: reroutes wide area voice and data communication traffic.

Page 23: …Teams

Network Recovery Team (continued): re-establishes host network control and access; provides ongoing support for data communications and oversees communications integrity.

Communications Team: works in conjunction with the remote network recovery team.

Page 24: …Teams

Communications Team (continued): solicits and installs communications hardware; works with local exchange carriers and gateway vendors.

Transport Team: coordinates transport of company employees to the recovery site; also helps in contacting, scheduling and arranging lodgings.

Page 25: …Teams

User Hardware Team: delivery and installation of terminals, printers, typewriters, photocopiers and other necessary equipment; facilitates salvage efforts.

Data Preparation and Records Team: updates applications; oversees contract data-entry personnel; record salvage.

Page 26: …Teams

Administrative Support Team: clerical support to the other teams; accounting, payroll.

Supplies Team: coordinates logistics; office and computer supplies.

Page 27: …Teams

Salvage Team: manages the relocation project; more detailed analysis of damage; provides the information needed to decide between reconstruction and relocation; insurance claims; immediate salvage of records, both paper documents and electronic media.

Page 28: …Teams

Relocation Team: coordinates the process of moving from the hot site to a new location or to the restored original location; relocation of information systems, processing operations, communication traffic and user operations; monitors the transition to normal service levels.

Page 29: IS Auditor's Role in BCP

Offers suggestions for selecting the right strategy

Can act as a facilitator, since he or she has a thorough understanding of BCP

Page 30: Policy Implementation

What constitutes a disaster?

Who will decide or declare it?

When can it happen?

How to identify a disaster?

How to estimate time, effort and resources?

The overall budget should provide for it

Page 31: Business Continuity Planning

Gather all the relevant facts

Obtain reports on historical events

Make a risk analysis / impact analysis; it needs to be reviewed periodically

Ascertain legal liabilities

Budgeting and obtaining management approval

Page 32: ...BCP

Align with other policies / procedures.

Options available: in-house, auditors, consultants

Page 33: Business Impact Analysis

Identify critical information resources for business continuity

Prioritisation of critical systems

Determine critical recovery time and tolerance in monetary terms

System ranking

Needs the involvement of IS personnel and end users

Page 34: Risk Ranking

Prioritisation of systems on the basis of system criticality and impact on business continuity

The sensitivity of an application is equal to that of its most sensitive data

Users have varying degrees of tolerance, in cost terms

As processes become more automated and more integrated, prioritising systems becomes more difficult

Page 35: Classification of Systems

Critical (level 1): cannot be processed manually; must be processed on schedule

Vital (level 2): can be processed manually, but only for a short period of time

Sensitive (level 3): can be processed manually for a long period of time

Non-critical

Page 36: Critical Recovery Time

The critical recovery time period is the time frame within which business should resume before suffering significant losses.

Depends on the nature of the business, e.g. bank, broking house, manufacturing house

Depends on the time of year or the hour of business at which the disaster occurs

Page 37: …Critical Recovery Time

Critical applications, systems software and data should be recovered first

Do not ignore desktop or end-user applications and utilities such as spreadsheets, notepad, etc.
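
As an added example (not from the slides) of how the impact analysis, risk ranking, system classification and critical recovery time on the preceding slides can be made concrete: the script below gives each system a level (1 to 3 as classified above; 4 is assumed here for non-critical), a critical recovery time, an hourly loss figure, a restore duration and its dependencies. It propagates criticality down the dependency chain (a supporting system inherits the rating of the most demanding system that needs it, the same way an application inherits the sensitivity of its most sensitive data), derives a recovery order that never restores a system before what it depends on, and simulates a serial restore to show which systems would miss their recovery window. System names, figures and restore durations are constructed for the example.

```python
"""Business impact analysis ranking: an added example, not from the slides.
Levels follow the Classification of Systems slide (1 critical, 2 vital,
3 sensitive; 4 is assumed here for non-critical)."""
from dataclasses import dataclass
from graphlib import TopologicalSorter  # Python 3.9+; raises CycleError on loops


@dataclass(frozen=True)
class System:
    name: str
    level: int             # 1 critical, 2 vital, 3 sensitive, 4 non-critical
    rto_hours: float       # critical recovery time period
    loss_per_hour: float   # tolerance expressed in money per hour of outage
    restore_hours: float   # time the recovery team needs to bring it back
    depends_on: tuple = ()


@dataclass(frozen=True)
class Outcome:
    name: str
    ready_at: float   # hours after the disaster declaration
    rto_met: bool
    loss: float       # loss accrued while this system was down


def effective_ratings(systems):
    """Propagate criticality down the dependency chain: a supporting system
    inherits the level and recovery time of the most demanding system that
    needs it (as an application inherits the sensitivity of its data)."""
    names = {s.name for s in systems}
    level = {s.name: s.level for s in systems}
    rto = {s.name: s.rto_hours for s in systems}
    changed = True
    while changed:
        changed = False
        for s in systems:
            for dep in s.depends_on:
                if dep not in names:
                    raise KeyError(f"{s.name} depends on unknown system {dep}")
                if level[s.name] < level[dep] or rto[s.name] < rto[dep]:
                    level[dep] = min(level[dep], level[s.name])
                    rto[dep] = min(rto[dep], rto[s.name])
                    changed = True
    return level, rto


def recovery_order(systems):
    """Most demanding system first, but never before what it depends on."""
    by_name = {s.name: s for s in systems}
    level, rto = effective_ratings(systems)
    sorter = TopologicalSorter({s.name: set(s.depends_on) for s in systems})
    sorter.prepare()
    ready, order = set(), []
    while sorter.is_active():
        ready.update(sorter.get_ready())  # newly unblocked systems
        nxt = min(ready, key=lambda n: (level[n], rto[n], -by_name[n].loss_per_hour, n))
        ready.remove(nxt)
        sorter.done(nxt)
        order.append(nxt)
    return order


def simulate_restore(systems, order=None):
    """Serial restore in the given order: when each system is back, whether
    its (effective) recovery window was met, and the loss accrued meanwhile."""
    by_name = {s.name: s for s in systems}
    _, rto = effective_ratings(systems)
    clock, report = 0.0, []
    for name in order or recovery_order(systems):
        s = by_name[name]
        clock += s.restore_hours
        report.append(Outcome(name, clock, clock <= rto[name], s.loss_per_hour * clock))
    return report


# Constructed sample estate; figures are illustrative, not from the slides.
SAMPLE = (
    System("directory", 4, 72, 0, 1.0),
    System("database", 2, 24, 1000, 3.0),
    System("core-banking", 1, 4, 50000, 2.0, ("directory", "database")),
    System("payroll", 2, 48, 500, 1.0, ("directory",)),
    System("intranet-wiki", 4, 120, 10, 0.5),
)

if __name__ == "__main__":
    for o in simulate_restore(SAMPLE):
        print(f"{o.name:14} up at {o.ready_at:4.1f}h  RTO met: {o.rto_met!s:5}  loss: {o.loss:,.0f}")
```

Running it shows the directory service, non-critical on its own, promoted to level 1 because core banking needs it, and core banking missing its four-hour window because the database and directory must be restored before it. A finding like that is what justifies the expensive options on the later slides (a hot site, or parallel restore of the level-1 chain) rather than a serial cold-site restore.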

Page 38: Insurance

Equipment and facility insurance: loss of or damage to property, including IS equipment and facilities

Business interruption insurance: loss due to a disaster; continuing expenses during the time the company is unable to operate

Page 39: …Insurance

Extra expense: an extremely important add-on to property coverage; covers expenses incurred to avoid or minimise the suspension of business

Professional liability: errors and omissions

Page 40: …Insurance

Extra equipment coverage: if the system is not adequately covered; various types of equipment breakdown

Data reconstruction: covers the time spent on data restoration, not the value of the data

Specialised equipment coverage: anything that doesn't fit in the usual insurance coverage

Page 41: …Insurance

Valuable papers and records: against direct physical loss or damage; covers the cost of recreating documents and data re-entry

Fidelity coverage: loss of organisational assets due to theft, forgery and fraud

Page 42: …Insurance

Civil authorities: a civil authority prevents use of assets

Media transit: damage or loss during physical shipment of data

Page 43: How to Implement BCP?

Identification of threats

Implementing the plan

Various teams involved

Disaster recovery plan

Maintenance of the BCP

Page 44: Identification of Threats

External threats:

Natural calamities, e.g. earthquake, flood, fire

Hardware suppliers: unreliable or incompatible hardware

Software suppliers: erroneous software, poor documentation

Contractors: e.g. untimely provision of service

Other resources: e.g. communication services

Page 45: …Identification of Threats

Competitors: e.g. sabotage, lawsuits, fair and unfair competition

Debt & equity holders: e.g. financial distress through foreclosure on claims

Unions: e.g. strikes, sabotage

Page 46: …Identification of Threats

Government: e.g. financial distress through onerous regulation

Environmentalists: e.g. unfavourable publicity

Criminals / hackers: e.g. theft, extortion

Page 47: …Identification of Threats

Internal threats:

Management: failure to provide resources; inadequate planning and control

Employees: errors; improper use of facilities and services; theft, fraud, sabotage

Page 48: …Identification of Threats

Unions: strikes or harassment

Unreliable systems: hardware failure, software failure

Page 49: Major Security Threats

• Fire
• Water
• Energy variations
• Structural damage
• Pollution due to smoke, chemicals
• Unauthorised intrusion
• Viruses and worms
• Misuse of software, data and services

Page 50: Implementing Plan

Inventory process: who should be involved?

Staff from the concerned department, purchase department, personnel/HRD department, finance/accounts department, engineering/technical departments, administration department

Page 51: Implementing Plan

Inventory process: what should be inventoried?

Manpower (specific to BCP/DRP): who possesses special skills?

Building, plant & machinery, furniture & fixtures

Communications equipment & facilities, e.g. telephone systems, modems, wiring systems, controllers, switches

Electrical equipment and facilities, wiring

Page 52: …Implementing Plan

Computer equipment and peripherals

Computer data & software, such as the OS, utilities (defragmentation, formatting etc.), application software

Backup facilities

Stationery items, e.g. computer stationery

Specific consumables, e.g. printer ribbons, cartridges

Documents, forms and registers

Page 53: Disaster Recovery Plan

A disaster recovery plan consists of an emergency plan, a backup plan, a recovery plan and a test plan.

Page 54: Emergency Plan

Specifies emergencies and the immediate actions to be taken

Who is to be notified, e.g. management, police

What activities are to be undertaken, e.g. shutdown of equipment, termination of power

Page 55: …Emergency Plan

Evacuation procedures required

Return procedures

Page 56: Backup Plan

Personnel: training & rotation of staff, so that the function does not become person-specific

Hardware and peripherals: redundancy

Facilities (such as transportation, telecommunication etc.): arrangements with other companies

Page 57: ...Backup Plan

Documentation: operating procedures, systems and program documentation, special procedures, input source documents, output documents

A copy of the current BCP at the backup site, and of the backup plan at the current site

A copy of all important legal documents to be available at the backup site

Page 58: ...Backup Plan

Supplies: stationery, ribbons etc.

Data / information: inventory of files and data; sensitive data to be stored in a fire-proof magnetic media container; automated backups as far as possible; backup, its restoration, retention and purging

Page 59: ...Backup Plan

Software backup: systems software & application software kept current; program patches for all backup locations

Electronic vaulting
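
To make the backup plan points on the preceding slides concrete (automated backups, restoration testing, retention and purging, and an integrity check on media that has been in transit), here is an added example that is not part of the slides. A local directory stands in for the off-site or electronic vault, the sample data tree is constructed, and the retention rule (keep the newest N archives plus the newest archive of each of the next M ISO weeks) is an assumption made for the example. The restore test deliberately refuses archive members that are not regular files or that carry absolute or `..` paths, since a tarball that was damaged or tampered with in transit should fail the test rather than overwrite the recovery host.

```python
"""Backup cycle for a directory: an added example, not code from the slides.
A local 'vault' directory stands in for the off-site / electronic vault."""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive):
    return archive.parent / (archive.name + ".manifest.json")


def make_backup(source, vault, when):
    """Archive every file under `source` into the vault, tagged with the backup
    time, and write a manifest of per-file and whole-archive SHA-256 digests."""
    source, vault = Path(source), Path(vault)
    vault.mkdir(parents=True, exist_ok=True)
    archive = vault / f"{source.name}-{when.strftime('%Y%m%dT%H%M%S')}.tar.gz"
    files = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                files[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    manifest = {"taken": when.isoformat(), "files": files,
                "archive_sha256": sha256_of(archive)}
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return archive


def verify_restore(archive):
    """Prove the backup is usable: check the archive digest, extract it into a
    scratch directory (refusing unsafe member paths) and compare every restored
    file with the manifest. True only if everything matches."""
    archive = Path(archive)
    manifest = json.loads(manifest_path(archive).read_text())
    if sha256_of(archive) != manifest["archive_sha256"]:
        return False  # damaged or tampered archive
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(str(archive)) as tar:
        for m in tar.getmembers():
            if not m.isfile() or m.name.startswith("/") or ".." in Path(m.name).parts:
                return False  # refuse symlinks/devices and path traversal
        tar.extractall(tmp)
        restored = {p.relative_to(tmp).as_posix(): sha256_of(p)
                    for p in Path(tmp).rglob("*") if p.is_file()}
    return restored == manifest["files"]


def purge(vault, keep_daily=7, keep_weekly=4):
    """Retention and purging (assumed rule): keep the newest `keep_daily`
    archives plus the newest archive of each of the next `keep_weekly` ISO
    weeks; delete the rest with their manifests. Returns what was deleted."""
    vault = Path(vault)
    archives = sorted(vault.glob("*.tar.gz"), key=lambda p: p.name, reverse=True)
    keep, weeks = set(archives[:keep_daily]), []
    for a in archives[keep_daily:]:
        taken = datetime.fromisoformat(json.loads(manifest_path(a).read_text())["taken"])
        week = tuple(taken.isocalendar()[:2])
        if week not in weeks and len(weeks) < keep_weekly:
            weeks.append(week)
            keep.add(a)
    deleted = [a for a in archives if a not in keep]
    for a in deleted:
        a.unlink()
        manifest_path(a).unlink()
    return deleted


def demo(days=10, keep_daily=3, keep_weekly=2):
    """Run the cycle on a constructed sample tree (not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "ledger"
        (src / "2015").mkdir(parents=True)
        (src / "2015" / "may.csv").write_text("date,amount\n2015-05-01,100\n")
        (src / "readme.txt").write_text("constructed sample data\n")
        vault = Path(tmp) / "vault"
        archives = [make_backup(src, vault, datetime(2015, 5, 1 + i)) for i in range(days)]
        verified = verify_restore(archives[-1])
        deleted = purge(vault, keep_daily, keep_weekly)
        with open(archives[-1], "ab") as f:  # simulate damage in transit
            f.write(b"\0")
        return {"verified": verified, "deleted": len(deleted),
                "remaining": len(list(vault.glob("*.tar.gz"))),
                "damage_detected": not verify_restore(archives[-1])}


if __name__ == "__main__":
    print(demo())
```

The manifest is what an auditor checks against when reviewing the inventories and the off-site storage schedule: it records when the backup was taken and what it should contain, so a restore test has an expected result rather than only an observation that "the tape loaded".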

Page 60: Alternative Site Options

Hot site: fully configured, ready to operate. If owned, computer hardware and data/software are available; if shared, computer hardware / OS is available but data & application software may have to be loaded. An expensive option; can be used initially for a short period.

Page 61: ...Alternative Site Options

Warm site: partially configured, with network connection and selected peripheral equipment but without the main computer

Cold site: basic environment is available

Duplicate information processing facility: dedicated, self-developed

Page 62: ...Alternative Site Options

Reciprocal agreement: two or more organisations agree to provide backup facilities to each other. Low cost, but often informal in nature and cannot be enforced legally; confidentiality could be a concern.

Page 63: Contract with Alternative Site

Configurations: are the hardware and software adequate at all times?

Speed of availability: how early will the facility be available?

Subscribers per site: is the number of subscribers limited?

Preference: priority in case of a "global" disaster, one that hits many subscribers at once

Page 64: ...Contract

Usage period: how long shall the facility be available?

Warranties: any liability limitations? e.g. lack of electricity; provision for a generator

Testing: is testing allowed at the alternate site?

Page 65: ...Contract

Reliability: technical and financial reliability

Insurance coverage at the alternate site: your insurance policy should also cover hardware, software etc. at the alternate site

Page 66: Alternate Hardware Facilities

Vendor or third party: the vendor may not be able to supply immediately in a crisis

Buy from the used hardware market (mostly applicable abroad)

Vendor supply can best be ensured at the time of moving from the hot site to a warm/cold site, in a phased manner

Page 67: Telecommunication Network

Susceptible to the same natural disasters, and also sensitive to unique disastrous events, e.g. cable cuts, central switching office disasters, hacking

Its continuity is the organisation's responsibility, not that of the Local Exchange Carrier (LEC)

Page 68: ...Telecommunication Networks

Backing up of telecommunication facilities such as telephone voice circuits, LAN, WAN, third-party EDI providers; UPS for telecom equipment

Critical capacity requirements should be identified

Page 69: Methods of Telecom Continuity

Redundancy: extra capacity is provided

Alternative routing: routing via an alternative medium, e.g. copper, fibre optic; involves use of different networks, circuits or end points; use of couriers as an alternative to electronic transmission

Page 70: ...Methods

Diverse routing: a mix of redundancy and alternative routing, therefore time-consuming and costly. Alternative and diverse routing generally run over terrestrial media and therefore remain exposed to the risks that affect such media.

Page 71: ...Methods

Long-haul network diversity: alternate, redundant or diverse routing across LECs

"Last mile" circuit protection: alternate or redundant "last mile" circuits

Voice recovery: voice communication may be necessary in financial and other retail services

Page 72: Recovery Plan

Refers to the procedures to restore the original site

Depends on the type of disaster, whether localised or global

Specific responsibilities and priorities

Function of the salvage team: makes a more detailed assessment of damage; provides information for filing insurance claims

The relocation team manages the relocation

Page 73: Test Plan

To identify deficiencies in the emergency, backup and recovery plans

Most tests fall short of a full-scale test of all operations

Should be comprehensive

Must be scheduled properly

Key recovery team members should be involved

Page 74: Test Execution

Phases: pre-test, test, post-test

Types of test: paper test, preparedness test, full operational test

Document all scenarios

Analysis of the results: quantify results rather than evaluating only observations

Measures for quantification: recovery time spent, volume of work performed at the alternate site, accuracy

www.cyberlawconsulting.com
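
An added example (not from the slides) of quantifying a test rather than recording only observations: the script below reads a constructed exercise log (the line format, ISO timestamp then event, system and detail, is an assumption for this example), measures each system's recovery time from the moment the disaster was declared, compares it with an assumed recovery time table, takes the records processed at the alternate site as the volume of work, computes accuracy as records reconciled over records expected, and reports a system that never came back as a failure instead of letting it drop out of the results.

```python
"""Quantifying a DR test from its exercise log: an added example, not code
from the slides. The log format (ISO timestamp, event, system, detail) and
the lines below are constructed for illustration."""
from datetime import datetime

# Constructed exercise log: the declaration, alternate-site readiness and one
# RESTORED line per system with records reconciled at the alternate site.
EXERCISE_LOG = """\
2015-05-19T09:00:00 DECLARED - scenario=primary-site-power-loss
2015-05-19T09:20:00 SITE_READY hot-site -
2015-05-19T10:45:00 RESTORED core-banking records=118200/120000
2015-05-19T11:30:00 RESTORED payroll records=4000/4000
2015-05-19T14:05:00 RESTORED intranet-wiki records=900/900
"""

# Critical recovery time per system in hours (assumed figures from a
# hypothetical BIA); "database" has a target but never comes back in the log.
RTO_HOURS = {"core-banking": 4, "database": 4, "payroll": 48, "intranet-wiki": 120}


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            stamp, event, system, detail = line.split(" ", 3)
            events.append((datetime.fromisoformat(stamp), event, system, detail))
    return events


def evaluate(log_text, rto_hours):
    """Per system: hours from declaration to restore, whether the recovery
    window was met, records processed at the alternate site and accuracy
    (records reconciled / records expected). A system with a target that
    was never restored is reported as a failure, not silently dropped."""
    events = parse_log(log_text)
    declared = next(t for t, ev, _, _ in events if ev == "DECLARED")
    results = {}
    for t, ev, system, detail in events:
        if ev != "RESTORED":
            continue
        done, expected = (int(x) for x in detail.split("=", 1)[1].split("/"))
        hours = (t - declared).total_seconds() / 3600
        results[system] = {"hours": hours,
                           "rto_met": hours <= rto_hours.get(system, float("inf")),
                           "records": done, "accuracy": done / expected}
    for system in rto_hours:
        results.setdefault(system, {"hours": None, "rto_met": False,
                                    "records": 0, "accuracy": 0.0})
    return results


def exercise_passed(results, min_accuracy=0.999):
    """The exercise passes only if every system met its window and its data
    reconciled to within the accuracy threshold."""
    return all(r["rto_met"] and r["accuracy"] >= min_accuracy for r in results.values())


if __name__ == "__main__":
    res = evaluate(EXERCISE_LOG, RTO_HOURS)
    for name, r in res.items():
        print(f"{name:14} {str(r['hours']):>6}h  RTO met: {r['rto_met']!s:5}  accuracy: {r['accuracy']:.3f}")
    print("exercise passed:", exercise_passed(res))
```

With the constructed log, core banking is back in 1.75 hours but reconciles only 98.5% of its records, and the database never reports at all; both are findings that only show up when the post-test analysis is numeric rather than a narrative of what the observers saw.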

Page 75: BCP Maintenance

Responsibility of the BCP co-ordinator

Should reflect the changing environment: changes in business strategy may alter the significance of a critical application; new applications may be developed; changes in the software or hardware environment

Plan updating should be prompt

A maintenance schedule should be prepared

Page 76: Auditing BCP / DRP

Check for policy and support from senior management for BCP

Check whether the risk assessment is proper

Evaluate the ability of personnel, IS & users, to respond to a disaster

Dependency on third-party service providers for business continuity purposes is a major concern

Page 77: ...Auditing

Evaluate the BCP / DRP for adequacy and currency: it may not exist, may partially meet requirements, or may fully meet requirements

Evaluate the test results; if possible, simulate a few tests

Check the inventories

Page 78: ...Auditing

Evaluate the contract with backup site vendors

Check whether the plan addresses upload of data processed manually to the computer system on resumption of normal operations

Evaluate security at the backup facility & off-site data storage site

Review insurance coverage

Page 79: Any Questions?

Thank You

Contact: [email protected]

[email protected] Cell: (91)(9821763157)

www.cyberlawconsulting.com