Ch16 - 16.01 - Intro to Disaster Recovery and Business Continuity Flashcards

1
Q

Business Continuity Plan (BCP)

A

A business continuity plan (BCP) is an important element in the security of your organization because it is a plan that helps ensure that business operations can continue when disaster strikes by implementing failover not only in your technology but in your business operations.

The BCP is a comprehensive document that identifies procedures for the business to recover from any disaster in an acceptable amount of time. The BCP also includes all the risks to the business and how to mitigate those risks. The end value of the BCP is that it reduces the impact of a disaster on your organization because you are prepared for the disaster and business operations can continue.

2
Q

Steps to Creating a BCP

A
  1. Project Initiation
  2. Business Impact Assessment/Business Impact Analysis (BIA)

3
Q

BCP - 1. Project Initiation - p1

A

The first phase of the BCP is project initiation, which involves deciding that you need a BCP and getting management to buy into the need for it. You will need the support of management because you are going to need to commit your time, and that of others, to the creation of the BCP.

To get management support, you will need to make a business case as to why a BCP is needed. The following list summarizes some of these reasons:

  1. Continued Business
  2. Compliance
  3. Past Scenarios
4
Q

BCP - 1. Project Initiation - p2

A

Once you have the support from management, you can continue with the project initiation phase by creating a BCP committee. The BCP committee is a group of individuals from different departments within the company who are selected to represent their department and give insight to the operational requirements of that department.

5
Q

BCP - 2. Business Impact Assessment/Business Impact Analysis (BIA)

A

Once the committee has been selected, you are then ready for the next phase of building a BCP: the business impact assessment, or BIA. The BIA is the risk assessment part of a BCP. It involves identifying critical business functions and determining the risks against those functions, and how long the company can last without those functions.

6
Q

Steps to Performing the BIA

A
  1. Identify critical business functions
  2. Identify resources used by functions
  3. Determine allowable downtime of functions.
  4. Identify threats to (those resources used by) function.
  5. Determine impact of threat (Tangible vs. Intangible Impacts)
  6. Determine mitigation techniques
7
Q

Steps to Performing the BIA - 1. Identify critical business functions

A

The first step in the BIA is to determine what functions are critical to the business; these functions are known as mission-essential functions. The primary method of identifying the critical functions is to identify any loss of function that would result in huge revenue loss or that would present a safety concern to employees. Another example of how to identify critical business tasks or functions is to determine whether, if the function goes down, you may be failing to meet contractual agreements or to comply with regulations, both of which could result in lawsuits against the business.

8
Q

Steps to Performing the BIA - 2. Identify resources used by functions

A

After you have identified the critical business functions, you then identify the resources each function requires. This involves identification of critical systems, which are systems that the mission-essential functions cannot do without. For example, you may have identified the sales of online products as being a critical function to your business. This function relies on resources such as the Internet connection, web site, or product database; if any of those resources is lost, online sales cannot occur.

9
Q

Steps to Performing the BIA - 3. Determine allowable downtime of functions.

A

You next look at determining the maximum tolerable downtime (MTD) of each business function, which indicates an amount of time the business can survive without that function. The following outlines some examples of tolerable downtimes for types of functions in the business:

Nonessential services = 30 days

Normal priority services = 7 days

Important functions to the business = 72 hours

Urgent functions = 24 hours

Critical functions = within 3 hours

10
Q

Steps to Performing the BIA - 4. Identify threats to (those resources used by) function.

A

Once you have identified the different functions of the business and determined the allowable downtime, you are ready to identify the different threats against each function:

Manmade threats
These are threats such as fires, vandals, hackers, and even employee strikes.

Natural disasters
These could be floods, hurricanes, earthquakes, or anything else that is a force of nature.

Technical threats
Your company could experience loss of power for long periods, system failures, communication link failure, or device failures.

11
Q

Steps to Performing the BIA - 5. Determine impact of threat (Tangible vs. Intangible Impacts)

A

After you determine the threats against each asset, you are then ready to determine the impact that the threat would have on your business. Determining the impact is important because it helps justify the cost of the mitigation technique used to protect the asset.

12
Q

Steps to Performing the BIA - 6. Determine mitigation techniques

A

As a final step in the BIA, you will determine mitigation techniques for each of the threats you have identified in the previous steps.

Examples of mitigation techniques are performing backups, implementing fault tolerance, and implementing high-availability solutions. You can also implement redundant power and WAN links.

13
Q

BCP - 3. Develop the Plan

A

Once you have completed the BIA, focus on developing the business continuity plan, which includes the methods used to minimize downtime when a disaster strikes the organization. The many aspects to this plan include the disaster recovery plan (DRP), which is a step-by-step document that demonstrates the steps needed to recover systems from failures.

14
Q

BCP - 4. Test the Plan

A

The BCP will need to be thoroughly tested before it can be relied on in an emergency situation. You can test your BCP with different types of testing, listed here in order of increasing level of involvement:

  1. Checklist review
  2. Tabletop exercise/structured walkthrough
  3. Simulation test
  4. Parallel test
  5. Full disruption test
15
Q

BCP - 4. Test the Plan - 1. Checklist review

A

With a checklist review, the BCP is distributed to the representative for each department to review and to verify that no major components of the BCP have been left out.

16
Q

BCP - 4. Test the Plan - 2. Tabletop exercise/structured walkthrough

A

The BCP team gets together and reviews the BCP. With a tabletop exercise, the BCP team reviews recovery procedures that would be used in a disaster in order to identify anything missing in the plan. This also gives the team a chance to review everyone’s responsibilities during a disaster.

17
Q

BCP - 4. Test the Plan - 3. Simulation test

A

With a simulation test, the BCP is put to a small test by simulating different disaster scenarios. The goal is to ensure that response time is adequate and that everyone knows what to do.

18
Q

BCP - 4. Test the Plan - 4. Parallel test

A

A parallel test involves ensuring that systems can function at the alternative site and that the alternative site is actually functional.

19
Q

BCP - 4. Test the Plan - 5. Full disruption test

A

A full disruption test involves shutting down the original location and ensuring that the business can operate solely from the alternative site.

20
Q

Privacy Impact Assessment (PIA)

A

A privacy impact assessment (PIA) is a type of assessment performed by an organization that allows it to review how it handles sensitive or private information, and to address any issues that could compromise the privacy of individuals in regard to how the information is handled. The PIA is designed to ensure that the organization is following policies and is compliant with any regulations governing the organization.

21
Q

Privacy Threshold Assessment (PTA)

A

A privacy threshold assessment (PTA) is a document that is needed for each system that goes through the certification and accreditation process in order to authorize a system for use in a highly secure environment. The PTA document identifies the purpose of the system, and any personally identifiable information (PII) the system may store or process. The PTA document may also specify whether a PIA is needed for the system.

22
Q

BCP - 5. Maintain the Plan

A

The key point to remember about the BCP is that it is a living document and is never complete. You need to ensure that the document is maintained on a regular basis and includes updates that reflect changes in the organization. These changes can range from service provider contact numbers, to vendor contact information, to steps to recover systems.

23
Q

BCP in Action - After-action reports

A

After-action reports are created to inform management about the event that occurred and the steps that were taken to help continue business operations. You also include in the report anything that should change in regard to your BCP and DRP.

24
Q

BCP in Action - Alternate processing sites

A

An alternate processing site is an alternate site that the company has set up, or has agreements with, to run IT infrastructure to support mission-critical business functions if there is a problem with the primary site. It should be noted that the alternate processing site is typically referred to as a disaster recovery (DR) site.

25
Q

BCP in Action - Alternate business practices

A

In the case of a disaster, it may be necessary to change how the company does business temporarily. In the BCP, you want to ensure that you list any alternate business practices that could be performed in place of regular business practices during the disaster recovery interval.

26
Q

Disaster Recovery Plan (DRP)

A

A big part of the business continuity plan is the disaster recovery plan (DRP), also known as a disaster recovery scheme, which is a document that covers the more technical nature of recovering your environment. The DRP contains the steps to recover from different scenarios, such as when a drive fails in a server or when an entire server crashes.

Disaster recovery is a matter of ensuring that you can help the company recover from any kind of disaster. When preparing for disaster, you need to make sure that your disaster recovery plan includes backup and restore plans, contact information for product vendors, and step-by-step instructions on how to recover each part of your information systems.

27
Q

Hot and Cold Spares

A

When preparing for recovery, organizations typically maintain spares of equipment ready to be used in case of device failures. For example, they may have a spare power supply, hard drive, or network card available in case the current one fails. By having the spare available, you don’t need to wait for a part to be delivered to your facility after a device has failed. With a spare available, downtime is minimized. The two approaches that you can take with spares are the following:

  1. Hot spares (No downtime, are powered and ready to work.)
  2. Cold spares (Increases downtime because the device must be powered up before it can take over the function of the original device.)
28
Q
  1. Hot spares
A

A hot spare is a spare component that is typically connected and powered on in case the primary device should fail. When the primary device fails, failover kicks in, allowing the spare device to take over the workload immediately. No time is needed to connect the device or to power on the device; hot spares are powered and ready to work.

29
Q
  2. Cold spares
A

A cold spare is a device that is not powered on but has been prepared for use in the environment if needed. For example, you may have a spare server, fully cabled in the server rack, just waiting for the production server for which it is a spare to fail. If the production server fails, you simply need to power on the spare server to take its place. A cold spare increases downtime because the device must be powered up before it can take over the function of the original device.

30
Q

Recovery Site Types

A
  1. Hot site:
     + Fully operational data centers
     + Stocked with equipment and data
     + Available at a moment's notice
     + Very expensive
  2. Cold site:
     + Empty data centers
     + Stocked with core equipment, network, and environmental controls
     + Operational in weeks or months
     + Relatively inexpensive
  3. Warm site:
     + Not maintained in a parallel fashion
     + Stocked with all necessary equipment and data
     + Available in hours or days
     + Similar in expense to hot sites

  1. Exclusive site
    With an exclusive site, your company pays the full fee to have the site available when needed, and the site is dedicated to your company. It is critical that you ensure the provider is not offering the site to anyone else in case you both need it at the same time.
  2. Time-shared
    With a shared alternative site, you decide to split the cost of an alternative site with another business, and if either company needs the site, it is there to be used. The problem with a shared alternative site is that you need to ensure the site can handle both businesses in case you both need it at the same time.
31
Q

Succession Planning

A

The process of ensuring that you have employees within the organization who can fill key leadership roles to ensure that the business can continue if you lose key personnel.

32
Q

IT Contingency Planning

A

The preparation of a recovery plan for when something goes wrong with the IT systems and infrastructure.

33
Q

Mean time to restore (MTTR)

A

Also known as mean time to recovery, MTTR is the average time for a system or device to recover from a failure.

34
Q

Mean time between failures (MTBF)

A

The amount of time between failures of a system or device.

35
Q

Mean time to failure (MTTF)

Provided by Vendors

A

The amount of time a device is expected to last in production before it fails. MTTF is usually a value reported by the manufacturer on hardware, which you can use as evaluation criteria when selecting hardware.

36
Q

Recovery time objective (RTO)

A

A BCP term for the amount of time allowable before a business function must be restored to a functional state after a failure.

37
Q

Recovery point objective (RPO)

A

A BCP term that represents how much of a system is expected to be recovered. For example, your company may expect that when a system fails, you should be able to restore up to the point of failure, while another company may only expect recovery of data up to 24 hours prior to the point of failure.