Ch16 - 16.01 - Intro to Disaster Recovery and Business Continuity Flashcards
Business Continuity Plan (BCP)
A business continuity plan (BCP) is an important element in the security of your organization because it is a plan that helps ensure that business operations can continue when disaster strikes by implementing failover not only in your technology but in your business operations.
The BCP is a comprehensive document that identifies procedures for the business to recover from any disaster in an acceptable amount of time. The BCP also includes all the risks to the business and how to mitigate those risks. The end value of the BCP is that it reduces the impact of a disaster on your organization because you are prepared for the disaster and business operations can continue.
Steps to Creating a BCP
1. Project Initiation
2. Business Impact Assessment/Business Impact Analysis (BIA)
BCP - 1. Project Initiation - p1
The first phase of the BCP is project initiation, which involves deciding that you need a BCP and getting management to buy into the need for it. You will need the support of management because you are going to need to commit your time, and that of others, to the creation of the BCP.
To get management support, you will need to make a business case as to why a BCP is needed. The following list summarizes some of these reasons:
- Continued Business
- Compliance
- Past Scenarios
BCP - 1. Project Initiation - p2
Once you have the support from management, you can continue with the project initiation phase by creating a BCP committee. The BCP committee is a group of individuals from different departments within the company who are selected to represent their department and give insight to the operational requirements of that department.
BCP - 2. Business Impact Assessment/Business Impact Analysis (BIA)
Once the committee has been selected, you are then ready for the next phase of building a BCP—the business impact assessment, or BIA. The BIA is the risk assessment part of a BCP. It involves identifying critical business functions and determining the risks against those functions, and how long the company can last without those functions.
Steps to Performing the BIA
- Identify critical business functions
- Identify resources used by functions
- Determine allowable downtime of functions.
- Identify threats to (those resources used by) function.
- Determine impact of threat (Tangible vs. Intangible Impacts)
- Determine mitigation techniques
Steps to Performing the BIA - 1. Identify critical business functions
The first step in the BIA is to determine what functions are critical to the business; these functions are known as mission-essential functions. The primary method of identifying the critical functions is to identify any loss of function that would result in huge revenue loss or that would present a safety concern to employees. Another example of how to identify critical business tasks or functions is to determine whether, if the function goes down, you may be failing to meet contractual agreements or to comply with regulations, both of which could result in lawsuits against the business.
Steps to Performing the BIA - 2. Identify resources used by functions
After you have identified the critical business functions, you then identify the resources each function requires. This involves identification of critical systems, which are systems that the mission-essential functions cannot do without. For example, you may have identified the sales of online products as being a critical function to your business. This function relies on resources such as the Internet connection, web site, or product database—if any of those resources is lost, online sales cannot occur.
Steps to Performing the BIA - 3. Determine allowable downtime of functions.
You next look at determining the maximum tolerable downtime (MTD) of each business function, which indicates an amount of time the business can survive without that function. The following outlines some examples of tolerable downtimes for types of functions in the business:
Nonessential services = 30 days
Normal priority services = 7 days
Important functions to the business = 72 hours
Urgent functions = 24 hours
Critical functions = within 3 hours
Steps to Performing the BIA - 4. Identify threats to (those resources used by) function.
Once you have identified the different functions of the business and determined the allowable downtime, you are ready to identify the different threats against each function:
Manmade threats
These are threats such as fires, vandals, hackers, and even employee strikes.
Natural disasters
These could be floods, hurricanes, earthquakes, or anything else that is a force of nature.
Technical threats
Your company could experience loss of power for long periods, system failures, communication link failure, or device failures.
Steps to Performing the BIA - 5. Determine impact of threat (Tangible vs. Intangible Impacts)
After you determine the threats against each asset, you are then ready to determine the impact that the threat would have on your business. Determining the impact is important because it helps justify the cost of the mitigation technique used to protect the asset.
Steps to Performing the BIA - 6. Determine mitigation techniques
As a final step in the BIA, you will determine mitigation techniques for each of the threats you have identified in the previous steps.
Examples of mitigation techniques are performing backups, implementing fault tolerance, and implementing high-availability solutions. You can also implement redundant power and WAN links.
BCP - 3. Develop the Plan
Once you have completed the BIA, focus on developing the business continuity plan, which includes the methods used to minimize downtime when a disaster strikes the organization. The many aspects to this plan include the disaster recovery plan (DRP), which is a step-by-step document that demonstrates the steps needed to recover systems from failures.
BCP - 4. Test the Plan
The BCP will need to be thoroughly tested before it can be relied on in an emergency situation. You can test your BCP with different types of testing (listed in order of increasing level of involvement):
- Checklist review
- Tabletop exercise/structured walkthrough
- Simulation test
- Parallel test
- Full disruption test
BCP - 4. Test the Plan - 1. Checklist review
With a checklist review, the BCP is distributed to the representative for each department to review and to verify that no major components of the BCP have been left out.
BCP - 4. Test the Plan - 2. Tabletop exercise/structured walkthrough
The BCP team gets together and reviews the BCP. With a tabletop exercise, the BCP team reviews recovery procedures that would be used in a disaster in order to identify anything missing in the plan. This also gives the team a chance to review everyone’s responsibilities during a disaster.
BCP - 4. Test the Plan - 3. Simulation test
With a simulation test, the BCP is put to a small test by simulating different disaster scenarios. The goal is to ensure that response time is adequate and that everyone knows what to do.
BCP - 4. Test the Plan - 4. Parallel test
A parallel test involves ensuring that systems can function at the alternative site and that the alternative site is actually functional.
BCP - 4. Test the Plan - 5. Full disruption test
A full disruption test involves shutting down the original location and ensuring that the business can operate solely from the alternative site.
Privacy Impact Assessment (PIA)
A privacy impact assessment (PIA) is a type of assessment performed by an organization that allows it to review how it handles sensitive or private information, and to address any issues that could compromise the privacy of individuals in regard to how the information is handled. The PIA is designed to ensure that the organization is following policies and is compliant with any regulations governing the organization.
Privacy Threshold Assessment (PTA)
A privacy threshold assessment (PTA) is a document that is needed for each system that goes through the certification and accreditation process in order to authorize a system for use in a highly secure environment. The PTA document identifies the purpose of the system, and any personally identifiable information (PII) the system may store or process. The PTA document may also specify whether a PIA is needed for the system.
BCP - 5. Maintain the Plan
The key point to remember about the BCP is that it is a living document and is never complete. You need to ensure that the document is maintained on a regular basis and includes updates that reflect changes in the organization. These changes can range from service provider contact numbers, to vendor contact information, to steps to recover systems.
BCP in Action - After-action reports
After-action reports are created to inform management about the event that occurred and the steps that were taken to help continue business operations. You also include in the report anything that should change in regard to your BCP and DRP.
BCP in Action - Alternate processing sites
An alternate processing site is an alternate site that the company has set up, or has agreements with, to run IT infrastructure to support mission-critical business functions if there is a problem with the primary site. It should be noted that the alternate processing site is typically referred to as a disaster recovery (DR) site.