Chapter 18 Disaster Recovery Planning Flashcards
What is the difference between the DRP and the BCP?
The DRP is the technical complement to the business-focused BCP.
How do you protect hard drives?
Common way to add fault tolerance and system resilence is with a RAID array.
RAID 0: Striping. Two or more disks. No fault tolerance
RAID 1: Mirroring: two disks with the same information. Fault tolerance but slower.
RAID 5: Striping with parity. Three or more disks, information divided equally, one holding parity information
RAID 6: Striping with parity. Parity stored on at least two disks. Minimum of four drives
RAID 10: RAID 1 +0. Stripe of mirrors. Two or more mirrors, with each mirror then set up as RAID 0 to increase performance. Needs at least 4 drives.
Software RAID is faily cheap. Hardware is more expensive but better performance. Typically include spare drives that can logically be added. Many support hot-swapping.
How do you protect servers?
Failover clusters can add fault tolerance. These are two or more servers, so that if one fails, the other automatically takes over. Can be more than two. For example, you could have three Web servers that share the load, with two database servers configured as a failover cluster, and then RAID arrays supporting the servers.
If you are using the cloud, your CSP may povide failover services. Consider whether you can have them located in different regions so you have regional variation, not just elasticity.
Another example of server fault tolerance–in MS, domain controllers regularly replicate AD data to each other.
What the four types of recovery under the Common Criteria?
Common Criteria include a section on trusted recovery. Four types:
–Manual recovery: If a system fails, it does not fail in a secure state. An admin must manually perform the actions necessary to implement a secured or trusted recovery
–Automated recovery: The system is able to perform trusted recovery activities to retore itself against at least one type of failure. Does not protect the entire server.
–Automated recovery without undue loss: Similar to above but includes mechanisms to ensure that specific objects are protected. Would include steps to restore data. For example, additional mechanisms to restore corrupted files, rebuild data from transaction logs, and verify the integrity of key system and security components
–Function recovery: Able to successfully complete the recovery, or the system will roll back to a secure state.
What is electronic vaulting?
Database backups are moved to a remote site using bulk transfers. Could be a hot site or a place simply intended to hold backups. There may be a significant delay between when you declare a disaster and when the database is ready for operation. Technicians will need to retrieve the backups from the electronic vault and apply them to the production system.
Insist of written definition of the service that vendors promising this will provide. Cover storage capacity, bandwidth, and time to retrieve information.
Be sure to test the setup. Do surprise tests. Remember that you could lose any information between the last backup and the disaster.
What is remote journaling?
Data transfers are performed in a more expeditious matter. Still done as bulk transfers, but usually once an hour. Instead of transferring entire database files, they transfer copies of the logs since the last transfer. Still transferred to a remote site and not applied to a live database server.
What is remote mirroring?
Maintains a live database server at the backup site, so the mirrored server can take over right away. Common for organizations that need a hot site. Very expensive–consider the infrastructure, personnel costs, and processing cost.
What is the difference between a differential and an incremental backup?
Important part of a DRP. Data copies can be stored on tape, disk, cloud, or other media. Three main types of backups:
–Full backups: Complete copy of the data. Duplicate every file on the system, regardless of the setting of the archive bit. Once backup is complete, archive bit on every file is reset to 0.
–Incremental backups: Store only those files that have been modified since the most recent full or incremental backup. Only files that have the archive bit turned on are copied; those files have their bit reset to 0.
–Differential backups: Store all files since the last full backup. Difference is that it does not change the archive bit.
In other words, if you do a full backup on Sundays, an incremental backup on Monday goes to the full backup, incremental on Tuesday goes back to Monday, etc. For differential, each backup goes back to Sunday. This means that if you need to do a restoration, if you use a differential approach, you need the last full backup and last differential. With incremental, you need all incremental backups and the last full backup.
Also need to consider where you store the data. May keep backups near the primary ops center, but you also need an offsite option. Cloud is good for this.
A common strategy is to do full backups on the weekends and either incremental or differential backups of the weekends. Specific requirements will depend on your fault tolerance and RPO.
What is a simulation test?
Similar to walk through, but also test some of the response measures, like interrupting noncritical business activities.
What is a parallel test?
Relocate personnel to the alternate recovery site so they can implement site recovery procedures. Act like they would during an actual disaster, but do not interrupt actual operations.
What is a full interruption test?
Actually shut down operations and practice shifting to the backup site. These are risky since you shut down operations, so they are very rare.
What is the difference between recovery and restoration?
Can separate these two. Recovery is bringing business operations and process back. Restoration is bringing facility and environment back. May need different teams for each. For example, DRP team focuses on recovery, and salvage team restores the primary site to operational capacity. They have different timelines.
What does NIST want to see in a lessons learned?
After any DR operation, do a lessons learned. See what worked and what did not. Gather together in person or by video. Have a neutral moderator. Do as soon as possible while memories are fresh.
NIST has a structured process:
–what happened when?
–How well did staff do?
–Were documented procedures followed?
–Were the procedures adequate?
–Did anything prevent recovery?
–What would you do differently?
–How could information-sharing be improved?
–How can you prevent similar incidents?
–What tools are needed to detect, analyze, and mitigate future incidents?
