CHAPTER 8_Business Continuity and Disaster Recovery Flashcards
Explanation Bullets: The organization can take the following steps to better ensure the continuity of its outsourcing:
- Make the ability of such companies to reliably assure continuity of products and services part of any work proposals.
- Make sure that BCP is included in contracts with such companies, and that their responsibilities and levels of service are clearly spelled out.
- Draw up realistic and reasonable service levels that the outsourced firm will meet during an incident.
- If possible, have the outsourcing companies take part in BCP awareness programs, training, and testing.
Explanation Bullets: 2. Performed the BIA
- Identified critical business functions, their resources, and MTD values
- Identified threats and calculated the impact of these threats
- Identified solutions
- Presented findings to management
Explanation Bullets: • Management Practices:
- Management Practices:
* Technical Practices:
Emphasis: executive succession planning
Organizations should already have executive succession planning in place. This means that if someone in a senior executive position retires, leaves the company, or is killed, the organization has predetermined steps to carry out to protect the company. The loss of a senior executive could tear a hole in the company’s fabric, creating a leadership vacuum that must be filled quickly with the right individual. The line-of-succes-sion plan defines who would step in and assume responsibility for this role. Many organizations have “deputy” roles. For example, an organization may have a deputy CIO, deputy CFO, and deputy CEO ready to take over the necessary tasks if the CIO, CFO, or CEO becomes unavailable.
Emphasis: Identify preventive controls
- Identify preventive controls. Once threats are recognized, identify and implement controls and countermeasures to reduce the organization’s risk level in an economical manner.
Explanations: Tertiary Sites
During the BIA phase, the team may recognize the danger of the primary backup facility not being available when needed, which could require a tertiary site. This is a secondary backup site, just in case the primary backup site is unavailable. The secondary backup site is sometimes referred to as a “backup to the backup.” This is basically plan B if plan A does not work out.
Emphasis: Standards and Best Practices
Standards and Best PracticesAlthough no specific scientific equation must be followed to create continuity plans, certain best practices have proven themselves over time. The National Institute of Standards and Technology (NIST) is responsible for developing best practices and standards as they pertain to U.S. government and military environments. It is common for NIST to document the requirements for these types of environments, and then everyone else in the industry uses their documents as guidelines. So these are “musts” for U.S. government organizations and “good to have” for other nongovernment entities.
Explanation Bullets: Business Continuity Planning
Preplanned procedures allow an organization to
- Provide an immediate and appropriate response to emergency situations
- Protect lives and ensure safety
- Reduce business impact
- Resume critical business functions
- Work with outside vendors and partners during the recovery period
- Reduce confusion during a crisis
- Ensure survivability of the business
- Get “up and running” quickly after a disaster
Emphasis: Develop the continuity planning policy statement
- Develop the continuity planning policy statement. Write a policy that provides the guidance necessary to develop a BCP, and that assigns authority to the necessary roles to carry out these tasks.
Emphasis: ISO 22301
• ISO 22301 Pending International Standard for business continuity management systems. The specification document against which organizations will seek certification.
Emphasis: recovery strategy stage
In the recovery strategy stage, the team approaches the information gathered during the BIA stage from a practical perspective. It has to figure out what the company needs to do to actually recover the items it has identified as being so important to the organization overall. In its business continuity and recovery strategy, the team closely examines the critical, agreed-upon business functions, and then evaluates the numerous recovery and backup alternatives that might be used to recover critical business operations.
Explanations: Human Resources
We have everything up and running now—where are all the people to run these systems?
Bullets: Strengths
Characteristics of the project team that give it an advantage over others
Explanation Bullets: The main parts of a risk assessment are:
- Review the existing strategies for risk management
- Construct a numerical scoring system for probabilities and impacts
- Make use of a numerical score to gauge the effect of the threat
- Estimate the probability of each threat
- Weigh each threat through the scoring system
- Calculate the risk by combining the scores of likelihood and impact of each threat
- Get the organization’s sponsor to sign off on these risk priorities
- Weigh appropriate measures
- Make sure that planned measures that alleviate risk do not heighten other risks
- Present the assessment’s findings to executive management
Emphasis: Enterprise-Wide BCP
Enterprise-Wide BCPThe agreed-upon scope of the BCP will indicate if one or more facilities will be included in the plan. Most BCPs are developed to cover the enterprise as a whole, instead of dealing with only portions of the organization. In larger organizations, it can be helpful for each department to have its own specific contingency plan that will address its specific needs during recovery. These individual plans need to be compatible with the enterprise-wide BCP.
Emphasis: BS 25999
• BS 25999 The British Standards Institute’s (BSI) standard for business continuity management (BCM). This BS standard has two parts:
Explanations: BCP Project Components
Before everyone runs off in 2,000 different directions at one time, let’s understand what needs to be done in the project initiation phase. This is the phase in which the company really needs to figure out what it is doing and why. So, after someone gets the donuts and coffee, let’s get down to business.
Explanations: Recovery Strategies
Up to this point, the BCP team has carried out the project initiation phase. In this phase, the team obtained management support and the necessary resources, laid out the scope of the project, and identified the BCP team. It also completed the BIA phase. This means that the committee carried out a risk assessment and analysis, which resulted in a report of the real risk level the company faces.
Explanations: Supply and Technology Recovery
At this point, the BCP team has mapped out the necessary business functions that need to be up and running and the specific backup facility option that is best for its organization. Now the team needs to dig down into the more granular items, such as backup solutions for the following:
Emphasis: Facility Recovery
Facility RecoveryDisruptions, in BCP terms, are of three main types: nondisasters, disasters, and catastrophes. A nondisaster is a disruption in service due to a device malfunction or failure. The solution could include hardware, software, or file restoration. A disaster is an event that causes the entire facility to be unusable for a day or longer. This usually requires the use of an alternate processing facility and restoration of software and data from offsite copies. The alternate site must be available to the company until its main facility is repaired and usable. A catastrophe is a major disruption that destroys the facility altogether. This requires both a short-term solution, which would be an offsite facility, and a long-term solution, which may require rebuilding the original facility.
Explanation Bullets: Warm and Cold Site Disadvantages
- Operational testing not usually available
* Resources for operations not immediately available
Explanation Bullets: Hot Site Disadvantages
- Very expensive
* Limited on hardware and software choices
Explanation Bullets: The initiation process for BCP might include the following:
- Setting up a budget and staff for the program before the BCP process begins. Dedicated personnel and dedicated hours are essential for executing something as labor-intensive as a BCP.
- Setting up the program would include assigning duties and responsibilities to the BCP coordinator and to representatives from all of the functional units of the organization.
- Senior management should kick off the BCP with a formal announcement or, better still, an organization-wide meeting to demonstrate high-level support.
- Awareness-raising activities to let employees know about the BCP program and to build internal support for it.
- Establishment of skills training for the support of the BCP effort.
- The start of data collection from throughout the organization to aid in crafting various continuity options.
- Putting into effect “quick wins” and gathering of “low-hanging fruit” to show tangible evidence of improvement in the organization’s readiness, as well as improving readiness.
Emphasis: business interruption insurance
A company could also choose to purchase a business interruption insurance policy. With this type of policy, if the company is out of business for a certain length of time, the insurance company will pay for specified expenses and lost earnings. Another policy that can be bought insures accounts receivable. If a company cannot collect on its accounts receivable for one reason or another, this type of coverage covers part or all of the losses and costs.
Explanation Bullets: The BCP team needs to understand these different steps of the company’s most critical processes. The data are usually presented as a workflow document that contains the roles and resources needed for each process. The BCP team must understand the following about critical business processes:
- Required roles
- Required resources
- Input and output mechanisms
- Workflow steps
- Required time for completion
- Interfaces with other processes
Emphasis: business continuity plan (BCP)
A disaster recovery plan (DRP) is carried out when everything is still in emergency mode, and everyone is scrambling to get all critical systems back online. A business continuity plan (BCP) takes a broader approach to the problem. It can include getting critical systems to another environment while repair of the original facilities is under way, getting the right people to the right places during this time, and performing business in a different mode until regular conditions are back in place. It also involves dealing with customers, partners, and shareholders through different channels until everything returns to normal. So, disaster recovery deals with, “Oh my goodness, the sky is falling,” and continuity planning deals with, “Okay, the sky fell. Now, how do we stay in business until someone can put the sky back where it belongs?”
Supply and Technology Recovery : At this point, the BCP team has mapped out the necessary business functions that need to be up and running and the specific backup facility option that is best for its organization. Now the team needs to dig down into the more granular items, such as backup solutions for the following:
- Network and computer equipment
- Voice and data communications resources
- Human resources
- Transportation of equipment and personnel
- Environment issues (HVAC)
- Data and personnel security issues
- Supplies (paper, forms, cabling, and so on)
- Documentation
Explanation Bullets: Single points of failure, that is, concentrations of risk that threaten business continuity
- Continuity risks from concentrations of critical skills or critical shortages of skills
- Continuity risks due to outsourced vendors and suppliers
- Continuity risks that the BCP program has accepted, that are handled elsewhere, or that the BCP program does not address
Emphasis: Conduct the business impact analysis (BIA)
- Conduct the business impact analysis (BIA). Identify critical functions and systems and allow the organization to prioritize them based on necessity. Identify vulnerabilities and threats, and calculate risks.
Explanation Bullets: In the industry, HA is usually thought about only in technology terms, but remember that there are many things that an organization needs to keep functioning. Availability of each of the following items must be thought through and planned:
- Facility
- Cold, warm, hot, redundant, rolling, reciprocal sites
- Infrastructure
- Redundancy, fault tolerance
- Storage
- RAID, Storage Area Network (SAN), mirroring, disk shadowing, cloud
- Server
- Clustering, load balancing
- Data
- Tapes, backups, vaulting, online replication
- Business processes
- People
Emphasis: Maintain the plan
- Maintain the plan. Put in place steps to ensure the BCP is a living document that is updated regularly.
Emphasis: ISO/IEC 27031:2011
• ISO/IEC 27031:2011 Guidelines for information and communications technology readiness for business continuity. This ISO/IEC standard that is a component of the overall ISO/IEC 27000 series was covered in Chapter 2.
Emphasis: Business Process Recovery
Business Process RecoveryA business process is a set of interrelated steps linked through specific decision activities to accomplish a specific task. Business processes have starting and ending points and are repeatable. The processes should encapsulate the knowledge about services, resources, and operations provided by a company. For example, when a customer requests to buy a book via an organization’s e-commerce site, a set of steps must be followed, such as these:
Emphasis: full backup
The first step is to do a full backup, which is just what it sounds like—all data are backed up and saved to some type of storage media. During a full backup, the archive bit is cleared, which means that it is set to 0. A company can choose to do full backups only, in which case the restoration process is just one step, but the backup and restore processes could take a long time.
Emphasis: Develop the contingency plan
- Develop the contingency plan. Write procedures and guidelines for how the organization can still stay functional in a crippled state.
Explanation Bullets: The process of drawing up a policy includes these steps:
- Identify and document the components of the policy.
- Identify and define policies of the organization that the BCP might affect.
- Identify pertinent legislation, laws, regulations, and standards.
- Identify “good industry practice” guidelines by consulting with industry experts.
- Perform a gap analysis. Find out where the organization currently is in terms of continuity planning, and spell out where it wants to be at the end of the BCP process.
- Compose a draft of the new policy.
- Have different departments within the organization review the draft.
- Put the feedback from the departments into a revised draft.
- Get the approval of top management on the new policy.
- Publish a final draft, and distribute and publicize it throughout the organization.
Explanation Bullets: Up until now, we have established management’s responsibilities as the following:
- Committing fully to the BCP
- Setting policy and goals
- Making available the necessary funds and resources
- Taking responsibility for the outcome of the development of the BCP
- Appointing a team for the process
Explanations: Implementing Strategies
Once the strategies have been decided upon, the BCP team needs to document them and put them into place. This moves the efforts from a purely planning stage to an actual implementation and action phase.
Emphasis: Business Continuity Institute’s Good Practice Guidelines (GPG)
• Business Continuity Institute’s Good Practice Guidelines (GPG) BCM best practices, which are broken down into the following management and technical practices:
Emphasis: salvage team
The restoration team should be responsible for getting the alternate site into a working and functioning environment, and the salvage team should be responsible for starting the recovery of the original site. Both teams must know how to do many tasks, such as install operating systems, configure workstations and servers, string wire and cabling, set up the network and configure networking services, and install equipment and applications. Both teams must also know how to restore data from backup facilities. They also must know how to do so in a secure manner, one that ensures the confidentiality, integrity, and availability of the system and data.
Bullets: Weaknesses
Characteristics that place the team at a disadvantage relative to others