D1: Business Continuity & Disaster Recovery Planning Flashcards
BCP vs. DRP
Business Continuity Planning: focuses on sustaining operations and protecting the viability of the business following a disaster, until normal business conditions can be restored. The BCP is an “umbrella” term that includes many other plans, including the DRP. Long-term focused.
- we’ve had a fire; now how do we keep our operations going until we get back to a state of permanence?
Disaster Recovery Planning: The goal is to minimize the effects of a disaster and to take the necessary steps to ensure that the resources, personnel and business processes are able to resume operations in a timely manner. Deals with the immediate aftermath of the disaster, and is often IT focused. Short-term focused.
- goal is to restore the most critical operations and processes up first
- critical = time sensitivity
- certain systems cost more money while they’re down
BCP Relationship to Risk Management
Potential Risks > Risk Assessment > Identified Risks > Security Controls > Residual Risks > Contingency Plans
Risks that weren’t considered, mitigation controls that didn’t work, a higher amount of residual risk than expected, etc. = the BCP is the safety net we have in place if what we factored in is NOT enough
Risk management = considers things that will likely happen (if/then scenarios), while BCP is for EVERYTHING else, the things we didn’t see coming
BCP will catch anything that slips through the cracks of risk management/strategies
- main facility is compromised, so go to a backup facility
Categories of Disruptions
Non-disaster: Inconvenience; hard drive failure
- disruption of service
- device malfunction
- can recover from
- relatively small scale
Emergency/Crisis
- urgent, immediate event where there is the potential of loss of life or property
Disaster
- entire facility unusable for a day or longer
- should have a plan while operations are not possible in the facility
- ex. communication to end users, getting critical processes in place
- the DRP should have these plans listed in it
Catastrophe
- destroys facility
- large scale
- at a minimum, the disaster has occurred
A company should understand and be prepared for each category
Anyone can declare an emergency, but only the coordinator can declare a disaster.
- anyone can pull the fire alarm, or trigger an emergency alarm. Only the BCP coordinator, senior manager or someone specified in the BCP can declare a disaster which will then trigger failover to another facility.
BCP Frameworks
- Standards help solve issues of inconsistency in terms, definitions and documents (within the organization)
- the exam will not reference a specific framework, but how a plan conceptualizes everything (NOT TERMS)
The following institutes will provide guidance on BCP/DRP:
- DRII (Disaster Recovery Institute International)
- NIST 800-34 rev 1
- ISO 27031
- BCI GPG (Business Continuity International Good Practice Guidelines)
- ISC2.org Four Processes of Business Continuity*****
REVIEW THIS FOR THE EXAM!!!!!!
NIST 7 Phases of Business Continuity Planning
- BCP Policy: get it from senior management; this is a part of business initiation, buy-in from senior management (support and general approach)
- Business Impact Analysis: before we start writing our plan, we need to understand the organization. “know your business” and critical
- ID Preventative Controls: what controls do we already have in place? How effective are those controls, and what residual risk remains?
- Create Contingency Strategies
- Develop an IS Contingency Plan
- Testing, training and exercises
- Maintenance
NIST SP 800-34 revision 1
Continuity policy > BIA > Identify preventative controls > Create contingency strategies > Develop BCP > Exercise, test, and drill > Maintain
ISC2 Four Business Continuity Planning Processes
- Project scope and planning
  - what’s the business like
  - who’s on the team
- Business impact assessment
  - the most important document in the BCP
- Continuity planning
- Approval and implementation
BCP Step 1: Project Scope and Planning
Acquire BCP policy statement from senior management
Business Organization Analysis: structured analysis of the business organizational assets, including cross-functional department input
BCP Team Creation, including Project manager. Should be cross-functional team, including representation of senior management
- An assessment of the resources available and commitment to support the BCP process from Senior Management
- An analysis of the legal and regulatory landscape that governs an organization’s response to a catastrophic event.
Business Organizational Analysis
BOA provides the groundwork necessary to help identify potential members of the BCP team and provides the foundation for the remainder of the BCP processes
BOA evaluates considerations such as
- operational departments that are responsible for the core services
- critical support services
- senior executives and other key individuals essential for the ongoing viability of the organization
BCP Team Selection
MUST BE CROSS-FUNCTIONAL!
Representatives from each of the organization’s departments responsible for the core services performed by the business
Representatives from the key support departments identified by the organizational analysis
IT representatives with technical expertise in areas covered by the BCP
Security representatives with knowledge of the BCP process
Legal representatives familiar with corporate, legal, regulatory and contractual responsibilities
Representatives from senior management
BCP Assess Resource Needs
BCP Development
- the BCP team will require some resources to perform the four elements of the BCP process. It’s more than likely that the major resource will be effort expended by the BCP team and the support staff they call on to assist in the development of the plan
BCP Testing, Training and Maintenance
- The testing, training and maintenance phases of BCP will require some hardware and software commitments, but once again, the major commitment in this phase will be effort on the part of the employees involved in those activities
BCP Implementation
- When disaster strikes and the BCP team deems it necessary to conduct a full-scale implementation of the BCP, this implementation will require significant resources. This includes a large amount of effort
BCP - Legal and Regulatory Compliance
Senior management has the ultimate legal responsibility. They may be:
- held responsible and liable under various laws and regulations
- sued by their stockholders if not managing with due diligence and due care
- sued by employees or families in the event of injury or loss of life
If senior management doesn’t have full buy-in to support the BCP process, what would be your best argument to convince them?
Liability, non-compliance, fines - things that hit the pocketbook, regulations, legal requirements - in the event of a failure in the BCP planning
BCP Step 2: Business Impact Analysis
- identifies and prioritizes all business processes/resources based on criticality
- risk identification: internal vs. 3rd party, plus probability and impact
- categorizes process/resources based on criticality
- defines quantitative metrics to assist with prioritizing recovery focus - RPO, RTO, SLOs
- BIA will help prioritize recovery priorities
BCP Step 2: Business Impact Analysis: Identify priorities
- create an in-depth list of business processes and their impact on the organization
- often delegated to individual departments for accuracy and buy-in
Criticality is driven by the amount of loss the organization will suffer if the resource is unavailable:
- MTD/MTO: Maximum Tolerable Downtime/Outage: Longest time the function can be inoperable before causing a loss that senior management considers unacceptable
EX: domain controller 1 has a MTD of 2 hours (facilitates logins).
- if the DC is physically destroyed, it will take a certain amount of time to physically replace the box (RTO) and restore services (another metric, Work Recovery Time, WRT)
- RTO Recovery Time Objective: This is the amount of time in which you think you can feasibly recover the function in the event of a disruption (must be less than MTD)
- RPO Recovery Point Objective: Tolerance for data loss; how much data we are willing to lose
Flow of BCP Planning
Policy > Senior Management > Team together > BIA > so on
Goals of the BIA
Document the flow
Identify critical resources with senior management (business owners/process owners, i.e. it shouldn’t be an IT-centered event) > Interruption windows > Recovery metrics
Service Level Agreement vs. Operational Level Agreement
OLA - what the org commits for maintenance and delivery; interdepartmental
SLA: between vendor and client; legally and contractually binding
BCP Step 2: BIA Risk Associated with Procurements and the Cloud
Guarantees are documented in the SLAs
Verify the controls in place to meet obligations, either in person or through an independent audit made available as SOC reports
- SOC1: financial reporting
- SOC2: security & technology; would require NDA
- SOC3: security & technology, but publicly available; useful if you want to assess a cloud service you may use one day
Step 2: BIA Probability and Impact Assessment
Asset Value * Probability * Impact = Total Risk
Total Risk * Controls Gap = Residual Risk
Probability = ARO
Impact = EF
SLE = Single Loss Expectancy
ALE = Annual Loss Expectancy
Some losses CANNOT be quantified
Step 2: BIA Resource Prioritization
- Qualitative Analysis can be used to prioritize risk
- Qualitative Analysis is needed to perform cost/benefit analysis and to provide justification for mitigation strategies
Step 3: Continuity Planning
- Strategy development
- Provisions and processes
- Plan approval
- Plan implementation
- Training and education
Sr. management support is critical, and it is rarely a one-time thing
Step 3: Continuity Planning - Strategy Development
Examines the BIA for metrics and maps controls to meet the objectives
Determine appropriate responses:
- reduce
- assign/transfer
- accept
- reject
Some risks will have to be accepted (based on cost/benefit) while others require a more active strategy
Step 3: Continuity Planning: Provisions and Processes
BCP designs the specific procedures necessary to mitigate the risks to a level that is acceptable to senior management
EXAM: always make the choice that saves human life first
Three assets:
- people - first priority always
- buildings/facilities
  - hardening provisions - mitigating harm to facility
  - alternate sites
    - mirrored
    - leased sites
      - cold
      - warm
      - hot
- infrastructure
  - redundancy of critical systems and services
  - recovery strategies
  - failover/failback
Step 3: Continuity Planning: Facility Recovery
Dedicated site owned or operated by the organization
Reciprocal agreement or memorandum of agreement with an internal or external entity - to help provide facility recovery
Commercially leased facility
- hot: exclusive access to this site
- warm: secondary location, equipment at the location, connectivity at the location
- EXAM: the most common type; can get up and running in a couple of days
- cold: cheapest location; secondary; plumbing and electricity and not much else
MOA/MOUs or SLAs should be obtained from the provider
Mirrored site = under our ownership
Step 3: Continuity Planning: Infrastructure
Infrastructure supports the critical elements of the business. Servers, systems, routers, switches, processes, architecture
High Availability
- redundancy
- resiliency
- fault tolerance
Hardened Systems
Step 4: Plan Approval and Implementation
Plan Approval
- If possible, CEO should endorse plan
- otherwise another senior officer
- indicates dedication of the business to the process of business continuity planning
Plan Implementation
- create implementation guide/schedule
- deploy resources
- supervise maintenance of plan
Train and Educate Employees
- Distribute plan on need to know basis
- Everyone should get at least an overview
BCP Sub Plans
BCP Sub Plans Have 3 Main Purposes:
- Protect
  - Crisis communication plan
  - OEP (Occupant Emergency Plan)
- Recover
  - BRP (Business Recovery Plan)
  - DRP (Disaster Recovery Plan)
  - Continuity of Support Plan/IT Contingency Plan
- Sustain
  - COOP (Continuity of Operations Plan)
BCP Sub Plans: Protect
Crisis Communication Plans
- Purpose: Disseminate necessary information
Occupant Emergency Plan (OEP)
- Purpose: Provide coordinated procedures for minimizing loss of life or injury and protecting property from damage in response to a physical threat
BCP Sub Plans: Recovery
Business Recovery Plan (BRP) aka Resumption
- Purpose: provide procedures for recovering business operations immediately following a disaster
Continuity of Support Plan / IT Contingency Plan
- Purpose: provide procedures and capabilities for recovering a major application or general support system
Cyber Incident Response Plan
- Purpose: provide strategies to detect, respond to, and limit consequences of malicious cyber incident
- Scope: focuses on information security responses to incidents affecting systems and/or networks
Disaster recovery Plan (DRP)
- Purpose: provide detailed procedures to facilitate recovery of capability at an alternate
BCP Continuity Sub Plans: Sustain
COOP: Continuity of Operations Plan
- Purpose: Provide procedures and capabilities to sustain an organization’s essential, strategic functions at an alternate site for up to 30 days. This term is sometimes used in US Government to refer to the field of Business continuity management, but per NIST 800-34, it is a unique sub-plan of the BCP. Note, BCP addresses ALL business processes, not just mission critical
Scope: Addresses the subset of an organization’s missions that are deemed most critical; usually written at headquarters and not IT focused.
Senior Executive Management Responsibilities
Senior Executive Management
- consistent support and final approval of plans
- setting the business continuity policy
- prioritizing critical business functions
- allocating sufficient resources and personnel
- providing oversight for and approving the BCP
- directing and reviewing test results
- ensuring maintenance of a current plan
Senior Functional Management Responsibilities
Senior Functional Management
- develop and document maintenance and testing strategy
- identify and prioritize mission critical systems
- monitor progress of plan development and execution
- ensure periodic tests
- create the various teams necessary to execute the plans
BCP Steering Committee
Conducts the BIA
Coordinate with department representatives
Should include:
- business units
- senior management
- IT department
- security department
- communications department
- legal department
DRP Teams
Rescue: responsible for dealing with the immediacy of disaster - employee evacuation, “crashing” the server room, etc.
Recover: Responsible for getting the alternate facility up and running and restoring the most critical services first. AKA fail-over
Salvage: responsible for the return of operations to the original or permanent facility (reconstitution)
Developing Teams
Management should appoint team members
Each member must understand the goals of the plan and be familiar with the department they are responsible for
Agreed upon prior to the event:
- who will talk to the media, customers, shareholders
- who will setup alternative communication methods
- who will setup the offsite facility
- established agreements with off-site facilities should be in place
- who will work on the primary facility
Checklist Test
Copies of plan distributed to different departments
functional managers review
Structured Walk-through (Table Top) test
Representatives from each department go over the plan
Simulation Test
Going through a disaster scenario
Continues up to the actual relocation to an offsite facility
Parallel Test
Systems moved to alternate site, and processing takes place there
Full Interruption Test
Original site shut down
All processing moved to offsite facility
Post Incident Review
After a test or disaster has taken place:
- focus on how to improve
- what should have happened
- what should happen next
- not whose fault it was; this is not productive
Maintaining the BCP
Keeping the plan up to date
- make it a part of business meetings and decisions
- centralize responsibility for updates
- part of job descriptions
- personnel evaluations
- report regularly
- audits
- as plans get revised, original copies should be retrieved and destroyed