Video Content Lesson 6 Flashcards
Business Continuity Plans (Project Scope)
Industry and Professional Standards, Legislative Compliance, Overview, Organization Analysis, Planning Team, Resource Requirements, Legal Requirements
Industry and Professional Standards
National Standard on Preparedness (NFPA 1600)
ISO 17799 (Comprehensive set of controls comprising best practices in Information Security)
DSS (Defense Security Service) (Personnel Security Investigation, Industrial Security, Security Education)
NIST (National Institute of Standards and Technology)
Good Business Practice and Standard of Due Care (what would a reasonable man do under normal circumstances?)
Legislative Compliance
HIPAA (Health Insurance Portability and Accountability Act) (document retention, mandatory document destruction)
GLB (Gramm-Leach-Bliley) (protect customer information from any anticipated threats or hazards)
Patriot Act (several sections that require information be available when required)
International Regulations
Industry Regulations and Requirements
Overview
Business Continuity Plan (BCP)
Ensures business can continue in the event of an interruption
4 Distinct Phases of BCP
1-Business Organization Analysis
2-Planning Team
3-Required Resource Assessment
4-Legal and Regulatory Resource Requirements
Organization Analysis
Understand business and business practices
1-Critical Business Functions
2-Tangible and Intangible Value
Identify All Stakeholders in Business Continuity Plan (Operational Departments, Critical Support Services, Senior Executives)
Planning Team
Involve personnel from various levels and areas in the organization
Consider representatives from (Core Services Departments, Critical Support Departments, IT Department, Security Department, Legal Department, Upper Management (requires support from them for time commitments, interruption of regular service, budget))
Resource Requirements
Planning team must fully consider all required resources
Budget to purchase resources (Time requirements)
BCP testing, training, and maintaining phase (may require substantial equipment purchases)
BCP Implementation (to enforce business continuity because it has been interrupted)
Legal Requirements
Legal requirements may supersede business requirements
BCP may be required to be maintained according to published standards
Business may have contractual obligations to customers
BCP may be a contract stipulation
A sound BCP may satisfy due care and due diligence requirements
Business Impact Analysis
Overview, Interruption, Resource Prioritization, Continuity Strategy, BCP Approval
Overview
Identifies Critical resources and threats to those resources
1-Establish business priorities (Biggest business impact is top priority)
2-Risk assessment (identify and categorize risks, quantify as much as possible)
3-Identify Alternative means (can business be done a different way)
Interruption
Loss of revenue/profits (some losses may be unrecoverable)
Loss of reputation (can customers' trust be recovered?)
Legal or regulatory violations (penalties could be severe)
Resource Prioritization
Business Unit Priorities (What business functions are the most important?)
Allocate BCP budget to most severe risks first, then continue down the prioritized list
Consider both qualitative and quantitative risk priority rankings
Continuity Strategy
BCP team establishes procedures to protect provisions and processes (People are highest priority-no exceptions) (protect and provide for their immediate needs)
Building and facilities (protect facilities or offer alternatives)
Infrastructure (communications, protect and provide alternatives)
BCP Approval
Put BCP together
Document BCP
Submit BCP for approval (ensure upper MGT fully endorses the plan)
Implement the BCP (Put all controls in place, Acquire and install any necessary hardware and software)
Train BCP participants
DRP Planning and Recovery
Overview, Identification, Crisis Management, Recovery, Data Center Alternatives, More Alternatives, Processing Agreement
Overview
Disaster Recovery Plan (DRP)
Restores Critical Business Functions after a disaster
The Goal is to restore to a point prior to the disaster
DRP picks up where the BCP stops
DRP covers disasters not specifically addressed in the BCP
Planning Team can be same as BCP team
Some organizations approach their BCP and DRP as a unified process
Identification
Initial step of DRP is to identify possible disasters (Consider local factors, weather, seismic events, geography)
Natural disasters (Earthquakes, Floods, Storms (Hurricanes, Tornadoes, Electrical Storms), Fires)
Man-made disasters (Fires, Bombing, Power or other utility outages, Terrorism, Hardware/Software failures, Strikes, Thefts)
Crisis Management
1-Handle the Crisis First
In all cases, people are more important than the business
2-Follow the DRP (eliminates making decisions under pressure) (pilots use these)
Recovery
How will the recovery be accomplished? (Rebuild ability for business to function–Recovery time objective (How long will it take?))
Recovery point objective (at what point is the recovery considered complete?)
Maximum tolerable downtime (How long can the business afford to be down?) (May be longer than recovery time objective)
Data Center Alternatives
If we have LOST the data center
Provide infrastructure for critical business processes
Identify Alternatives (Cold Site, Warm Site, Hot Site, Mobile Site, Selection Criteria)
Cold Site (bare room with basics, least expensive option, requires the most work and time to restore operations, takes 24 hours or more to bring up to working condition)
Warm Site (Cold Site plus computer hardware, loaded basic operating software, pretty much ready to go with applying patches, etc., 12 hours to bring up)
Hot Site (Facility with the same hardware and software capabilities as the primary data center, software and data are up to date, very expensive, administrators must keep both sites up to date, short cutover time)
Mobile Site (Trailer as cold site or warm site)
More Alternatives
Selection Criteria (cost, maintenance overhead, maximum allowable downtime; if using a warm/cold site, bringing the system up must use all personnel and be the NUMBER 1 priority)
Processing Agreement
Reciprocal agreement with a similar company (each company will be backup for the other company-potentially add you if problem arises)
Mutual Processing agreement (Similar to above but share all the time)
Recovery Plan
Emergency Response, Data Backup, Backup Types, Off-site Storage, Utilities, Logistics, Emergency Services
Emergency Response
Develop checklists and train personnel how to use them
Notify Personnel of emergency
Work with others (IT, management, emergency workers, law enforcement)
Data Backup
Recovery requires that a secondary copy of data exists (the purpose is to bring the data back up online)
Backups and off-site storage (real-time replication, fault-tolerant mechanisms, logs)
What must be backed up to recover from total loss? Identify it
Operating system, software, and configuration and data files MUST be available
How often do you back up? (dependent on volatility and recovery time)
Replication system
Log-based replication
Backup Types
Full backup
Requires lots of
Incremental Backup (time/date stamp changed since last backup)
Differential Backup (backup to last full backup; less time to recover than using incremental backup)
Online Backup (backup while database is online)
Offline Backup (backup while database is offline)
Off-site Storage
Proper storage facility for backups
Geographically separate from primary source
Environmentally-controlled
Secure transport and storage
Enter Software Escrow arrangements (protected copies of licensed software, protection from a disaster with the software provider)
Utilities
External Communications (verify providers' disaster plans)
This includes data services
Utilities (Electricity, Water, Telephone)
Logistics
Able to Transport your goods?
Bringing goods in (provider may have strike)
Emergency Services
Develop relationships with Fire, Medical, and Law Enforcement
Document everything
Make Document available and visible
Planning for RESPONSE to a Disaster
Recovery Plan Implementation
Make sure that it is formally adopted
All Personnel are fully trained
Test it
Overview
Present the plan to upper management
Plan's success depends on top-down support
Have upper MGT announce/unveil plan
After acceptance, begin implementation process
Make sure the plan is driven by upper MGT
Training
First step in Implementation
Make sure all participants understand how to fulfill their roles in the recovery process (Assign roles, make sure that each person is comfortable with their role, ensure they know how to fulfill their roles)
2nd Step
Conduct overall awareness campaigns (make everyone else aware of who the players are and what they will be doing should the plan be enacted)
Make sure that all personnel are kept current
Whenever configurations change, the disaster recovery plan has to be revisited, revalidated and should also change (any time any part of the plan is changed, let everyone know)
Ensure all documentation is current and easily accessible
Checklist Test
The last step is to test the plan
Checklist test is simplest and easiest test (submit checklist to each team member, each DRP team member follows all of the steps and gives feedback, functions as a test and makes every member aware of what the checklists look like)
Structured Walk-through
Next type of test (not full blown test but uses role playing around a table)
Provides opportunities for immediate feedback and open discussion
Simulation Test
Another test (takes role playing further; DRP team evaluates specific scenarios and partially tests by simulating as much of the disaster as feasible without disrupting the business)
Parallel Test
Next Test
Enables full processing functionality at the alternate site
Warm/Cold site and bring it up to speed
Let primary data center run but bring up alternate site to see how well it works
Full-interruption Test
The only REAL test (others simulate)
Pull plug on data center
MUST have prior upper MGT support
Can cause substantial business process interruption