190 likes | 396 Views
ISA 562 Internet Security Theory & Practice. Domain 6: Business Continuity & Disaster Recovery Planning. Objectives. Response to save business and human life Recovery activities after a disaster to normal operations Recovery plans to resume interrupted critical business. 2. Introduction.
E N D
ISA 562Internet Security Theory & Practice Domain 6: Business Continuity & Disaster Recovery Planning
Objectives Response to save business and human life Recovery activities after a disaster to normal operations Recovery plans to resume interrupted critical business 2
Introduction • Need to process critical business systems in the event of disruption to normal business data processing operations. • Ensure the availability of critical information system resources in the event of an unexpected network interruption or disaster • Many kinds of plans • Contingency plans, Business Continuity Planning (BCP), Disaster Recovery Planning (DRP) 3
BCP and DRP Life cycle • Steps of BCP and DRP project life cycle • Project Scope Development and planning • Business Continuity analysis (BIA) and functional requirements (for BIA steps, please see the book) • Business Continuity and Recovery Strategy • Plan Design and Development • Restoration • Feedback 4
Project Scope and Development Planning • Higher management’s commitment to go through the different steps of the project. • Deliverables • Project scope definition • Producing a Project plan • Dedicating a steering committee for the project • The BCP should be aligned with the organization's mission • Business continuity steering committee should • Know the mission statement in order to place the scope • Have required authorization • Resources requirement need to be known at this stage • Budget requirements are estimated and validated • Personnel availability • Knowing key points of contact or personnel in an emergency 5
Business Impact Analysis (BIA) • Evaluates all business functions against a common criterion to assess potential impacts to the business by an interruption • The following fall under the BIA • Preparing a BIA format • Assess potential impacts • Prioritize: very important for business functions • Elements to consider • Analysis of different threats for the business • Identification of critical business functions and units • Emergency Assessment • 3rd party considerations 6
Different Items to be considered in BIA • Threats analysis • Human Made threats, Natural threats, IT threats Etc • Identify critical business functions: some characteristics • Time Sensitivity, Data Integrity, Etc • Their impact on business: Financial & Operational Impact , Reputation etc • Emergency Assessment • Affected Areas • Alerting procedures • Security and safety procedures and guidelines, Etc • 3rd party considerations • Need to look at Down stream liabilities and upstream impacts • Compliance requirements, SLA Agreements, etc 7
Business Continuity and recovery Strategy • Business Unit Priorities: Business units are examined for BIA identified critical functions • Critical processes and functions are reviewed by the Steering committee and establishes priorities • Find the minimum resources required to carry out identified functions • Priorities are documented • Recovery time Objective (RTO): is the maximum time to restore a critical function • Recovery point objective (RPO): minimum tolerable amount of data integrity • Perform a Cost/Benefit analysis 8
Recovery Alternatives • Three approaches for recovery • Dedicated site operated by the organization • Multiple processing centers • Commercially leased facility • Hot site / cost high • Worm site / cost moderate • Cold site / cost lowest • Agreement with an Internal or external facility • Identify organizations with equivalent IT configurations and backup technologies and establish an agreement • Types of agreements • Reciprocal or Mutual Aid • Contingency • Service Bureau 9
Backup • Strategies • Replication • Storage Area network • Electronic Vaulting, etc • Location and Storage Criteria • Perhaps store in several locations for different purposes • On-site storage, Near-site storage , Off-site storage. • Resilience Strategies • Improve an organization's continuity and resilience • IT and Site Resilience etc 10
Plan Design Development • Emergency Response Procedures • Life , Health & safety • Damage Assessment • Event Reporting • Disaster Declaration, etc • Personnel Notifications • List of people to notify • Defining the role of the executives in crisis management • Executive succession planning, etc • Backup and off-site storage • Inventory list is compiled and documented • Facility Accessibility and Resilience • Communication in Emergency • Emergency and Business communication system should be in place • Data communication priorities in networks should be agreed upon 11
Plan Design Development (Continued) • Alterative site considerations • The ability to support the required infrastructure, environmental and space demands should be analyzed: utilities, communications, etc • Logistics and supplies • How resources are acquired or procured, transported and maintained • Personnel and materials transportation • Remote worker environment activation • Emergency funds access, etc • Documentation • Document BCP & DRP activation and de-activation plans and procedures. • Activity and status reports • Checklists etc • Business continuity and resumption planning • Contracts for emergency vendor services • Risk avoidance and mitigation planning • Emergency business recovery procedures 12
Implementation • Includes Training, Testing, Recovery and Audit • Training • Increasing the organization's awareness of the BC and DR business case • Different kinds of training for different attendees • All people training, Operation teams, Recovery teams etc • Testing • Confirms that the plan meets its emergency, recovery and restoration objectives • Measures the accuracy of the plans • Allow management to evaluate personnel readiness for an adverse event 13
Implementation (continued) • Test Plans • Each time tests are scheduled, a test plan should be written, it should contain • Objectives and success criteria • Details • Schedule • Post-test review • Test types • Several test types exists which server different purposes • Checklist test • Structured walk-through • Simulation • Parallel testing • Testing follow-up • Identifying existing deficiencies • Plan should be routinely assessed • Should be scheduled for testing for example annually 14
Implementation (continued) • Recovery procedures • Site migration • Local Recovery procedures • Transfer and recovery, etc. • Audit • Ensures an organization has an effective BC and DR capability • Measures compliance • Addressing audit findings 15
Restoration • Restoration of primary location • Primary facility must be stabilized and secured and then more detailed damage assessment is conducted • Procurement • Has an essential role in supporting restoration • Consolidating acquisitions and Disposition • Costs reporting • Data Recovery • Reversal procedures • Business process recovery point • Journal and process synchronization • Relocation to primary site • Restoration order and prioritization • End of disaster declaration 16
Feedback and plan management • Post-recovery reporting • Identification or remediation of plan gaps • Record Lessons learned • Performance metric review • Plan review and evaluation • Training of key personnel • Communication • Plan distribution • Communicate the plan to stakeholders 17
References ISC2 CBK Material CISSP-All-in-one book 18