Business Continuity and Disaster Recovery Planning CISSP Guide to Security Essentials Chapter 4
Objectives • Running a business continuity and disaster recovery planning project • Developing business continuity and disaster recovery plans • Testing business continuity and disaster recovery plans
Objectives (cont.) • Training users • Maintaining business continuity and disaster recovery plans
What Is a Disaster • Any natural or man-made event that disrupts the operations of a business in such a significant way that a considerable and coordinated effort is required to achieve a recovery.
Natural Disasters • Geological: earthquakes, volcanoes, lahars, tsunamis, landslides, and sinkholes • Meteorological: hurricanes, tornados, wind storms, hail, ice storms, snow storms, rainstorms, and lightning
Natural Disasters (cont.) • Other: avalanches, fires, floods, meteors and meteorites, and solar storms • Health: widespread illnesses, quarantines, and pandemics
Man-made Disasters • Labor: strikes, walkouts, and slow-downs that disrupt services and supplies • Social-political: war, terrorism, sabotage, vandalism, civil unrest, protests, demonstrations, cyber attacks, and blockades
Man-made Disasters (cont.) • Materials: fires, hazardous materials spills • Utilities: power failures, communications outages, water supply shortages, fuel shortages, and radioactive fallout from power plant accidents
How Disasters Affect Businesses • Direct damage to facilities and equipment • Transportation infrastructure damage • Delays to deliveries, supplies, and employees going to work • Communications outages • Utilities outages
How BCP and DRP Support Security • Security pillars: C-I-A • Confidentiality • Integrity • Availability • BCP and DRP directly support availability
BCP and DRP Differences and Similarities • BCP • Activities required to ensure the continuation of critical business processes in an organization • Alternate personnel, equipment, and facilities • DRP • Assessment, salvage, repair, and eventual restoration of damaged facilities and systems
Industry Standards Supporting BCP and DRP • ISO27001/27002: Code of Practice for Information Security Management. Section 14 addresses business continuity management. Principles, terminology and process to support business continuity management.
Industry Standards Supporting BCP and DRP (cont.) • NIST 800-34: Contingency Planning Guide for Information Technology Systems. Seven step process for BCP and DRP projects. • NFPA 1600: Standard on Disaster / Emergency Management and Business Continuity Programs.
Industry Standards Supporting BCP and DRP (cont.) • NFPA 1620: The Recommended Practice for Pre-Incident Planning. • HIPAA: Requires a documented and tested disaster recovery plan for patient electronic data.
Benefits of BCP and DRP Planning • Reduced risk through risk/threat analysis • Process improvements • Improved organizational maturity • Improved availability and reliability • Marketplace advantage
The Role of Prevention • Not prevention of the disaster itself, but prevention of surprise and disorganized response
The Role of Prevention (cont.) • Reduction in impact of a disaster • Better equipment bracing • Better fire detection and suppression • Contingency plans that provide [near] continuous operation of critical business processes • Prevention of extended periods of downtime
Running a BCP / DRP Project • Pre-project activities • Perform a Business Impact Assessment (BIA) • Develop resumption and recovery plans • Test resumption and recovery plans
Pre-project Activities • Obtain executive support • Formally define the scope of the project • Choose project team members • Develop a project plan • Business Impact Analysis • Develop Contingency plans • Test plans • Develop a project charter • Purpose, executive sponsorship, scope, budget, team members, milestones
Performing a Business Impact Analysis • Survey critical business processes • Perform threat assessment, risk analyses • Develop key metrics • Maximum tolerable downtime, recovery time objective, recovery point objective
Performing a Business Impact Analysis (cont.) • Develop impact statements • Perform criticality analysis
Survey In-scope Business Processes • Develop interview / intake template • Interview a rep from each department • Identify all important processes • Identify dependencies on systems, people, equipment • Information consolidation • Collate data into database or spreadsheets • Gives a big picture, all-company view
Process intake form:
Threat and Risk Analysis • Identify threats, vulnerabilities, risks for each key process • Rank according to probability, impact, cost • Identify mitigating controls
Threat / Risk analysis from intake form:
Determine Maximum Tolerable Downtime (MTD) • For each business process • Identify the maximum time that each business process can be inoperative before significant damage or long-term viability is threatened • Probably an educated guess for many processes
Determine Maximum Tolerable Downtime (cont.) • Obtain senior management input to validate data • Publish into the same database / spreadsheet listing all business processes
Develop Statements of Impact • For each process, describe the impact on the rest of the organization if the process is incapacitated
Develop Statements of Impact (cont.) • Examples • Inability to process payments • Inability to produce invoices • Inability to access customer data for support purposes
Record Other Key Metrics • Examples • Cost to operate the process • Cost of process downtime • Profit derived from the process • Useful for upcoming criticality analysis
Ascertain Current Continuity and Recovery Capabilities • For each business process (adequate, inadequate, non-existent) • Identify documented continuity capabilities • Identify documented recovery capabilities • Identify undocumented capabilities • What if the disaster happened tomorrow
Develop Key Recovery Targets • Recovery time objective (RTO) • Period of time from disaster onset to resumption of business process • Recovery point objective (RPO) • Maximum period of data loss from onset of disaster counting backwards
Develop Key Recovery Targets (cont.) • Obtain senior management buy-off on RTO and RPO • Publish into the same database / spreadsheet listing all business processes
Sample Recovery Time Objectives
Sample Recovery Time Objectives (cont.)
Criticality Analysis • Rank processes by criticality criteria • MTD (maximum tolerable downtime) • RTO (recovery time objective) • RPO (recovery point objective) • Revenue loss per hour/day/week • Cost of downtime or other metrics • Qualitative criteria • Reputation, market share, goodwill
Improve System and Process Resilience • For the most critical processes (based upon ranking in the criticality analysis) • Identify the biggest risks • Identify cost of mitigation • Can several mitigating controls be combined • Do mitigating controls follow best / common practices
Develop Business Continuity and Disaster Recovery Plans • For the most critical processes (based upon ranking in the criticality analysis) • Develop continuity plans and recovery plans • Must meet RTO, RPO objectives • Develop budget for plan development • Develop budget for response and recovery effort • Revise as needed
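Added example (not from the book or the slides): one way to run the criticality ranking and the "must meet RTO, RPO objectives" check over the collated BIA spreadsheet. The sample rows, the field names, and the ranking order (shortest MTD first, then highest hourly loss) are assumptions; the slides list the criteria but give no weighting.

```python
from dataclasses import dataclass

@dataclass
class Process:
    name: str
    mtd_h: float              # maximum tolerable downtime, hours
    rto_h: float              # recovery time objective, hours
    rpo_h: float              # recovery point objective, hours
    loss_per_hour: float      # cost of process downtime per hour
    tested_restore_h: float   # restore time measured in the last plan test
    backup_interval_h: float  # time between backups or replication points

# Constructed sample rows, as they might be collated from intake forms.
BIA = [
    Process("Payment processing", 4, 2, 0.25, 50000, 3, 0.25),
    Process("Invoice production", 72, 48, 24, 2000, 20, 24),
    Process("Customer support data", 24, 30, 4, 8000, 12, 24),
]

def rank_by_criticality(processes):
    """Most critical first: shortest MTD, ties broken by higher hourly loss.
    This ordering is an assumption made for the example."""
    return sorted(processes, key=lambda p: (p.mtd_h, -p.loss_per_hour))

def find_gaps(p):
    """Return the reasons a process's targets or capabilities fall short."""
    gaps = []
    # A recovery target longer than the tolerable downtime is inconsistent.
    if p.rto_h > p.mtd_h:
        gaps.append("RTO exceeds MTD")
    # The plan must actually restore the process within the RTO.
    if p.tested_restore_h > p.rto_h:
        gaps.append("tested restore time exceeds RTO")
    # Worst-case data loss equals the time between recovery points.
    if p.backup_interval_h > p.rpo_h:
        gaps.append("backup interval exceeds RPO")
    return gaps

def gap_report(processes):
    """Map process name -> gaps, in criticality order, omitting clean rows."""
    return {p.name: g for p in rank_by_criticality(processes)
            if (g := find_gaps(p))}

if __name__ == "__main__":
    for name, gaps in gap_report(BIA).items():
        print(f"{name}: {'; '.join(gaps)}")
```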
Develop Business Continuity and Disaster Recovery Plans • Select Recovery Team Members • Emergency Response • Damage Assessment and Salvage • Notification • Personnel safety • Communications • Public utilities and infrastructure • Logistics and supplies • Business resumption planning • Restoration and planning
Select Recovery Team Members • Issues • Unable to respond • Unwilling to respond • Selection criteria • Location of residence, relative to work and other key locations • Skills and experience (determines effectiveness) • Ability and willingness to respond • Own transportation
Select Recovery Team Members (cont.) • Selection criteria (cont.) • Health and family (determines probability to serve) • Identify backups • Other team members, external resources
Emergency Response • Personnel safety: includes first-aid, searching for personnel, etc. • Evacuation: evacuation procedures to prevent any hazard to workers. • Asset protection: includes buildings, vehicles, and equipment.
Emergency Response (cont.) • Damage assessment: this could involve outside structural engineers to assess damage to buildings and equipment. • Emergency notification: response team communication, and keeping management and organization staff informed.
Damage Assessment and Salvage • Determine damage to buildings, equipment, utilities • Requires inside experts • Usually requires outside experts • Civil engineers to inspect buildings • Government building inspectors
Damage Assessment and Salvage (cont.) • Salvage • Identify working and salvageable assets • Cannibalize for parts or other uses
Notification • Many parties need to know the condition of the organization • Employees, suppliers, customers, regulators, authorities, shareholders, community
Notification (cont.) • Methods of communication • Telephone call trees, web site, signage, media • Alternate means of communication must be identified
Personnel Safety • The number one concern in any disaster response operation • Emergency evacuation • Accounting for all personnel • Administering first-aid
Personnel Safety (cont.) • The number one concern in any disaster response operation (cont.) • Emergency supplies • Water, food, blankets, shelters • On-site employees could be stranded for several days