Business Continuity Planning • The Problem - Reasons for Business Continuity Planning - BCP • Principles of BCP • Doing BCP • The steps • What is included • The stages of an incident LTU CISP Security
Definitions A contingency plan is: “A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation…” (National Computer Security Center 1988) 1997-98 survey >35% of companies have no plans
Definitions of BCP • Disaster Recovery • Business Continuity Planning • End-user Recovery Planning • Contingency Planning • Emergency Response • Crisis Management The goal is to assist the organization/business to continue functioning even though normal operations are disrupted Includes steps to take • Before a disruption • During a disruption • After a disruption
Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes • “Proactive” rather than “Reactive” • Take the correct actions when needed • Allow for experienced personnel to be absent
Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes • “Proactive” rather than “Reactive” • Maintain business operations • Keep the money coming in • Short and long term loss of business • Have necessary materials, equipment, information on hand • Saves time, mistakes, stress and $$ • Planning can take up to 3 years
Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes • “Proactive” rather than “Reactive” • Maintain business operations • Keep the money coming in • Short and long term loss of business • Effect on customers • Public image • Loss of life
Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes • “Proactive” rather than “Reactive” • Maintain business operations • Keep the money coming in • Short and long term loss of business • Effect on customers • Legal requirements • ‘77 Foreign Corrupt Practices Act/protection of stockholders • Management criminally liable
Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes • “Proactive” rather than “Reactive” • Maintain business operations • Keep the money coming in • Short and long term loss of business • Effect on customers • Legal requirements • ‘77 Foreign Corrupt Practices Act/protection of stockholders • Federal Financial Institutions Examination Council (FFIEC) • FCPA SAS30 Audit Standards • Defense Investigative Service • Legal and Regulatory sanctions, civil suits
Definitions Due Care • minimum and customary practice of responsible protection of assets that reflects a community or societal norm Due Diligence • prudent management and execution of due care
The Problem • Utility failures • Intruders • Fire/Smoke • Water • Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes) • Heat/Humidity • Electromagnetic emanations • Hostile activity • Technology failure
Recent Disasters • Bombings • ‘92 London financial district • ‘93 World Trade Center, NY • ‘93 London financial district • ‘95 Oklahoma City • ’01 World Trade Center, NY (9/11) • Earthquakes • ‘89 San Francisco • ‘94 Los Angeles • ‘95 Kobe, JP • Fires • ‘95 Malden Mills, Lawrence, MA • ‘96 Credit Lyonnais, FR • ‘97 Iron Mountain Record Center, Brunswick, NJ
Recent Disasters • Power • ‘92 AT&T • ‘96 Orrville, OH • ‘99 East coast heat/drought brownouts • Floods • ‘97 Midwest floods • Storms • ‘92 Hurricane Andrew • ‘93 Northeast Blizzard • ‘96 Hurricanes Bertha, Fran • ‘98 Florida tornados • Hardware/Software • Year 2000
The Problem • Utility failures • Intruders • Fire/Smoke • Water • Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes) • Heat/Humidity • Electromagnetic emanations • Hostile activity • Technology failure • Failure to keep operating Fortune 1000 study • Average loss $78K, up to $500K • 65% failing over 1 week never reopen • Loss of market share common
Threats • From Data Pro reports • Errors & omissions 50% • Fire, water, electrical 25% • Dishonest employees 10% • Disgruntled employees 10% • Outsider threats 5%
The Controls • Least Privilege • Information security • Redundancy • Backed up data • Alternate equipment • Alternate communications • Alternate facilities • Alternate personnel • Alternate procedures
The Steps in a BCP - Initiation • Project initiation • Business case to obtain support • Sell the need for DRP (price vs benefit) • Build and maintain awareness • On-going testing & maintenance • Top down approach • Executive commitment and support MOST CRITICAL • Project planning, staffing • Local support/responsibility
The Steps in a BCP - 1 • Impact Assessment (Impact Analysis/Vulnerability Assessment/Current State Assessment/Risk Assessment) Purpose • Identify risks • Identify business requirements for continuity • Quantify impact of potential threats • Balance impact and countermeasure cost • Establish recovery priorities
Benefits • Relates security objectives to organization mission • Quantifies how much to spend on security measures • Provides long term planning guidance • Building design • HW configuration • SW • Internal controls • Criteria for contingency plans • Security policy • Site selection • Protection requirements • Significant threats • Responsibilities
The Steps in a BCP - 1 • Risk Assessment • Potential failure scenarios • Likelihood of failure • Cost of failure (loss impact analysis) • Dollar losses • Additional operational expenses • Violation of contracts, regulatory requirements • Loss of competitive advantage, public confidence • Assumed maximum downtime (recovery time frames) • Rate of losses • Periodic criticality • Time-loss curve charts
The Steps in a BCP - 1 • Risk Assessment/Analysis • Potential failure scenarios (risks) • Likelihood of failure • Cost of failure, quantify impact of threat • Assumed maximum downtime • Annual Loss Expectancy • Worst case assumptions • Based on business process model? Or IT model? • Identify critical functions and supporting resources • Balance impact and countermeasure cost • Key - • Potential damage • Likelihood
Definitions • Threat • any event which could have an undesirable impact • Vulnerability • absence or weakness of a risk-reducing safeguard, potential to allow a threat to occur with greater frequency, greater impact, or both • Exposure • a measure of the magnitude of loss or impact on the value of the asset • Risk • the potential for harm or loss, including the degree of confidence of the estimate
Definitions • Quantitative Risk Analysis • quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability • Powerful aid to decision making • Difficult to do in time and cost • Qualitative Risk Analysis • minimally quantified estimates • Exposure scale ranking estimates • Easier in time and money • Less compelling • Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative
Results • Loss impact analysis • Recovery time frames • Essential business functions • Information systems applications • Recommended recovery priorities & strategies • Goals • Understand economic & operational impact • Determine recovery time frame (business/DP/Network) • Identify most appropriate strategy • Cost/justify recovery planning • Include BCP in normal decision making process
Risk Management Team • Management - Support • DP Operations • Systems Programming • Internal Audit • Physical Security • Application owners • Application programmers
Preliminary Security Exam • Asset costs • Threat survey • Personnel • Physical environment • HW/SW • Communications • Applications • Operations • Natural disasters • Environment • Facility • Access • Data value
Preliminary Security Exam • Asset costs • Threat survey • Existing security measures • Management review
Threats • Illogical processing • Translation of user needs (technical requirements) • Inability to control technology • Equipment failure • Incorrect entry of data • Concentration of data • Inability to react quickly • Inability to substantiate processing • Concentration of responsibilities • Erroneous/falsified data • Misuse • Hardware failure • Utility failure • Natural disasters • Loss of key personnel • Human errors • Neighborhood hazards • Tampering • Disgruntled employees • Emanations • Unauthorized access • Safety • Improper use of technology • Repetition of errors • Cascading of errors
Threats • Uncontrolled system access • Ineffective application security • Operations procedural errors • Program errors • Operating system flaws • Communications system failure • Utility failure
Risk Analysis Steps • 1 - Identify essential business functions • Dollar losses or added expense • Contract/legal/regulatory requirements • Competitive advantage/market share • Interviews, questionnaires, workshops • 2 - Establish recovery plan parameters • Prioritize business functions • 3 - Gather impact data/Threat analysis • Probability of occurrence, source of help • Document business functions • Define support requirements • Document effects of disruption • Determine maximum acceptable outage period • Create outage scenarios
Risk Analysis Steps • 4 - Analyze and summarize • Estimate potential losses • Destruction/theft of assets • Loss of data • Theft of information • Indirect theft of assets • Delayed processing • Consider periodicity • Combine potential loss & probability • Magnitude of risk is the ALE (Annual Loss Expectancy) • Guide to security measures and how much to spend
Results • Significant threats & probabilities • Critical tasks & loss potential by threat • Remedial measures • Greatest net reduction in losses • Annual cost
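Step 4 and the Results slide worked through as an added example (not part of the original slides): ALE is computed here as potential loss per event times expected events per year, and remedial measures are ranked by net reduction in losses after their annual cost. The class and function names, the scenarios, the dollar figures, the frequencies and the effectiveness fractions are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    loss_per_event: float   # potential loss in dollars (constructed)
    events_per_year: float  # probability of occurrence per year (constructed)

    @property
    def ale(self) -> float:
        # Annual Loss Expectancy: potential loss combined with probability.
        return self.loss_per_event * self.events_per_year

@dataclass
class Measure:
    name: str
    scenario: str         # name of the scenario the measure addresses
    annual_cost: float
    frequency_cut: float  # assumed fraction of events prevented
    loss_cut: float       # assumed fraction of per-event loss avoided

def residual_ale(s: Scenario, m: Measure) -> float:
    """ALE that remains once the measure is in place."""
    return (s.loss_per_event * (1 - m.loss_cut)
            * s.events_per_year * (1 - m.frequency_cut))

def rank_measures(scenarios, measures):
    """Return (measure, net annual benefit), best first.
    Net benefit = reduction in ALE minus the measure's annual cost."""
    by_name = {s.name: s for s in scenarios}
    rows = []
    for m in measures:
        s = by_name[m.scenario]
        reduction = s.ale - residual_ale(s, m)
        rows.append((m.name, round(reduction - m.annual_cost, 2)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample data, not taken from the slides.
SCENARIOS = [
    Scenario("utility failure", 40_000, 0.5),
    Scenario("fire", 500_000, 0.02),
    Scenario("incorrect entry of data", 2_000, 30),
]
MEASURES = [
    Measure("UPS and generator", "utility failure", 6_000, 0.9, 0.0),
    Measure("fire suppression", "fire", 8_000, 0.0, 0.6),
    Measure("entry validation", "incorrect entry of data", 15_000, 0.5, 0.0),
]

if __name__ == "__main__":
    for name, net in rank_measures(SCENARIOS, MEASURES):
        print(f"{name:20s} net annual benefit ${net:>10,.2f}")
```

A negative net benefit marks a measure that costs more per year than the loss it removes, which is where risk assignment (insurance) or risk acceptance from the Remedial Measures slide comes into consideration.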
Information Valuation • Information has cost/value • Acquire/develop/maintain • Owner/Custodian/User/Adversary • Do a cost/value estimate for • Cost/benefit analysis • Integrate security in systems • Avoid penalties • Preserve proprietary information • Business continuity • Circumstances affect valuation timing • Ethical obligation to use justifiable tools/techniques
Conditions of Value • Exclusive possession • Utility • Cost of creation/recreation • Liability • Convertibility/negotiability • Operational impact • Market forces • Official value • Expert opinion/appraisal • Bilateral agreement/contract
Scenario • A specific threat (potential event/act) in which assets are subject to loss • Write scenario for each major threat • Credibility/functionality review • Evaluate current safeguards • Finalize/Play out • Prepare findings
The Steps in a BCP - 2 • Strategy Development (Alternative Selection) • Management support • Team structure • Strategy selection • Cost effective • Workable
The Steps in a BCP - 3 • Implementation (Plan Development) • Specify resources needed for recovery • Make necessary advance arrangements • Mitigate exposures
The Steps in a BCP - 3 • Risk Prevention/Mitigation • Security - physical and information (access) • Environmental controls • Redundancy - Backups/Recoverability • Journaling, Mirroring, Shadowing • On-line/near-line/off-line • Insurance • Emergency response plans • Procedures • Training • Risk management program
The Steps in a BCP - 3 • Decision Making • Cost effectiveness • Total cost • Human intervention requirements • Manual functions are weakest • Overrides and defaults • Shutdown capability • Default to no access • Design openness • Least Privilege • Minimum information • Visible safeguards • Entrapment • Selected vulnerabilities made attractive
The Steps in a BCP - 3 • Decision Making • Universality • Compartmentalization, defense in depth • Isolation • Completeness • Instrumentation • Independence of controller and subject • Acceptance • Sustainability • Auditability • Accountability • Recovery
Remedial Measures • Alter environment • Erect barriers • Improve procedures • Early detection • Contingency plans • Risk assignment (insurance) • Agreements • Stockpiling • Risk acceptance
Remedial Measures • Fire • Detection, suppression • Water • Detection, equipment covers, positioning • Electrical • UPS, generators • Environmental • Backups • Good housekeeping • Backup procedures • Emergency response procedures
The Steps in a BCP - 3 • Plan Development • Specify resources needed for recovery • Team-based • Recovery plans • Mitigation steps • Testing plans • Prepared by those who will carry them out
Included in a BCP • Off-site storage • Trip there - secure? Timely? • Physical layout of site • Fire protection • Climate controls • Security access controls • Backup power
Included in a BCP • Off-site storage • Alternate site • Reciprocal agreements/Multiple sites/Service bureaus • Hot/Warm/Cold (Shell) sites • Trip there - secure? Timely? • Physical layout of site • Fire protection • Climate controls • Security access controls • Backup power • Agreements
Included in a BCP • Off-site storage • Alternate site • Backup processing • Compatibility • Capacity • Journaling - maintaining audit records • Remote journaling - to off-site location • Shadowing - remote journaling and delayed mirroring • Mirroring - maintaining real-time copy of data • Electronic vaulting - bulk transfer of backup files
Included in a BCP • Off-site storage • Alternate site • Backup processing • Communications • Compatibility • Accessibility • Capacity • Alternatives
Included in a BCP • Off-site storage • Alternate site • Backup processing • Communications • Work space • Accessibility • Capacity • Environment
Included in a BCP • Off-site storage • Alternate site • Backup processing • Communications • Work space • Office equipment/supplies/documentation • Security • Critical business processes/Management • Testing • Vendors - Contact info, agreements • Teams - Contact info, transportation • Return to normal operations • Resources needed
Complications • Media/Police/Public • Families • Fraud • Looting/Vandalism • Safety/Legal issues • Expenses/Approval
The Steps in a BCP - Finally • Plan Testing • Proves feasibility of recovery process • Verifies compatibility of backup facilities • Ensures adequacy of team procedures • Identifies deficiencies in procedures • Trains team members • Provides mechanism for maintaining/updating the plan • Upper management comfort