
COMP38 Emergency Management and Operational Security


Presentation Transcript


  1. COMP38 Emergency Management and Operational Security Risk Assessment DRP,BCP

  2. Disaster Recovery Planning Process • Many people consider disaster recovery planning a mechanical process • There are certainly tedious and laborious aspects to developing a plan • No off-the-shelf disaster recovery plan can meet the needs of all organizations • An effective plan recognizes an organization's size and other defining characteristics

  3. Basic Principles of Disaster Recovery Planning • A solid plan requires the support and participation of • Upper-level management • All business unit managers • Legal counsel • Directors of all functional departments such as Human Resources, Facilities Management, IT, and Corporate security

  4. Basic Principles of Disaster Recovery Planning • The disaster recovery plan must facilitate and allow control of communications among • Decision makers • Managers • Staff • External support organizations • Law enforcement • Emergency services • Media • All policies and procedures must be available to all departments, managers, and staff during response and recovery

  5. Basic Principles of Disaster Recovery Planning • All employees involved in disaster response and recovery must be trained to • Implement documented procedures • Address unanticipated problems • Procedures must be tested and rehearsed • Planners must continually evaluate new threats and business conditions as they develop • During disaster response and recovery, the organization must • Evaluate the effectiveness of its procedures • Monitor the physical safety and mental health of employees

  6. Recovery Function • Disaster recovery function consists of the people, departments, and support organizations that implement the plan and facilitate disaster recovery • How this function is organized depends on • The geographical dispersal of facilities within an organization • The type of facilities occupied • The number of employees • Other factors

  7. Recovery Function Staff • A centralized authority or group • Coordinates the development of disaster recovery plans • Plays a role in disaster response and recovery • Managers and staff in functional departments have enterprise-wide roles in disaster response and recovery • Department managers and representatives from business units have roles in disaster response and recovery to ensure the continued function of their business units

  8. Risk Assessment • Some approaches to DRP don't include risk assessment • NIST, for example, proceeds directly to Business Impact Assessment • BIA focuses on determining what to recover first, regardless of how the damage was incurred and regardless of how likely it is • DRP is aimed at residual risk after a conventional TRA has been completed, so no need for more risk assessment

  9. Why Risk Assessment? • Focus on threats provides motivation by enumerating possible threat events • Considering likelihood of events can justify expenditures on preparedness • Response plans can be event oriented rather than consequence oriented • Seems more realistic

  10. Why Risk Assessment? • Standard threat checklists can help to ensure all consequences are considered • Focus on threats leads to consideration of existing or possible mitigating controls • May not have already done a TRA

  11. Risk Assessment Overview • Risk should be related to business functions, like revenue collection • But threats are related to support resources like LANs and servers • Need an inventory of support resources • Detailing threats to these functions • And an inventory of business functions • Showing which resources support the business functions • And including other information relevant to DRP • These are required for the BIA in any case

  12. Facilities • Many threats will affect an entire facility, like a manufacturing plant or warehouse, leaving other facilities untouched • Useful to inventory support functions on a per-facility basis • An exposure inventory is an annotated list of all facilities, processes, systems, and resources that an organization uses to maintain operations and sustain revenue • The exposure inventory should be conducted for each facility that an organization owns or operates

  13. Facility Exposure Inventory Overview • The overview shows • The name and address of the facility • Its main telephone number • Fax number • E-mail address • Disaster recovery contact • When the exposure inventories were last updated • When the next update is scheduled • Which business processes are performed at the facility • Which detailed exposure inventories are attached

  14. Detailed Exposure Inventories • Provide details for assets of various types at the facility, including • Physical facilities: every building at a facility • Employees in each building • Heavy equipment in each building • Light equipment in each building • Installed systems: computer networks, telephone systems, fire prevention systems, and premises security systems in each building • Information technology in each building • Office equipment in each building • Products/parts in each building

  15. Documenting Business Processes • The disaster recovery team should know which business processes are supported at every facility • A product-focused organization creates or distributes physical goods • A service-focused organization provides a specific service for a customer

  16. Typical Organization Processes

  17. Creating a Business Process Inventory • A business process inventory is an annotated list of the key business processes needed to maintain operations

  18. Creating a Business Process Inventory • A business process inventory illustrates: • How a process works • The facilities and buildings where it occurs • The departments that perform the process • The personnel who work in the departments • The equipment used by the departments • The installed systems on which they rely • The information technology they have in place • The parts and supplies that the departments need to accomplish their work

  19. Business Process Inventory Overview • The business process inventory overview is a list of the detailed business process inventories connected with each facility • There may be detailed business process inventories for • Revenue collection • Sales • Product distribution • Service delivery • Product manufacturing • Procurement • etc.

  20. Detailed Business Process Inventories • Each detailed inventory describes business process support requirements • Support requirements are the resources needed to support each process, including • Physical facilities • Personnel • Heavy equipment • Light equipment • Installed systems • Information technology • Office equipment • etc.

  21. Threats • Need to determine which threats could adversely affect assets and operations • A good place to start is to study records of historic events that have affected a facility or its surrounding communities and regions • This study is especially important in the case of recurring natural disasters • Other threats to consider are accidental events that may damage a facility and its operations • A third type of threat to consider is destructive or disruptive deliberate actions against a facility and its operations

  22. Potential Threat Inventory • The threat inventory describes threats and mitigations • To an entire facility, and • Specifically to: • Personnel • Heavy equipment • Light equipment • Installed systems • Information technology • Office equipment • Products or parts • etc.

  23. Business Process Threats • Details the potential threats to a business process, as well as specific potential threats to personnel, equipment, installed systems, and information technology • Includes the actions taken or the systems in place to mitigate the threats • Based on business process inventories

  24. Measuring and Quantifying Threats • The key to successfully measuring the likelihood of threats being realized is to obtain data from as many sources as possible • Data on natural disasters is relatively easy to obtain from historical records • Accidents may be more difficult to quantify • Some locations certainly have a greater number of transportation-related accidents than others, depending on road conditions and weather patterns • Data on the frequency of such accidents is often available from police or public safety departments • Other data, such as the frequency of power outages, may be readily available from facility maintenance staff

  25. Threat Evaluation and Quantification Methods

  26. Compiling Risk Assessment Reports • A risk assessment report describes an asset or business process that is exposed to risk, the risks themselves, and the effectiveness of existing systems designed to mitigate these risks • The report may recommend which types of procedures an organization should include in its disaster recovery plan • The disaster recovery planning team can use this report as a decision-making tool and as a starting point in developing disaster recovery procedures
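Slides 11, 12, 22, 24 and 26 together describe one piece of machinery: threats are recorded against support resources (per facility), business functions are recorded with the resources they depend on, and the risk assessment report rolls the resource-level threat data up to the business functions the planning team actually cares about. The script below is an added illustration of that roll-up, not material from the lecture or from NIST; the two facilities, the resources, the two business processes, the threat frequencies and the MITIGATION_FACTOR credit for existing controls are all constructed sample values. Its one non-obvious point is the facility-scoped threat: a flood or outage that hits every asset at a site is counted once per site for a process, not once per resource, which is the reason slide 12 asks for inventories on a per-facility basis.

```python
"""Aggregating threats from support resources up to business functions.

Added example, not material from the lecture: the facility, resource,
process and threat records below are constructed sample data for a
hypothetical two-site organisation, and the frequencies are invented
for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    scope: str               # "facility": hits every asset at the site; "asset": one resource
    annual_frequency: float  # expected occurrences per year (from historical records)
    mitigated: bool = False  # an existing control already addresses this threat


@dataclass
class Resource:
    name: str
    facility: str
    threats: List[Threat]


@dataclass
class BusinessProcess:
    name: str
    resources: List[str]  # names of the support resources the process depends on


# Residual-likelihood multiplier for a threat that already has a mitigating
# control in place (assumed value, chosen for illustration).
MITIGATION_FACTOR = 0.25


def residual_frequency(t: Threat) -> float:
    """Annual frequency after crediting any existing mitigation."""
    return t.annual_frequency * (MITIGATION_FACTOR if t.mitigated else 1.0)


def process_threat_events(proc: BusinessProcess,
                          resources: Dict[str, Resource]) -> Dict[str, Threat]:
    """Distinct events that can disrupt a process, keyed by where they strike.

    A facility-wide threat (flood, power outage) is counted once per site even
    when several of the process's resources sit there, so it is not double
    counted; an asset-specific threat is counted once per resource.
    """
    events: Dict[str, Threat] = {}
    for rname in proc.resources:
        res = resources[rname]
        for t in res.threats:
            where = res.facility if t.scope == "facility" else res.name
            events[f"{t.name} ({where})"] = t
    return events


def expected_disruptions(proc: BusinessProcess, resources: Dict[str, Resource]) -> float:
    """Expected number of disrupting events per year for one business process."""
    events = process_threat_events(proc, resources)
    return round(sum(residual_frequency(t) for t in events.values()), 4)


def compile_report(processes: List[BusinessProcess],
                   resources: Dict[str, Resource]) -> List[Tuple[str, float, List[str], List[str]]]:
    """Report rows: (process, disruptions/year, top two threats, unmitigated threats).

    Sorted most exposed first, so the planning team sees where recovery
    procedures and preventive controls are needed most.
    """
    rows = []
    for p in processes:
        events = process_threat_events(p, resources)
        ranked = sorted(events.items(), key=lambda kv: residual_frequency(kv[1]), reverse=True)
        top = [label for label, _ in ranked[:2]]
        unmitigated = [label for label, t in events.items() if not t.mitigated]
        rows.append((p.name, expected_disruptions(p, resources), top, unmitigated))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# --- Constructed sample inventories (hypothetical organisation) --------------
FLOOD_HQ = Threat("flood", "facility", 0.1)
OUTAGE_HQ = Threat("power outage", "facility", 2.0, mitigated=True)   # UPS + generator at HQ
DISK_FAIL = Threat("disk failure", "asset", 0.5, mitigated=True)      # nightly backups
FIRE_WH = Threat("fire", "facility", 0.05)
OUTAGE_WH = Threat("power outage", "facility", 2.0)                   # no generator at the warehouse

RESOURCES: Dict[str, Resource] = {
    "billing-server": Resource("billing-server", "HQ", [FLOOD_HQ, OUTAGE_HQ, DISK_FAIL]),
    "hq-lan": Resource("hq-lan", "HQ", [FLOOD_HQ, OUTAGE_HQ]),
    "warehouse-scanner": Resource("warehouse-scanner", "Warehouse", [FIRE_WH, OUTAGE_WH]),
}

PROCESSES = [
    BusinessProcess("Revenue collection", ["billing-server", "hq-lan"]),
    BusinessProcess("Product distribution", ["warehouse-scanner", "hq-lan"]),
]

if __name__ == "__main__":
    for name, rate, top, open_items in compile_report(PROCESSES, RESOURCES):
        print(f"{name:22s} {rate:6.3f} disruptions/yr  top: {top}  unmitigated: {open_items}")
```

With the sample data, the HQ flood is counted once for Revenue collection even though both of its resources sit at HQ, and the unmitigated warehouse outage is what pushes Product distribution to the top of the report; the "unmitigated" column is the raw material for slide 26's recommendation of which procedures or preventive controls to add.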

  27. Planning Process • According to NIST: • Develop the planning policy statement • Conduct the business impact analysis (BIA) • Identify preventive controls • Develop recovery strategies • Develop the plan • Plan testing, training, and exercises • Plan maintenance

  28. Another Approach (#2) • Organize Team • Business Impact Analysis • Establish Roles • Develop Policies and Procedures • Document the Policies and Procedures • Develop & Implement the Plan • Test the Plan • Maintenance Phase

  29. Yet Another (#3) • Project management & initiation • Business Impact Analysis (BIA) • Recovery strategies • Plan design & development • Testing, maintenance, awareness, training

  30. Initial Step (NIST): Develop the Contingency Planning Policy Statement • Define the agency's overall DRP objectives • Establish the organizational framework and responsibilities • Provide authority and high-level support • Specify targets for training, testing, maintenance

  31. Sample Policy • All HGA organizations shall develop contingency plans for each major application or general support system to meet the needs of critical IT operations in the event of a disruption extending beyond 72 hours. The procedures for execution of such a capability shall be documented in a formal contingency plan by the Contingency Planning Coordinator and shall be reviewed annually and updated as necessary by the Contingency Planning Coordinator. The procedures must account for full nightly backups to be conducted and sent to the designated off-site facility. The plan should assign specific responsibilities to designated staff or positions to facilitate the recovery and/or continuity of essential IT functions. ....

  32. Initial Step (#2): Organizing the DRP Team • The team must be a well-rounded group that represents all the functions of an organization • Requires a high-level manager as a champion • Ideally, the champion should be the CEO or a high-level manager designated by the CEO

  33. Initial Step (#3): Project Management & Initiation • Establish need (risk analysis) • Get management support • Establish team (functional, technical, Business Continuity Coordinator) • Create work plan (scope, goals, methods, timeline) • Initial report to management • Obtain management approval to proceed

  34. Identify Preventive Controls (NIST) • Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs • UPS • Generator • Fire suppression • Water sensors • Backups

  35. Recovery Strategies • NIST and # 3 call the next step Develop Recovery Strategies • #2 calls it develop policies and procedures • NIST did policy development first • Procedures in # 2 are the recovery strategy in NIST and #3

  36. Develop Recovery Strategies • Must ensure that the system may be recovered quickly and effectively following a disruption • Recovery strategies are based on MTDs and reflect recovery priorities • Different technical strategies have different costs and benefits • Choose by careful cost-benefit analysis driven by business requirements

  37. Principles for Recovery Procedures • Must • Support the critical needs of business operations • Comply with all relevant laws and regulations • Be understood by the parties responsible for implementing them • Be approved by upper management • The plan must clearly delineate and document the chain of command of the managers responsible for declaring, responding to, and recovering from a disaster

  38. Types of Strategies • Usually involve some form of redundancy • Like an alternate site • We will deal with redundancy strategies in a later lecture

  39. Document the Plan • At this stage everyone agrees it's time to document the developed plan • NIST calls this “Develop the Plan” and includes assigning roles and responsibilities • # 2 calls this “Document the Plan” • # 3 calls it “Development / Implementation” • A group must be established to manage documentation and the cycles of reviews, approvals, and updates • The document must include all contact information

  40. Plan Outline • Most recovery plans will have phases something like: • Initial disaster response • Resume critical business ops • Resume non-critical business ops • Restoration (return to primary site) • Interacting with external groups (customers, media, emergency responders)

  41. NIST Phases • Notification/Activation • Recovery • Reconstitution

  42. Implementation • # 3 has this as the next step • # 2 includes it in the plan development stage • NIST doesn't mention it

  43. Implementation Activities • The final plan is distributed to all of the departments, organizations, and employees involved in disaster response and recovery • The planning team begins to intensify the internal and external awareness programs to ensure that all parties know about the plan • Executives are briefed on the plan and their roles in disaster response and recovery • Staff in all departments are trained on general and department-specific procedures • Any outside services or equipment are purchased or contracted

  44. Testing • NIST has “testing, training, and exercises” as the next step • Exercises combine testing and training • # 3 has Testing, Maintenance, Awareness, Training • Awareness is a special case of training, involving all staff • Not just those with BRP responsibilities • # 2 just has testing

  45. Testing Activities • Test and rehearse parts of the plan, and eventually run a live simulation of a disaster • A disaster recovery rehearsal is a live simulation in which all departments and support organizations run through the entire disaster recovery process, just as they would during an actual disaster • Managers in eight of every 10 organizations surveyed think that testing and rehearsing disaster recovery plans is beneficial

  46. Plan Testing and Rehearsal

  47. Types of Tests • Structured walk-through • Checklist • Simulation • Full interruption rehearsal

  48. Things to Test • System recovery on an alternate platform from backup media • Coordination among recovery teams • Internal and external connectivity • System performance using alternate equipment • Restoration of normal operations • Notification procedures.

  49. Training • # 2 included this in implementation • NIST has it in the second last step “testing, training, and exercises” • # 3 includes it in the “Testing, Maintenance, Awareness, Training”

  50. Training Considerations • Annual, and for new hires, for staff with DRP responsibilities • In an emergency, staff should not have to follow the document • It might not be available • Training should cover • Purpose of the plan • Cross-team coordination and communication • Reporting procedures • Security requirements • Team-specific processes at all Phases • Individual responsibilities at all Phases
