COMP38 Emergency Management and Operational Security: Risk Assessment, DRP, BCP

Disaster Recovery Planning Process
• Many people consider disaster recovery planning a mechanical process
• There are certainly tedious and laborious aspects to developing a plan
• No off-the-shelf disaster recovery plan can meet the needs of all organizations
• An effective plan recognizes an organization's size and other defining characteristics

Basic Principles of Disaster Recovery Planning
• A solid plan requires the support and participation of
  • Upper-level management
  • All business unit managers
  • Legal counsel
  • Directors of all functional departments such as Human Resources, Facilities Management, IT, and Corporate Security

Basic Principles of Disaster Recovery Planning
• The disaster recovery plan must facilitate and allow control of communications among
  • Decision makers
  • Managers
  • Staff
  • External support organizations
  • Law enforcement
  • Emergency services
  • Media
• All policies and procedures must be available to all departments, managers, and staff during response and recovery

Basic Principles of Disaster Recovery Planning
• All employees involved in disaster response and recovery must be trained to
  • Implement documented procedures
  • Address unanticipated problems
• Procedures must be tested and rehearsed
• Planners must continually evaluate new threats and business conditions as they develop
• During disaster response and recovery, the organization must
  • Evaluate the effectiveness of its procedures
  • Monitor the physical safety and mental health of employees

Recovery Function
• The disaster recovery function consists of the people, departments, and support organizations that implement the plan and facilitate disaster recovery
• How this function is organized depends on
  • The geographical dispersal of facilities within an organization
  • The type of facilities occupied
  • The number of employees
  • Other factors

Recovery Function Staff
• A centralized authority or group
  • Coordinates the development of disaster recovery plans
  • Plays a role in disaster response and recovery
• Managers and staff in functional departments have enterprise-wide roles in disaster response and recovery
• Department managers and representatives from business units have roles in disaster response and recovery to ensure the continued function of their business units
Risk Assessment
• Some approaches to DRP don't include risk assessment
• NIST, for example, proceeds directly to Business Impact Analysis (BIA)
  • BIA focuses on determining what to recover first, regardless of how the damage was incurred and regardless of how likely it is
• DRP is aimed at residual risk after a conventional TRA (Threat and Risk Assessment) has been completed, so there is no need for more risk assessment
Why Risk Assessment?
• Focus on threats provides motivation by enumerating possible threat events
• Considering the likelihood of events can justify expenditures on preparedness
• Response plans can be event oriented rather than consequence oriented
  • Seems more realistic
Why Risk Assessment?
• Standard threat checklists can help to ensure all consequences are considered
• Focus on threats leads to consideration of existing or possible mitigating controls
• The organization may not have already done a TRA

Risk Assessment Overview
• Risk should be related to business functions, like revenue collection
• But threats are related to support resources like LANs and servers
• Need an inventory of support resources
  • Detailing threats to these resources
• And an inventory of business functions
  • Showing which resources support the business functions
  • And including other information relevant to DRP
• These are required for the BIA in any case
Facilities
• Many threats will affect an entire facility, like a manufacturing plant or warehouse, leaving other facilities untouched
• Useful to inventory support functions on a per-facility basis
• An exposure inventory is an annotated list of all facilities, processes, systems, and resources that an organization uses to maintain operations and sustain revenue
• The exposure inventory should be conducted for each facility that an organization owns or operates

Facility Exposure Inventory Overview
• The overview shows
  • The name and address of the facility
  • Its main telephone number
  • Fax number
  • E-mail address
  • Disaster recovery contact
  • When the exposure inventories were last updated
  • When the next update is scheduled
  • Which business processes are performed at the facility
  • Which detailed exposure inventories are attached

Detailed Exposure Inventories
• Provide details for assets of various types at the facility, including
  • Physical facilities: every building at a facility
  • Employees in each building
  • Heavy equipment in each building
  • Light equipment in each building
  • Installed systems: computer networks, telephone systems, fire prevention systems, and premises security systems in each building
  • Information technology in each building
  • Office equipment in each building
  • Products/parts in each building

Documenting Business Processes
• The disaster recovery team should know which business processes are supported at every facility
• A product-focused organization creates or distributes physical goods
• A service-focused organization provides a specific service for a customer

Creating a Business Process Inventory
• A business process inventory is an annotated list of the key business processes needed to maintain operations

Creating a Business Process Inventory
• A business process inventory illustrates:
  • How a process works
  • The facilities and buildings where it occurs
  • The departments that perform the process
  • The personnel who work in the departments
  • The equipment used by the departments
  • The installed systems on which they rely
  • The information technology they have in place
  • The parts and supplies that the departments need to accomplish their work

Business Process Inventory Overview
• The business process inventory overview is a list of the detailed business process inventories connected with each facility
• There may be detailed business process inventories for
  • Revenue collection
  • Sales
  • Product distribution
  • Service delivery
  • Product manufacturing
  • Procurement
  • etc.

Detailed Business Process Inventories
• Each detailed inventory describes business process support requirements
• Support requirements are the resources needed to support each process, including
  • Physical facilities
  • Personnel
  • Heavy equipment
  • Light equipment
  • Installed systems
  • Information technology
  • Office equipment
  • etc.

Threats
• Need to determine which threats could adversely affect assets and operations
• A good place to start is to study records of historic events that have affected a facility or its surrounding communities and regions
  • This study is especially important in the case of recurring natural disasters
• Other threats to consider are accidental events that may damage a facility and its operations
• A third type of threat to consider is destructive or disruptive deliberate actions against a facility and its operations

Potential Threat Inventory
• The threat inventory describes threats and mitigations:
  • To an entire facility, and
  • Specifically to:
    • Personnel
    • Heavy equipment
    • Light equipment
    • Installed systems
    • Information technology
    • Office equipment
    • Products or parts
    • etc.

Business Process Threats
• Details the potential threats to a business process, as well as specific potential threats to personnel, equipment, installed systems, and information technology
• Includes the actions taken or the systems in place to mitigate the threats
• Based on business process inventories

Measuring and Quantifying Threats
• The key to successfully measuring the likelihood of threats being realized is to obtain data from as many sources as possible
• Data on natural disasters is relatively easy to obtain from historical records
• Accidents may be more difficult to quantify
  • Some locations certainly have a greater number of transportation-related accidents than others, depending on road conditions and weather patterns
  • Data on the frequency of such accidents is often available from police or public safety departments
• Other data, such as on the frequency of power outages, may be readily available from facility maintenance staff

Compiling Risk Assessment Reports
• A risk assessment report describes an asset or business process that is exposed to risk, the risks themselves, and the effectiveness of existing systems designed to mitigate these risks
• The report may recommend which types of procedures an organization should include in its disaster recovery plan
• The disaster recovery planning team can use this report as a decision-making tool and as a starting point in developing disaster recovery procedures
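The join that the Risk Assessment Overview and Compiling Risk Assessment Reports slides describe, as an added Python illustration that is not part of the lecture: a support-resource inventory tied to facilities, a business process inventory, and a facility-level threat inventory with mitigations are combined into a per-process report, and the unmitigated (process, threat, resource) triples fall out as candidates for DRP procedures. All facilities, resources, processes, threats and likelihoods are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:            # support-resource (exposure) inventory entry
    name: str
    facility: str
    mitigations: dict = field(default_factory=dict)   # threat name -> mitigation in place

@dataclass
class BusinessProcess:     # business process inventory entry: resources it relies on
    name: str
    resources: list

@dataclass
class Threat:              # threat inventory entry: facility-wide threat and likelihood
    name: str
    facility: str
    likelihood: str        # "high" / "medium" / "low", e.g. from historical records

def assess(processes, resources, threats):
    """Join the inventories: for each process, every threat reaching it through a
    supporting resource at an affected facility, with the mitigation in place (if any)."""
    by_name = {r.name: r for r in resources}
    report = {}
    for proc in processes:
        findings = []
        for res in (by_name[n] for n in proc.resources):
            for t in threats:
                if t.facility == res.facility:   # facility-wide threat hits this resource
                    findings.append({"threat": t.name, "resource": res.name,
                                     "facility": res.facility, "likelihood": t.likelihood,
                                     "mitigation": res.mitigations.get(t.name)})  # None = none
        report[proc.name] = findings
    return report

def unmitigated(report):
    """(process, threat, resource) triples with no mitigation: candidates for DRP procedures."""
    return sorted((p, f["threat"], f["resource"])
                  for p, fs in report.items() for f in fs if f["mitigation"] is None)

# Constructed sample inventories: hypothetical facilities, resources, processes and threats.
RESOURCES = [Resource("ERP server", "HQ", {"power outage": "UPS and generator"}),
             Resource("Assembly line", "Plant A")]
PROCESSES = [BusinessProcess("Revenue collection", ["ERP server"]),
             BusinessProcess("Product manufacturing", ["Assembly line", "ERP server"])]
THREATS = [Threat("flood", "Plant A", "high"), Threat("power outage", "HQ", "medium")]
RISK_REPORT = assess(PROCESSES, RESOURCES, THREATS)
```

Extending the facility match to per-resource threats, or attaching an impact estimate per finding, turns the same join into the input for a BIA.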
Planning Process
• According to NIST:
  • Develop the planning policy statement
  • Conduct the business impact analysis (BIA)
  • Identify preventive controls
  • Develop recovery strategies
  • Develop the plan
  • Plan testing, training, and exercises
  • Plan maintenance

Another Approach (#2)
• Organize Team
• Business Impact Analysis
• Establish Roles
• Develop Policies and Procedures
• Document the Policies and Procedures
• Develop & Implement the Plan
• Test the Plan
• Maintenance Phase

Yet Another (#3)
• Project management & initiation
• Business Impact Analysis (BIA)
• Recovery strategies
• Plan design & development
• Testing, maintenance, awareness, training

Initial Step (NIST): Develop the Contingency Planning Policy Statement
• Define the agency's overall DRP objectives
• Establish the organizational framework and responsibilities
• Provide authority and high-level support
• Specify targets for training, testing, maintenance

Sample Policy
• All HGA organizations shall develop contingency plans for each major application or general support system to meet the needs of critical IT operations in the event of a disruption extending beyond 72 hours. The procedures for execution of such a capability shall be documented in a formal contingency plan by the Contingency Planning Coordinator and shall be reviewed annually and updated as necessary by the Contingency Planning Coordinator. The procedures must account for full nightly backups to be conducted and sent to the designated off-site facility. The plan should assign specific responsibilities to designated staff or positions to facilitate the recovery and/or continuity of essential IT functions. ....

Initial Step (#2): Organizing the DRP Team
• The team must be a well-rounded group that represents all the functions of an organization
• Requires a high-level manager as a champion
• Ideally, the champion should be the CEO or a high-level manager designated by the CEO

Initial Step (#3): Project Management & Initiation
• Establish need (risk analysis)
• Get management support
• Establish team (functional, technical, Business Continuity Coordinator)
• Create work plan (scope, goals, methods, timeline)
• Initial report to management
• Obtain management approval to proceed

Identify Preventive Controls (NIST)
• Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs
  • UPS
  • Generator
  • Fire suppression
  • Water sensors
  • Backups

Recovery Strategies
• NIST and #3 call the next step "Develop Recovery Strategies"
• #2 calls it "Develop Policies and Procedures"
• NIST did policy development first
• Procedures in #2 are the recovery strategy in NIST and #3
Develop Recovery Strategies
• Must ensure that the system may be recovered quickly and effectively following a disruption
• Recovery strategies are based on MTDs (maximum tolerable downtimes) and reflect recovery priorities
• Different technical strategies have different costs and benefits
• Choose by careful cost-benefit analysis driven by business requirements

Principles for Recovery Procedures
• Must
  • Support the critical needs of business operations
  • Comply with all relevant laws and regulations
  • Be understood by the parties responsible for implementing them
  • Be approved by upper management
• The plan must clearly delineate and document the chain of command of the managers responsible for declaring, responding to, and recovering from a disaster
Types of Strategies
• Usually involve some form of redundancy
  • Like an alternate site
• We will deal with redundancy strategies in a later lecture
Document the Plan
• At this stage everyone agrees it's time to document the developed plan
• NIST calls this "Develop the Plan" and includes assigning roles and responsibilities
• #2 calls this "Document the Plan"
• #3 calls it "Development / Implementation"
• A group must be established to manage documentation and the cycles of reviews, approvals, and updates
• The document must include all contact information
Plan Outline
• Most recovery plans will have phases something like:
  • Initial disaster response
  • Resume critical business ops
  • Resume non-critical business ops
  • Restoration (return to primary site)
  • Interacting with external groups (customers, media, emergency responders)

NIST Phases
• Notification/Activation
• Recovery
• Reconstitution

Implementation
• #3 has this as the next step
• #2 includes it in the plan development stage
• NIST doesn't mention it

Implementation Activities
• The final plan is distributed to all of the departments, organizations, and employees involved in disaster response and recovery
• The planning team begins to intensify the internal and external awareness programs to ensure that all parties know about the plan
• Executives are briefed on the plan and their roles in disaster response and recovery
• Staff in all departments are trained on general and department-specific procedures
• Any outside services or equipment are purchased or contracted
Testing
• NIST has "testing, training, and exercises" as the next step
  • Exercises combine testing and training
• #3 has Testing, Maintenance, Awareness, Training
  • Awareness is a special case of training, involving all staff
  • Not just those with DRP responsibilities
• #2 just has testing
Testing Activities
• Test and rehearse parts of the plan, and eventually run a live simulation of a disaster
• A disaster recovery rehearsal is a live simulation in which all departments and support organizations run through the entire disaster recovery process, just as they would during an actual disaster
• Managers in eight of every 10 organizations surveyed think that testing and rehearsing disaster recovery plans is beneficial

Types of Tests
• Structured walk-through
• Checklist
• Simulation
• Full interruption rehearsal

Things to Test
• System recovery on an alternate platform from backup media
• Coordination among recovery teams
• Internal and external connectivity
• System performance using alternate equipment
• Restoration of normal operations
• Notification procedures
Training
• #2 included this in implementation
• NIST has it in the second-to-last step, "testing, training, and exercises"
• #3 includes it in "Testing, Maintenance, Awareness, Training"

Training Considerations
• Annual, and for new hires, for staff with DRP responsibilities
• In an emergency, staff should not have to follow the document
  • It might not be available
• Training should cover
  • Purpose of the plan
  • Cross-team coordination and communication
  • Reporting procedures
  • Security requirements
  • Team-specific processes at all phases
  • Individual responsibilities at all phases