The Importance Of Business Continuity And Disaster Recovery Planning By Aqel M. Aqel Information Systems Audit & Control Association Rolling Meadows Illinois USA (www.isaca.org) CISA Coordinator / Research Director - Riyadh Chapter Dec 2014
Page 1: Bcp drp

The Importance Of Business Continuity And Disaster

Recovery Planning

By Aqel M. Aqel

Information Systems Audit & Control Association

Rolling Meadows, Illinois – USA (www.isaca.org)

CISA – Coordinator / Research Director - Riyadh Chapter

Dec 2014

Page 2: Bcp drp

Why BCP & DRP

• Successful businesses expect the unexpected and plan for it.

• Disruptions to your business can result in:

• Data risk

• Revenue loss

• Failure to deliver services

• That’s why organizations need strong business continuity planning.

Source: John Sharp (2012), ‘The Route Map to Business Continuity Management: Meeting the Requirements of ISO 22301’

A Good Plan Increases Your Chances of Recovery

Page 3: Bcp drp

Concepts and Terminology

• Business continuity describes the processes and procedures an organization must put in place to ensure that mission-critical functions can continue during and after a disaster.

• Disaster recovery refers to specific steps taken to resume operations in the aftermath of a catastrophic disaster (natural or national emergency)

Page 4: Bcp drp

Reasons behind Disasters

• Environmental Disasters

• Tornado & Hurricane

• Power Grid Failure

• Flood

• Snowstorm

• Earthquake

• Electrical storms

• Fire

• Sink Holes

• Landslides

• Man Made Disruptions

• Terrorist Attack

• Sabotage

• War / Theft

• Arson

• Labor Disputes

• Equipment or System Failure

• Internal power failure

• Air conditioning failure

• Cooling plant failure

• Equipment failure

• IT Failures and Security Breaches

• Cyber crime

• Loss of records or data

• Disclosure of sensitive information

• IT system failure

Page 5: Bcp drp

More Concepts and Terminology

Recovery Point Objective (RPO) measures the ability to recover files by specifying a point in time restore of the backup copy.

Recovery Time Objective (RTO) measures the time that it takes for a system to be completely up and running in the event of a disaster.

Source: Network Servers 2011

Page 6: Bcp drp

More Concepts and Terminology

• Recovery Point Objective (RPO) measures the ability to recover files by specifying a point-in-time restore of the backup copy, i.e.:

• Amount of data lost from failure, measured as the amount of time from a disaster event

• It's determined by the amount of time between data protection events and reflects the amount of data that potentially could be lost during a disaster recovery.

• The metric is an indication of the amount of data at risk of being lost.

• Recovery Time Objective (RTO) measures the time that it takes for a system to be completely up and running in the event of a disaster, i.e.:

• Targeted amount of time to restart a business service after a disaster event.

• It is related to downtime. The metric refers to the amount of time it takes to recover from a data loss event and how long it takes to return to service.

• RTO therefore refers to the amount of time the system's data is unavailable or inaccessible, preventing normal service.
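The two metrics above can be checked against what a backup schedule and a recovery actually deliver. The following is an added example, not part of the slides: it assumes a constructed log of backup completion times, a constructed failure and restore time, and RPO/RTO targets chosen for illustration. The largest gap between consecutive backups is the best RPO the schedule can honour; the time since the last backup before the failure is the data actually lost; the time from failure to restore is the downtime to compare against the RTO.

```python
from datetime import datetime, timedelta

# Constructed sample: completion times of a nightly backup job (not real data).
BACKUP_TIMES = [
    datetime(2014, 12, 1, 2, 0),
    datetime(2014, 12, 2, 2, 0),
    datetime(2014, 12, 3, 2, 0),
    datetime(2014, 12, 4, 2, 0),
]
# Constructed incident: failure in the afternoon, service restored that evening.
FAILURE_TIME = datetime(2014, 12, 4, 15, 30)
RESTORED_TIME = datetime(2014, 12, 4, 21, 0)
# Illustrative objectives: lose at most 4h of data, be back within 8h.
RPO = timedelta(hours=4)
RTO = timedelta(hours=8)


def max_backup_gap(backup_times):
    """Largest interval between consecutive backups: the best RPO this schedule can deliver."""
    ordered = sorted(backup_times)
    gaps = (later - earlier for earlier, later in zip(ordered, ordered[1:]))
    return max(gaps, default=timedelta(0))


def data_loss_window(backup_times, failure_time):
    """Data lost by a failure = time elapsed since the last backup completed before it."""
    before = [t for t in backup_times if t <= failure_time]
    if not before:
        raise ValueError("no backup completed before the failure; all data is at risk")
    return failure_time - max(before)


def evaluate(backup_times, failure_time, restored_time, rpo, rto):
    """Compare the schedule and the incident against the stated RPO and RTO."""
    loss = data_loss_window(backup_times, failure_time)
    down = restored_time - failure_time
    return {
        "schedule_meets_rpo": max_backup_gap(backup_times) <= rpo,
        "data_loss": loss,
        "rpo_met": loss <= rpo,
        "downtime": down,
        "rto_met": down <= rto,
    }


def demo():
    return evaluate(BACKUP_TIMES, FAILURE_TIME, RESTORED_TIME, RPO, RTO)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a 24-hour backup interval the schedule cannot meet a 4-hour RPO regardless of how fast the restore is, which is the point of treating RPO as a property of the backup cadence rather than of the recovery.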

Page 7: Bcp drp

RPO and RTO

Page 8: Bcp drp

RTO and RPO

Source: http://wikibon.org/w/images/0/04/RPO_RTO_Horison.jpg

Page 9: Bcp drp

Facts

• The US Chamber of Commerce reported that:

• The economic losses in 2011, as a result of natural disasters, reached $380 million.

• Federal Emergency Management Agency (www.fema.gov) reports:

• 40-60% of businesses that close due to disaster never reopen!!

(Source: https://telovations.wordpress.com/tag/revenue-lost-due-to-natural-disaster/)

Page 10: Bcp drp

Facts

Source: FreeForm Dynamics 2011

• Only 23% of Respondents said: yes, there is a formal DR plan in place.

Page 11: Bcp drp

Facts

• Numbers speak!

Page 12: Bcp drp

Facts

Source: http://www.e-janco.com/DRP_BCP_Audit.html

Page 13: Bcp drp

Facts

Source: http://powerwindows.wordpress.com/2010/10/25/windows-geoclusters-stretch-clusters-and-recoverpointce-failover/

• Cost of downtime does not propagate linearly!

Page 14: Bcp drp

Facts

• What parts of the IT infrastructure are covered by BC/DR plans?

Source: Howard Marks (2008) http://www.informationweek.com/practical-disaster-recovery-for-midsize-companies/d/d-id/1075012?

Page 15: Bcp drp

Facts

Source: Howard Marks (2008) http://www.informationweek.com/practical-disaster-recovery-for-midsize-companies/d/d-id/1075012?

• What are the barriers to adoption of a business continuity plan?

• Cost and complexity are

• Lack of skills is a reason as well.

Page 16: Bcp drp

Facts

http://www.crn.com/slide-shows/storage/240006796/8-surprising-disaster-recovery-stats.htm/pgno/0/7

• 86% of companies experienced one or more instances of system downtime in the previous 12 months.

• Downtimes lasted 2.2 days on average and cost each business an average of $366,363 a year.

• 33% of businesses admitted they do not back up virtual servers as often as they do their physical servers.

Page 17: Bcp drp

Actionable model (figure; its labels were): Leadership; Policies; Procedures; Tools; Roles and Responsibilities; Methodologies / Best Practices; Training; Awareness; Motivation; Sponsoring & follow up; Support; Validation; Audit; Programs; Reports; Monitoring; Execution.

Source: Aqel M. Aqel, IT Security in your firm, what is it, & how to achieve it. (2011).

Page 18: Bcp drp

ISO 22301

In 2012, BCI, in partnership with BSI, launched ISO 22301, the new global standard for business continuity management.

Page 19: Bcp drp

ISO 22301

• Provides a comprehensive set of controls based on BCM best practice.

• Covers the whole BCM lifecycle.

• Defines the strategic and tactical capability of an organization to plan for and respond to incidents.

• It is generic and offers organizations guidance on putting their BCM systems in place.

Page 20: Bcp drp

ISO 22301 – 2012 key Clauses

• Clause 1: Scope

• Clause 2: Normative References

• Clause 3: Terms and Conditions

• Clause 4: Context of the organization

• Clause 5: Leadership

• Clause 6: Planning

• Clause 7: Support

• Clause 8: Operation

• Clause 9: Performance evaluation

• Clause 10: Improvement

Page 21: Bcp drp

ISO 22301 - Clause 4: Context of the organization

Page 22: Bcp drp

ISO 22301 – Clause 5: Leadership

• Top management needs to demonstrate an ongoing commitment to the BCMS.

• Integrating the BCMS requirements into the organization’s business processes

• Providing the necessary resources for the BCMS

• Communicating the importance of effective business continuity management

• Ensuring that the BCMS achieves its expected outcomes

• Directing and supporting continual improvement

• Establishing and communicating a business continuity policy

• Ensuring that BCMS objectives and plans are established

• Ensuring that the responsibilities and authorities for relevant roles are assigned

Page 23: Bcp drp

ISO 22301 – Clause 6: Planning

• Establishing strategic objectives and guiding principles for the BCMS.

• The business continuity objectives must:

• be consistent with the business continuity policy;

• take into account the minimum level of products and services that is acceptable to the organization to achieve its objectives;

• be measurable;

• take into account applicable requirements;

• be monitored and updated as appropriate.

Page 24: Bcp drp

ISO 22301 – Clause 7: Support

• Using the appropriate resources for each task.

• Competent staff with relevant (and demonstrable)

• Training and supporting services

• Awareness and communication.

• Both internal and external communications of the organization must be considered in this area.

• The requirements on the creation, update and control of documented information are also specified in this clause.

Page 25: Bcp drp

ISO 22301 – Clause 8: Operation

• Business Impact Analysis (BIA)

• Risk assessment

• Business continuity strategy

• Business continuity procedures

• Exercising and testing

Page 26: Bcp drp

ISO 22301 – Clause 9: Performance evaluation

• ISO 22301 requires permanent monitoring of the system as well as periodic reviews to improve its operation:

• monitoring the extent to which the organization’s business continuity policy, objectives and targets are met;

• measuring the performance of the processes, procedures and functions that protect its prioritized activities;

• monitoring compliance with this standard and the business continuity objectives;

• monitoring historical evidence of deficient BCMS’ performance

• conducting internal audits at planned intervals; and

• evaluating all this in the management review at planned intervals.

Page 27: Bcp drp

ISO 22301 – Clause 10: Improvement

• Continual improvement:

• all the actions taken throughout the organization to increase effectiveness (reaching objectives) and efficiency (an optimal cost/benefit ratio) of security processes and controls to bring increased benefits to the organization and its stakeholders.

Page 28: Bcp drp

More information

• The American Institute of Certified Public Accountants (AICPA)

• Information Systems Audit and Control Association (ISACA)

• Association of Information Technology Professionals (AITP)

• Institute of Internal Auditors (IIA)

• International Association for Computer Information Systems (IACIS)

• Information Systems Security Association (ISSA)

• International Disaster Recovery Association (IDRA)

• Business Recovery Managers Association (BRMA)

• British Standards Institute (BSI)

• http://www.slideshare.net/AhmedRiad2/ss-38345026

Page 29: Bcp drp

Thank you
