Business Continuity Planning

Date post: 16-May-2015
Upload: nostrad
Page 1: Business Continuity Planning

LTU CISP Security 1

Business Continuity Planning

The Problem - Reasons for Business Continuity Planning - BCP

Principles of BCP
Doing BCP
  The steps
  What is included
  The stages of an incident

Page 2: Business Continuity Planning

Definitions

A contingency plan is:
“A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation…”

(National Computer Security Center 1988)

1997-98 survey: >35% of companies have no plans

Page 3: Business Continuity Planning

Definitions of BCP

Disaster Recovery
Business Continuity Planning
End-user Recovery Planning
Contingency Planning
Emergency Response
Crisis Management

The goal is to assist the organization/business to continue functioning even though normal operations are disrupted

Includes steps to take
  Before a disruption
  During a disruption
  After a disruption

Page 4: Business Continuity Planning

Reasons for BCP

It is better to plan activities ahead of time rather than to react when the time comes
“Proactive” rather than “Reactive”
Take the correct actions when needed
Allow for experienced personnel to be absent

Page 5: Business Continuity Planning

Reasons for BCP

It is better to plan activities ahead of time rather than to react when the time comes
“Proactive” rather than “Reactive”

Maintain business operations
Keep the money coming in
Short and long term loss of business
Have necessary materials, equipment, information on hand
Saves time, mistakes, stress and $$
Planning can take up to 3 years

Page 6: Business Continuity Planning

Reasons for BCP

It is better to plan activities ahead of time rather than to react when the time comes
“Proactive” rather than “Reactive”

Maintain business operations
Keep the money coming in
Short and long term loss of business

Effect on customers
Public image
Loss of life

Page 7: Business Continuity Planning

Reasons for BCP

It is better to plan activities ahead of time rather than to react when the time comes
“Proactive” rather than “Reactive”

Maintain business operations
Keep the money coming in
Short and long term loss of business

Effect on customers
Legal requirements
  ’77 Foreign Corrupt Practices Act/protection of stockholders
  Management criminally liable

Page 8: Business Continuity Planning

Reasons for BCP

It is better to plan activities ahead of time rather than to react when the time comes

“Proactive” rather than “Reactive”

Maintain business operations
Keep the money coming in
Short and long term loss of business

Effect on customers
Legal requirements
  ’77 Foreign Corrupt Practices Act/protection of stockholders
  Federal Financial Institutions Examination Council (FFIEC)
  FCPA SAS30 Audit Standards
  Defense Investigative Service
  Legal and Regulatory sanctions, civil suits

Page 9: Business Continuity Planning

Definitions

Due Care
  minimum and customary practice of responsible protection of assets that reflects a community or societal norm

Due Diligence
  prudent management and execution of due care

Page 10: Business Continuity Planning

The Problem

Utility failures
Intruders
Fire/Smoke
Water
Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
Heat/Humidity
Electromagnetic emanations
Hostile activity
Technology failure

Page 11: Business Continuity Planning

Recent Disasters

Bombings
  ’92 London financial district
  ’93 World Trade Center, NY
  ’93 London financial district
  ’95 Oklahoma City
  ’01 World Trade Center, NY (9/11)

Earthquakes
  ’89 San Francisco
  ’94 Los Angeles
  ’95 Kobe, JP

Fires
  ’95 Malden Mills, Lawrence, MA
  ’96 Credit Lyonnais, FR
  ’97 Iron Mountain Record Center, Brunswick, NJ

Page 12: Business Continuity Planning

Recent Disasters

Power
  ’92 AT&T
  ’96 Orrville, OH
  ’99 East coast heat/drought brownouts

Floods
  ’97 Midwest floods

Storms
  ’92 Hurricane Andrew
  ’93 Northeast Blizzard
  ’96 Hurricanes Bertha, Fran
  ’98 Florida tornados

Hardware/Software
  Year 2000

Page 13: Business Continuity Planning

The Problem

Utility failures
Intruders
Fire/Smoke
Water
Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
Heat/Humidity
Electromagnetic emanations
Hostile activity
Technology failure

Failure to keep operating
Fortune 1000 study
Average loss $78K, up to $500K
65% failing over 1 week never reopen
Loss of market share common

Page 14: Business Continuity Planning

Threats

From Data Pro reports
  Errors & omissions 50%
  Fire, water, electrical 25%
  Dishonest employees 10%
  Disgruntled employees 10%
  Outsider threats 5%

Page 15: Business Continuity Planning

The Controls

Least Privilege
Information security

Redundancy
  Backed up data
  Alternate equipment
  Alternate communications
  Alternate facilities
  Alternate personnel
  Alternate procedures

Page 16: Business Continuity Planning

The Steps in a BCP - Initiation

Project initiation
Business case to obtain support
Sell the need for DRP (price vs benefit)
Build and maintain awareness
On-going testing & maintenance
Top down approach
Executive commitment and support MOST CRITICAL
Project planning, staffing
Local support/responsibility

Page 17: Business Continuity Planning

The Steps in a BCP - 1

Impact Assessment (Impact Analysis/Vulnerability Assessment/Current State Assessment/Risk Assessment)
Purpose
  Identify risks
  Identify business requirements for continuity
  Quantify impact of potential threats
  Balance impact and countermeasure cost
  Establish recovery priorities

Page 18: Business Continuity Planning

Benefits

Relates security objectives to organization mission
Quantifies how much to spend on security measures
Provides long term planning guidance

Building design
HW configuration
SW
Internal controls
Criteria for contingency plans
Security policy
Site selection

Protection requirements
Significant threats
Responsibilities

Page 19: Business Continuity Planning

The Steps in a BCP - 1

Risk Assessment
  Potential failure scenarios
  Likelihood of failure
  Cost of failure (loss impact analysis)
    Dollar losses
    Additional operational expenses
    Violation of contracts, regulatory requirements
    Loss of competitive advantage, public confidence
  Assumed maximum downtime (recovery time frames)
  Rate of losses
  Periodic criticality
  Time-loss curve charts

Page 20: Business Continuity Planning

The Steps in a BCP - 1

Risk Assessment/Analysis
  Potential failure scenarios (risks)
  Likelihood of failure
  Cost of failure, quantify impact of threat
  Assumed maximum downtime
  Annual Loss Expectancy
  Worst case assumptions
  Based on business process model? Or IT model?
  Identify critical functions and supporting resources
  Balance impact and countermeasure cost

Key - Potential damage Likelihood

Page 21: Business Continuity Planning

Definitions

Threat
  any event which could have an undesirable impact

Vulnerability
  absence or weakness of a risk-reducing safeguard, potential to allow a threat to occur with greater frequency, greater impact, or both

Exposure
  a measure of the magnitude of loss or impact on the value of the asset

Risk
  the potential for harm or loss, including the degree of confidence of the estimate

Page 22: Business Continuity Planning

Definitions

Quantitative Risk Analysis
  quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability
  Powerful aid to decision making
  Difficult to do in time and cost

Qualitative Risk Analysis
  minimally quantified estimates
  Exposure scale ranking estimates
  Easier in time and money
  Less compelling

Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative

Page 23: Business Continuity Planning

Results

Loss impact analysis
Recovery time frames
  Essential business functions
  Information systems applications
Recommended recovery priorities & strategies
Goals
  Understand economic & operational impact
  Determine recovery time frame (business/DP/Network)
  Identify most appropriate strategy
  Cost/justify recovery planning
  Include BCP in normal decision making process

Page 24: Business Continuity Planning

Risk Management Team

Management - Support
DP Operations
Systems Programming
Internal Audit
Physical Security
Application owners
Application programmers

Page 25: Business Continuity Planning

Preliminary Security Exam

Asset costs
Threat survey
  Personnel
  Physical environment
  HW/SW
  Communications
  Applications
  Operations
  Natural disasters
  Environment
  Facility
  Access
  Data value

Page 26: Business Continuity Planning

Preliminary Security Exam

Asset costs
Threat survey
Existing security measures
Management review

Page 27: Business Continuity Planning

Threats

Hardware failure
Utility failure
Natural disasters
Loss of key personnel
Human errors
Neighborhood hazards
Tampering
Disgruntled employees
Emanations
Unauthorized access
Safety
Improper use of technology
Repetition of errors
Cascading of errors

• Illogical processing
• Translation of user needs (technical requirements)
• Inability to control technology
• Equipment failure
• Incorrect entry of data
• Concentration of data
• Inability to react quickly
• Inability to substantiate processing
• Concentration of responsibilities
• Erroneous/falsified data
• Misuse

Page 28: Business Continuity Planning

Threats

Uncontrolled system access
Ineffective application security
Operations procedural errors
Program errors
Operating system flaws
Communications system failure
Utility failure

Page 29: Business Continuity Planning

Risk Analysis Steps

1 - Identify essential business functions
  Dollar losses or added expense
  Contract/legal/regulatory requirements
  Competitive advantage/market share
  Interviews, questionnaires, workshops

2 - Establish recovery plan parameters
  Prioritize business functions

3 - Gather impact data/Threat analysis
  Probability of occurrence, source of help
  Document business functions
  Define support requirements
  Document effects of disruption
  Determine maximum acceptable outage period
  Create outage scenarios

Page 30: Business Continuity Planning

Risk Analysis Steps

4 - Analyze and summarize
  Estimate potential losses
    Destruction/theft of assets
    Loss of data
    Theft of information
    Indirect theft of assets
    Delayed processing
    Consider periodicity
  Combine potential loss & probability
  Magnitude of risk is the ALE (Annual Loss Expectancy)
  Guide to security measures and how much to spend

Page 31: Business Continuity Planning

Results

Significant threats & probabilities
Critical tasks & loss potential by threat
Remedial measures
  Greatest net reduction in losses
  Annual cost
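
Added worked example (not part of the original slides): step 4 of the risk analysis and the Results slide carried through in Python, combining potential loss and probability into an ALE and then choosing remedial measures by greatest net reduction in losses after annual cost. All threat figures, measure costs and effect multipliers are constructed for illustration, and the greedy selection rule is an assumption of this example; it shows that a measure which pays for itself in isolation (the hot site) can stop doing so once a cheaper measure already covers the same threat.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    loss_per_event: float   # estimated potential loss per occurrence, in dollars
    events_per_year: float  # probability of occurrence as an annual frequency


@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost: float
    # threat name -> (loss multiplier, frequency multiplier) with the measure in place
    effect: dict = field(default_factory=dict)


def ale(threats, measures=()):
    """Annual Loss Expectancy: sum of loss x frequency over all threats."""
    total = 0.0
    for t in threats:
        loss, freq = t.loss_per_event, t.events_per_year
        for m in measures:
            loss_mult, freq_mult = m.effect.get(t.name, (1.0, 1.0))
            loss, freq = loss * loss_mult, freq * freq_mult
        total += loss * freq
    return total


def select_measures(threats, candidates):
    """Greedily add the measure with the greatest net reduction in losses
    (ALE saved minus annual cost), re-evaluated against measures already chosen."""
    chosen, remaining, plan = [], list(candidates), []
    current = ale(threats)

    def net(m):
        return current - ale(threats, chosen + [m]) - m.annual_cost

    while remaining:
        best = max(remaining, key=net)
        gain = net(best)
        if gain <= 0:
            break  # nothing left pays for itself: the rest is risk acceptance
        plan.append((best.name, round(gain)))
        chosen.append(best)
        remaining.remove(best)
        current = ale(threats, chosen)
    return plan, round(current)


# Constructed figures for illustration only.
THREATS = [
    Threat("Errors & omissions", 2_000, 25),
    Threat("Server room fire", 500_000, 0.02),
    Threat("Power outage", 20_000, 2),
]
MEASURES = [
    Measure("UPS and generator", 8_000, {"Power outage": (1.0, 0.1)}),
    Measure("Input validation", 5_000, {"Errors & omissions": (1.0, 0.4)}),
    Measure("Fire suppression", 6_000, {"Server room fire": (0.2, 1.0)}),
    Measure("Hot site", 25_000, {"Server room fire": (0.1, 1.0),
                                 "Power outage": (0.5, 1.0)}),
]

if __name__ == "__main__":
    print(ale(THREATS), select_measures(THREATS, MEASURES))
```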

Page 32: Business Continuity Planning

Information Valuation

Information has cost/value
  Acquire/develop/maintain
  Owner/Custodian/User/Adversary

Do a cost/value estimate for
  Cost/benefit analysis
  Integrate security in systems
  Avoid penalties
  Preserve proprietary information
  Business continuity

Circumstances affect valuation timing
Ethical obligation to use justifiable tools/techniques

Page 33: Business Continuity Planning

Conditions of Value

Exclusive possession
Utility
Cost of creation/recreation
Liability
Convertibility/negotiability
Operational impact
Market forces
Official value
Expert opinion/appraisal
Bilateral agreement/contract

Page 34: Business Continuity Planning

Scenario

A specific threat (potential event/act) in which assets are subject to loss

Write scenario for each major threat
Credibility/functionality review
Evaluate current safeguards
Finalize/Play out
Prepare findings

Page 35: Business Continuity Planning

The Steps in a BCP - 2

Strategy Development (Alternative Selection)
  Management support
  Team structure
  Strategy selection
    Cost effective
    Workable

Page 36: Business Continuity Planning

The Steps in a BCP - 3

Implementation (Plan Development)
  Specify resources needed for recovery
  Make necessary advance arrangements
  Mitigate exposures

Page 37: Business Continuity Planning

The Steps in a BCP - 3

Risk Prevention/Mitigation
  Security - physical and information (access)
  Environmental controls
  Redundancy - Backups/Recoverability
    Journaling, Mirroring, Shadowing
    On-line/near-line/off-line
  Insurance
  Emergency response plans
  Procedures
  Training
  Risk management program

Page 38: Business Continuity Planning

The Steps in a BCP - 3

Decision Making
  Cost effectiveness
  Total cost
  Human intervention requirements
  Manual functions are weakest
  Overrides and defaults
  Shutdown capability
  Default to no access
  Design openness
  Least Privilege
  Minimum information
  Visible safeguards
  Entrapment
  Selected vulnerabilities made attractive

Page 39: Business Continuity Planning

The Steps in a BCP - 3

Decision Making
  Universality
  Compartmentalization, defense in depth
  Isolation
  Completeness
  Instrumentation
  Independence of controller and subject
  Acceptance
  Sustainability
  Auditability
  Accountability
  Recovery

Page 40: Business Continuity Planning

Remedial Measures

Alter environment
Erect barriers
Improve procedures
Early detection
Contingency plans
Risk assignment (insurance)
Agreements
Stockpiling
Risk acceptance

Page 41: Business Continuity Planning

Remedial Measures

Fire Detection, suppression

Water Detection, equipment covers, positioning

Electrical UPS, generators

Environmental Backups

Good housekeeping
Backup procedures
Emergency response procedures

Page 42: Business Continuity Planning

The Steps in a BCP - 3

Plan Development
  Specify resources needed for recovery
  Team-based
  Recovery plans
  Mitigation steps
  Testing plans
  Prepared by those who will carry them out

Page 43: Business Continuity Planning

Included in a BCP

Off-site storage
  Trip there - secure? Timely?
  Physical layout of site
  Fire protection
  Climate controls
  Security access controls
  Backup power

Page 44: Business Continuity Planning

Included in a BCP

Off-site storage

Alternate site
  Reciprocal agreements/Multiple sites/Service bureaus
  Hot/Warm/Cold (Shell) sites
  Trip there - secure? Timely?
  Physical layout of site
  Fire protection
  Climate controls
  Security access controls
  Backup power
  Agreements

Page 45: Business Continuity Planning

Included in a BCP

Off-site storage
Alternate site
Backup processing
  Compatibility
  Capacity
  Journaling - maintaining audit records
    Remote journaling - to off-site location
    Shadowing - remote journaling and delayed mirroring
    Mirroring - maintaining realtime copy of data
    Electronic vaulting - bulk transfer of backup files

Page 46: Business Continuity Planning

Included in a BCP

Off-site storage
Alternate site
Backup processing
Communications
  Compatibility
  Accessibility
  Capacity
  Alternatives

Page 47: Business Continuity Planning

Included in a BCP

Off-site storage
Alternate site
Backup processing
Communications
Work space
  Accessibility
  Capacity
  Environment

Page 48: Business Continuity Planning

Included in a BCP

Off-site storage
Alternate site
Backup processing
Communications
Work space
Office equipment/supplies/documentation
Security
Critical business processes/Management
Testing
Vendors - Contact info, agreements
Teams - Contact info, transportation
Return to normal operations
Resources needed

Page 49: Business Continuity Planning

Complications

Media/Police/Public
Families
Fraud
Looting/Vandalism
Safety/Legal issues
Expenses/Approval

Page 50: Business Continuity Planning

The Steps in a BCP - Finally

Plan Testing
  Proves feasibility of recovery process
  Verifies compatibility of backup facilities
  Ensures adequacy of team procedures
    Identifies deficiencies in procedures
  Trains team members
  Provides mechanism for maintaining/updating the plan
  Upper management comfort

Page 51: Business Continuity Planning

The Steps in a BCP - Finally

Plan Testing
  Desk checks/Checklist
  Structured Walkthroughs
  Live exercises/Simulations
  Periodic off-site recovery tests/Parallel
  Full interruption drills

Page 52: Business Continuity Planning

The Steps in a BCP - Finally

Test
  Software
  Hardware
  Personnel
  Communications
  Procurement
  Procedures
  Supplies/forms
  Documentation
  Transportation
  Utilities
  Alternate site processing
  Security

Page 53: Business Continuity Planning

The Steps in a BCP - Finally

Test
  Purpose (scenario)
  Objectives/Assumptions
  Type
  Timing
  Schedule
  Duration
  Participants
  Assignments
  Constraints
  Steps

Page 54: Business Continuity Planning

The Steps in a BCP - Finally

Alternate Site Test
– Activate emergency control center
– Notify & mobilize personnel
– Notify vendors
– Pickup and transport
    tapes
    supplies
    documentation
– Install (Cold and Warm sites)
– IPL
– Verify
– Run
– Shut down/Clean up
– Document/Report

Page 55: Business Continuity Planning

The Steps in a BCP - Finally

Plan Update and Retest cycle (Plan Maintenance)
  Critical to maintain validity and usability of plan
    Environmental changes
    HW/SW/FW changes
    Personnel
  Needs to be included in organization plans
    Job description/expectations
    Personnel evaluations
    Audit work plans

Page 56: Business Continuity Planning

BCP by Stages

Initiation
Current state assessment
Develop support processes
Training
Impact Assessment
Alternative selection
Recovery Plan development
Support services continuity plan development
Master plan consolidation
Testing strategy development
Post transition plan development

Page 57: Business Continuity Planning

BCP by Stages

Implementation planning
Quick Hits
Implementation, testing, maintenance

Page 58: Business Continuity Planning

End User Planning

DP is critical to end users
Difficult to use manual procedures
Recovery is complex
Need to plan
  manual procedures
  recovery of data/transactions
  procedures for alternate site operation
  procedures to return to normal

Page 59: Business Continuity Planning

The Real World

DR plans normally involve
  Essential DP platforms/systems only
  A manual on the shelf written 2-3 years ago
  Little or no user involvement
  No provision for business processes
  No active testing
  Resource lists and contact information that do not match current realities

Page 60: Business Continuity Planning

Stages in an Incident

Disaster
  interruption affecting user operations significantly

Page 61: Business Continuity Planning

Stages in an Incident

Disaster
Initial/Emergency response
  Purpose
    Ensure safety of people
    Prevent further damage
  Activate emergency response team
  Covers emergency procedures for expected hazards
  Safety essential
  Emergency supplies
  Crisis Management plan - decision making

Page 62: Business Continuity Planning

Stages in an Incident

Disaster
Initial response
Impact assessment
  Activate assessment team
  Determine situation
    What is affected?
  Decide whether to activate plan

Page 63: Business Continuity Planning

Stages in an Incident

Disaster
Initial response
Impact assessment
Initial recovery
  Initial recovery of key areas at alternate site
  Detailed procedures
  Salvage/repair - Clean up

Page 64: Business Continuity Planning

Stages in an Incident

Disaster
Initial response
Impact assessment
Initial recovery
Return to normal/Business resumption
  Return to operation at normal site
  “Emergency” is not over until you are back to normal
  Requires just as much planning - Parallel operations

Page 65: Business Continuity Planning

Special Cases

Y2K
  Incidents will happen in a particular time frame
  Alternate sites won’t help
  Redundant equipment won’t help
  Backups won’t help
  Involves automated equipment and services

Page 66: Business Continuity Planning

Final Thoughts

Do you really want to activate a DR/BCP plan?
  Prevention
  Planning