Information Systems Security

Date post: 09-Feb-2016
Page 1: Information Systems  Security

Information Systems Security

Business Continuity Planning: Domain #6

Page 2: Information Systems  Security

Pieces of the BCP

Disaster Recovery Planning
– How to survive the disaster
– Emergency response responsibilities
– Recovery procedures

Business Continuity Planning
– How to stay in business while crippled
– Continuity of critical business functions
– Reduce overall impact of the interruption

Page 3: Information Systems  Security

Processes of the BCP Plan

Project Initiation Phase
Current State Assessment Phase
Design and Development Phase
Implementation Phase
Management Phase
REPEAT, REPEAT, REPEAT

Page 4: Information Systems  Security

Project Initiation

Gain support of management
Show cost versus benefit
Regulatory requirements
Ramifications for others that did not have a plan
Current vulnerability analysis

Page 5: Information Systems  Security

Current State Assessment

Threat Analysis
Business Impact Assessment
Continuity Planning Process Assessment
Benchmark or Peer Review

Page 6: Information Systems  Security

Design and Development

Develop appropriate continuity strategy
Develop crisis management plan
Develop infrastructure
Design initial acceptance testing
Plan for resource acquisition

Page 7: Information Systems  Security

Implementation

Deploy continuity plan
Perform short-term and long-term testing
Program maintenance
Program training and awareness
Program management process

Page 8: Information Systems  Security

Senior Management’s Role

Due diligence and due care
Drive all phases of the plan
Consistent support and final approval
Ensure that testing takes place
Constructing a budget

Page 9: Information Systems  Security

BCP Team

Minimum key personnel should be:
– Member of each key department
– Member of support staff
– IT reps
– Security reps
– Legal reps
– Senior management

Page 10: Information Systems  Security

BCP Committee

Carries out risk assessment and analysis
Analysis to be carried out before the plan is developed
Executes:
– Business impact analysis
– Development plan
– Testing and plan maintenance

Page 11: Information Systems  Security

Risk Assessment

ID critical business functions
ID resources these functions depend upon
Calculate life expectancy w/o resources
ID vulnerabilities and threats to these functions
Calculate risks to these functions
Develop backup plans for these functions
Develop recovery plans for these functions

Page 12: Information Systems  Security

Types of Analyses

Quantitative
– Uses numbers and formulas (asset values, loss expectancies) to reach a decision

Qualitative
– Takes non-numerical factors into account, such as emotions, confidence, workforce stability, and other concerns

Page 13: Information Systems  Security

Identify Priorities

Activities that are most essential to your day-to-day operations

Maximum Tolerable Downtime (MTD)
– Maximum length of time a business function can be inoperable without causing irreparable harm to the business

Page 14: Information Systems  Security

Identify Business Risks

Natural Disasters
– Storms, hurricanes, earthquakes, volcanoes…

Man Made
– Terrorism/wars/civil unrest
– Theft/vandalism
– Fire/explosion/building collapse
– Power outages

Page 15: Information Systems  Security

ID Critical Functions Resources

Specific types of technology
Necessary software
Electrical power
Network/physical production environment
Safe environment for workers
Access to outside entities
Communication lines

Page 16: Information Systems  Security

Likelihood Assessment

Business Impact Assessment (BIA) identifies the likelihood that each risk will occur

Expressed in terms of an annualized rate of occurrence (ARO) that reflects the number of times a business expects to experience a given disaster each year

Page 17: Information Systems  Security

Impact Assessment

Exposure Factor (EF) is the percentage of the asset's value that the risk is expected to destroy when it materializes

Single loss expectancy (SLE) is the $ loss expected each time the risk materializes: SLE = asset value × EF

Annualized loss expectancy (ALE) is the $ loss expected to occur as a result of the risk over the period of a year: ALE = SLE × ARO

Page 18: Information Systems  Security

Example

Fire at Building
– Building value (AV) of $500,000
– Exposure factor of 70%
– Occurs once every 30 years (ARO = 1/30)
– What is the ALE?
– SLE = AV × EF = $500,000 × 0.70 = $350,000; ALE = SLE × ARO = $350,000 × (1/30) ≈ $11,667 per year

Page 19: Information Systems  Security

Qualitative Assessment

Loss of confidence and goodwill among your clients
Loss of employees due to downtime
Social/ethical responsibilities to the community
Negative publicity

Page 20: Information Systems  Security

Resource Prioritization

Create a list of all of the risks you analyzed during the BIA process and sort them in descending order by the ALE

Results of the quantitative or qualitative analysis may justify a risk as having a higher priority based on business impact
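The quantitative chain on the preceding slides (SLE = AV × EF, ALE = SLE × ARO) and the "sort by ALE" prioritization step above, as an added example that is not part of the original slide deck. It uses the deck's fire scenario plus two hypothetical entries with made-up figures, chosen to show that the most valuable asset is not automatically the top priority once frequency is taken into account.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of a risk register, using the deck's quantitative terms."""
    name: str
    asset_value: float      # AV: replacement value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost when the risk materializes (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: dollar loss per occurrence (SLE = AV x EF)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected dollar loss per year (ALE = SLE x ARO)."""
        if self.aro < 0:
            raise ValueError(f"{self.name}: ARO cannot be negative")
        return self.sle() * self.aro


def aro_from_interval(years_between_events: float) -> float:
    """Turn 'occurs once every N years' into an ARO of 1/N (N < 1 means several times a year)."""
    if years_between_events <= 0:
        raise ValueError("interval must be a positive number of years")
    return 1.0 / years_between_events


def prioritize(register: list[Risk]) -> list[Risk]:
    """Sort the register in descending ALE order, as the deck's prioritization step does."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)


def register_report(register: list[Risk]) -> list[tuple[str, float, float]]:
    """Return (name, SLE, ALE) rows in priority order, rounded to cents."""
    return [(r.name, round(r.sle(), 2), round(r.ale(), 2)) for r in prioritize(register)]


# Constructed register: the deck's fire example plus two hypothetical entries
# whose asset values, exposure factors and intervals are made up for illustration.
REGISTER = [
    Risk("Fire at building", asset_value=500_000, exposure_factor=0.70,
         aro=aro_from_interval(30)),
    Risk("Ransomware on file server", asset_value=200_000, exposure_factor=0.50,
         aro=aro_from_interval(2)),
    Risk("Extended power outage", asset_value=150_000, exposure_factor=0.10,
         aro=1.0),
]


if __name__ == "__main__":
    for name, sle, ale in register_report(REGISTER):
        print(f"{name:28s} SLE ${sle:>12,.2f}  ALE ${ale:>12,.2f}")
```

The fire comes out at about $11,667 per year and sorts last, behind the cheaper but far more frequent scenarios; that ranking is the starting point, and the qualitative factors on the next slides may still move an entry up.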

Page 21: Information Systems  Security

Continuity Strategy

Focuses on the development and implementation of a continuity strategy to minimize the impact realized risks might have on protected assets

Consider the MTD and decide which risks are acceptable

Bridge the gap between BIA and Continuity

Page 22: Information Systems  Security

Provisions and Processes

People
– Ensure that people within your organization are safe before, during, and after an emergency

Building/facilities

Infrastructure

Page 23: Information Systems  Security

Buildings/facilities

Hardening provisions
– Reinforce structure, patch roofs, etc.

Alternate sites
– Hot Site
Ready for data processing in a few hours or less
Contains all necessary systems and devices; just needs people and data
Annual tests are conducted
Most expensive subscription option

Page 24: Information Systems  Security

More Sites

Warm Site
– Ready for data processing in 12 hours or longer
– Some peripheral devices present
– Needs software, people, data, and computers
– Better choice for proprietary hardware/software
– Less expensive than hot sites

Page 25: Information Systems  Security

More Sites

Cold Site
– Empty building
– No equipment
– Electrical wiring, A/C, plumbing, and flooring only
– Two weeks or longer to reach operational status
– Least expensive

Page 26: Information Systems  Security

Testing Offsite Facility

Hardware should be compatible
Software should be compatible
Type of database transfer
– Remote mirroring/database shadowing
– Remote journaling
– Electronic vaulting

Test data backups
– Full, incremental, differential
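Testing backups means more than confirming the files exist: the restore order differs between the full, incremental and differential schemes on the slide above, and a single missing incremental invalidates everything after it. The following is an added example, not part of the original deck, that works out the restore chain for each scheme from a constructed backup catalog (dates and kinds are made up; a real test would run the restore at the offsite facility).

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Backup:
    taken: date
    kind: str  # "full", "incremental" or "differential"


def restore_chain(backups: list[Backup], target: date) -> list[Backup]:
    """Backups to apply, in order, to restore the state as of `target`.

    Start from the newest full taken on or before target. Then apply the
    newest differential after that full, if any: a differential holds every
    change since the full, so earlier differentials are redundant. Then apply
    every incremental taken after that point in date order: each one holds
    only the changes since the previous backup of any kind, so none can be
    skipped.
    """
    usable = sorted((b for b in backups if b.taken <= target), key=lambda b: b.taken)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup on or before the target date; nothing to restore from")
    base = fulls[-1]
    chain = [base]
    since = base.taken
    diffs = [b for b in usable if b.kind == "differential" and b.taken > since]
    if diffs:
        chain.append(diffs[-1])
        since = diffs[-1].taken
    chain.extend(b for b in usable if b.kind == "incremental" and b.taken > since)
    return chain


def chain_gaps(chain: list[Backup], expected_interval_days: int = 1) -> list[tuple[date, date]]:
    """Consecutive chain entries further apart than the backup schedule allows.

    A gap before an incremental means a lost backup: the restore is silently
    incomplete from that point on. Differential chains have no such
    dependency, which is the trade-off between the two schemes.
    """
    gaps = []
    for prev, nxt in zip(chain, chain[1:]):
        if nxt.kind == "incremental" and (nxt.taken - prev.taken).days > expected_interval_days:
            gaps.append((prev.taken, nxt.taken))
    return gaps


# Constructed catalogs: a Sunday full followed by daily backups of one kind or the other.
FULL = Backup(date(2016, 2, 7), "full")
INCREMENTAL_WEEK = [FULL] + [Backup(date(2016, 2, d), "incremental") for d in (8, 9, 10, 11)]
DIFFERENTIAL_WEEK = [FULL] + [Backup(date(2016, 2, d), "differential") for d in (8, 9, 10, 11)]
# Same as the incremental week but with Tuesday's tape lost.
BROKEN_WEEK = [b for b in INCREMENTAL_WEEK if b.taken != date(2016, 2, 9)]


if __name__ == "__main__":
    target = date(2016, 2, 11)
    for label, catalog in (("incremental", INCREMENTAL_WEEK), ("differential", DIFFERENTIAL_WEEK)):
        chain = restore_chain(catalog, target)
        print(f"{label}: apply {len(chain)} backups:", [f"{b.kind} {b.taken}" for b in chain])
    print("gaps in broken week:", chain_gaps(restore_chain(BROKEN_WEEK, target)))
```

The incremental week needs the full plus four tapes, the differential week only the full plus Thursday's differential, and the broken week restores without error but reports a gap, which is exactly the condition a backup test at the offsite facility is meant to surface.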

Page 27: Information Systems  Security

BCP Plan Approval

Gain top-level management endorsement
Be prepared with explanations of purpose
Planning team should contain a top-level executive
– Helps to get final approval

Page 28: Information Systems  Security

Testing and Drills

Test Characteristics
– Indicate if the company can actually recover
– At least annually
– Identify areas of weakness

Drills
– Create a disaster scenario
– Create goals to be accomplished
– Run the drill and report findings to management

Page 29: Information Systems  Security

BCP Tests

Checklist tests
– Copies of the BCP distributed to functional managers
– Each reviews the part of the plan that addresses their area
– Simplest but most crucial

Structured walk-through
– Functional managers meet to go through the plan

Simulation
– Carry out the disaster scenario
– Continues up to, but not including, actual relocation to the offsite facility
– Response measures are tested

Page 30: Information Systems  Security

BCP Tests

Parallel
– Some systems are transported to the offsite facility for parallel processing
– Actually relocate personnel, who perform their disaster recovery tasks there

Full interruption test
– Original site shuts down
– All processing takes place at the offsite facility

Page 31: Information Systems  Security

What is Success?

Response within an acceptable timeframe
Operations at alternate location adequate
Backups successfully restored
Emergency personnel reached within an acceptable time frame
Team members aware of current plan and able to perform associated duties
Plan is current and relevant

Page 32: Information Systems  Security

BCP Plan can Become Outdated

Technology changes
Company merges or splits
Plan is not properly maintained
Personnel turnover
No person or group made responsible
Plan not audited
No change control tool

Page 33: Information Systems  Security

BCP Phases

Business Impact Analysis
Strategy Development
Plan Development
Implementation
Testing
Maintenance

Page 34: Information Systems  Security

Are We There Yet?

2005 survey indicates:
– Less than 15% of companies prepared for disaster
– 40% of companies would be out of business permanently if closed for a week

Page 35: Information Systems  Security

Legislative Issues

Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley Act (GLBA)
USA PATRIOT Act
Electronic Communications Privacy Act (ECPA)
