Information Systems Security
Business Continuity Planning
Domain #6
Pieces of the BCP
Disaster Recovery Planning
– How to survive the disaster
– Emergency response responsibilities
– Recovery procedures
Business Continuity Planning
– How to stay in business crippled
– Continuity of critical business functions
– Reduce overall impact of interruption
Processes of the BCP Plan
Project Initiation Phase
Current State Assessment Phase
Design and Development Phase
Implementation Phase
Management Phase
REPEAT, REPEAT, REPEAT
Project Initiation
Gain support of management
Show cost versus benefit
Regulatory requirements
Ramifications of others not having a plan
Current vulnerability analysis
Current State Assessment
Threat Analysis
Business Impact Assessment
Continuity Planning Process Assessment
Benchmark or Peer Review
Design and Development
Develop appropriate continuity strategy
Develop crisis management plan
Develop infrastructure
Design initial acceptance testing
Plan for resource acquisition
Implementation
Deploy continuity plan
Perform short-term and long-term testing
Program maintenance
Program training and awareness
Program management process
Senior Management’s Role
Due diligence and due care
Drive all phases of the plan
Consistent support and final approval
Ensure that testing takes place
Constructing a budget
BCP Team
Minimum key personnel should be:
– Member of each key department
– Member of support staff
– IT reps
– Security reps
– Legal reps
– Senior management
BCP Committee
Carries out risk assessment and analysis
Analysis to be carried out before plan is developed
Execute
– Business impact analysis
– Development plan
– Testing and plan maintenance
Risk Assessment
ID critical business functions
ID resources these functions depend upon
Calculate life expectancy w/o resources
ID vulnerabilities and threats to these functions
Calculate risks to these functions
Develop backup plans for these functions
Develop recovery plans for these functions
Types of Analyses
Quantitative
– Involves the use of numbers and formulas to reach a decision
Qualitative
– Takes non-numerical factors such as emotions, confidence, workforce stability, and other concerns into account
Identify Priorities
Activities that are most essential to your day-to-day operations
Maximum Tolerable Downtime (MTD)
– Maximum length of time a business function can be inoperable without causing irreparable harm to the business
Identify Business Risks
Natural Disasters
– Storms, hurricanes, earthquakes, volcanoes…
Man Made
– Terrorist/wars/civil unrest
– Theft/vandalism
– Fire/explosion/building collapse
– Power outages
ID Critical Functions Resources
Specific types of technology
Necessary software
Electrical power
Network/physical production environment
Safe environment for workers
Access to outside entities
Communication lines
Likelihood Assessment
Business Impact Assessment (BIA) identifies the likelihood that each risk will occur
Expressed in terms of an annualized rate of occurrence (ARO) that reflects the number of times a business expects to experience a given disaster each year
Impact Assessment
Exposure Factor (EF) is the amount of damage that the risk poses to the asset
Single loss expectancy (SLE) is the $ loss that is expected each time the risk materializes
Annualized loss expectancy (ALE) is the $ loss that is expected to occur as a result of the risk over the period of a year
Example
Fire at Building
– Building value of $500,000
– Exposure factor of 70%
– Occurs once every 30 years
– What is the ALE?
Qualitative Assessment
Loss of confidence and goodwill among your clients
Loss of employees due to down time
Social/ethical responsibilities to the community
Negative publicity
Resource Prioritization
Create a list of all of the risks you analyzed during the BIA process and sort them in descending order by the ALE
Results of the quantitative or qualitative analysis may justify a risk as having a higher priority based on business impact
Continuity Strategy
Focuses on the development and implementation of a continuity strategy to minimize the impact realized risks might have on protected assets
Consider the MTD and decide which risks are acceptable
Bridge the gap between BIA and Continuity
Provisions and Processes
People
– Ensure that people within your organization are safe before, during, and after an emergency
– Building/facilities
– Infrastructure
Buildings/facilities
Hardening provisions
– Reinforce structure, patch roofs, etc.
Alternate sites
– Hot Site
  Ready for data processing in a few hours or less
  Contains all necessary systems, devices
  – Just needs people & data
  Annual tests are conducted
  Most expensive subscription option
More Sites
Warm Site
– Ready for data processing in 12 hours or longer
– Some peripheral devices
  Needs software, people, data, and computers
– Better choice for proprietary hardware/software
– Less expensive than hot sites
More Sites
Cold Site
– Empty building
– No equipment
– Electrical wiring, A/C, plumbing, and flooring
– Two weeks or longer for operational status
– Least expensive
Testing Offsite Facility
Hardware should be compatible
Software should be compatible
Type of database transfer
– Remote mirroring/database shadowing
– Remote journaling
– Electronic vaulting
Test data backups
– Full, incremental, differential
BCP Plan Approval
Gain top level management endorsement
Be prepared with explanations of purpose
Planning team should contain top level executive
– Helps to get final approval
Testing and Drills
Test Characteristics
– Indicate if company can actually recover
– At least annually
– Identify areas of weakness
Drills
– Create a disaster scenario
– Create goals to be accomplished
– Run drill and report findings to management
BCP Tests
Checklist tests
– Copies of BCP distributed to functional manager
– Review part of plan that addresses their area
– Simplest but most crucial
Structured walk through
– Functional managers meet to go through plan
Simulation
– Carry out the disaster scenario
– Continues up to actual relocation to offsite
– Response measures are tested
BCP Tests
Parallel
– Some systems are transported to the offsite facility for parallel processing
– Actually relocate personnel where they perform their disaster recovery tasks
Full interruption test
– Original site shuts down
– All processing takes place at offsite
What is Success?
Response within an acceptable timeframe
Operations at alternate location adequate
Backups successfully restored
Emergency personnel reached within acceptable time frame
Team members aware of current plan and able to perform associated duties
Plan is current and relevant
BCP Plan can Become Outdated
Technology changes
Company merges or splits
Plan is not properly maintained
Personnel turnover
No person or group made responsible
Plan not audited
No change control tool
BCP Phases
Business Impact Analysis
Strategy Development
Plan Development
Implementation
Testing
Maintenance
Are We There Yet?
2005 Survey indicates:
– Less than 15% of companies prepared for disaster
– 40% of companies would be out of business permanently if closed for a week
Legislative Issues
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLB)
Patriot Act
Electronic Communications Privacy Act (ECPA)