Transcript
  • Donald HesterMarch 9, 2010

    For audio call Toll Free 1-888-886-3951 and use PIN/code 695202

    IT Best Practices for Community Colleges Part 2: Business Continuity

    Housekeeping
    • Maximize your CCC Confer window.
    • Phone audio will be in presenter-only mode.
    • Ask questions and make comments using the chat window.

    Adjusting audio: If you're listening on your computer, adjust your volume using the speaker slider. If you're listening over the phone, click on the phone headset icon. Do not listen on both computer and phone.

    Saving files and open/close captions: save the chat window with the floppy disk icon; open/close the captioning window with the CC icon.

    Emoticons and polling: raise hand, emoticons, polling options.

    CISOA Conference http://cisoa.net

    OMB Circular A-130, Appendix III, requires the development and maintenance of continuity of support plans for general support systems and contingency plans for major applications. (Source: NIST SP 800-34)

    Business continuity planning: the reestablishment of critical business operations so that operations can continue. If a disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue to function.

    Management must drive strategic planning to assure continuous information systems availability. Plans are referred to in a number of ways:
    • Business Continuity Plans (BCPs)
    • Disaster Recovery Plans (DRPs)
    • Incident Response Plans (IRPs)
    • Contingency Plans (CPs)
    • Continuity of Operations Plans (COOPs)
    • Business Recovery Plans (BRPs)
    Some organizations may have many types of plans; some may have one simple plan. Most organizations have inadequate planning.


    A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
    • Identify statutory requirements
    • Identify organizational requirements
    • Obtain management support
    • Create the policy
    • Publish the policy (communicate it)


    Begin with a Business Impact Analysis (BIA): if the attack succeeds, what do we do then? The CP team conducts the BIA in the following stages:
    • Threat attack identification
    • Business unit analysis
    • Attack success scenarios
    • Potential damage assessment
    • Subordinate plan classification
    The BIA helps to identify and prioritize critical IT systems and components.

    • Identify critical IT resources and dependencies
    • Identify maximum allowable downtime
    • Develop recovery strategies and priorities
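    The three BIA steps above are usually worked in a spreadsheet, and the part that is easy to get wrong by hand is the dependency cascade: a shared resource such as storage or the directory has to come back before the most time-critical system built on it, not just within its own allowable downtime. The following is an added example, not code from the seminar or from NIST SP 800-34. It assumes a constructed inventory of hypothetical college systems with illustrative hours; the system names, the mad_hours / rto_hours / depends_on fields and the function names are all this example's own. It derives each resource's effective recovery deadline from the dependency graph, flags resources whose planned recovery time cannot meet that deadline, and produces a recovery order that never schedules a system before what it depends on. A circular dependency is reported as an error, because that is itself a finding the BIA should surface.

```python
"""Dependency-aware business impact analysis (BIA) helper.

Given each IT resource's maximum allowable downtime (MAD), the recovery
time the current plan promises (RTO) and what it depends on, derive the
deadline each resource really has to meet, flag where the plan cannot
meet it, and produce a recovery order that respects dependencies.
"""
from collections import defaultdict
from graphlib import CycleError, TopologicalSorter  # standard library, Python 3.9+

# Constructed sample inventory for a hypothetical college; the names and
# hours are illustrative, not taken from the seminar.
SAMPLE_INVENTORY = {
    "student_portal":  {"mad_hours": 8,  "rto_hours": 6,  "depends_on": ["sis_db", "sso"]},
    "sis_db":          {"mad_hours": 24, "rto_hours": 12, "depends_on": ["san"]},
    "sso":             {"mad_hours": 48, "rto_hours": 4,  "depends_on": ["directory"]},
    "directory":       {"mad_hours": 72, "rto_hours": 24, "depends_on": ["san"]},
    "san":             {"mad_hours": 72, "rto_hours": 48, "depends_on": []},
    "payroll":         {"mad_hours": 96, "rto_hours": 48, "depends_on": ["directory"]},
    "library_catalog": {"mad_hours": 48, "rto_hours": 12, "depends_on": ["web_server"]},
    "web_server":      {"mad_hours": 72, "rto_hours": 24, "depends_on": []},
}


def _topological(inventory):
    """Resources ordered so every dependency precedes its dependents.
    A circular dependency is a BIA finding in its own right, so it is
    reported rather than silently ignored."""
    graph = {}
    for name, spec in inventory.items():
        for dep in spec["depends_on"]:
            if dep not in inventory:
                raise KeyError(f"{name!r} depends on unknown resource {dep!r}")
        graph[name] = set(spec["depends_on"])
    try:
        return list(TopologicalSorter(graph).static_order())
    except CycleError as exc:
        raise ValueError(f"circular dependency: {exc.args[1]}") from exc


def effective_deadlines(inventory):
    """{resource: hours}: the tightest of its own MAD and the deadlines of
    everything that depends on it.  A shared dependency such as storage
    inherits the most demanding deadline of any system built on it."""
    dependents = defaultdict(list)
    for name, spec in inventory.items():
        for dep in spec["depends_on"]:
            dependents[dep].append(name)
    deadline = {}
    # Walk dependents before dependencies so each dependent's figure is
    # final by the time its dependency is visited.
    for name in reversed(_topological(inventory)):
        own = inventory[name]["mad_hours"]
        deadline[name] = min([own] + [deadline[d] for d in dependents[name]])
    return deadline


def planning_gaps(inventory):
    """Resources whose planned RTO exceeds their effective deadline:
    {resource: (rto_hours, deadline_hours)}."""
    deadline = effective_deadlines(inventory)
    return {name: (spec["rto_hours"], deadline[name])
            for name, spec in inventory.items()
            if spec["rto_hours"] > deadline[name]}


def recovery_order(inventory):
    """Recovery sequence: tightest effective deadline first, ties broken by
    dependency order.  Because a dependency's deadline is never looser than
    its dependents', this never schedules a system before what it needs."""
    deadline = effective_deadlines(inventory)
    position = {name: i for i, name in enumerate(_topological(inventory))}
    return sorted(inventory, key=lambda name: (deadline[name], position[name]))


if __name__ == "__main__":
    deadline = effective_deadlines(SAMPLE_INVENTORY)
    print("Recovery order (effective deadline / planned RTO, hours):")
    for name in recovery_order(SAMPLE_INVENTORY):
        print(f"  {name:16s} {deadline[name]:3d} / {SAMPLE_INVENTORY[name]['rto_hours']:3d}")
    for name, (rto, due) in planning_gaps(SAMPLE_INVENTORY).items():
        print(f"GAP: {name} recovers in {rto}h but must be back within {due}h")
```

    In the sample data the storage array has a generous 72-hour MAD of its own, but because the student portal (8 hours) sits on top of the SIS database, which sits on the SAN, the SAN's effective deadline collapses to 8 hours and its 48-hour planned recovery is reported as a gap. That is the kind of mismatch a recovery strategy (hot site, mirrored storage, faster restore) has to close, and it is invisible if each system's downtime figure is reviewed in isolation.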

    Three types of threats:
    • Natural: e.g., earthquake, hurricane, tornado, flood, and fire
    • Human: e.g., operator error, sabotage, implanting of malicious code, and terrorist attacks
    • Environmental: e.g., equipment failure, software error, telecommunications network outage, and electric power failure


    Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs:
    • Redundancy
    • Backups
    • Environmental controls: A/C, fire suppression
    • Offsite storage
    • UPS / generator
    • Earthquake racks


    Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption:
    • Onsite recovery: recover from backup
    • Hardware replacement
    • Vendor agreements (SLAs)
    • Alternate site, reciprocal agreements
    • Cold site, warm site, hot site, mobile site, mirrored sites


    Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system:
    • Document roles and responsibilities
    • Document recovery information
    • Notification and activation
    • Damage assessment
    • Recovery procedures
    • Call tree

    Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
    • Annual testing
    • Classroom exercises
    • Functional exercises
    • Find weaknesses
    • Train users so that when it happens you are ready and know what to do


    The plan should be a living document that is updated regularly to remain current with system enhancements. The plan must be maintained in a ready state that accurately reflects system requirements, procedures, organizational structure, and policies.
    • Keep a record of changes
    • Update as needed


    "State, local, and tribal governments, as well as private sector organizations, are encouraged to use the guidelines, as appropriate." (NIST SP 800-100)

    California Information Security Strategic Plan (October 2009):

    "...by adopting the National Institute of Standards and Technology (NIST) 800-37 guidelines for certification and accreditation of information systems. Applying NIST guidelines to state government systems will demonstrate California's leadership in building a resilient, secure, and trustworthy digital infrastructure."

    "Establish a California modified version of the NIST 800-30 risk management standard as the risk management standard for all state agencies."

    "Establish a California-modified version of the NIST 800-53 recommended security controls within all state agencies."

    Resources:
    • NIST SP 800-34, Contingency Planning Guide for Information Technology Systems (has sample documents)
    • ISO 17799, section 11
    • COBIT DS4.0
    • Guide to Disaster Recovery by Michael Erbschloe, ISBN 0-619-13122-5
    • DRI International
    • Disaster-Resource.com

    Donald E. Hester
    CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+
    Maze & Associates
    @One / San Diego City College
    www.LearnSecurity.org
    http://www.linkedin.com/in/donaldehester
    http://www.facebook.com/group.php?gid=245570977486

    Q&A

    Evaluation survey link: Help us improve our seminars by filling out a short online evaluation survey at: http://www.surveymonkey.com/s/10SpIT2

  • Thanks for attendingFor upcoming events and links to recently archived seminars, check the @ONE Web site at: http://onefortraining.org/


