LTU CISP Security 1
Business Continuity Planning

• The Problem
• Reasons for Business Continuity Planning (BCP)
• Principles of BCP
• Doing BCP
  – The steps
  – What is included
  – The stages of an incident
LTU CISP Security 2
Definitions
A contingency plan is:“A plan for emergency response, backup operations,
and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation…”
(National Computer Security Center 1988)
1997-98 survey >35% of companies have no plans
LTU CISP Security 3
Definitions of BCP
Disaster Recovery Business Continuity Planning End-user Recovery Planning Contingency Planning Emergency Response Crisis Management
The goal is to assist the organization/business to continue functioning even though normal operations are disrupted
Includes steps to take Before a disruption During a disruption After a disruption
LTU CISP Security 4
Reasons for BCP
It is better to plan activities ahead of time rather than to react when the time comes“Proactive” rather than “Reactive”Take the correct actions when neededAllow for experienced personnel to be absent
LTU CISP Security 5
Reasons for BCP
It is better to plan activities ahead of time rather than to react when the time comes“Proactive” rather than “Reactive”
Maintain business operations Keep the money coming in Short and long term loss of business Have necessary materials, equipment, information on hand Saves time, mistakes, stress and $$ Planning can take up to 3 years
LTU CISP Security 6
Reasons for BCP
It is better to plan activities ahead of time rather than to react when the time comes“Proactive” rather than “Reactive”
Maintain business operations Keep the money coming in Short and long term loss of business
Effect on customersPublic imageLoss of life
LTU CISP Security 7
Reasons for BCP
It is better to plan activities ahead of time rather than to react when the time comes“Proactive” rather than “Reactive”
Maintain business operations Keep the money coming in Short and long term loss of business
Effect on customers Legal requirements
‘77 Foreign Corrupt Practices Act/protection of stockholders Management criminally liable
LTU CISP Security 8
Reasons for BCP
It is better to plan activities ahead of time rather than to react when the time comes
“Proactive” rather than “Reactive”
Maintain business operations Keep the money coming in Short and long term loss of business
Effect on customers Legal requirements
‘77 Foreign Corrupt Practices Act/protection of stockholders Federal Financial Institutions Examination Council (FFIEC) FCPA SAS30 Audit Standards Defense Investigative Service Legal and Regulatory sanctions, civil suits
LTU CISP Security 9
Definitions
Due Careminimum and customary practice of
responsible protection of assets that reflects a community or societal norm
Due Diligenceprudent management and execution of due
care
LTU CISP Security 10
The Problem
Utility failures Intruders Fire/Smoke Water Natural disasters (earthquakes, snow/hail/ice, lightning,
hurricanes) Heat/Humidity Electromagnetic emanations Hostile activity Technology failure
LTU CISP Security 11
Recent Disasters
Bombings ‘92 London financial district ‘93 World Trade Center, NY ‘93 London financial district ‘95 Oklahoma City ’01 World Trade Center, NY (9/11)
Earthquakes ‘89 San Francisco ‘94 Los Angeles ‘95 Kobe, JP
Fires ‘95 Malden Mills, Lawrence, MA ‘96 Credit Lyonnais, FR ‘97 Iron Mountain Record Center, Brunswick, NJ
LTU CISP Security 12
Recent Disasters
Power ‘92 AT&T ‘96 Orrville, OH ‘99 East coast heat/drought brownouts
Floods ‘97 Midwest floods
Storms ‘92 Hurricane Andrew ‘93 Northeast Blizzard ‘96 Hurricanes Bertha, Fran ‘98 Florida tornados
Hardware/Software Year 2000
LTU CISP Security 13
The Problem
Utility failures Intruders Fire/Smoke Water Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes) Heat/Humidity Electromagnetic emanations Hostile activity Technology failure
Failure to keep operatingFortune 1000 study Average loss $78K, up to $500K 65% failing over 1 week never reopen Loss of market share common
LTU CISP Security 14
Threats
From Data Pro reportsErrors & omissions 50%Fire, water, electrical 25%Dishonest employees 10%Disgruntled employees 10%Outsider threats 5%
LTU CISP Security 15
The Controls
Least Privilege Information security
Redundancy Backed up dataAlternate equipmentAlternate communicationsAlternate facilitiesAlternate personnelAlternate procedures
LTU CISP Security 16
The Steps in a BCP - Initiation
Project initiation Business case to obtain support Sell the need for DRP (price vs benefit) Build and maintain awareness On-going testing & maintenance Top down approach Executive commitment and support MOST CRITICAL Project planning, staffing
Local support/responsibility
LTU CISP Security 17
The Steps in a BCP - 1
Impact Assessment (Impact Analysis/Vulnerability Assessment/Current State Assessment/Risk Assessment )Purpose Identify risks Identify business requirements for continuity Quantify impact of potential threats Balance impact and countermeasure cost Establish recovery priorities
LTU CISP Security 18
Benefits
Relates security objectives to organization mission Quantifies how much to spend on security measures Provides long term planning guidance
Building design HW configuration SW Internal controls Criteria for contingency plans Security policy Site selection
Protection requirements Significant threats Responsibilities
LTU CISP Security 19
The Steps in a BCP - 1
Risk AssessmentPotential failure scenariosLikelihood of failureCost of failure (loss impact analysis)
Dollar losses Additional operational expenses Violation of contracts, regulatory requirements Loss of competitive advantage, public confidence
Assumed maximum downtime (recovery time frames) Rate of losses Periodic criticality Time-loss curve charts
LTU CISP Security 20
The Steps in a BCP - 1
Risk Assessment/Analysis Potential failure scenarios (risks) Likelihood of failure Cost of failure, quantify impact of threat Assumed maximum downtime Annual Loss Expectancy Worst case assumptions Based on business process model? Or IT model? Identify critical functions and supporting resources Balance impact and countermeasure cost
Key - Potential damage Likelihood
LTU CISP Security 21
Definitions
Threat any event which could have an undesirable impact
Vulnerability absence or weakness of a risk-reducing safeguard, potential to allow
a threat to occur with greater frequency, greater impact, or both Exposure a measure of the magnitude of loss or impact on the value of the
asset
Risk the potential for harm or loss, including the degree of confidence of
the estimate
LTU CISP Security 22
Definitions
Quantitative Risk Analysis quantified estimates of impact, threat frequency, safeguard
effectiveness and cost, and probability Powerful aid to decision making Difficult to do in time and cost
Qualitative Risk Analysis minimally quantified estimates Exposure scale ranking estimates Easier in time and money Less compelling
Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative
LTU CISP Security 23
Results
Loss impact analysis Recovery time frames
Essential business functions Information systems applications
Recommended recovery priorities & strategies Goals
Understand economic & operational impact Determine recovery time frame (business/DP/Network) Identify most appropriate strategy Cost/justify recovery planning Include BCP in normal decision making process
LTU CISP Security 24
Risk Management Team
Management - Support DP Operations Systems Programming Internal Audit Physical Security Application owners Application programmers
LTU CISP Security 25
Preliminary Security Exam
Asset costs Threat survey
Personnel Physical environment HW/SW Communications Applications Operations Natural disasters Environment Facility Access Data value
LTU CISP Security 26
Preliminary Security Exam
Asset costs Threat survey Existing security measures Management review
LTU CISP Security 27
Threats
Hardware failure Utility failure Natural disasters Loss of key personnel Human errors Neighborhood hazards Tampering Disgruntled employees Emanations Unauthorized access Safety Improper use of technology Repetition of errors Cascading of errors
• Illogical processing• Translation of user needs
(technical requirements)• Inability to control
technology• Equipment failure• Incorrect entry of data• Concentration of data• Inability to react quickly• Inability to substantiate
processing• Concentration of
responsibilities• Erroneous/falsified data• Misuse
LTU CISP Security 28
Threats
Uncontrolled system access Ineffective application security Operations procedural errors Program errors Operating system flaws Communications system failure Utility failure
LTU CISP Security 29
Risk Analysis Steps
1 - Identify essential business functions Dollar losses or added expense Contract/legal/regulatory requirements Competitive advantage/market share Interviews, questionnaires, workshops
2 - Establish recovery plan parameters Prioritize business functions
3 - Gather impact data/Threat analysis Probability of occurrence, source of help Document business functions Define support requirements Document effects of disruption Determine maximum acceptable outage period Create outage scenarios
LTU CISP Security 30
Risk Analysis Steps
4 - Analyze and summarize Estimate potential losses
Destruction/theft of assets Loss of data Theft of information Indirect theft of assets Delayed processing Consider periodicity
Combine potential loss & probability Magnitude of risk is the ALE (Annual Loss
Expectancy) Guide to security measures and how much to spend
LTU CISP Security 31
Results
Significant threats & probabilities Critical tasks & loss potential by
threat Remedial measures
Greatest net reduction in losses Annual cost
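The ALE computation from step 4 of the risk analysis and the "greatest net reduction in losses" criterion for choosing remedial measures, worked through as an added Python example that is not part of the original slides. It assumes the standard quantitative form ALE = SLE × ARO for "combine potential loss & probability"; the threats, safeguards, dollar figures and frequencies are constructed for illustration, and a safeguard is modelled as shrinking the threat's SLE, its ARO, or both.

```python
"""ALE and safeguard selection. Added example, not from the slides; all
threats, safeguards, dollar figures and frequencies are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # Single Loss Expectancy: dollar loss per occurrence
    aro: float  # Annualized Rate of Occurrence: expected events per year

    def ale(self) -> float:
        """Annual Loss Expectancy: potential loss combined with probability."""
        return self.sle * self.aro

@dataclass(frozen=True)
class Safeguard:
    name: str
    threat: str              # the threat this remedial measure addresses
    annual_cost: float       # annualized cost of the countermeasure
    aro_factor: float = 1.0  # residual ARO as a fraction (0.1 = 90% fewer events)
    sle_factor: float = 1.0  # residual SLE as a fraction (0.25 = 75% less loss)

def residual_ale(t: Threat, s: Safeguard) -> float:
    """ALE that remains once the safeguard is in place."""
    return (t.sle * s.sle_factor) * (t.aro * s.aro_factor)

def net_benefit(t: Threat, s: Safeguard) -> float:
    """ALE avoided minus annual cost; negative means it costs more than it saves."""
    return t.ale() - residual_ale(t, s) - s.annual_cost

def rank_safeguards(threats, safeguards):
    """Order remedial measures by greatest net reduction in losses."""
    by_name = {t.name: t for t in threats}
    rows = [{"safeguard": s.name, "ale": by_name[s.threat].ale(),
             "residual_ale": residual_ale(by_name[s.threat], s),
             "annual_cost": s.annual_cost,
             "net_benefit": net_benefit(by_name[s.threat], s)} for s in safeguards]
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)

THREATS = [  # constructed figures
    Threat("server room fire", sle=400_000, aro=0.1),      # about once a decade
    Threat("utility power failure", sle=20_000, aro=2.0),  # twice a year
    Threat("errors and omissions", sle=5_000, aro=12.0),   # monthly
]
SAFEGUARDS = [  # constructed figures
    Safeguard("detection and suppression", "server room fire", 15_000, sle_factor=0.25),
    Safeguard("fully mirrored hot site", "server room fire", 50_000, sle_factor=0.1),
    Safeguard("UPS and generator", "utility power failure", 12_000, aro_factor=0.1),
    Safeguard("dual control on data entry", "errors and omissions", 35_000, aro_factor=0.5),
]

if __name__ == "__main__":
    for r in rank_safeguards(THREATS, SAFEGUARDS):
        print(f'{r["safeguard"]:27} net {r["net_benefit"]:>+8,.0f}/yr',
              "justified" if r["net_benefit"] > 0 else "not justified")
```

With these figures the UPS ranks first even though the fire has the same ALE as the power failures, and the hot-site mirror and the dual-control procedure both cost more per year than the losses they avoid, which is the "how much to spend" signal the slides describe.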
LTU CISP Security 32
Information Valuation
Information has cost/value Acquire/develop/maintain Owner/Custodian/User/Adversary
Do a cost/value estimate for Cost/benefit analysis Integrate security in systems Avoid penalties Preserve proprietary information Business continuity
Circumstances effect valuation timing Ethical obligation to use justifiable tools/techniques
LTU CISP Security 33
Conditions of Value
Exclusive possession Utility Cost of creation/recreation Liability Convertibility/negotiability Operational impact Market forces Official value Expert opinion/appraisal Bilateral agreement/contract
LTU CISP Security 34
Scenario
A specific threat (potential event/act) in which assets are subject to loss
Write scenario for each major threat Credibility/functionality review Evaluate current safeguards Finalize/Play out Prepare findings
LTU CISP Security 35
The Steps in a BCP - 2
Strategy Development (Alternative Selection)Management supportTeam structureStrategy selection
Cost effective Workable
LTU CISP Security 36
The Steps in a BCP - 3
Implementation (Plan Development)Specify resources needed for recoveryMake necessary advance arrangementsMitigate exposures
LTU CISP Security 37
The Steps in a BCP - 3
Risk Prevention/Mitigation Security - physical and information (access) Environmental controls Redundancy - Backups/Recoverability
Journaling, Mirroring, Shadowing On-line/near-line/off-line
Insurance Emergency response plans Procedures Training Risk management program
LTU CISP Security 38
The Steps in a BCP - 3
Decision Making Cost effectiveness
Total cost Human intervention requirements
Manual functions are weakest Overrides and defaults
Shutdown capability Default to no access
Design openness Least Privilege
Minimum information Visible safeguards
Entrapment Selected vulnerabilities made attractive
LTU CISP Security 39
The Steps in a BCP - 3
Decision Making Universality Compartmentalization, defense in depth Isolation Completeness Instrumentation Independence of controller and subject Acceptance Sustainability Auditability Accountability Recovery
LTU CISP Security 40
Remedial Measures
Alter environment Erect barriers Improve procedures Early detection Contingency plans Risk assignment (insurance) Agreements Stockpiling Risk acceptance
LTU CISP Security 41
Remedial Measures
Fire Detection, suppression
Water Detection, equipment covers, positioning
Electrical UPS, generators
Environmental Backups
Good housekeeping Backup procedures Emergency response procedures
LTU CISP Security 42
The Steps in a BCP - 3
Plan DevelopmentSpecify resources needed for recoveryTeam-basedRecovery plansMitigation stepsTesting plansPrepared by those who will carry them out
LTU CISP Security 43
Included in a BCP
Off-site storageTrip there - secure? Timely?Physical layout of siteFire protectionClimate controlsSecurity access controlsBackup power
LTU CISP Security 44
Included in a BCP
Off-site storage
Alternate site Reciprocal agreements/Multiple sites/Service bureaus Hot/Warm/Cold(Shell) sites Trip there - secure? Timely? Physical layout of site Fire protection Climate controls Security access controls Backup power Agreements
LTU CISP Security 45
Included in a BCP
Off-site storage Alternate site
Backup processing Compatibility Capacity Journaling - maintaining audit records
Remote journaling - to off-site location Shadowing - remote journaling and delayed mirroring Mirroring - maintaining realtime copy of data Electronic vaulting - bulk transfer of backup files
LTU CISP Security 46
Included in a BCP
Off-site storage Alternate site Backup processing
CommunicationsCompatibilityAccessibilityCapacityAlternatives
LTU CISP Security 47
Included in a BCP
Off-site storage Alternate site Backup processing Communications
Work spaceAccessibilityCapacityEnvironment
LTU CISP Security 48
Included in a BCP
Off-site storage Alternate site Backup processing Communications Work space Office equipment/supplies/documentation Security Critical business processes/Management Testing Vendors - Contact info, agreements Teams - Contact info, transportation Return to normal operations Resources needed
LTU CISP Security 49
Complications
Media/Police/Public Families Fraud Looting/Vandalism Safety/Legal issues Expenses/Approval
LTU CISP Security 50
The Steps in a BCP - Finally
Plan TestingProves feasibility of recovery processVerifies compatibility of backup facilitiesEnsures adequacy of team procedures
Identifies deficiencies in procedures
Trains team membersProvides mechanism for maintaining/updating the
planUpper management comfort
LTU CISP Security 51
The Steps in a BCP - Finally
Plan TestingDesk checks/ChecklistStructured WalkthroughsLife exercises/SimulationsPeriodic off-site recovery tests/ParallelFull interruption drills
LTU CISP Security 52
The Steps in a BCP - Finally
Test Software Hardware Personnel Communications Procurement Procedures Supplies/forms Documentation Transportation Utilities Alternate site processing Security
LTU CISP Security 53
The Steps in a BCP - Finally
Test Purpose (scenario) Objectives/Assumptions Type Timing Schedule Duration Participants
Assignments Constraints Steps
LTU CISP Security 54
The Steps in a BCP - Finally
Alternate Site Test– Activate emergency control center– Notify & mobilize personnel– Notify vendors– Pickup and transport
tapes supplies documentation
– Install (Cold and Warm sites)– IPL– Verify– Run– Shut down/Clean up– Document/Report
LTU CISP Security 55
The Steps in a BCP - Finally
Plan Update and Retest cycle (Plan Maintenance) Critical to maintain validity and usability of plan
Environmental changes HW/SW/FW changes Personnel
Needs to be included in organization plans Job description/expectations Personnel evaluations Audit work plans
LTU CISP Security 56
BCP by Stages
Initiation Current state assessment Develop support processes Training Impact Assessment Alternative selection Recovery Plan development Support services continuity plan development Master plan consolidation Testing strategy development Post transition plan development
LTU CISP Security 57
BCP by Stages
Implementation planning Quick Hits Implementation, testing, maintenance
LTU CISP Security 58
End User Planning
DP is critical to end users Difficult to use manual procedures Recovery is complex Need to plan
manual proceduresrecovery of data/transactionsprocedures for alternate site operationprocedures to return to normal
LTU CISP Security 59
The Real World
DR plans normally involveEssential DP platforms/systems onlyA manual on the shelf written 2-3 years agoLittle or no user involvementNo provision for business processesNo active testingResource lists and contact information that do
not match current realities
LTU CISP Security 60
Stages in an Incident
Disaster interruption affecting user operations
significantly
LTU CISP Security 61
Stages in an Incident
Disaster Initial/Emergency response
Purpose Ensure safety of people Prevent further damage
Activate emergency response team Covers emergency procedures for expected hazards Safety essential Emergency supplies Crisis Management plan - decision making
LTU CISP Security 62
Stages in an Incident
Disaster Initial response Impact assessment
Activate assessment teamDetermine situation
What is affected?
Decide whether to activate plan
LTU CISP Security 63
Stages in an Incident
Disaster Initial response Impact assessment Initial recovery
Initial recovery of key areas at alternate siteDetailed proceduresSalvage/repair - Clean up
LTU CISP Security 64
Stages in an Incident
Disaster Initial response Impact assessment Initial recovery Return to normal/Business resumption
Return to operation at normal site “Emergency” is not over until you are back to normal Requires just as much planning - Parallel operations
LTU CISP Security 65
Special Cases
Y2K Incidents will happen in a particular time
frameAlternate sites won’t helpRedundant equipment won’t helpBackups won’t help Involves automated equipment and services
LTU CISP Security 66
Final Thoughts
Do you really want to activate a DR/BCP plan?PreventionPlanning