IT Risk Identification and Disaster Recovery. Mark Fenech BSc MBA CRISC CBCI January 2014

Size: px
Start display at page:

Download "IT Risk Identification and Disaster Recovery. Mark Fenech BSc MBA CRISC CBCI January 2014"


1 IT Risk Identification and Disaster Recovery Mark Fenech BSc MBA CRISC CBCI January 2014


3 ISO 31000:2009 Risk Management Standard Risk Assessment Process Risk Context Risk Identification Risk Analysis Risk Evaluation Risk Treatment 3

4 Risk Identification ISACA's information criteria/goals Criteria that information must satisfy to be useful to the business A more structured approach 4

5 Risk Essentials Risk = f(impact, Probability) Human are biased when doing risk assessments We tend to give a higher priority to risks that - have occurred recently - are closer to us 5

6 ISACA's Information Criteria Some examples from COBIT 4.1 and 5 Availability Confidentiality Efficiency (information as a service) Effectiveness (information as a product) Relevancy Currency 6

7 7

8 Business Continuity Business Continuity (plans) for Equipment, materials and resources IT (e.g. redundancy) HR (e.g. succession planning) Facilities (e.g. alternate sites) Suppliers (outsourced activities/common supplies) The capability of the organization to continue delivery of products and services at acceptable predefined levels following a disruptive incident. (GPG2013) 8

9 Disaster Recovery The strategies and plans for recovering and restoring the organizations technological infrastructure and capabilities after a serious interruption. (GPG2013) Mostly redundancy, but not always (incl. passwords/updates, BIA priority lists) 9

10 When PIXAR deleted Toy Story 2 Internet Disruption (2008) Marsa Bridge (2010, Business Continuity) Drop Chemicals (2011, Business Continuity) Crypto Locker Case in Malta (2013) and backups 10

11 Uptime 11

12 SLA/OLA Downtime per year 90% (0.9) 36.5 days 99% (0.99) 3.6 days 99.9% (0.999) 8.7 hours 99.99% (0.9999) 52 minutes % ( ) 5 minutes Measuring uptime: network/system metrics End user experience is what counts! 12

13 Disaster Recovery will not solve all your problems! Get the basics right... TIA942 Software Bugs 13

14 Software Bugs This is NOT Disaster Recovery An SME had 1. a program writing data at the wrong location (e.g. name and surname swapped) COMPENSATED BY 2. a program reading data from the wrong location (e.g. name and surname swapped) Reading the database with a new version resulted in problems that were not solved when switching over to the 2nd site. 14

15 Major Cloud Services Providers Risks Data Location, Security Procedures Transparency, Commingled Data, Vendor Lock-In, Data Ownership (logs?), CSP going out of business, Forensic Audits Penetration Detection, Access Control, Compliance, Disaster Recovery 15

16 Cloud Services Provider Monthly Backup and Recovery Service Levels Monthly Uptime Percentage Service Credit <99.9% (8.7 hours per year) 10% <99% (3.6 days per year) 25% Example: 100GB Database, 1000GB Bandwidth Costs EUR 215 per month Refunds: 10% = EUR 21.50, 25% = EUR

17 Cloud Services Provider Contract This SLA and any applicable Service Levels do not apply to any performance or availability issues: 1. Due to factors outside [the vendor's] reasonable control (for example, a network or device failure external to [vendors's] data centers); : : iii. The Service Credits awarded in any billing month shall not, under any circumstance, exceed Customer's monthly Service fees for that billing month. 17

18 Typical Replication Technique 18

19 19

20 Disaster Recovery Plans Objectives Assumptions Prerequisites Dependencies High-level diagram Recovery procedure Reconstruction 20

21 Disaster Recovery Plans Contact details Definitions Exercise logs Inventory Related documents and contracts 21

22 Disaster Recovery Exercises Prolonged switch over of live operations 24 hour (2 hour) switch over of live operations Parallel Processing Availability of secondary setup to selected users (no live data is modified or keyed in during exercise) 22

23 Metrics Percentage of systems that are classified formally (through a BIA process) Percentage of systems with DRPs that comply with BIA guidelines Average time since last recovery exercise Number of DRPs that were confirmed less than 12/24 months ago (exercise/validation/review) Percentage of successful exercises in the past 12 months 23

24 Thank You! Questions? 24