Domain 3 Business Continuity and Disaster Recovery Planning

Transcription

1 Domain 3 Business Continuity and Disaster Recovery Planning Steps (ISC) 2 steps [Har10] Project initiation Business Impact Analysis (BIA) Recovery strategy Plan design and development Implementation Testing Continual maintenance NIST SP (Continuity Planning Guide for Information Technology Systems) steps: Develop the continuity planning policy statement Assigns authority and roles Conduct the business impact analysis (BIA) Identify critical functions and systems, vulnerabilities, threats, and calculate risks Identify preventive controls Develop recovery strategies Develop the contingency plan Test the plan and conduct training and exercises Maintain the plan BIA Definition [Har10]: A functional analysis in which a team collects data through interview and documentary sources documents business functions, activities, and transactions develops a hierarchy of business functions applies a classification scheme to each indicate each individual function s criticality level

2 BIA steps [Har10]: Select individuals to interview for data gathering Create data- gathering techniques (questionnaires, qualitative and quantitative approaches) Identify the company s critical business functions Identify the resources these functions rely on Calculate how long these functions can survive without these resources Identify vulnerabilities and threats to these functions Calculate the risk for each different business function, e.g., equipment malfunction unavailable equipment, utilities, facility, personnel, etc. vendors or service providers go out of business software or data corruption Document findings and report them to the management Types of loss: Loss of productivity Loss of revenue Delayed income costs Increase in operational expenses Loss of competitive advantages Loss in reputation and public confidence Violations of contract agreements Violations of legal and regulatory requirements Maximum Tolerable Downtime (MTD): Critical: Minutes to hours Urgent: 24 hours Important: 72 hours Normal: 7 days Nonessential: 30 days Note: Be prepared for the loss of any or all business resources, instead of focusing on the events that could cause the loss.

3 The team must balance the cost to recover against the cost of disruption the balancing point becomes the recovery time objective Recovery and Reconstitution Normal operations Disaster Emergency response: Interim operations Emergency response Situation assessment Restoration Command center Alternate operations Recovery operations Protection of life is top priority If the situation is not life threatening, systems should be shut down in an orderly fashion, and critical data files or resources, along with critical personal items like purses and wallets, should be removed during evacuation At least one person should be available to the press Protection from looting, vandalism, etc. Teams [Har10, p. 817]: Damage assessment team Once a disaster has happened, determine the cause of the disaster Determine the potential for further damage Identify the affected business functions and areas Identify the level of functionality for the critical resources Identify the resources that must be replaced immediately Estimate how long it will take to bring critical functions back online

4 If it will take longer than the previously estimated MTD values to restore operations, then a disaster should be declared, and the BCP should be put into action Note: It is after a disaster has been declared that a BCP is activated Legal team Media relations team Network recovery team Relocation team Restoration team Responsible for getting the alternate site working Note: Restoration is part of recovery, not the other round Salvage team Recovers the original site Signs off on the readiness of the original site Back up data from the alternate site and restore it within the original facility Carefully terminate contingency operations Securely transport equipment and personnel to the original facility, starting with the least critical functions Note: The salvage team plays a large part in reconstitution (see p. 4 for reconstitution phase checklist) Security team Telecommunications team In addition to network recovery team Checklist for returning to the original site: Ensuring the safety of employees Ensuring an adequate environment is provided (power, facility infrastructure, water, HVAC) Ensuring that the necessary equipment and supplies are present and in working order

5 Ensuring proper communications and connectivity methods are working Properly testing the new environment Emergency is not over until the company is back in operation at the original primary site, or a new site that was constructed to replace the primary site Goals development A goal must contain the following key information: Responsibility: Each task should be assigned to that individual most logically situated to handle it Authority: Reduces confusion and increases cooperation Priorities: It is necessary to know which department should come online first, which second, and so on The priorities of systems, information, and programs must be established, e.g., database before file server The general priorities must be set by the management with the help of different departments and the IT staff Implementation and testing: Once a continuity plan has been developed, it needs to be stored in places easily accessible during emergencies People who are assigned specific tasks need to be instructed Dry runs must be done Drills should be conducted at least once a year The entire program should be continually updated and improved Recovery Plans Business resumption plan: re- create the necessary business processes Continuity of operations plan: establishes senior management and a headquarters after a disaster

6 Disaster recovery plan: focuses on how to recover various IT mechanisms after a disaster Occupant emergency plan: establishes personnel safety and evacuation procedures Plan maintenance Plans may become outdated because: The business continuity process is not integrated into the change management process Infrastructure and environment changes occur Reorganization of the company, layoffs, or mergers occur Personnel turnover Changes in hardware, software, and applications occur After the plan is constructed, people feel their job is done Large plans take a lot of work to maintain Plans do not have a direct line to profitability How to maintain the plan: Make business continuity a part of every business decision Insert the maintenance responsibilities into job descriptions Include maintenance in personnel evaluations Perform internal audits that include disaster recovery and continuity documentation and procedures Perform regular drills that use the plan Integrate the BCP into the current change management process Alternate site Hot site: Leased facility that is fully configured Advantages: Ready within hours for operation Highly available Usually used for short- term solutions, but available for longer stays Annual testing available

7 Disadvantages: Very expensive Limited on hardware and software choices Warm site: Leased facility configured with peripheral equipment (i.e., not including computers) Most common site type Advantages: Less expensive Available for longer time frames Practical for proprietary hardware or software use Disadvantages: Takes time to get up and running Operational testing typically not available Resources for operations not immediately available Cold site: Leased facility that supplies the basic environment (i.e., electrical wiring, plumbing, air conditioning, etc.) but no equipment Often used as backups for call centers, manufacturing plants and other services that require extensive retooling and building Advantages: similar to warm site, but even less expensive Disadvantages: similar to warm site, but takes even longer to be operational Backups Disk shadowing: fault- tolerant solution by duplicating hardware and maintaining at least one copy of the information Disk mirroring produces only one copy Electronic vaulting makes copies of files as they are modified and periodically transmits them (i.e., in batches) to an offsite backup facility

8 Remote journaling backs up journal or transaction offsite in real- time Automatic tape vaulting sends data over a serial line to a backup tape system at the offsite facility See Domain 7 Operations Security for more Testing Test types [Har10, p. 826]: Checklist test: copies of the BCP are distributed to different departments and functional areas for review Structured walkthrough test: identical to Walkthrough exercise below Simulation test: similar to Simulation exercise below Continues up to the point of actual relocation to an offsite facility and actual shipment of replacement equipment Parallel test: is done to ensure that the specific systems can actually perform adequately at the alternate site Some systems are moved to the alternate site and processing takes place The results are compared with the regular processing performed at the original site This points out any necessary tweaking, reconfiguring, or steps that need to take place Full- interruption test: similar to Compact exercise below The original site is actually shut down, and processing takes place at the alternate site The recovery team fulfills its obligations in preparing the systems and environment for the alternate site All processing is done only on devices at the alternate offsite facility Increasing tests are called exercises

9 The first exercise shall not include all employees, but rather a small group of people here and there until each learns his or her responsibilities Exercise types [Tip09, p. 293]: Call exercise The planner attempts to call everyone on the emergency notification list and measure the time taken to reach them, and checks if they are prepared to respond It is common to have the participants reached to call into a conference bridge to acknowledge receipt of the communication Walkthrough exercise (tabletop exercise) Walkthrough the actual plan document with everyone who has a role in the plan, to ensure everyone understands their own role, and to identify gaps in the plan Can be used to validate the plan within an actual scenario without having to actually execute the recovery procedures Simulated exercise Simulate execution or actually execute recovery procedures at the alternate site, but ensure test does not impact the production environment (e.g., by executing it during off hours), in order to: provide training to and improve awareness of team members identify plan weakness or deficiencies improve recovery capabilities validate alternate site readiness Compact exercise The planner begins with a call exercise and continue through an actual exercise (unavoidably causing disruption to the production environment)

10 Note: Should not plan exercise for success, look instead for what does not work. Regulations Federal Financial Institutions Examination Council (FFIEC) BCP is about maintaining, resuming, and recovering the business, not just the recovery of the technology Planning process should be conducted on an enterprise- wide basis Stipulates that a thorough BIA and risk assessment are the foundation of an effective BCP Effectiveness can be validated only through testing or practical application BCP and test results should be subjected to an independent audit and reviewed by the board of directors A company should be aware of BCP of its third- party providers, key suppliers, and business partners When a company outsources information, transaction processing, and settlement activities, the company should review and understand service providers BCP and ensure critical services can be restored within acceptable time frames The institution should participate in their provider s testing process References [Car07] J. H. Carmouche, IPsec virtual private network fundamentals, Cisco Press, [EC10] EC- Council, Network Defense: Security and Vulnerability Assessment, Cengage Learning, [Gup02] M. Gupta, Storage Area Network Fundamentals, Cisco Press, [HBH03] S. Hansche, J. Berti, and C. Hare, Official (ISC)2 Guide to the CISSP Exam, Auerbach Publications, 2003.

11 [Har10] S. Harris, CISSP All- in- One Exam Guide, Fifth Edition, McGraw- Hill Osborne Media, [SBP10] M. Swanson, P. Bowen, A. W. Phillips, D. Gallup, and D. Lynes, Contingency Planning Guide for Federal Information Systems, NIST Special Publication Rev. 1, May [Tip09] H. F. Tipton, Official (ISC)2 Guide to the CISSP CBK, Second Edition, Auerbach Publications, 2009.