#316 The Security Elements of Business Continuity & Disaster Recovery Plans




Ken Doughty, CISA, CBCP, ODAS (kdoughty@ozemail.com.au)

Presentation Outline
- Introduction
- Overview of Business Continuity
- Security Elements of BCP
- Planning Security for a Disaster
- Conclusion

Introduction
- Business Continuity Planning is no longer a luxury for organizations. It is an essential element of the organization's risk management program.
- Organizations are being forced to invest in Business Continuity.

Introduction - Definitions
- Business Continuity Planning (BCP): an all-encompassing, "umbrella" term covering both disaster recovery planning and business resumption planning.
- Disaster Recovery Planning (DRP): the technological aspect of business continuity planning.
- Crisis Management: the overall coordination of an organisation's response to a crisis.

The Statistics
- 92% of Internet businesses are not prepared for a computer disaster (IBM Survey).
- 82% of companies are not prepared to handle a computer system disaster (COMDISCO Vulnerability Index Research Report).
- 93% of companies that have a disaster and no BCP go out of business within 3 years!!
- Studies of organizations in the USA which have experienced a disaster have shown that over 40% of them never resume operations.

Where does your organisation stand?
- SLEEPING: little awareness; low-cost backup; no recovery plan.
- WAKING UP: Business Impact Analysis initiated; some resilience; stronger backup regime.
- GETTING UP: well focused; management commitment to Business Continuity; recovery policy, standards and processes.
- WIDE AWAKE: corporate-wide focus; risk management program; Business Continuity Plan/s.

BCP Standards & Guidelines
- ISO/IEC 17799, Information Technology - Code of Practice for Information Security. Section 11 of this publication specifically addresses business continuity.
- NFPA 1600, The Standard on Disaster/Emergency Management and Business Continuity (www.nfpa.org). This publication is by the American National Fire Protection Association.
- National Institute of Standards and Technology (www.nist.org): Contingency Planning Guide for Information Technology Systems (NIST 800-34).
- Australian Standards Association (www.standards.com.au): their publication Business Continuity Management HB221:2004 outlines an approach to develop and implement business continuity within an organisation.

Objectives of BCP
- Implementation of risk reduction strategies to minimize the likelihood of a disaster
- Protect the organization's assets (security)
- Provide a planned response to a disaster event
- Ensure continuity of operations during the recovery period
- Restore full business capabilities

[Diagram: Strategic Risk Management Plan. Risk causes: information, technology, economic cycle, suppliers, natural disaster, competitive environment, legal/regulatory, business reputation, business interruption. Consequences: clients and others, personnel, regulatory, political, reputation, brand. Risk treatment options (consider changes), risk responses (monitor & maintain), business continuity responses and crisis management applied across the business units; policy/methodology; replacement cost.]

The BCP Framework Model
- Business (who): BCP Organisation, Plan Management, Plan Maintenance, Tools, Awareness, Support
- Services (what): Prevention / Mitigation (avoiding a disruption); Contingency / Recovery (minimising the effect of a disruption)
- Processes (how): Physical Risk Analysis, Business Impact Analysis, Criticality Assessment, Recovery Strategy
- Deliverables: Policy, Priorities & Recovery Windows, Preventative Actions, Inventory Lists, Recovery Kits, Emergency Response Plans, Testing, Salvage & Restoration Plans, Contingency / Fallback Procedures, Training & Awareness Plans

Security is a Component of BCP (lifecycle)
- Security Functional Requirements
- Design & Development
- Implementation
- Testing & Exercising
- Maintenance & Updating

Business Continuity Planning - the BCP Cycle
Prevention / Mitigation Oriented Tasks:
- Identify time-sensitive business functions
- Risk identification
- Robust application design
- Power supply protection
- Fire protection
- Physical and logical security
- Mitigation priorities
Recovery Oriented Tasks:
- Define resumption priorities and timeframes
- Impact of loss
- Recovery strategy: business and technology requirements, e.g. alternate sites, backup needs, etc.
- Crisis management plans
- Inventories
- Recovery procedures
Testing closes the cycle and feeds back into both sets of tasks.

Security Elements of BCP
1. Security over the various plans: Crisis Management Plans, Business Continuity Plans, Disaster Recovery Plans
2. Security during execution of the plans
3. Security over the restoration of critical processes
4. Security during the disaster recovery period

1. Security Over the Plans
- The plans should only be available to those persons designated as members of the various teams.
- Controls should be enforced over the distribution of the plans.
- The CMP, BCP and DRP contain sensitive information (personnel contact numbers, addresses, etc.).
- Recovery strategies are detailed in the plans. Analysis of the plans may reveal potential holes that may be exploited.

2. Security Over Execution of the Plans
Poor security controls over the execution of the plan will allow for the opportunity of:
- physical assets to be stolen
- intellectual property assets to be stolen
- fraud to occur

3. Security During Restoration
Restoration of critical business applications will often mean that:
- existing user security access profiles may not be restored with the application
- user access privileges may not be re-created until security processes have been re-established
- security logging etc. may be switched off due to overhead

4. Security During the Disaster Recovery Period
- Security processes supporting the business may not be re-established until well into the recovery period, allowing for the opportunity of fraud to occur!
- User security access privileges are often increased during the recovery period, which compromises segregation of duties.
- Security monitoring and reporting often is not re-established until late into the recovery period, if at all!

Planning for Security
- Security processes and tools need to be incorporated into the planning process from the beginning.
- Security starts at the beginning of a disaster: securing the physical assets of the organisation not only from theft, looting etc., but also from further damage.
- IT security processes are to be established together with the restoration of the IT infrastructure.
- Security software (including fraud detection) needs to be included in the restoration of the IT applications.
- The security software and processes need to be fully operational at the same time as the IT applications are recovered.
- Manual security controls are to be incorporated into the BCP to monitor for any activity that may be suspicious.
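The restoration and recovery-period points above (access profiles not restored, privileges growing during recovery, logging and fraud detection left off) can be turned into an acceptance check that a DR exercise must pass before an application is declared recovered. The following is an added example written for this page, not code from the presentation or its author; the data model, the segregation-of-duties rule set and the baseline/restored snapshots are constructed for illustration.

```python
"""Post-restoration security verification for a DR exercise (added example).

Compares a pre-disaster baseline of an application's access-control state
with the state observed after restoration, and reports the gaps the talk
warns about: user access profiles that did not come back, privileges that
grew during recovery (and the segregation-of-duties conflicts that creates),
and security logging / fraud detection left switched off.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical segregation-of-duties rules: no single account may hold both
# roles of any pair. A real rule set comes from the finance/audit function.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "post_journal"}),
}


@dataclass
class AccessState:
    """Snapshot of an application's security configuration (constructed)."""
    user_roles: Dict[str, Set[str]]   # account -> roles held
    security_logging: bool            # audit/security logging enabled?
    fraud_detection: bool             # fraud-detection software running?


def verify_restored_security(baseline: AccessState,
                             restored: AccessState) -> List[str]:
    """Return a list of findings; an empty list means the restore is clean."""
    findings: List[str] = []

    # 1. Access profiles that existed before the disaster but were not
    #    restored with the application.
    for user in baseline.user_roles:
        if user not in restored.user_roles:
            findings.append(f"MISSING_PROFILE: {user} not restored")

    for user, roles in restored.user_roles.items():
        # 2. Privileges granted during recovery that the baseline never had.
        extra = roles - baseline.user_roles.get(user, set())
        if extra:
            findings.append(f"ELEVATED: {user} gained {sorted(extra)}")
        # 3. Segregation-of-duties conflicts in the restored role set.
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings.append(f"SOD_CONFLICT: {user} holds {sorted(pair)}")

    # 4. Security controls that must be live when the application is.
    if not restored.security_logging:
        findings.append("CONTROL_OFF: security logging disabled")
    if not restored.fraud_detection:
        findings.append("CONTROL_OFF: fraud detection disabled")
    return findings


def restoration_accepted(findings: List[str]) -> bool:
    """Acceptance gate for the DR runbook: no findings, no sign-off."""
    return not findings


# Constructed snapshots: before the disaster, and after the restore.
BASELINE = AccessState(
    user_roles={"alice": {"create_vendor"},
                "bob": {"approve_payment"},
                "carol": {"enter_journal"}},
    security_logging=True,
    fraud_detection=True,
)
RESTORED = AccessState(
    user_roles={"alice": {"create_vendor", "approve_payment"},  # widened
                "bob": {"approve_payment"}},                    # carol lost
    security_logging=False,                                     # left off
    fraud_detection=True,
)

if __name__ == "__main__":
    for finding in verify_restored_security(BASELINE, RESTORED):
        print(finding)
    print("accepted:", restoration_accepted(
        verify_restored_security(BASELINE, RESTORED)))
```

Running the check against the constructed snapshots reports carol's missing profile, alice's widened privileges and the segregation-of-duties conflict they create, and the disabled logging; the restore is therefore not accepted. Comparing the baseline against itself yields no findings, which is the state a recovery should reach before the application is handed back to the business.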

Conclusion
- Security is often overlooked when planning for business continuity.
- It is not seen to be as critical as recovering the business processes and dependencies.
- Security is a BCP risk mitigation strategy and needs to be included as part of the BCM.

Questions!