#316 The Security Elements of Business Continuity & Disaster Recovery Plans Ken Doughty CISA CBCP ODAS kdoughty@ozemail.com.au
Presentation Outline
- Introduction
- Overview of Business Continuity
- Security Elements of BCP
- Planning Security for a Disaster
- Conclusion

Introduction
- Business Continuity Planning is no longer a luxury for organizations.
- It is an essential element of the organization's risk management program.
- Organizations are being forced to invest in Business Continuity.

Introduction - Definitions
- Business Continuity Planning (BCP): An all-encompassing, "umbrella" term covering both disaster recovery planning and business resumption planning
- Disaster Recovery Planning (DRP): The technological aspect of business continuity planning
- Crisis Management: The overall coordination of an organisation's response to a crisis

The Statistics
- 92% of Internet businesses are not prepared for a computer disaster (IBM Survey)
- 82% of companies are not prepared to handle a computer system disaster (COMDISCO Vulnerability Index Research Report)
- 93% of companies that have a disaster & no BCP go out of business within 3 years!!
- Studies of organizations in the USA which have experienced a disaster have shown that over 40% of them never resume operations

Where does your organisation stand?
SLEEPING
- Little awareness
- Low cost backup
- No recovery plan
WAKING UP
- Business Impact Analysis initiated
- Some resilience
- Stronger backup regime

Where does your organisation stand? (continued)
GETTING UP
- Well focused
- Management commitment to Business Continuity
- Recovery policy, standards and processes
WIDE AWAKE
- Corporate wide focus
- Risk management program
- Business Continuity Plan/s

BCP Standards & Guidelines
- ISO/IEC 17799, Information Technology Code of Practice for Information Security. Section 11 of this publication specifically addresses business continuity.
- NFPA 1600, the Standard on Disaster/Emergency Management and Business Continuity (www.nfpa.org). This publication is by the American National Fire Protection Association.

BCP Standards & Guidelines (continued)
- National Institute of Standards and Technology (www.nist.org): Contingency Planning Guide for Information Technology System (NIST 800-34).
- Australian Standards Association (www.standards.com.au): their publication Business Continuity Management HB 221:2004 outlines an approach to develop and implement business continuity within an organisation.

Objectives of BCP
- Implementation of risk reduction strategies to minimize the likelihood of a disaster
- Protect the organization's assets (security)
- Provide a planned response to a disaster event
- Ensure continuity of operations during the recovery period
- Restore full business capabilities

Strategic Approach
[Figure: Strategic Risk Management Plan diagram. Labels: Cause; Risk Mitigation; Consequence; Crisis Management; Business Units; Policy/Methodology; Risk Treatment Options (consider changes); Risk Responses (monitor & maintain); Business Continuity Responses; Information; Technology; Economic Cycle; Suppliers; Natural Disaster; Competitive Environment; Replacement Cost; Legal; Regulatory; Business Reputation; Business Interruption; Clients and others; Personnel; Political; Reputation; Brand]

The BCP Framework Model
[Figure: BCP framework diagram. Layers: Business (who); Services (what); Processes (how); Deliverables. Service groups: Prevention / Mitigation (avoiding a disruption); Contingency / Recovery (minimising the effect of a disruption). Other labels: BCP Organisation; Plan Management; Plan Maintenance; Tools; Awareness; Support; Physical Risk Analysis; Business Impact Analysis; Criticality Assessment; Recovery Strategy; Policy; Priorities & Recovery Windows; Preventative Actions; Inventory Lists; Recovery Kits; Emergency Response Plans; Testing; Salvage & Restoration Plans; Contingency / Fallback Procedures; Training & Awareness Plans]

Security is a Component of BCP
[Figure: Security shown together with the BCP phases: Functional Requirements; Design & Development; Maintenance & Updating; Testing & Exercising; Implementation]

Business Continuity Planning: BCP Cycle
[Figure: BCP cycle diagram with two groups of tasks, "Prevention / Mitigation Oriented Tasks" and "Recovery Oriented Tasks". Task labels: Identify Time Sensitive Business Functions; Testing; Risk Identification; Robust Application Design; Power Supply Protection; Fire Protection; Physical and logical security; Mitigation Priorities; Define Resumption Priorities and Timeframes; Impact of Loss; Recovery Strategy (business and technology requirements, e.g. alternate sites, backup needs, etc.); Crisis Management Plans; Inventories; Recovery Procedures]

Security Elements of BCP
1. Security over the various plans:
   - Crisis Management Plans
   - Business Continuity Plans
   - Disaster Recovery Plans
2. Security during execution of the plans
3. Security over the restoration of critical processes
4. Security during the disaster recovery period

1. Security Over the Plans
- The plans should only be available to those persons designated as members of the various teams
- Controls should be enforced over the distribution of the plans
- The CMP, BCP and DRP contain sensitive information (personnel contact numbers, addresses, etc.)
- Recovery strategies are detailed in the plans. Analysis of the plans may reveal potential holes that may be exploited.

2. Security Over Execution of the Plans
Poor security controls over the execution of the plan create the opportunity for:
- physical assets to be stolen
- intellectual property assets to be stolen
- fraud to occur

3. Security During Restoration
Restoration of critical business applications will often mean that:
- existing user security access profiles may not be restored with the application
- user access privileges may not be re-created until security processes have been re-established
- security logging etc. may be switched off due to overhead

4. Security During Disaster Recovery Period
- Security processes supporting the business may not be re-established until well into the recovery period, allowing for the opportunity of fraud to occur!
- User security access privileges are often increased during the recovery period, which compromises segregation of duties
- Security monitoring and reporting often is not re-established until late into the recovery period, if at all!

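An added example (not part of the original presentation): a recovery-gate check for the conditions listed under "3. Security During Restoration" and "4. Security During Disaster Recovery Period". It compares the access profiles on a restored application with a pre-disaster baseline and reports profiles that were not restored, privileges granted beyond the baseline, segregation-of-duties conflicts, and security controls that are not running. The user names, role names, control names and data layout are all constructed assumptions.

```python
# Added example: all users, roles and control names below are constructed.
from itertools import combinations

# Role pairs that must not be held by one person (segregation of duties).
SOD_CONFLICTS = {frozenset({"create_vendor", "approve_payment"}),
                 frozenset({"post_journal", "approve_journal"})}

# Security controls expected to be running before users are let back in.
REQUIRED_CONTROLS = ("audit_logging", "security_monitoring", "fraud_detection")


def recovery_gate(baseline, restored, controls):
    """Compare the restored environment with the pre-disaster baseline.

    baseline / restored: dict of user -> set of roles.
    controls: dict of control name -> bool (True = operational).
    Returns a sorted list of (finding_type, subject, detail) tuples.
    """
    findings = []
    for user in baseline.keys() - restored.keys():
        findings.append(("PROFILE_NOT_RESTORED", user, ""))
    for user, roles in restored.items():
        extra = roles - baseline.get(user, set())
        if user not in baseline:
            findings.append(("UNKNOWN_ACCOUNT", user, ",".join(sorted(roles))))
        elif extra:
            findings.append(("PRIVILEGE_INCREASE", user, ",".join(sorted(extra))))
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in SOD_CONFLICTS:
                findings.append(("SOD_CONFLICT", user, f"{a}+{b}"))
    for name in REQUIRED_CONTROLS:
        if not controls.get(name, False):
            findings.append(("CONTROL_DOWN", name, ""))
    return sorted(findings)


# Constructed sample data: access baseline exported before the disaster ...
BASELINE = {"alice": {"create_vendor"}, "bob": {"approve_payment"},
            "carol": {"post_journal"}}
# ... and what the recovered application reports during the recovery period.
RESTORED = {"alice": {"create_vendor", "approve_payment"},  # emergency grant
            "bob": {"approve_payment"},
            "tmp_recovery": {"post_journal"}}
CONTROLS = {"audit_logging": False, "security_monitoring": True}

if __name__ == "__main__":
    for finding in recovery_gate(BASELINE, RESTORED, CONTROLS):
        print(*finding, sep="\t")
```

An empty result means the restored environment matches the baseline and every required control is operational; any finding is an item for the recovery team to resolve or explicitly accept.
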
Planning for Security
- Security processes and tools need to be incorporated into the planning process from the beginning
- Security starts at the beginning of a disaster: securing the physical assets of the organisation not only from theft, looting, etc., but also from further damage
- IT security processes are to be established with the restoration of the IT infrastructure

Planning for Security (continued)
- Security software (including fraud detection) needs to be included in the restoration of the IT applications
- The security software and processes need to be fully operational at the same time as the IT applications are recovered
- Manual security controls are to be incorporated into the BCP to monitor for any activity that may be suspicious

Conclusion
- Security is often overlooked when planning for business continuity
- It is not seen to be as critical as recovering the business processes and dependencies
- Security is a BCP risk mitigation strategy and needs to be included as part of the BCM

Questions!