Planning for Disaster
Ramesh Ramani, CISM, CGEIT
ramani@pcsuae.com
02 June 2010

Agenda
  Disaster Management - Introduction
  Examples
  BCP and IT Continuity
  Process of Disaster Management - PDCA
  Disaster Management Framework
  Project Execution
  Typical Plan
  Testing the Plan

Disaster Management
  The discipline of dealing with and avoiding risks.
  The discipline of preparing for a disaster BEFORE it occurs.
  In the private sector it is sometimes referred to as Business Continuity Planning (BCP).

Definitions - Disaster
  A situation or event which overwhelms local capacity, necessitating a request to a national or international level for external assistance.
  An overwhelming ecological disruption occurring on a scale sufficient to require outside assistance.
  Exceptional events that kill or injure a large number of people.
  Business continuity (BS 25999): the strategic and tactical capability of an organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable, pre-defined level.

Examples - Disaster
  Indian Ocean tsunami - December 2004
  Haiti earthquake - January 2010
  Oil spill - Gulf of Mexico, 2010
  9/11
  Flooding - Mumbai, 2005
  Power outage - Dubai, 2005
  Flooding - Sharjah, 2009
  Volcanic ash - Europe, 2010
  H1N1 flu, 2009

IT and BCP
  From the industrial age to the information age
  Information itself is becoming the business
  International standards:
    ISO 27001:2005 - Information Security
    BS 25999 - Business Continuity
    PAS 77:2006 - IT Service Continuity
  Many common factors between them

Disaster Management
PM Framework - DR (diagram)
  Diagram labels: Value, Threat, Vulnerability; BS 25999, PAS 77; Existing setup / Redundancy / New Technologies

Risk Management (PDCA)
  Plan: Risk Assessment (asset value, threat, vulnerability) covering technical aspects, processes/procedures and people; Risk Mitigation Plan
  Do: Risk Mitigation (product, process or people controls)
  Check: Audit (internal audit)
  Act: Continual Improvement, closing of audit gaps / raising the bar; continue with the PDCA cycle

Project Execution and Deliverables
  Phase 1 - Initial Plan
    Aim: provide initial planning and preparation for the assignment.
    Deliverables:
      1. Scope and Service Acceptance Document
      2. ISMS/BCMS scope definition
      3. BC/IS Policy Statement
      4. BCM/Information Security Steering Committee Charter
  Phase 2 - Acquire/Analyze Data
    Aim: perform the BIA/risk assessment on the identified critical IT assets and collect all relevant data pertaining to the scope; develop the BIA/risk assessment methodology; perform asset enumeration and valuation.
    Deliverables:
      1. BIA/Risk Assessment Methodology
      2. Information asset valuation / critical asset valuation (C, I, A)
      3. Critical information assets register
  Phase 3 - Develop BCMS/ISMS
    Aim: develop the BCP/Risk Treatment Plan, the mandatory policies and controls, and the control implementation road map.
    Deliverables:
      1. Vulnerability Assessment
      2. Threat Assessment
      3. Risk Assessment
      4. BIA (RTO/RPO)
      5. BCP/DRP
      6. Risk Mitigation & Treatment Plan
      7. Statement of Applicability (SoA, ISO 27001)
      8. BCP/DR Policies and Procedures
      9. IS Policies and Procedures
      10. BS 25999 Mandatory Controls
      11. Control Implementation Roadmap
  Phase 4 - Implement BCMS/ISMS
    Aim: implement the BCP/risk mitigation controls based on the BCP/control implementation road map.
    Deliverables:
      1. Implementation of the identified controls
      2. People (training/duties)
      3. Implementation of (IS) products
      4. Implementation of processes
  Phase 5 - Test BCMS/ISMS
    Aim: test the BCP/DRP; audit the ISMS; prepare for ISO 27001/BS 25999 certification.
    Deliverables:
      1. BC/DR test results
      2. ISO 27001 audit reports
  Phase 6 - Continual Improvement
    Aim: continual improvement of the BCMS/ISMS.
    Deliverable: certification against BS 25999 / ISO 27001

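The risk assessment factors on the PDCA slide (asset value, threat, vulnerability) and the BIA deliverable (RTO/RPO per critical asset) are usually kept in a spreadsheet; the following is an added example, written in Python for this page and not part of the original slides, that turns those two artefacts into an automatic check. It assumes a constructed asset register and a constructed backup log (asset names, scores, objectives and timestamps are all illustrative), and flags any asset whose last good backup is older than its RPO or whose measured restore time exceeds its RTO. The 1-5 multiplicative risk score is a common qualitative convention, not a formula taken from BS 25999 or the slides.

```python
"""Added example (not from the original slides): BIA objective check over a
constructed asset register. All names, scores and times are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Asset:
    name: str
    value: int                  # asset value on a 1-5 scale (from the C,I,A valuation)
    rto: timedelta              # recovery time objective
    rpo: timedelta              # recovery point objective
    est_restore: timedelta      # restore time measured in the last restoration test
    last_good_backup: datetime  # from the backup log


def risk_score(value: int, threat: int, vulnerability: int) -> int:
    """Qualitative risk score: value x threat x vulnerability, each on a 1-5 scale.
    Illustrative convention only, not a formula from the slides or BS 25999."""
    for factor in (value, threat, vulnerability):
        if not 1 <= factor <= 5:
            raise ValueError("all factors must be on a 1-5 scale")
    return value * threat * vulnerability


def check_asset(asset: Asset, now: datetime) -> list[str]:
    """Return the BIA objective breaches for one asset (empty list means OK)."""
    findings: list[str] = []
    backup_age = now - asset.last_good_backup
    if backup_age > asset.rpo:
        findings.append(
            f"RPO breach: last good backup is {backup_age} old, RPO is {asset.rpo}")
    if asset.est_restore > asset.rto:
        findings.append(
            f"RTO breach: estimated restore {asset.est_restore} exceeds RTO {asset.rto}")
    return findings


def bia_report(assets: list[Asset], now: datetime) -> dict[str, list[str]]:
    """Asset name -> findings, most critical (highest value) asset first."""
    ordered = sorted(assets, key=lambda a: a.value, reverse=True)
    return {a.name: check_asset(a, now) for a in ordered}


# Constructed sample register and backup log (assumed values)
NOW = datetime(2010, 6, 2, 9, 0)
SAMPLE_ASSETS = [
    # ERP: backup 2 h old against a 1 h RPO, and restore takes 6 h against a 4 h RTO
    Asset("ERP", 5, timedelta(hours=4), timedelta(hours=1), timedelta(hours=6),
          NOW - timedelta(hours=2)),
    # POS: within both objectives
    Asset("POS", 4, timedelta(hours=2), timedelta(minutes=30), timedelta(hours=1),
          NOW - timedelta(minutes=15)),
    # Intranet: low value, but its daily backup has not run for three days
    Asset("Intranet", 2, timedelta(days=2), timedelta(days=1), timedelta(hours=8),
          NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for name, findings in bia_report(SAMPLE_ASSETS, NOW).items():
        print(name, "OK" if not findings else findings)
```

Run against the "check backup tapes" item of the monthly checklist test, a report like this turns a visual inspection into a pass/fail result per critical asset, with the most valuable assets listed first.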
Typical BC Plan
  Introduction
  Definitions
  Abbreviations
  Mission, objectives and intent
  Key plan assumptions
  Business impact analysis
  Disaster recovery strategy
  Disaster recovery organization
  Disaster recovery management team responsibilities
  Disaster recovery emergency procedures
  Plan administration
  Change management
  Maintenance of the disaster recovery plan
  Testing of the disaster recovery plan

Typical Disaster Recovery Organisation
  Senior Recovery Manager
    Recovery Manager
      Administration Assistant
      Damage Assessment
      Physical Security
      Infrastructure Restoration Team Leader
        Hardware
        Network
      Application Restoration Team Leader
        ERP
        POS
        Other Applications

Senior Recovery Manager Responsibilities
  Pre-disaster:
    Approves the final Disaster Recovery Plan
    Ensures the Disaster Recovery Plan is maintained
    Ensures Disaster Recovery training is conducted
    Authorizes periodic Disaster Recovery Plan testing
  Post-disaster:
    Declares that a disaster has occurred and that the Disaster Recovery Plan is activated
    Determines the plan strategy to be implemented
    Determines alternate team members (if any) and other support members of the recovery process
    Authorizes travel and housing arrangements for team members
    Authorizes expenditures
    Manages and monitors the overall recovery process
    Advises senior business managers and user management on the status of the disaster recovery efforts
    Coordinates media and press releases

Basic Principles - DR
  Minimize injury to personnel
  Minimize damage to equipment and facilities
  Achieve a report of injury to personnel and a damage assessment within XX hours of the interruption
  Recover IT capabilities and functionality within the critical time frames specified
  In an emergency situation where life is threatened or you are in danger of physical harm, immediately leave the facility. Never place yourself in a dangerous situation or take unnecessary risks.

Check-Off List - Network Assistant
  Mission: to restore the networking capabilities required within the critical time frames specified.
  Upon notification of a disaster by the Management Team, assemble at the designated site for a briefing on the extent of damage, the escalation plan implemented and the support required.
  Contact Etisalat to connect the DR site. Record: connectivity reference number, bandwidth, Etisalat reference number, Etisalat contact (landline), Etisalat contact (mobile).
  Inform the DRT of the network resumption details.
  Work closely with the software, hardware and restoration teams to restore services.
  Provide internal communication to team members as required (the Network Assistant should be provided with three additional mobile phones as an emergency measure).
  Under no circumstances should the Network Assistant make any public statements regarding the disaster, its cause or its effect on operations.

Information Technology Checklist - Plan Administration (events that trigger a plan review)
  Change in LAN server(s), terminals or personal computer workstations
  Change in operating system and utility software programs
  Change in the design of production systems or files
  Addition or deletion of a production system
  Change in the scheme for backing up data or equipment
  Change in the communications network design
  Change in personnel assignments or in the Information Technology organization
  Change in off-site storage facilities, location or methods of cycling items
  Improvements or physical changes to the current LAN data center
  Review of time frames for availability and delivery of replacement computer components

Corporate Checklist - Plan Administration
  Is the Disaster Recovery Plan in conformance with the corporate bylaws?
  Are Executive Management and the Board of Directors aware of the state and status of the Disaster Recovery Plan and processes?
  Has a new division or department been formed?
  Has a new system been developed for computer processing?
  Has a system for computer processing been discontinued?
  Have individuals within the Recovery Team been transferred, promoted or terminated?
  Has an internal system been significantly modified so as to change its basic functions, data flow requirements or accounting requirements?
  Has a sales office been opened, moved or closed?

Testing - Principles
  Type (in increasing order of depth): Checklist -> Walkthrough -> Simulation -> Full-Interruption
  Techniques: Audit, Validation, Verification (checklist); Scenario, Freeplay, Controlled, Time lapse, Unannounced, Live, Tabletop (walkthrough, simulation and full-interruption)
  Process (in the same order as the types): review and challenge the contents of the plan; extended checklist check to see the interaction and roles of participants; incorporate associated plans and simulate a disaster; pull-the-plug test (shut down the data center)
  Participants: individual components -> integrated components
  Frequency: high -> low
  Complexity: low -> high

Testing Check List
  Checklist
    Techniques: Audit, Validation, Verification
    Process: 1. Review and challenge the contents of the plan. 2. Check that all check-off lists are present and updated. 3. Check backup tapes. 4. Visit the DR site and ensure infrastructure and backup tapes are available. 5. Verify DR team contacts.
    Participants: Recovery Manager, Network Assistant, Restoration Team (2 members)
    Frequency: once a month
    Duration: 4 hours
  Simulation 1
    Techniques: Scenario, Controlled
    Process: 1. Extended checklist check to see the interaction and roles of participants. 2. Actual restoration of backup tapes.
    Participants: Recovery Manager, Network Assistant, Software Assistant, Hardware Assistant, Restoration Team (all members)
    Frequency: after completion of a minimum of six checklist-type tests; once in two months thereafter
    Duration: one non-working day
  Simulation 2
    Techniques: Unannounced, Live
    Process: as for Simulation 1 (extended checklist check; actual restoration of backup tapes)
    Participants: full Recovery Team
    Frequency: after completion of a minimum of two Simulation 1 tests; once in six months thereafter
    Duration: one non-working day
  Full Interruption
    Technique: Announced
    Process: full and thorough check of the DRP
    Participants: full Recovery Team and the businesses
    Frequency: after completion of a minimum of three simulation tests; to be done only once (it can be done without affecting any business if proper timings are chosen)
    Duration: one non-working day

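The test schedule above is a set of gating rules (six checklists before the first Simulation 1, two Simulation 1 runs before Simulation 2, three simulations before the one-off Full Interruption) plus repeat intervals. The following is an added example, written in Python for this page and not part of the original slides, that encodes those rules as a small scheduler: given the plan's test log it reports which test types are due and whether any past test was run before its prerequisites were met. It assumes "once a month", "once in two months" and "once in six months" mean 30, 60 and 180 days, that the three simulations required before Full Interruption may be any mix of Simulation 1 and Simulation 2, and uses a constructed test history.

```python
"""Added example (not from the original slides): DR test schedule encoded as a
scheduler over a constructed test log. Interval lengths and the "any mix of
simulations" reading of the Full Interruption prerequisite are assumptions."""
from datetime import date, timedelta

CHECKLIST = "checklist"
SIM1 = "simulation1"
SIM2 = "simulation2"
FULL = "full_interruption"

# Repeat interval once a test type has been unlocked (assumed day counts).
# Full Interruption has no interval: it is run only once.
INTERVAL = {
    CHECKLIST: timedelta(days=30),
    SIM1: timedelta(days=60),
    SIM2: timedelta(days=180),
}

# Constructed history: (ISO date, test type), as the plan's test log might keep it
SAMPLE_HISTORY = [
    ("2010-01-05", CHECKLIST),
    ("2010-02-05", CHECKLIST),
    ("2010-03-05", CHECKLIST),
    ("2010-04-05", CHECKLIST),
    ("2010-05-05", CHECKLIST),
    ("2010-06-05", CHECKLIST),
]


def _count(history, kind):
    return sum(1 for _, k in history if k == kind)


def prerequisites_met(history, kind):
    """Entry conditions from the slides: 6 checklists before Simulation 1,
    2 Simulation 1 runs before Simulation 2, 3 simulations (assumed: any mix)
    before the one-off Full Interruption test."""
    if kind == CHECKLIST:
        return True
    if kind == SIM1:
        return _count(history, CHECKLIST) >= 6
    if kind == SIM2:
        return _count(history, SIM1) >= 2
    if kind == FULL:
        return (_count(history, SIM1) + _count(history, SIM2) >= 3
                and _count(history, FULL) == 0)
    raise ValueError(f"unknown test type: {kind}")


def last_run(history, kind):
    """Most recent date on which this test type was run, or None."""
    dates = [date.fromisoformat(d) for d, k in history if k == kind]
    return max(dates) if dates else None


def due_tests(history, today):
    """Test types that are unlocked and past their repeat interval on `today` (ISO string)."""
    today = date.fromisoformat(today)
    due = []
    for kind in (CHECKLIST, SIM1, SIM2, FULL):
        if not prerequisites_met(history, kind):
            continue
        last = last_run(history, kind)
        if kind == FULL or last is None or today - last >= INTERVAL[kind]:
            due.append(kind)
    return due


def validate_history(history):
    """Replay the log in date order and report any test run before its prerequisites were met."""
    violations = []
    done = []
    for d, kind in sorted(history):
        if not prerequisites_met(done, kind):
            violations.append(f"{d}: {kind} run before its prerequisites were met")
        done.append((d, kind))
    return violations


if __name__ == "__main__":
    print("violations:", validate_history(SAMPLE_HISTORY))
    print("due on 2010-07-06:", due_tests(SAMPLE_HISTORY, "2010-07-06"))
```

With six monthly checklists logged, a query for early July returns both the next checklist and the first Simulation 1; once Full Interruption has been logged it never comes due again, matching "to be done only once".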
Planning for Disaster
Questions? Comments?
Ramesh Ramani, CISM, CGEIT
ramani@pcsuae.com
02 June 2010