IT Risk Identification and Disaster Recovery. Mark Fenech BSc MBA CRISC CBCI January 2014


ISO 31000:2009 Risk Management Standard
Risk assessment process:
- Risk context
- Risk identification
- Risk analysis
- Risk evaluation
- Risk treatment

Risk Identification
- ISACA's information criteria/goals: criteria that information must satisfy to be useful to the business
- A more structured approach

Risk Essentials
- Risk = f(impact, probability)
- Humans are biased when doing risk assessments: we tend to give a higher priority to risks that
  - have occurred recently
  - are closer to us

ISACA's Information Criteria (some examples from COBIT 4.1 and 5)
- Availability
- Confidentiality
- Efficiency (information as a service)
- Effectiveness (information as a product)
- Relevancy
- Currency


Business Continuity
Business continuity plans cover:
- Equipment, materials and resources
- IT (e.g. redundancy)
- HR (e.g. succession planning)
- Facilities (e.g. alternate sites)
- Suppliers (outsourced activities/common supplies)
Definition: "The capability of the organization to continue delivery of products and services at acceptable predefined levels following a disruptive incident." (GPG2013)

Disaster Recovery
Definition: "The strategies and plans for recovering and restoring the organization's technological infrastructure and capabilities after a serious interruption." (GPG2013)
- Mostly redundancy, but not always (including passwords/updates, BIA priority lists)

Case studies
- When Pixar deleted Toy Story 2
- Internet disruption (2008)
- Marsa Bridge (2010, business continuity)
- Drop Chemicals (2011, business continuity)
- CryptoLocker case in Malta (2013) and backups

Uptime

SLA/OLA             Downtime per year
90%     (0.9)       36.5 days
99%     (0.99)      3.6 days
99.9%   (0.999)     8.7 hours
99.99%  (0.9999)    52 minutes
99.999% (0.99999)   5 minutes

Measuring uptime: network/system metrics. End-user experience is what counts!

Disaster Recovery will not solve all your problems! Get the basics right...
- TIA-942 (data centre infrastructure standard)
- Software bugs

Software Bugs: this is NOT disaster recovery
An SME had:
1. a program writing data at the wrong location (e.g. name and surname swapped), compensated by
2. a program reading data from the wrong location (e.g. name and surname swapped).
Reading the database with a new program version caused problems, and switching over to the second site did not solve them: the replicated data carried the same defect.

Major Cloud Services Provider Risks
- Data location
- Security procedures transparency
- Commingled data
- Vendor lock-in
- Data ownership (logs?)
- CSP going out of business
- Forensic audits
- Penetration detection
- Access control
- Compliance
- Disaster recovery

Cloud Services Provider: Monthly Backup and Recovery Service Levels

Monthly uptime percentage        Service credit
< 99.9% (8.7 hours per year)     10%
< 99%   (3.6 days per year)      25%

Example: 100 GB database, 1000 GB bandwidth, costing EUR 215 per month. Refunds: 10% = EUR 21.50, 25% = EUR 53.75.

Cloud Services Provider Contract (excerpt)
"This SLA and any applicable Service Levels do not apply to any performance or availability issues: 1. Due to factors outside [the vendor's] reasonable control (for example, a network or device failure external to [the vendor's] data centers); [...] iii. The Service Credits awarded in any billing month shall not, under any circumstance, exceed Customer's monthly Service fees for that billing month."
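A worked calculation of the uptime table, the provider's two credit tiers and the credit cap from the contract clause above, as an added example that is not part of the slides. The EUR 215 fee and tier percentages are the slide's figures; the outage minutes and the 30-day month are constructed assumptions.

```python
"""Added example: availability percentages -> downtime budgets, and monthly
SLA breaches -> service credits, capped at the monthly fee (clause iii)."""

HOURS_PER_YEAR = 365 * 24
MINUTES_PER_MONTH = 30 * 24 * 60  # assumption: a 30-day billing month


def downtime_per_year(availability: float) -> dict:
    """Downtime budget per year for an availability fraction such as 0.999."""
    hours = HOURS_PER_YEAR * (1 - availability)
    return {"days": hours / 24, "hours": hours, "minutes": hours * 60}


# Credit tiers from the slide: below 99.9% -> 10%, below 99% -> 25%.
# Lowest threshold first, so a bad month gets the larger credit.
CREDIT_TIERS = [(99.0, 0.25), (99.9, 0.10)]


def measured_uptime(minutes_down: int, minutes_in_month: int = MINUTES_PER_MONTH) -> float:
    """Monthly uptime percentage from total minutes of outage."""
    return 100.0 * (minutes_in_month - minutes_down) / minutes_in_month


def service_credit(uptime_pct: float, monthly_fee: float, tiers=CREDIT_TIERS) -> float:
    """Credit in EUR for the month; never more than the fee itself."""
    rate = 0.0
    for threshold, tier_rate in tiers:
        if uptime_pct < threshold:
            rate = tier_rate
            break
    return round(min(rate * monthly_fee, monthly_fee), 2)


if __name__ == "__main__":
    for nines in (0.9, 0.99, 0.999, 0.9999, 0.99999):
        d = downtime_per_year(nines)
        print(f"{nines * 100:>8.3f}% -> {d['days']:.1f} days / "
              f"{d['hours']:.1f} h / {d['minutes']:.0f} min")
    for down in (0, 60, 500):  # constructed outage minutes in one month
        up = measured_uptime(down)
        print(f"{down:4d} min down -> {up:.3f}% uptime -> "
              f"credit EUR {service_credit(up, 215.0)}")
```

Note that the table's downtime is a yearly budget while the credit is assessed per month, so a single 9-hour outage in one month already breaches the 99.9% tier even if the year as a whole stays within 8.7 hours.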

Typical Replication Technique

Disaster Recovery Plans (contents)
- Objectives
- Assumptions
- Prerequisites
- Dependencies
- High-level diagram
- Recovery procedure
- Reconstruction
- Contact details
- Definitions
- Exercise logs
- Inventory
- Related documents and contracts

Disaster Recovery Exercises
- Prolonged switch-over of live operations
- 24-hour (2-hour) switch-over of live operations
- Parallel processing
- Availability of the secondary setup to selected users (no live data is modified or keyed in during the exercise)

Metrics
- Percentage of systems that are classified formally (through a BIA process)
- Percentage of systems with DRPs that comply with BIA guidelines
- Average time since last recovery exercise
- Number of DRPs that were confirmed less than 12/24 months ago (exercise/validation/review)
- Percentage of successful exercises in the past 12 months
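The five metrics above computed over a system inventory, as an added example that is not part of the slides. The record fields, the reference date and the four sample systems are constructed assumptions.

```python
"""Added example: DR programme KPIs from a constructed system inventory."""
from datetime import date, timedelta
from statistics import mean

TODAY = date(2014, 1, 15)  # fixed reference date so results are reproducible

# Constructed inventory, one record per system; None means "never done".
INVENTORY = [
    {"name": "core-db", "bia_classified": True, "drp_compliant": True,
     "last_exercise": date(2013, 11, 2), "last_exercise_ok": True, "last_review": date(2013, 6, 1)},
    {"name": "mail", "bia_classified": True, "drp_compliant": False,
     "last_exercise": date(2013, 3, 10), "last_exercise_ok": False, "last_review": date(2012, 1, 20)},
    {"name": "intranet", "bia_classified": False, "drp_compliant": False,
     "last_exercise": None, "last_exercise_ok": None, "last_review": None},
    {"name": "erp", "bia_classified": True, "drp_compliant": True,
     "last_exercise": date(2012, 12, 1), "last_exercise_ok": True, "last_review": date(2012, 6, 1)},
]


def pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def drp_metrics(inventory, today=TODAY, window_days=365):
    """Return the slide's KPIs as a dict, plus the systems never exercised."""
    total = len(inventory)
    exercised = [s for s in inventory if s["last_exercise"]]
    ages = [(today - s["last_exercise"]).days for s in exercised]
    recent = [s for s in exercised if s["last_exercise"] >= today - timedelta(days=window_days)]

    def confirmed_since(cutoff):
        # A DRP counts as confirmed if it was exercised OR reviewed after the cutoff.
        return sum(1 for s in inventory
                   if any(d and d >= cutoff for d in (s["last_exercise"], s["last_review"])))

    return {
        "pct_bia_classified": pct(sum(s["bia_classified"] for s in inventory), total),
        "pct_drp_compliant": pct(sum(s["drp_compliant"] for s in inventory), total),
        "avg_days_since_exercise": round(mean(ages), 1) if ages else None,
        "drps_confirmed_12m": confirmed_since(today - timedelta(days=365)),
        "drps_confirmed_24m": confirmed_since(today - timedelta(days=730)),
        "pct_successful_exercises_12m": pct(sum(1 for s in recent if s["last_exercise_ok"]), len(recent)),
        "never_exercised": [s["name"] for s in inventory if not s["last_exercise"]],
    }


if __name__ == "__main__":
    for key, value in drp_metrics(INVENTORY).items():
        print(f"{key:30s} {value}")
```

Systems with no exercise on record are excluded from the average and the success rate (they would otherwise hide), so they are reported separately.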

Thank You! Questions? mark.fenech@axelia.eu www.linkedin.com/in/markfenech