Planning for Disaster



Planning for Disaster. Ramesh Ramani CISM CGEIT 02 June 2010


Planning for Disaster
Ramesh Ramani CISM CGEIT
Paramount-Dubai

Agenda
- Disaster Management-Introduction
- Examples
- BCP and IT Continuity
- Process of Disaster Management-PDCA
- Disaster Management Framework
- Project Execution
- Typical Plan
- Testing the Plan

Disaster Management
- Discipline of dealing with and avoiding risks
- Discipline that involves preparing for disaster BEFORE it occurs
- Sometimes referred to as Business Continuity Planning (BCP)

Definitions-Disaster
- Situation or event which overwhelms local capacity, necessitating a request to a national or international level for external assistance.
- An overwhelming ecological disruption occurring on a scale sufficient to require outside assistance
- Exceptional events that kill or injure a large number of people
- Strategic and Tactical capability of an organisation to plan for and respond to incidents and business disruptions in order to continue business operations to an acceptable pre-defined level -BS 25999

Examples-Disaster
- Japan-March 2011
- Middle East Tsunami-December 2006
- Haiti Earthquake
- Oil Spill-Gulf of Mexico
- 9-11
- Flooding Mumbai-2005
- Power Outage Dubai-2005
- Flooding Sharjah-2009
- Volcano Ash-Europe

Middle East
- People-Expat Dependency
- Volatility
- Absence of Laws/Regulations
- Monopolistic-Telco/Power etc
- BCP-Not generally available in SME
- False Sense of Security

IT and BCP
- Industry age to information age
- Information itself is becoming business
- International Standards
  - ISO 27001:2005-Information Security
  - BS 25999-Business Continuity
  - BS 25777-IT Service Continuity
- Many Common Factors

Disaster Management

PM Framework-DR
- Risk Assessment (Critical Assets): Value, Threat, Vulnerability
- Business Impact Analysis: RTO / RPO / Max Outage
- BS 25999 Business Continuity Plan
- BS 25777 Drawing of IT Continuity Plan
- Disaster Recovery Strategy Plan
- Drawing of RFP for DR site: Existing setup / Redundancy / New Technologies
- Establishment of DR site
- Testing DRP

Risk Management
- Plan: Risk Assessment (Vulnerability, Threat, Asset Value; Technical, Processes, Procedures, People); Risk Mitigation Plan
- Do: Risk Mitigation (Products, Processes or People Controls)
- Check: Audit; Internal Audit
- Act: Continual Improvement; Closing of Audit Gaps/Raising the Bar; Continue with PDCA Cycle

Project Execution and Deliverables
Phases: Initial Plan, Acquire/Analyze Data, Develop BCMS/ISMS, Implement BCMS/ISMS, Test BCMS/ISMS, Continual Improvement
Aim: Provide initial planning and preparation for the assignment.
1. Scope and Service Acceptance Document C
2. ISMS/BCMS Scope definition
3. BC/IS Policy Statement C
4. BCM/Information Security Steering Committee Charter C

Project Execution and Deliverables
Aim:
- to collect all relevant data pertaining to the scope
- develop BIA/Risk Assessment methodology
- perform asset enumeration/valuation
1. BIA/Risk Assessment Methodology
2. Information Asset Valuation/Critical Asset Valuation-C,I,A-C
3. Critical/information assets register-C

Project Execution and Deliverables
Aim: Perform BIA/Risk Assessment on the identified critical/IT assets and develop BCP/Risk Treatment Plan. Develop mandatory policies and controls.
1. Vulnerability Assessment-C
2. Threat Assessment-C
3. Risk Assessment Report (IS)
4. BIA (RTO/RPO)
5. BCP/DRP
6. Risk Mitigation & Treatment Plan C
7. Statement of Applicability (ISO 27001)
8. BCP/DR Policies and Procedures C?
9. IS Policies and Procedures C?
10. SOA (ISO 27001)
11. BS 25999 Mandatory Controls
12. Control Implementation Roadmap

Project Execution and Deliverables
Aim: Implement BCP/Risk Mitigation Controls based on the BCP/control implementation road map
1. Implement controls identified
2. People (Training/Duties) C
3. Implementing products C?
4. Implementing Processes

Project Execution and Deliverables
Aim:
- To test the BCP/DRP
- To audit the ISMS
- Prepare for ISO 27001/BS 25999 Certification
1. BC/DR Test Results
2. ISO 27001 Audit Reports

Project Execution and Deliverables
Aim: Continual Improvement of BCMS/ISMS
- Certification against BS 25999/ISO 27001

Typical BC Plan
- Introduction
- Definitions
- Abbreviations
- Mission, objectives and intent
- Key plan assumptions
- Business impact analysis
- Disaster recovery strategy
- Disaster recovery organization
- Disaster recovery management team responsibilities
- Disaster recovery emergency procedures
- Plan administration
- Change management
- Maintenance of the disaster recovery plan
- Testing of the disaster recovery plan

Typical Disaster Recovery Organisation
- Senior Recovery Manager
- Recovery Manager
- Administration Assistant
- Damage Assessment
- Physical Security
- Infrastructure Restoration Team Leader
  - Hardware
  - Network
- Application Restoration Team Leader
  - ERP
  - POS
  - Other Applications

Basic Principles-DR
- Minimize injury to personnel
- Minimize damage to equipment and facilities
- Achieve a report of injury to personnel and damage assessment within XX hours of the interruption
- Recover IT capabilities and functionality within the Critical Time Frames specified

In an emergency situation where life is threatened or you are in danger of physical harm, immediately leave the facility. Never place yourself in a dangerous situation or take unnecessary risks.

Senior Recovery Manager Responsibilities

Pre-Disaster
- Approves the final Disaster Recovery Plan
- Ensures the Disaster Recovery Plan is maintained
- Ensures Disaster Recovery training is conducted
- Authorizes periodic Disaster Recovery Plan testing

Post-Disaster
- Declares that a disaster has occurred and the Disaster Recovery Plan is activated
- Determines the plan strategy to be implemented
- Determines alternate team members (if any) and other support members of the recovery process
- Authorizes travel and housing arrangements for team members
- Authorizes expenditures
- Manages and monitors the overall recovery process
- Advises Senior Business Managers and user management on the status of the disaster recovery efforts
- Coordinates media and press releases

Check Off List-Network Assistant
Mission: To restore the networking capabilities required within the Critical Time Frames specified
- Upon notification of a disaster by the Management Team, assemble at the designated site for a briefing on the extent of damages, escalation plan implemented and support required.
- Contact Telco for connecting up DR Site
  - Connectivity Number Reference
  - Bandwidth
  - Telco Reference Number
  - Telco Contact (land line)
  - Telco Contact (Mobile)
- Indicate to DRT as to resumption details of network
- Work closely with software, hardware and restoration team to restore services
- Provide internal communication to team members as required (Network Assistant should be provided with three additional mobile phones as an emergency measure)
- Under no circumstances should the Network Assistant make any public statements regarding the disaster, its cause or its effect on the operations

Information Technology Checklist-Plan Administration
- Change in LAN server(s), terminals, or personal computer workstations
- Change in operating system and utility software programs
- Change in the design of production systems or files
- Addition or deletion of a production system
- Change in the scheme of backing up data or equipment
- Change in the communications network design
- Change in personnel assignments or the Information Technology organization
- Change in off-site storage facilities, location or methods of cycling items
- Improvements or physical change to the current LAN data center
- Review of time frames for availability and delivery of replacement computer components

Corporate Checklist-Plan Administration
- Is the Disaster Recovery Plan in conformance with the corporate bylaws?
- Are Executive Management and the Board of Directors aware of the state and status of the Disaster Recovery Plan and Processes?
- Has a new division or department been formed?
- Has a new system been developed for computer processing?
- Has a system for computer processing been discontinued?
- Have individuals within the Recovery Team been transferred, promoted or terminated?
- Has an internal system been significantly modified to change the basic functions, data flow requirements or accounting requirements?
- Has a sales office been opened, moved or closed?

Testing-Principles
Columns: Type, Techniques, Process, Participants, Frequency, Complexity
- Types: Checklist, Walkthrough, Simulation, Full-Interruption
- Techniques: Audit, Validation, Verification; Scenario, Freeplay, Controlled, Time lapse, Unannounced, Live, Tabletop; Individual components, Integrated Components
- Process: Review & Challenge the contents of the plan; Extended Checklist check to see interaction & roles of participants; Incorporated associated plans. Simulate disaster; Pull the plug test. Shut down data center
- Gradient labels across the types: High to Low, and Low to High

Testing Check List
Columns: Type, Techniques, Process, Participants, Frequency, Duration

Checklist
- Techniques: Audit, Validation, Verification
- Process:
  1. Review & Challenge the contents of the plan
  2. Check all Check off lists are present and updated
  3. Check back up tapes
  4. Visit DR Site and ensure infrastructure/back up tapes available
  5. Verify DR Team contacts
- Participants: Recovery Manager; Network Assistant; Restoration Team (2 Members)
- Frequency: Once a month

Simulation 1
- Techniques: Scenario, Controlled
- Process:
  1. Extended Checklist check to see interaction & roles of participants
  2. Actual Restoration of back up tapes
- Participants: Recovery Manager; Network Assistant; Software Assistant; Hardware Assistant; Restoration Team (All Members)
- Frequency: After completion of minimum six check list type testing; once in two months thereafter

Duration entries on this slide: One Non-working day; 4 Hrs

Testing Check List (Cont.)

Simulation 2
- Techniques: Unannounced, Live
- Process:
  1. Extended Checklist check to see interaction & roles of participants
  2. Actual Restoration of back up tapes
- Participants: Full Recovery Team
- Frequency: After completion of minimum two Simulation 1 testing; once in six months thereafter
- Duration: One Non-Working Day

Full Interruption
- Techniques: Announced
- Process: Full and thorough check of DRP
- Participants: Full Recovery Team; Businesses
- Frequency: After completion of minimum three simulation testing; to be done only once
- Duration: One Non Working Day
- Can be done without affecting any business if proper timings are chosen to conduct this test

Planning for Disaster
Questions? Comments?
Ramesh Ramani CISM CGEIT
ramani@pcsuae.com