Domain 3 Business Continuity and Disaster Recovery Planning




Steps

(ISC)2 steps [Har10]:
- Project initiation
- Business Impact Analysis (BIA)
- Recovery strategy
- Plan design and development
- Implementation
- Testing
- Continual maintenance

NIST SP 800-34 (Contingency Planning Guide for Information Technology Systems) steps:
- Develop the continuity planning policy statement: assigns authority and roles
- Conduct the business impact analysis (BIA): identify critical functions and systems, vulnerabilities and threats, and calculate risks
- Identify preventive controls
- Develop recovery strategies
- Develop the contingency plan
- Test the plan and conduct training and exercises
- Maintain the plan

BIA definition [Har10]: a functional analysis in which a team
- collects data through interviews and documentary sources,
- documents business functions, activities, and transactions,
- develops a hierarchy of business functions, and
- applies a classification scheme to each to indicate each individual function's criticality level.

BIA steps [Har10]:
- Select individuals to interview for data gathering
- Create data-gathering techniques (questionnaires, qualitative and quantitative approaches)
- Identify the company's critical business functions
- Identify the resources these functions rely on
- Calculate how long these functions can survive without these resources
- Identify vulnerabilities and threats to these functions
- Calculate the risk for each different business function, e.g.:
  - equipment malfunction
  - unavailable equipment, utilities, facility, personnel, etc.
  - vendors or service providers going out of business
  - software or data corruption
- Document findings and report them to management

Types of loss:
- Loss of productivity
- Loss of revenue
- Delayed income costs
- Increase in operational expenses
- Loss of competitive advantage
- Loss of reputation and public confidence
- Violations of contract agreements
- Violations of legal and regulatory requirements

Maximum Tolerable Downtime (MTD):
- Critical: minutes to hours
- Urgent: 24 hours
- Important: 72 hours
- Normal: 7 days
- Nonessential: 30 days

Note: Be prepared for the loss of any or all business resources, instead of focusing on the events that could cause the loss.
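As an added example (not from these notes or the cited sources), the following Python applies the MTD scale above to BIA records and checks each function's planned alternate-site type against it, together with the damage-assessment rule used later in these notes that a disaster is declared when the estimated restoration time exceeds the MTD. The per-site recovery times and the BIA records are constructed assumptions.

```python
from dataclasses import dataclass

# MTD criticality scale from the BIA notes, as (tier, upper bound in hours).
# "Minutes to hours" is read here as anything under one day; the bounds for
# the other tiers are the values listed in the notes.
MTD_TIERS = (("Urgent", 24), ("Important", 72), ("Normal", 7 * 24),
             ("Nonessential", 30 * 24))

# Assumed hours to bring a function back online at each alternate-site type.
# The notes only say a hot site is "ready within hours" and that warm and cold
# sites take longer; these numbers are illustrative, not figures from the page.
SITE_RECOVERY_HOURS = {"hot": 8, "warm": 48, "cold": 240}


@dataclass
class BusinessFunction:
    name: str
    mtd_hours: float
    site: str            # planned alternate-site type: "hot", "warm" or "cold"
    resources: tuple     # resources the function relies on (BIA step 4)


def mtd_tier(mtd_hours):
    """Map a maximum tolerable downtime to the criticality tier in the notes."""
    if mtd_hours < 24:
        return "Critical"
    for tier, upper in MTD_TIERS:
        if mtd_hours <= upper:
            return tier
    return "Nonessential"


def strategy_gaps(functions):
    """List functions whose planned site cannot restore them within their MTD."""
    gaps = []
    for f in functions:
        recovery = SITE_RECOVERY_HOURS[f.site]
        if recovery > f.mtd_hours:
            gaps.append((f.name, mtd_tier(f.mtd_hours), f.site, recovery))
    return gaps


def should_declare_disaster(estimated_restore_hours, mtd_hours):
    """Damage-assessment rule: declare a disaster (and activate the BCP)
    when the estimated time to restore exceeds the MTD."""
    return estimated_restore_hours > mtd_hours


# Constructed sample BIA output; not data from the notes.
SAMPLE_BIA = [
    BusinessFunction("order database", 4, "hot", ("DB server", "SAN", "DBA")),
    BusinessFunction("payroll", 24, "warm", ("payroll app", "HR staff")),
    BusinessFunction("file server", 72, "warm", ("file server", "NAS")),
    BusinessFunction("archive search", 30 * 24, "cold", ("archive host",)),
]

if __name__ == "__main__":
    for name, tier, site, hours in strategy_gaps(SAMPLE_BIA):
        print(f"{name} ({tier}): {site} site needs ~{hours}h, exceeds MTD")
```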

Recovery strategy

The team must balance the cost to recover against the cost of disruption; the balancing point becomes the recovery time objective (RTO).

[Figure: disaster timeline. Labels: Normal operations, Disaster, Emergency response, Situation assessment, Command center, Interim operations, Alternate operations, Restoration, Recovery operations, Recovery and reconstitution]

Emergency response:
- Protection of life is the top priority
- If the situation is not life threatening, systems should be shut down in an orderly fashion, and critical data files or resources, along with critical personal items like purses and wallets, should be removed during evacuation
- At least one person should be available to the press
- Protection from looting, vandalism, etc.

Teams [Har10, p. 817]:
- Damage assessment team
  - Once a disaster has happened, determine the cause of the disaster
  - Determine the potential for further damage
  - Identify the affected business functions and areas
  - Identify the level of functionality for the critical resources
  - Identify the resources that must be replaced immediately
  - Estimate how long it will take to bring critical functions back online
  - If it will take longer than the previously estimated MTD values to restore operations, then a disaster should be declared and the BCP put into action
  - Note: It is only after a disaster has been declared that a BCP is activated
- Legal team
- Media relations team
- Network recovery team
- Relocation team
- Restoration team
  - Responsible for getting the alternate site working
  - Note: Restoration is part of recovery, not the other way round
- Salvage team
  - Recovers the original site
  - Signs off on the readiness of the original site
  - Backs up data from the alternate site and restores it within the original facility
  - Carefully terminates contingency operations
  - Securely transports equipment and personnel to the original facility, starting with the least critical functions
  - Note: The salvage team plays a large part in reconstitution (see the checklist for returning to the original site, below)
- Security team
- Telecommunications team (in addition to the network recovery team)

Checklist for returning to the original site:
- Ensuring the safety of employees
- Ensuring an adequate environment is provided (power, facility infrastructure, water, HVAC)
- Ensuring that the necessary equipment and supplies are present and in working order
- Ensuring proper communications and connectivity methods are working
- Properly testing the new environment

The emergency is not over until the company is back in operation at the original primary site, or at a new site constructed to replace the primary site.

Goals development

A goal must contain the following key information:
- Responsibility: each task should be assigned to the individual most logically situated to handle it
- Authority: reduces confusion and increases cooperation
- Priorities: it is necessary to know which department should come online first, which second, and so on
  - The priorities of systems, information, and programs must be established, e.g., database before file server
  - The general priorities must be set by management with the help of the different departments and the IT staff
- Implementation and testing:
  - Once a continuity plan has been developed, it needs to be stored in places easily accessible during emergencies
  - People who are assigned specific tasks need to be instructed
  - Dry runs must be done
  - Drills should be conducted at least once a year
  - The entire program should be continually updated and improved

Recovery plans
- Business resumption plan: re-creates the necessary business processes
- Continuity of operations plan: establishes senior management and a headquarters after a disaster

- Disaster recovery plan: focuses on how to recover the various IT mechanisms after a disaster
- Occupant emergency plan: establishes personnel safety and evacuation procedures

Plan maintenance

Plans may become outdated because:
- The business continuity process is not integrated into the change management process
- Infrastructure and environment changes occur
- Reorganization of the company, layoffs, or mergers occur
- Personnel turnover
- Changes in hardware, software, and applications occur
- After the plan is constructed, people feel their job is done
- Large plans take a lot of work to maintain
- Plans do not have a direct line to profitability

How to maintain the plan:
- Make business continuity a part of every business decision
- Insert the maintenance responsibilities into job descriptions
- Include maintenance in personnel evaluations
- Perform internal audits that include disaster recovery and continuity documentation and procedures
- Perform regular drills that use the plan
- Integrate the BCP into the current change management process

Alternate site
- Hot site: leased facility that is fully configured
  - Advantages:
    - Ready for operation within hours
    - Highly available
    - Usually used for short-term solutions, but available for longer stays
    - Annual testing available
  - Disadvantages:
    - Very expensive
    - Limited hardware and software choices
- Warm site: leased facility configured with peripheral equipment (i.e., not including computers)
  - Most common site type
  - Advantages:
    - Less expensive
    - Available for longer time frames
    - Practical for proprietary hardware or software use
  - Disadvantages:
    - Takes time to get up and running
    - Operational testing typically not available
    - Resources for operations not immediately available
- Cold site: leased facility that supplies the basic environment (i.e., electrical wiring, plumbing, air conditioning, etc.) but no equipment
  - Often used as a backup for call centers, manufacturing plants, and other services that require extensive retooling and building
  - Advantages: similar to a warm site, but even less expensive
  - Disadvantages: similar to a warm site, but takes even longer to become operational

Backups
- Disk shadowing: fault-tolerant solution that duplicates hardware and maintains at least one copy of the information
  - Disk mirroring produces only one copy
- Electronic vaulting makes copies of files as they are modified and periodically transmits them (i.e., in batches) to an offsite backup facility
- Remote journaling backs up the journal or transaction log offsite in real time
- Automatic tape vaulting sends data over a serial line to a backup tape system at the offsite facility
- See Domain 7 Operations Security for more

Testing

Test types [Har10, p. 826]:
- Checklist test: copies of the BCP are distributed to different departments and functional areas for review
- Structured walkthrough test: identical to the walkthrough exercise below
- Simulation test: similar to the simulated exercise below
  - Continues up to the point of actual relocation to an offsite facility and actual shipment of replacement equipment
- Parallel test: done to ensure that the specific systems can actually perform adequately at the alternate site
  - Some systems are moved to the alternate site and processing takes place
  - The results are compared with the regular processing performed at the original site
  - This points out any necessary tweaking, reconfiguring, or steps that need to take place
- Full-interruption test: similar to the compact exercise below
  - The original site is actually shut down, and processing takes place at the alternate site
  - The recovery team fulfills its obligations in preparing the systems and environment for the alternate site
  - All processing is done only on devices at the alternate offsite facility

Tests of increasing scope are called exercises.

The first exercise should not include all employees, but rather a small group of people here and there, until each learns his or her responsibilities.

Exercise types [Tip09, p. 293]:
- Call exercise
  - The planner attempts to call everyone on the emergency notification list, measures the time taken to reach them, and checks whether they are prepared to respond
  - It is common to have the participants who are reached call into a conference bridge to acknowledge receipt of the communication
- Walkthrough exercise (tabletop exercise)
  - Walk through the actual plan document with everyone who has a role in the plan, to ensure everyone understands their own role and to identify gaps in the plan
  - Can be used to validate the plan within an actual scenario without having to execute the recovery procedures
- Simulated exercise
  - Simulate execution of, or actually execute, the recovery procedures at the alternate site, but ensure the test does not impact the production environment (e.g., by executing it during off hours), in order to:
    - provide training to and improve awareness of team members
    - identify plan weaknesses or deficiencies
    - improve recovery capabilities
    - validate alternate site readiness
- Compact exercise
  - The planner begins with a call exercise and continues through an actual exercise (unavoidably causing disruption to the production environment)

Note: Do not plan an exercise for success; look instead for what does not work.

Regulations

Federal Financial Institutions Examination Council (FFIEC):
- BCP is about maintaining, resuming, and recovering the business, not just the recovery of the technology
- The planning process should be conducted on an enterprise-wide basis
- Stipulates that a thorough BIA and risk assessment are the foundation of an effective BCP
- Effectiveness can be validated only through testing or practical application
- The BCP and test results should be subjected to an independent audit and reviewed by the board of directors
- A company should be aware of the BCPs of its third-party providers, key suppliers, and business partners
- When a company outsources information, transaction processing, and settlement activities, it should review and understand the service providers' BCPs and ensure critical services can be restored within acceptable time frames
- The institution should participate in its providers' testing process

References

[Car07] J. H. Carmouche, IPsec Virtual Private Network Fundamentals, Cisco Press, 2007.
[EC10] EC-Council, Network Defense: Security and Vulnerability Assessment, Cengage Learning, 2010.
[Gup02] M. Gupta, Storage Area Network Fundamentals, Cisco Press, 2002.
[HBH03] S. Hansche, J. Berti, and C. Hare, Official (ISC)2 Guide to the CISSP Exam, Auerbach Publications, 2003.
[Har10] S. Harris, CISSP All-in-One Exam Guide, Fifth Edition, McGraw-Hill Osborne Media, 2010.
[SBP10] M. Swanson, P. Bowen, A. W. Phillips, D. Gallup, and D. Lynes, Contingency Planning Guide for Federal Information Systems, NIST Special Publication 800-34 Rev. 1, May 2010.
[Tip09] H. F. Tipton, Official (ISC)2 Guide to the CISSP CBK, Second Edition, Auerbach Publications, 2009.