Fred Estrella - PowerPoint PPT Presentation

About This Presentation
Title:

Fred Estrella

Description:

Guest presentation 'How ITS Aligns with NAU Goals' April 29th. Before ... Separation of duties. Need to know. Password management. Service level agreements ... – PowerPoint PPT presentation

Slides: 18
Provided by: jomae

Transcript and Presenter's Notes

Title: Fred Estrella


1
Fred Estrella
  • Chief Information Technology Officer for Northern
    Arizona University
  • Guest presentation: How ITS Aligns with NAU
    Goals
  • April 29th
  • Before presentation
      • Go to http://www4.nau.edu/its/home/
      • READ Vision Statement, Strategic Plan, and
        Organizational Chart pages
      • Prepare a question to ask in class

2
Recovery and Continuity
  • Campbell, Calvert & Boswell, Chapter 16

3
Overview
  • Business continuity
  • Recovery planning process
  • Policies and procedures
  • Privilege management

4
Disaster Recovery
  • Most of security is about preventing disasters
  • This chapter is about what happens when disasters
    occur

5
Disasters
  • Human error
  • Natural
  • Internal misconduct
  • Armed conflict
  • External attack

6
Business Continuity
  • Business continuity: ability of business (or
    organization) to survive IT emergency
  • Purpose of disaster recovery planning is to
    ensure business continuity

7
Disaster Recovery Planning
  • Identify possible disasters for plan to cover
  • Select team members
  • Assess impact of disaster on business
  • Duration of recovery process
  • Loss of revenue
  • Cost to recover
  • Acceptable workarounds
  • Instructions for recovering feasible functions
  • Document plan
  • Practice recovery

8
Categories of IT Functions
  • Critical
      • Must be restored to maintain normal processing
  • Essential
      • Restore as soon as resources available
  • Necessary
      • Data must be captured and saved
      • Restore as normal process restored
  • Desirable
      • Suspended for duration of emergency

9
Recovery Plan
  • List of covered disasters
  • List of disaster recovery team members
  • Team members contact information
  • Business impact assessment
  • Business resumption plan
  • Data backup information
  • Restore instructions

10
Backup
  • Preventive measure
  • Hardware and media fail
  • Backup essential to recovery

11
Backup Issues
  • How often
  • What medium to use
  • What time of day
  • Manual or automatic
  • How to verify
  • How long to retain
  • Primary and secondary responsible persons

12
Disaster Recovery Team
  • Members
      • Member of senior management
      • Members of IT department
      • Representatives of facilities management
      • Representatives of user community
  • Must keep contact information current
  • Must be trained
  • Must be prepared to respond immediately

13
Policies and Procedures
  • Security policies
  • Human resource policies
  • Incident response policies

14
Security Policies
  • Acceptable use
  • Due care
  • Privacy
  • Separation of duties
  • Need to know
  • Password management
  • Service level agreements
  • Data disposal and destruction

15
Human Resource Policies
  • Employee hiring
  • Employee termination
  • Code of ethics

16
Incident Response Policies
  • Prepare before disaster
  • Detect and report incident
  • Contain disruption
  • Eradicate cause
  • Recovery
      • Full system restore
      • Change all passwords
  • Follow up

17
Privilege Management
  • To secure system, carefully manage access
  • Types of access control lists
      • Discretionary access control (DAC)
      • System access control (SAC)
      • Role-based access control (RBAC)
  • Restrict access
      • Files
      • Services

18
Summary
19
Summary
  • Business continuity
  • Recovery planning process
  • Define and document
  • Privilege management

20
Questions?