Lecture 08 Business Continuity Management and Disaster Recovery Planning - PowerPoint PPT Presentation

Slides: 52
Provided by: SupakornK1
Transcript and Presenter's Notes

1
Lecture 08 Business Continuity Management and
Disaster Recovery Planning
  • Assistant Professor Supakorn Kungpisdan, Ph.D.
  • CISA, IRCA ISO27001, ITIL-F, ECSA, CHFI, CEH,
    ECES
  • supakorn_at_mut.ac.th

2
Domain Agenda
  • Business Continuity Management (BCM) Project
    Planning
  • Understanding the Organization
  • Recovery Strategy Selection
  • Creating the Plan(s)
  • Developing and Implementing Response
  • Testing, Update, and Maintenance of the Plan

3
Sources of Information
  • Disaster Recovery Institute International (DRII)
  • US based
  • Business Continuity Institute (BCI)
  • European based
  • BS25999 has now become ISO22301
  • ISO27001 Annex A
  • NIST SP 800-34

4
BS25999 Business Continuity Management
  • Risk management
  • Disaster recovery
  • Facilities management
  • Supply chain management
  • Quality management
  • Health and safety
  • Knowledge management
  • Emergency management
  • Security
  • Crisis communications PR

5
Enterprise-Wide BCM
  • BCP
  • BIA
  • Alternate processes
  • DRP
  • Backups
  • Alternate sites
  • Recovery of IT infrastructure
  • Incident management
  • Incident response teams
  • Health and safety
  • Crisis management

6
Information Security Priorities
  • Keeping CRITICAL products and services going
  • Availability
  • Integrity
  • Confidentiality
  • What should be done in a crisis when most
    controls are missing?

7
The Business Continuity Lifecycle Overview
  • Analyze the business
  • Assess the risks
  • Develop the BC strategy
  • Develop the BC plan
  • Rehearse the plan

8
BCM Project Management
  • Senior management support
  • Policy
  • Access to key personnel
  • Budget
  • Immediate and ongoing budget

9
BCM Project Management (cont.)
  • Project management
  • Scope
  • Time
  • Deliverables
  • Team members
  • Tools

10
Initiating the BCP
  • Awareness, data, and implementation
  • Staff and budget
  • Result must be a long-term, sustainable program
  • Review progress monthly

11
Documentation
  • Review current BCP, if available
  • Documentation may not equal capability
  • Having a document does not mean that you can do
    well
  • Staff must be trained to use and necessary
    software
  • Types of BCM documents
  • Review/update as directed by policy

12
Domain Agenda
  • Business Continuity Management (BCM) Project
    Planning
  • Understanding the Organization
  • Recovery Strategy Selection
  • Creating the Plan(s)
  • Developing and Implementing Response
  • Testing, Update, and Maintenance of the Plan

13
Understanding BCM Priorities
  • Business priorities
  • Policy/culture
  • Critical services and products
  • Legal and regulatory requirements

14
Risk Assessment and Management
  • Risk management versus business continuity
    planning
  • Coordination between risk assessment and business
    impact analysis
  • Purpose of risk management

15
Threat Identification
  • Natural/environmental
  • Human/manmade
  • Utility
  • Supply chain
  • Equipment
  • Facility
  • Loss of key personnel

16
Understanding the Organization
  • Business Impact Analysis (BIA)
  • Benefits
  • Objectives
  • Indicators of critical business factors
  • Time sensitivity
  • Data integrity
  • Classification

17
Business Impact Analysis
  • Identifies, quantifies, and qualifies loss over
    time
  • BIA process
  • Workshops
  • Questionnaires
  • Interviews
  • Observation

18
BIA (cont.)
  • Business justification for budget
  • MTD/MTPD (Maximum Tolerable Downtime/Maximum
    Tolerable Period of Disruption)
  • RPO (Recovery Point Objective)
  • Document dependencies
  • Third party dependencies and liabilities
  • Service level agreements

19
Example of MTPD Groupings

| Items | Required recovery time following a disaster |
|---|---|
| Non-essential | 30 days |
| Normal | 7 days |
| Important | 72 hours |
| Urgent | 24 hours |
| Critical/Essential | Minutes to hours |

20
Incident Readiness Response
  • Planners become leaders
  • Be prepared
  • Triage (assessment alert)
  • Incident management
  • Successful return to operations
  • Application of lessons learned

21
Continuity Requirements Analysis
  • Identify supporting activities and resources
  • Outcomes feed BCP strategy selection
  • Reviewed with BIA

22
Domain Agenda
  • Business Continuity Management (BCM) Project
    Planning
  • Understanding the Organization
  • Recovery Strategy Selection
  • Creating the Plan(s)
  • Developing and Implementing Response
  • Testing, Update, and Maintenance of the Plan

23
Determining Recovery Strategy
  • Determining BC strategies
  • Strategy options
  • Data
  • Activity continuity options
  • Resource-level consolidation
  • High-level strategies
  • RTO < MTPD
  • Separation distance
  • Cost/benefit analysis
  • Address specific business types
  • Different business functions have different
    recovery solutions

24
Recovery Alternatives

| Alternative | Description | Readiness | Cost |
|---|---|---|---|
| Multiple processing/mirrored site | Fully redundant, identical equipment data | Highest level of availability readiness | Highest |
| Mobile site/trailer | Designed, self-contained IT communications | Variable drive time load data test systems | High |
| Hot site | Fully provisioned IT office, HVAC, infrastructure communications | Short time to load data, test systems. May be yours or vendor staff | High |
| Warm site | Partially IT equipped, some office, data voice infrastructure | Days or weeks. Need equipment, data, communications | Moderate |
| Cold site | Minimal infrastructure, HVAC | Weeks or more. Need all IT, office equipment communications | Lowest |

25
Domain Agenda
  • Business Continuity Management (BCM) Project
    Planning
  • Understanding the Organization
  • Recovery Strategy Selection
  • Creating the Plan(s)
  • Developing and Implementing Response
  • Testing, Update, and Maintenance of the Plan

26
Business Continuity Plan
  • Master plan
  • Modular in design
  • Executive endorsement
  • Review quarterly

27
Business Continuity Plan Contents
  • When team will be activated
  • Means by which the team will be activated
  • Places to meet
  • Action plans/task list created
  • Reporting

28
BCP Contents (cont.)
  • Responsibilities of the team or of specific
    individuals
  • Liaising with emergency services (fire, police,
    ambulance)
  • Receiving or seeking information from response
    teams
  • Reporting information to the incident management
    team
  • Mobilizing third-party suppliers of salvage and
    recovery services
  • Allocating available resources to recovery teams
  • Location/mobilization instructions

29
Developing Response Plans
  • Incident response structure
  • Emergency response procedures
  • Personnel
  • Communications
  • Alternate site considerations
  • Logistics and supplies

30
Creating Recovery Plans
  • Recovery procedures
  • Recovery priorities
  • Activation of alternate site or processes
  • Data recovery
  • Business resumption plan

31
Creating Disaster Recovery Plans
  • Disaster recovery
  • Responsibilities and authority

32
Creating Restoration Plans
  • Rebuilding of primary site
  • Facility restoration
  • System restoration
  • Priorities
  • Data synchronization
  • Salvage
  • Closure of alternate site

33
Topics to Address in Plans
  • Equipment
  • Procurement (vendor agreements)
  • Having a corporate credit card in case of
    emergency
  • Facilities
  • Environmental controls
  • Fire and water protection
  • Personnel

34
Topics to Address in Plans (cont.)
  • Data
  • Offsite storage requirements
  • Utilities
  • Communications
  • Logistics and supplies

35
Resource-Level Consideration
  • Consolidation plan
  • Availability of solutions
  • Consolidate, approve, and implement
  • Outcomes and deliverables

36
Domain Agenda
  • Business Continuity Management (BCM) Project
    Planning
  • Understanding the Organization
  • Recovery Strategy Selection
  • Creating the Plan(s)
  • Developing and Implementing Response
  • Testing, Update, and Maintenance of the Plan

37
Incident Response Management

38
Implementing Incident Management
  • Crisis management
  • Rapid response is critical
  • Triage (alerts)
  • Notification
  • Health and safety of personnel
  • Escalation
  • Executive succession

39
Initial Assessment
  • Damage assessment
  • Declaring a disaster
  • Mobilization of response teams
  • Permanent and virtual teams

40
Documentation and Communication
  • Documentation of the incident
  • Feedback and analysis
  • Communications
  • Public relations

41
Domain Agenda
  • Business Continuity Management (BCM) Project
    Planning
  • Understanding the Organization
  • Recovery Strategy Selection
  • Creating the Plan(s)
  • Developing and Implementing Response
  • Testing, Update, and Maintenance of the Plan

42
Testing the Program
  • Find the flaws
  • Outsourcing
  • Timetable for tests
  • Designing a test

43
Testing Types

| Types | Process | Participants | Frequency | Complexity |
|---|---|---|---|---|
| Desk check | Check the contents of the plan. Aid in maintenance | Author | Often | LOW |
| Walk through | Check interaction and roles of participants | Author and main people | | |
| Simulation | Include business plans, buildings, and communication | Main people and auditor | | |
| Parallel testing | Moves work to another site. Recreates the existing work from the displaced site | Everyone at test location | | |
| Full interruption | Shuts down and relocate all work | Everyone at both locations | Seldom | HIGH |

44
Testing BCP Arrangements
  • Test, rehearsal, exercise
  • Combining individual tests to ensure complete
    coverage
  • Stringency, realism, and minimal exposure
  • Risks of testing
  • Scope and documentation of a test
  • Outcomes

45
Embedding BCP into the Organization
  • Assessing level of awareness and training
  • Levels of training
  • Developing BCP within the culture
  • Monitoring cultural change

46
Specialized Training Needs
  • EOC (emergency operations center)
  • Specialized skills
  • Forensics
  • Interviewing
  • Technical
  • Crisis Management

47
Maintaining BCP Arrangement
  • Ready and embedded
  • Aligned with change-management procedures
  • Owners keep information current
  • Reviewed as needed

48
Summary of BCM Maintenance
  • Updating
  • Annual review
  • Subsequent to tests
  • Response to audits
  • Version control
  • Distribution of plan
  • Confidential

49
Reviewing BCP Arrangement
  • Audit
  • Independent BCP audit option
  • As directed by audit policy

50
Factors for BCM Success
  • Supported by senior management
  • Everyone is aware
  • Everyone is invested
  • Consensus
  • General agreement among BCM team, management, and
    process owners

51
Questions?
  • Next lecture
  • Operations Security