Spring 2004 © 2000-2004, Richard A. Stanley EE579U/11 #1 EE579U Information Systems Security and Management 11: Business Continuity Planning Professor Richard A. Stanley

Post on 15-Jan-2016


Overview of Today’s Class

• Review of last class

• Business Continuity Planning

Summary

• Security management is the “glue” that binds the entire security effort together.

• Absent proper and adequate management, it doesn't matter how well the other bits and pieces work

• This is probably the hardest part of all, because it remains difficult to compute the ROI

What is Business Continuity Planning?

• Planning for the continuation of the business in the event of disaster(s)

• Much larger issue than information assurance, but IA is a big piece of it

• Model: military organizations, where casualties are expected, planned for

• Many issues

Things to Think About

• Will the “continued” business look like the pre-disaster version?

• If people are identified to fill vacancies, do you tell them ahead of time?
  – Pros and cons, much consternation

• What about flexibility?

• Risks/rewards?

Where to Begin?

• Look at past problems and issues

• Read the paper!!
  – Today’s headlines can provide many pointers to risks that did not get much attention heretofore
  – e.g. terrorism, information theft

What Is A Disaster?

• "A disaster is any incident or event that results in a major (multi-day) interruption of operations at one or more of the contact or data centers. For disruptions in service that affect only a portion of systems or operations at any one contact or data center, only a subset of the full recovery procedures will likely be used to restore normal operations. However, a catastrophic disaster would render the center(s) incapable of conducting critical functions for an extended period of time."

Source: http://www.donald-firesmith.com/Components/WorkUnits/Tasks/DisasterRecovery/DisasterThreatAnalysis.html

Levels of Disasters

• Limited Disaster. A limited disaster is characterized by limited or isolated damage to a part of a contact or data center that is sufficient that has disabled or will disable it, partially or completely, for a period of 24 hours.

• Moderate Disaster. A moderate disaster is characterized by severe damage to the entire contact or data center, thereby temporarily prohibiting the performance of all user support or operations tasks. It requires either temporary allocation of the workload to other existing sites or else temporary transfer to a hot-backup site until the facility can be repaired. However, no cold backup site is required because of the limited time required to put the affected site into full operation.

• Catastrophic Disaster. A catastrophic disaster is characterized by complete destruction of a contact or data center. Because the center is a total loss and needs to be completely rebuilt or replaced, it requires either temporary allocation of the workload to other existing sites or else temporary transfer to either a hot or cold-backup site.

Source: http://www.donald-firesmith.com/Components/WorkUnits/Tasks/DisasterRecovery/DisasterThreatAnalysis.html

Most Costly Disaster Types

1. Floods

2. Earthquakes

3. Wind storms

4. Forest / scrub fires

5. Non-natural disasters

6. Droughts

7. Extreme temperatures

8. Avalanches / landslides

9. Volcanoes

10. Other natural disasters

Source: International Federation of Red Cross and Red Cross Societies

Another Disaster Type Taxonomy

• Natural Disasters:
  – Earthquake.
  – Fire.
  – Flood.
  – Major storms such as tornados and hurricanes.
  – Mudslide.
  – Blizzard.

• Man-Made Disasters:
  – Loss of electrical power (e.g., power brownouts and blackouts, accidental cutting of power cables).
  – Loss of cooling.
  – Loss of network connectivity.
  – Loss of telephone service (e.g., accidental cutting of telephone lines).
  – Hardware component failure.
  – Failure of physical security.
  – Loss of required staffing (e.g., evacuation, strike, or sick-out).
  – Sabotage.
  – Bomb threat.
  – Hacker attacks.
  – Water or sewer line breaks.
  – Flooding or roof cave-in due to plumbing problem

Source: http://www.donald-firesmith.com/Components/WorkUnits/Tasks/DisasterRecovery/DisasterThreatAnalysis.html

Disasters Depend on Geography

Source: FEMA disaster archives

…and on Timing

Source: FEMA disaster archives

Reasons for a Business Continuity Plan - 1

• Increased dependency by the business over recent years on computerized production and sales delivery mechanisms, thereby creating increased risk of loss of normal services

• Increased dependency by the business over recent years on computerized information systems

• Increased likelihood of inadequate IT and information security safeguards

• Increased recognition of the impact that a serious incident could have on the business

Reasons for a Business Continuity Plan - 2

• Need to establish a formal process to be followed when a disaster occurs

• Need to develop effective back up and recovery strategies to mitigate the impact of disruptive events

• An intention to lower costs or losses arising from serious incidents

• Avoidance of business failure from disruptive incidents.

Initiating the Plan

• Review existing plan, if there is one

• Come up with a policy statement

• Develop a plan project budget

• Develop a plan for approval of the plan

• Let the employees know you are developing a continuity plan

Organizing the Process

• Develop goals and objectives

• Appoint project management

• Select project team

• Lay out a timeline and milestones

• Reporting requirements?

• Identify needed information, documents, etc.

Assess the Business Risks and Impacts

• Emergency events

• Business risks

• IT and communications

• Existing emergency procedures

• Facility issues

Emergency Events

• Environmental disasters

• Deliberate disruption of business services

• Loss of utilities

• Equipment / system failures

• IT security incidents

• Others

Business Risk Assessment

• What are our key business processes?

• Set up timelines for measuring periods when normal services could be unavailable
  – e.g. time bands

• Financial and operational impact
  – Link to timelines above

IT and Communications

• Specify IT/Comm dependencies

• Specify key IT/Comm processes

• Key personnel contact list

• Key suppliers

• Existing recovery procedures

Existing Emergency Procedures

• What are they?

• Who has them?

• Have they been practiced?

• Key personnel

• Outside emergency services needed, and contact information

Facility Issues

• Responsibilities and authority for building and system repairs

• Back-up power arrangements

• Hazardous materials, storage, etc.

• Key personnel contact data

Preparing for Emergency

• Back-up and recovery strategies

• Key personnel and supplies

• Key documents and procedures

Back-up and Recovery Strategies

• Alternative Business Process Handling Strategy

• IT Systems Back-up and Recovery Strategy

• Premises and Essential Equipment Back-up and Recovery Strategy

• Customer Service Back-up and Recovery Strategy

• Administration and Operations Back-up and Recovery Strategy

• Information and Documentation Back-up and Recovery Strategy

• Insurance Coverage

Key Personnel and Supplies

• Functional Organization Chart

• BCP Project coordinator and deputy for each Key Functional Area

• Key Personnel and Emergency Contact Information

• Key Suppliers and Vendors, and Emergency Contact Information

• Manpower Recovery Strategies

• Establishing the Disaster Recovery Team

• Mobilizing the Business Recovery Team

Key Documents and Supplies

• Documents and Records Vital to the Business Process

• Off-site Storage Requirements

• Emergency Stationery and Office Supplies

• Media Handling Procedures

• Emergency Authorization Procedures

• Prepare Budget for Back-up and Recovery Phase

Disaster Recovery Phase

• Handling emergency situations

• Notification and reporting during the disaster phase

• Responsibility and authority for securing from the disaster recovery phase

Planning for Emergencies

• Identification of potential disasters
  – Probability?
  – Impact?

• Involvement of emergency services

• Assessing business impact of the emergency

• Disaster recovery management activities

Notification and Reporting During Disaster Recovery

• Mobilizing the Disaster Recovery Team

• Notification to Management and Key Employees

• Handling Notification of Personnel Families

• Handling Media during the Disaster Recovery Phase

• Maintain Event Log during Disaster Recovery Phase

• Disaster Recovery Phase Report

Business Recovery Phase

• Management of this phase

• Activities during business recovery

Managing Business Recovery

• Mobilizing the Business Recovery Team

• Assessing extent of damage and business impact

• Preparing specific recovery plan

• Monitoring progress

• Keeping everyone informed

• Handing Business Operations Back to Regular Management

• Preparing Business Recovery Phase Report

Recovery Activities

• Power and Other Utilities

• Premises, Fixtures and Furniture

• Communications Systems

• IT Systems (hardware and software)

• Production and other Equipment

• Warehouse and Inventory

• Sales and Customer Service

• Human Resources

• Information and Documentation

• Office Supplies

Does it Work? Testing the Plan

• Plan the tests

• Conduct the test

• Evaluate and feedback

• Beware complacency—strive for realism as much as possible

• Beware of impact on outsiders, and on real customers and suppliers

Planning the Test

• Develop objectives and scope of tests

• Prepare budget for testing phase

• Setting the test environment

• Prepare test data

• Identify who is to conduct the tests

• Identify who is to control and monitor the tests

• Prepare feedback questionnaires

• Training testing team for each business unit

Conducting the Test

• Test each part of the business recovery process

• Measure success against stated goals

• Test accuracy of employee and vendor emergency contact numbers

• Assess results

Finally…

• Keep staff trained in the recovery process
  – Manage this process
  – Assess training

• Keep the plan up-to-date
  – Revise in response to significant changes
  – Don’t make it a moving target

Summary

• Business continuity planning is critical to the continued existence and functioning of any business in the face of unexpected events, man-made or natural

• It requires attention to detail, broad view of the business, and buy-in from above

• Planning requires facing some hard issues, and making public things that might otherwise be kept very secret in normal circumstances

Homework

• From your own experience or press reports, write a report analyzing the success or failure of business continuity planning in the face of disaster for a real organization having a substantial involvement with information technology. What went wrong? What went right? What would you have changed to make it better?