Post on 15-Jan-2016
Spring 2004 © 2000-2004, Richard A. Stanley
EE579U/11 #1
EE579U Information Systems Security and Management
11: Business Continuity Planning
Professor Richard A. Stanley
EE579U/11 #2
Overview of Today’s Class
• Review of last class
• Business Continuity Planning
EE579U/11 #3
Summary
• Security management is the “glue” that binds the entire security effort together.
• Absent proper and adequate management, it doesn't matter how well the other bits and pieces work
• This is probably the hardest part of all, because it remains difficult to compute the ROI
EE579U/11 #4
What is Business Continuity Planning?
• Planning for the continuation of the business in the event of disaster(s)
• Much larger issue than information assurance, but IA is a big piece of it
• Model: military organizations, where casualties are expected and planned for
• Many issues
EE579U/11 #5
Things to Think About
• Will the “continued” business look like the pre-disaster version?
• If people are identified to fill vacancies, do you tell them ahead of time?
  – Pros and cons; much consternation
• What about flexibility?
• Risks/rewards?
EE579U/11 #6
Where to Begin?
• Look at past problems and issues
• Read the paper!!
  – Today’s headlines can provide many pointers to risks that did not get much attention heretofore
  – e.g. terrorism, information theft
EE579U/11 #7
What Is A Disaster?
• "A disaster is any incident or event that results in a major (multi-day) interruption of operations at one or more of the contact or data centers. For disruptions in service that affect only a portion of systems or operations at any one contact or data center, only a subset of the full recovery procedures will likely be used to restore normal operations. However, a catastrophic disaster would render the center(s) incapable of conducting critical functions for an extended period of time."
Source: http://www.donald-firesmith.com/Components/WorkUnits/Tasks/DisasterRecovery/DisasterThreatAnalysis.html
EE579U/11 #8
Levels of Disasters
• Limited Disaster. A limited disaster is characterized by limited or isolated damage to a part of a contact or data center that is sufficient to have disabled, or to disable, it partially or completely for a period of 24 hours.
• Moderate Disaster. A moderate disaster is characterized by severe damage to the entire contact or data center, thereby temporarily prohibiting the performance of all user support or operations tasks. It requires either temporary allocation of the workload to other existing sites or else temporary transfer to a hot-backup site until the facility can be repaired. However, no cold backup site is required because of the limited time required to put the affected site into full operation.
• Catastrophic Disaster. A catastrophic disaster is characterized by complete destruction of a contact or data center. Because the center is a total loss and needs to be completely rebuilt or replaced, it requires either temporary allocation of the workload to other existing sites or else temporary transfer to either a hot or cold-backup site.
Source: http://www.donald-firesmith.com/Components/WorkUnits/Tasks/DisasterRecovery/DisasterThreatAnalysis.html
EE579U/11 #9
Most Costly Disaster Types
1. Floods
2. Earthquakes
3. Wind storms
4. Forest / scrub fires
5. Non-natural disasters
6. Droughts
7. Extreme temperatures
8. Avalanches / landslides
9. Volcanoes
10. Other natural disasters
Source: International Federation of Red Cross and Red Crescent Societies
EE579U/11 #10
Another Disaster Type Taxonomy
• Natural Disasters:
  – Earthquake
  – Fire
  – Flood
  – Major storms such as tornados and hurricanes
  – Mudslide
  – Blizzard
• Man-Made Disasters:
  – Loss of electrical power (e.g., power brownouts and blackouts, accidental cutting of power cables)
  – Loss of cooling
  – Loss of network connectivity
  – Loss of telephone service (e.g., accidental cutting of telephone lines)
  – Hardware component failure
  – Failure of physical security
  – Loss of required staffing (e.g., evacuation, strike, or sick-out)
  – Sabotage
  – Bomb threat
  – Hacker attacks
  – Water or sewer line breaks
  – Flooding or roof cave-in due to plumbing problem
Source: http://www.donald-firesmith.com/Components/WorkUnits/Tasks/DisasterRecovery/DisasterThreatAnalysis.html
EE579U/11 #11
Disasters Depend on Geography
Source: FEMA disaster archives
EE579U/11 #12
…and on Timing
Source: FEMA disaster archives
EE579U/11 #13
Reasons for a Business Continuity Plan - 1
• Increased dependency by the business over recent years on computerized production and sales delivery mechanisms, thereby creating increased risk of loss of normal services
• Increased dependency by the business over recent years on computerized information systems
• Increased likelihood of inadequate IT and information security safeguards
• Increased recognition of the impact that a serious incident could have on the business
EE579U/11 #14
Reasons for a Business Continuity Plan - 2
• Need to establish a formal process to be followed when a disaster occurs
• Need to develop effective back up and recovery strategies to mitigate the impact of disruptive events
• An intention to lower costs or losses arising from serious incidents
• Avoidance of business failure from disruptive incidents.
EE579U/11 #15
Initiating the Plan
• Review existing plan, if there is one
• Come up with a policy statement
• Develop a plan project budget
• Develop a plan for approval of the plan
• Let the employees know you are developing a continuity plan
EE579U/11 #16
Organizing the Process
• Develop goals and objectives
• Appoint project management
• Select project team
• Lay out a timeline and milestones
• Reporting requirements?
• Identify needed information, documents, etc.
EE579U/11 #17
Assess the Business Risks and Impacts
• Emergency events
• Business risks
• IT and communications
• Existing emergency procedures
• Facility issues
EE579U/11 #18
Emergency Events
• Environmental disasters
• Deliberate disruption of business services
• Loss of utilities
• Equipment / system failures
• IT security incidents
• Others
EE579U/11 #19
Business Risk Assessment
• What are our key business processes?
• Set up timelines for measuring periods when normal services could be unavailable
  – e.g. time bands
• Financial and operational impact
  – Link to timelines above
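The time-band idea on this slide, worked through as an added example (not material from the lecture): each key business process carries a constructed loss estimate per outage band, from which the code derives cumulative loss for an outage of a given length, the maximum tolerable outage per process, and a recovery order. Band boundaries, process names, loss figures and tolerances are all assumed sample values.

```python
"""Business impact assessment over outage time bands (added example)."""
from dataclasses import dataclass
from math import inf

# Start of each time band in hours; a band's loss accrues once an outage
# runs past that start. Constructed bands: 0-4h, 4-24h, 1-3 days, 3-7 days.
BAND_STARTS = (0, 4, 24, 72)


@dataclass(frozen=True)
class Process:
    name: str
    loss_per_band: tuple   # loss (currency units) added in each band entered
    tolerable_loss: float  # loss management accepts before recovery is mandatory


def cumulative_loss(proc: Process, outage_hours: float) -> float:
    """Total loss for an outage of the given length: sum of every band entered."""
    return float(sum(loss for start, loss in zip(BAND_STARTS, proc.loss_per_band)
                     if outage_hours > start))


def max_tolerable_outage(proc: Process) -> float:
    """Longest outage (hours, at a band boundary) whose loss stays within tolerance.

    Returns 0 if the very first band breaks tolerance, inf if no band does.
    """
    running = 0.0
    for start, loss in zip(BAND_STARTS, proc.loss_per_band):
        running += loss
        if running > proc.tolerable_loss:
            return float(start)
    return inf


def recovery_order(processes) -> list:
    """Names ordered by urgency: shortest tolerable outage first, then largest one-week loss."""
    week = BAND_STARTS[-1] + 1  # any outage that reaches the last band
    return [p.name for p in sorted(
        processes, key=lambda p: (max_tolerable_outage(p), -cumulative_loss(p, week)))]


# Constructed sample processes for a small online retailer.
SAMPLE = (
    Process("payment gateway", (40000, 80000, 150000, 300000), 10000),
    Process("order entry", (5000, 20000, 60000, 200000), 30000),
    Process("payroll", (0, 0, 15000, 50000), 20000),
    Process("archive retrieval", (0, 500, 1000, 2000), 10000),
)

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.name:18} MTO={max_tolerable_outage(p):>5} h  1-week loss={cumulative_loss(p, 168):>8.0f}")
    print("recovery order:", recovery_order(SAMPLE))
```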
EE579U/11 #20
IT and Communications
• Specify IT/Comm dependencies
• Specify key IT/Comm processes
• Key personnel contact list
• Key suppliers
• Existing recovery procedures
EE579U/11 #21
Existing Emergency Procedures
• What are they?
• Who has them?
• Have they been practiced?
• Key personnel
• Outside emergency services needed, and contact information
EE579U/11 #22
Facility Issues
• Responsibilities and authority for building and system repairs
• Back-up power arrangements
• Hazardous materials, storage, etc.
• Key personnel contact data
EE579U/11 #23
Preparing for Emergency
• Back-up and recovery strategies
• Key personnel and supplies
• Key documents and procedures
EE579U/11 #24
Back-up and Recovery Strategies
• Alternative Business Process Handling Strategy
• IT Systems Back-up and Recovery Strategy
• Premises and Essential Equipment Back-up and Recovery Strategy
• Customer Service Back-up and Recovery Strategy
• Administration and Operations Back-up and Recovery Strategy
• Information and Documentation Back-up and Recovery Strategy
• Insurance Coverage
EE579U/11 #25
Key Personnel and Supplies
• Functional Organization Chart
• BCP Project Coordinator and deputy for each Key Functional Area
• Key Personnel and Emergency Contact Information
• Key Suppliers and Vendors, and Emergency Contact Information
• Manpower Recovery Strategies
• Establishing the Disaster Recovery Team
• Mobilizing the Business Recovery Team
EE579U/11 #26
Key Documents and Supplies
• Documents and Records Vital to the Business Process
• Off-site Storage Requirements
• Emergency Stationery and Office Supplies
• Media Handling Procedures
• Emergency Authorization Procedures
• Prepare Budget for Back-up and Recovery Phase
EE579U/11 #27
Disaster Recovery Phase
• Handling emergency situations
• Notification and reporting during the disaster phase
• Responsibility and authority for securing from the disaster recovery phase
EE579U/11 #28
Planning for Emergencies
• Identification of potential disasters
  – Probability?
  – Impact?
• Involvement of emergency services
• Assessing business impact of the emergency
• Disaster recovery management activities
EE579U/11 #29
Notification and Reporting During Disaster Recovery
• Mobilizing the Disaster Recovery Team
• Notification to Management and Key Employees
• Handling Notification of Personnel Families
• Handling Media during the Disaster Recovery Phase
• Maintain Event Log during Disaster Recovery Phase
• Disaster Recovery Phase Report
EE579U/11 #30
Business Recovery Phase
• Management of this phase
• Activities during business recovery
EE579U/11 #31
Managing Business Recovery
• Mobilizing the Business Recovery Team
• Assessing extent of damage and business impact
• Preparing specific recovery plan
• Monitoring progress
• Keeping everyone informed
• Handing Business Operations Back to Regular Management
• Preparing Business Recovery Phase Report
EE579U/11 #32
Recovery Activities
• Power and Other Utilities
• Premises, Fixtures and Furniture
• Communications Systems
• IT Systems (hardware and software)
• Production and other Equipment
• Warehouse and Inventory
• Sales and Customer Service
• Human Resources
• Information and Documentation
• Office Supplies
EE579U/11 #33
Does it Work? Testing the Plan
• Plan the tests
• Conduct the test
• Evaluate and feedback
• Beware complacency—strive for realism as much as possible
• Beware of impact on outsiders, and on real customers and suppliers
EE579U/11 #34
Planning the Test
• Develop objectives and scope of tests
• Prepare budget for testing phase
• Set up the test environment
• Prepare test data
• Identify who is to conduct the tests
• Identify who is to control and monitor the tests
• Prepare feedback questionnaires
• Train the testing team for each business unit
EE579U/11 #35
Conducting the Test
• Test each part of the business recovery process
• Measure success against stated goals
• Test accuracy of employee and vendor emergency contact numbers
• Assess results
EE579U/11 #36
Finally…
• Keep staff trained in the recovery process
  – Manage this process
  – Assess training
• Keep the plan up-to-date
  – Revise in response to significant changes
  – Don’t make it a moving target
EE579U/11 #37
Summary
• Business continuity planning is critical to the continued existence and functioning of any business in the face of unexpected events, man-made or natural
• It requires attention to detail, a broad view of the business, and buy-in from above
• Planning requires facing some hard issues, and making public things that might otherwise be kept very secret in normal circumstances
EE579U/11 #38
Homework
• From your own experience or press reports, write a report analyzing the success or failure of business continuity planning in the face of disaster for a real organization having a substantial involvement with information technology. What went wrong? What went right? What would you have changed to make it better?