ISA 562 1

Domain 6: Business Continuity &

Disaster Recovery Planning

ISA 562Internet Security Theory & Practice

2

Objectives

Response to save business and human life Recovery activities after a disaster to

normal operations Recovery plans to resume interrupted

critical business

Introduction

Need to process critical business systems in the event of disruption to normal business data processing operations.

Ensure the availability of critical information system resources in the event of an unexpected network interruption or disaster

Many kinds of plans Contingency plans, Business Continuity

Planning (BCP), Disaster Recovery Planning (DRP)

3

BCP and DRP Life cycle

Steps of BCP and DRP project life cycle 1. Project Scope Development and planning2. Business Continuity analysis (BIA) and

functional requirements (for BIA steps, please see the book)

3. Business Continuity and Recovery Strategy4. Plan Design and Development5. Restoration6. Feedback

4

Project Scope and Development Planning

Higher management’s commitment to go through the different steps of the project.

Deliverables Project scope definition Producing a Project plan Dedicating a steering committee for the project

The BCP should be aligned with the organization's mission

Business continuity steering committee should Know the mission statement in order to place the scope Have required authorization

Resources requirement need to be known at this stage

Budget requirements are estimated and validated Personnel availability Knowing key points of contact or personnel in an

emergency5

Business Impact Analysis (BIA) Evaluates all business functions against a

common criterion to assess potential impacts to the business by an interruption

The following fall under the BIA Preparing a BIA format Assess potential impacts Prioritize: very important for business functions

Elements to consider Analysis of different threats for the business Identification of critical business functions and

units Emergency Assessment 3rd party considerations

6

Different Items to be considered in BIA

Threats analysis Human Made threats, Natural threats, IT threats Etc

Identify critical business functions: some characteristics

Time Sensitivity, Data Integrity, Etc Their impact on business: Financial & Operational Impact ,

Reputation etc Emergency Assessment

Affected Areas Alerting procedures Security and safety procedures and guidelines, Etc

3rd party considerations Need to look at Down stream liabilities and

upstream impacts Compliance requirements, SLA Agreements, etc

7

Business Continuity and recovery Strategy

Business Unit Priorities: Business units are examined for BIA identified critical functions Critical processes and functions are reviewed by

the Steering committee and establishes priorities Find the minimum resources required to carry out

identified functions Priorities are documented Recovery time Objective (RTO): is the maximum

time to restore a critical function Recovery point objective (RPO): minimum

tolerable amount of data integrity Perform a Cost/Benefit analysis

8

Recovery Alternatives Three approaches for recovery

Dedicated site operated by the organization Multiple processing centers

Commercially leased facility Hot site / cost high Worm site / cost moderate Cold site / cost lowest

Agreement with an Internal or external facility Identify organizations with equivalent IT

configurations and backup technologies and establish an agreement

Types of agreements Reciprocal or Mutual Aid Contingency Service Bureau

9

Backup

Strategies Replication Storage Area network Electronic Vaulting, etc

Location and Storage Criteria Perhaps store in several locations for different

purposes On-site storage, Near-site storage , Off-site storage.

Resilience Strategies Improve an organization's continuity and resilience

IT and Site Resilience etc

10

Plan Design Development Emergency Response Procedures

Life , Health & safety Damage Assessment Event Reporting Disaster Declaration, etc

Personnel Notifications List of people to notify Defining the role of the executives in crisis management Executive succession planning, etc

Backup and off-site storage Inventory list is compiled and documented Facility Accessibility and Resilience

Communication in Emergency Emergency and Business communication system should be

in place Data communication priorities in networks should be

agreed upon

11

Plan Design Development (Continued) Alterative site considerations

The ability to support the required infrastructure, environmental and space demands should be analyzed: utilities, communications, etc

Logistics and supplies How resources are acquired or procured, transported and

maintained Personnel and materials transportation Remote worker environment activation Emergency funds access, etc

Documentation Document BCP & DRP activation and de-activation plans and

procedures. Activity and status reports Checklists etc

Business continuity and resumption planning Contracts for emergency vendor services Risk avoidance and mitigation planning Emergency business recovery procedures

12

Implementation

Includes Training, Testing, Recovery and Audit Training

Increasing the organization's awareness of the BC and DR business case

Different kinds of training for different attendees All people training, Operation teams, Recovery teams etc

Testing Confirms that the plan meets its emergency,

recovery and restoration objectives Measures the accuracy of the plans Allow management to evaluate personnel readiness for an

adverse event

13

Implementation (continued) Test Plans

Each time tests are scheduled, a test plan should be written, it should contain

Objectives and success criteria Details Schedule Post-test review

Test types Several test types exists which server different

purposes Checklist test Structured walk-through Simulation Parallel testing

Testing follow-up Identifying existing deficiencies Plan should be routinely assessed Should be scheduled for testing for example annually

14

Implementation (continued) Recovery procedures

Site migration Local Recovery procedures Transfer and recovery, etc.

Audit Ensures an organization has an effective BC

and DR capability Measures compliance Addressing audit findings

15

Restoration Restoration of primary location

Primary facility must be stabilized and secured and then more detailed damage assessment is conducted

Procurement Has an essential role in supporting restoration Consolidating acquisitions and Disposition Costs reporting

Data Recovery Reversal procedures Business process recovery point Journal and process synchronization

Relocation to primary site Restoration order and prioritization End of disaster declaration

16

Feedback and plan management Post-recovery reporting

Identification or remediation of plan gaps Record Lessons learned Performance metric review

Plan review and evaluation Training of key personnel

Communication Plan distribution Communicate the plan to stakeholders

17

References ISC2 CBK Material CISSP-All-in-one book

18