Risk Management and Business Continuity Planning
Risk Analysis & Assessment
- What could happen (threat event)?
- If it happened, how bad could it be (threat impact)?
- How often could it happen (threat frequency, annualized)?
- How certain are the answers to the first three questions (recognition of uncertainty)?
Risk Management
- What can be done (risk mitigation)?
- How much will it cost (annualized)?
- Is it cost effective (cost/benefit analysis)?
Business Continuity Planning
The phases of a disaster recovery plan process are:
- Awareness and discovery
- Risk assessment
- Mitigation
- Preparation
- Testing
- Response and recovery
Risk Analysis Steps
- Identify assets
- Determine vulnerabilities
- Estimate likelihood of exploitation
- Compute expected annual cost
- Survey applicable controls and their costs
- Project annual savings of control
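A worked version of these steps, together with the annualized cost/benefit questions under Risk Management, added here as an example and not part of the slides: it takes an asset's threat impact and annualized threat frequency, computes the expected annual cost, and projects the annual saving of each candidate control. The formulas (expected annual loss = impact per event × annualized frequency; saving = reduction in expected loss minus the control's annualized cost) are the standard reading of the slides, and every asset, control and figure below is constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Exposure:
    # One threat event against one asset: what could happen, how bad, how often.
    asset: str
    threat: str
    impact: float            # loss per event, in currency units (threat impact)
    annual_frequency: float  # expected events per year (threat frequency, annualized)

    def expected_annual_loss(self) -> float:
        # expected annual cost = impact per event x annualized frequency
        return self.impact * self.annual_frequency

@dataclass(frozen=True)
class Control:
    # A candidate control: its annualized cost and how it changes the exposure.
    name: str
    annual_cost: float       # annualized cost of the control
    impact_factor: float     # fraction of the impact that remains (1.0 = unchanged)
    frequency_factor: float  # fraction of the annual frequency that remains

def residual_exposure(exposure: Exposure, control: Control) -> Exposure:
    # the exposure that remains once the control is in place
    return replace(exposure, impact=exposure.impact * control.impact_factor,
                   annual_frequency=exposure.annual_frequency * control.frequency_factor)

def annual_savings(exposure: Exposure, control: Control) -> float:
    """Projected annual saving: reduction in expected loss minus annualized control cost."""
    before = exposure.expected_annual_loss()
    after = residual_exposure(exposure, control).expected_annual_loss()
    return before - after - control.annual_cost

def is_cost_effective(exposure: Exposure, control: Control) -> bool:
    return annual_savings(exposure, control) > 0

def rank_controls(exposure: Exposure, controls: list) -> list:
    # candidate controls ordered by projected annual saving, best first
    return sorted(controls, key=lambda c: annual_savings(exposure, c), reverse=True)

# Constructed sample figures for illustration only; not from the slides.
DATA_DESTROYED = Exposure("customer database", "destroyed", impact=200_000.0, annual_frequency=0.1)
CONTROLS = [
    Control("off-site tape backup", annual_cost=5_000.0, impact_factor=0.2, frequency_factor=1.0),
    Control("hot-site contract", annual_cost=60_000.0, impact_factor=0.05, frequency_factor=1.0),
    Control("accept the risk", annual_cost=0.0, impact_factor=1.0, frequency_factor=1.0),
]

if __name__ == "__main__":
    for c in rank_controls(DATA_DESTROYED, CONTROLS):
        print(f"{c.name:22s} saving/year {annual_savings(DATA_DESTROYED, c):>9,.0f}  cost-effective: {is_cost_effective(DATA_DESTROYED, c)}")
```

With the constructed figures the expected annual loss is 20,000; the backup control saves 11,000 a year, accepting the risk saves nothing, and the hot-site contract costs 41,000 a year more than it saves, so it fails the cost/benefit test for this single exposure.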
Identify assets
- Hardware: processors, boards, keyboards, monitors, terminals, microcomputers, workstations, tape drives, printers, disks, disk drives, cables, connections, communications controllers, and communications media
- Software: source programs, object programs, purchased programs, in-house programs, utility programs, operating systems, systems programs (such as compilers), and maintenance diagnostic programs
- Data: data used during execution, stored data on various media, printed data, archival data, update logs, and audit records
- People: skills needed to run the computing system or specific programs
- Documentation: on programs, hardware, systems, administrative procedures, and the entire system
- Supplies: paper, forms, laser cartridges, magnetic media, and printer fluid
Determine Vulnerabilities
The slide tabulates, per asset, the vulnerabilities that affect Secrecy, Integrity and Availability; the groups below are separated by semicolons in the order they appear on the slide:
- Hardware: overloaded, destroyed, tampered with; failed, stolen, destroyed, unavailable
- Software: stolen, copied, pirated; impaired by Trojan horse, modified, tampered with; deleted, misplaced, usage expired
- Data: disclosed, accessed, inferred; damaged (software error, hardware error, user error); deleted, misplaced, destroyed
- People: quit, retired, terminated, on vacation
- Docs: lost, stolen, destroyed
- Supplies: lost, stolen, damaged
Causes of Vulnerabilities
Estimate Expected Loss
- Legal obligations for preserving confidentiality/integrity
- Business agreements on the expected service
- Cost due to public disclosure
- Benefit to competitor due to compromise of data
- Loss of future business, credibility
- Computational cost and outsourcing possibility
- Value to others from the data
- Cost of data recovery/reconstruction
Vulnerabilities to Controls
BCP
BCP should include all critical resources:
- IT
- People
- Facilities
- Specialized equipment
BCP is a high-level concern for enterprises, maintaining:
- Financial confidence
- Reputation of the business
Phase 1: Business Impact and Risk Analysis
- Identify what the enterprise has at risk
- Which business processes are most critical
- Prioritize risk management and recovery investments
- Identify the enterprise’s vulnerability to risks so that they can be mitigated in the project design phase
Phase 2: Develop and Implement Plan
- Develop recovery strategies and processes
- Create a team responsible for the daily operation of the processes; create detailed plans and procedures. Two types of teams are possible:
  - First, a team of technical people who know what to do given an outline of a plan
  - Second, a team of people who will follow the given plans word-by-word
- A good team should include both types of members
- Select team members based on their availability, background, etc.
Phase 3: Maintain the Plan
- The plan must be tested and kept up to date
- Test the recovery plan before implementation to ensure requirements can be met
- Keep the plan current by initiating a review of every change to business processes or systems
- Test the plan to find where it will fail, not merely to confirm that it succeeds
Causes of Business Interruptions
- Computer virus (7%)
- Human error (32%)
- Software failure (14%)
- Hardware/system failure (44%)
- Site disaster (3%)
(source: Computer Associates)
BCP Framework components
- Infrastructure Management
- IT Service Management
- Database and Application Management
- Storage Management
- Security Management (at the center of it all)
Security Management Components
- Identity and Access Management
- Secure Content Management
- Integrated Threat Management
- Vulnerability and Remediation
Infrastructure Management
- IT asset discovery, inventory and life-cycle management
- Mapping of IT assets to business processes
- Operations management
- Business Service management
- Deliver, Support, Monitor, Measure, Account
Storage Overheads
- Only 26% of data is of current use
- 19% is duplicate
- 43% is old data
- 7% is unused
- 5% has no owner
Still, all data needs to be backed up. (Source: Computer Associates)
Storage Management
- Identify
- Classify
- Define
- Automate
Database and Application Management
- Data protection
- Security
- Performance and availability
- Access control and user provisioning
- Application performance management
- Data management, migration, optimization
Some Continuity Plans: Commercial Recovery sites
- Hot site: a complete alternate data center where all hardware, software and facilities are available to the organization to recover their businesses (providers named on the slide: Comdisco, IBM, SunGard)
- Cold site: space where an organization can set up operations during disaster times
- Mobile or Porta sites: small standalone units that can be brought to the end user for deployment
Services by Major Vendors
Some Continuity Plans… Data Storage and Software Backup
- Off-site Storage: data is sent off-site using tapes or disks
- Electronic Vaulting (or Advanced Recovery Services): an on-line storage capacity to which users can send data directly for backup