Risk Management and Business Continuity Planning

Upload: marvin-hancock

Post on 27-Dec-2015


TRANSCRIPT

Page 1: Risk Management and Business Continuity Planning

Risk Management and Business Continuity Planning

Page 2: Risk Management and Business Continuity Planning

Risk Analysis & Assessment

- What could happen (threat event)?
- If it happened, how bad could it be (threat impact)?
- How often could it happen (threat frequency, annualized)?
- How certain are the answers to the first three questions (recognition of uncertainty)?

Page 3: Risk Management and Business Continuity Planning

Risk Management

- What can be done (risk mitigation)?
- How much will it cost (annualized)?
- Is it cost effective (cost/benefit analysis)?

Page 4: Risk Management and Business Continuity Planning

Business Continuity Planning

The phases of a disaster recovery plan process are:

- Awareness and discovery
- Risk assessment
- Mitigation
- Preparation
- Testing
- Response and recovery

Page 5: Risk Management and Business Continuity Planning

Risk Analysis Steps

- Identify assets
- Determine vulnerabilities
- Estimate likelihood of exploitation
- Compute expected annual cost
- Survey applicable controls and their costs
- Project annual savings of control
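The risk-analysis and risk-management questions on the preceding slides (threat impact, annualized threat frequency, recognition of uncertainty, annualized control cost, cost/benefit) reduce to a small amount of arithmetic, but the slides do not show it carried through. The following is a worked example added here; it is not code from the slides. It computes expected annual loss as impact times annualized frequency, keeps a (low, likely, high) range for each estimate so the uncertainty is visible rather than hidden in a single number, and then projects the net annual savings of each candidate control. Every asset, threat, currency figure, frequency and control parameter is a constructed sample value, not data from the page.

```python
"""Annualized risk analysis with uncertainty bounds and control cost/benefit.

Worked example added to illustrate the slides' risk-analysis steps; it is not
code from the slides. Every threat, currency figure, frequency and control
parameter below is a constructed sample value, not data from the page.
"""
from dataclasses import dataclass

Triple = tuple[float, float, float]  # (low, likely, high) estimate


@dataclass(frozen=True)
class Threat:
    """A threat event: loss per occurrence (threat impact) and occurrences per
    year (annualized threat frequency). Both are (low, likely, high) triples so
    the uncertainty of each estimate is carried through the arithmetic."""
    name: str
    impact: Triple       # currency units per occurrence
    frequency: Triple    # occurrences per year


@dataclass(frozen=True)
class Control:
    """A candidate control: its annualized cost and the fraction by which it
    cuts the frequency and/or the impact of the threats it applies to."""
    name: str
    annual_cost: float
    frequency_reduction: float = 0.0   # 0.0 (no effect) .. 1.0 (eliminates)
    impact_reduction: float = 0.0
    applies_to: tuple[str, ...] = ()


def expected_annual_loss(t: Threat) -> Triple:
    """Expected annual cost of one threat: impact x annualized frequency, for
    the low, likely and high bounds respectively."""
    return tuple(i * f for i, f in zip(t.impact, t.frequency))


def total_expected_annual_loss(threats: list[Threat]) -> Triple:
    """Sum of the (low, likely, high) expected annual losses over all threats."""
    per_threat = [expected_annual_loss(t) for t in threats]
    return tuple(sum(col) for col in zip(*per_threat))


def residual_threat(t: Threat, c: Control) -> Threat:
    """The threat as it remains once the control is in place."""
    if t.name not in c.applies_to:
        return t
    i_scale = 1.0 - c.impact_reduction
    f_scale = 1.0 - c.frequency_reduction
    return Threat(t.name,
                  tuple(i * i_scale for i in t.impact),
                  tuple(f * f_scale for f in t.frequency))


def annual_savings(threats: list[Threat], c: Control) -> float:
    """Projected annual savings of a control: the drop in the likely expected
    annual loss minus the control's own annualized cost."""
    before = total_expected_annual_loss(threats)[1]
    after = total_expected_annual_loss([residual_threat(t, c) for t in threats])[1]
    return before - after - c.annual_cost


def is_cost_effective(threats: list[Threat], c: Control) -> bool:
    """Cost/benefit test: the control saves more per year than it costs."""
    return annual_savings(threats, c) > 0


def rank_controls(threats: list[Threat], controls: list[Control]) -> list[tuple[str, float]]:
    """Controls ordered from best to worst projected annual savings."""
    ranked = [(c.name, annual_savings(threats, c)) for c in controls]
    return sorted(ranked, key=lambda pair: -pair[1])


# Constructed sample inputs (not from the slides).
THREATS = [
    Threat("ransomware on file server", impact=(50_000, 120_000, 400_000),
           frequency=(0.1, 0.25, 0.5)),
    Threat("backup tape lost in transit", impact=(5_000, 20_000, 60_000),
           frequency=(0.5, 1.0, 2.0)),
]

CONTROLS = [
    Control("offline backups", annual_cost=15_000, impact_reduction=0.75,
            applies_to=("ransomware on file server",)),
    Control("encrypt tapes before shipping", annual_cost=3_000, impact_reduction=0.9,
            applies_to=("backup tape lost in transit",)),
    Control("second hot data center", annual_cost=60_000, impact_reduction=0.5,
            applies_to=("ransomware on file server", "backup tape lost in transit")),
]

if __name__ == "__main__":
    low, likely, high = total_expected_annual_loss(THREATS)
    print(f"expected annual loss: likely {likely:,.0f} (range {low:,.0f} .. {high:,.0f})")
    for name, savings in rank_controls(THREATS, CONTROLS):
        verdict = "cost effective" if savings > 0 else "not cost effective"
        print(f"{name:32s} net annual savings {savings:>12,.0f}  {verdict}")
```

With the constructed inputs the likely expected annual loss is 50,000 with a range of 7,500 to 320,000, which is the point of carrying the bounds: a control that looks marginal at the likely value may be clearly worthwhile at the high bound. The hot data center is rejected here not because it is ineffective but because its annualized cost exceeds the loss it averts, which is exactly the cost/benefit question the slide asks.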

Page 6: Risk Management and Business Continuity Planning

Identify Assets

- Hardware: processors, boards, keyboards, monitors, terminals, microcomputers, workstations, tape drives, printers, disks, disk drives, cables, connections, communications controllers, and communications media
- Software: source programs, object programs, purchased programs, in-house programs, utility programs, operating systems, systems programs (such as compilers), and maintenance diagnostic programs
- Data: data used during execution, stored data on various media, printed data, archival data, update logs, and audit records
- People: skills needed to run the computing system or specific programs
- Documentation: on programs, hardware, systems, administrative procedures, and the entire system
- Supplies: paper, forms, laser cartridges, magnetic media, and printer fluid

Page 7: Risk Management and Business Continuity Planning

Determine Vulnerabilities

Asset         | Secrecy                       | Integrity                                            | Availability
--------------|-------------------------------|------------------------------------------------------|---------------------------------------
Hardware      |                               | overloaded, destroyed, tampered                      | failed, stolen, destroyed, unavailable
Software      | stolen, copied, pirated       | impaired by Trojan horse, modified, tampered with    | deleted, misplaced, usage expired
Data          | disclosed, accessed, inferred | damaged (software error, hardware error, user error) | deleted, misplaced, destroyed
People        |                               |                                                      | quit, retired, terminated, on vacation
Documentation |                               |                                                      | lost, stolen, destroyed
Supplies      |                               |                                                      | lost, stolen, damaged

Page 8: Risk Management and Business Continuity Planning

Causes of Vulnerabilities

Page 9: Risk Management and Business Continuity Planning

Estimate Expected Loss

- Legal obligations for preserving confidentiality/integrity
- Business agreements on the expected service
- Cost due to public disclosure
- Benefit to a competitor due to compromise of data
- Loss of future business and credibility
- Computational cost and outsourcing possibility
- Value of the data to others
- Cost of data recovery/reconstruction

Page 10: Risk Management and Business Continuity Planning

Vulnerabilities to Controls

Page 11: Risk Management and Business Continuity Planning

BCP

BCP should include all critical resources:

- IT
- People
- Facilities
- Specialized equipment

BCP is a high-level concern for enterprises, maintaining:

- Financial confidence
- Reputation of the business

Page 12: Risk Management and Business Continuity Planning

Phase 1: Business Impact and Risk Analysis

- Identify what the enterprise has at risk
- Which business processes are most critical
- Prioritize risk management and recovery investments
- Identify the enterprise's vulnerability to risks so that they can be mitigated in the project design phase

Page 13: Risk Management and Business Continuity Planning

Phase 2: Develop and Implement Plan

- Develop recovery strategies and processes
- Create a team responsible for the daily operation of the processes; create detailed plans and procedures. Two types of teams are possible:
  - First, a team of technical people who know what to do given an outline of a plan
  - Second, a team of people who will follow the given plans word for word
- A good team should include both types of members
- Select team members based on their availability, background, etc.

Page 14: Risk Management and Business Continuity Planning

Phase 3: Maintain the Plan

- The plan must be tested and kept up to date
- Test the recovery plan before implementation to ensure requirements can be met
- Keep the plan current by initiating a review on every change to business processes or systems
- Test the plan to see when it will fail, not only when it succeeds

Page 15: Risk Management and Business Continuity Planning

Causes of Business Interruptions

- Computer virus (7%)
- Human error (32%)
- Software failure (14%)
- Hardware/system failure (44%)
- Site disaster (3%)

(source: Computer Associates)

Page 16: Risk Management and Business Continuity Planning

BCP Framework Components

- Infrastructure Management
- IT Service Management
- Database and Application Management
- Storage Management

and, at the center of it all,

- Security Management

Page 17: Risk Management and Business Continuity Planning

Security Management Components

- Identity and Access Management
- Secure Content Management
- Integrated Threat Management
- Vulnerability and Remediation

Page 18: Risk Management and Business Continuity Planning

Infrastructure Management

- IT asset discovery, inventory and life-cycle management
- Mapping of IT assets to business processes
- Operations management
- Business Service management

Deliver, Support, Monitor, Measure, Account
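Phase 1 on page 12 asks which business processes are most critical and how to prioritize recovery investments, and the Infrastructure Management slide above lists "mapping of IT assets to business processes" as the input that answers it. The following worked example is added here to show that mapping done explicitly; it is not code from the slides. It records which assets each process depends on, follows asset-to-asset dependencies transitively, and ranks assets by the total criticality of the processes that would stop if the asset were lost. All process names, asset names, dependency edges and criticality scores are constructed sample values.

```python
"""Map IT assets to business processes and rank assets for recovery investment.

Worked example added to illustrate asset-to-process mapping for business impact
analysis; it is not code from the slides. Process names, asset names, dependency
edges and criticality scores are constructed sample values.
"""

# Business processes with a criticality score (higher = more critical). Constructed.
PROCESSES = {
    "order-intake": 5,
    "payroll": 4,
    "customer-support": 3,
    "internal-wiki": 1,
}

# Direct IT-asset dependencies of each business process. Constructed.
PROCESS_DEPENDS_ON = {
    "order-intake": {"web-frontend", "orders-db"},
    "payroll": {"hr-app"},
    "customer-support": {"ticketing", "orders-db"},
    "internal-wiki": {"wiki-server"},
}

# Asset-to-asset dependencies: an asset is unusable if anything it depends on
# is lost. Constructed.
ASSET_DEPENDS_ON = {
    "web-frontend": {"core-switch", "orders-db"},
    "orders-db": {"san-storage", "core-switch"},
    "hr-app": {"core-switch", "san-storage"},
    "ticketing": {"core-switch"},
    "wiki-server": {"core-switch"},
    "san-storage": set(),
    "core-switch": set(),
}


def transitive_dependencies(asset, graph=ASSET_DEPENDS_ON):
    """Every asset that `asset` depends on, directly or indirectly, plus itself."""
    seen, stack = set(), [asset]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(graph.get(current, ()))
    return seen


def processes_affected_by(asset, process_deps=PROCESS_DEPENDS_ON, graph=ASSET_DEPENDS_ON):
    """Business processes that stop if `asset` is lost, via any dependency chain."""
    return {
        proc for proc, direct in process_deps.items()
        if any(asset in transitive_dependencies(d, graph) for d in direct)
    }


def asset_impact_score(asset, processes=PROCESSES,
                       process_deps=PROCESS_DEPENDS_ON, graph=ASSET_DEPENDS_ON):
    """Sum of the criticality of every process that `asset` would take down."""
    return sum(processes[p] for p in processes_affected_by(asset, process_deps, graph))


def recovery_priority(processes=PROCESSES,
                      process_deps=PROCESS_DEPENDS_ON, graph=ASSET_DEPENDS_ON):
    """Assets ordered by the business impact of losing them (ties alphabetical):
    the order in which recovery investment should be prioritized."""
    return sorted(graph,
                  key=lambda a: (-asset_impact_score(a, processes, process_deps, graph), a))


def single_points_of_failure(process_deps=PROCESS_DEPENDS_ON, graph=ASSET_DEPENDS_ON):
    """Assets whose loss affects more than one business process; these are the
    shared dependencies a continuity plan must cover first."""
    return sorted(a for a in graph
                  if len(processes_affected_by(a, process_deps, graph)) > 1)


if __name__ == "__main__":
    for asset in recovery_priority():
        affected = ", ".join(sorted(processes_affected_by(asset)))
        print(f"{asset:14s} impact {asset_impact_score(asset):2d}  affects: {affected}")
    print("single points of failure:", single_points_of_failure())
```

The ranking makes the shared infrastructure visible: with these inputs the core switch and the SAN outrank every application server because several processes depend on them indirectly, even though no process lists them as a direct dependency. That is the kind of finding a business impact analysis is meant to surface before the project design phase, when the exposure can still be mitigated cheaply.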

Page 19: Risk Management and Business Continuity Planning

Storage Overheads

- Only 26% of data is of current use
- 19% is duplicate
- 43% is old data
- 7% is unused
- 5% has no owner

Still, all data needs to be backed up. (Source: Computer Associates)

Page 20: Risk Management and Business Continuity Planning

Storage Management

- Identify
- Classify
- Define
- Automate

Page 21: Risk Management and Business Continuity Planning

Database and Application Management

- Data protection
- Security
- Performance and availability
- Access control and user provisioning
- Application performance management
- Data management, migration, optimization

Page 22: Risk Management and Business Continuity Planning

Some Continuity Plans: Commercial Recovery Sites

- Hot site: a complete alternate data center where all hardware, software and facilities are available to the organization to recover its business (providers: Comdisco, IBM, SunGard)
- Cold site: space where an organization can set up operations during disaster times
- Mobile or portable sites: small standalone units that can be brought to the end user for deployment

Page 23: Risk Management and Business Continuity Planning

Services by Major Vendors

Page 24: Risk Management and Business Continuity Planning

Some Continuity Plans… Data Storage and Software Backup

- Off-site Storage: data is sent off-site using tapes or disks
- Electronic Vaulting (or Advanced Recovery Services): an on-line storage capacity where users can send data directly for backup