Business Continuity

Naresh Gandhi FCA, D.I.S.A. (ICAI)

Upload: oona

Post on 18-Mar-2016


DESCRIPTION

Business Continuity. Business Impact Analysis. Stages of BCP/DRP: develop contingency planning policy; conduct business impact analysis (BIA); identify preventive controls; develop recovery strategies; develop contingency plan; test the plan and train personnel; maintain the plan.

TRANSCRIPT

Page 1: Business Continuity

Naresh Gandhi FCA, D.I.S.A. (ICAI)

Page 2: Business Continuity


Business Impact Analysis

Page 3: Business Continuity

Stages BCP/DRP

- Develop contingency planning policy
- Conduct business impact analysis (BIA)
- Identify preventive controls
- Develop recovery strategies
- Develop contingency plan
- Test the plan and train personnel
- Maintain the plan

Page 4: Business Continuity

Risk relationship model (diagram)

The slide is a diagram linking Assets, Asset Value, Threats, Vulnerabilities, Risks, Security Arrangements, Controls and Potential Impact on Business. The labelled arrows read:

- Threats exploit Vulnerabilities
- Threats increase Risks
- Vulnerabilities expose Assets
- Vulnerabilities increase Risks
- Assets have Asset Value
- Asset Value increases Risks
- Risks indicate Security Arrangements (requirements)
- Security Arrangements are met by Controls
- Controls protect against Threats
- Controls reduce Risks
- Risks lead to a Potential Impact on Business

Page 5: Business Continuity

Risk Analysis

- A pre-requisite to a complete and meaningful DRP program
- An assessment of the threats to assets
- Determination of the protection required to safeguard the assets

Page 6: Business Continuity

Risk Assessment Process

- Identification of assets
- Identifying threats to these assets and assessing their likelihood
- Identifying vulnerabilities and assessing how easily they might be exploited
- Correlating threats to assets
- Ranking of risks
- Identifying the protection provided by the controls in place

Page 7: Business Continuity

Risk Management

The process of identifying, controlling and minimizing or eliminating risks that may affect information systems, at an acceptable cost

Page 8: Business Continuity

Risk Management - Direction

- Reducing the risk
- Avoiding the risk
- Transferring the risk
- Accepting the risk

Page 9: Business Continuity

Degree of Assurance Required

- It is not possible to achieve total security
- There will always be a residual risk
- What degree of residual risk is acceptable to the organization?

Page 10: Business Continuity

Risk Management

- Defining an acceptable level of residual risk
- Constantly reviewing threats and vulnerabilities
- Reviewing existing controls
- Applying additional controls
- Introducing policies and procedures

Page 11: Business Continuity


What are Assets?

An asset is something to which an organization directly assigns value and hence for which the organization requires protection

Page 12: Business Continuity

Examples of Assets

- Information: data files, user manuals etc.
- Software: application and system software etc.
- Services: communications, technical services etc.
- Company image and reputation

Page 13: Business Continuity

Examples of Assets

- Documents: contracts, guidelines etc.
- Hardware: computers, magnetic media etc.
- People: personnel, customers etc.

Page 14: Business Continuity

Assets

Logical assets: Data; Information; Software; Documentation

Physical assets: People; Hardware; Facilities; Documentation; Supplies

Page 15: Business Continuity

Some Assets

- Physical assets
- Personnel assets
- Intellectual property
- Trade secrets
- Corporate information
- Financial information
- Market research
- Strategic planning
- Customer lists
- Vendor lists
- Contact lists
- Information systems
- R & D information
- Communications
- Meetings
- Future directions

Page 16: Business Continuity

Asset Valuation

Would depend on:
- Business impact of the loss of the asset
- Period of time for which the asset is unavailable
- Value of the asset to a competitor
- Value of the information, rather than the replacement cost of the hardware

Page 17: Business Continuity


What is a Risk?

The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to assets

Page 18: Business Continuity

Ranking of Risks

Protection of assets should be on the basis of their criticality:
- How long can I continue without my asset?
- What is the loss to the business if the asset is not there?
- Can I continue operations otherwise?

Page 19: Business Continuity

Outage Impact & Allowable Outage Times

Resource                 Outage Impact                               Allowable Outage Time
Authentication Server    User could not access Inventory System      8 hours
Database Server          User could not access Inventory System      8 hours
E-mail Server            User could not send e-mail                  2 days
5 Desktop Computers      User could not access Inventory System      8 hours
Hub                      User could not access Inventory System      8 hours
Network Cabling          User could not access Inventory System      8 hours
Electric Power           User could not access Inventory System      8 hours
Printer                  User could not produce Inventory Reports    4 days

Page 20: Business Continuity

System Ranking

Critical
- Can only be performed by automated means; no manual fallback
- Low tolerance to interruption
- High cost of interruption

Vital
- Tolerance to interruption is higher than for critical systems
- Can be operated manually for a limited period
- Cost of interruption is lower than for critical systems

Page 21: Business Continuity

System Ranking

Sensitive
- Can be performed manually for an extended period
- Additional resources are required for manual operation

Non Critical
- Can remain inoperative for an extended period
- Data does not need to be restored as part of the recovery

Page 22: Business Continuity

Formulae for Comparing Risks

Each factor is scored from 1 (lowest) to 5 (highest), as in the table:

  A = Asset cost
  B = Likelihood of threat occurrence
  C = Vulnerability
  D = Measure of risk = (A + B + C) / 3
  E = Risk ranking, read off from D

A   B   C   D   E
4   5   3   4   High
3   3   3   3   Moderate
5   5   5   5   Very High
4   1   1   2   Low
1   1   1   1   Very Low
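As an added worked example (not part of the slides), the Python below computes the slide's measure D = (A + B + C) / 3 and its ranking E for a small risk register, and flags a weakness of the additive formula that a reviewer should check for: one factor scored at the maximum can be averaged down to "High" or lower. The asset names, the extra register row and the rounding rule for non-integer averages are assumptions made for the example.

```python
"""Added example (not from the slides): the deck's additive risk measure
D = (A + B + C) / 3 and its ranking E, applied to a small risk register.
A, B and C are scored 1..5 as in the slide's table; the register entries,
the rounding rule for non-integer D and the masking check are assumptions
made here."""

from dataclasses import dataclass

# Ranking E for each value of the (rounded) measure D, from the slide's table.
RANKING = {1: "Very Low", 2: "Low", 3: "Moderate", 4: "High", 5: "Very High"}


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    asset_cost: int         # A: value of the asset to the business
    threat_likelihood: int  # B: likelihood of the threat occurring
    vulnerability: int      # C: how easily the weakness can be exploited


def _check_score(name, value):
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")


def risk_measure(a, b, c):
    """D = (A + B + C) / 3, exactly as the slide defines it."""
    for name, value in (("A", a), ("B", b), ("C", c)):
        _check_score(name, value)
    return (a + b + c) / 3


def risk_ranking(d):
    """E: the slide's label for D. Non-integer D is rounded to the nearest
    band (an assumption; the slide only shows whole-number averages)."""
    return RANKING[min(5, int(d + 0.5))]


def rank_register(entries):
    """Score every entry and return (asset, D, E) from highest risk down."""
    scored = []
    for e in entries:
        d = risk_measure(e.asset_cost, e.threat_likelihood, e.vulnerability)
        scored.append((e.asset, round(d, 2), risk_ranking(d)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


def masked_by_average(entries):
    """Assets where one factor is at the maximum (5) yet averaging pulls the
    ranking below Very High. Averaging hides a single extreme factor, so
    these deserve a manual look before the ranking is accepted."""
    flagged = []
    for e in entries:
        scores = (e.asset_cost, e.threat_likelihood, e.vulnerability)
        if max(scores) == 5 and risk_ranking(risk_measure(*scores)) != "Very High":
            flagged.append(e.asset)
    return flagged


# Constructed register: the slide's five score rows, given illustrative
# asset names, plus one extra row to exercise the masking check.
SAMPLE_REGISTER = [
    RiskEntry("Authentication server", 4, 5, 3),
    RiskEntry("E-mail server", 3, 3, 3),
    RiskEntry("Database server", 5, 5, 5),
    RiskEntry("Printer", 4, 1, 1),
    RiskEntry("Spare hub", 1, 1, 1),
    RiskEntry("Unpatched web server", 2, 5, 5),
]

if __name__ == "__main__":
    for asset, d, e in rank_register(SAMPLE_REGISTER):
        print(f"{asset:24} D={d:<4} {e}")
    print("review (extreme factor averaged down):", masked_by_average(SAMPLE_REGISTER))
```

The masking check is the practical point: with the slide's own scores, an asset with threat likelihood 5 and vulnerability 5 but a low asset cost lands in the same "High" band as the first row, so the register should be reviewed by factor as well as by D.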

Page 23: Business Continuity

Threat

- A declaration of the intent to inflict harm, pain or misery
- The potential to cause an unwanted incident, which may result in harm to a system or organization and its assets
- Intentional or accidental, man-made or an act of God
- Assets are subject to many kinds of threats, which exploit vulnerabilities

Page 24: Business Continuity

Types of Threat

Man-made threats:
- Errors
- Sabotage
- Bombs
- Strikes
- Terrorist attack
- Competitors

Page 25: Business Continuity

Types of Threat

Man-made threats (continued):
- Disgruntled employees
- Ex-employees
- Hackers
- Crackers
- Fire

Page 26: Business Continuity

Types of Threat

Natural threats:
- Floods
- Hurricanes
- Tornadoes
- Earthquakes
- Fire
- Lightning

Page 27: Business Continuity

Types of Threat

- Technological threats
- Deliberate threats
- Accidental threats
- Threat frequency

Page 28: Business Continuity

Threat Likelihood

Low     Less likely to occur
Medium  Some history of occurrence
High    Good possibility of occurrence

Page 29: Business Continuity

Impact of Threat

- Loss of money
- Loss of reputation or goodwill
- Opportunities missed
- Litigation
- Threat to personnel
- Break-ins or hacks
- Lost confidence
- Business interruption
- Reduced efficiency

Page 30: Business Continuity

Vulnerability

- A vulnerability is a weakness or hole in an organization's information security
- A vulnerability in itself does not cause harm
- It is merely a condition or set of conditions that may allow a threat to affect an asset
- A vulnerability, if not managed, will allow a threat to materialize

Page 31: Business Continuity

Vulnerabilities

- Absence of key personnel
- Unstable power grid
- Unprotected cabling lines
- Lack of security awareness
- Wrong allocation of password rights
- Insufficient security training
- No firewall installed
- Unlocked door
- Password same as user ID
- Poor choice of password
- New technology

Page 32: Business Continuity

Controls

Controls are applied to:
- Mitigate risk
- Bring risk to an acceptable level
- Accept the residual risk

Controls should be cost effective

Page 33: Business Continuity


Control Selection

Which Control?

Page 34: Business Continuity

Control Selection

- Risk
- Degree of assurance required
- Cost
- Ease of implementation
- Servicing
- Legal and regulatory requirements
- Customer and other contractual requirements

Page 35: Business Continuity

Control Selection - Cost

- Budget limitations
- Does the cost of applying the control outweigh the value of the asset?
- May have to select a "best value" range of controls

Page 36: Business Continuity

Control - Ease of Implementation

- Does the environment support the control?
- How long will the control take to implement?
- Is the control readily available?

Page 37: Business Continuity

Control - Servicing

- Are skills available to manage the controls?
- Are upgrades readily available?
- Is the equipment supported by local engineers or suppliers?

Page 38: Business Continuity


Controls

The policies, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected

Page 39: Business Continuity

Power Outage Mitigation

- Provide one hour of uninterrupted power to all servers used internally
- Provide eight hours of uninterrupted power to all web servers and supporting hardware
- Replace desktop systems with laptops where possible
- Alternate power supply: DG (diesel generator) set, UPS/voltage regulators

Page 40: Business Continuity

Fire Damage

- Automatic and manual fire alarms at strategic locations
- Fire extinguishers at strategic locations
- Halon, CO2 or water?
- Automatic fire sprinkler system
- Control panels
- Automatic fire-proof doors
- Master switches both inside and outside the IS facility
- Wiring in closets

Page 41: Business Continuity

Water Damage

- IS facility should not be on the ground floor
- Waterproof ceilings, walls and floors
- Drainage systems
- Water alarms
- Dry-pipe sprinkler system
- Cover hardware with protective fabric

Page 42: Business Continuity

Controls of the Last Resort (Insurance)

- IS equipment and facility
- Media reconstruction (software)
- Extra expense
- Business interruption
- Valuable papers and records
- Errors and omissions
- Fidelity coverage
- Media transportation
- Extra equipment coverage
- Specialized equipment coverage
- Civil authority

Page 43: Business Continuity

What is a contingency?

An event with the potential to disrupt computer operations, critical missions and business functions. Reasons:
- Power outage
- Hardware failure
- Fire
- Storms

Page 44: Business Continuity

What is a Disaster?

- A contingency event which is very destructive
- Disasters result from threats

Page 45: Business Continuity

Phases of Disaster

- Crisis phase
- Emergency response phase
- Recovery phase
- Restoration phase

Page 46: Business Continuity

Disasters

- New York WTC collapse
- Gujarat earthquake
- Power outage knocks out a data server
- Sprinkler system leaks
- Chemical spill from a tanker

Page 47: Business Continuity

Nasdaq Story, 11 Sept 01

1 Liberty Plaza, headquarters of Nasdaq, is across the street from the WTC. CIO Gregor Bailar provides an inside look at how Nasdaq got back up and running after the Sept. 11 tragedy.

What was happening at 1 Liberty?

They began evacuating after the first plane hit. Our security guards, on their own accord, evacuated our floor at least, so most of our people were on the ground when the second plane hit.

Page 48: Business Continuity

Nasdaq Story, 11 Sept 01

Halting the market wasn't a step you could take lightly

"Yes, halt the market."

Page 49: Business Continuity

Nasdaq Story, 11 Sept 01

How did the command center operate?

The first thing we had to understand was our personnel situation. Then we broadened the investigation to learn who was affected among our traders. Then we had to understand the situation from a physical perspective.

Page 50: Business Continuity

Nasdaq Story, 11 Sept 01

How did the command center operate? (continued)

Did we lose a building? Did we lose a data center? Did we lose connectivity? What have we got in the way of physical damage that's going to take a long time to restore?

Page 51: Business Continuity

Nasdaq Story, 11 Sept 01

How did the command center operate? (continued)

Next we needed to know the regulatory situation: Are people trading today? What's the landscape of the trading industry? It was literally in that order.

Page 52: Business Continuity

Nasdaq Story, 11 Sept 01

Some of your traders were in trouble, but Nasdaq's systems were all up?

Nasdaq is highly redundant. We have servers in different buildings. Every single one of our traders is connected to two different Nasdaq points of presence or connection centers.

Page 53: Business Continuity

Nasdaq Story, 11 Sept 01

Some of your traders were in trouble, but Nasdaq's systems were all up? (continued)

There are four connection centers alone in downtown Manhattan, and 20 connection centers around the United States. Every single server connects to two of those centers through two different paths, and often through two different vendors.

Page 54: Business Continuity

Nasdaq Story, 11 Sept 01

How did you prepare for Monday?

We started industrywide testing on Saturday at 7 or 8 in the morning, and by 11:30 that morning, we had achieved 98 percent of the volume. And then on Sunday we did a half-day of retesting with people who wanted to add a little more volume capability.

Page 55: Business Continuity

Nasdaq Story, 11 Sept 01

What did Nasdaq lose over the downtime and what did it cost to get back up?

We have interruption insurance, so we hope to recover most of it, but it's in the millions, and it could crest tens of millions.

Page 56: Business Continuity

Nasdaq Story, 11 Sept 01

What were the disaster recovery lessons for Nasdaq?

We learned that distributed systems are really good. You have to think about how your business has concentrated people or operational centers in certain places. You've got to consider if it's the wisest distribution. We feel we were lucky having some folks in Connecticut and some in Maryland. Even if we had lost some of our senior management at 1 Liberty Plaza, we would have still had a senior team.

Page 57: Business Continuity

Nasdaq Story, 11 Sept 01

After living through this, what would you advise other CIOs to consider?

This was a true test of people's backup strategies. Did you ever test your backup strategy? Have you worked out of your backup center?

Page 58: Business Continuity

Nasdaq Story, 11 Sept 01

After living through this, what would you advise other CIOs to consider? (continued)

Do you know how to get people there? Do you know the critical phone numbers? A lot of people don't have phone numbers as part of their continuity of business plan.

Page 59-60: Business Continuity

Nasdaq Story, 11 Sept 01

After living through this, what would you advise other CIOs to consider? (continued)

I think people will have to look very carefully at their backup strategies and see whether they can communicate with everybody easily, whether the phone numbers are not stored in that same building that could experience the disaster, and whether they've got hot backups. Hot backups are going to be much more popular than they have been in the past.

Page 61: Business Continuity

[Chart: yellow line shows normal traffic]

Page 62: Business Continuity

How did AT&T Control the Network?

- 141 video display screens show the status of all the networks
- Network managers put controls on the network to slow down the flow of inbound calls
- Keep circuits available for outbound calling
- As a result, the AT&T long distance network carried a record 431 million call attempts on Sept. 11, 101 million more than the previous high-traffic day

Page 63: Business Continuity


Business Continuity Plan

The BCP focuses on sustaining an organization’s business functions during and after a disruption

Page 64: Business Continuity


Disaster Recovery Plan

The DRP applies to major, usually catastrophic, events that deny access to the normal facility for an extended period

Page 65: Business Continuity

Types of Plans

Business Recovery Plan
- Addresses restoration of business processes, but lacks procedures

Continuity of Operations Plan
- Addresses restoring headquarters-level functions at an alternate site

Page 66: Business Continuity

Types of Plans

Crisis Communication Plan
- Responsible for public communications

IT Contingency Plan
- A plan for each major application

Occupant Emergency Plan
- Response procedures for occupants

Test Plan
- Identifies deficiencies in the different plans

Page 67: Business Continuity

Cyber Incident Response Plan

The IRP defines strategies to detect, respond to and limit the consequences of a malicious cyber incident

Page 68: Business Continuity

Category of Disaster

- Minor disruption
- Serious disruption
- Major disruption
- Catastrophic disruption

Page 69: Business Continuity

Naresh Gandhi FCA, D.I.S.A. (ICAI)

Category of Disaster

Minor disruptionNo damage or loss

Temporary power failure or fluctuationCommunication failureUnavailability of non critical personnel

Page 70: Business Continuity

Category of Disaster

Serious disruption: repairable damage to equipment, office area, data, records or software
- Equipment breakdown
- Failure of air conditioning
- Human error

Page 71: Business Continuity

Category of Disaster

Major disruption: destruction of equipment, office area or data
- Complete loss of equipment
- Structural mishap
- Malicious loss of data

Page 72: Business Continuity

Category of Disaster

Catastrophic disaster: total loss of office area, data or people due to a natural disaster such as fire, flood etc.
- Complete loss of personnel
- Complete destruction of facilities

Page 73: Business Continuity

What is a Disaster Recovery Plan?

A plan that provides a vital pre-planned framework:
- for initiating recovery operations
- that provides guidance for damage assessment
- with planned actions to resume critical IS and functional activities
- to restore full business operations
- with minimum delay and disruption

Page 74: Business Continuity

Coping with Emergencies

The idea of the DRP is to think before the actual happening:
- How likely is the happening?
- What can be done when it happens?
- What can be done to lessen its likelihood?
- What can be done to prepare for these events?

Page 75: Business Continuity

DRP - Key Issues

- How to develop the plan
- How to test the plan
- How to maintain the plan
- How to keep continuity of operations

Page 76: Business Continuity

DRP Overview

- A total plan for all departments, integrated together
- Must be written, tested and documented
- Clear assignment of responsibilities to employees
- It should address: mainframe computers, minicomputers, microcomputers

Page 77: Business Continuity

DRP Overview

It should address (continued): networks, automated operations, semi-automated operations, manual operations

Page 78: Business Continuity

Why a Disaster Recovery Plan

- To respond to disasters of any type
- To curtail revenue loss
- To avoid loss of critical data
- To maintain competitive edge
- To maintain employee productivity

Page 79: Business Continuity

DRP - Phases

- Identifying threats and vulnerabilities
- Developing the contingency plan
- Conducting tasks and drills
- Updating and maintaining the plan

Page 80: Business Continuity

Ranking of Objectives of DRP

1. Protection of the organization's employees and the public
2. Minimizing the financial impact
3. Limiting the extent of damage
4. Reducing physical damage

Page 81: Business Continuity

Planning Responsibilities

- Prime responsibility for developing, maintaining and executing the contingency plan is with senior management
- The recommended approach to planning is by teams

Page 82: Business Continuity

BCP Techniques

DRP Plan: top-down approach

Page 83: Business Continuity

BCP Techniques - DRP Plan

Top-down approach; it involves:
- Senior management
- Line management
- IS management
- System auditors
- End users

Page 84: Business Continuity

BCP Techniques - DRP Plan Steps

- Conduct impact analysis
- Plan design
- Plan development
- Plan implementation
- Plan testing
- Plan maintenance

Page 85: Business Continuity

BCP Techniques

Ongoing maintenance: a combination of top-down and bottom-up approaches

Page 86: Business Continuity

BCP Techniques

Why do we require a plan? Responsibility to:
- Shareholders
- Customers
- Suppliers
- Employees
- Legal obligations

Page 87: Business Continuity

BCP Techniques

What can go wrong in a planning process?
- Technical aspects
- Back-up employees
- Functional user operations
- Selection of the DRP team

Page 88: Business Continuity

BCP Techniques

Application System Prioritization
- Identify critical application systems
- Prioritize each item
- Conduct impact analysis
- Prioritization is to be based on importance to the organization, not to an individual

Page 89: Business Continuity

BCP Techniques

What can go wrong in system prioritization?
- The majority of systems may not be critical
- Most business users claim that their system qualifies as critical

Page 90: Business Continuity

Naresh Gandhi FCA, D.I.S.A. (ICAI)

BCP Techniques

Planning CommitteePlanning CommitteeResponsible for developing DRPKnowledgeable membersSpecific assignments

Page 91: Business Continuity

Naresh Gandhi FCA, D.I.S.A. (ICAI)

BCP Techniques

Planning Committee MembersPlanning Committee MembersKnowledgeable membersProject leadersWell versed with IS requirementsFrom security, fire, operations, production control, legal, audit, users, tele-communication, network, system and application programming

Page 92: Business Continuity

Naresh Gandhi FCA, D.I.S.A. (ICAI)

BCP Techniques

Recovery Capability AssessmentRecovery Capability AssessmentCurrent security Disaster recovery capabilitiesWeaknessesAnalysisRecommend prioritized actions

Page 93: Business Continuity

Naresh Gandhi FCA, D.I.S.A. (ICAI)

BCP Techniques

Plan Development AlternativesPlan Development AlternativesIn-houseReady made software packageHire consultantsCombination of the above

Page 94: Business Continuity

Naresh Gandhi FCA, D.I.S.A. (ICAI)

BCP Techniques

Plan requirement analysisHardwareSystem softwarePersonnel'sTelecommunicationsBackup data fileVendor support availabilitySecurity

Page 95: Business Continuity

Naresh Gandhi FCA, D.I.S.A. (ICAI)

BCP Techniques

Plan requirement analysis Office equipmentLogisticsStorageFundingPurchase orders

Page 96: Business Continuity

Naresh Gandhi FCA, D.I.S.A. (ICAI)

BCP Techniques

Planning document contentsPurpose and scopeTesting and Recovery proceduresVendors with address and tele nos.Location of contingency planProcedure for post recoveryEmergency recovery team members with responsibilityPhone list for fire, police, hardware, software, major suppliers and customers

Page 97: Business Continuity

Naresh Gandhi FCA, D.I.S.A. (ICAI)

BCP Techniques

Planning document contents Contact person with address at backup locationDescription and configuration of hardware and softwareBackup contractual agreementsApplication system job prioritiesLogisticsInsurance carrier phone nos.

Page 98: Business Continuity

Contingency Planning Process - Steps

- Identifying the critical functions
- Identifying the resources supporting critical functions
- Anticipating potential contingencies or disasters
- Selecting the contingency planning strategy: emergency response, recovery, resumption

Page 99: Business Continuity

Contingency Planning Process - Steps

- Implementing the contingency strategy: implementation, documenting, training
- Testing and revising the strategy

Page 100: Business Continuity

Disaster Recovery Teams

- Emergency action team
- Disaster assessment team
- Recovery management team
- Public relations team
- Off-site storage team
- Software team
- Application team
- Security team
- Communication team
- Transportation team
- Facilities team
- Administration team
- Operation team
- Procurement team
- Salvage team
- Staff coordination team

Page 101: Business Continuity

Activating the Plan

- Recognize an emergency
- Contact the proper authority, reporting:
  - Specific nature of the emergency
  - Time of the emergency
  - Location of the emergency
  - Extent of damage or status of the emergency
  - Danger or injuries to people
  - Cause of the emergency

Page 102: Business Continuity

Activating the Plan

- Activate the plan
- Gather the response team
- Brief the response team
- Activate the emergency command center, equipped with:
  - Communications equipment
  - Personal protective equipment (first aid kits)
  - Records and information needed to respond
  - Reference manuals, including maps

Page 103: Business Continuity

Activating the Plan

Activate the emergency command center (continued):
- Emergency communication directory
- Back-up power supply, including fuel
- Office supplies, including computers with internet access
- AM/FM radios, cable television
- Food, water and other personal supplies to last several days
- Message boards, overhead projectors and other presentation materials and equipment

Page 104: Business Continuity

Naresh Gandhi FCA, D.I.S.A. (ICAI)

Activation of the Plan

Maintain communication Initiate recovery activitiesAssemble a damage assessment teamGather initial damage estimates

Facility structural damageDamage to products, materials, or supplies, including records and informationDamage to vehicles or equipmentDamage to property

Page 105: Business Continuity

Activation of the Plan

Gather initial damage estimates (continued):
- Personal injuries
- Costs to recover (materials and supplies)
- Costs to recover (repairs and maintenance)
- Costs to recover (labor)
- Loss of revenue

Compile the information into a report: the Initial Damage Assessment Report

Page 106: Business Continuity

Initial Damage Assessment Report (form)

Facility Damaged:
Location: (Attach map with clearly marked location and travel route to site, if needed)
Describe Damage or Injuries:
List Work Needed to Repair Sites:
List Work that has been Completed: (Attach activity report if any work has been completed)
Estimated Cost: (Develop a detailed breakdown of personnel, equipment and materials for complete damage assessment; include estimate of any loss of revenue)
Notes/Comments:
Damage Report Completed By:
Dated:

Page 107: Business Continuity

Activation of the Plan

- Train the damage assessment team
- Initiate security activities:
  - Issuing identification badges to employees and other authorized personnel
  - Locking doors if personnel cannot monitor the facility during an emergency
  - Installing signs designating secured or restricted areas
  - Placing a sign-in sheet at the command center and logging time in/out
  - Creating a list of authorized personnel and monitoring it

Page 108: Business Continuity

Activation of the Plan

Initiate security activities (continued):
- Ensuring that personnel know who is authorized to make decisions
- Maintaining supplies to board up windows quickly
- Securing cash operations immediately
- Asking for police assistance
- Asking a neighbor to help monitor security

Activate contingency arrangements:
- Notify the recovery site
- Notify impacted staff
- File insurance claims
- Primary site procedures
- Return to normal operations
- Post-recovery analysis

Page 109: Business Continuity

Develop Recovery Priorities

Resource                          Recovery Priority
Authentication Server             High
Database Server                   High
5 Desktop Computers               High
1 Hub                             High
E-mail Server                     Medium
Printer                           Medium
Remaining Desktop Computers (45)  Low
Remaining Hubs (5)                Low
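Added example, not from the deck: the priorities above follow from the allowable outage times on slide 19 once each resource is mapped to the business functions that depend on it, and a resource shared by several functions (power, cabling) inherits the shortest of their allowable outages. The Python below makes that mapping explicit; the dependency list is constructed from the two tables, and the 8-hour/4-day priority bands are an assumption chosen to reproduce them.

```python
"""Added example (not from the slides): derive each resource's allowable
outage time and recovery priority from the business functions that depend
on it, reproducing the deck's tables on slides 19 and 109. The dependency
map is constructed from those tables; the priority bands are an assumption."""

HOUR = 1
DAY = 24 * HOUR

# Business functions and their allowable outage time in hours (slide 19).
FUNCTIONS = {
    "Inventory System": 8 * HOUR,
    "E-mail": 2 * DAY,
    "Inventory Reports": 4 * DAY,
}

# What each function needs. Constructed from slide 19; treating the reports
# as dependent on the Inventory System, and e-mail on shared power and
# cabling, is an assumption made for the example.
DEPENDS_ON = {
    "Inventory System": ["Authentication Server", "Database Server",
                         "5 Desktop Computers", "Hub", "Network Cabling",
                         "Electric Power"],
    "E-mail": ["E-mail Server", "Network Cabling", "Electric Power"],
    "Inventory Reports": ["Printer", "Inventory System"],
}

# Resources in the inventory that no listed function needs (slide 109).
OTHER_RESOURCES = ["Remaining Desktop Computers (45)", "Remaining Hubs (5)"]


def allowable_outage(functions, depends_on):
    """Push each function's allowable outage down onto the resources it uses.
    A shared resource inherits the shortest outage of anything that depends on
    it, directly or through another function. Returns {resource: hours}."""
    outage = {}

    def visit(node, limit, path):
        if node in path:                      # dependency cycle: stop here
            return
        if node in functions:
            limit = min(limit, functions[node])
        else:
            outage[node] = min(limit, outage.get(node, float("inf")))
        for child in depends_on.get(node, ()):
            visit(child, limit, path | {node})

    for fn in functions:
        visit(fn, float("inf"), frozenset())
    return outage


def recovery_priority(hours):
    """Band an allowable outage into the deck's High/Medium/Low priorities.
    The thresholds (8 hours, 4 days) are chosen here to match slide 109."""
    if hours <= 8 * HOUR:
        return "High"
    if hours <= 4 * DAY:
        return "Medium"
    return "Low"


def priority_table(functions, depends_on, other_resources=()):
    """[(resource, allowable_outage_hours, priority)], shortest outage first.
    Resources that support no listed function get Low with no outage figure."""
    outage = allowable_outage(functions, depends_on)
    rows = [(res, hrs, recovery_priority(hrs)) for res, hrs in outage.items()]
    rows.sort(key=lambda row: (row[1], row[0]))
    rows += [(res, None, "Low") for res in other_resources if res not in outage]
    return rows


if __name__ == "__main__":
    for res, hrs, prio in priority_table(FUNCTIONS, DEPENDS_ON, OTHER_RESOURCES):
        label = "-" if hrs is None else f"{hrs}h"
        print(f"{res:34} {label:>5}  {prio}")
```

The check worth keeping from this is the propagation step: the printer's own process tolerates four days, but the inventory system it reports on tolerates eight hours, so every resource under the inventory system stays High no matter how tolerant the downstream report is.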

Page 110: Business Continuity

Recovery Alternatives - Centralized Systems

- Hot site
- Warm site
- Cold site
- Mobile site
- Mirrored site
- Duplicate information processing facility
- Reciprocal agreement
- Commercial service bureaux

Page 111: Business Continuity

Recovery Alternatives

Hot Site
- Fully configured
- Ready for operations
- Intended for emergency operations
- Used for limited-time operations
- Most expensive

Page 112: Business Continuity

Recovery Alternatives

Warm Site
- Partially configured
- Without the main computer (CPU)
- Less expensive than a hot site

Page 113: Business Continuity

Recovery Alternatives

Cold Site
- Only the basic environment
- Activation takes several weeks
- Least expensive

Page 114: Business Continuity

Recovery Alternatives

Mobile Site
- Empty shell facilities
- Transportable
- Available on lease through vendors

Page 115: Business Continuity

Recovery Alternatives

Mirrored Site
- Fully redundant
- Real-time information mirroring
- Identical to the primary site
- Most expensive to maintain

Page 116: Business Continuity

Recovery Alternatives

Duplicate Information Processing Facilities
- Dedicated, self-developed recovery sites
- Backup of critical applications
- Site chosen to be away from the primary site
- Resource availability to be assured
- Regular testing

Page 117: Business Continuity

Recovery Alternatives

Reciprocal agreements
- Agreements between organizations with similar equipment or applications
- Low cost
- Configuration compatibility

Page 118: Business Continuity

Service Bureaus/ASPs

- Emergency processing services
- Application specific

Page 119: Business Continuity

Alternate Site Selection Criteria

Site | Cost | Hardware Equipment | Telecommunication | Setup Time | Location
Cold Site | Low | None | None | Long | Fixed
Warm Site | Medium | Partial | Partial/Full | Medium | Fixed
Hot Site | Medium/High | Full | Full | Short | Fixed
Mobile Site | High | Dependent | Dependent | Dependent | Not Fixed
Mirrored Site | High | Full | Full | None | Fixed

Page 120: Business Continuity

Telecommunication Network Backup

- Redundancy: surplus capacity created for extra load/failure
- Alternative Routing: routing by means of an alternate medium
- Diverse Routing: split or duplicate cable sheath

Page 121: Business Continuity

Telecommunication Network Backup

- Last mile circuit protection: local communication loops
- Long haul network diversity: T1 circuits between network carriers for automatic re-routing in case of failures
- Voice Recovery

Page 122: Business Continuity

Data Recovery Plan

- Critical
- Vital
- Sensitive
- Non Critical

Page 123: Business Continuity

Backup Techniques

- Full Backup
- Incremental Backup
- Differential Backup
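Worked example (added here, not part of the original slides): a Python model of the three techniques run over a constructed five-day change history. It shows what each backup set copies, how much each scheme writes in total, and which sets a restore must read back: every incremental since the full, or only the latest differential. File names, sizes and the change history are constructed sample data.

```python
"""Full, incremental and differential backup sets on a constructed change history."""

# Constructed sample: the files that changed on each day. Day 0 is the full backup.
CHANGES = {
    0: {"ledger.db", "payroll.db", "config.ini", "notes.txt"},
    1: {"ledger.db"},
    2: {"payroll.db", "notes.txt"},
    3: {"ledger.db"},
    4: set(),
}
# Constructed file sizes in MB, used to compare how much each scheme writes.
SIZES = {"ledger.db": 50, "payroll.db": 30, "config.ini": 1, "notes.txt": 2}


def plan_backups(changes, scheme):
    """Return [(day, kind, {file: version_day})] for scheme 'incremental' or 'differential'.

    Each backup set records the version (last change day) of every file it copied.
    Incremental copies only what changed since the previous backup of any kind;
    differential copies everything changed since the last full backup.
    """
    if scheme not in ("incremental", "differential"):
        raise ValueError(f"unknown scheme {scheme!r}")
    plan = []
    current = {}        # latest version of every file seen so far
    since_full = set()  # files changed since the last full backup
    for day in sorted(changes):
        for name in changes[day]:
            current[name] = day
        if day == 0:
            plan.append((day, "full", dict(current)))
            since_full = set()
            continue
        since_full |= changes[day]
        if scheme == "incremental":
            plan.append((day, "incremental", {f: current[f] for f in changes[day]}))
        else:
            plan.append((day, "differential", {f: current[f] for f in since_full}))
    return plan


def restore_chain(plan, day):
    """Backup sets that must be read, in order, to rebuild the data as of `day`."""
    fulls = [b for b in plan if b[1] == "full" and b[0] <= day]
    if not fulls:
        raise ValueError("no full backup on or before that day")
    full = fulls[-1]
    later = [b for b in plan if full[0] < b[0] <= day]
    if later and later[-1][1] == "differential":
        return [full, later[-1]]   # the latest differential supersedes earlier ones
    return [full] + later          # every incremental must be applied in order


def restore(plan, day):
    """Apply the restore chain and return (chain, {file: version_day}) as rebuilt."""
    chain = restore_chain(plan, day)
    state = {}
    for _, _, files in chain:
        state.update(files)
    return chain, state


def bytes_written(plan, sizes):
    """Total volume copied by all sets in the plan."""
    return sum(sizes[f] for _, _, files in plan for f in files)


if __name__ == "__main__":
    for scheme in ("incremental", "differential"):
        plan = plan_backups(CHANGES, scheme)
        chain, state = restore(plan, 3)
        print(f"{scheme}: wrote {bytes_written(plan, SIZES)} MB, "
              f"restore to day 3 reads {len(chain)} set(s) -> {state}")
```

Both schemes rebuild the same file versions; the trade-off the slide names is visible in the numbers: incremental writes less each night but a restore needs the full plus every incremental in sequence, while differential writes more each night and restores from just two sets.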

Page 124: Business Continuity

Backup Methods

- Floppy Diskettes
- Compact Disk
- Replication
- Internet Backup

Page 125: Business Continuity

Backup Methods

- Removable Cartridges
- Tape Drives
- Networked Disk
- Remote Mirroring

Page 126: Business Continuity

Answer the following

- Where will media be stored?
- What data should be backed up?
- How frequently are backups conducted?
- How quickly can the backups be retrieved in the event of an emergency?
- Who is authorized to retrieve the media?
- How long will it take to retrieve the media?
- Where will the media be delivered?

Page 127: Business Continuity

Answer the following

- Who will restore the data from the media?
- What is the tape-labeling scheme?
- How long will the backup media be retained?
- When the media are stored onsite, what environmental controls are provided to preserve the media?
- What types of tape readers are used at the alternate site?

Page 128: Business Continuity

Backup Media Library

It should contain:
- Backup tapes, disks, master and transaction files
- Backup copies of current application software
- Up to date copy of the contingency plan
- Up to date operation manuals, system and program documentation

Each facility must have a backup media library

Page 129: Business Continuity

Backup Media Library

- Should be at some distance from the main facility
- Subject to physical and environmental control

Page 130: Business Continuity

Backup Procedures

What can go wrong
- May contain only magnetic or electronic records, not paper records
- Access not available at all times
- Critical data may not be stored

Page 131: Business Continuity

Backup Procedures

Determining Backup Priorities
- Postpone less urgent tasks
- Identify critical functions in advance
- Eliminate or postpone non-urgent portions of record keeping

Page 132: Business Continuity

Plan Testing

- Scope
- Time-frame
- Teams
- Objectives
- Methodology

Conduct Evaluation
- Weaknesses
- Improvement
- Revision

Page 133: Business Continuity

Phases of Testing

- Pre test
- Test
- Post Test

Page 134: Business Continuity

Type of Tests

- Checklist test
- Structured walk through test
- Simulation test
- Parallel test
- Full interruption test

Page 135: Business Continuity

Result Analysis

- Time
- Amount
- Count
- Accuracy

Page 136: Business Continuity

Test Examples

- Contact every level of the call tree successfully within 1 hour
- Restore critical systems off-site within 48 hours
- Evacuate the building in 15 minutes
- Contact key vendors within 1 hour
- Fire drills carried out selectively
- Check jockey pump pressure

Notify participants in advance

Page 137: Business Continuity

Awareness and Training

- Walkthrough Session
- Scenario Workshop
- Simulation of a Live Test

Page 138: Business Continuity

BCP Maintenance

- Strategy as per the changing needs of the business
- New applications documented
- Changes in critical applications
- Changes in hardware or software environment
- Plan maintenance methods

Page 139: Business Continuity

BCP Maintenance

- Schedule for periodic review and maintenance
- Review of revisions
- Conducting scheduled and unscheduled tasks
- Training recovery personnel
- Maintaining rounds
- Updating personnel changes

Page 140: Business Continuity

Record of Change

Page No. | Change | Comment | Date of Change | Signature

Page 141: Business Continuity

Law And Standards

Page 142: Business Continuity

HIPAA

Documented practices for data protection and continuity of operations for the health care industry

Page 143: Business Continuity

GLB And The Expedited Funds Availability Act

Standards for safeguarding the security and confidentiality of customer records

Page 144: Business Continuity

Sarbanes-Oxley Act

An Act for protecting investors by improving the reliability of corporate disclosures and internal control

Page 145: Business Continuity

GASSP

Principles supporting the Generally Accepted Accounting Principles and similar models

Page 146: Business Continuity

Information Technology Infrastructure Library

A collection of best practices in IT service management

Page 147: Business Continuity

Basel Committee On e-Banking

Principles for effective capacity, business continuity and contingency planning of e-banking systems and services

Page 148: Business Continuity

Basel II Capital Accord

Encourages financial firms to be more proactive and forward-looking in financial activities

Page 149: Business Continuity

SAS 70

Internationally recognized auditing standard for service organizations

Page 150: Business Continuity

COBIT

A framework resulting in control objectives considered to be good or best practices

Page 151: Business Continuity

Strategies For Networked Systems

Page 152: Business Continuity

Strategies

- Eliminating single points of failure
- Redundant cabling and devices
- Remote access
- Wireless LANs

Page 153: Business Continuity

Strategies For Fault Tolerant Implementation

Page 154: Business Continuity

RAID

- A system which uses multiple hard drives to share or replicate data among the drives
- A system that combines multiple hard drives into a single logical unit

Page 155: Business Continuity

RAID

Benefits
- Higher data security
- Fault tolerance
- Improved availability
- Increased, integrated capacity
- Improved performance

Page 156: Business Continuity

RAID

Data redundancy techniques
- Mirroring
- Parity
- Striping

Page 157: Business Continuity

RAID

Mirroring: data in the system is written simultaneously to two hard disks instead of one

Page 158: Business Continuity

RAID

MIRRORING

Page 159: Business Continuity

RAID

Mirroring

Advantages
- Data redundancy
- Fast recovery

Disadvantages
- Expensive

Page 160: Business Continuity

RAID

Duplexing

Data in the system is written simultaneously to two hard disks with separate controllers

Page 161: Business Continuity

RAID

Disk Duplexing

Page 162: Business Continuity

RAID

Striping: a data element is broken into multiple pieces at byte level or in blocks

Page 163: Business Continuity

RAID

Striping

Page 164: Business Continuity

RAID

Parity

It involves the use of parity information, which is redundancy information calculated from the actual data values

Page 165: Business Continuity

RAID Levels

RAID-0
- Technique: striping without parity
- Files broken into stripes
- No redundancy
- Storage efficiency: 100% if drives identical
- Minimum of 2 hard disks required
- Fault tolerance: none
- Cost: lowest of all RAID levels
- Recommended uses: non-critical data

Page 166: Business Continuity

RAID-0

This illustration shows how files of different sizes are distributed between the drives on a four-disk, 16 kiB stripe size RAID 0 array. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; and the magenta is 500 kiB.

Page 167: Business Continuity

RAID Levels

RAID-1
- Technique: mirroring
- Exactly 2 hard disks
- Fault tolerance: very good
- Storage efficiency: 50% if drives identical
- Cost: relatively high
- Recommended uses: applications requiring high fault tolerance, e.g. accounting and other financial data

Page 168: Business Continuity

RAID-1

Illustration of a pair of mirrored hard disks, showing how the files are duplicated on both drives.

Page 169: Business Continuity

RAID Levels

RAID-2
- Technique: bit level striping with ECC
- Hard disk requirements: 10 data disks and 4 ECC disks
- Random read performance: Fair
- Random write performance: Poor
- Fault tolerance: only fair
- Cost: very expensive
- Recommended use: not used in modern systems

Page 170: Business Continuity

RAID Levels

RAID-3
- Technique: byte level striping with dedicated parity
- Minimum 3 hard disks
- Random read performance: Good
- Random write performance: Poor
- Array capacity: size of smallest drive * (no. of drives - 1)
- Fault tolerance: good
- Cost: Moderate
- Recommended uses: applications working with large files that require high transfer performance

Page 171: Business Continuity

RAID-3

This illustration shows how files of different sizes are distributed between the drives on a four-disk, byte-striped RAID 3 array. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; and the magenta is 500 kiB. Notice that the files are evenly spread between three drives, with the fourth containing parity information (shown in dark gray).

Page 172: Business Continuity

RAID Levels

RAID-4
- Technique: block level striping with dedicated parity
- Random read performance: Good
- Random write performance: Fair
- Array capacity: size of smallest drive * (no. of drives - 1)
- Minimum 3 hard disks
- Fault tolerance: good
- Cost: Moderate
- Recommended uses: not commonly used

Page 173: Business Continuity

RAID-4

This illustration shows how files of different sizes are distributed between the drives on a four-disk RAID 4 array using a 16 kiB stripe size. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; and the magenta is 500 kiB. Notice that as with RAID 3, the files are evenly spread between three drives, with the fourth containing parity information (shown in gray).

Page 174: Business Continuity

RAID Levels

RAID-5
- Technique: block level striping with distributed parity
- One of the most popular RAID levels
- Random read performance: Very Good
- Random write performance: Only Fair
- Array capacity: size of smallest drive * (no. of drives - 1)
- Minimum 3 hard disks
- Fault tolerance: good
- Cost: Moderate
- Recommended uses: ERP, relational database applications and other business systems

Page 175: Business Continuity

RAID-5

This illustration shows how files of different sizes are distributed between the drives on a four-disk RAID 5 array using a 16 kiB stripe size. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; and the magenta is 500 kiB.

Page 176: Business Continuity

RAID Levels

RAID-6
- Technique: block level striping with dual distributed parity
- Minimum 4 hard disks
- Random read performance: Very Good
- Random write performance: Poor
- Array capacity: size of smallest drive * (no. of drives - 2)
- Fault tolerance: very good
- Cost: High
- Specialized controller
- Recommended uses: same as RAID-5, but not popular as the cost is high
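Worked example (added here, not part of the original slides) serving both the parity slide and the RAID level summaries: the capacity rules quoted above (smallest drive * (n - 1) for RAID-3/4/5, smallest drive * (n - 2) for RAID-6) are coded next to an XOR parity stripe that can rebuild any one lost drive from the survivors. The payload, drive count and block size are constructed; the dedicated-parity layout is the RAID-3/4 one, RAID-5 rotates the parity position but the arithmetic is identical.

```python
"""RAID capacity rules and XOR parity rebuild, worked on constructed data."""
from functools import reduce
from operator import xor

# Minimum drive counts as given on the slides (RAID-2's 10+4 layout is left out).
MIN_DRIVES = {0: 2, 1: 2, 3: 3, 4: 3, 5: 3, 6: 4, 10: 4}
# Simultaneous drive failures each level is guaranteed to survive.
DRIVE_FAILURES_TOLERATED = {0: 0, 1: 1, 3: 1, 4: 1, 5: 1, 6: 2, 10: 1}


def array_capacity(level, drive_sizes):
    """Usable capacity in the units of drive_sizes.

    RAID-3/4/5: smallest drive * (n - 1); RAID-6: smallest drive * (n - 2), as on
    the slides. RAID-0 stripes the smallest size across every drive, RAID-1 keeps
    one copy's worth, RAID-10 keeps half of the striped total.
    """
    n = len(drive_sizes)
    if level not in MIN_DRIVES:
        raise ValueError(f"RAID-{level} not modelled here")
    if n < MIN_DRIVES[level]:
        raise ValueError(f"RAID-{level} needs at least {MIN_DRIVES[level]} drives")
    smallest = min(drive_sizes)  # an array is limited by its smallest member
    if level == 0:
        return smallest * n
    if level == 1:
        if n != 2:
            raise ValueError("RAID-1 is exactly two disks")
        return smallest
    if level == 10:
        if n % 2:
            raise ValueError("RAID-10 needs an even number of drives")
        return smallest * n // 2
    if level in (3, 4, 5):
        return smallest * (n - 1)
    return smallest * (n - 2)  # RAID-6: two parity blocks per stripe


def storage_efficiency(level, drive_sizes):
    """Usable capacity as a fraction of raw capacity (1.0 for RAID-0 only with identical drives)."""
    return array_capacity(level, drive_sizes) / sum(drive_sizes)


def parity_block(blocks):
    """XOR of equal-length byte blocks: the parity that RAID-3/4/5 store for each stripe."""
    return bytes(reduce(xor, column) for column in zip(*blocks))


def stripe_with_parity(data, data_drives, block_size):
    """Split data into stripes of `data_drives` blocks, appending one parity block per stripe."""
    stripe_bytes = data_drives * block_size
    padded = data.ljust(-(-len(data) // stripe_bytes) * stripe_bytes, b"\0")
    stripes = []
    for off in range(0, len(padded), stripe_bytes):
        blocks = [padded[off + i * block_size: off + (i + 1) * block_size]
                  for i in range(data_drives)]
        stripes.append(blocks + [parity_block(blocks)])
    return stripes


def to_drives(stripes):
    """Transpose stripes into per-drive block lists: drive i holds block i of every stripe."""
    return [list(column) for column in zip(*stripes)]


def rebuild_drive(drives, failed):
    """Recreate every block of one failed drive from the survivors, stripe by stripe.

    Works for a data drive and for the parity drive alike: XOR-ing all the other
    blocks of a stripe yields the missing one, which is why any single failure is recoverable.
    """
    survivors = [d for i, d in enumerate(drives) if i != failed]
    return [parity_block(blocks) for blocks in zip(*survivors)]


def read_back(drives, data_drives, length):
    """Reassemble the original bytes from the data drives, dropping the padding."""
    stripes = zip(*drives[:data_drives])
    return b"".join(b"".join(blocks) for blocks in stripes)[:length]


# Constructed sample payload laid out on three data drives plus one parity drive.
SAMPLE = b"BCP/DRP parity demo!!"
DRIVES = to_drives(stripe_with_parity(SAMPLE, data_drives=3, block_size=4))

if __name__ == "__main__":
    for level in (0, 1, 5, 6, 10):
        sizes = [100, 100] if level == 1 else [100, 100, 100, 100]
        print(f"RAID-{level}: capacity {array_capacity(level, sizes)} GB, "
              f"efficiency {storage_efficiency(level, sizes):.0%}, "
              f"survives {DRIVE_FAILURES_TOLERATED[level]} failure(s)")
    lost = 1  # simulate losing the second data drive, then rebuild it
    damaged = DRIVES[:lost] + [None] + DRIVES[lost + 1:]
    repaired = damaged[:lost] + [rebuild_drive(damaged, lost)] + damaged[lost + 1:]
    print(read_back(repaired, 3, len(SAMPLE)) == SAMPLE)
```

The capacity figures make the slide's cost ranking concrete (RAID-6 gives up a second drive for its second parity), and the rebuild shows why a second failure during a RAID-5 rebuild is fatal: with two blocks of a stripe missing, the single XOR parity no longer determines either.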

Page 177: Business Continuity

RAID-6

This illustration shows how files of different sizes are distributed between the drives on a four-disk RAID 6 array using a 16 kiB stripe size. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; and the magenta is 500 kiB.

Page 178: Business Continuity

RAID Levels

RAID-7
- Proprietary product of Storage Computer Corporation
- Hard disks: depends
- Random read performance: Very Good
- Random write performance: Very Good
- Array capacity: depends
- Fault tolerance: very good
- Cost: Very High
- Specialized controller
- Recommended uses: not popular as the cost is high

Page 179: Business Continuity

Multiple (Nested) RAID Levels

RAID-0+1 and RAID-10
- Technique: mirroring and striping without parity
- Most popular of the multiple RAID levels
- Minimum 4 hard disks
- Availability: very good for RAID-0+1, excellent for RAID-10
- Random read performance: very good
- Random write performance: good
- Fault tolerance: very good
- Cost: High
- Recommended uses: often used in place of RAID-1 or RAID-5 for higher performance

Page 180: Business Continuity

RAID 0+1

Page 181: Business Continuity

RAID 10

Page 182: Business Continuity

Strategies for Data communications

- Dial up
- Circuit Extension
- On demand service from the carriers
- Diversification of services
- Microwave communications
- VSAT

Page 183: Business Continuity

Strategies for Voice communications

- Cellular phone backup
- Carrier call rerouting systems
- Backup PBX systems

Page 184: Business Continuity

Electronic vaulting

Electronic vaulting is the ability to store and retrieve backups electronically at a site remote from the primary computer centre

Page 185: Business Continuity

Remote Journaling

Parallel processing of transactions to an alternate site

Page 186: Business Continuity

Database shadowing

Duplicating the database sites to multiple servers

Page 187: Business Continuity

Backup strategies

- Dual Recording
- Dumping
- Logging Input Transactions
- Logging Before-images
- Logging After-images
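Worked example (added here, not part of the original slides) for dumping and before/after-image logging: recovery restores the last dump, rolls forward with the after-images in log order, then rolls back any transaction the log shows as uncommitted by re-applying its before-images in reverse. Re-executing logged input transactions is shown for contrast. The accounts, values and log records are constructed; the before-image check that stops a roll-forward when the dump and log do not line up is an added integrity check, not something the slide states.

```python
"""Dump plus before/after-image logging: roll-forward, roll-back and input replay."""

# Constructed periodic dump: a full copy of the table at one point in time.
DUMP = {"acct-A": 100, "acct-B": 50, "acct-C": 10}

# Constructed transaction log written after the dump. Each update record carries the
# before-image (value before the change) and the after-image (value after the change).
LOG = [
    ("T1", "update", "acct-A", 100, 70),
    ("T1", "update", "acct-B", 50, 80),
    ("T1", "commit"),
    ("T2", "update", "acct-A", 70, 20),
    ("T2", "update", "acct-C", 10, 60),
    # T2 has no commit record: the failure happened before it completed.
]

# Constructed input-transaction log: the original requests rather than their effects.
INPUTS = [("transfer", "acct-A", "acct-B", 30)]


def committed_transactions(log):
    """Transaction ids that reached a commit record."""
    return {rec[0] for rec in log if rec[1] == "commit"}


def roll_forward(dump, log):
    """Restore the dump and re-apply every after-image in log order.

    The stored before-image must equal the current value; a mismatch means the dump
    and the log do not belong together (wrong dump generation, missing log segment),
    so recovery stops rather than silently producing a corrupt database.
    """
    state = dict(dump)
    for rec in log:
        if rec[1] != "update":
            continue
        _, _, key, before, after = rec
        if state.get(key) != before:
            raise ValueError(f"log/dump mismatch on {key}: expected {before}, found {state.get(key)}")
        state[key] = after
    return state


def roll_back_uncommitted(state, log):
    """Undo transactions that never committed by restoring their before-images, newest first."""
    done = committed_transactions(log)
    state = dict(state)
    for rec in reversed(log):
        if rec[1] == "update" and rec[0] not in done:
            _, _, key, before, _after = rec
            state[key] = before
    return state


def recover(dump, log):
    """Full recovery sequence: dump, roll forward (after-images), roll back (before-images)."""
    return roll_back_uncommitted(roll_forward(dump, log), log)


def replay_input_transactions(dump, inputs):
    """Logging input transactions instead: re-execute the original requests against the dump."""
    state = dict(dump)
    for kind, src, dst, amount in inputs:
        if kind != "transfer":
            raise ValueError(f"unknown input {kind!r}")
        if state[src] < amount:
            raise ValueError(f"insufficient funds in {src}")
        state[src] -= amount
        state[dst] += amount
    return state


if __name__ == "__main__":
    print("recovered from dump + images:", recover(DUMP, LOG))
    print("recovered from dump + inputs:", replay_input_transactions(DUMP, INPUTS))
```

Both routes end at the same committed state, which is what a recovery test should compare: the image-based route needs no application logic at recovery time, while input replay depends on the transaction code behaving exactly as it did originally.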

Page 188: Business Continuity

Network Attached Storage

- A class of systems that provide file services to host computers
- Dedicated storage solution that is attached to a network topology

Page 189: Business Continuity

Storage Area Network

- A network of storage disks
- It connects multiple computers to a centralized pool of disk storage
- Fibre Channel technology

Page 190: Business Continuity

Storage Area Network

Advantages
- Centralization of storage
- Storage and server resources grow independently
- Data transfer directly from device to device

Page 191: Business Continuity

Server Load Balancing

It consists of distributing user activity across a network so that no single server is overloaded. It enables the application to operate even if one of the servers is down.

Page 192: Business Continuity

Server Load Balancing

- Load balancing done by load balancers
- Routers and switches with application specific integrated circuits
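Worked example (added here, not part of the original slides) of the behaviour the two load balancing slides describe: round-robin distribution across a pool, with servers that fail a health check skipped so requests keep flowing while one server is down. The server names and the probe function are constructed stand-ins for a real pool and a real TCP or HTTP health probe.

```python
"""Round-robin server load balancing with health-based failover."""
from collections import Counter


class RoundRobinBalancer:
    """Hands each request to the next healthy server in rotation.

    A server marked down is skipped rather than removed, so it resumes its place in
    the rotation as soon as a health check marks it up again.
    """

    def __init__(self, servers):
        if not servers:
            raise ValueError("at least one server is required")
        self.servers = list(servers)
        self.healthy = {s: True for s in self.servers}
        self._cursor = 0

    def mark_down(self, server):
        self.healthy[server] = False

    def mark_up(self, server):
        self.healthy[server] = True

    def run_health_checks(self, probe):
        """probe(server) -> bool; a constructed stand-in for a real health probe.

        Returns the servers currently considered healthy after the sweep.
        """
        for s in self.servers:
            self.healthy[s] = bool(probe(s))
        return [s for s in self.servers if self.healthy[s]]

    def pick(self):
        """Next healthy server in rotation; raises when the whole pool is down."""
        n = len(self.servers)
        for _ in range(n):
            candidate = self.servers[self._cursor % n]
            self._cursor = (self._cursor + 1) % n
            if self.healthy[candidate]:
                return candidate
        raise RuntimeError("no healthy servers available")

    def distribute(self, requests):
        """Dispatch `requests` requests and return how many each server received."""
        return Counter(self.pick() for _ in range(requests))


if __name__ == "__main__":
    lb = RoundRobinBalancer(["web1", "web2", "web3"])
    print("all up:", lb.distribute(9))
    lb.mark_down("web2")
    print("web2 down:", lb.distribute(6))
    print("health sweep:", lb.run_health_checks(lambda s: s != "web3"))
```

The "whole pool down" path matters for the continuity plan: a balancer that keeps forwarding to dead servers hides the outage, whereas raising (or returning a clear error page) lets monitoring and the recovery procedure trigger.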

Page 193: Business Continuity

IS Audit Technique

Role of Auditor
- Observer
- Reviewer
- Reporter

Page 194: Business Continuity

Review of BCP

- Current copy of BCP
- Evaluation of documented procedures
- Critical applications identified
- All applications reviewed
- Support of critical applications
- Review of BCP personnel, vendors, hot site contents, back-up contents

Page 195: Business Continuity

Review of BCP

- Interview key members
- Evaluation of emergency procedures
- Written procedures of recovery teams

Page 196: Business Continuity

Audit Procedure

Interview personnel and read documents
- Risk analysis documents
- Disaster recovery requirement documents
- Disaster recovery training documents
- Disaster recovery plan testing documents
- Disaster recovery plan maintenance procedures
- Alternative processing contracts with back-up facilities
- Third party audit reports

Page 197: Business Continuity

Audit Procedure

Risk analysis
- Critical application identification
- Classification of critical data
- Minimum hardware configuration
- Existing file backup procedures
- Record retention and rotation schedules

Page 198: Business Continuity

Audit Procedure

Off-site storage facilities
- Commercial
- Private
- Verify financial background and reputation
- Visit the facility
- Assess the storage standards
- Method of separation of media
- Mode of transportation of media

Page 199: Business Continuity

Audit Procedure

Off-site storage facilities ...
- Review flow of media in and out
- Visitor access
- Terms and conditions of vendors
- Confidentiality of data
- Periodic inventory of media
- Other physical and environmental controls

Page 200: Business Continuity

Audit Procedure

Plan Documents
- Number of subscribers and capacity of computers in the backup facility
- Fee structure of vendor
- Off-site media storage facility
- Liability of vendors for loss or damage at the off-site location
- Names, addresses and telephone numbers of recovery team members
- Transportation arrangements

Page 201: Business Continuity

Audit Procedure

Plan Documents …
- Equipment and supplies
- Emergency team instructions for evacuation and recovery
- Telephone numbers of hardware and software supply vendors
- Procedures to handle bomb or arson threats
- Plan testing procedures
- Network configuration diagram and documentation

Page 202: Business Continuity

Audit Objectives

- Adequacy of risk analysis
- Adequacy of off-site storage facilities
- DRP documents are complete, clear and understandable
- Adequacy of management preparedness
- Adequacy of plan maintenance procedures

Page 203: Business Continuity

Audit Objectives

- Identify problems and concerns
- Make cost effective recommendations
- Identify over secured and under secured activities

Page 204: Business Continuity

Thanks...