Business Continuity and Disaster Recovery Planning
CISSP Guide to Security Essentials
Chapter 4
CISSP Guide to Security Essentials 2
Objectives
• Running a business continuity and disaster recovery planning project
• Developing business continuity and disaster recovery plans
• Testing business continuity and disaster recovery plans
• Training users
• Maintaining business continuity and disaster recovery plans
What Is a Disaster
• Any natural or man-made event that disrupts the operations of a business in such a significant way that a considerable and coordinated effort is required to achieve a recovery.
Natural Disasters
• Geological: earthquakes, volcanoes, lahars, tsunamis, landslides, and sinkholes
• Meteorological: hurricanes, tornadoes, wind storms, hail, ice storms, snow storms, rainstorms, and lightning
• Other: avalanches, fires, floods, meteors and meteorites, and solar storms
• Health: widespread illnesses, quarantines, and pandemics
Man-made Disasters
• Labor: strikes, walkouts, and slow-downs that disrupt services and supplies
• Social-political: war, terrorism, sabotage, vandalism, civil unrest, protests, demonstrations, cyber attacks, and blockades
• Materials: fires, hazardous materials spills
• Utilities: power failures, communications outages, water supply shortages, fuel shortages, and radioactive fallout from power plant accidents
How Disasters Affect Businesses
• Direct damage to facilities and equipment
• Transportation infrastructure damage
– Delays deliveries and supplies, and prevents employees from getting to work
• Communications outages
• Utilities outages
How BCP and DRP Support Security
• Security pillars: C-I-A
– Confidentiality
– Integrity
– Availability
• BCP and DRP directly support availability
BCP and DRP Differences and Similarities
• BCP
– Activities required to ensure the continuation of critical business processes in an organization
– Alternate personnel, equipment, and facilities
• DRP
– Assessment, salvage, repair, and eventual restoration of damaged facilities and systems
Industry Standards Supporting BCP and DRP
• ISO/IEC 27001/27002: ISO/IEC 27002 is the Code of Practice for Information Security Management (ISO/IEC 27001 is the companion ISMS requirements standard). Section 14 (of the 2005 edition; the 2013 revision renumbered it as section 17) addresses business continuity management: principles, terminology and process to support business continuity management.
• NIST SP 800-34: Contingency Planning Guide for Information Technology Systems. Defines a seven-step contingency planning process that can structure BCP and DRP projects.
• NFPA 1600: Standard on Disaster / Emergency Management and Business Continuity Programs.
• NFPA 1620: The Recommended Practice for Pre-Incident Planning.
• HIPAA: the Security Rule's contingency plan standard requires a documented data backup plan, disaster recovery plan, and emergency mode operation plan for electronic protected health information (ePHI); testing and revision of those plans is an addressable specification, meaning the covered entity must implement it or document why an alternative is reasonable.
Benefits of BCP and DRP Planning
• Reduced risk through risk/threat analysis
• Process improvements
• Improved organizational maturity
• Improved availability and reliability
• Marketplace advantage
The Role of Prevention
• Not prevention of the disaster itself, but prevention of surprise and disorganized response
• Reduction in impact of a disaster
– Better equipment bracing
– Better fire detection and suppression
– Contingency plans that provide [near] continuous operation of critical business processes
– Prevention of extended periods of downtime
Running a BCP / DRP Project
• Pre-project activities
• Perform a Business Impact Analysis (BIA)
• Develop resumption and recovery plans
• Test resumption and recovery plans
Pre-project Activities
• Obtain executive support
• Formally define the scope of the project
• Choose project team members
• Develop a project plan
– Business Impact Analysis
– Develop contingency plans
– Test plans
• Develop a project charter
– Purpose, executive sponsorship, scope, budget, team members, milestones
Performing a Business Impact Analysis
• Survey critical business processes
• Perform threat assessment, risk analyses
• Develop key metrics
– Maximum tolerable downtime (MTD), recovery time objective (RTO), recovery point objective (RPO)
• Develop impact statements
• Perform criticality analysis
Survey In-scope Business Processes
• Develop interview / intake template
• Interview a representative from each department
– Identify all important processes
• Identify dependencies on systems, people, equipment
• Information consolidation
– Collate the data into a database or spreadsheet to give a big-picture, all-company view
Process intake form:
Process name             Shipping; Marketing Department
Date
Interviewer
Interviewee
Process owner name       Manager's name
Process purpose          Role, why the process is performed
Process inputs           Data, people, supplies, other
Process outputs          Data, products, other
Supplier dependency      Name of the supplier needed to continue
Personnel dependencies
Threat and Risk Analysis
• Identify threats, vulnerabilities, risks for each key process
– Rank according to probability, impact, cost
– Identify mitigating controls
Threat / risk analysis from intake form (figure; only the intake-form fields survived extraction):
Process name             Shipping; Marketing Department
Date
Interviewer
Interviewee
Process owner name       Manager's name
Process purpose
Process inputs           Data, people, supplies, other
Determine Maximum Tolerable Downtime (MTD)
• For each business process
• Identify the maximum time that each business process can be inoperative before the organization suffers significant damage or its long-term viability is threatened
• Probably an educated guess for many processes
• Obtain senior management input to validate data
• Publish into the same database / spreadsheet listing all business processes
Develop Statements of Impact
• For each process, describe the impact on the rest of the organization if the process is incapacitated
• Examples
– Inability to process payments
– Inability to produce invoices
– Inability to access customer data for support purposes
Record Other Key Metrics
• Examples
– Cost to operate the process
– Cost of process downtime
– Profit derived from the process
• Useful for upcoming criticality analysis
Ascertain Current Continuity and Recovery Capabilities
• For each business process, rate each capability as adequate, inadequate, or non-existent
– Identify documented continuity capabilities
– Identify documented recovery capabilities
– Identify undocumented capabilities
• Ask: what if the disaster happened tomorrow?
Develop Key Recovery Targets
• Recovery time objective (RTO)
– Period of time from disaster onset to resumption of the business process
• Recovery point objective (RPO)
– Maximum acceptable period of data loss, counting backwards from the onset of the disaster to the last recoverable copy of the data
• RTO must not exceed the process's MTD; a plan whose RTO is longer than the MTD does not protect the process even when executed perfectly
• Obtain senior management buyoff on RTO and RPO
• Publish into the same database / spreadsheet listing all business processes
Sample Recovery Time Objectives
RTO             Technology(ies) required
8-14 days       New equipment, data recovery from backup
4-7 days        Cold systems, data recovery from backup
2-3 days        Warm systems, data recovery from backup
12-24 hours     Warm systems, recovery from high speed backup media
6-12 hours      Hot systems, recovery from high speed backup media
3-6 hours       Hot systems, data replication
1-3 hours       Clustering, data replication
< 1 hour        Clustering, near real time data replication
Criticality Analysis
• Rank processes by criticality criteria
– MTD (maximum tolerable downtime)
– RTO (recovery time objective)
– RPO (recovery point objective)
– Revenue loss per hour/day/week
– Cost of downtime or other metrics
– Qualitative criteria: reputation, market share, goodwill
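As an added worked example (not from these slides), the following Python consolidates intake records into one BIA worksheet, checks that each process's RTO fits inside its MTD before management sign-off, ranks the processes by criticality, and assigns each one the recovery technology tier from the sample RTO table above. The ProcessRecord fields, the four sample processes and their numbers, and the hour boundaries used for the tiers are assumptions.

```python
"""Consolidated BIA worksheet: validate recovery targets and rank processes.

Added example, not from the CISSP Guide to Security Essentials slides. The
record fields mirror the chapter's intake form and BIA metrics; the sample
processes, their numbers and the tier boundaries are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ProcessRecord:
    """One row of the all-company BIA spreadsheet (all durations in hours)."""
    name: str
    department: str
    owner: str
    mtd_h: float                 # maximum tolerable downtime
    rto_h: float                 # recovery time objective
    rpo_h: float                 # recovery point objective
    downtime_cost_per_h: float   # from the 'other key metrics' step
    impact_statement: str
    dependencies: List[str] = field(default_factory=list)  # suppliers, systems, people


# Constructed sample data (assumed, not from the slides).
SAMPLE_PROCESSES: List[ProcessRecord] = [
    ProcessRecord("Order shipping", "Operations", "Ops manager", 48, 24, 4, 1500.0,
                  "Inability to ship customer orders", ["carrier", "warehouse system"]),
    ProcessRecord("Payment processing", "Finance", "Finance manager", 8, 4, 0.5, 12000.0,
                  "Inability to process payments", ["acquirer", "payment gateway"]),
    ProcessRecord("Marketing newsletter", "Marketing", "Marketing manager", 240, 168, 24, 50.0,
                  "Delayed campaigns", ["email service provider"]),
    ProcessRecord("Customer support portal", "Support", "Support manager", 24, 36, 1, 3000.0,
                  "Inability to access customer data for support purposes", ["CRM"]),
]

# Sample RTO table from the chapter: (upper bound of RTO in hours, technology).
# Gaps between rows (e.g. 3-4 days) are assumed to fall into the next slower tier.
RECOVERY_TIERS: List[Tuple[float, str]] = [
    (1, "Clustering, near real time data replication"),
    (3, "Clustering, data replication"),
    (6, "Hot systems, data replication"),
    (12, "Hot systems, recovery from high speed backup media"),
    (24, "Warm systems, recovery from high speed backup media"),
    (72, "Warm systems, data recovery from backup"),
    (168, "Cold systems, data recovery from backup"),
    (336, "New equipment, data recovery from backup"),
]


def validate_targets(p: ProcessRecord) -> List[str]:
    """Consistency checks to surface before senior management signs off.

    RTO > MTD means the plan, even executed perfectly, still loses the process.
    Non-positive durations usually mean the intake form was left blank.
    """
    problems = []
    if p.mtd_h <= 0 or p.rto_h <= 0:
        problems.append(f"{p.name}: MTD/RTO not filled in")
    elif p.rto_h > p.mtd_h:
        problems.append(f"{p.name}: RTO {p.rto_h}h exceeds MTD {p.mtd_h}h")
    return problems


def criticality_rank(processes: List[ProcessRecord]) -> List[str]:
    """Most urgent first: shortest MTD wins, ties broken by hourly downtime cost."""
    ordered = sorted(processes, key=lambda p: (p.mtd_h, -p.downtime_cost_per_h))
    return [p.name for p in ordered]


def recovery_technology(rto_h: float) -> str:
    """Look up the slowest technology tier that still meets the given RTO."""
    for upper_bound_h, technology in RECOVERY_TIERS:
        if rto_h <= upper_bound_h:
            return technology
    return "Beyond the sample table: new equipment and restore from backup"


def bia_report(processes: List[ProcessRecord]) -> Dict[str, object]:
    """The consolidated view the chapter asks for: ranking, problems, tiers, losses."""
    return {
        "ranking": criticality_rank(processes),
        "problems": [m for p in processes for m in validate_targets(p)],
        "tiers": {p.name: recovery_technology(p.rto_h) for p in processes},
        "loss_per_day": {p.name: p.downtime_cost_per_h * 24 for p in processes},
    }


if __name__ == "__main__":
    for key, value in bia_report(SAMPLE_PROCESSES).items():
        print(key, value)
```

In the sample data the support portal's RTO (36 h) is longer than its MTD (24 h), which is exactly the kind of inconsistency the validation step is meant to catch before the targets are published to the all-company spreadsheet.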
Improve System and Process Resilience
• For the most critical processes (based upon ranking in the criticality analysis)
– Identify the biggest risks
– Identify cost of mitigation
– Can several mitigating controls be combined?
– Do mitigating controls follow best / common practices?
Develop Business Continuity and Disaster Recovery Plans
• For the most critical processes (based upon ranking in the criticality analysis)
– Develop continuity plans and recovery plans; each must meet the process's RTO and RPO objectives
• Develop budget for plan development
• Develop budget for response and recovery effort
• Revise as needed
Develop Business Continuity and Disaster Recovery Plans (cont.)
• Plan components (each covered below)
– Select recovery team members
– Emergency response
– Damage assessment and salvage
– Notification
– Personnel safety
– Communications
– Public utilities and infrastructure
– Logistics and supplies
– Business resumption planning
– Restoration and recovery
Select Recovery Team Members
• Issues
– Unable to respond
– Unwilling to respond
• Selection criteria
– Location of residence, relative to work and other key locations
– Skills and experience (determines effectiveness)
– Ability and willingness to respond
– Own transportation
– Health and family (determines probability to serve)
– Identify backups: other team members, external resources
Emergency Response
• Personnel safety: includes first-aid, searching for personnel, etc.
• Evacuation: evacuation procedures to prevent any hazard to workers.
• Asset protection: includes buildings, vehicles, and equipment.
• Damage assessment: this could involve outside structural engineers to assess damage to buildings and equipment.
• Emergency notification: response team communication, and keeping management and organization staff informed.
Damage Assessment and Salvage
• Determine damage to buildings, equipment, utilities
– Requires inside experts
– Usually requires outside experts: civil engineers to inspect buildings, government building inspectors
• Salvage
– Identify working and salvageable assets
– Cannibalize for parts or other uses
Notification
• Many parties need to know the condition of the organization
– Employees, suppliers, customers, regulators, authorities, shareholders, community
• Methods of communication
– Telephone call trees, web site, signage, media
– Alternate means of communication must be identified in advance, since the primary channel may itself be disabled by the disaster
Personnel Safety
• The number one concern in any disaster response operation
– Emergency evacuation
– Accounting for all personnel
– Administering first-aid
– Emergency supplies: water, food, blankets, shelters
– On-site employees could be stranded for several days
Communications
• Communications essential during emergency operations
• Considerations
– Avoid channels that share common infrastructure, since they fail together
– Diversify mobile services (more than one carrier)
– Consider two-way radios
– Consider satellite phones
– Consider amateur radio
Public Utilities and Infrastructure
• Often interrupted during a disaster
– Electricity: emergency generation (UPS, generator)
– Water: building could be closed if no water is available
– Natural gas: heating
– Wastewater: if disabled, building could be closed
• Emergency supplies
– Drinking water, sanitation, spare parts, waste bins
Logistics and Supplies
• Food and drinking water
• Blankets and sleeping cots
• Sanitation
• Tools
• Spare parts
• Waste bins
• Information
• Communications
Business Resumption Planning
• Alternate work locations
• Alternate personnel
• Communications
– Emergency, support of business processes
• Standby assets and equipment
• Access to procedures, business records
Restoration and Recovery
• Repairs to facilities, equipment
• Replacement equipment
• Restoration of utilities
• Resumption of business operations in primary business facilities
Improving System Resilience and Recovery
• From the BIA, two recovery targets: RTO and RPO. What will help meet them?
• Off-site media storage
– Assurance of data recovery
• Server clusters
– Improved availability
– Geographic clusters
• Data replication
– At the hardware, OS, DBMS, or application layer
– Current data on multiple servers, even in remote places
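An added example (not from these slides) that turns the resilience options above into a check against the BIA targets: it estimates the RPO and RTO that an off-site backup design and a replication design can actually deliver and compares them with an assumed target for a payment process. The timing model, the two sample designs and the targets are assumptions; the point it shows is that the RPO of shipped backup media is the backup interval plus the run time plus the transport lag, not the backup interval alone.

```python
"""Achievable RPO and RTO of a recovery design versus the BIA targets.

Added example, not from the CISSP Guide to Security Essentials slides. The
timing model, the two sample designs and the payment-process targets are
assumptions chosen to show why off-site backups and data replication land in
different rows of the chapter's sample RTO table.
"""
from dataclasses import dataclass
from typing import Dict, Union


@dataclass
class BackupDesign:
    """Periodic backup to media that is later moved off-site (hours, GB, GB/h)."""
    interval_h: float        # time between backup starts
    duration_h: float        # run time of one backup
    offsite_lag_h: float     # completion -> copy physically off-site
    retrieval_h: float       # off-site vault -> recovery site
    data_gb: float           # volume that must be restored
    restore_gb_per_h: float  # sustained restore throughput


@dataclass
class ReplicationDesign:
    """Continuous replication to standby servers in a remote location."""
    lag_h: float             # replication lag; 0.0 for synchronous
    failover_h: float        # promote the standby and redirect clients


Design = Union[BackupDesign, ReplicationDesign]


def achievable_rpo_h(design: Design) -> float:
    """Worst-case age of the newest copy that survives the disaster."""
    if isinstance(design, BackupDesign):
        # The site is destroyed moments before the newest backup reaches the
        # vault: that copy is lost with the site, so the newest usable copy is
        # the previous one, which started one full interval earlier.
        return design.interval_h + design.duration_h + design.offsite_lag_h
    return design.lag_h


def achievable_rto_h(design: Design, declaration_h: float, validation_h: float) -> float:
    """RTO runs from disaster onset, so the time to declare a disaster and the
    time to validate the recovered system both count against it."""
    if isinstance(design, BackupDesign):
        restore_h = design.data_gb / design.restore_gb_per_h
        return declaration_h + design.retrieval_h + restore_h + validation_h
    return declaration_h + design.failover_h + validation_h


def assess(design: Design, target_rpo_h: float, target_rto_h: float, mtd_h: float,
           declaration_h: float = 1.0, validation_h: float = 1.0) -> Dict[str, object]:
    """Compare what the design delivers with what the BIA demands."""
    rpo = achievable_rpo_h(design)
    rto = achievable_rto_h(design, declaration_h, validation_h)
    return {
        "rpo_h": rpo,
        "rto_h": rto,
        "rpo_ok": rpo <= target_rpo_h,
        "rto_ok": rto <= target_rto_h,
        "within_mtd": rto <= mtd_h,   # the hard limit even if RTO is missed
    }


# Constructed sample: BIA targets for a payment process (assumed values).
PAYMENT_TARGETS = {"target_rpo_h": 0.5, "target_rto_h": 4.0, "mtd_h": 8.0}

# Constructed sample designs (assumed values).
NIGHTLY_TAPE = BackupDesign(interval_h=24, duration_h=3, offsite_lag_h=12,
                            retrieval_h=12, data_gb=1800, restore_gb_per_h=600)
ASYNC_REPLICATION = ReplicationDesign(lag_h=0.25, failover_h=1.5)


if __name__ == "__main__":
    for label, design in (("nightly tape", NIGHTLY_TAPE),
                          ("async replication", ASYNC_REPLICATION)):
        print(label, assess(design, **PAYMENT_TARGETS))
```

With these numbers the nightly off-site backup gives a worst-case RPO of 39 hours and an RTO of 17 hours, which not only misses the targets but exceeds the 8-hour MTD; asynchronous replication with a quarter-hour lag meets both targets, matching the "hot systems, data replication" row of the sample table.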
Training Staff
• Everyday operations
• Recovery procedures
• Emergency procedures
• Resumption procedures
• Learning methods
– Learn through participation
– Learn through formal training
Testing Business Continuity and Disaster Recovery Plans
• Five levels of testing
– Document review
– Walkthrough
– Simulation
– Parallel test
– Cutover test
Document Review
• Review of recovery, operations, resumption plans and procedures
• Performed by individuals
• Provide feedback to document owners
• Least impact, lowest risk, least benefit
Walkthrough
• Group discussion of recovery, operations, resumption plans and procedures
• Performed by teams
• Brainstorming and discussion brings out new issues, ideas
• Provide feedback to document owners
• Low impact, lowest risk, moderate benefit
Simulation
• Walkthrough of recovery, operations, resumption plans and procedures in a scripted “case study” or “scenario”
• Performed by teams
• Places participants in a mental disaster setting that helps them discern real issues more easily
• Low impact, low risk, moderate benefit
Parallel Test
• Full or partial workload is applied to recovery systems
• Performed by teams
• Tests actual system readiness and accuracy of procedures
• Production systems continue to operate and support actual business processes
• Moderate impact, low risk, moderate benefit
Cutover Test
• Production systems are shut down or disconnected and the recovery systems assume the full actual workload; this is the only test that proves the recovery environment can carry production, and the only one in which a failed test causes a real outage
• Performed by teams
Maintaining Business Continuity and Disaster Recovery Plans
• Events that necessitate review and modification of DRP and BCP procedures:
– Changes in business processes and procedures
– Changes to IT systems and applications
– Additions to IT applications
– Changes in IT architecture
– Changes in service providers
– Changes in organizational structure
Summary
• Natural and man-made disasters affect businesses through direct damage, and damage to transportation and utilities
• BCP is concerned with continuation of processes; DRP is concerned with recovery of facilities
• Benefits of BCP and DRP include process improvement, reduced risk, and market advantage
• The components of a Business Impact Analysis (BIA) are:
– Inventory processes
– Perform risk and threat assessment
– Assign recovery targets
– Perform criticality assessment
• Several key metrics are developed in a BIA:
– MTD (maximum tolerable downtime)
– RTO (recovery time objective)
– RPO (recovery point objective)
– Possibly others (cost of downtime, recovery)
• The components of a DRP and BCP plan are:
– Emergency response
– Damage assessment and salvage
– Communications
– Personnel evacuation and safety
– Restoration and recovery
– Business resumption
• The types of BCP and DRP plan testing are:
– Document review
– Walkthrough
– Simulation
– Parallel test
– Cutover test