Major Component of DR/BCP Plan by Tareq Hanaysha
Major Component of DR/BCP Plan
DR/BCP Component's Policy
In this document I'm going through the major components of a DR/BCP plan and, based on these components, I'm trying to write a simple organizational security policy to address them.
Tareq Hanaysha, 4/8/2008
Major Component of DR/BCP Plan
A disaster is any event that has a significant impact on an enterprise's ability to conduct normal business. The DR/BCP plan includes the information and procedures needed to resume an organization's operations after some sort of disaster. Sometimes the plan is split into several plans: one to address recoverable disasters (e.g., loss of a server) and a more comprehensive business continuity plan for use in total-loss situations.
Business continuity plans are designed to help organisations protect themselves from the losses to infrastructure and resources caused by earthquakes, extreme weather, other natural disasters, pandemics and terrorism. It is important to differentiate between BCP and DR. BCP is a plan that takes into account your resources, processes and technology in the event of downtime, a disaster or an emergency, whereas disaster recovery is the underlying technology component that determines how failover takes place. A Disaster Recovery Plan (DRP), on the other hand, applies to major, usually catastrophic, events that deny access to the normal facility for an extended period. Frequently, DRP refers to an IT-focused plan designed to restore operability of the target system, application, or computer facility at an alternate site after an emergency.
Plan: Business Continuity Plan (BCP)
  Purpose: Provide procedures for sustaining essential business operations while recovering from a significant disruption.
  Scope: Addresses business processes; IT is addressed based only on its support for business processes.
Plan: Disaster Recovery Plan (DRP)
  Purpose: Provide detailed procedures to facilitate recovery of capabilities at an alternate site.
  Scope: Often IT-focused; limited to major disruptions with long-term effects.
Major Components of DR/BCP:
1. Develop the contingency planning policy statement. A formal security department or agency within the organization provides the authority and guidance necessary to develop an effective contingency plan.
2. Conduct the business impact analysis (BIA). The BIA helps to identify and prioritize critical IT systems and components.
3. Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
4. Develop recovery strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
5. Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
6. Plan testing, training, and exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
7. Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.
o PREPARE FOR DISASTERS:
1. Investigate the risks we can insure against: Risk mitigation should be part of our BCP plan; sometimes, insurance really is the best policy.
2. Make BCP central to the organisational strategic plan: We won't let business continuity languish in the pages of a plan the rest of the business will never read.
3. Make sure our CEO and executive committee grasp the significance of BCP: Capture the attention of the board with numbers that illustrate the effect of downtime, but keep it real.
4. Make sure we have manual process contingencies: A lot of the information organisations need in a disaster is in electronic form and may not be accessible.
5. Assess risks to our assets and infrastructure: A disaster would affect not only our information systems; other assets might also be affected.
6. Address our legacy challenges: Virtualisation of IT resources, through a single physical device that appears to function as multiple logical devices, can also play a part in BCP.
7. Measure the success of BCP through testing: Make our BCP exercises real, not "thought experiments".
o AVOIDING DISASTERS:
There are a number of techniques that can be used to reduce or eliminate the probability of some disasters. (Of course you can't completely eliminate the risk of disasters!) These mitigation measures often also reduce the cost or time needed for disaster recovery. You should use as many mitigation strategies as makes sense for your DRP:
1. Store key data off-site. The location and access information must be documented in your DRP. Types of key data and documents to store off-line (and perhaps off-site) include system logs, backups, hardware inventories and configurations, /etc/passwd and /etc/shadow (and other /etc/* files), network maps (showing connections, IP address assignments, DNS data, etc.), serial numbers for all equipment, software keys, licenses and permits, room keys (and combinations for locks), and any other security information (such as the root password for your servers).
2. Keep paper copies of vital data (including your DRP).
3. Keep information (contact information, passwords, ...) current.
4. Use anti-virus and malware removal software.
5. Use and regularly test UPS, fire and smoke sensors and alarms, anti-theft systems.
6. Have INFOSEC and compliance (e.g., Sarbanes-Oxley) assessments and evaluations (also known as audits) done at least once after any major IT infrastructure changes.
7. Test the disaster recovery plan by staging a disaster drill. Do this every 1–3 years, more often if a lot has changed since the last drill (such as key personnel turnover) or if your personnel need the practice. Tell people in advance, and also tell fire, police, ISP, and others that you are staging a drill at a specific time.
8. Maintain systems, including regular inspections (e.g., change A/C filters, examine fire extinguishers, change batteries regularly in smoke detectors and UPSes). Such disaster preventative measures should be clearly documented in your DRP, including who is responsible for doing what.
9. Have a backup ISP (say via cheap ISDN line), backup email and possibly other backup servers in different geographical locations. (Often a reciprocal agreement can be made between East and West coast companies to host each other's services in case of emergency.)
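As an added example that is not part of the original document: item 1 above lists the key files to keep off-site, and item 7 and the policy below require that backups be tested for integrity. The script builds a SHA-256 manifest of a primary set of recovery files and verifies an off-site copy against it, reporting files that are missing or corrupt. The file names and contents are constructed placeholders.

```python
"""Build a SHA-256 manifest of key recovery data and verify an off-site copy."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_copy(manifest: dict, copy_root: Path) -> dict:
    """Compare a copy against the manifest; return {path: 'missing'|'corrupt'}."""
    problems = {}
    for rel, digest in manifest.items():
        p = copy_root / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif sha256_file(p) != digest:
            problems[rel] = "corrupt"
    return problems


def demo() -> dict:
    """Constructed example: a primary set, an intact copy, then a damaged copy."""
    base = Path(tempfile.mkdtemp())
    primary, copy = base / "primary", base / "offsite"
    for root in (primary, copy):
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "hosts").write_text("10.0.0.1 backup-srv\n")  # constructed
        (root / "netmap.txt").write_text("constructed network map\n")
    manifest = build_manifest(primary)
    intact = verify_copy(manifest, copy)            # {} while the copy is good
    (copy / "etc" / "hosts").write_text("tampered\n")  # simulate corruption
    (copy / "netmap.txt").unlink()                     # simulate a lost file
    damaged = verify_copy(manifest, copy)
    return {"intact": intact, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

The manifest itself belongs with the paper copies of the DRP, not only beside the backup it describes, so that a corrupted off-site copy cannot vouch for itself.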
o DISASTER RESPONSE:
1. Defines who has the authority to declare a disaster.
2. Defines who has the authority to contact external entities.
3. Defines evacuation procedures.
4. Defines emergency communication and notification procedures.
o BUSINESS CONTINGENCY:
1. Should be task-based.
2. Should be step-by-step.
3. Different from SOPs.
[Figure 2-1: Contingency Planning as an Element of Risk Management Implementation]
o BUSINESS RECOVERY:
1. Backup Methods.
2. Alternate Sites.
3. Equipment Replacement.
4. Roles and Responsibilities.
5. Cost Considerations.
Section X: [COMPANY] Information Security Policy: DR/BCP
Effective Date: 8 April 2008
Subsection: DR/BCP
Change Control #:
Policy: Disaster Recovery & Business Continuity Planning
Approved By: Andy Igonor
Objective: This policy will assist agencies to:
o Identify IT resources that are at risk.
o Implement useful plans to protect against identified threats and mitigate risk.
o Implement tested emergency procedures when a service outage or a disaster occurs.
o Implement and test procedures that enable short-term recovery of IT services following a service outage.
Purpose: The purpose of this policy is to ensure that information technology (IT) resources are protected against service interruptions, including large-scale disasters, by the development, implementation, and testing of disaster recovery/business continuity (DR/BCP) plans.
o For purposes of this policy "DR/BCP" includes, but is not limited to, the documentation,
plans, policies, and procedures that are required to restore normal operation to a state
agency impacted by man-made or natural outages or disasters.
Audience: Managers and individuals responsible for IT security at system and operational levels, including the following personnel:
o Managers: responsible for overseeing IT operations or business processes that rely on IT systems.
o System administrators: responsible for maintaining daily IT operations.
o Information System Security Officers (ISSOs): and other staff responsible for developing, implementing, and maintaining an organization's IT security activities.
o System engineers and architects: responsible for designing, implementing, or modifying information systems.
o Users: who employ desktop and portable systems to perform their assigned job functions.
o Other personnel: responsible for designing, managing, operating, maintaining, or using information systems.
Scope: This policy applies to all executive and judicial branch agencies and educational institutions that operate, manage, or use IT services or equipment to support critical state business functions. The scope includes, but is not limited to:
o Agencies that operate, manage, or use stand-alone, shared, or network-attached computers, whether mainframes, servers, or personal computers for their own use or for use by other agencies.
o Agencies that operate, manage, or use voice, data, or video telecommunications equipment, networks, or services for their own use or for use by other agencies.
o Agencies that purchase computer services or telecommunications network services from other state agencies or commercial concerns.
Policy: The disaster recovery policy must be reviewed at least annually to assure its relevance. Just as in the development of such a policy, a planning team that consists of upper management, and personnel from information security, information technology, human resources, or other operations should be assembled to review the disaster policy. Roles and responsibilities of the planning team should be as follows:
a. Perform an initial risk assessment to determine current information systems vulnerabilities.
b. Perform an initial business impact analysis to document and understand the interdependencies among business processes and determine how the business would be affected by an information systems outage.
c. Take an inventory of information systems assets such as computer hardware, software, applications, and data.
d. Identify single points of failure within the information systems infrastructure.
e. Identify critical applications, systems, and data.
f. Prioritize key business functions.
2. Company personnel will carry out the following procedures in the implementation of a disaster recovery policy:
a. Set up and maintain offsite facilities for data backup storage and electronic vaulting, as well as redundant and reliable standby systems if necessary.
b. Ensure that critical applications, systems, and data are distributed among facilities that are reasonably easy to get to but not so close that they could be affected by the same disaster.
c. Establish written policies, contracts, and service level agreements with third-party hosting, colocation, telecommunications, and Internet service providers that facilitate prompt recovery and continuity.
d. Create an incident response team that consists of information security, IT, marketing, HR, legal, and other relevant personnel.
e. Define the roles and responsibilities of the incident response team.
f. Obtain each incident response team member's contact information.
g. Determine which methods the incident response team members will use to communicate in the event of a disaster.
h. Create a public relations plan to assist with the effective handling of an incident.
i. Assign a manager (such as an IT or Information Security Manager) that has the responsibility and authority to make critical IT decisions.
j. Develop testing standards.
k. Document and distribute the disaster recovery plan.
l. Distribute copies of the written plans to everyone involved and also store extra copies in an offsite, fireproof vault.
m. The following are ongoing procedures that must be followed:
n. Continuously perform data backups, store at least weekly backups offsite, and test those backups regularly for data integrity and reliability.
o. Test plans at least annually, document and review the results, and update the plans as needed.
p. Analyze plans on an ongoing basis to ensure alignment with current business objectives and requirements.
q. Provide security awareness and disaster recovery education for all team members involved.
r. Continuously update information security policies and network diagrams.
3. Secure critical applications and data by patching known vulnerabilities with the latest fixes or
software updates.
4. Test disaster recovery/business resumption plans annually: Agencies are required to test their plan at least once a year. Agencies shall correct any deficiencies revealed by the test. The type and extent of testing adopted by an agency will depend on:
a. Criticality of agency business functions.
b. Cost of executing the test plan.
c. Budget availability.
d. Complexity of information systems and components.
5. Train their employees to execute the recovery plans: Training will consist of:
a. Making employees aware of the need for a disaster recovery/business resumption plan.
b. Informing all employees of the existence of the plan and providing procedures to follow in the event of an emergency.
c. Training all personnel with responsibilities identified in the plan to perform the disaster recovery/business resumption procedures.
d. Providing the opportunity for recovery teams to practice disaster recovery/business resumption skills.
6. The State Auditor may audit disaster recovery/business resumption plans.
The State Auditor may audit agency disaster recovery/business resumption plans and tests for compliance with policy and standards.
7. Maintenance
Technological advances and changes in the business requirements of agencies will
necessitate periodic revisions to policies, standards, and guidelines. The Department of
Information Services is responsible for routine maintenance of these to keep them current.
Major policy changes will require the approval of the ISB.
Exception: None.
Disciplinary Action: Violation of this policy may result in penalizing action of various kinds. Moreover, individuals are subject to civil and criminal prosecution.