Major Component of DR/BCP Plan by Tareq Hanaysha

Major Component of DR/BCP Plan
DR/BCP Component's Policy

In this document I'm going through the major components of a DR/BCP plan, and based on these components I'm trying to write a simple organizational security policy to address them.

Tareq Hanaysha, 4/8/2008


Post on 06-Nov-2014


Major Component of DR/BCP Plan

A disaster is any event that has a significant impact on an enterprise's ability to conduct normal business. The plan includes the information and procedures needed to resume an organization's operation after some sort of disaster. Sometimes the plan is split into several plans, one to address recoverable disasters (e.g., loss of a server) and a more comprehensive business continuity plan for use in total loss situations.

Business continuity plans are designed to help organisations protect themselves from the losses to infrastructure and resources caused by earthquakes, extreme weather, other natural disasters, pandemics and terrorism. It is important to differentiate between BCP and DR. BCP is a plan that takes into account your resources, processes and technology in the event of downtime, a disaster or emergency, whereas Disaster Recovery is the underlying technology component determining how the falls-over.

On the other hand, a Disaster Recovery Plan (DRP) applies to major, usually catastrophic, events that deny access to the normal facility for an extended period. Frequently, DRP refers to an IT-focused plan designed to restore operability of the target system, application, or computer facility at an alternate site after an emergency.


Plan: Business Continuity Plan (BCP)
Purpose: Provide procedures for sustaining essential business operations while recovering from a significant disruption
Scope: Addresses business processes; IT addressed based only on its support for business process

Plan: Disaster Recovery Plan (DRP)
Purpose: Provide detailed procedures to facilitate recovery of capabilities at an alternate site
Scope: Often IT-focused; limited to major disruptions with long-term effects

Major Components of DR/BCP:

1. Develop the contingency planning policy statement. A formal security department or agency within the organization provides the authority and guidance necessary to develop an effective contingency plan.

2. Conduct the business impact analysis (BIA). The BIA helps to identify and prioritize critical IT systems and components.

3. Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.

4. Develop recovery strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.

5. Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.

6. Plan testing, training, and exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.

7. Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.

o PREPARE FOR DISASTERS:

1. Investigate the risks we can insure against: Risk mitigation should be part of our BCP plan; sometimes, insurance really is the best policy.

2. Make BCP central to the organisational strategic plan: We won't let business continuity languish in the pages of a plan the rest of the business will never read.

3. Make sure our CEO and executive committee grasp the significance of BCP: Capture the attention of the board with numbers that illustrate the effect of downtime, but keep it real.

4. Make sure we have manual process contingencies: A lot of the information organisations need in a disaster is in electronic form and may not be accessible.

5. Assess risks to our assets and infrastructure: A disaster would affect not only our information systems; other assets might also be affected.

6. Address our legacy challenges: Virtualisation of IT resources, through a single physical device that appears to function as multiple logical devices, can also play a part in BCP.

7. Measure the success of BCP through testing: Make our BCP exercises real, not "thought experiments".

o AVOIDING DISASTERS:

There are a number of techniques that can be used to reduce or eliminate the probability of some disasters. (Of course you can't completely eliminate the risk of disasters!) These mitigation measures often also reduce the cost or time needed for disaster recovery. You should use as many mitigation strategies as makes sense for your DRP:

1. Store key data off-site. The location and access information must be documented in your DRP. Types of key data and documents to store off-line (and perhaps off-site) include system logs, backups, hardware inventories and configurations, /etc/passwd and /etc/shadow (and other /etc/* files), network maps (showing connections, IP address assignments, DNS data, etc.), serial numbers for all equipment, software keys, licenses and permits, room keys (and combinations for locks), and any other security information (such as the root password for your servers).

2. Keep paper copies of vital data (including your DRP).

3. Keep information (contact information, passwords, ...) current.

4. Use anti-virus and malware removal software.

5. Use and regularly test UPS, fire and smoke sensors and alarms, anti-theft systems.

6. Have INFOSEC and compliance (e.g., Sarbanes-Oxley) assessments and evaluations (also known as audits) done at least once after any major IT infrastructure changes.

7. Test the disaster recovery plan by staging a disaster drill. Do this every 1–3 years, more often if a lot has changed since the last drill (such as key personnel turnovers) or if your personnel need the practice. Tell people in advance, and also tell fire, police, ISP, and others that you are staging a drill at a specific time.

8. Maintain systems, including regular inspections (e.g., change A/C filters, examine fire extinguishers, change batteries regularly in smoke detectors and UPSes). Such disaster preventative measures should be clearly documented in your DRP, including who is responsible for doing what.

9. Have a backup ISP (say via cheap ISDN line), backup email and possibly other backup servers in different geographical locations. (Often a reciprocal agreement can be made between East and West coast companies to host each other's services in case of emergency.)

o DISASTER RESPONSE:

1. Defines who has the authority to declare a disaster.

2. Defines who has the authority to contact external entities.

3. Defines evacuation procedures.

4. Defines emergency communication & notification procedures.

o BUSINESS CONTINGENCY:

1. Should be task-based.

2. Should be step-by-step.

3. Different than SOPs.

Figure 2-1 Contingency Planning as an Element of Risk Management Implementation

o BUSINESS RECOVERY:

1. Backup Methods.

2. Alternate Sites.

3. Equipment Replacement.

4. Roles and Responsibilities.

5. Cost Considerations.

Section X: [COMPANY] Information Security Policy: DR/BCP
Effective Date: 8 April, 2008
Subsection: DR/BCP
Change Control #:
Policy: Disaster Recovery & Business Continuity Planning
Approved By: Andy Igonor

Objective: This policy will assist agencies to:

o Identify IT resources that are at risk.

o Implement useful plans to protect against identified threats and mitigate risk.

o Implement tested emergency procedures when a service outage or a disaster occurs.

o Implement and test procedures that enable short-term recovery of IT services following a service outage.

Purpose: The purpose of this policy is to ensure that information technology (IT) resources are protected against service interruptions, including large scale disasters, by the development, implementation, and testing of disaster recovery/business continuity (DR/BCP) plans.

o For purposes of this policy "DR/BCP" includes, but is not limited to, the documentation, plans, policies, and procedures that are required to restore normal operation to a state agency impacted by man-made or natural outages or disasters.

Audience: Managers and individuals responsible for IT security at system and operational levels, including the following personnel:

o Managers: responsible for overseeing IT operations or business processes that rely on IT systems.

o System administrators: responsible for maintaining daily IT operations.

o Information System Security Officers (ISSOs) and other staff: responsible for developing, implementing, and maintaining an organization's IT security activities.

o System engineers and architects: responsible for designing, implementing, or modifying information systems.

o Users: who employ desktop and portable systems to perform their assigned job functions.

o Other personnel: responsible for designing, managing, operating, maintaining, or using information systems.

Scope: This policy applies to all executive and judicial branch agencies and educational institutions that operate, manage, or use IT services or equipment to support critical state business functions. The scope includes, but is not limited to:

o Agencies that operate, manage, or use stand-alone, shared, or network-attached computers, whether mainframes, servers, or personal computers for their own use or for use by other agencies.

o Agencies that operate, manage, or use voice, data, or video telecommunications equipment, networks, or services for their own use or for use by other agencies.

o Agencies that purchase computer services or telecommunications network services from other state agencies or commercial concerns.


Policy: The disaster recovery policy must be reviewed at least annually to assure its relevance. Just as in the development of such a policy, a planning team that consists of upper management, and personnel from information security, information technology, human resources, or other operations should be assembled to review the disaster policy.

1. Roles and responsibilities of the planning team should be as follows:

a. Perform an initial risk assessment to determine current information systems vulnerabilities.

b. Perform an initial business impact analysis to document and understand the interdependencies among business processes and determine how the business would be affected by an information systems outage.

c. Take an inventory of information systems assets such as computer hardware, software, applications, and data.

d. Identify single points of failure within the information systems infrastructure.

e. Identify critical applications, systems, and data.

f. Prioritize key business functions.

2. Company personnel will carry out the following procedures in the implementation of a disaster recovery policy:

a. Set up and maintain offsite facilities for data backup storage and electronic vaulting as well as redundant and reliable standby systems if necessary.

b. Ensure that critical applications, systems, and data are distributed among facilities that are reasonably easy to get to but not so close that they could be affected by the same disaster.

c. Establish written policies, contracts, and service level agreements with third party hosting, collocation, telecommunications, and Internet service providers that facilitate prompt recovery and continuity.

d. Create an incident response team that consists of information security, IT, marketing, HR, legal, and other relevant personnel.

e. Define the roles and responsibilities of the incident response team.

f. Obtain each incident response team member's contact information.

g. Determine which methods the incident response team members will use to communicate in the event of a disaster.

h. Create a public relations plan to assist with the effective handling of an incident.

i. Assign a manager (such as an IT or Information Security Manager) that has the responsibility and authority to make critical IT decisions.

j. Develop testing standards.

k. Document and distribute the disaster recovery plan.

l. Distribute copies of the written plans to everyone involved and also store extra copies in an offsite, fireproof vault.

m. The following are ongoing procedures that must be followed:

n. Continuously perform data backups, store at least weekly backups offsite, and test those backups regularly for data integrity and reliability.

o. Test plans at least annually, document and review the results, and update the plans as needed.

p. Analyze plans on an ongoing basis to ensure alignment with current business objectives and requirements.

q. Provide security awareness and disaster recovery education for all team members involved.

r. Continuously update information security policies and network diagrams.

3. Secure critical applications and data by patching known vulnerabilities with the latest fixes or software updates.

4. Test disaster recovery/business resumption plans annually: Agencies are required to test their plan at least once a year. Agencies shall correct any deficiencies revealed by the test. The type and extent of testing adopted by an agency will depend on:

a. Criticality of agency business functions.

b. Cost of executing the test plan.

c. Budget availability.

d. Complexity of information system and components.

5. Train their employees to execute the recovery plans: Training will consist of:

a. Making employees aware of the need for a disaster recovery/business resumption plan.

b. Informing all employees of the existence of the plan and providing procedures to follow in the event of an emergency.

c. Training all personnel with responsibilities identified in the plan to perform the disaster recovery/business resumption procedures.

d. Providing the opportunity for recovery teams to practice disaster recovery/business resumption skills.

6. The State Auditor may audit disaster recovery/business recovery plans.

The State Auditor may audit agency disaster recovery/business resumption plans and tests for compliance with policy and standards.

7. Maintenance

Technological advances and changes in the business requirements of agencies will necessitate periodic revisions to policies, standards, and guidelines. The Department of Information Services is responsible for routine maintenance of these to keep them current. Major policy changes will require the approval of the ISB.

Exception: None.

Disciplinary Action: Violation of this policy may result in various forms of penalizing action. Moreover, individuals are subject to civil and criminal prosecution.
