2. The Learning Outcomes At the end of this session you should be able to: the importance ofdisaster recovery in an organization EXAMINE the steps in risk management approach DESCRIBE backup systems and system recovery DISCUSS
5. Impact (cost) if it happensIs it possible to protect against every risk? What is RISK? “The chance of a negative outcome”
6. A risk-management approachhelps identify threats and select cost-effective security measures. Risk-management analysis can be enhanced by the use of DSS software packages. Calculations can be used to compare the expected loss with the cost of preventing it. A business continuity planoutlines the process in which businesses should recover from a major disaster Risk ManagementApproach “What is it all about?”
8. STEP 1: Determine the value and importance of assets Infrastructure: hardware, networks, security environment itself Software environment Staff Cost of replacement Cost of loss of use Assessment of assets
9. STEP 2: List all potential threats Review the current protection/controls system Record weaknesses in the current protection system in view of all the potential threats Vulnerability of assets
10. STEP 3: Assess the probability of damage Specify the tangible and intangible losses that may result Loss analysis
11. STEP 4: Provide a description of available controls that should be considered – general, application, network etc Probability of successful defense The cost Protection analysis
12. STEP 5: Compare cost and benefits Decide on which controls to install Cost Benefit Analysis
14. Increasing the Reliability of Systems Fault tolerance to keep the information systems working, even if some parts fail. Intelligent Systems for Early Detection of problems Detecting intrusion IT Security in the 21st Security
15. Why do we need to back up systems? Because systems fail Impact From minor irritation to business closedown Back up system to: Periodic in Local storage Periodic in Remote storage Mirror site – local Mirror site – distant Withstand fault tolerance Backing-up Systems
16. System Disaster – it happens! Think about: Loss of power Cyber crime Traumatic damage Hardware failure Statutory Requirement
17. System Recovery and Business Continuity Is there a relationship between the two? Here are some key thoughts about disaster recovery by Knoll (1986): The purpose of a recovery plan is to keep the business running after a disaster occurs Recovery planning is part of asset protection Planning should focus first on recovery from a total loss of all capabilities
18. How to ensure that the recovery system works Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current All critical applications must be identified and their recovery procedures addressed in the plan
19. Disaster Recovery Plan In other words: BACK UP PROCEDURES In the event of a major disaster it may be necessary to move to another back up location.
20. Disaster Recovery Plan Considerations Customers Facilities Communications Infrastructure Disaster Recovery Plan Knowledge Workers Computer Equipment Business Information PGM
21. Disaster Recovery Plan HOT SITE VENDORS External hot site vendors provide access to a fully configured back up data center. Following the 1989 San Francisco earthquake Charles Schwab were up and running in New Jersey the following morning. PGM
22. Disaster Recovery Plan COLD SITE VENDORS Provide empty office space with special flooring, wiring and ventilation. In an emergency the affected company moves its own or leased computers to the cold site. These back up sites may work well for a company with centralised computing facilities but what can a company with a distributed network system do? PGM
23. Physical access control Uninterrupted power supply (UPS) Generator Humidity control Temperature control Water Detector Raised Floors Fire Extinguisher Alarm Methods to Control & Secure I.S. PGM
24. THINGS TO TAKE NOTE OFF Risk management approach (the 5 steps) What are the different risk mitigation controls? Types of back-up systems What is a disaster recovery plan? What should be considered in a disaster recovery plan?
26. IT’S TIME FOR SOME DISCUSSIONS! List and briefly describe the steps involved in risk analysis of controls. Define and describe a disaster recovery plan. What are “hot” and “cold” recovery sites? Explain why risk management should involve the following elements: threats, exposure associated with each threat, risk of each threat occurring, and cost of controls, as well as assessment of their effectiveness. Why should information control and security be a prime concern to management?
27. IT’S TIME FOR ANIN-CLASS ACTIVITY! Get into groups of 5-6 members Using the Risk Management Approach (5-Steps), apply it to your company / one company of your choice as below: GSC Cinemas Ticketing / Fashion Retail (brick-and-mortar) / IBM / Malaysian Airlines Ticketing / Hilton Hotel Reservation / Facebook Suggest which Risk Mitigation Control should you implement and how it can help you mitigate your risk Present your approach the class
28. Coming soon… next class ManagementInformation Systemsin Organizations DISASTER RECOVERY PLAN What is a disaster recovery plan? How does it minimize risk?