The document provides an overview of business continuity planning (BCP), emphasizing its importance for organizations to maintain operations during disruptions. It outlines key definitions, reasons for BCP, various steps involved in creating a BCP, and the necessity of risk management and testing. Despite being dated, the core principles discussed remain relevant for effective disaster recovery and continuity planning.

1. CBK REVIEW - August
1999 1E
Business Continuity Planning
• Note: these are slides that were part of a CISSP
prep course that I partly developed and taught while I
was with Ernst and Young.
• While these slides are dated – August 1999 - the
core information is still relevant.
• Contact me w/ any questions or comments –
• Ben Rothke, CISSP brothke@hotmail.com

2. CBK REVIEW - August
1999 2E
Introduction
• The Problem - Reasons for BCP
• Principles of BCP
• Doing BCP
– The steps
– What is included
– The stages of an incident

3. CBK REVIEW - August
1999 3E
Definitions
A contingency plan is:
“A plan for emergency response, backup operations, and post-
disaster recovery maintained by an activity as a part of its
security program that will ensure the availability of critical
resources and facilitate the continuity of operations in an
emergency situation…”
(National Computer Security Center 1988)
1997-98 survey >35% of companies have no plans

4. CBK REVIEW - August
1999 4E
Definitions of BCP
• Disaster Recovery
• Business Continuity Planning
• End-user Recovery Planning
• Contingency Planning
• Emergency Response
• Crisis Management
The goal is to assist the organization/business to continue
functioning even though normal operations are disrupted
Includes steps to take
– Before a disruption
– During a disruption
– After a disruption

5. CBK REVIEW - August
1999 5E
Reasons for BCP
• It is better to plan activities ahead of time rather than
to react when the time comes
– “Proactive” rather than “Reactive”
– Take the correct actions when needed
– Allow for experienced personnel to be absent

6. CBK REVIEW - August
1999 6E
Reasons for BCP
• It is better to plan activities ahead of time rather than
to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Saves time, mistakes, stress and $$
– Keep the money coming in
– Short and long term loss of business
– Have necessary materials, equipment, information on hand
– Planning can take up to 3 years

7. CBK REVIEW - August
1999 7E
Reasons for BCP
• It is better to plan activities ahead of time rather than
to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Keep the money coming in
– Short and long term loss of business
• Effect on customers
– Public image
– Loss of life

8. CBK REVIEW - August
1999 8E
Reasons for BCP
• It is better to plan activities ahead of time rather than
to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Keep the money coming in
– Short and long term loss of business
• Effect on customers
• Legal requirements
– ‘77 Foreign Corrupt Practices Act/protection of stockholders
• Management criminally liable

9. CBK REVIEW - August
1999 9E
Reasons for BCP
• It is better to plan activities ahead of time rather than
to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Keep the money coming in
– Short and long term loss of business
• Effect on customers
• Legal requirements
– ‘77 Foreign Corrupt Practices Act/protection of stockholders
– Federal Financial Institutions Examination Council (FFIEC)
– FCPA SAS30 Audit Standards
– Defense Investigative Service
– Legal and Regulatory sanctions, civil suits

10. CBK REVIEW - August
1999 10E
Definitions
• Due Care
– minimum and customary practice of responsible protection
of assets that reflects a community or societal norm
• Due Diligence
– prudent management and execution of due care

11. CBK REVIEW - August
1999 11E
The Problem
• Utility failures
• Intruders
• Fire/Smoke
• Water
• Natural disasters (earthquakes, snow/hail/ice,
lightning, hurricanes)
• Heat/Humidity
• Electromagnetic emanations
• Hostile activity
• Technology failure

12. CBK REVIEW - August
1999 12E
Recent Disasters
• Bombings
– ‘92 London financial district
– ‘93 World Trade Center, NY
– ‘93 London financial district
– ‘95 Oklahoma City
• Earthquakes
– ‘89 San Francisco
– ‘94 Los Angeles
– ‘95 Kobe, JP
• Fires
– ‘95 Malden Mills, Lawrence, MA
– ‘96 Credit Lyonnais, FR
– ‘97 Iron Mountain Record Center, Brunswick, NJ

13. CBK REVIEW - August
1999 13E
Recent Disasters
• Power
– ‘92 AT&T
– ‘96 Orrville, OH
– ‘99 East coast heat/drought brownouts
• Floods
– ‘97 Midwest floods
• Storms
– ‘92 Hurricane Andrew
– ‘93 Northeast Blizzard
– ‘96 Hurricanes Bertha, Fran
– ‘98 Florida tornados
• Hardware/Software
– Year 2000

14. CBK REVIEW - August
1999 14E
The Problem
• Utility failures
• Intruders
• Fire/Smoke
• Water
• Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
• Heat/Humidity
• Electromagnetic emanations
• Hostile activity
• Technology failure
• Failure to keep operating
Fortune 1000 study
– Average loss $78K, up to $500K
– 65% failing over 1 week never reopen
– Loss of market share common

15. CBK REVIEW - August
1999 15E
Threats
• From Data Pro reports
– Errors & omissions 50%
– Fire, water, electrical 25%
– Dishonest employees 10%
– Disgruntled employees 10%
– Outsider threats 5%

16. CBK REVIEW - August
1999 16E
The Controls
• Least Privilege
– Information security
• Redundancy
– Backed up data
– Alternate equipment
– Alternate communications
– Alternate facilities
– Alternate personnel
– Alternate procedures

17. CBK REVIEW - August
1999 17E
The Steps in a BCP - Initiation
• Project initiation
– Executive commitment and support MOST CRITICAL
– Business case to obtain support
– Sell the need for DRP (price vs benefit)
– Build and maintain awareness
– On-going testing & maintenance
– Top down approach
– Project planning, staffing
• Local support/responsibility

18. CBK REVIEW - August
1999 18E
The Steps in a BCP - 1
• Impact Assessment (Impact Analysis/Vulnerability
Assessment/Current State Assessment/Risk
Assessment )
Purpose
– Identify risks
– Identify business requirements for continuity
– Quantify impact of potential threats
– Balance impact and countermeasure cost
– Establish recovery priorities

19. CBK REVIEW - August
1999 19E
Benefits
• Relates security objectives to organization mission
• Quantifies how much to spend on security measures
• Provides long term planning guidance
– Site selection
– Building design
– HW configuration
– SW
– Internal controls
– Criteria for contingency plans
– Security policy
• Protection requirements
• Significant threats
• Responsibilities

20. CBK REVIEW - August
1999 20E
The Steps in a BCP - 1
• Risk Assessment
– Potential failure scenarios
– Likelihood of failure
– Cost of failure (loss impact analysis)
• Dollar losses
• Additional operational expenses
• Violation of contracts, regulatory requirements
• Loss of competitive advantage, public confidence
– Assumed maximum downtime (recovery time frames)
• Rate of losses
• Periodic criticality
• Time-loss curve charts

21. CBK REVIEW - August
1999 21E
The Steps in a BCP - 1
• Risk Assessment/Analysis
– Potential failure scenarios (risks)
– Likelihood of failure
– Cost of failure, quantify impact of threat
– Assumed maximum downtime
– Annual Loss Expectancy
– Worst case assumptions
– Based on business process model? Or IT model?
– Identify critical functions and supporting resources
– Balance impact and countermeasure cost
• Key -
– Potential damage
– Likelihood

22. CBK REVIEW - August
1999 22E
Definitions
• Threat
– any event which could have an undesirable impact
• Vulnerability
– absence or weakness of a risk-reducing safeguard, potential
to allow a threat to occur with greater frequency, greater
impact, or both
– Exposure
– a measure of the magnitude of loss or impact on the value of
the asset
• Risk
– the potential for harm or loss, including the degree of
confidence of the estimate

23. CBK REVIEW - August
1999 23E
Definitions
• Quantitative Risk Analysis
– quantified estimates of impact, threat frequency, safeguard
effectiveness and cost, and probability
– Powerful aid to decision making
– Difficult to do in time and cost
• Qualitative Risk Analysis
– minimally quantified estimates
– Exposure scale ranking estimates
– Easier in time and money
– Less compelling
• Risk Analysis is performed as a continuum from fully
qualitative to less than fully quantitative

24. CBK REVIEW - August
1999 24E
Results
• Loss impact analysis
• Recovery time frames
– Essential business functions
– Information systems applications
• Recommended recovery priorities & strategies
• Goals
– Understand economic & operational impact
– Determine recovery time frame (business/DP/Network)
– Identify most appropriate strategy
– Cost/justify recovery planning
– Include BCP in normal decision making process

25. CBK REVIEW - August
1999 25E
Risk Management Team
• Management - Support
• DP Operations
• Systems Programming
• Internal Audit
• Physical Security
• Application owners
• Application programmers

26. CBK REVIEW - August
1999 26E
Preliminary Security Exam
• Asset costs
• Threat survey
– Personnel
– Physical environment
– HW/SW
– Communications
– Applications
– Operations
– Natural disasters
– Environment
– Facility
– Access
– Data value

27. CBK REVIEW - August
1999 27E
Preliminary Security Exam
• Asset costs
• Threat survey
• Existing security measures
• Management review

28. CBK REVIEW - August
1999 28E
Threats
• Unauthorized access
• Hardware failure
• Utility failure
• Natural disasters
• Loss of key personnel
• Human errors
• Neighborhood hazards
• Tampering
• Disgruntled employees
• Emanations
• Safety
• Improper use of technology
• Repetition of errors
• Cascading of errors
• Illogical processing
• Translation of user needs
(technical requirements)
• Inability to control technology
• Equipment failure
• Incorrect entry of data
• Concentration of data
• Inability to react quickly
• Inability to substantiate
processing
• Concentration of
responsibilities
• Erroneous/falsified data
• Misuse

29. CBK REVIEW - August
1999 29E
Threats
• Uncontrolled system access
• Ineffective application security
• Operations procedural errors
• Program errors
• Operating system flaws
• Communications system failure
• Utility failure

30. CBK REVIEW - August
1999 30E
Risk Analysis Steps
• 1 - Identify essential business functions
– Dollar losses or added expense
– Contract/legal/regulatory requirements
– Competitive advantage/market share
– Interviews, questionnaires, workshops
• 2 - Establish recovery plan parameters
– Prioritize business functions
• 3 - Gather impact data/Threat analysis
– Probability of occurrence, source of help
– Document business functions
– Define support requirements
– Document effects of disruption
– Determine maximum acceptable outage period
– Create outage scenarios

31. CBK REVIEW - August
1999 31E
Risk Analysis Steps
• 4 - Analyze and summarize
– Estimate potential losses
• Destruction/theft of assets
• Loss of data
• Theft of information
• Indirect theft of assets
• Delayed processing
• Consider periodicity
– Combine potential loss & probability
– Magnitude of risk is the ALE (Annual Loss
Expectancy)
– Guide to security measures and how much to spend

32. CBK REVIEW - August
1999 32E
Results
• Significant threats & probabilities
• Critical tasks & loss potential by threat
• Remedial measures
– Greatest net reduction in losses
– Annual cost

33. CBK REVIEW - August
1999 33E
Information Valuation
• Information has cost/value
– Acquire/develop/maintain
– Owner/Custodian/User/Adversary
• Do a cost/value estimate for
– Cost/benefit analysis
– Integrate security in systems
– Avoid penalties
– Preserve proprietary information
– Business continuity
• Circumstances effect valuation timing
• Ethical obligation to use justifiable tools/techniques

34. CBK REVIEW - August
1999 34E
Conditions of Value
• Exclusive possession
• Utility
• Cost of creation/recreation
• Liability
• Convertibility/negotiability
• Operational impact
• Market forces
• Official value
• Expert opinion/appraisal
• Bilateral agreement/contract

35. CBK REVIEW - August
1999 35E
Scenario
• A specific threat (potential event/act) in which assets are subject
to loss
• Write scenario for each major threat
• Credibility/functionality review
• Evaluate current safeguards
• Finalize/Play out
• Prepare findings

36. CBK REVIEW - August
1999 36E
The Steps in a BCP - 2
• Strategy Development (Alternative Selection)
– Management support
– Team structure
– Strategy selection
• Cost effective
• Workable

37. CBK REVIEW - August
1999 37E
The Steps in a BCP - 3
• Implementation (Plan Development)
– Specify resources needed for recovery
– Make necessary advance arrangements
– Mitigate exposures

38. CBK REVIEW - August
1999 38E
The Steps in a BCP - 3
• Risk Prevention/Mitigation
– Risk management program
– Security - physical and information (access)
– Environmental controls
– Redundancy - Backups/Recoverability
• Journaling, Mirroring, Shadowing
• On-line/near-line/off-line
– Insurance
– Emergency response plans
– Procedures
– Training

39. CBK REVIEW - August
1999 39E
The Steps in a BCP - 3
• Decision Making
– Cost effectiveness
• Total cost
– Human intervention requirements
• Manual functions are weakest
– Overrides and defaults
• Shutdown capability
• Default to no access
– Design openness
– Least Privilege
• Minimum information
• Visible safeguards
– Entrapment
• Selected vulnerabilities made attractive

40. CBK REVIEW - August
1999 40E
The Steps in a BCP - 3
• Decision Making
– Independence of controller and subject
– Universality
– Compartmentalization, defense in depth
– Isolation
– Completeness
– Instrumentation
– Acceptance
– Sustainability
– Auditability
– Accountability
– Recovery

41. CBK REVIEW - August
1999 41E
Remedial Measures
• Alter environment
• Erect barriers
• Improve procedures
• Early detection
• Contingency plans
• Risk assignment (insurance)
• Agreements
• Stockpiling
• Risk acceptance

42. CBK REVIEW - August
1999 42E
Remedial Measures
• Fire
– Detection, suppression
• Water
– Detection, equipment covers, positioning
• Electrical
– UPS, generators
• Environmental
– Backups
• Good housekeeping
• Backup procedures
• Emergency response procedures

43. CBK REVIEW - August
1999 43E
The Steps in a BCP - 3
• Plan Development
– Specify resources needed for recovery
– Team-based
– Recovery plans
– Mitigation steps
– Testing plans
– Prepared by those who will carry them out

44. CBK REVIEW - August
1999 44E
Included in a BCP
• Off-site storage
– Trip there - secure? Timely?
– Physical layout of site
– Fire protection
– Climate controls
– Security access controls
– Backup power

45. CBK REVIEW - August
1999 45E
Included in a BCP
• Off-site storage
• Alternate site
– Hot/Warm/Cold(Shell) sites
– Reciprocal agreements/Multiple sites/Service bureaus
– Trip there - secure? Timely?
– Physical layout of site
– Fire protection
– Climate controls
– Security access controls
– Backup power
– Agreements

46. CBK REVIEW - August
1999 46E
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
– Compatibility
– Capacity
– Journaling - maintaining audit records
• Remote journaling - to off-site location
– Shadowing - remote journaling and delayed mirroring
– Mirroring - maintaining realtime copy of data
– Electronic vaulting - bulk transfer of backup files

47. CBK REVIEW - August
1999 47E
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
– Compatibility
– Accessibility
– Capacity
– Alternatives

48. CBK REVIEW - August
1999 48E
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
• Work space
– Accessibility
– Capacity
– Environment

49. CBK REVIEW - August
1999 49E
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
• Work space
• Office equipment/supplies/documentation
• Security
• Critical business processes/Management
• Testing
• Vendors - Contact info, agreements
• Teams - Contact info, transportation
• Return to normal operations
• Resources needed

50. CBK REVIEW - August
1999 50E
Complications
• Media/Police/Public
• Families
• Fraud
• Looting/Vandalism
• Safety/Legal issues
• Expenses/Approval

51. CBK REVIEW - August
1999 51E
The Steps in a BCP - Finally
• Plan Testing
– Proves feasibility of recovery process
– Verifies compatibility of backup facilities
– Ensures adequacy of team procedures
• Identifies deficiencies in procedures
– Trains team members
– Provides mechanism for maintaining/updating the plan
– Upper management comfort

52. CBK REVIEW - August
1999 52E
The Steps in a BCP - Finally
• Plan Testing
– Desk checks/Checklist
– Structured Walkthroughs
– Life exercises/Simulations
– Periodic off-site recovery tests/Parallel
– Full interruption drills

53. CBK REVIEW - August
1999 53E
The Steps in a BCP - Finally
• Test
– Hardware
– Software
– Personnel
– Communications
– Procurement
– Procedures
– Supplies/forms
– Documentation
– Transportation
– Utilities
– Alternate site processing
– Security

54. CBK REVIEW - August
1999 54E
The Steps in a BCP - Finally
• Test
– Purpose (scenario)
– Objectives/Assumptions
– Type
– Timing
– Schedule
– Duration
– Participants
• Assignments
– Constraints
– Steps

55. CBK REVIEW - August
1999 55E
The Steps in a BCP - Finally
• Alternate Site Test
– Activate emergency control center
– Notify & mobilize personnel
– Notify vendors
– Pickup and transport
– tapes
– supplies
– documentation
– Install (Cold and Warm sites)
– IPL
– Verify
– Run
– Shut down/Clean up
– Document/Report

56. CBK REVIEW - August
1999 56E
The Steps in a BCP - Finally
• Plan Update and Retest cycle (Plan Maintenance)
– Critical to maintain validity and usability of plan
• Environmental changes
• HW/SW/FW changes
• Personnel
– Needs to be included in organization plans
• Job description/expectations
• Personnel evaluations
• Audit work plans

57. CBK REVIEW - August
1999 57E
BCP by Stages
• Initiation
• Current state assessment
• Develop support processes
• Training
• Impact Assessment
• Alternative selection
• Recovery Plan development
• Support services continuity plan development
• Master plan consolidation
• Testing strategy development
• Post transition transition plan development

58. CBK REVIEW - August
1999 58E
BCP by Stages
• Implementation planning
• Quick Hits
• Implementation, testing, maintenance

59. CBK REVIEW - August
1999 59E
End User Planning
• DP is critical to end users
• Difficult to use manual procedures
• Recovery is complex
• Need to plan
– manual procedures
– recovery of data/transactions
– procedures for alternate site operation
– procedures to return to normal

60. CBK REVIEW - August
1999 60E
The Real World
• DR plans normally involve
– Essential DP platforms/systems only
– A manual on the shelf written 2-3 years ago
– Little or no user involvement
– No provision for business processes
– No active testing
– Resource lists and contact information that do not match
current realities

61. CBK REVIEW - August
1999 61E
Stages in an Incident
• Disaster
– interruption affecting user operations significantly

62. CBK REVIEW - August
1999 62E
Stages in an Incident
• Disaster
• Initial/Emergency response
– Purpose
• Ensure safety of people
• Prevent further damage
– Activate emergency response team
– Covers emergency procedures for expected hazards
– Safety essential
– Emergency supplies
– Crisis Management plan - decision making

63. CBK REVIEW - August
1999 63E
Stages in an Incident
• Disaster
• Initial response
• Impact assessment
– Activate assessment team
– Determine situation
• What is affected?
– Decide whether to activate plan

64. CBK REVIEW - August
1999 64E
Stages in an Incident
• Disaster
• Initial response
• Impact assessment
• Initial recovery
– Initial recovery of key areas at alternate site
– Detailed procedures
– Salvage/repair - Clean up

65. CBK REVIEW - August
1999 65E
Stages in an Incident
• Disaster
• Initial response
• Impact assessment
• Initial recovery
• Return to normal/Business resumption
– Return to operation at normal site
– “Emergency” is not over until you are back to normal
– Requires just as much planning - Parallel operations

66. CBK REVIEW - August
1999 66E
Special Cases
• Y2K
– Incidents will happen in a particular time frame
– Alternate sites won’t help
– Redundant equipment won’t help
– Backups won’t help
– Involves automated equipment and services

67. CBK REVIEW - August
1999 67E
Final Thoughts
• Do you really want to activate a DR/BCP plan?
– Prevention
– Planning