CBK REVIEW - August
1999 1E
Business Continuity Planning
• Note: these are slides that were part of a CISSP
prep course that I partly developed and taught while I
was with Ernst and Young.
• While these slides are dated – August 1999 - the
core information is still relevant.
• Contact me w/ any questions or comments –
• Ben Rothke, CISSP brothke@hotmail.com
Introduction
• The Problem - Reasons for BCP
• Principles of BCP
• Doing BCP
– The steps
– What is included
– The stages of an incident
Definitions
A contingency plan is:
“A plan for emergency response, backup operations, and post-
disaster recovery maintained by an activity as a part of its
security program that will ensure the availability of critical
resources and facilitate the continuity of operations in an
emergency situation…”
(National Computer Security Center 1988)
1997-98 survey: >35% of companies have no plans
Definitions of BCP
• Disaster Recovery
• Business Continuity Planning
• End-user Recovery Planning
• Contingency Planning
• Emergency Response
• Crisis Management
The goal is to assist the organization/business to continue
functioning even though normal operations are disrupted
Includes steps to take
– Before a disruption
– During a disruption
– After a disruption
Reasons for BCP
• It is better to plan activities ahead of time rather than
to react when the time comes
– “Proactive” rather than “Reactive”
– Take the correct actions when needed
– Allow for experienced personnel to be absent
Reasons for BCP
• It is better to plan activities ahead of time rather than
to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Saves time, mistakes, stress and $$
– Keep the money coming in
– Short and long term loss of business
– Have necessary materials, equipment, information on hand
– Planning can take up to 3 years
Reasons for BCP
• It is better to plan activities ahead of time rather than
to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Keep the money coming in
– Short and long term loss of business
• Effect on customers
– Public image
– Loss of life
Reasons for BCP
• It is better to plan activities ahead of time rather than
to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Keep the money coming in
– Short and long term loss of business
• Effect on customers
• Legal requirements
– ‘77 Foreign Corrupt Practices Act/protection of stockholders
• Management criminally liable
Reasons for BCP
• It is better to plan activities ahead of time rather than
to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Keep the money coming in
– Short and long term loss of business
• Effect on customers
• Legal requirements
– ‘77 Foreign Corrupt Practices Act/protection of stockholders
– Federal Financial Institutions Examination Council (FFIEC)
– FCPA SAS30 Audit Standards
– Defense Investigative Service
– Legal and Regulatory sanctions, civil suits
Definitions
• Due Care
– minimum and customary practice of responsible protection
of assets that reflects a community or societal norm
• Due Diligence
– prudent management and execution of due care
The Problem
• Utility failures
• Intruders
• Fire/Smoke
• Water
• Natural disasters (earthquakes, snow/hail/ice,
lightning, hurricanes)
• Heat/Humidity
• Electromagnetic emanations
• Hostile activity
• Technology failure
Recent Disasters
• Bombings
– ‘92 London financial district
– ‘93 World Trade Center, NY
– ‘93 London financial district
– ‘95 Oklahoma City
• Earthquakes
– ‘89 San Francisco
– ‘94 Los Angeles
– ‘95 Kobe, JP
• Fires
– ‘95 Malden Mills, Lawrence, MA
– ‘96 Credit Lyonnais, FR
– ‘97 Iron Mountain Record Center, Brunswick, NJ
Recent Disasters
• Power
– ‘92 AT&T
– ‘96 Orrville, OH
– ‘99 East coast heat/drought brownouts
• Floods
– ‘97 Midwest floods
• Storms
– ‘92 Hurricane Andrew
– ‘93 Northeast Blizzard
– ‘96 Hurricanes Bertha, Fran
– ‘98 Florida tornados
• Hardware/Software
– Year 2000
The Problem
• Utility failures
• Intruders
• Fire/Smoke
• Water
• Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
• Heat/Humidity
• Electromagnetic emanations
• Hostile activity
• Technology failure
• Failure to keep operating
Fortune 1000 study
– Average loss $78K, up to $500K
– 65% failing over 1 week never reopen
– Loss of market share common
Threats
• From Data Pro reports
– Errors & omissions 50%
– Fire, water, electrical 25%
– Dishonest employees 10%
– Disgruntled employees 10%
– Outsider threats 5%
The Controls
• Least Privilege
– Information security
• Redundancy
– Backed up data
– Alternate equipment
– Alternate communications
– Alternate facilities
– Alternate personnel
– Alternate procedures
The Steps in a BCP - Initiation
• Project initiation
– Executive commitment and support MOST CRITICAL
– Business case to obtain support
– Sell the need for DRP (price vs benefit)
– Build and maintain awareness
– On-going testing & maintenance
– Top down approach
– Project planning, staffing
• Local support/responsibility
The Steps in a BCP - 1
• Impact Assessment (Impact Analysis/Vulnerability
Assessment/Current State Assessment/Risk
Assessment )
Purpose
– Identify risks
– Identify business requirements for continuity
– Quantify impact of potential threats
– Balance impact and countermeasure cost
– Establish recovery priorities
Benefits
• Relates security objectives to organization mission
• Quantifies how much to spend on security measures
• Provides long term planning guidance
– Site selection
– Building design
– HW configuration
– SW
– Internal controls
– Criteria for contingency plans
– Security policy
• Protection requirements
• Significant threats
• Responsibilities
The Steps in a BCP - 1
• Risk Assessment
– Potential failure scenarios
– Likelihood of failure
– Cost of failure (loss impact analysis)
• Dollar losses
• Additional operational expenses
• Violation of contracts, regulatory requirements
• Loss of competitive advantage, public confidence
– Assumed maximum downtime (recovery time frames)
• Rate of losses
• Periodic criticality
• Time-loss curve charts
The Steps in a BCP - 1
• Risk Assessment/Analysis
– Potential failure scenarios (risks)
– Likelihood of failure
– Cost of failure, quantify impact of threat
– Assumed maximum downtime
– Annual Loss Expectancy
– Worst case assumptions
– Based on business process model? Or IT model?
– Identify critical functions and supporting resources
– Balance impact and countermeasure cost
• Key -
– Potential damage
– Likelihood
Definitions
• Threat
– any event which could have an undesirable impact
• Vulnerability
– absence or weakness of a risk-reducing safeguard, potential
to allow a threat to occur with greater frequency, greater
impact, or both
• Exposure
– a measure of the magnitude of loss or impact on the value of
the asset
• Risk
– the potential for harm or loss, including the degree of
confidence of the estimate
Definitions
• Quantitative Risk Analysis
– quantified estimates of impact, threat frequency, safeguard
effectiveness and cost, and probability
– Powerful aid to decision making
– Difficult to do in time and cost
• Qualitative Risk Analysis
– minimally quantified estimates
– Exposure scale ranking estimates
– Easier in time and money
– Less compelling
• Risk Analysis is performed as a continuum from fully
qualitative to less than fully quantitative
Results
• Loss impact analysis
• Recovery time frames
– Essential business functions
– Information systems applications
• Recommended recovery priorities & strategies
• Goals
– Understand economic & operational impact
– Determine recovery time frame (business/DP/Network)
– Identify most appropriate strategy
– Cost/justify recovery planning
– Include BCP in normal decision making process
Risk Management Team
• Management - Support
• DP Operations
• Systems Programming
• Internal Audit
• Physical Security
• Application owners
• Application programmers
Preliminary Security Exam
• Asset costs
• Threat survey
– Personnel
– Physical environment
– HW/SW
– Communications
– Applications
– Operations
– Natural disasters
– Environment
– Facility
– Access
– Data value
Preliminary Security Exam
• Asset costs
• Threat survey
• Existing security measures
• Management review
Threats
• Unauthorized access
• Hardware failure
• Utility failure
• Natural disasters
• Loss of key personnel
• Human errors
• Neighborhood hazards
• Tampering
• Disgruntled employees
• Emanations
• Safety
• Improper use of technology
• Repetition of errors
• Cascading of errors
• Illogical processing
• Translation of user needs (technical requirements)
• Inability to control technology
• Equipment failure
• Incorrect entry of data
• Concentration of data
• Inability to react quickly
• Inability to substantiate processing
• Concentration of responsibilities
• Erroneous/falsified data
• Misuse
Threats
• Uncontrolled system access
• Ineffective application security
• Operations procedural errors
• Program errors
• Operating system flaws
• Communications system failure
• Utility failure
Risk Analysis Steps
• 1 - Identify essential business functions
– Dollar losses or added expense
– Contract/legal/regulatory requirements
– Competitive advantage/market share
– Interviews, questionnaires, workshops
• 2 - Establish recovery plan parameters
– Prioritize business functions
• 3 - Gather impact data/Threat analysis
– Probability of occurrence, source of help
– Document business functions
– Define support requirements
– Document effects of disruption
– Determine maximum acceptable outage period
– Create outage scenarios
Risk Analysis Steps
• 4 - Analyze and summarize
– Estimate potential losses
• Destruction/theft of assets
• Loss of data
• Theft of information
• Indirect theft of assets
• Delayed processing
• Consider periodicity
– Combine potential loss & probability
– Magnitude of risk is the ALE (Annual Loss
Expectancy)
– Guide to security measures and how much to spend
Results
• Significant threats & probabilities
• Critical tasks & loss potential by threat
• Remedial measures
– Greatest net reduction in losses
– Annual cost
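The risk analysis steps above combine potential loss and probability into an ALE, and the results rank remedial measures by net reduction in losses against annual cost. The following is an added example, not part of the original slides: it takes the ALE as loss per occurrence times occurrences per year, and every threat figure, cost and reduction factor in it is a constructed sample value.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    loss_per_event: float   # estimated dollar loss for one occurrence
    events_per_year: float  # expected frequency (0.02 = once in 50 years)

    @property
    def ale(self) -> float:
        # Combine potential loss and probability into one annual figure.
        return self.loss_per_event * self.events_per_year


@dataclass(frozen=True)
class Measure:
    name: str
    threat: str               # name of the Threat this measure addresses
    annual_cost: float        # yearly cost of owning and running the measure
    loss_factor: float = 1.0  # fraction of the per-event loss that remains
    rate_factor: float = 1.0  # fraction of the event frequency that remains


def rank_threats(threats):
    """Return the threats ordered by ALE, largest first."""
    return sorted(threats, key=lambda t: t.ale, reverse=True)


def evaluate_measures(threats, measures):
    """Return one row per measure, ordered by net reduction in losses."""
    by_name = {t.name: t for t in threats}
    rows = []
    for m in measures:
        if m.threat not in by_name:
            raise ValueError(f"{m.name}: unknown threat {m.threat!r}")
        if not (0.0 <= m.loss_factor <= 1.0 and 0.0 <= m.rate_factor <= 1.0):
            raise ValueError(f"{m.name}: factors must be between 0 and 1")
        t = by_name[m.threat]
        # ALE that remains once the measure is in place.
        residual = (t.loss_per_event * m.loss_factor) * (
            t.events_per_year * m.rate_factor
        )
        reduction = t.ale - residual
        rows.append(
            {
                "measure": m.name,
                "threat": t.name,
                "ale_before": t.ale,
                "ale_after": residual,
                "reduction": reduction,
                "annual_cost": m.annual_cost,
                # Net reduction in losses: what the measure saves minus what it costs.
                "net_benefit": reduction - m.annual_cost,
            }
        )
    rows.sort(key=lambda r: r["net_benefit"], reverse=True)
    return rows


# Constructed sample values for illustration only.
SAMPLE_THREATS = [
    Threat("Utility failure", loss_per_event=40_000, events_per_year=0.5),
    Threat("Fire", loss_per_event=500_000, events_per_year=0.02),
    Threat("Errors and omissions", loss_per_event=2_000, events_per_year=12),
]
SAMPLE_MEASURES = [
    Measure("UPS and generator", "Utility failure", 6_000, rate_factor=0.25),
    Measure("Fire detection and suppression", "Fire", 9_000, loss_factor=0.25),
    Measure("Improved procedures", "Errors and omissions", 5_000, rate_factor=0.5),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.name:32} ALE ${t.ale:>10,.0f}")
    for r in evaluate_measures(SAMPLE_THREATS, SAMPLE_MEASURES):
        print(
            f"{r['measure']:32} reduction ${r['reduction']:>8,.0f}  "
            f"cost ${r['annual_cost']:>7,.0f}  net ${r['net_benefit']:>8,.0f}"
        )
```

With these sample figures the threat with the largest ALE is not the one whose measure gives the greatest net reduction, which is why the two rankings are computed separately.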
Information Valuation
• Information has cost/value
– Acquire/develop/maintain
– Owner/Custodian/User/Adversary
• Do a cost/value estimate for
– Cost/benefit analysis
– Integrate security in systems
– Avoid penalties
– Preserve proprietary information
– Business continuity
• Circumstances affect valuation timing
• Ethical obligation to use justifiable tools/techniques
Conditions of Value
• Exclusive possession
• Utility
• Cost of creation/recreation
• Liability
• Convertibility/negotiability
• Operational impact
• Market forces
• Official value
• Expert opinion/appraisal
• Bilateral agreement/contract
Scenario
• A specific threat (potential event/act) in which assets are subject
to loss
• Write scenario for each major threat
• Credibility/functionality review
• Evaluate current safeguards
• Finalize/Play out
• Prepare findings
The Steps in a BCP - 2
• Strategy Development (Alternative Selection)
– Management support
– Team structure
– Strategy selection
• Cost effective
• Workable
The Steps in a BCP - 3
• Implementation (Plan Development)
– Specify resources needed for recovery
– Make necessary advance arrangements
– Mitigate exposures
The Steps in a BCP - 3
• Risk Prevention/Mitigation
– Risk management program
– Security - physical and information (access)
– Environmental controls
– Redundancy - Backups/Recoverability
• Journaling, Mirroring, Shadowing
• On-line/near-line/off-line
– Insurance
– Emergency response plans
– Procedures
– Training
The Steps in a BCP - 3
• Decision Making
– Cost effectiveness
• Total cost
– Human intervention requirements
• Manual functions are weakest
– Overrides and defaults
• Shutdown capability
• Default to no access
– Design openness
– Least Privilege
• Minimum information
• Visible safeguards
– Entrapment
• Selected vulnerabilities made attractive
The Steps in a BCP - 3
• Decision Making
– Independence of controller and subject
– Universality
– Compartmentalization, defense in depth
– Isolation
– Completeness
– Instrumentation
– Acceptance
– Sustainability
– Auditability
– Accountability
– Recovery
Remedial Measures
• Alter environment
• Erect barriers
• Improve procedures
• Early detection
• Contingency plans
• Risk assignment (insurance)
• Agreements
• Stockpiling
• Risk acceptance
Remedial Measures
• Fire
– Detection, suppression
• Water
– Detection, equipment covers, positioning
• Electrical
– UPS, generators
• Environmental
– Backups
• Good housekeeping
• Backup procedures
• Emergency response procedures
The Steps in a BCP - 3
• Plan Development
– Specify resources needed for recovery
– Team-based
– Recovery plans
– Mitigation steps
– Testing plans
– Prepared by those who will carry them out
Included in a BCP
• Off-site storage
– Trip there - secure? Timely?
– Physical layout of site
– Fire protection
– Climate controls
– Security access controls
– Backup power
Included in a BCP
• Off-site storage
• Alternate site
– Hot/Warm/Cold(Shell) sites
– Reciprocal agreements/Multiple sites/Service bureaus
– Trip there - secure? Timely?
– Physical layout of site
– Fire protection
– Climate controls
– Security access controls
– Backup power
– Agreements
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
– Compatibility
– Capacity
– Journaling - maintaining audit records
• Remote journaling - to off-site location
– Shadowing - remote journaling and delayed mirroring
– Mirroring - maintaining realtime copy of data
– Electronic vaulting - bulk transfer of backup files
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
– Compatibility
– Accessibility
– Capacity
– Alternatives
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
• Work space
– Accessibility
– Capacity
– Environment
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
• Work space
• Office equipment/supplies/documentation
• Security
• Critical business processes/Management
• Testing
• Vendors - Contact info, agreements
• Teams - Contact info, transportation
• Return to normal operations
• Resources needed
Complications
• Media/Police/Public
• Families
• Fraud
• Looting/Vandalism
• Safety/Legal issues
• Expenses/Approval
The Steps in a BCP - Finally
• Plan Testing
– Proves feasibility of recovery process
– Verifies compatibility of backup facilities
– Ensures adequacy of team procedures
• Identifies deficiencies in procedures
– Trains team members
– Provides mechanism for maintaining/updating the plan
– Upper management comfort
The Steps in a BCP - Finally
• Plan Testing
– Desk checks/Checklist
– Structured Walkthroughs
– Live exercises/Simulations
– Periodic off-site recovery tests/Parallel
– Full interruption drills
The Steps in a BCP - Finally
• Test
– Hardware
– Software
– Personnel
– Communications
– Procurement
– Procedures
– Supplies/forms
– Documentation
– Transportation
– Utilities
– Alternate site processing
– Security
The Steps in a BCP - Finally
• Test
– Purpose (scenario)
– Objectives/Assumptions
– Type
– Timing
– Schedule
– Duration
– Participants
• Assignments
– Constraints
– Steps
The Steps in a BCP - Finally
• Alternate Site Test
– Activate emergency control center
– Notify & mobilize personnel
– Notify vendors
– Pickup and transport
• tapes
• supplies
• documentation
– Install (Cold and Warm sites)
– IPL
– Verify
– Run
– Shut down/Clean up
– Document/Report
The Steps in a BCP - Finally
• Plan Update and Retest cycle (Plan Maintenance)
– Critical to maintain validity and usability of plan
• Environmental changes
• HW/SW/FW changes
• Personnel
– Needs to be included in organization plans
• Job description/expectations
• Personnel evaluations
• Audit work plans
BCP by Stages
• Initiation
• Current state assessment
• Develop support processes
• Training
• Impact Assessment
• Alternative selection
• Recovery Plan development
• Support services continuity plan development
• Master plan consolidation
• Testing strategy development
• Post transition transition plan development
BCP by Stages
• Implementation planning
• Quick Hits
• Implementation, testing, maintenance
End User Planning
• DP is critical to end users
• Difficult to use manual procedures
• Recovery is complex
• Need to plan
– manual procedures
– recovery of data/transactions
– procedures for alternate site operation
– procedures to return to normal
The Real World
• DR plans normally involve
– Essential DP platforms/systems only
– A manual on the shelf written 2-3 years ago
– Little or no user involvement
– No provision for business processes
– No active testing
– Resource lists and contact information that do not match
current realities
Stages in an Incident
• Disaster
– interruption affecting user operations significantly
Stages in an Incident
• Disaster
• Initial/Emergency response
– Purpose
• Ensure safety of people
• Prevent further damage
– Activate emergency response team
– Covers emergency procedures for expected hazards
– Safety essential
– Emergency supplies
– Crisis Management plan - decision making
Stages in an Incident
• Disaster
• Initial response
• Impact assessment
– Activate assessment team
– Determine situation
• What is affected?
– Decide whether to activate plan
Stages in an Incident
• Disaster
• Initial response
• Impact assessment
• Initial recovery
– Initial recovery of key areas at alternate site
– Detailed procedures
– Salvage/repair - Clean up
Stages in an Incident
• Disaster
• Initial response
• Impact assessment
• Initial recovery
• Return to normal/Business resumption
– Return to operation at normal site
– “Emergency” is not over until you are back to normal
– Requires just as much planning - Parallel operations
Special Cases
• Y2K
– Incidents will happen in a particular time frame
– Alternate sites won’t help
– Redundant equipment won’t help
– Backups won’t help
– Involves automated equipment and services
Final Thoughts
• Do you really want to activate a DR/BCP plan?
– Prevention
– Planning

More Related Content

What's hot

CISA Domain- 1 - InfosecTrain
CISA Domain- 1  - InfosecTrainCISA Domain- 1  - InfosecTrain
CISA Domain- 1 - InfosecTrain
InfosecTrain
 
CISA Training - Chapter 3 - 2016
CISA Training - Chapter 3 - 2016CISA Training - Chapter 3 - 2016
CISA Training - Chapter 3 - 2016
Hafiz Sheikh Adnan Ahmed
 
Control and Audit Information System
Control and Audit Information SystemControl and Audit Information System
Control and Audit Information System
arif prasetyo
 
Everything You Need To Know About Internal Control Reviews
Everything You Need To Know About Internal Control ReviewsEverything You Need To Know About Internal Control Reviews
Everything You Need To Know About Internal Control Reviews
Adriana Sklencar
 
Ch 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsCh 3a: Risk Management Concepts
Ch 3a: Risk Management Concepts
Sam Bowne
 
Hi600 m1 u1_part2_instslides
Hi600 m1 u1_part2_instslidesHi600 m1 u1_part2_instslides
Hi600 m1 u1_part2_instslides
ljmcneill33
 
Conducting an Information Systems Audit
Conducting an Information Systems Audit Conducting an Information Systems Audit
Conducting an Information Systems Audit
Sreekanth Narendran
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)
Sam Bowne
 
Chap3 2007 Cisa Review Course
Chap3 2007 Cisa Review CourseChap3 2007 Cisa Review Course
Chap3 2007 Cisa Review Course
Desmond Devendran
 
Data analytics and audit coverage guide
Data analytics and audit coverage guideData analytics and audit coverage guide
Data analytics and audit coverage guide
CenapSerdarolu
 
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
Sreekanth Narendran
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-Practices
Marco Raposo
 
HI600 U02_inst_slides
HI600 U02_inst_slides HI600 U02_inst_slides
HI600 U02_inst_slides
ljmcneill33
 
Hi600 m1 u1_part1_instslides
Hi600 m1 u1_part1_instslidesHi600 m1 u1_part1_instslides
Hi600 m1 u1_part1_instslides
ljmcneill33
 
Cisa Certification Overview
Cisa Certification OverviewCisa Certification Overview
Cisa Certification Overview
Al Imran, CISA
 
Mobile EHS and Quality Auditing - Lessons Learned
Mobile EHS and Quality Auditing - Lessons LearnedMobile EHS and Quality Auditing - Lessons Learned
Mobile EHS and Quality Auditing - Lessons Learned
Nimonik
 
Leveraging Primavera to Fulfill Financial Management Strategies
Leveraging Primavera to Fulfill Financial Management StrategiesLeveraging Primavera to Fulfill Financial Management Strategies
Leveraging Primavera to Fulfill Financial Management Strategies
Jeffrey Finkiel
 
ISO 27001-Manage IT Risks and Build Customer Confidence
ISO 27001-Manage IT Risks and Build Customer ConfidenceISO 27001-Manage IT Risks and Build Customer Confidence
ISO 27001-Manage IT Risks and Build Customer Confidence
Al Abbas, PMP, CISSP, MBA, MSc
 
3 focus areas for any organisation's IT & Security department
3 focus areas for any organisation's IT & Security department 3 focus areas for any organisation's IT & Security department
3 focus areas for any organisation's IT & Security department
Sandeep S Jaryal
 
Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010
Donald E. Hester
 

What's hot (20)

CISA Domain- 1 - InfosecTrain
CISA Domain- 1  - InfosecTrainCISA Domain- 1  - InfosecTrain
CISA Domain- 1 - InfosecTrain
 
CISA Training - Chapter 3 - 2016
CISA Training - Chapter 3 - 2016CISA Training - Chapter 3 - 2016
CISA Training - Chapter 3 - 2016
 
Control and Audit Information System
Control and Audit Information SystemControl and Audit Information System
Control and Audit Information System
 
Everything You Need To Know About Internal Control Reviews
Everything You Need To Know About Internal Control ReviewsEverything You Need To Know About Internal Control Reviews
Everything You Need To Know About Internal Control Reviews
 
Ch 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsCh 3a: Risk Management Concepts
Ch 3a: Risk Management Concepts
 
Hi600 m1 u1_part2_instslides
Hi600 m1 u1_part2_instslidesHi600 m1 u1_part2_instslides
Hi600 m1 u1_part2_instslides
 
Conducting an Information Systems Audit
Conducting an Information Systems Audit Conducting an Information Systems Audit
Conducting an Information Systems Audit
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)
 
Chap3 2007 Cisa Review Course
Chap3 2007 Cisa Review CourseChap3 2007 Cisa Review Course
Chap3 2007 Cisa Review Course
 
Data analytics and audit coverage guide
Data analytics and audit coverage guideData analytics and audit coverage guide
Data analytics and audit coverage guide
 
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
Information Systems Control and Audit - Chapter 4 - Systems Development Manag...
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-Practices
 
HI600 U02_inst_slides
HI600 U02_inst_slides HI600 U02_inst_slides
HI600 U02_inst_slides
 
Hi600 m1 u1_part1_instslides
Hi600 m1 u1_part1_instslidesHi600 m1 u1_part1_instslides
Hi600 m1 u1_part1_instslides
 
Cisa Certification Overview
Cisa Certification OverviewCisa Certification Overview
Cisa Certification Overview
 
Mobile EHS and Quality Auditing - Lessons Learned
Mobile EHS and Quality Auditing - Lessons LearnedMobile EHS and Quality Auditing - Lessons Learned
Mobile EHS and Quality Auditing - Lessons Learned
 
Leveraging Primavera to Fulfill Financial Management Strategies
Leveraging Primavera to Fulfill Financial Management StrategiesLeveraging Primavera to Fulfill Financial Management Strategies
Leveraging Primavera to Fulfill Financial Management Strategies
 
ISO 27001-Manage IT Risks and Build Customer Confidence
ISO 27001-Manage IT Risks and Build Customer ConfidenceISO 27001-Manage IT Risks and Build Customer Confidence
ISO 27001-Manage IT Risks and Build Customer Confidence
 
3 focus areas for any organisation's IT & Security department
3 focus areas for any organisation's IT & Security department 3 focus areas for any organisation's IT & Security department
3 focus areas for any organisation's IT & Security department
 
Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010
 

Similar to Cissp business continuity planning

Business Continuity Management (BCM, BCP) Smaple (Animations don't work in Sl...
Business Continuity Management (BCM, BCP) Smaple (Animations don't work in Sl...Business Continuity Management (BCM, BCP) Smaple (Animations don't work in Sl...
Business Continuity Management (BCM, BCP) Smaple (Animations don't work in Sl...
Alexander Larsen
 
2014 PV Reliability, Operations & Maintenance Workshop: An O&M Perspective
2014 PV Reliability, Operations & Maintenance Workshop: An O&M Perspective2014 PV Reliability, Operations & Maintenance Workshop: An O&M Perspective
2014 PV Reliability, Operations & Maintenance Workshop: An O&M Perspective
Sandia National Laboratories: Energy & Climate: Renewables
 
Efficiency Valuation: Fine Tuning M&V for Business Transactions
Efficiency Valuation: Fine Tuning M&V for Business TransactionsEfficiency Valuation: Fine Tuning M&V for Business Transactions
Efficiency Valuation: Fine Tuning M&V for Business Transactions
IEA DSM Implementing Agreement (IA)
 
Iam active asset management 2016
Iam active asset management 2016Iam active asset management 2016
Iam active asset management 2016
seamsltd
 
Business continuity planning
Business continuity planningBusiness continuity planning
Business continuity planning
Sandeep Kashyap
 
Apdip disaster mgmt
Apdip disaster mgmtApdip disaster mgmt
Apdip disaster mgmt
srinivasan gopalan
 
Customer case: Health & Safety
Customer case: Health & SafetyCustomer case: Health & Safety
Customer case: Health & Safety
IFS
 
Bcp coop training taxpayer services 1-15-09
Bcp coop training taxpayer services 1-15-09Bcp coop training taxpayer services 1-15-09
Bcp coop training taxpayer services 1-15-09
Richard Turner
 
Construction safety Management Training by NMMCC
Construction safety Management Training by NMMCCConstruction safety Management Training by NMMCC
Construction safety Management Training by NMMCC
Atlantic Training, LLC.
 
OPERATOR ANALYTICS FROM IMPLEMENTING AN OPERATE BY EXCEPTION STRATEGY
OPERATOR ANALYTICS FROM IMPLEMENTING AN OPERATE BY EXCEPTION STRATEGYOPERATOR ANALYTICS FROM IMPLEMENTING AN OPERATE BY EXCEPTION STRATEGY
OPERATOR ANALYTICS FROM IMPLEMENTING AN OPERATE BY EXCEPTION STRATEGY
wle-ss
 
Introduction to Metocean: Quantifying the impact and effect of weather and se...
Introduction to Metocean: Quantifying the impact and effect of weather and se...Introduction to Metocean: Quantifying the impact and effect of weather and se...
Introduction to Metocean: Quantifying the impact and effect of weather and se...
Institute of Marine Engineering, Science &Technology
 
Willem A. Hoekstra Business Continuity Management in Banking Industry World C...
Willem A. Hoekstra Business Continuity Management in Banking Industry World C...Willem A. Hoekstra Business Continuity Management in Banking Industry World C...
Willem A. Hoekstra Business Continuity Management in Banking Industry World C...
BCM Institute
 
Fire alarm ppt_presentation_to_suppliers_november_2015
Fire alarm ppt_presentation_to_suppliers_november_2015Fire alarm ppt_presentation_to_suppliers_november_2015
Fire alarm ppt_presentation_to_suppliers_november_2015
MuhamedAshraf4
 
Essentials of Project Management
Essentials of Project ManagementEssentials of Project Management
Essentials of Project Management
Living Online
 
Andrew martin - Knowledge Based Asset Integrity (KBAI™)
Andrew martin - Knowledge Based Asset Integrity (KBAI™)Andrew martin - Knowledge Based Asset Integrity (KBAI™)
Andrew martin - Knowledge Based Asset Integrity (KBAI™)
Lloyd's Register Renewables
 
Managing the Unknown v2
Managing the Unknown v2Managing the Unknown v2
Managing the Unknown v2
MikeGriffiths403
 
Reliability Engineering in Biomanufacturing - Presentation by Michael Andrews
Reliability Engineering in Biomanufacturing - Presentation by Michael AndrewsReliability Engineering in Biomanufacturing - Presentation by Michael Andrews
Reliability Engineering in Biomanufacturing - Presentation by Michael Andrews
WPICPE
 
EPA Presentation - Andy Smith
EPA Presentation - Andy SmithEPA Presentation - Andy Smith
EPA Presentation - Andy Smith
Andy Smith
 
London 2012 Olympics, Managing and controlling contingency
London 2012 Olympics, Managing and controlling contingencyLondon 2012 Olympics, Managing and controlling contingency
London 2012 Olympics, Managing and controlling contingency
Association for Project Management
 
Collaborate 2012: Environmental Accounting and Reporting
Collaborate 2012: Environmental Accounting and ReportingCollaborate 2012: Environmental Accounting and Reporting
Collaborate 2012: Environmental Accounting and Reporting
Angela Miller
 

CISSP business continuity planning

  • 1. CBK REVIEW - August 1999 1E Business Continuity Planning • Note: these are slides that were part of a CISSP prep course that I partly developed and taught while I was with Ernst and Young. • While these slides are dated – August 1999 - the core information is still relevant. • Contact me w/ any questions or comments – • Ben Rothke, CISSP brothke@hotmail.com
  • 2. CBK REVIEW - August 1999 2E Introduction • The Problem - Reasons for BCP • Principles of BCP • Doing BCP – The steps – What is included – The stages of an incident
  • 3. CBK REVIEW - August 1999 3E Definitions A contingency plan is: “A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation…” (National Computer Security Center 1988) 1997-98 survey >35% of companies have no plans
  • 4. CBK REVIEW - August 1999 4E Definitions of BCP • Disaster Recovery • Business Continuity Planning • End-user Recovery Planning • Contingency Planning • Emergency Response • Crisis Management The goal is to assist the organization/business to continue functioning even though normal operations are disrupted Includes steps to take – Before a disruption – During a disruption – After a disruption
  • 5. CBK REVIEW - August 1999 5E Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes – “Proactive” rather than “Reactive” – Take the correct actions when needed – Allow for experienced personnel to be absent
  • 6. CBK REVIEW - August 1999 6E Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes “Proactive” rather than “Reactive” • Maintain business operations – Saves time, mistakes, stress and $$ – Keep the money coming in – Short and long term loss of business – Have necessary materials, equipment, information on hand – Planning can take up to 3 years
  • 7. CBK REVIEW - August 1999 7E Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes “Proactive” rather than “Reactive” • Maintain business operations – Keep the money coming in – Short and long term loss of business • Effect on customers – Public image – Loss of life
  • 8. CBK REVIEW - August 1999 8E Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes “Proactive” rather than “Reactive” • Maintain business operations – Keep the money coming in – Short and long term loss of business • Effect on customers • Legal requirements – ‘77 Foreign Corrupt Practices Act/protection of stockholders • Management criminally liable
  • 9. CBK REVIEW - August 1999 9E Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes “Proactive” rather than “Reactive” • Maintain business operations – Keep the money coming in – Short and long term loss of business • Effect on customers • Legal requirements – ‘77 Foreign Corrupt Practices Act/protection of stockholders – Federal Financial Institutions Examination Council (FFIEC) – FCPA SAS30 Audit Standards – Defense Investigative Service – Legal and Regulatory sanctions, civil suits
  • 10. CBK REVIEW - August 1999 10E Definitions • Due Care – minimum and customary practice of responsible protection of assets that reflects a community or societal norm • Due Diligence – prudent management and execution of due care
  • 11. CBK REVIEW - August 1999 11E The Problem • Utility failures • Intruders • Fire/Smoke • Water • Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes) • Heat/Humidity • Electromagnetic emanations • Hostile activity • Technology failure
  • 12. CBK REVIEW - August 1999 12E Recent Disasters • Bombings – ‘92 London financial district – ‘93 World Trade Center, NY – ‘93 London financial district – ‘95 Oklahoma City • Earthquakes – ‘89 San Francisco – ‘94 Los Angeles – ‘95 Kobe, JP • Fires – ‘95 Malden Mills, Lawrence, MA – ‘96 Credit Lyonnais, FR – ‘97 Iron Mountain Record Center, Brunswick, NJ
  • 13. CBK REVIEW - August 1999 13E Recent Disasters • Power – ‘92 AT&T – ‘96 Orrville, OH – ‘99 East coast heat/drought brownouts • Floods – ‘97 Midwest floods • Storms – ‘92 Hurricane Andrew – ‘93 Northeast Blizzard – ‘96 Hurricanes Bertha, Fran – ‘98 Florida tornados • Hardware/Software – Year 2000
  • 14. CBK REVIEW - August 1999 14E The Problem • Utility failures • Intruders • Fire/Smoke • Water • Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes) • Heat/Humidity • Electromagnetic emanations • Hostile activity • Technology failure • Failure to keep operating Fortune 1000 study – Average loss $78K, up to $500K – 65% failing over 1 week never reopen – Loss of market share common
  • 15. CBK REVIEW - August 1999 15E Threats • From Data Pro reports – Errors & omissions 50% – Fire, water, electrical 25% – Dishonest employees 10% – Disgruntled employees 10% – Outsider threats 5%
  • 16. CBK REVIEW - August 1999 16E The Controls • Least Privilege – Information security • Redundancy – Backed up data – Alternate equipment – Alternate communications – Alternate facilities – Alternate personnel – Alternate procedures
  • 17. CBK REVIEW - August 1999 17E The Steps in a BCP - Initiation • Project initiation – Executive commitment and support MOST CRITICAL – Business case to obtain support – Sell the need for DRP (price vs benefit) – Build and maintain awareness – On-going testing & maintenance – Top down approach – Project planning, staffing • Local support/responsibility
  • 18. CBK REVIEW - August 1999 18E The Steps in a BCP - 1 • Impact Assessment (Impact Analysis/Vulnerability Assessment/Current State Assessment/Risk Assessment) Purpose – Identify risks – Identify business requirements for continuity – Quantify impact of potential threats – Balance impact and countermeasure cost – Establish recovery priorities
  • 19. CBK REVIEW - August 1999 19E Benefits • Relates security objectives to organization mission • Quantifies how much to spend on security measures • Provides long term planning guidance – Site selection – Building design – HW configuration – SW – Internal controls – Criteria for contingency plans – Security policy • Protection requirements • Significant threats • Responsibilities
  • 20. CBK REVIEW - August 1999 20E The Steps in a BCP - 1 • Risk Assessment – Potential failure scenarios – Likelihood of failure – Cost of failure (loss impact analysis) • Dollar losses • Additional operational expenses • Violation of contracts, regulatory requirements • Loss of competitive advantage, public confidence – Assumed maximum downtime (recovery time frames) • Rate of losses • Periodic criticality • Time-loss curve charts
  • 21. CBK REVIEW - August 1999 21E The Steps in a BCP - 1 • Risk Assessment/Analysis – Potential failure scenarios (risks) – Likelihood of failure – Cost of failure, quantify impact of threat – Assumed maximum downtime – Annual Loss Expectancy – Worst case assumptions – Based on business process model? Or IT model? – Identify critical functions and supporting resources – Balance impact and countermeasure cost • Key - – Potential damage – Likelihood
  • 22. CBK REVIEW - August 1999 22E Definitions • Threat – any event which could have an undesirable impact • Vulnerability – absence or weakness of a risk-reducing safeguard, potential to allow a threat to occur with greater frequency, greater impact, or both – Exposure – a measure of the magnitude of loss or impact on the value of the asset • Risk – the potential for harm or loss, including the degree of confidence of the estimate
  • 23. CBK REVIEW - August 1999 23E Definitions • Quantitative Risk Analysis – quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability – Powerful aid to decision making – Difficult to do in time and cost • Qualitative Risk Analysis – minimally quantified estimates – Exposure scale ranking estimates – Easier in time and money – Less compelling • Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative
  • 24. CBK REVIEW - August 1999 24E Results • Loss impact analysis • Recovery time frames – Essential business functions – Information systems applications • Recommended recovery priorities & strategies • Goals – Understand economic & operational impact – Determine recovery time frame (business/DP/Network) – Identify most appropriate strategy – Cost/justify recovery planning – Include BCP in normal decision making process
  • 25. CBK REVIEW - August 1999 25E Risk Management Team • Management - Support • DP Operations • Systems Programming • Internal Audit • Physical Security • Application owners • Application programmers
  • 26. CBK REVIEW - August 1999 26E Preliminary Security Exam • Asset costs • Threat survey – Personnel – Physical environment – HW/SW – Communications – Applications – Operations – Natural disasters – Environment – Facility – Access – Data value
  • 27. CBK REVIEW - August 1999 27E Preliminary Security Exam • Asset costs • Threat survey • Existing security measures • Management review
  • 28. CBK REVIEW - August 1999 28E Threats • Unauthorized access • Hardware failure • Utility failure • Natural disasters • Loss of key personnel • Human errors • Neighborhood hazards • Tampering • Disgruntled employees • Emanations • Safety • Improper use of technology • Repetition of errors • Cascading of errors • Illogical processing • Translation of user needs (technical requirements) • Inability to control technology • Equipment failure • Incorrect entry of data • Concentration of data • Inability to react quickly • Inability to substantiate processing • Concentration of responsibilities • Erroneous/falsified data • Misuse
  • 29. CBK REVIEW - August 1999 29E Threats • Uncontrolled system access • Ineffective application security • Operations procedural errors • Program errors • Operating system flaws • Communications system failure • Utility failure
  • 30. CBK REVIEW - August 1999 30E Risk Analysis Steps • 1 - Identify essential business functions – Dollar losses or added expense – Contract/legal/regulatory requirements – Competitive advantage/market share – Interviews, questionnaires, workshops • 2 - Establish recovery plan parameters – Prioritize business functions • 3 - Gather impact data/Threat analysis – Probability of occurrence, source of help – Document business functions – Define support requirements – Document effects of disruption – Determine maximum acceptable outage period – Create outage scenarios
  • 31. CBK REVIEW - August 1999 31E Risk Analysis Steps • 4 - Analyze and summarize – Estimate potential losses • Destruction/theft of assets • Loss of data • Theft of information • Indirect theft of assets • Delayed processing • Consider periodicity – Combine potential loss & probability – Magnitude of risk is the ALE (Annual Loss Expectancy) – Guide to security measures and how much to spend
  • 32. CBK REVIEW - August 1999 32E Results • Significant threats & probabilities • Critical tasks & loss potential by threat • Remedial measures – Greatest net reduction in losses – Annual cost
  • 33. CBK REVIEW - August 1999 33E Information Valuation • Information has cost/value – Acquire/develop/maintain – Owner/Custodian/User/Adversary • Do a cost/value estimate for – Cost/benefit analysis – Integrate security in systems – Avoid penalties – Preserve proprietary information – Business continuity • Circumstances affect valuation timing • Ethical obligation to use justifiable tools/techniques
  • 34. CBK REVIEW - August 1999 34E Conditions of Value • Exclusive possession • Utility • Cost of creation/recreation • Liability • Convertibility/negotiability • Operational impact • Market forces • Official value • Expert opinion/appraisal • Bilateral agreement/contract
  • 35. CBK REVIEW - August 1999 35E Scenario • A specific threat (potential event/act) in which assets are subject to loss • Write scenario for each major threat • Credibility/functionality review • Evaluate current safeguards • Finalize/Play out • Prepare findings
  • 36. CBK REVIEW - August 1999 36E The Steps in a BCP - 2 • Strategy Development (Alternative Selection) – Management support – Team structure – Strategy selection • Cost effective • Workable
  • 37. CBK REVIEW - August 1999 37E The Steps in a BCP - 3 • Implementation (Plan Development) – Specify resources needed for recovery – Make necessary advance arrangements – Mitigate exposures
  • 38. CBK REVIEW - August 1999 38E The Steps in a BCP - 3 • Risk Prevention/Mitigation – Risk management program – Security - physical and information (access) – Environmental controls – Redundancy - Backups/Recoverability • Journaling, Mirroring, Shadowing • On-line/near-line/off-line – Insurance – Emergency response plans – Procedures – Training
  • 39. CBK REVIEW - August 1999 39E The Steps in a BCP - 3 • Decision Making – Cost effectiveness • Total cost – Human intervention requirements • Manual functions are weakest – Overrides and defaults • Shutdown capability • Default to no access – Design openness – Least Privilege • Minimum information • Visible safeguards – Entrapment • Selected vulnerabilities made attractive
  • 40. CBK REVIEW - August 1999 40E The Steps in a BCP - 3 • Decision Making – Independence of controller and subject – Universality – Compartmentalization, defense in depth – Isolation – Completeness – Instrumentation – Acceptance – Sustainability – Auditability – Accountability – Recovery
  • 41. CBK REVIEW - August 1999 41E Remedial Measures • Alter environment • Erect barriers • Improve procedures • Early detection • Contingency plans • Risk assignment (insurance) • Agreements • Stockpiling • Risk acceptance
  • 42. CBK REVIEW - August 1999 42E Remedial Measures • Fire – Detection, suppression • Water – Detection, equipment covers, positioning • Electrical – UPS, generators • Environmental – Backups • Good housekeeping • Backup procedures • Emergency response procedures
  • 43. CBK REVIEW - August 1999 43E The Steps in a BCP - 3 • Plan Development – Specify resources needed for recovery – Team-based – Recovery plans – Mitigation steps – Testing plans – Prepared by those who will carry them out
  • 44. Included in a BCP
    • Off-site storage
      – Trip there - secure? Timely?
      – Physical layout of site
      – Fire protection
      – Climate controls
      – Security access controls
      – Backup power
  • 45. Included in a BCP
    • Off-site storage
    • Alternate site
      – Hot/Warm/Cold (Shell) sites
      – Reciprocal agreements/Multiple sites/Service bureaus
      – Trip there - secure? Timely?
      – Physical layout of site
      – Fire protection
      – Climate controls
      – Security access controls
      – Backup power
      – Agreements
  • 46. Included in a BCP
    • Off-site storage
    • Alternate site
    • Backup processing
      – Compatibility
      – Capacity
      – Journaling - maintaining audit records
        • Remote journaling - to off-site location
      – Shadowing - remote journaling and delayed mirroring
      – Mirroring - maintaining realtime copy of data
      – Electronic vaulting - bulk transfer of backup files
  • 47. Included in a BCP
    • Off-site storage
    • Alternate site
    • Backup processing
    • Communications
      – Compatibility
      – Accessibility
      – Capacity
      – Alternatives
  • 48. Included in a BCP
    • Off-site storage
    • Alternate site
    • Backup processing
    • Communications
    • Work space
      – Accessibility
      – Capacity
      – Environment
  • 49. Included in a BCP
    • Off-site storage
    • Alternate site
    • Backup processing
    • Communications
    • Work space
    • Office equipment/supplies/documentation
    • Security
    • Critical business processes/Management
    • Testing
    • Vendors - Contact info, agreements
    • Teams - Contact info, transportation
    • Return to normal operations
    • Resources needed
  • 50. Complications
    • Media/Police/Public
    • Families
    • Fraud
    • Looting/Vandalism
    • Safety/Legal issues
    • Expenses/Approval
  • 51. The Steps in a BCP - Finally
    • Plan Testing
      – Proves feasibility of recovery process
      – Verifies compatibility of backup facilities
      – Ensures adequacy of team procedures
        • Identifies deficiencies in procedures
      – Trains team members
      – Provides mechanism for maintaining/updating the plan
      – Upper management comfort
  • 52. The Steps in a BCP - Finally
    • Plan Testing
      – Desk checks/Checklist
      – Structured Walkthroughs
      – Live exercises/Simulations
      – Periodic off-site recovery tests/Parallel
      – Full interruption drills
  • 53. The Steps in a BCP - Finally
    • Test
      – Hardware
      – Software
      – Personnel
      – Communications
      – Procurement
      – Procedures
      – Supplies/forms
      – Documentation
      – Transportation
      – Utilities
      – Alternate site processing
      – Security
  • 54. The Steps in a BCP - Finally
    • Test
      – Purpose (scenario)
      – Objectives/Assumptions
      – Type
      – Timing
      – Schedule
      – Duration
      – Participants
        • Assignments
      – Constraints
      – Steps
  • 55. The Steps in a BCP - Finally
    • Alternate Site Test
      – Activate emergency control center
      – Notify & mobilize personnel
      – Notify vendors
      – Pickup and transport
        – tapes
        – supplies
        – documentation
      – Install (Cold and Warm sites)
      – IPL
      – Verify
      – Run
      – Shut down/Clean up
      – Document/Report
  • 56. The Steps in a BCP - Finally
    • Plan Update and Retest cycle (Plan Maintenance)
      – Critical to maintain validity and usability of plan
        • Environmental changes
        • HW/SW/FW changes
        • Personnel
      – Needs to be included in organization plans
        • Job description/expectations
        • Personnel evaluations
        • Audit work plans
  • 57. BCP by Stages
    • Initiation
    • Current state assessment
    • Develop support processes
    • Training
    • Impact Assessment
    • Alternative selection
    • Recovery Plan development
    • Support services continuity plan development
    • Master plan consolidation
    • Testing strategy development
    • Post transition transition plan development
  • 58. BCP by Stages
    • Implementation planning
    • Quick Hits
    • Implementation, testing, maintenance
  • 59. End User Planning
    • DP is critical to end users
    • Difficult to use manual procedures
    • Recovery is complex
    • Need to plan
      – manual procedures
      – recovery of data/transactions
      – procedures for alternate site operation
      – procedures to return to normal
  • 60. The Real World
    • DR plans normally involve
      – Essential DP platforms/systems only
      – A manual on the shelf written 2-3 years ago
      – Little or no user involvement
      – No provision for business processes
      – No active testing
      – Resource lists and contact information that do not match current realities
  • 61. Stages in an Incident
    • Disaster
      – interruption affecting user operations significantly
  • 62. Stages in an Incident
    • Disaster
    • Initial/Emergency response
      – Purpose
        • Ensure safety of people
        • Prevent further damage
      – Activate emergency response team
      – Covers emergency procedures for expected hazards
      – Safety essential
      – Emergency supplies
      – Crisis Management plan - decision making
  • 63. Stages in an Incident
    • Disaster
    • Initial response
    • Impact assessment
      – Activate assessment team
      – Determine situation
        • What is affected?
      – Decide whether to activate plan
  • 64. Stages in an Incident
    • Disaster
    • Initial response
    • Impact assessment
    • Initial recovery
      – Initial recovery of key areas at alternate site
      – Detailed procedures
      – Salvage/repair - Clean up
  • 65. Stages in an Incident
    • Disaster
    • Initial response
    • Impact assessment
    • Initial recovery
    • Return to normal/Business resumption
      – Return to operation at normal site
      – “Emergency” is not over until you are back to normal
      – Requires just as much planning - Parallel operations
  • 66. Special Cases
    • Y2K
      – Incidents will happen in a particular time frame
      – Alternate sites won’t help
      – Redundant equipment won’t help
      – Backups won’t help
      – Involves automated equipment and services
  • 67. Final Thoughts
    • Do you really want to activate a DR/BCP plan?
      – Prevention
      – Planning

Editor's Notes

  1. Vulnerabilities?
     Improper access to data - controls not granular enough
     Invalid data - Update permitted to the wrong/too many people