CBK REVIEW - August
1999 1E
Business Continuity Planning
• Note: these are slides that were part of a CISSP
prep course that I partly developed and taught while I
was with Ernst and Young.
• While these slides are dated – August 1999 - the
core information is still relevant.
• Contact me w/ any questions or comments –
• Ben Rothke, CISSP brothke@hotmail.com
Introduction
• The Problem - Reasons for BCP
• Principles of BCP
• Doing BCP
– The steps
– What is included
– The stages of an incident
Definitions
A contingency plan is:
“A plan for emergency response, backup operations, and post-disaster
recovery maintained by an activity as a part of its
security program that will ensure the availability of critical
resources and facilitate the continuity of operations in an
emergency situation…”
(National Computer Security Center 1988)
1997-98 survey: >35% of companies have no plans
Definitions of BCP
• Disaster Recovery
• Business Continuity Planning
• End-user Recovery Planning
• Contingency Planning
• Emergency Response
• Crisis Management
The goal is to assist the organization/business to continue
functioning even though normal operations are disrupted
Includes steps to take
– Before a disruption
– During a disruption
– After a disruption
Reasons for BCP
• It is better to plan activities ahead of time rather than
to react when the time comes
– “Proactive” rather than “Reactive”
– Take the correct actions when needed
– Allow for experienced personnel to be absent
Reasons for BCP
• It is better to plan activities ahead of time rather than
to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Saves time, mistakes, stress and $$
– Keep the money coming in
– Short and long term loss of business
– Have necessary materials, equipment, information on hand
– Planning can take up to 3 years
Reasons for BCP
• It is better to plan activities ahead of time rather than
to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Keep the money coming in
– Short and long term loss of business
• Effect on customers
– Public image
– Loss of life
Reasons for BCP
• It is better to plan activities ahead of time rather than
to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Keep the money coming in
– Short and long term loss of business
• Effect on customers
• Legal requirements
– ‘77 Foreign Corrupt Practices Act/protection of stockholders
• Management criminally liable
Reasons for BCP
• It is better to plan activities ahead of time rather than
to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Keep the money coming in
– Short and long term loss of business
• Effect on customers
• Legal requirements
– ‘77 Foreign Corrupt Practices Act/protection of stockholders
– Federal Financial Institutions Examination Council (FFIEC)
– FCPA SAS30 Audit Standards
– Defense Investigative Service
– Legal and Regulatory sanctions, civil suits
Definitions
• Due Care
– minimum and customary practice of responsible protection
of assets that reflects a community or societal norm
• Due Diligence
– prudent management and execution of due care
The Problem
• Utility failures
• Intruders
• Fire/Smoke
• Water
• Natural disasters (earthquakes, snow/hail/ice,
lightning, hurricanes)
• Heat/Humidity
• Electromagnetic emanations
• Hostile activity
• Technology failure
Recent Disasters
• Bombings
– ‘92 London financial district
– ‘93 World Trade Center, NY
– ‘93 London financial district
– ‘95 Oklahoma City
• Earthquakes
– ‘89 San Francisco
– ‘94 Los Angeles
– ‘95 Kobe, JP
• Fires
– ‘95 Malden Mills, Lawrence, MA
– ‘96 Credit Lyonnais, FR
– ‘97 Iron Mountain Record Center, Brunswick, NJ
Recent Disasters
• Power
– ‘92 AT&T
– ‘96 Orrville, OH
– ‘99 East coast heat/drought brownouts
• Floods
– ‘97 Midwest floods
• Storms
– ‘92 Hurricane Andrew
– ‘93 Northeast Blizzard
– ‘96 Hurricanes Bertha, Fran
– ‘98 Florida tornados
• Hardware/Software
– Year 2000
The Problem
• Utility failures
• Intruders
• Fire/Smoke
• Water
• Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
• Heat/Humidity
• Electromagnetic emanations
• Hostile activity
• Technology failure
• Failure to keep operating
Fortune 1000 study
– Average loss $78K, up to $500K
– 65% failing over 1 week never reopen
– Loss of market share common
Threats
• From Data Pro reports
– Errors & omissions 50%
– Fire, water, electrical 25%
– Dishonest employees 10%
– Disgruntled employees 10%
– Outsider threats 5%
The Controls
• Least Privilege
– Information security
• Redundancy
– Backed up data
– Alternate equipment
– Alternate communications
– Alternate facilities
– Alternate personnel
– Alternate procedures
The Steps in a BCP - Initiation
• Project initiation
– Executive commitment and support MOST CRITICAL
– Business case to obtain support
– Sell the need for DRP (price vs benefit)
– Build and maintain awareness
– On-going testing & maintenance
– Top down approach
– Project planning, staffing
• Local support/responsibility
The Steps in a BCP - 1
• Impact Assessment (Impact Analysis/Vulnerability
Assessment/Current State Assessment/Risk
Assessment)
Purpose
– Identify risks
– Identify business requirements for continuity
– Quantify impact of potential threats
– Balance impact and countermeasure cost
– Establish recovery priorities
Benefits
• Relates security objectives to organization mission
• Quantifies how much to spend on security measures
• Provides long term planning guidance
– Site selection
– Building design
– HW configuration
– SW
– Internal controls
– Criteria for contingency plans
– Security policy
• Protection requirements
• Significant threats
• Responsibilities
The Steps in a BCP - 1
• Risk Assessment
– Potential failure scenarios
– Likelihood of failure
– Cost of failure (loss impact analysis)
• Dollar losses
• Additional operational expenses
• Violation of contracts, regulatory requirements
• Loss of competitive advantage, public confidence
– Assumed maximum downtime (recovery time frames)
• Rate of losses
• Periodic criticality
• Time-loss curve charts
The Steps in a BCP - 1
• Risk Assessment/Analysis
– Potential failure scenarios (risks)
– Likelihood of failure
– Cost of failure, quantify impact of threat
– Assumed maximum downtime
– Annual Loss Expectancy
– Worst case assumptions
– Based on business process model? Or IT model?
– Identify critical functions and supporting resources
– Balance impact and countermeasure cost
• Key -
– Potential damage
– Likelihood
Definitions
• Threat
– any event which could have an undesirable impact
• Vulnerability
– absence or weakness of a risk-reducing safeguard, potential
to allow a threat to occur with greater frequency, greater
impact, or both
• Exposure
– a measure of the magnitude of loss or impact on the value of
the asset
• Risk
– the potential for harm or loss, including the degree of
confidence of the estimate
Definitions
• Quantitative Risk Analysis
– quantified estimates of impact, threat frequency, safeguard
effectiveness and cost, and probability
– Powerful aid to decision making
– Difficult to do in time and cost
• Qualitative Risk Analysis
– minimally quantified estimates
– Exposure scale ranking estimates
– Easier in time and money
– Less compelling
• Risk Analysis is performed as a continuum from fully
qualitative to less than fully quantitative
Results
• Loss impact analysis
• Recovery time frames
– Essential business functions
– Information systems applications
• Recommended recovery priorities & strategies
• Goals
– Understand economic & operational impact
– Determine recovery time frame (business/DP/Network)
– Identify most appropriate strategy
– Cost/justify recovery planning
– Include BCP in normal decision making process
Risk Management Team
• Management - Support
• DP Operations
• Systems Programming
• Internal Audit
• Physical Security
• Application owners
• Application programmers
Preliminary Security Exam
• Asset costs
• Threat survey
– Personnel
– Physical environment
– HW/SW
– Communications
– Applications
– Operations
– Natural disasters
– Environment
– Facility
– Access
– Data value
Preliminary Security Exam
• Asset costs
• Threat survey
• Existing security measures
• Management review
Threats
• Unauthorized access
• Hardware failure
• Utility failure
• Natural disasters
• Loss of key personnel
• Human errors
• Neighborhood hazards
• Tampering
• Disgruntled employees
• Emanations
• Safety
• Improper use of technology
• Repetition of errors
• Cascading of errors
• Illogical processing
• Translation of user needs
(technical requirements)
• Inability to control technology
• Equipment failure
• Incorrect entry of data
• Concentration of data
• Inability to react quickly
• Inability to substantiate
processing
• Concentration of
responsibilities
• Erroneous/falsified data
• Misuse
Threats
• Uncontrolled system access
• Ineffective application security
• Operations procedural errors
• Program errors
• Operating system flaws
• Communications system failure
• Utility failure
Risk Analysis Steps
• 1 - Identify essential business functions
– Dollar losses or added expense
– Contract/legal/regulatory requirements
– Competitive advantage/market share
– Interviews, questionnaires, workshops
• 2 - Establish recovery plan parameters
– Prioritize business functions
• 3 - Gather impact data/Threat analysis
– Probability of occurrence, source of help
– Document business functions
– Define support requirements
– Document effects of disruption
– Determine maximum acceptable outage period
– Create outage scenarios
Risk Analysis Steps
• 4 - Analyze and summarize
– Estimate potential losses
• Destruction/theft of assets
• Loss of data
• Theft of information
• Indirect theft of assets
• Delayed processing
• Consider periodicity
– Combine potential loss & probability
– Magnitude of risk is the ALE (Annual Loss
Expectancy)
– Guide to security measures and how much to spend
Results
• Significant threats & probabilities
• Critical tasks & loss potential by threat
• Remedial measures
– Greatest net reduction in losses
– Annual cost
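The ALE calculation from the Risk Analysis Steps and the ranking of remedial measures by net reduction in losses, as an added worked example that is not part of the original slides. The scenarios, dollar figures, safeguard effects and all names in the code are constructed for illustration; probability is expressed as expected occurrences per year.

```python
from dataclasses import dataclass, field


@dataclass
class Scenario:
    """One loss scenario from the risk analysis (constructed values)."""
    name: str
    loss_per_event: float   # estimated potential loss per occurrence, in dollars
    events_per_year: float  # likelihood as expected occurrences per year

    @property
    def ale(self) -> float:
        # Annual Loss Expectancy: potential loss combined with probability
        return self.loss_per_event * self.events_per_year


@dataclass
class Measure:
    """A candidate remedial measure and its assumed effect per scenario."""
    name: str
    annual_cost: float
    # scenario name -> (loss multiplier, frequency multiplier); 1.0 = no change
    effects: dict = field(default_factory=dict)


def residual_ale(scenarios, measure):
    """Total ALE across all scenarios with the measure in place."""
    total = 0.0
    for s in scenarios:
        loss_mult, freq_mult = measure.effects.get(s.name, (1.0, 1.0))
        total += (s.loss_per_event * loss_mult) * (s.events_per_year * freq_mult)
    return total


def rank_measures(scenarios, measures):
    """Rank measures by net reduction in losses (ALE reduction minus annual cost)."""
    baseline = sum(s.ale for s in scenarios)
    rows = []
    for m in measures:
        reduction = baseline - residual_ale(scenarios, m)
        rows.append({
            "measure": m.name,
            "ale_reduction": reduction,
            "annual_cost": m.annual_cost,
            "net_benefit": reduction - m.annual_cost,
            # A measure that costs more per year than it saves is a candidate
            # for risk acceptance or risk assignment (insurance) instead.
            "justified": reduction > m.annual_cost,
        })
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample data: frequent small losses versus rare large ones.
SCENARIOS = [
    Scenario("Data-entry errors", loss_per_event=2_000, events_per_year=50),
    Scenario("Computer-room fire", loss_per_event=500_000, events_per_year=0.02),
    Scenario("Utility power failure", loss_per_event=40_000, events_per_year=0.5),
]

MEASURES = [
    Measure("Input validation and training", 15_000,
            {"Data-entry errors": (1.0, 0.5)}),        # halves error frequency
    Measure("UPS and generator", 12_000,
            {"Utility power failure": (1.0, 0.125)}),  # most outages ridden through
    Measure("Fire suppression upgrade", 8_000,
            {"Computer-room fire": (0.25, 1.0)}),      # limits damage per fire
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:<24} ALE ${s.ale:>10,.0f}")
    print()
    for row in rank_measures(SCENARIOS, MEASURES):
        flag = "justified" if row["justified"] else "not justified"
        print(f"{row['measure']:<32} reduction ${row['ale_reduction']:>8,.0f}  "
              f"cost ${row['annual_cost']:>7,.0f}  "
              f"net ${row['net_benefit']:>8,.0f}  {flag}")
```

With these figures the frequent low-cost errors carry ten times the ALE of the fire, and the fire suppression upgrade costs slightly more per year than the loss it avoids.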
Information Valuation
• Information has cost/value
– Acquire/develop/maintain
– Owner/Custodian/User/Adversary
• Do a cost/value estimate for
– Cost/benefit analysis
– Integrate security in systems
– Avoid penalties
– Preserve proprietary information
– Business continuity
• Circumstances affect valuation timing
• Ethical obligation to use justifiable tools/techniques
Conditions of Value
• Exclusive possession
• Utility
• Cost of creation/recreation
• Liability
• Convertibility/negotiability
• Operational impact
• Market forces
• Official value
• Expert opinion/appraisal
• Bilateral agreement/contract
Scenario
• A specific threat (potential event/act) in which assets are subject
to loss
• Write scenario for each major threat
• Credibility/functionality review
• Evaluate current safeguards
• Finalize/Play out
• Prepare findings
The Steps in a BCP - 2
• Strategy Development (Alternative Selection)
– Management support
– Team structure
– Strategy selection
• Cost effective
• Workable
The Steps in a BCP - 3
• Implementation (Plan Development)
– Specify resources needed for recovery
– Make necessary advance arrangements
– Mitigate exposures
The Steps in a BCP - 3
• Risk Prevention/Mitigation
– Risk management program
– Security - physical and information (access)
– Environmental controls
– Redundancy - Backups/Recoverability
• Journaling, Mirroring, Shadowing
• On-line/near-line/off-line
– Insurance
– Emergency response plans
– Procedures
– Training
The Steps in a BCP - 3
• Decision Making
– Cost effectiveness
• Total cost
– Human intervention requirements
• Manual functions are weakest
– Overrides and defaults
• Shutdown capability
• Default to no access
– Design openness
– Least Privilege
• Minimum information
• Visible safeguards
– Entrapment
• Selected vulnerabilities made attractive
The Steps in a BCP - 3
• Decision Making
– Independence of controller and subject
– Universality
– Compartmentalization, defense in depth
– Isolation
– Completeness
– Instrumentation
– Acceptance
– Sustainability
– Auditability
– Accountability
– Recovery
Remedial Measures
• Alter environment
• Erect barriers
• Improve procedures
• Early detection
• Contingency plans
• Risk assignment (insurance)
• Agreements
• Stockpiling
• Risk acceptance
Remedial Measures
• Fire
– Detection, suppression
• Water
– Detection, equipment covers, positioning
• Electrical
– UPS, generators
• Environmental
– Backups
• Good housekeeping
• Backup procedures
• Emergency response procedures
The Steps in a BCP - 3
• Plan Development
– Specify resources needed for recovery
– Team-based
– Recovery plans
– Mitigation steps
– Testing plans
– Prepared by those who will carry them out
Included in a BCP
• Off-site storage
– Trip there - secure? Timely?
– Physical layout of site
– Fire protection
– Climate controls
– Security access controls
– Backup power
Included in a BCP
• Off-site storage
• Alternate site
– Hot/Warm/Cold (Shell) sites
– Reciprocal agreements/Multiple sites/Service bureaus
– Trip there - secure? Timely?
– Physical layout of site
– Fire protection
– Climate controls
– Security access controls
– Backup power
– Agreements
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
– Compatibility
– Capacity
– Journaling - maintaining audit records
• Remote journaling - to off-site location
– Shadowing - remote journaling and delayed mirroring
– Mirroring - maintaining realtime copy of data
– Electronic vaulting - bulk transfer of backup files
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
– Compatibility
– Accessibility
– Capacity
– Alternatives
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
• Work space
– Accessibility
– Capacity
– Environment
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
• Work space
• Office equipment/supplies/documentation
• Security
• Critical business processes/Management
• Testing
• Vendors - Contact info, agreements
• Teams - Contact info, transportation
• Return to normal operations
• Resources needed
Complications
• Media/Police/Public
• Families
• Fraud
• Looting/Vandalism
• Safety/Legal issues
• Expenses/Approval
The Steps in a BCP - Finally
• Plan Testing
– Proves feasibility of recovery process
– Verifies compatibility of backup facilities
– Ensures adequacy of team procedures
• Identifies deficiencies in procedures
– Trains team members
– Provides mechanism for maintaining/updating the plan
– Upper management comfort
The Steps in a BCP - Finally
• Plan Testing
– Desk checks/Checklist
– Structured Walkthroughs
– Live exercises/Simulations
– Periodic off-site recovery tests/Parallel
– Full interruption drills
The Steps in a BCP - Finally
• Test
– Hardware
– Software
– Personnel
– Communications
– Procurement
– Procedures
– Supplies/forms
– Documentation
– Transportation
– Utilities
– Alternate site processing
– Security
The Steps in a BCP - Finally
• Test
– Purpose (scenario)
– Objectives/Assumptions
– Type
– Timing
– Schedule
– Duration
– Participants
• Assignments
– Constraints
– Steps
The Steps in a BCP - Finally
• Alternate Site Test
– Activate emergency control center
– Notify & mobilize personnel
– Notify vendors
– Pickup and transport
• tapes
• supplies
• documentation
– Install (Cold and Warm sites)
– IPL
– Verify
– Run
– Shut down/Clean up
– Document/Report
The Steps in a BCP - Finally
• Plan Update and Retest cycle (Plan Maintenance)
– Critical to maintain validity and usability of plan
• Environmental changes
• HW/SW/FW changes
• Personnel
– Needs to be included in organization plans
• Job description/expectations
• Personnel evaluations
• Audit work plans
BCP by Stages
• Initiation
• Current state assessment
• Develop support processes
• Training
• Impact Assessment
• Alternative selection
• Recovery Plan development
• Support services continuity plan development
• Master plan consolidation
• Testing strategy development
• Post transition transition plan development
BCP by Stages
• Implementation planning
• Quick Hits
• Implementation, testing, maintenance
End User Planning
• DP is critical to end users
• Difficult to use manual procedures
• Recovery is complex
• Need to plan
– manual procedures
– recovery of data/transactions
– procedures for alternate site operation
– procedures to return to normal
The Real World
• DR plans normally involve
– Essential DP platforms/systems only
– A manual on the shelf written 2-3 years ago
– Little or no user involvement
– No provision for business processes
– No active testing
– Resource lists and contact information that do not match
current realities
Stages in an Incident
• Disaster
– interruption affecting user operations significantly
Stages in an Incident
• Disaster
• Initial/Emergency response
– Purpose
• Ensure safety of people
• Prevent further damage
– Activate emergency response team
– Covers emergency procedures for expected hazards
– Safety essential
– Emergency supplies
– Crisis Management plan - decision making
Stages in an Incident
• Disaster
• Initial response
• Impact assessment
– Activate assessment team
– Determine situation
• What is affected?
– Decide whether to activate plan
Stages in an Incident
• Disaster
• Initial response
• Impact assessment
• Initial recovery
– Initial recovery of key areas at alternate site
– Detailed procedures
– Salvage/repair - Clean up
Stages in an Incident
• Disaster
• Initial response
• Impact assessment
• Initial recovery
• Return to normal/Business resumption
– Return to operation at normal site
– “Emergency” is not over until you are back to normal
– Requires just as much planning - Parallel operations
Special Cases
• Y2K
– Incidents will happen in a particular time frame
– Alternate sites won’t help
– Redundant equipment won’t help
– Backups won’t help
– Involves automated equipment and services
Final Thoughts
• Do you really want to activate a DR/BCP plan?
– Prevention
– Planning

Cissp business continuity planning

  • 1.
    CBK REVIEW -August 1999 1E Business Continuity Planning • Note: these are slides that were part of a CISSP prep course that I partly developed and taught while I was with Ernst and Young. • While these slides are dated – August 1999 - the core information is still relevant. • Contact me w/ any questions or comments – • Ben Rothke, CISSP brothke@hotmail.com
  • 2.
    CBK REVIEW -August 1999 2E Introduction • The Problem - Reasons for BCP • Principles of BCP • Doing BCP – The steps – What is included – The stages of an incident
  • 3.
    CBK REVIEW -August 1999 3E Definitions A contingency plan is: “A plan for emergency response, backup operations, and post- disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation…” (National Computer Security Center 1988) 1997-98 survey >35% of companies have no plans
  • 4.
    CBK REVIEW -August 1999 4E Definitions of BCP • Disaster Recovery • Business Continuity Planning • End-user Recovery Planning • Contingency Planning • Emergency Response • Crisis Management The goal is to assist the organization/business to continue functioning even though normal operations are disrupted Includes steps to take – Before a disruption – During a disruption – After a disruption
  • 5.
    CBK REVIEW -August 1999 5E Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes – “Proactive” rather than “Reactive” – Take the correct actions when needed – Allow for experienced personnel to be absent
  • 6.
    CBK REVIEW -August 1999 6E Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes “Proactive” rather than “Reactive” • Maintain business operations – Saves time, mistakes, stress and $$ – Keep the money coming in – Short and long term loss of business – Have necessary materials, equipment, information on hand – Planning can take up to 3 years
  • 7.
    CBK REVIEW -August 1999 7E Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes “Proactive” rather than “Reactive” • Maintain business operations – Keep the money coming in – Short and long term loss of business • Effect on customers – Public image – Loss of life
  • 8.
    CBK REVIEW -August 1999 8E Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes “Proactive” rather than “Reactive” • Maintain business operations – Keep the money coming in – Short and long term loss of business • Effect on customers • Legal requirements – ‘77 Foreign Corrupt Practices Act/protection of stockholders • Management criminally liable
  • 9.
    CBK REVIEW -August 1999 9E Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes “Proactive” rather than “Reactive” • Maintain business operations – Keep the money coming in – Short and long term loss of business • Effect on customers • Legal requirements – ‘77 Foreign Corrupt Practices Act/protection of stockholders – Federal Financial Institutions Examination Council (FFIEC) – FCPA SAS30 Audit Standards – Defense Investigative Service – Legal and Regulatory sanctions, civil suits
  • 10.
    CBK REVIEW -August 1999 10E Definitions • Due Care – minimum and customary practice of responsible protection of assets that reflects a community or societal norm • Due Diligence – prudent management and execution of due care
  • 11.
    CBK REVIEW -August 1999 11E The Problem • Utility failures • Intruders • Fire/Smoke • Water • Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes) • Heat/Humidity • Electromagnetic emanations • Hostile activity • Technology failure
  • 12.
    CBK REVIEW -August 1999 12E Recent Disasters • Bombings – ‘92 London financial district – ‘93 World Trade Center, NY – ‘93 London financial district – ‘95 Oklahoma City • Earthquakes – ‘89 San Francisco – ‘94 Los Angeles – ‘95 Kobe, JP • Fires – ‘95 Malden Mills, Lawrence, MA – ‘96 Credit Lyonnais, FR – ‘97 Iron Mountain Record Center, Brunswick, NJ
  • 13.
    CBK REVIEW -August 1999 13E Recent Disasters • Power – ‘92 AT&T – ‘96 Orrville, OH – ‘99 East coast heat/drought brownouts • Floods – ‘97 Midwest floods • Storms – ‘92 Hurricane Andrew – ‘93 Northeast Blizzard – ‘96 Hurricanes Bertha, Fran – ‘98 Florida tornados • Hardware/Software – Year 2000
  • 14.
    CBK REVIEW -August 1999 14E The Problem • Utility failures • Intruders • Fire/Smoke • Water • Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes) • Heat/Humidity • Electromagnetic emanations • Hostile activity • Technology failure • Failure to keep operating Fortune 1000 study – Average loss $78K, up to $500K – 65% failing over 1 week never reopen – Loss of market share common
  • 15.
    CBK REVIEW -August 1999 15E Threats • From Data Pro reports – Errors & omissions 50% – Fire, water, electrical 25% – Dishonest employees 10% – Disgruntled employees 10% – Outsider threats 5%
  • 16.
    CBK REVIEW -August 1999 16E The Controls • Least Privilege – Information security • Redundancy – Backed up data – Alternate equipment – Alternate communications – Alternate facilities – Alternate personnel – Alternate procedures
  • 17.
    CBK REVIEW -August 1999 17E The Steps in a BCP - Initiation • Project initiation – Executive commitment and support MOST CRITICAL – Business case to obtain support – Sell the need for DRP (price vs benefit) – Build and maintain awareness – On-going testing & maintenance – Top down approach – Project planning, staffing • Local support/responsibility
  • 18.
    CBK REVIEW -August 1999 18E The Steps in a BCP - 1 • Impact Assessment (Impact Analysis/Vulnerability Assessment/Current State Assessment/Risk Assessment ) Purpose – Identify risks – Identify business requirements for continuity – Quantify impact of potential threats – Balance impact and countermeasure cost – Establish recovery priorities
  • 19.
    CBK REVIEW -August 1999 19E Benefits • Relates security objectives to organization mission • Quantifies how much to spend on security measures • Provides long term planning guidance – Site selection – Building design – HW configuration – SW – Internal controls – Criteria for contingency plans – Security policy • Protection requirements • Significant threats • Responsibilities
  • 20.
    CBK REVIEW -August 1999 20E The Steps in a BCP - 1 • Risk Assessment – Potential failure scenarios – Likelihood of failure – Cost of failure (loss impact analysis) • Dollar losses • Additional operational expenses • Violation of contracts, regulatory requirements • Loss of competitive advantage, public confidence – Assumed maximum downtime (recovery time frames) • Rate of losses • Periodic criticality • Time-loss curve charts
  • 21.
    CBK REVIEW -August 1999 21E The Steps in a BCP - 1 • Risk Assessment/Analysis – Potential failure scenarios (risks) – Likelihood of failure – Cost of failure, quantify impact of threat – Assumed maximum downtime – Annual Loss Expectancy – Worst case assumptions – Based on business process model? Or IT model? – Identify critical functions and supporting resources – Balance impact and countermeasure cost • Key - – Potential damage – Likelihood
  • 22.
    CBK REVIEW -August 1999 22E Definitions • Threat – any event which could have an undesirable impact • Vulnerability – absence or weakness of a risk-reducing safeguard, potential to allow a threat to occur with greater frequency, greater impact, or both – Exposure – a measure of the magnitude of loss or impact on the value of the asset • Risk – the potential for harm or loss, including the degree of confidence of the estimate
  • 23.
    CBK REVIEW -August 1999 23E Definitions • Quantitative Risk Analysis – quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability – Powerful aid to decision making – Difficult to do in time and cost • Qualitative Risk Analysis – minimally quantified estimates – Exposure scale ranking estimates – Easier in time and money – Less compelling • Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative
  • 24.
    CBK REVIEW -August 1999 24E Results • Loss impact analysis • Recovery time frames – Essential business functions – Information systems applications • Recommended recovery priorities & strategies • Goals – Understand economic & operational impact – Determine recovery time frame (business/DP/Network) – Identify most appropriate strategy – Cost/justify recovery planning – Include BCP in normal decision making process
  • 25.
    CBK REVIEW -August 1999 25E Risk Management Team • Management - Support • DP Operations • Systems Programming • Internal Audit • Physical Security • Application owners • Application programmers
  • 26.
    CBK REVIEW -August 1999 26E Preliminary Security Exam • Asset costs • Threat survey – Personnel – Physical environment – HW/SW – Communications – Applications – Operations – Natural disasters – Environment – Facility – Access – Data value
  • 27.
    CBK REVIEW -August 1999 27E Preliminary Security Exam • Asset costs • Threat survey • Existing security measures • Management review
  • 28.
    CBK REVIEW -August 1999 28E Threats • Unauthorized access • Hardware failure • Utility failure • Natural disasters • Loss of key personnel • Human errors • Neighborhood hazards • Tampering • Disgruntled employees • Emanations • Safety • Improper use of technology • Repetition of errors • Cascading of errors • Illogical processing • Translation of user needs (technical requirements) • Inability to control technology • Equipment failure • Incorrect entry of data • Concentration of data • Inability to react quickly • Inability to substantiate processing • Concentration of responsibilities • Erroneous/falsified data • Misuse
  • 29.
    CBK REVIEW -August 1999 29E Threats • Uncontrolled system access • Ineffective application security • Operations procedural errors • Program errors • Operating system flaws • Communications system failure • Utility failure
  • 30.
    CBK REVIEW -August 1999 30E Risk Analysis Steps • 1 - Identify essential business functions – Dollar losses or added expense – Contract/legal/regulatory requirements – Competitive advantage/market share – Interviews, questionnaires, workshops • 2 - Establish recovery plan parameters – Prioritize business functions • 3 - Gather impact data/Threat analysis – Probability of occurrence, source of help – Document business functions – Define support requirements – Document effects of disruption – Determine maximum acceptable outage period – Create outage scenarios
  • 31.
    CBK REVIEW -August 1999 31E Risk Analysis Steps • 4 - Analyze and summarize – Estimate potential losses • Destruction/theft of assets • Loss of data • Theft of information • Indirect theft of assets • Delayed processing • Consider periodicity – Combine potential loss & probability – Magnitude of risk is the ALE (Annual Loss Expectancy) – Guide to security measures and how much to spend
  • 32.
    CBK REVIEW -August 1999 32E Results • Significant threats & probabilities • Critical tasks & loss potential by threat • Remedial measures – Greatest net reduction in losses – Annual cost
  • 33.
    CBK REVIEW -August 1999 33E Information Valuation • Information has cost/value – Acquire/develop/maintain – Owner/Custodian/User/Adversary • Do a cost/value estimate for – Cost/benefit analysis – Integrate security in systems – Avoid penalties – Preserve proprietary information – Business continuity • Circumstances effect valuation timing • Ethical obligation to use justifiable tools/techniques
  • 34.
    CBK REVIEW -August 1999 34E Conditions of Value • Exclusive possession • Utility • Cost of creation/recreation • Liability • Convertibility/negotiability • Operational impact • Market forces • Official value • Expert opinion/appraisal • Bilateral agreement/contract
  • 35.
    Scenario
    • A specific threat (potential event/act) in which assets are subject to loss
    • Write scenario for each major threat
    • Credibility/functionality review
    • Evaluate current safeguards
    • Finalize/Play out
    • Prepare findings
  • 36.
    The Steps in a BCP - 2
    • Strategy Development (Alternative Selection)
    – Management support
    – Team structure
    – Strategy selection
    • Cost effective
    • Workable
  • 37.
    The Steps in a BCP - 3
    • Implementation (Plan Development)
    – Specify resources needed for recovery
    – Make necessary advance arrangements
    – Mitigate exposures
  • 38.
    The Steps in a BCP - 3
    • Risk Prevention/Mitigation
    – Risk management program
    – Security - physical and information (access)
    – Environmental controls
    – Redundancy - Backups/Recoverability
    • Journaling, Mirroring, Shadowing
    • On-line/near-line/off-line
    – Insurance
    – Emergency response plans
    – Procedures
    – Training
  • 39.
    The Steps in a BCP - 3
    • Decision Making
    – Cost effectiveness
    • Total cost
    – Human intervention requirements
    • Manual functions are weakest
    – Overrides and defaults
    • Shutdown capability
    • Default to no access
    – Design openness
    – Least Privilege
    • Minimum information
    • Visible safeguards
    – Entrapment
    • Selected vulnerabilities made attractive
  • 40.
    The Steps in a BCP - 3
    • Decision Making
    – Independence of controller and subject
    – Universality
    – Compartmentalization, defense in depth
    – Isolation
    – Completeness
    – Instrumentation
    – Acceptance
    – Sustainability
    – Auditability
    – Accountability
    – Recovery
  • 41.
    Remedial Measures
    • Alter environment
    • Erect barriers
    • Improve procedures
    • Early detection
    • Contingency plans
    • Risk assignment (insurance)
    • Agreements
    • Stockpiling
    • Risk acceptance
  • 42.
    Remedial Measures
    • Fire
    – Detection, suppression
    • Water
    – Detection, equipment covers, positioning
    • Electrical
    – UPS, generators
    • Environmental
    – Backups
    • Good housekeeping
    • Backup procedures
    • Emergency response procedures
  • 43.
    The Steps in a BCP - 3
    • Plan Development
    – Specify resources needed for recovery
    – Team-based
    – Recovery plans
    – Mitigation steps
    – Testing plans
    – Prepared by those who will carry them out
  • 44.
    Included in a BCP
    • Off-site storage
    – Trip there - secure? Timely?
    – Physical layout of site
    – Fire protection
    – Climate controls
    – Security access controls
    – Backup power
  • 45.
    Included in a BCP
    • Off-site storage
    • Alternate site
    – Hot/Warm/Cold(Shell) sites
    – Reciprocal agreements/Multiple sites/Service bureaus
    – Trip there - secure? Timely?
    – Physical layout of site
    – Fire protection
    – Climate controls
    – Security access controls
    – Backup power
    – Agreements
  • 46.
    Included in a BCP
    • Off-site storage
    • Alternate site
    • Backup processing
    – Compatibility
    – Capacity
    – Journaling - maintaining audit records
    • Remote journaling - to off-site location
    – Shadowing - remote journaling and delayed mirroring
    – Mirroring - maintaining realtime copy of data
    – Electronic vaulting - bulk transfer of backup files
  • 47.
    Included in a BCP
    • Off-site storage
    • Alternate site
    • Backup processing
    • Communications
    – Compatibility
    – Accessibility
    – Capacity
    – Alternatives
  • 48.
    Included in a BCP
    • Off-site storage
    • Alternate site
    • Backup processing
    • Communications
    • Work space
    – Accessibility
    – Capacity
    – Environment
  • 49.
    Included in a BCP
    • Off-site storage
    • Alternate site
    • Backup processing
    • Communications
    • Work space
    • Office equipment/supplies/documentation
    • Security
    • Critical business processes/Management
    • Testing
    • Vendors - Contact info, agreements
    • Teams - Contact info, transportation
    • Return to normal operations
    • Resources needed
  • 50.
    Complications
    • Media/Police/Public
    • Families
    • Fraud
    • Looting/Vandalism
    • Safety/Legal issues
    • Expenses/Approval
  • 51.
    The Steps in a BCP - Finally
    • Plan Testing
    – Proves feasibility of recovery process
    – Verifies compatibility of backup facilities
    – Ensures adequacy of team procedures
    • Identifies deficiencies in procedures
    – Trains team members
    – Provides mechanism for maintaining/updating the plan
    – Upper management comfort
  • 52.
    The Steps in a BCP - Finally
    • Plan Testing
    – Desk checks/Checklist
    – Structured Walkthroughs
    – Live exercises/Simulations
    – Periodic off-site recovery tests/Parallel
    – Full interruption drills
  • 53.
    The Steps in a BCP - Finally
    • Test
    – Hardware
    – Software
    – Personnel
    – Communications
    – Procurement
    – Procedures
    – Supplies/forms
    – Documentation
    – Transportation
    – Utilities
    – Alternate site processing
    – Security
  • 54.
    The Steps in a BCP - Finally
    • Test
    – Purpose (scenario)
    – Objectives/Assumptions
    – Type
    – Timing
    – Schedule
    – Duration
    – Participants
    • Assignments
    – Constraints
    – Steps
  • 55.
    The Steps in a BCP - Finally
    • Alternate Site Test
    – Activate emergency control center
    – Notify & mobilize personnel
    – Notify vendors
    – Pickup and transport
    – tapes
    – supplies
    – documentation
    – Install (Cold and Warm sites)
    – IPL
    – Verify
    – Run
    – Shut down/Clean up
    – Document/Report
  • 56.
    The Steps in a BCP - Finally
    • Plan Update and Retest cycle (Plan Maintenance)
    – Critical to maintain validity and usability of plan
    • Environmental changes
    • HW/SW/FW changes
    • Personnel
    – Needs to be included in organization plans
    • Job description/expectations
    • Personnel evaluations
    • Audit work plans
  • 57.
    BCP by Stages
    • Initiation
    • Current state assessment
    • Develop support processes
    • Training
    • Impact Assessment
    • Alternative selection
    • Recovery Plan development
    • Support services continuity plan development
    • Master plan consolidation
    • Testing strategy development
    • Post transition transition plan development
  • 58.
    BCP by Stages
    • Implementation planning
    • Quick Hits
    • Implementation, testing, maintenance
  • 59.
    End User Planning
    • DP is critical to end users
    • Difficult to use manual procedures
    • Recovery is complex
    • Need to plan
    – manual procedures
    – recovery of data/transactions
    – procedures for alternate site operation
    – procedures to return to normal
  • 60.
    The Real World
    • DR plans normally involve
    – Essential DP platforms/systems only
    – A manual on the shelf written 2-3 years ago
    – Little or no user involvement
    – No provision for business processes
    – No active testing
    – Resource lists and contact information that do not match current realities
  • 61.
    Stages in an Incident
    • Disaster – interruption affecting user operations significantly
  • 62.
    Stages in an Incident
    • Disaster
    • Initial/Emergency response
    – Purpose
    • Ensure safety of people
    • Prevent further damage
    – Activate emergency response team
    – Covers emergency procedures for expected hazards
    – Safety essential
    – Emergency supplies
    – Crisis Management plan - decision making
  • 63.
    Stages in an Incident
    • Disaster
    • Initial response
    • Impact assessment
    – Activate assessment team
    – Determine situation
    • What is affected?
    – Decide whether to activate plan
  • 64.
    Stages in an Incident
    • Disaster
    • Initial response
    • Impact assessment
    • Initial recovery
    – Initial recovery of key areas at alternate site
    – Detailed procedures
    – Salvage/repair - Clean up
  • 65.
    Stages in an Incident
    • Disaster
    • Initial response
    • Impact assessment
    • Initial recovery
    • Return to normal/Business resumption
    – Return to operation at normal site
    – “Emergency” is not over until you are back to normal
    – Requires just as much planning - Parallel operations
  • 66.
    Special Cases
    • Y2K
    – Incidents will happen in a particular time frame
    – Alternate sites won’t help
    – Redundant equipment won’t help
    – Backups won’t help
    – Involves automated equipment and services
  • 67.
    Final Thoughts
    • Do you really want to activate a DR/BCP plan?
    – Prevention
    – Planning

Editor's Notes

  • #11 Vulnerabilities? Improper access to data - controls not granular enough. Invalid data - Update permitted to the wrong/too many people.