This document discusses disaster recovery and business continuity planning. It defines business continuity planning (BCP) and disaster recovery planning (DRP) as processes for improving an organization's ability to continue operations during adverse events. The key aspects covered include identifying threats, developing recovery teams, creating emergency and backup plans, selecting alternative processing sites, testing plans, and maintaining plans over time. Regular auditing of BCP/DRP is also recommended to ensure plans remain adequate as business needs change.

1. Disaster Recovery And Business Continuity Adv. Prashant Mali [BSc.(Phy.), MSc.(Comp. Sci.),CNA, LLB ] Cyber Law ,Cyber Security & IPR Expert www.cyberlawconsulting.com

2. Session Overview What is Business Continuity Planning (BCP) or Disaster Recovery Planning ( DRP)? Need for BCP / DRP Objectives of BCP/DRP Planning & Implementing BCP/DRP www.cyberlawconsulting.com

3. What is BCP or DRP ? BCP, the primarily the responsibility of senior management, Is collection of plans, policies and procedures to improve the ability of organisation to continue its normal business operations under adverse or disastrous conditions So as to decrease the loss due to such adverse of disastrous conditions www.cyberlawconsulting.com

4. Need for BCP / DRP Organizational Strategies & Standards Events beyond human control like, earthquake, bomb blast, etc. Business should continue Legal & Statutory requirements Competition www.cyberlawconsulting.com

5. Objectives of BCP Plan for continuity of business under disaster and non-disaster events Limiting the tangible & Intangible losses of disaster events Most often, in the event of a disaster, it is survival and not business as usual. So, should aim at normal business resumption www.cyberlawconsulting.com

6. Testing & evaluation of BCP Training & test personnel for the adverse conditions Maintenance & Currency of BCP … Objectives of BCP

7. Other Enables management to quantify and qualify the resources like personnel, facilities etc. Manage the resources to support the required operational commitment Test the awareness and skills of the personnel in such events. … Objectives of BCP

8. BCP – DRP A business continuity plan aims to sustain mission critical business processes when an unforeseen interruption occurs A disaster recover plan is a comprehensive statement of consistent actions to be taken before, during and after a disruptive event that causes a significant loss occurs www.cyberlawconsulting.com

9. Steps in BCP Establish a BCP workgroup Develop high-level BCP strategy Develop master schedule and milestones Obtain management support Initiate Perform Risk Assessment Choose Recovery strategy Test and Validate www.cyberlawconsulting.com

10. … Steps in BCP Perform a risk assessment exercise Identify threats and exposures to each of the core business processes Initiate Perform Risk Assessment Choose Recovery strategy Test and Validate www.cyberlawconsulting.com

11. … Steps in BCP Identify recovery strategy Define notification procedures and Procedures activating contingency plans Establish business recovery teams for each core business process Initiate Perform Risk Assessment Choose Recovery strategy Test and Validate www.cyberlawconsulting.com

12. … Steps in BCP Validate the company’s business continuity plans Develop and document contingency test plans Prepare and execute tests Update disaster recovery plans and procedures Initiate Perform Risk Assessment Choose Recovery strategy Test and Validate www.cyberlawconsulting.com

13. What is a disaster ? Disaster is a event that could affect the continuity of normal business operation of organisation Categorizations of Disaster Events Disaster Results unavailability of entire processing facility Longer duration usually more than > 1 day

14. … Disaster Catastrophe Results in full/major destruction of processing facility Alternate processing facility can be temporarily utilized But, needs new permanent facility Non-Disaster Short term unavailability of the systems or files Disruption is temporary and easy to restore

15. Business Continuity Plan Defining strategy and policy by senior management Identifying and prioritizing critical business functions by doing business impact analysis and involving end users Identifying disaster events and evaluating its impacts Identifying and evaluating recovery alternatives

16. … Business Continuity Plan Identifying and assigning responsibilities to adequate personnel Testing and correcting the Business Continuity Plan Reviewing and Maintaining the Business Continuity Plan www.cyberlawconsulting.com

17. Teams and Responsibilities Emergency Action Team First response team – Bucket Team Fire wardens Deals with fire and other emergency scenarios Orderly evacuation of personnel Securing of human life www.cyberlawconsulting.com

18. … Teams Damage Assessment Team Assess the extent of damage Members with ability to assess damage, estimate recovery time Knowledge of test equipment, networks, systems, safety regulations and procedures Identify cause of disaster, impact and predict downtime www.cyberlawconsulting.com

19. … Teams Emergency Management Team Coordinating activities of all other teams and handles key decision making Determine the activation of BCP Arrangement of finance for recovery Legal matters Public relations Media www.cyberlawconsulting.com

20. … Teams Off-Site Storage Team Obtaining, packaging and shipping media and records to the recovery facilities Establishing and overseeing an off-site storage schedule for information created during operations at the recovery site Software Team Restore system, loading and testing OS Resolving system level problems

21. … Teams Applications Teams Restores user packs and applications programs Monitoring application performance and database integrity Security Team Monitor security system and comm. links Resolve security conflicts Installation and functioning of sec. package www.cyberlawconsulting.com

22. … Teams Emergency Operations Team Shift operators and shift supervisors reside at the recovery site Manage operations during recovery Coordinating hardware installation Network Recovery Team Rerouting wide area voice and data comm. Traffic www.cyberlawconsulting.com

23. … Teams Network Recovery Team Reestablishing host network control and access Provide on-going support data communications and overseas communications integrity Communications Team Work in conjugation with remote network recovery team www.cyberlawconsulting.com

24. … Teams Communications Team Soliciting and installing communications hardware Work with local exchange carriers and gateway vendors Transport Team Coordinating company employees to the site Also help in contacting, scheduling and arranging lodgings

25. … Teams User Hardware Team Delivery and installation of terminal. Printers, typewriters, photocopiers and other necessary equipment Facilitate salvage efforts Data Preparation and Records Team Updates applications Oversea contract data-entry personnel Record salvage

26. … Teams Administrative Support Team Clerical support to the other teams Accounting, payroll Supplies Team Coordinating logistics Office and computer supplies www.cyberlawconsulting.com

27. … Teams Salvage Team Manage relocation project More detailed analysis of damage Provides information to make decision about reconstruction or relocation Insurance claims Immediate records salvage Paper documents and electronic media www.cyberlawconsulting.com

28. … Teams Relocation Team Coordinates the process of moving from the hot site to a new location or to the restored original location Relocation of information system, processing operations, communication traffic and user operations Monitor transition to normal service levels www.cyberlawconsulting.com

29. IS Auditor’s Role in BCP Offering suggestions for selecting right strategy Can be facilitator as he or she has thorough understanding of BCP www.cyberlawconsulting.com

30. Policy Implementation What constitutes disaster? Who will decide or declare it? When can it happen? How to identify a disaster? How to estimate (time, efforts, resources) The overall budget should provide for it

31. Business Continuity Planning Gather all the relevant facts Obtain reports on historical events Make risk analysis / impact analysis needs to be reviewed periodically Ascertain Legal liabilities Budgeting and obtaining management approval

32. ...BCP Align with other policies / procedures. Options available: In house Auditors Consultants

33. Business Impact Analysis Identify critical information resources for business continuity Prioritization of critical systems Determine critical recovery time and tolerance in monetary terms System ranking Needs involvement of IS personnel and end users

34. Risk Ranking It is prioritization of systems on basis of systems criticality and impact on business continuity Sensitivity of an application is equal to that of most sensitive data Users has varying degree of tolerance -cost As processes become more automated and more integrated, the ability to prioritize systems more difficult

35. Classification of Systems Critical (level 1) Cannot be processed manually but must be processed on schedule Vital (level 2) Can be processed manually but for a short period of time Sensitive (level 3) Can be done manually for a long period of time Non Critical www.cyberlawconsulting.com

36. Critical Recovery Time Critical Recovery Time Period Is a time frame within which business should resume Before suffering significant losses. Depends on nature of business e.g. Banks, broking house, mfg. house Depends on time of year or hour of business when disaster occurs www.cyberlawconsulting.com

37. Critical applications, systems software and data should be recovered first Do not ignore desktop or end-user applications and utilities like spread sheet, notepad, etc. … Critical Recovery Time www.cyberlawconsulting.com

38. Insurance Equipment and Facility insurance Loss or damage to property, including IS Equipment and facilities Business interruption insurance Loss due to a disaster Continuing expenses during the time the company is unable to operate

39. … Insurance Extra Expense Extremely important add-on to property coverage Covers expenses incurred to avoid or minimise the suspension of business Professional Liability Errors and Omissions

40. … Insurance Extra Equipment Coverage If the system is not adequately covered Various types of equipment breakdown Data Reconstruction Time spent on data restoration Not value of data Specialised Equipment Coverage Anything that doesn’t fit in usual insurance coverage

41. … Insurance Valuable Papers and Records Against direct physical loss or damage Covers cost of recreating document, data reentry Fidelity Coverage Loss of organisational assets due to theft, forgery and fraud www.cyberlawconsulting.com

42. … Insurance Civil Authorities Civil authority prevents use of assets Media Transit Damage or loss during physical shipment of data www.cyberlawconsulting.com www.cyberlawconsulting.com

43. How to Implement BCP? Identification of Threats Implementing Plan Various Teams Involved Disaster Recovery plan Maintenance of BCP www.cyberlawconsulting.com

44. Identification of Threats External Threats Natural Calamities like earthquake, flood, fire Hardware suppliers - Unreliable or incompatible h/w Software Suppliers - Erroneous s/w. poor documentation Contractors - e.g. untimely provision of service Other resources - e.g. communication services www.cyberlawconsulting.com

45. … Identification of Threats Competitors - e.g. Sabotage, lawsuits, fair and unfair competition Debt & equity holders - e.g. financial distress through foreclosure on claims. Unions - e.g. strikes, sabotage www.cyberlawconsulting.com

46. Government - e.g Financial distress through onerous regulation Environmentalist - e.g. Unfavorable publicity Criminals / hackers - e.g. Theft, extortion … Identification of Threats www.cyberlawconsulting.com

47. Internal Threats Management Failure to provide resources Inadequate planning an control Employees Errors Improper usr of facilities and services Theft, fraud, sabotage … Identification of Threats

48. Unions Strikes or harassment Unreliable systems H/w failure, S/w failure … Identification of Threats

49. Major Security threats Major Security threats Fire Water Energy variations Structural damage Pollution due to smoke,chemicals Unauthorised intrusion Viruses and worms Misuse of software,data and services

50. Implementing Plan Inventory Process Who should be involved? Staff from concerned department Purchase department Personal /HRD department Finance / accounts department Engineering / technical depts. Administration department

51. Implementing Plan Inventory Process What should be inventorised? Manpower (specific for BCP /DRP ).. Who possesses special skills? Building, plant & machinery, furniture & fixtures Communications equipment & facilities e.g. telephone systems, modems, wiring systems, controllers, switches Electrical equipment and facilities, wiring

52. … Implementing Plan Computer equipment and peripherals Computer data & software such as O.S.,utilities ( defragmentation, forming etc. ), application s/w Back-up facilities Stationary items e.g. computer stationary Specific consumables e.g. printer ribbons, cartridges Documents, forms and registers www.cyberlawconsulting.com

53. Disaster Recovery Plan Disaster Recovery Plan consists of Emergency Plan Backup Plan Recovery Plan Test Plan www.cyberlawconsulting.com

54. Emergency Plan Specifies emergencies and immediate actions to be taken Who is to be notified e.g. management, police What activities to be undertaken shutdown of equipment termination of power www.cyberlawconsulting.com

55. … Emergency Plan Evacuation procedures required Return Procedures www.cyberlawconsulting.com www.cyberlawconsulting.com

56. Backup Plan Personal - Training & Rotation of staff… so that the function does not become person specifics Hardware and peripherals - Redundancy Facilities (such as transportation, telecommunication etc.) - arrangement with other companies www.cyberlawconsulting.com

57. ...Backup Plan Documentation Operating procedures, systems and program documentation, special procedures, input source documents, output documents A copy of current BCP plan at backup site & backup plan at current site A copy of all important legal documents to be available at backup site

58. ...Backup Plan Supplies - stationary, ribbons etc Data / Information - inventory of files, data Sensitive data to be stored in fire-proof magnetic media container Automated backups as far as possible Backup, its restoration, retention and purging

59. ...Backup Plan Software backup Systems s/w & Application software current Program patches for all backup locations Electronic Vaulting

60. Alternative Site options Hot Site Fully Configured, ready to operate If owned… computer hardware and data/software is available If shared… computer hardware / O.S. is available, data & application software may have to be loaded Expensive option can be used initially for short period

61. ...Alternative Sites Options Warm Site Partially configured, with network connection and selected peripheral equipment but without the main computer Cold Site Basic environment is available Duplicate Information processing facility Dedicated self-developed www.cyberlawconsulting.com

62. ...Alternative Sites Options Reciprocal agreement Two or more organisation agree to provide backup facilities Low cost Often informal in nature and cannot be enforced legally Confidentiality could be a concern www.cyberlawconsulting.com

63. Contract with Alternative site Configurations H/w, s/w whether adequate at all times? Speed of availability How early facility will be available? Subscribers per site Whether limited number of subscribers? Preference Priority in case of global disaster www.cyberlawconsulting.com

64. ...Contract Usage period How long the facility shall be available? Warranties Any liability limitations? e.g. lack of electricity. Provision for generator Testing Whether testing is allowed at alternate site?

65. ...Contract Reliability Technical and financial reliability Insurance coverage at alternate site .. your insurance policy should also cover h/w, s/w etc. at alternate site

66. Alternate hardware facilities Vendor or third-party Vendor may not immediately supply in crisis Buy from used h/w market.. Mostly applicable abroad Vendor supply can be best ensured at the time of moving from hot site to warm / cold site in phased manner

67. Telecommunication Network Susceptible to.. The same natural disasters Also sensitive to unique disastrous events e.g. cable cuts, central switching office disasters,hacking etc. Organisation’s responsibility and not that of Local Exchange Carrier (LEC)

68. ...Telecommunication Networks Backing up of telecommunication facilities such as Telephone voice circuits LAN, WAN Third party EDI providers UPS for telecom equipment Critical capacity requirement be identified www.cyberlawconsulting.com

69. Methods of Telecom Continuity Redundancy Extra capacity is provided Alternative Routing Routing via alternating medium e.g. copper, fiber optic Involves use of different networks, circuit or end points Use of couriers as an alternative to electronic transmission. www.cyberlawconsulting.com

70. ...Methods Diverse Routing Mix of redundancy and alternate routing Therefore time consuming and costly Generally alternative and diverse routing is over terrestrial media and therefore is subject to risk of decaying

71. ...Methods Long Haul Network Diversity Alternate/redundancy/diverse routing for LECs “ Last Mile” Circuit Protection Alternate or redundancy for “last mile” Voice recovery Voice communication maybe necessary in financial and other retail service

72. Recovery Plan Refers to procedures to restore original site Depends on type of disaster whether localised or global Specific responsibilities and priorities Function of Salvage team makes more detailed assessment of damage provides information for filing insurance Relocation team manages the relocation

73. Test Plan To identify deficiencies in emergency, backup and recovery plans Most tests falls short of a full-scale test of all operations Should be comprehensive Must be scheduled properly Key recovery team members should be involved www.cyberlawconsulting.com

74. Test Execution Pretest Test Post-test Other types of test Paper test Preparedness test Full Operational test Document for all scenarios Analysis of the Results Quantify results rather than evaluating only observations Measures for Quantification Recovery Time spent volume of work performed at alternate site Accuracy www.cyberlawconsulting.com

75. BCP Maintenance Responsibility of BCP Co-ordinator Should reflect changing environment Changes in business strategy may alter significance of critical application New applications may be developed Changes in S/w or H/w environment Plan updating should be prompt Maintenance schedule be prepared www.cyberlawconsulting.com

76. Auditing BCP / DRP Check for policy and support from senior management for BCP Check whether risk assessment is proper Evaluating ability of personnel - IS & users to respond to disaster Dependency on third party service providers for business continuity purposes is a major concern www.cyberlawconsulting.com

77. ...Auditing Evaluate BCP / DRP for their adequacy and currency May not exist May partially meet requirements Fully meets requirements Evaluate the test results - If possible, simulate few tests Check the inventories www.cyberlawconsulting.com

78. ...Auditing Evaluate the contract with back up site vendors Check whether plan addresses upload of data manually processed to computer system on resuming to normalcy Evaluate security at back up facility & off-site data storage site Review insurance coverage. www.cyberlawconsulting.com

79. Any Questions? Thank You Contact: prashant . [email_address] cyberlawconsulting @gmail.com Cell: (91)(9821763157) www.cyberlawconsulting.com