CISSP Guide to Security Essentials, Ch4 - PowerPoint

Business Continuity and Disaster Recovery Planning

CISSP Guide to Security Essentials
Chapter 4

Objectives
• Running a business continuity and
  disaster recovery planning project
• Developing business continuity and
  disaster recovery plans
• Testing business continuity and disaster
  recovery plans



Objectives (cont.)
• Training users
• Maintaining business continuity and
  disaster recovery plans




What Is a Disaster
• Any natural or man-made event that
  disrupts the operations of a business
  in such a significant way that a
  considerable and coordinated effort is
  required to achieve a recovery.




Natural Disasters
• Geological: earthquakes, volcanoes,
  lahars, tsunamis, landslides, and
  sinkholes
• Meteorological: hurricanes, tornados,
  wind storms, hail, ice storms, snow
  storms, rainstorms, and lightning



Natural Disasters (cont.)
• Other: avalanches, fires, floods, meteors
  and meteorites, and solar storms
• Health: widespread illnesses,
  quarantines, and pandemics




Man-made Disasters
• Labor: strikes, walkouts, and slow-downs
  that disrupt services and supplies
• Social-political: war, terrorism, sabotage,
  vandalism, civil unrest, protests,
  demonstrations, cyber attacks, and
  blockades



Man-made Disasters (cont.)
• Materials: fires, hazardous materials spills
• Utilities: power failures, communications
  outages, water supply shortages, fuel
  shortages, and radioactive fallout from
  power plant accidents




How Disasters Affect Businesses
• Direct damage to facilities and equipment
• Transportation infrastructure damage
     – Delays deliveries, supplies, employees going to work
• Communications outages
• Utilities outages




How BCP and DRP Support Security
• Security pillars: C-I-A
     – Confidentiality
     – Integrity
     – Availability
• BCP and DRP directly support availability




BCP and DRP Differences and Similarities
• BCP
     – Activities required to ensure the continuation of
       critical business processes in an organization
     – Alternate personnel, equipment, and facilities
• DRP
     – Assessment, salvage, repair, and eventual
       restoration of damaged facilities and systems




Industry Standards Supporting BCP and DRP
 • ISO27001/27002: Code of Practice for
   Information Security Management.
   Section 14 addresses business
   continuity management. Principles,
   terminology and process to support
   business continuity management.


Industry Standards Supporting BCP and DRP (cont.)
 • NIST 800-34: Contingency Planning
   Guide for Information Technology
   Systems. Seven step process for BCP
   and DRP projects.
 • NFPA 1600: Standard on Disaster /
   Emergency Management and Business
   Continuity Programs.


Industry Standards Supporting BCP and DRP (cont.)
 • NFPA 1620: The Recommended
   Practice for Pre-Incident Planning.
 • HIPAA: Requires a documented and
   tested disaster recovery plan for patient
   electronic data.




Benefits of BCP and DRP Planning
•   Reduced risk through risk/threat analysis
•   Process improvements
•   Improved organizational maturity
•   Improved availability and reliability
•   Marketplace advantage




The Role of Prevention
• Not prevention of the disaster itself,
  but prevention of surprise and
  disorganized response




The Role of Prevention (cont.)
• Reduction in impact of a disaster
     – Better equipment bracing
     – Better fire detection and suppression
     – Contingency plans that provide [near] continuous
       operation of critical business processes
     – Prevention of extended periods of downtime




Running a BCP / DRP Project
• Pre-project activities
• Perform a Business Impact Assessment
  (BIA)
• Develop resumption and recovery plans
• Test resumption and recovery plans




Pre-project Activities
•   Obtain executive support
•   Formally define the scope of the project
•   Choose project team members
•   Develop a project plan
     –   Business Impact Analysis
     –   Develop Contingency plans
     –   Test plans

• Develop a project charter
     –   Purpose, executive sponsorship, scope, budget, team members, milestones




Performing a Business Impact Analysis
• Survey critical business processes
• Perform threat assessment, risk analyses
• Develop key metrics
     – Maximum tolerable downtime, recovery time
       objective, recovery point objective




Performing a Business Impact Analysis (cont.)
• Develop impact statements
• Perform criticality analysis




Survey In-scope Business Processes
• Develop interview / intake template
• Interview a rep from each department
     – Identify all important processes
           • Identify dependencies on systems, people, equipment
           • Information consolidation
• Collate data into database or
  spreadsheets
     – Gives a big picture, all-company view


Process intake form:

            Process name                      Shipping; Marketing Department

            Date

            Interviewer

            Interviewee

            Process owner name                Manager’s name

            Process purpose                   Role, why the process is performed

            Process inputs                    Data, people, supplies, other

            Process outputs                   Data, products, other

            Supplier dependency               Name of the supplier needed to continue

            Personnel dependencies




Threat and Risk Analysis
• Identify threats, vulnerabilities, risks
  for each key process
     – Rank according to probability, impact, cost
     – Identify mitigating controls




Threat / Risk analysis from intake form:

Process name               Date   Interviewer   Interviewee   Process owner name   Process purpose   Process inputs
Shipping: Marketing dept                                      Manager’s name                         Data, people, supplies, other




Determine Maximum Tolerable Downtime (MTD)
• For each business process
• Identify the maximum time that each
  business process can be inoperative
  before significant damage or long-term
  viability is threatened
• Probably an educated guess for many
  processes


Determine Maximum Tolerable Downtime (cont.)
• Obtain senior management input to
  validate data
• Publish into the same database /
  spreadsheet listing all business
  processes




Develop Statements of Impact
• For each process, describe the impact
  on the rest of the organization if the
  process is incapacitated




Develop Statements of Impact (cont.)
• Examples
     – Inability to process payments
     – Inability to produce invoices
     – Inability to access customer data for support
       purposes




Record Other Key Metrics
• Examples
     – Cost to operate the process
     – Cost of process downtime
     – Profit derived from the process
• Useful for upcoming criticality analysis




Ascertain Current Continuity and Recovery Capabilities
• For each business process (adequate,
  inadequate, non-existent)
     – Identify documented continuity capabilities
     – Identify documented recovery capabilities
     – Identify undocumented capabilities
           • What if the disaster happened tomorrow




Develop Key Recovery Targets
• Recovery time objective (RTO)
     – Period of time from disaster onset to
       resumption of business process
• Recovery point objective (RPO)
     – Maximum period of data loss from onset
       of disaster counting backwards




Develop Key Recovery Targets (cont.)
• Obtain senior management buyoff on
  RTO and RPO
• Publish into the same database /
  spreadsheet listing all business
  processes




Sample Recovery Time Objectives
RPO                   Technology(ies) required
8-14 days             New equipment, data recovery from backup
4-7 days              Cold systems, data recovery from backup
2-3 days              Warm systems, data recovery from backup
12-24 hours           Warm systems, recovery from high speed
                      backup media




Sample Recovery Time Objectives (cont.)
RPO                   Technology(ies) required
6-12 hours            Hot systems, recovery from high speed
                      backup media
3-6 hours             Hot systems, data replication
1-3 hours             Clustering, data replication
< 1 hour              Clustering, near real time data replication




Criticality Analysis
• Rank processes by criticality criteria
     –   MTD (maximum tolerable downtime)
     –   RTO (recovery time objective)
     –   RPO (recovery point objective)
     –   Revenue loss per hour/day/week
     –   Cost of downtime or other metrics
     –   Qualitative criteria
           • Reputation, market share, goodwill
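
Added example (not from the slides or the textbook): the BIA steps above carried through on a constructed process register, ranking processes by criticality, rating current capability as adequate / inadequate / non-existent, and flagging targets that cannot be met. Assumptions: the bands of the "Sample Recovery Time Objectives" table are applied to the RTO, an RTO in a gap between bands takes the faster neighbouring band, RTO must not exceed MTD, and ranking is by MTD then cost of downtime; all process values are made up.

```python
from dataclasses import dataclass
from typing import Optional

# (lower bound of the band in hours, technology) taken from the deck's
# "Sample Recovery Time Objectives" table, fastest band first.
RTO_TIERS = [
    (0,   "Clustering, near real time data replication"),
    (1,   "Clustering, data replication"),
    (3,   "Hot systems, data replication"),
    (6,   "Hot systems, recovery from high speed backup media"),
    (12,  "Warm systems, recovery from high speed backup media"),
    (48,  "Warm systems, data recovery from backup"),
    (96,  "Cold systems, data recovery from backup"),
    (192, "New equipment, data recovery from backup"),
]

@dataclass
class Process:
    name: str
    mtd_hours: float               # maximum tolerable downtime
    rto_hours: float               # recovery time objective
    rpo_hours: float               # recovery point objective
    downtime_cost_per_hour: float
    current_tier: Optional[int]    # index into RTO_TIERS; None = no capability
    backup_interval_hours: float   # worst-case data loss with today's backups

def required_tier(rto_hours: float) -> int:
    """Slowest band whose lower bound is <= the RTO. An RTO in a gap between
    bands (e.g. 36 h) therefore gets the faster neighbour (assumption)."""
    return max(i for i, (lower, _) in enumerate(RTO_TIERS) if lower <= rto_hours)

def assess(p: Process) -> dict:
    """Rate current capability and list targets that cannot be met."""
    need = required_tier(p.rto_hours)
    if p.current_tier is None:
        capability = "non-existent"
    elif p.current_tier <= need:       # lower index = faster technology
        capability = "adequate"
    else:
        capability = "inadequate"
    findings = []
    if p.rto_hours > p.mtd_hours:      # recovery would finish after the MTD
        findings.append("RTO exceeds MTD")
    if p.backup_interval_hours > p.rpo_hours:
        findings.append("backup interval exceeds RPO")
    return {"name": p.name, "required": RTO_TIERS[need][1],
            "capability": capability, "findings": findings}

def bia_report(processes):
    """Rank by criticality: shortest MTD first, then highest downtime cost."""
    ranked = sorted(processes,
                    key=lambda p: (p.mtd_hours, -p.downtime_cost_per_hour))
    return [assess(p) for p in ranked]

# Constructed sample register (values are illustrative, not from the deck).
REGISTER = [
    Process("Invoicing", 72, 36, 24, 2_000, 6, 24),
    Process("Payment processing", 4, 2, 0.25, 50_000, 1, 0.1),
    Process("Customer support data access", 24, 48, 4, 8_000, None, 24),
]

if __name__ == "__main__":
    for row in bia_report(REGISTER):
        print(row)
```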



Improve System and Process Resilience
• For the most critical processes (based
  upon ranking in the criticality analysis)
     –   Identify the biggest risks
     –   Identify cost of mitigation
     –   Can several mitigating controls be combined
     –   Do mitigating controls follow best / common
         practices




Develop Business Continuity and Disaster Recovery Plans
• For the most critical processes (based
  upon ranking in the criticality analysis)
     – Develop continuity plans and recovery plans
           •   Must meet RTO, RPO objectives
           •   Develop budget for plan development
           •   Develop budget for response and recovery effort
           •   Revise as needed




Develop Business Continuity and Disaster Recovery Plans
•   Select Recovery Team Members
•   Emergency Response
•   Damage Assessment and Salvage
•   Notification
•   Personnel safety
•   Communications
•   Public utilities and infrastructure
•   Logistics and supplies
•   Business resumption planning
•   Restoration and planning

Select Recovery Team Members
• Issues
     – Unable to respond
     – Unwilling to respond
• Selection criteria
     – Location of residence, relative to work
       and other key locations
     – Skills and experience (determines effectiveness)
     – Ability and willingness to respond
     – Own transportation

Select Recovery Team Members (cont.)
• Selection criteria (cont.)
     – Health and family (determines probability to serve)
     – Identify backups
           • Other team members, external resources




Emergency Response
• Personnel safety: includes first-aid,
  searching for personnel, etc.
• Evacuation: evacuation procedures to
  prevent any hazard to workers.
• Asset protection: includes buildings,
  vehicles, and equipment.



Emergency Response (cont.)
• Damage assessment: this could involve
  outside structural engineers to assess
  damage to buildings and equipment.
• Emergency notification: response team
  communication, and keeping
  management and organization staff
  informed.


Damage Assessment and Salvage
• Determine damage to buildings,
  equipment, utilities
     – Requires inside experts
     – Usually requires outside experts
           • Civil engineers to inspect buildings
           • Government building inspectors




Damage Assessment and Salvage (cont.)
• Salvage
     – Identify working and salvageable assets
     – Cannibalize for parts or other uses




Notification
• Many parties need to know the condition
  of the organization
     – Employees, suppliers, customers, regulators,
       authorities, shareholders, community




Notification (cont.)
• Methods of communication
     – Telephone call trees, web site, signage, media
     – Alternate means of communication must be
       identified




Personnel Safety
• The number one concern in any disaster
  response operation
     – Emergency evacuation
     – Accounting for all personnel
     – Administering first-aid




Personnel Safety (cont.)
• The number one concern in any disaster
  response operation (cont.)
     – Emergency supplies
           • Water, food, blankets, shelters
           • On-site employees could be stranded for
             several days




Communications
• Communications essential during
  emergency operations




Communications (cont.)
• Considerations
     –   Avoid common infrastructure
     –   Diversify mobile services
     –   Consider two-way radios
     –   Consider satellite phones
     –   Consider amateur radio




Public Utilities and Infrastructure
• Often interrupted during a disaster
     – Electricity: emergency generation: UPS, generator
     – Water: building could be closed if no
       water is available
     – Natural gas: heating
     – Wastewater: if disabled, building could be closed




Public Utilities and Infrastructure (cont.)
• Emergency supplies
     – Drinking water, sanitation, spare parts, waste bins




Logistics and Supplies
•   Food and drinking water
•   Blankets and sleeping cots
•   Sanitation
•   Tools




Logistics and Supplies (cont.)
•   Spare parts
•   Waste bins
•   Information
•   Communications




Business Resumption Planning
• Alternate work locations
• Alternate personnel
• Communications
     – Emergency, support of business processes
• Standby assets and equipment
• Access to procedures, business records



Restoration and Recovery
•   Repairs to facilities, equipment
•   Replacement equipment
•   Restoration of utilities
•   Resumption of business operations in
    primary business facilities




Improving System Resilience and Recovery
• From BIA two recovery targets
     – RTO and RPO
     – What will help?
• Off-site media storage
     – Assurance of data recovery
• Server clusters
     – Improved availability
     – Geographic clusters


Improving System Resilience and Recovery (cont.)
• Data replication
     – Hardware, OS, DBMS, application
     – Current data on multiple servers even in remote
       places




Training Staff
•   Everyday operations
•   Recovery procedures
•   Emergency procedures
•   Resumption procedures
                      » Learn through participation
                      » Learn through formal training




Testing Business Continuity and Disaster Recovery Plans
• Five levels of testing
     –   Document review
     –   Walkthrough
     –   Simulation
     –   Parallel test
     –   Cutover test




Document Review
• Review of recovery, operations,
  resumption plans and procedures
• Performed by individuals
• Provide feedback to document owners
• Least impact, lowest risk, least benefit




Walkthrough
• Group discussion of recovery, operations,
  resumption plans and procedures
• Performed by teams
• Brainstorming and discussion brings out
  new issues, ideas




Walkthrough (cont.)
• Provide feedback to document owners
• Low impact, lowest risk, moderate benefit




Simulation
• Walkthrough of recovery, operations,
  resumption plans and procedures in a
  scripted “case study” or “scenario”
• Performed by teams




Simulation (cont.)
• Places participants in a mental disaster
  setting that helps them discern real
  issues more easily
• Low impact, low risk, moderate benefit




Parallel Test
• Full or partial workload is applied to
  recovery systems
• Performed by teams
• Tests actual system readiness and
  accuracy of procedures




Parallel Test (cont.)
• Production systems continue to operate
  and support actual business processes
• Moderate impact, low risk, moderate
  benefit




Cutover Test
• Production systems are shut down or
  disconnected; recovery systems assume
  full actual workload
• Performed by teams




Maintaining Business Continuity and Disaster Recovery Plans
• Events that necessitate review and
  modification of DRP and BCP
  procedures:
     –   Changes in business processes and procedures
     –   Changes to IT systems and applications
     –   Changes in IT architecture
     –   Changes in service providers




Maintaining Business Continuity and Disaster Recovery Plans (cont.)
• Events (cont.):
     – Additions to IT applications
     – Changes in service providers
     – Changes in organizational structure




Summary
• Natural and man-made disasters affect
  businesses through direct damage, and
  damage to transportation and utilities
• BCP is concerned with continuation of
  processes; DRP is concerned with
  recovery of facilities



Summary (cont.)
• Benefits of BCP and DRP include
  process improvement, reduced risk,
  and market advantage




Summary (cont.)
• The components of a Business Impact
  Assessment (BIA) are:
     –   Inventory processes
     –   Perform risk and threat assessment
     –   Assign recovery targets
     –   Perform criticality assessment




Summary (cont.)
• Several key metrics are developed
  in a BIA:
     –   MTD (maximum tolerable downtime)
     –   RTO (recovery time objective)
     –   RPO (recovery point objective)
     –   Possibly others (cost of downtime, recovery)




Summary (cont.)
• The components of a DRP and
  BCP plan are:
     – Emergency response
     – Damage assessment and salvage
     – Communications




Summary (cont.)
• The components of a DRP and
  BCP plan are (cont.):
     – Personnel evacuation and safety
     – Restoration and recovery
     – Business resumption




Summary (cont.)
• The types of BCP and DRP
  plan testing are:
     –   Document review
     –   Walkthrough
     –   Simulation
     –   Parallel test
     –   Cutover test





				
DOCUMENT INFO
posted:11/4/2012
pages:79