Business Continuity Planning and Disaster Recovery Planning - PowerPoint PPT Presentation


Title: Business Continuity Planning and Disaster Recovery Planning


1
Business Continuity Planning and Disaster
Recovery Planning
  • Ref. CISSP exam guide
  • W.lilakiatsakun

2
Business Continuity Planning and Disaster
Recovery Planning (1)
  • DRP is the process of regaining access to the
    data, hardware and software necessary to resume
    critical business operations after a natural or
    human-induced disaster.
  • DRP is part of a larger process known as business
    continuity planning (BCP).
  • Disaster recovery is the process by which you
    resume business after a disruptive event.

3
Business Continuity Planning and Disaster
Recovery Planning (2)
  • The event might be
  • something huge-like an earthquake or the
    terrorist attacks on the World Trade Center
  • something small, like malfunctioning software
    caused by a computer virus.
  • Many business executives are prone to ignoring
    "disaster recovery" because disaster seems an
    unlikely event.

4
Business Continuity Planning and Disaster
Recovery Planning (3)
  • All BC/DR plans need to encompass
  • How employees will communicate
  • Where they will go
  • How they will keep doing their jobs.
  • The details can vary greatly, depending on the
    size and scope of a company and the way it does
    business.

5
Events that necessitate disaster recovery
  • Natural disasters
  • Fire
  • Power failure
  • Terrorist attacks
  • Organized or deliberate disruptions
  • Theft
  • System and/or equipment failures
  • Human error
  • Computer viruses
  • Testing

6
Business Continuity Steps (1)
  • 1 Develop the continuity planning policy
    statement
  • - Write a policy that provides the guidance
    necessary to develop a BCP and assigns authority
    to the necessary roles to carry out these tasks
  • 2 Conduct the business impact analysis (BIA)
  • - Identify critical functions and systems and
    allow the organization to prioritize them on
    necessity.
  • -Identify vulnerabilities, threats and calculate
    risks
  • - Calculate MTD (Maximum Tolerable Downtime) for
    resources

7
Business Continuity Steps (2)
  • 3 Identify preventive controls
  • Identify and implement controls and
    countermeasures to reduce the organizations risk
    level in an economical manner
  • 4 Develop recovery strategies
  • Formulate methods to ensure that systems and
    critical function can be brought online quickly

8
Business Continuity Steps (3)
  • 5 Develop the contingency plan
  • Write procedure and guidelines for how the
    organization can still stay functional in a
    cripple state
  • 6 Test the plan and conduct training and exercise
  • Test the plan to identify deficiencies in the BCP
    and conduct training to properly prepare
    individuals on their expected task
  • 7 Maintain plan
  • Put in place steps to ensure the BCP is a living
    document that is upgraded regularly

9
Initiation (1)
  • Identified a business continuity coordinator
    (leader for the BCP team)
  • Setup a BCP committee might consist of
    representative from
  • Business units
  • Senior management
  • IT department
  • Security department
  • Communications department
  • Legal department

10
Initiation (2)
  • At this phase, the team works with management to
    develop the continuity planning policy statement
  • Layout the scope of the BCP project
  • Team member roles
  • Goal of the project

11
BCP Requirement
  • The major requirement is management support
  • Work best in a top-down approach
  • Management should be driving the project
  • It is important that management set the overall
    goals of continuity planning
  • It should help set priorities of what should be
    dealt first

12
Business Impact Analysis (1)
  • The BCP committee must identify the threats to
    the company and map them to the following
    characteristics
  • Maximum tolerable downtime
  • Operational disruption and productivity
  • Financial consideration
  • Regulatory responsibilities
  • Reputation

13
Business Impact Analysis (2)
  • Data would gather from interviewing, surveying,
    workshops and etc
  • Threat can be manmade, natural or technical
  • The committee needs to step through scenarios
    that could produce the following results
  • Equipment malfunction
  • Unavailable utilities (Power, Communication)
  • Software or data corruption

14
Business Impact Analysis (3)
  • Loss criteria must applied to the individual
    threats
  • Loss in reputation and public confidence
  • Loss of competitive advantages
  • Increase in operational expenses
  • Violations of contract agreement
  • Violations of legal and regulatory requirement
  • Delays income costs
  • Loss in revenue
  • Loss in productivity

15
Business Impact Analysis (4)
  • Example of Maximum Tolerable Downtime (MTD)
  • Nonessential 30 days
  • Normal 7 days
  • Important 72 hours
  • Urgent 24 hours
  • Critical Minute to hours

16
Business Impact Analysis (5)
  • Interdependencies
  • Business function might depend on the other
    functions
  • BCP team should carried out these tasks
  • Define essential business function and support
    departments
  • Identifies interdependencies
  • Discover all possible disruption that could
    affect the mechanism
  • Identify and document potential threats
  • Gather quantitative and qualification information
    pertaining to those threat
  • Provide alternative methods for restoring
  • Provide a brief statement of rationale for each
    threat and corresponding information

17
BIA Steps (1)
  • 1 Select individuals to interview for data
    gathering
  • 2 Create data-gathering techniques (surveys,
    questionnaires, qualitative and quantitative
    approaches)
  • 3 Identify the company s critical business
    function
  • 4 Identify the resources that these functions
    depend upon

18
BIA Steps (2)
  • 5 Calculate how long these functions can survive
    without these resources
  • 6 Identify vulnerabilities and threats to these
    function
  • 7 Calculate risk for each different business
    function
  • 8 Document findings and report them to management

19
Preventive Controls
  • Reduce impact and mitigate risks
  • Example of preventive measures
  • Redundant servers and communication links
  • Power lines coming in through different
    transformers
  • UPS and generators
  • Data backup
  • Fire detection

20
Recovery strategies
  • Business process recovery
  • Facility recovery
  • Supply and technology recovery
  • User environment recovery
  • Data recovery

21
Developing the BCP (1)
  • Define goals of the plan and goals must contain
    certain key information such as
  • Responsibility
  • Each individual should have their
    responsibilities spell out in writing to ensure a
    clear understanding in a chaotic situation
  • Authority
  • In time of crisis, it is important to know who is
    in charge
  • Clear cut authority will aid in reducing
    confusion and increase corperation

22
Developing the BCP (2)
  • Priorities
  • It is necessary to know which department come
    online first which second and so on
  • Along with the priorities of department, the
    priorities of systems, information and program
    must be established
  • Implement and testing

23
Developing the BCP (3)
  • Documenting the following
  • Procedures
  • Recovery solutions
  • Roles and tasks
  • Emergency response

24
Testing plan (1)
  • Checklist test
  • Forget anything ?
  • Structured walk-through test
  • Discussion by representatives
  • Simulation test
  • Ensure that specific steps were not left out and
    certain threats were not overlooked
  • Raise awareness of people involved

25
Testing plan (2)
  • Parallel test
  • Ensure that the specific systems can actually
    perform adequately at the alternate off site
    facility
  • Full interruption test
  • Ensure that everything will be recovered as
    planned
  • It can reveal many holes that need to be fixed

26
Maintaining the plan
  • Organization can keep the plan updated by taking
    the following actions
  • Make business continuity a part of business
    decision
  • Insert the maintenance responsibilities into job
    descriptions
  • Include maintenance in personnel evaluation
  • Perform internal audits that include disaster
    recovery and continuity documentation and
    procedures
  • Perform regular drills that use the plan
  • Integrate BCP into the current change management
    process
View by Category
About This Presentation
Title:

Business Continuity Planning and Disaster Recovery Planning

Description:

Title: Business Continuity Planning and Disaster Recovery Planning Author: worapol Last modified by: worapol Created Date: 2/23/2013 6:11:51 AM Document presentation ... – PowerPoint PPT presentation

Number of Views:231
Avg rating:3.0/5.0
Slides: 27
Provided by: wora152
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Business Continuity Planning and Disaster Recovery Planning


1
Business Continuity Planning and Disaster
Recovery Planning
  • Ref. CISSP exam guide
  • W.lilakiatsakun

2
Business Continuity Planning and Disaster
Recovery Planning (1)
  • DRP is the process of regaining access to the
    data, hardware and software necessary to resume
    critical business operations after a natural or
    human-induced disaster.
  • DRP is part of a larger process known as business
    continuity planning (BCP).
  • Disaster recovery is the process by which you
    resume business after a disruptive event.

3
Business Continuity Planning and Disaster
Recovery Planning (2)
  • The event might be
  • something huge-like an earthquake or the
    terrorist attacks on the World Trade Center
  • something small, like malfunctioning software
    caused by a computer virus.
  • Many business executives are prone to ignoring
    "disaster recovery" because disaster seems an
    unlikely event.

4
Business Continuity Planning and Disaster
Recovery Planning (3)
  • All BC/DR plans need to encompass
  • How employees will communicate
  • Where they will go
  • How they will keep doing their jobs.
  • The details can vary greatly, depending on the
    size and scope of a company and the way it does
    business.

5
Events that necessitate disaster recovery
  • Natural disasters
  • Fire
  • Power failure
  • Terrorist attacks
  • Organized or deliberate disruptions
  • Theft
  • System and/or equipment failures
  • Human error
  • Computer viruses
  • Testing

6
Business Continuity Steps (1)
  • 1 Develop the continuity planning policy
    statement
  • - Write a policy that provides the guidance
    necessary to develop a BCP and assigns authority
    to the necessary roles to carry out these tasks
  • 2 Conduct the business impact analysis (BIA)
  • - Identify critical functions and systems and
    allow the organization to prioritize them on
    necessity.
  • -Identify vulnerabilities, threats and calculate
    risks
  • - Calculate MTD (Maximum Tolerable Downtime) for
    resources

7
Business Continuity Steps (2)
  • 3 Identify preventive controls
  • Identify and implement controls and
    countermeasures to reduce the organizations risk
    level in an economical manner
  • 4 Develop recovery strategies
  • Formulate methods to ensure that systems and
    critical function can be brought online quickly

8
Business Continuity Steps (3)
  • 5 Develop the contingency plan
  • Write procedure and guidelines for how the
    organization can still stay functional in a
    cripple state
  • 6 Test the plan and conduct training and exercise
  • Test the plan to identify deficiencies in the BCP
    and conduct training to properly prepare
    individuals on their expected task
  • 7 Maintain plan
  • Put in place steps to ensure the BCP is a living
    document that is upgraded regularly

9
Initiation (1)
  • Identified a business continuity coordinator
    (leader for the BCP team)
  • Setup a BCP committee might consist of
    representative from
  • Business units
  • Senior management
  • IT department
  • Security department
  • Communications department
  • Legal department

10
Initiation (2)
  • At this phase, the team works with management to
    develop the continuity planning policy statement
  • Layout the scope of the BCP project
  • Team member roles
  • Goal of the project

11
BCP Requirement
  • The major requirement is management support
  • Work best in a top-down approach
  • Management should be driving the project
  • It is important that management set the overall
    goals of continuity planning
  • It should help set priorities of what should be
    dealt first

12
Business Impact Analysis (1)
  • The BCP committee must identify the threats to
    the company and map them to the following
    characteristics
  • Maximum tolerable downtime
  • Operational disruption and productivity
  • Financial consideration
  • Regulatory responsibilities
  • Reputation

13
Business Impact Analysis (2)
  • Data would gather from interviewing, surveying,
    workshops and etc
  • Threat can be manmade, natural or technical
  • The committee needs to step through scenarios
    that could produce the following results
  • Equipment malfunction
  • Unavailable utilities (Power, Communication)
  • Software or data corruption

14
Business Impact Analysis (3)
  • Loss criteria must applied to the individual
    threats
  • Loss in reputation and public confidence
  • Loss of competitive advantages
  • Increase in operational expenses
  • Violations of contract agreement
  • Violations of legal and regulatory requirement
  • Delays income costs
  • Loss in revenue
  • Loss in productivity

15
Business Impact Analysis (4)
  • Example of Maximum Tolerable Downtime (MTD)
  • Nonessential 30 days
  • Normal 7 days
  • Important 72 hours
  • Urgent 24 hours
  • Critical Minute to hours

16
Business Impact Analysis (5)
  • Interdependencies
  • Business function might depend on the other
    functions
  • BCP team should carried out these tasks
  • Define essential business function and support
    departments
  • Identifies interdependencies
  • Discover all possible disruption that could
    affect the mechanism
  • Identify and document potential threats
  • Gather quantitative and qualification information
    pertaining to those threat
  • Provide alternative methods for restoring
  • Provide a brief statement of rationale for each
    threat and corresponding information

17
BIA Steps (1)
  • 1 Select individuals to interview for data
    gathering
  • 2 Create data-gathering techniques (surveys,
    questionnaires, qualitative and quantitative
    approaches)
  • 3 Identify the company s critical business
    function
  • 4 Identify the resources that these functions
    depend upon

18
BIA Steps (2)
  • 5 Calculate how long these functions can survive
    without these resources
  • 6 Identify vulnerabilities and threats to these
    function
  • 7 Calculate risk for each different business
    function
  • 8 Document findings and report them to management

19
Preventive Controls
  • Reduce impact and mitigate risks
  • Example of preventive measures
  • Redundant servers and communication links
  • Power lines coming in through different
    transformers
  • UPS and generators
  • Data backup
  • Fire detection

20
Recovery strategies
  • Business process recovery
  • Facility recovery
  • Supply and technology recovery
  • User environment recovery
  • Data recovery

21
Developing the BCP (1)
  • Define goals of the plan and goals must contain
    certain key information such as
  • Responsibility
  • Each individual should have their
    responsibilities spell out in writing to ensure a
    clear understanding in a chaotic situation
  • Authority
  • In time of crisis, it is important to know who is
    in charge
  • Clear cut authority will aid in reducing
    confusion and increase corperation

22
Developing the BCP (2)
  • Priorities
  • It is necessary to know which department come
    online first which second and so on
  • Along with the priorities of department, the
    priorities of systems, information and program
    must be established
  • Implement and testing

23
Developing the BCP (3)
  • Documenting the following
  • Procedures
  • Recovery solutions
  • Roles and tasks
  • Emergency response

24
Testing plan (1)
  • Checklist test
  • Forget anything ?
  • Structured walk-through test
  • Discussion by representatives
  • Simulation test
  • Ensure that specific steps were not left out and
    certain threats were not overlooked
  • Raise awareness of people involved

25
Testing plan (2)
  • Parallel test
  • Ensure that the specific systems can actually
    perform adequately at the alternate off site
    facility
  • Full interruption test
  • Ensure that everything will be recovered as
    planned
  • It can reveal many holes that need to be fixed

26
Maintaining the plan
  • Organization can keep the plan updated by taking
    the following actions
  • Make business continuity a part of business
    decision
  • Insert the maintenance responsibilities into job
    descriptions
  • Include maintenance in personnel evaluation
  • Perform internal audits that include disaster
    recovery and continuity documentation and
    procedures
  • Perform regular drills that use the plan
  • Integrate BCP into the current change management
    process
About PowerShow.com