Disaster Recovery Plan - PowerPoint PPT Presentation

About This Presentation
Title:

Disaster Recovery Plan

Description:

Business Impact Analysis Stages BCP/DRP Develop contingency planning policy Conduct business impact analysis (BIA) Identify preventive controls Develop recovery ... – PowerPoint PPT presentation

Slides: 205
Provided by: Nare79
Learn more at: http://www.casansaar.com
Transcript and Presenter's Notes

Title: Disaster Recovery Plan


1
Business Continuity
2
Business Impact Analysis
3
Stages BCP/DRP
  • Develop contingency planning policy
  • Conduct business impact analysis (BIA)
  • Identify preventive controls
  • Develop recovery strategies
  • Develop contingency plan
  • Test the plan and train personnel
  • Maintain the plan

4
[Diagram: relationships among Threats, Vulnerabilities, Assets, Risks, Controls, Security Arrangements, and Asset Value / Potential Impact on Business. Edge labels: Exploit, Expose, Increase, Protect Against, Reduce, Indicate, Have, Met By]
5
Risk Analysis
  • A prerequisite to a complete and meaningful DRP
    program
  • It is an assessment of threats to assets
  • Determination of the protection required to
    safeguard the assets

6
Risk Assessment Process
  • Identification of assets
  • Identifying threats to these assets and assessing
    their likelihood
  • Identifying vulnerabilities and assessing how
    easily they might be exploited
  • Correlate threats to assets
  • Ranking of risks
  • Identifying the protection provided by the
    controls in place

7
Risk Management
  • The process of identifying, controlling and
    minimizing or eliminating risks that may affect
    information systems for acceptable cost

8
Risk Management - Direction
  • Reducing the risk
  • Avoiding the risk
  • Transferring the risk
  • Accepting the risk

9
Degree of Assurance Required
  • It is not possible to achieve total security
  • There will always be a residual risk
  • What degree of residual risk is acceptable to the
    organization?

10
Risk Management
  • Defining an acceptable level of residual risk
  • Constantly reviewing threats and vulnerabilities
  • Reviewing of existing controls
  • Applying additional controls
  • Introducing policy and procedures

11
What are Assets?
  • An asset is something to which an organization
    directly assigns value and hence for which the
    organization requires protection

12
Examples of Asset
  • Information
      • data files
      • user manuals etc.
  • Software
      • application and system software etc.
  • Services
      • communications
      • technical etc.
  • Company image and reputation

13
Examples of Asset
  • Documents
      • contracts
      • guidelines etc.
  • Hardware
      • computer
      • magnetic media etc.
  • People
      • personnel
      • customers etc.

14
Assets
Physical
Logical
  • Data
  • Information
  • Software
  • Documentation
  • People
  • Hardware
  • Facilities
  • Documentation
  • Supplies

15
Some Assets
  • physical assets
  • personnel assets
  • intellectual property
  • trade secrets
  • corporate information
  • financial information
  • market research
  • strategic planning
  • customer lists
  • vendor lists
  • contact lists
  • information systems
  • R&D information
  • communications
  • meetings
  • future directions

16
Assets Valuation
  • Would depend on
  • Business impact on loss of asset
  • Period of time for which asset is unavailable
  • Valuation of the competitor
  • Value of information rather than replacement of
    hardware

17
What is a Risk?
  • The potential that a given threat will exploit
    vulnerabilities of an asset or group of assets to
    cause loss or damage to assets

18
Ranking of Risks
  • Protection of asset should be on the basis of
    their criticality
  • How long can I continue without my asset
  • What is the loss to business if asset is not
    there
  • Can I continue operations otherwise

19
Outage Impact Allowable Outage Times
20
System Ranking
  • Critical
      • Only automated
      • Low tolerance to interruption
      • High cost of interruption
  • Vital
      • Level of tolerance is high
      • Can be operated manually for limited period
      • Cost of interruption is low

21
System Ranking
  • Sensitive
      • Can be performed manually for an extended time period
      • Additional resources required
  • Non Critical
      • Can remain inoperative
      • Data is not restored

22
Formulae for Comparing Risks
23
Threat
  • A declaration of the intent to inflict harm, pain
    or misery
  • Potential to cause an unwanted incident, which
    may result in harm to a system or organization
    and its assets
  • Intentional or accidental, man-made or an act of
    God
  • Assets are subject to many kinds of threats, which
    exploit vulnerabilities

24
Types of Threat
  • Man made Threats
  • Errors
  • Sabotage
  • Bombs
  • Strikes
  • Terrorist Attack
  • Competitors

25
Type of Threats
  • Man made Threats
  • Disgruntled employees
  • Ex-employees
  • Hackers
  • Cracker
  • Fire

26
Type of Threats
  • Natural Threats
  • Floods
  • Hurricanes
  • Tornadoes
  • Earthquakes
  • Fire
  • Lightning

27
Type of Threats
  • Technological
  • Deliberate threats
  • Accidental threats
  • Threat frequency

28
Threat Likelihood
  • Low
      • Less likely to occur
  • Medium
      • Some history of occurrence
  • High
      • Good possibility of occurrence

29
Impact of Threat
  • Loss of money
  • Loss of reputation or goodwill
  • Opportunities missed
  • Litigation
  • Threat on personnel
  • Break-ins or Hacks
  • Lost confidence
  • Business interruption
  • Reduced efficiency

30
Vulnerability
  • A vulnerability is a weakness/hole in an
    organization's information security
  • A vulnerability in itself does not cause harm
  • It is merely a condition or set of conditions
    that may allow a threat to affect an asset
  • A vulnerability if not managed, will allow a
    threat to materialize

31
Vulnerabilities
  • Absence of key personnel
  • Unstable power grid
  • Unprotected cabling lines
  • Lack of security awareness
  • Wrong allocation of password rights
  • Insufficient security training
  • No firewall installed
  • Unlocked door
  • Password same as userid
  • Poor choice of password
  • New technology

32
Controls
  • Controls are applied to
  • mitigate risk
  • bring to acceptable level
  • accept the risk
  • Controls should be cost effective

33
Control Selection
  • Which Control?

34
Control Selection
  • Risk
  • Degree of assurance required
  • Cost
  • Ease of Implementation
  • Servicing
  • Legal and regulatory requirements
  • Customer and other contractual requirements

35
Control Selection - Cost
  • Budget limitations
  • Does the cost of applying the control outweigh
    the value of the asset
  • May have to select Best Value range of controls

36
Control - Ease of Implementation
  • Does environment support control
  • How long will the control take to implement
  • Is the control readily available

37
Control - Servicing
  • Are skills available to manage controls
  • Are upgrades readily available
  • Is equipment supported by local engineers or
    suppliers

38
Controls
  • The policies, practices and organizational
    structures designed to provide reasonable
    assurance that business objectives will be
    achieved and that undesired events will be
    prevented or detected and corrected

39
Power Outage Mitigation
  • Provide one hour of uninterrupted power on all
    servers used internally
  • Provide eight hours of uninterrupted power on all
    web server and support hardware
  • Replace desktop systems with laptops where
    possible
  • Alternate power supply
  • DG Set
  • UPS/voltage regulators

40
Fire Damage
  • Automatic and manual fire alarms at strategic
    locations
  • Fire extinguishers at strategic locations
  • Halon or CO2 or water?
  • Automatic fire sprinkler system
  • Control panels
  • Automatic fire proof doors
  • Master switches both inside and outside IS
    facility
  • Wiring in closets

41
Water Damage
  • IS facility should not be on the ground floor
  • Water proof ceilings, walls and floors
  • Drainage systems
  • Water alarms
  • Dry pipe sprinkler system
  • Cover hardware with protective fabric

42
Controls of the Last Resort (Insurance)
  • IS equipment and facility
  • Media reconstruction (Software)
  • Extra expense
  • Business interruption
  • Valuable papers and Records
  • Errors and omissions
  • Fidelity coverage
  • Media transportation
  • Extra Equipment Coverage
  • Specialized Equipment Coverage
  • Civil Authority

43
What is a contingency?
  • An event with a potential to disrupt computer
    operations, critical missions and business
    functions
  • Reasons
  • Power outage
  • Hardware failure
  • Fire
  • Storms

44
What is a Disaster?
  • A contingency event which is very destructive
  • Disasters result from threats

45
Phases of Disaster
  • Crisis Phase
  • Emergency Response Phase
  • Recovery Phase
  • Restoration Phase

46
Disasters
  • New York WTC collapse
  • Gujarat earthquake
  • Power Outage knocks out a data server
  • Sprinkler system leaks
  • Chemical spills from a tanker

47
Nasdaq Story 11 Sept, 01
  • 1 Liberty Plaza, headquarters of Nasdaq, is across
    the street from WTC
  • CIO Gregor Bailar provides an inside look at how
    Nasdaq got back up and running after the Sept. 11
    tragedy
  • What was happening at 1 Liberty?
  • They began evacuating after the first plane hit.
    Our security guards on their own accord evacuated
    our floor at least, so most of our people were on
    the ground when the second plane hit

48
Nasdaq Story 11 Sept, 01
  • Halting the market wasn't a step you could take
    lightly
  • "Yes, halt the market."

49
Nasdaq Story 11 Sept, 01
  • How did the command center operate?
  • The first thing we had to understand was our
    personnel situation
  • Then we broadened the investigation to learn who
    was affected among our traders
  • Then we had to understand the situation from a
    physical perspective

50
Nasdaq Story 11 Sept, 01
  • How did the command center operate?
  • Did we lose a building?
  • Did we lose a data center?
  • Did we lose connectivity?
  • What have we got in the way of physical damage
    that's going to take a long time to restore?

51
Nasdaq Story 11 Sept, 01
  • How did the command center operate?
  • Next we needed to know the regulatory situation
  • Are people trading today?
  • What's the landscape of the trading industry?
  • It was literally in that order

52
Nasdaq Story 11 Sept, 01
  • Some of your traders were in trouble, but
    Nasdaq's systems were all up?
  • Nasdaq is highly redundant
  • We have servers in different buildings
  • Every single one of our traders is connected to
    two different Nasdaq points of presence or
    connection centers

53
Nasdaq Story 11 Sept, 01
  • Some of your traders were in trouble, but
    Nasdaq's systems were all up?
  • There are four connection centers alone in
    downtown Manhattan
  • 20 connection centers around the United States
  • Every single server connects to two of those
    centers through two different paths, and often
    through two different vendors

54
Nasdaq Story 11 Sept, 01
  • How did you prepare for Monday?
  • We started industrywide testing on Saturday at 7
    or 8 in the morning, and by 11:30 that morning,
    we had achieved 98 percent of the volume. And
    then on Sunday we did a half-day of retesting
    with people who wanted to add a little more
    volume capability.

55
Nasdaq Story 11 Sept, 01
  • What did Nasdaq lose over the downtime and what
    did it cost to get back up?
  • We have interruption insurance, so we hope to
    recover most of it, but it's in the millions, and
    it could crest tens of millions

56
Nasdaq Story 11 Sept, 01
  • What were the Disaster recovery lessons for
    Nasdaq?
  • We learned that distributed systems are really
    good. You have to think about how your business
    has concentrated people or operational centers in
    certain places. You've got to consider if it's
    the wisest distribution. We feel we were lucky
    having some folks in Connecticut and some in
    Maryland. Even if we had lost some of our senior
    management at 1 Liberty Plaza, we would have
    still had a senior team

57
Nasdaq Story 11 Sept, 01
  • After living through this, what would you advise
    other CIOs to consider?
  • This was a true test of people's backup
    strategies
  • Did you ever test your backup strategy?
  • Have you worked out of your backup center?

58
Nasdaq Story 11 Sept, 01
  • After living through this, what would you advise
    other CIOs to consider?
  • Do you know how to get people there?
  • Do you know the critical phone numbers?
  • A lot of people don't have phone numbers as part
    of their continuity of business plan

59
Nasdaq Story 11 Sept, 01
  • After living through this, what would you advise
    other CIOs to consider?
  • I think people will have to look very carefully
    at their backup strategies and see whether they
    can communicate with everybody easily, whether
    the phone numbers are not stored in that same

60
Nasdaq Story 11 Sept, 01
  • After living through this, what would you advise
    other CIOs to consider?
  • building that could experience the Disaster, and
    whether they've got hot backups
  • Hot backups are going to be much more popular
    than they have been in the past

61
Yellow line shows normal traffic
62
How did AT&T Control
  • 141 video display screens show the status of all
    the networks
  • Network managers put controls on the network to
    slow down the flow of inbound calls
  • Keep circuits available for outbound calling
  • As a result, the AT&T long distance network
    carried a record 431 million call attempts on
    Sept. 11, 101 million more than the previous
    high-traffic day

63
Business Continuity Plan
  • The BCP focuses on sustaining an organization's
    business functions during and after a disruption

64
Disaster Recovery Plan
  • The DRP applies to major, usually catastrophic,
    events that deny access to the normal facility
    for an extended period

65
Type of Plans
  • Business Recovery Plan
      • Addresses restoration of business processes but
        lacks procedures
  • Continuity Of Operations Plan
      • Addresses restoring H.Q. level issues at an
        alternate site

66
Type of Plans
  • Crisis Communication Plan
      • A plan responsible for public communications
  • IT Contingency Plan
      • Plan for each major application
  • Occupant Emergency Plan
      • Response procedures for occupants
  • Test plan
      • Identifies deficiency in different plans

67
Cyber Incident Response Plan
  • The IRP defines strategies to detect, respond to
    and limit the consequences of malicious cyber incidents

68
Category of Disaster
  • Minor disruption
  • Serious disruption
  • Major disruption
  • Catastrophic disruption

69
Category of Disaster
  • Minor disruption
  • No damage or loss
  • Temporary power failure or fluctuation
  • Communication failure
  • Unavailability of non critical personnel

70
Category of Disaster
  • Serious disruption
  • Repairable damage to equipment, office area,
    data, records, software
  • Equipment breakdown
  • Failure of AC
  • Human error

71
Category of Disaster
  • Major disruption
  • Destruction of equipment, office area, data
  • Complete loss of equipment
  • Structural mishap
  • Malicious loss of data

72
Category of Disaster
  • Catastrophic Disaster
  • Total loss of office area, data or people due to
    natural Disaster like fire, flood etc.
  • Complete destruction of personnel
  • Complete destruction of facilities

73
What is a Disaster Recovery Plan?
  • A plan that provides a vital pre-planned framework
  • for initiating recovery operations
  • provides guidance for damage assessment
  • planned actions to resume critical IS and
    functional activities
  • restore full business operations
  • minimum delay and disruption

74
Coping with Emergencies
  • Idea of DRP is to think before actual happenings
  • How likely is the happening
  • What can be done on happening
  • What can be done to lessen their likelihood
  • What can be done to prepare for these events

75
DRP - Key Issues
  • How to develop the plan
  • How to test the plan
  • How to maintain
  • How to keep continuity of operations

76
DRP Overview
  • A total plan for all departments integrated
    together
  • Must be written, tested and documented
  • Clear assignment of responsibilities to employees
  • It should address
  • main frame computer
  • mini computer
  • micro computer

77
DRP Overview
  • It should address...
  • networks
  • automated operations
  • semi automated operations
  • manual operation

78
Why Disaster Recovery Plan
  • To respond to Disasters of any type
  • To curtail revenue loss
  • To avoid loss of critical data
  • To maintain competitive edge
  • To maintain employee productivity

79
DRP - Phases
  • Identifying threats and vulnerabilities
  • Developing the contingency plan
  • Conducting tasks and drills
  • Updating and maintaining the plan

80
Ranking of Objectives of DRP
  • Protection of the organization's employees and public
  • Minimizing the financial impact
  • Limiting extent of damage
  • Reducing physical damage

81
Planning Responsibilities
  • Prime responsibility for developing, maintaining,
    executing contingency plan is with senior
    management
  • Recommended approach to planning is by teams

82
BCP Techniques
  • DRP Plan
  • Top down approach

83
BCP Techniques - DRP Plan
  • Top down approach - it involves
  • Senior management
  • Line management
  • IS management
  • System auditors
  • End user

84
BCP Techniques - DRP Plan Steps
  • Conduct impact analysis
  • Plan design
  • Plan development
  • Plan Implementation
  • Plan testing
  • Plan Maintenance

85
BCP Techniques
  • Ongoing maintenance
  • Combination of top down and bottom up approach

86
BCP Techniques
  • Why do we require plan?
  • Responsibility to
  • shareholders
  • customers
  • suppliers
  • employees
  • legal

87
BCP Techniques
  • What can go wrong in a planning process?
  • Technical aspects
  • Back-up employees
  • Functional user operations
  • Selection of DRP team

88
BCP Techniques
  • Application System
  • Prioritization
  • Critical application systems
  • Prioritize item
  • Conduct impact analysis
  • Prioritization to be based on importance to the
    organization and not to individual

89
BCP Techniques
  • What can go wrong in system prioritization?
  • Majority of the system may not be critical
  • Most business user claim their system qualify as
    critical

90
BCP Techniques
  • Planning Committee
  • Responsible for developing DRP
  • Knowledgeable members
  • Specific assignments

91
BCP Techniques
  • Planning Committee Members
  • Knowledgeable members
  • Project leaders
  • Well versed with IS requirements
  • From security, fire, operations, production
    control, legal, audit, users, tele-communication,
    network, system and application programming

92
BCP Techniques
  • Recovery Capability Assessment
  • Current security
  • Disaster recovery capabilities
  • Weaknesses
  • Analysis
  • Recommend prioritized actions

93
BCP Techniques
  • Plan Development Alternatives
  • In-house
  • Ready made software package
  • Hire consultants
  • Combination of the above

94
BCP Techniques
  • Plan requirement analysis
  • Hardware
  • System software
  • Personnel
  • Telecommunications
  • Backup data file
  • Vendor support availability
  • Security

95
BCP Techniques
  • Plan requirement analysis
  • Office equipment
  • Logistics
  • Storage
  • Funding
  • Purchase orders

96
BCP Techniques
  • Planning document contents
  • Purpose and scope
  • Testing and Recovery procedures
  • Vendors with address and tele nos.
  • Location of contingency plan
  • Procedure for post recovery
  • Emergency recovery team members with
    responsibility
  • Phone list for fire, police, hardware, software,
    major suppliers and customers

97
BCP Techniques
  • Planning document contents
  • Contact person with address at backup location
  • Description and configuration of hardware and
    software
  • Backup contractual agreements
  • Application system job priorities
  • Logistics
  • Insurance carrier phone nos.

98
Contingency Planning Process - Steps
  • Identifying the critical functions
  • Identifying the resources supporting critical
    functions
  • Anticipating potential contingencies or Disasters
  • Selecting contingency planning strategy
  • Emergency response
  • Recovery
  • Resumption

99
Contingency Planning Process - Steps
  • Implementing the contingency strategy
  • Implementation
  • Documenting
  • Training
  • Testing and revising the strategy

100
Disaster Recovery Teams
  • Emergency action team
  • Disaster assessment team
  • Recovery management team
  • Public Relations team
  • Off-site storage team
  • Software team
  • Application team
  • Security team
  • Communication team
  • Transportation team
  • Facilities team
  • Administration team
  • Operation team
  • Procurement team
  • Salvage team
  • Staff Coordination team

101
Activating the Plan
  • Recognize an emergency
  • Contact the proper authority
  • Specific nature of the emergency
  • Time of the emergency
  • Location of the emergency
  • Extent of damage or status of the emergency
  • Danger or injuries to people
  • Cause of the emergency

102
Activating the Plan
  • Activate the plan
  • Gather the response team
  • Brief the response team
  • Activate emergency command center
  • Communications equipment
  • Personal protective equipment (First Aid Kits)
  • Records and information needed to respond
  • Reference manuals, including maps

103
Activating the Plan
  • Activate emergency command center
  • Emergency communication directory
  • Back-up power supply, including fuel
  • Office supplies, including computers with
    internet access
  • AM/FM radios, cable television
  • Food, water, and other personal supplies to last
    several days
  • Message boards, overhead projectors and other
    presentation materials and equipment

104
Activation of the Plan
  • Maintain communication
  • Initiate recovery activities
  • Assemble a damage assessment team
  • Gather initial damage estimates
  • Facility structural damage
  • Damage to products, materials, or supplies,
    including records and information
  • Damage to vehicles or equipment
  • Damage to property

105
Activation of the Plan
  • Gather initial damage estimates
  • Personal injuries
  • Costs to recover (materials and supplies)
  • Costs to recover (repairs and maintenance)
  • Costs to recover (labor)
  • Loss of revenue
  • Compile information into a report
  • Initial Damage Assessment Report

106
Initial Damage Assessment Report
  • Facility Damaged
  • Location (Attach map with clearly marked location and
    travel route to site, if needed)
  • Describe Damage or Injuries
  • List Work Needed to Repair Sites
  • List Work that has been completed (Attach activity
    report if any work has been completed)
  • Estimated Cost (Develop a detailed breakdown of
    personnel, equipment, and materials for complete damage
    assessment; include estimate of any loss of revenue)
  • Notes/Comments
  • Damage Report Completed By
  • Dated
107
Activation of the Plan
  • Train the damage assessment team
  • Initiate security activities
  • Issuing identification badges to employees and
    other authorized personnel
  • Locking doors if personnel cannot monitor the
    facility during an emergency
  • Installing signs designating secured or
    restricted area
  • Placing a sign-in sheet at the command center and
    logging time in/out
  • Creating a list of authorized personnel and
    monitoring it

108
Activation of the Plan
  • Initiate security activities
  • Ensuring that personnel know who is authorized
    to make decisions
  • Maintaining supplies to board up windows quickly
  • Securing cash operations immediately
  • Asking for police assistance
  • Asking a neighbor to help monitor security
  • Notify recovery site
  • Notify impacted staff
  • File insurance claims
  • Primary site procedures
  • Return to normal operations
  • Post recovery analysis
  • Activate Contingency Arrangements

109
Develop Recovery Priorities
110
Recovery Alternative Centralized Systems
  • Hot Site
  • Warm Site
  • Cold Site
  • Mobile Site
  • Mirrored Site
  • Duplicate Information Processing Facility
  • Reciprocal Agreement
  • Commercial Service Bureaux

111
Recovery Alternatives
  • Hot Site
  • Fully configured
  • Ready for operations
  • Intended for emergency operations
  • Use for limited time operations
  • Most expensive

112
Recovery Alternatives
  • Warm Site
  • Partially configured
  • Without CPU
  • Less expensive than hot site

113
Recovery Alternatives
  • Cold Site
  • Only basic environment
  • Activation takes several weeks
  • Least expensive

114
Recovery Alternatives
  • Mobile Site
  • Empty shell facilities
  • Transportable
  • Available on lease through vendors

115
Recovery Alternatives
  • Mirrored Site
  • Fully redundant
  • Real time information mirroring
  • Identical to primary site
  • Most expensive to maintain

116
Recovery Alternatives
  • Duplicate Information Processing Facilities
  • Dedicated self developed recovery sites
  • Backup of critical applications
  • Site chosen to be away from primary site
  • Resource availability to be assured
  • Regular testing

117
Recovery Alternatives
  • Reciprocal agreements
  • agreements between organizations with similar
    equipment or applications
  • low cost
  • configuration compatibility

118
Service Bureaus/ASPs
  • Emergency processing services
  • Application specific

119
Alternate Site Selection Criteria
120
Telecommunication Network Backup
  • Redundancy
      • Surplus capacity created for extra load/failure
  • Alternative Routing
      • Routing by means of alternate medium
  • Diverse Routing
      • Split or duplicate cable sheet

121
Telecommunication Network Backup
  • Last mile circuit protection
  • Local communication loops
  • Long haul network diversity
  • T1 circuits between network carriers for
    automatic re-routing in case of failures
  • Voice Recovery

122
Data Recovery Plan
  • Critical
  • Vital
  • Sensitive
  • Non Critical

123
Backup Techniques
  • Full Backup
  • Incremental Backup
  • Differential Backup

124
Backup Methods
  • Floppy Diskettes
  • Compact Disk
  • Replication
  • Internet Backup

125
Backup Methods
  • Removable Cartridges
  • Tape Drives
  • Networked Disk
  • Remote Mirroring

126
Answer the following
  • Where will media be stored?
  • What data should be backed up?
  • How frequent are backups conducted?
  • How quickly can the backups be retrieved in the
    event of an emergency?
  • Who is authorized to retrieve the media?
  • How long will it take to retrieve the media?
  • Where will the media be delivered?

127
Answer the following
  • Who will restore the data from the media?
  • What is the tape-labeling scheme?
  • How long will the backup media be retained?
  • When the media are stored onsite, what
    environmental controls are provided to preserve
    the media?
  • What types of tape readers are used at the
    alternate site?

128
Backup Media Library
  • It should contain
  • Backup of tapes, disks, master and transaction
    files
  • Backup copies of current application software
  • Up-to-date copy of contingency plan
  • Up-to-date operation manuals, system and program
    documentation
  • Each facility must have backup media library

129
Backup Media Library
  • Should be at some distance from main facility
  • Subject to physical and environmental control

130
Backup Procedures
  • What can go wrong
  • May contain only magnetic or electronic record
    not paper record
  • Access not available at all time
  • Critical data may not be stored

131
Backup Procedures
  • Determining Backup Priorities
  • Postpone less urgent task
  • Identify in advance critical function
  • Eliminate or postpone non-urgent portion of
    record keeping

132
Plan Testing
  • Scope
  • Time-frame
  • Teams
  • Objectives
  • Methodology
  • Conduct
  • Evaluation
  • Weaknesses
  • Improvement
  • Revision

133
Phases of Testing
  • Pre test
  • Test
  • Post Test

134
Type of Tests
  • Checklist test
  • Structured walk through test
  • Simulation test
  • Parallel test
  • Full interruption test

135
Result Analysis
  • Time
  • Amount
  • Count
  • Accuracy

136
Test Examples
  • Contact every level of call tree successfully
    within 1 hour
  • Restore critical system off-site within 48 hours
  • Evacuate building in 15 minutes
  • Contact key vendors within 1 hour
  • Fire drills carried selectively
  • Check jockey pump pressure
  • Notify participants in advance

137
Awareness and Training
  • Walkthrough Session
  • Scenario Workshop
  • Simulation of a Live Test

138
BCP Maintenance
  • Strategy as per changing need of the business
  • New applications documented
  • Change in critical applications
  • Change in hardware or software environment
  • Plan maintenance methods

139
BCP Maintenance
  • Schedule for periodic review and maintenance
  • Review of revisions
  • Conducting scheduled and unscheduled tasks
  • Training recovery personnel
  • Maintaining rounds
  • Updating personnel changes

140
Record of Change
141
Law And Standards
142
HIPAA
  • Documented Practices for data protection and
    continuity of operations for health care industry

143
GBL And The Expedited Funds Availability Act
  • Standards for safeguarding security,
    confidentiality of customer records

144
Sarbanes-Oxley Act
  • An Act for protecting investors by improving
    reliability of corporate disclosures and
    internal control

145
GASSP
  • Principles supporting the Generally Accepted
    Accounting Principles and similar models

146
Information Technology Infrastructure Library
  • A collection of best practices in IT service
    management

147
Basel Committee On e-Banking
  • Principles for effective capacity, business
    continuity and contingency planning of e-banking
    systems and services

148
Basel II Capital Accord
  • Encourage financial firms to be more proactive
    and forward looking in financial activities

149
SAS 70
  • Internationally recognized auditing standard for
    service organization

150
COBIT
  • A framework resulting in control objectives
    considered to be good or best practices

151
Strategies For Networked Systems
152
Strategies
  • Eliminating single points of failure
  • Redundant Cabling and Devices
  • Remote Access
  • Wireless LANs

153
Strategies For Fault Tolerant Implementation
154
RAID
  • A system which uses multiple hard drives
    to share or replicate data among the drives
  • A system that combines multiple hard drives into
    a single logical unit

155
RAID
  • BENEFITS
  • Higher data security
  • Fault tolerance
  • Improved availability
  • Increased, Integrated capacity
  • Improved performance

156
RAID
  • Data redundancy techniques
  • Mirroring
  • Parity
  • Striping

157
RAID
  • MIRRORING
  • Data in the system is written simultaneously to
    two hard disks instead of one

158
RAID
MIRRORING
159
RAID
MIRRORING
  • Advantages
  • Data redundancy
  • Fast recovery
  • Disadvantages
  • Expensive

160
RAID
Duplexing
  • Data in the system is written simultaneously to
    two hard disks with separate controllers

161
RAID
Disk Duplexing
162
RAID
  • STRIPING
  • A data element is broken into multiple pieces at
    byte level or in blocks

163
RAID
STRIPING
164
RAID
PARITY
  • It involves the use of parity information, which
    is redundancy information calculated from the
    actual data values

165
RAID LEVELS
  • RAID-0
  • Technique: striping without parity
  • Files broken into stripes
  • No redundancy
  • Storage efficiency: 100% if drives identical
  • Minimum of 2 hard disks required
  • Fault tolerance: none
  • Cost: lowest of all RAID levels
  • Recommended uses: non-critical data

166
RAID-0
  • This illustration shows how files of different
    sizes are distributed between the drives on a
    four-disk, 16 kiB stripe size RAID 0 array. The
    red file is 4 kiB in size, the blue is 20 kiB,
    the green is 100 kiB and the magenta is 500 kiB.

167
RAID LEVELS
  • RAID-1
  • Technique: mirroring
  • Exactly 2 hard disks
  • Fault tolerance: very good
  • Storage efficiency: 50% if drives identical
  • Cost: relatively high
  • Recommended uses: applications requiring high
    fault tolerance, e.g. accounting and other
    financial data

168
RAID-1
  • Illustration of a pair of mirrored hard disks,
    showing how the files are duplicated on both
    drives.

169
RAID LEVELS
  • RAID-2
  • Technique used: bit-level striping with ECC
  • Hard disk requirements: 10 data disks, 4 ECC
    disks
  • Random read performance: fair
  • Random write performance: poor
  • Fault tolerance: only fair
  • Cost: very expensive
  • Recommended use: not used in modern systems

170
RAID LEVELS
  • RAID-3
  • Technique: byte-level striping with dedicated
    parity
  • Minimum 3 hard disks
  • Random read performance: good
  • Random write performance: poor
  • Array capacity: size of smallest drive × (no. of
    drives - 1)
  • Fault tolerance: good
  • Cost: moderate
  • Recommended uses: applications working with large
    files that require high transfer performance

171
RAID-3
  • This illustration shows how files of different
    sizes are distributed between the drives on a
    four-disk, byte-striped RAID 3 array. The red
    file is 4 kiB in size, the blue is 20 kiB, the
    green is 100 kiB and the magenta is 500 kiB.
    Notice that the files are evenly spread between
    three drives, with the fourth containing parity
    information (shown in dark gray).

172
RAID LEVELS
  • RAID-4
  • Technique used: block-level striping with
    dedicated parity
  • Random read performance: good
  • Random write performance: fair
  • Array capacity: size of smallest drive × (no. of
    drives - 1)
  • Minimum 3 hard disks
  • Fault tolerance: good
  • Cost: moderate
  • Recommended uses: not commonly used

173
RAID-4
  • This illustration shows how files of different
    sizes are distributed between the drives on a
    four-disk RAID 4 array using a 16 kiB stripe
    size. The red file is 4 kiB in size, the blue is
    20 kiB, the green is 100 kiB and the magenta is
    500 kiB. Notice that, as with RAID 3, the files
    are evenly spread between three drives, with the
    fourth containing parity information (shown in
    gray).

174
RAID LEVELS
  • RAID-5
  • Technique used: block-level striping with
    distributed parity
  • One of the most popular RAID levels
  • Random read performance: very good
  • Random write performance: only fair
  • Array capacity: size of smallest drive × (no. of
    drives - 1)
  • Minimum 3 hard disks
  • Fault tolerance: good
  • Cost: moderate
  • Recommended uses: ERP, relational database
    applications, other business systems

175
RAID-5
  • This illustration shows how files of different
    sizes are distributed between the drives on a
    four-disk RAID 5 array using a 16 kiB
    stripe size. The red file is 4 kiB in size, the
    blue is 20 kiB, the green is 100 kiB and the
    magenta is 500 kiB.
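
Added example (not part of the original presentation): the parity technique from the PARITY slide applied to the RAID-5 layout above, showing that XOR parity lets any single failed disk be rebuilt from the survivors. The function names and the parity rotation order are assumptions of this example, and the sample bytes are constructed.

```python
from functools import reduce

def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks: the RAID parity calculation."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))

def parity_disk_for(stripe, n_disks):
    """Rotate parity across disks per stripe (this rotation order is an assumption)."""
    return (n_disks - 1 - stripe) % n_disks

def raid5_write(data, n_disks, block_size):
    """Stripe data over n_disks with distributed parity; returns a block list per disk."""
    if n_disks < 3:
        raise ValueError("RAID-5 needs at least 3 disks")
    per_stripe = (n_disks - 1) * block_size
    data += bytes(-len(data) % per_stripe)          # zero-pad the last stripe
    disks = [[] for _ in range(n_disks)]
    for stripe, off in enumerate(range(0, len(data), per_stripe)):
        chunks = [data[off + i * block_size: off + (i + 1) * block_size]
                  for i in range(n_disks - 1)]
        remaining = iter(chunks)
        for d in range(n_disks):
            is_parity = d == parity_disk_for(stripe, n_disks)
            disks[d].append(xor_blocks(chunks) if is_parity else next(remaining))
    return disks

def raid5_read(disks, length):
    """Reassemble the original bytes, skipping the parity block of each stripe."""
    out = bytearray()
    for stripe in range(len(disks[0])):
        for d in range(len(disks)):
            if d != parity_disk_for(stripe, len(disks)):
                out += disks[d][stripe]
    return bytes(out[:length])

def rebuild_disk(disks, failed):
    """Recompute every block of one failed disk by XOR-ing the surviving disks."""
    survivors = [blocks for i, blocks in enumerate(disks) if i != failed]
    return [xor_blocks(stripe_blocks) for stripe_blocks in zip(*survivors)]

def usable_capacity(drive_sizes, parity_drives=1):
    """Size of smallest drive x (no. of drives - parity drives), as on the slides."""
    return min(drive_sizes) * (len(drive_sizes) - parity_drives)

# Constructed sample input: 46 bytes striped over 4 disks in 4-byte blocks.
SAMPLE = b"constructed sample payload for the RAID-5 demo"

if __name__ == "__main__":
    disks = raid5_write(SAMPLE, 4, 4)
    disks[2] = rebuild_disk(disks, failed=2)        # simulate losing disk 2
    print(raid5_read(disks, len(SAMPLE)) == SAMPLE, usable_capacity([500] * 4))
```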

176
RAID LEVELS
  • RAID-6
  • Technique used: block-level striping with dual
    distributed parity
  • Minimum 4 hard disks
  • Random read performance: very good
  • Random write performance: poor
  • Array capacity: size of smallest drive × (no. of
    drives - 2)
  • Fault tolerance: very good
  • Cost: high
  • Specialized controller
  • Recommended uses: same as RAID-5, but not popular
    as cost is high

177
RAID-6
  • This illustration shows how files of different
    sizes are distributed between the drives on a
    four-disk RAID 6 array using a 16 kiB
    stripe size. The red file is 4 kiB in size, the
    blue is 20 kiB, the green is 100 kiB and the
    magenta is 500 kiB.

178
RAID LEVELS
  • RAID-7
  • Proprietary product of Storage Computer
    Corporation
  • Hard disks: depends
  • Random read performance: very good
  • Random write performance: very good
  • Array capacity: depends
  • Fault tolerance: very good
  • Cost: very high
  • Specialized controller
  • Recommended uses: not popular as cost is high

179
MULTIPLE(NESTED) RAID LEVELS
  • RAID-01 and RAID-10
  • Technique used: mirroring and striping without
    parity
  • Most popular of the multiple RAID levels
  • Minimum 4 hard disks
  • Availability: very good for RAID-01, excellent
    for RAID-10
  • Random read performance: very good
  • Random write performance: good
  • Fault tolerance: very good
  • Cost: high
  • Recommended uses: often used in place of RAID-1
    or RAID-5 for higher performance

180
RAID 01

181
RAID 10
182
Strategies for Data communications
  • Dial up
  • Circuit Extension
  • On demand service from the carriers
  • Diversification of services
  • Microwave communications
  • VSAT

183
Strategies for Voice communications
  • Cellular phone backup
  • Carrier call rerouting systems
  • Backup PBX systems

184
Electronic vaulting
  • Electronic vaulting is the ability to store and
    retrieve backup electronically in a site remote
    from the primary computer centre

185
Remote Journaling
  • Parallel processing of transactions to an
    alternate site

186
Database shadowing
  • Duplicating the database sites to multiple servers

187
Back up strategies
  • Dual Recording
  • Dumping
  • Logging Input Transactions
  • Logging Before-images
  • Logging After-images

188
NETWORK ATTACHED STORAGE
  • A class of systems that provide file services to
    host computers
  • Dedicated storage solution that is attached to a
    network topology

189
STORAGE AREA NETWORK
  • A network of storage disks
  • It connects multiple computers to a centralized
    pool of disk storage
  • Fibre Channel Technology

190
STORAGE AREA NETWORK
  • Advantages
  • Centralization of storage
  • Storage server resources grow independently
  • Data transfer directly from device to device

191
Server Load Balancing
  • It consists of distributing user activity across
    a network so that no single server is
    overloaded
  • Enables applications to operate even if one of
    the servers is down

192
Server Load Balancing
  • Load Balancing done by load balancers
  • Routers, switches with application-specific
    integrated circuits

193
IS Audit Technique
  • Role of Auditor
  • Observer
  • Reviewer
  • Reporter

194
Review of BCP
  • Current copy of BCP
  • Evaluation of documented procedures
  • Critical applications identified
  • All applications reviewed
  • Support of critical applications
  • Review of BCP personnel, vendors, hot site
    contents, back-up contents

195
Review of BCP
  • Interview key members
  • Evaluation of emergency procedures
  • Written procedures of recovery teams

196
Audit Procedure
  • Interviewing personnel and reading documents
  • Risk analysis documents
  • Disaster recovery requirement documents
  • Disaster recovery training documents
  • Disaster recovery plan testing documents
  • Disaster recovery plan maintenance procedures
  • Alternative processing contracts with back-up
    facilities
  • Third party audit reports

197
Audit Procedure
  • Risk analysis
  • Critical application identifications
  • Classification of critical data
  • Minimum hardware configuration
  • Existing file backup procedures
  • Record retention and rotation schedules

198
Audit Procedure
  • Off-site storage facilities
  • Commercial
  • Private
  • Verify financial background and reputation
  • Visit the facility
  • Assess the storage standards
  • Method of separation of media
  • Mode of transportation of media

199
Audit Procedure
  • Off-site storage facilities ...
  • Review flow of media in and out
  • Visitors access
  • Terms and conditions of vendors
  • Confidentiality of data
  • Periodic inventory of media
  • Other physical and environmental controls

200
Audit Procedure
  • Plan Documents
  • No. of subscribers and capacity of computer in
    backup facility
  • Fee structure of vendor
  • Off-site media storage facility
  • Liability of vendors for loss or damage at
    off-site
  • Names, addresses, telephone nos. of recovery team
    members
  • Transportation arrangements

201
Audit Procedure
  • Plan Documents
  • Equipment and support
  • Emergency team instructions for evacuations and
    recovery
  • Telephone nos. of hardware, software supply vendors
  • Procedures to handle bombs or arson threats
  • Plan testing procedures
  • Network configuration diagram and documentation

202
Audit Objectives
  • Adequacy of risk analysis
  • Adequacy of off-site storage facilities
  • DRP document is complete, clear and
    understandable
  • Adequacy of management preparedness
  • Adequacy of plan maintenance procedures

203
Audit Objectives
  • Identify problems, concerns
  • Make cost effective recommendations
  • Identify over-secured and under-secured activities

204
Thanks...