Business Continuity Planning
The Problem - Reasons for Business Continuity Planning (BCP)
Principles of BCP
Doing BCP
  The steps
  What is included
The stages of an incident
LTU CISP Security
1
Definitions
A contingency plan is:
“A plan for emergency response, backup operations,
and post-disaster recovery maintained by an activity
as a part of its security program that will ensure the
availability of critical resources and facilitate the
continuity of operations in an emergency situation…”
(National Computer Security Center 1988)
A 1997-98 survey found that more than 35% of companies have no plans
Definitions of BCP
Disaster Recovery
Business Continuity Planning
End-user Recovery Planning
Contingency Planning
Emergency Response
Crisis Management
The goal is to assist the organization/business to continue functioning even though normal operations are disrupted
Includes steps to take
  Before a disruption
  During a disruption
  After a disruption
Reasons for BCP
It is better to plan activities ahead of time rather than to react when the time comes
  “Proactive” rather than “Reactive”
    Take the correct actions when needed
    Allow for experienced personnel to be absent
Maintain business operations
  Keep the money coming in
  Short and long term loss of business
  Have necessary materials, equipment, information on hand
  Saves time, mistakes, stress and $$
  Planning can take up to 3 years
Effect on customers
  Public image
  Loss of life
Legal requirements
  ‘77 Foreign Corrupt Practices Act/protection of stockholders
    Management criminally liable
  Federal Financial Institutions Examination Council (FFIEC)
  FCPA SAS30 Audit Standards
  Defense Investigative Service
  Legal and Regulatory sanctions, civil suits
Definitions
Due Care
  minimum and customary practice of responsible protection of assets that reflects a community or societal norm
Due Diligence
  prudent management and execution of due care
The Problem
Utility failures
Intruders
Fire/Smoke
Water
Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
Heat/Humidity
Electromagnetic emanations
Hostile activity
Technology failure
Recent Disasters
Bombings
  ‘92 London financial district
  ‘93 World Trade Center, NY
  ‘93 London financial district
  ‘95 Oklahoma City
  ’01 World Trade Center, NY (9/11)
Earthquakes
  ‘89 San Francisco
  ‘94 Los Angeles
  ‘95 Kobe, JP
Fires
  ‘95 Malden Mills, Lawrence, MA
  ‘96 Credit Lyonnais, FR
  ‘97 Iron Mountain Record Center, Brunswick, NJ
Recent Disasters
Power
  ‘92 AT&T
  ‘96 Orrville, OH
  ‘99 East coast heat/drought brownouts
Floods
  ‘97 Midwest floods
Storms
  ‘92 Hurricane Andrew
  ‘93 Northeast Blizzard
  ‘96 Hurricanes Bertha, Fran
  ‘98 Florida tornados
Hardware/Software
  Year 2000
The Problem
Failure to keep operating
  Fortune 1000 study
    Average loss $78K, up to $500K
    65% of those failing for over 1 week never reopen
    Loss of market share common
Threats
From Data Pro reports
Errors & omissions 50%
Fire, water, electrical 25%
Dishonest employees 10%
Disgruntled employees 10%
Outsider threats 5%
The Controls
Least Privilege
  Information security
Redundancy
  Backed up data
  Alternate equipment
  Alternate communications
  Alternate facilities
  Alternate personnel
  Alternate procedures
The Steps in a BCP - Initiation
Project initiation
Business case to obtain support
Sell the need for DRP (price vs benefit)
Build and maintain awareness
On-going testing & maintenance
Top down approach
Executive commitment and support MOST CRITICAL
Project planning, staffing
Local support/responsibility
The Steps in a BCP - 1
Impact Assessment (Impact Analysis/Vulnerability Assessment/Current State Assessment/Risk Assessment)
Purpose
Identify risks
Identify business requirements for continuity
Quantify impact of potential threats
Balance impact and countermeasure cost
Establish recovery priorities
Benefits
Relates security objectives to organization mission
Quantifies how much to spend on security measures
Provides long term planning guidance
  Building design
  HW configuration
  SW
  Internal controls
  Criteria for contingency plans
  Security policy
  Site selection
  Protection requirements
  Significant threats
  Responsibilities
The Steps in a BCP - 1
Risk Assessment/Analysis
  Potential failure scenarios (risks)
  Likelihood of failure
  Cost of failure (loss impact analysis), quantify impact of threat
    Dollar losses
    Additional operational expenses
    Violation of contracts, regulatory requirements
    Loss of competitive advantage, public confidence
  Assumed maximum downtime (recovery time frames)
  Annual Loss Expectancy
  Worst case assumptions
  Based on business process model? Or IT model?
  Identify critical functions and supporting resources
  Balance impact and countermeasure cost
    Key
      Potential damage
      Likelihood
Definitions
Threat
  any event which could have an undesirable impact
Vulnerability
  absence or weakness of a risk-reducing safeguard, potential to allow a threat to occur with greater frequency, greater impact, or both
Exposure
  a measure of the magnitude of loss or impact on the value of the asset
Risk
  the potential for harm or loss, including the degree of confidence of the estimate
Definitions
Quantitative Risk Analysis
  quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability
  Powerful aid to decision making
  Difficult to do in time and cost
Qualitative Risk Analysis
  minimally quantified estimates
  Exposure scale ranking estimates
  Easier in time and money
  Less compelling
Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative
Results
  Loss impact analysis
  Recovery time frames
  Essential business functions
  Information systems applications
  Recommended recovery priorities & strategies
Goals
  Understand economic & operational impact
  Determine recovery time frame (business/DP/Network)
  Identify most appropriate strategy
  Cost/justify recovery planning
  Include BCP in normal decision making process
Risk Management Team
Management - Support
DP Operations
Systems Programming
Internal Audit
Physical Security
Application owners
Application programmers
Preliminary Security Exam
Asset costs
Threat survey
  Personnel
  Physical environment
  HW/SW
  Communications
  Applications
  Operations
  Natural disasters
  Environment
  Facility
  Access
  Data value
Existing security measures
Management review
Threats
Hardware failure
Utility failure
Natural disasters
Loss of key personnel
Human errors
Neighborhood hazards
Tampering
Disgruntled employees
Emanations
Unauthorized access
Safety
Improper use of technology
Repetition of errors
Cascading of errors
Illogical processing
Translation of user needs (technical requirements)
Inability to control technology
Equipment failure
Incorrect entry of data
Concentration of data
Inability to react quickly
Inability to substantiate processing
Concentration of responsibilities
Erroneous/falsified data
Misuse
Threats
Uncontrolled system access
Ineffective application security
Operations procedural errors
Program errors
Operating system flaws
Communications system failure
Utility failure
Risk Analysis Steps
1 - Identify essential business functions
  Dollar losses or added expense
  Contract/legal/regulatory requirements
  Competitive advantage/market share
  Interviews, questionnaires, workshops
2 - Establish recovery plan parameters
  Prioritize business functions
3 - Gather impact data/Threat analysis
  Probability of occurrence, source of help
  Document business functions
  Define support requirements
  Document effects of disruption
  Determine maximum acceptable outage period
  Create outage scenarios
Risk Analysis Steps
4 - Analyze and summarize
  Estimate potential losses
    Destruction/theft of assets
    Loss of data
    Theft of information
    Indirect theft of assets
    Delayed processing
  Consider periodicity
  Combine potential loss & probability
    Magnitude of risk is the ALE (Annual Loss Expectancy)
    Guide to security measures and how much to spend
Results
Significant threats & probabilities
Critical tasks & loss potential by threat
Remedial measures
  Greatest net reduction in losses
  Annual cost
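The arithmetic behind step 4 and the Results slide, worked through as an added example (not part of the original slides): potential loss combined with probability gives each threat's ALE, and candidate remedial measures are ranked by greatest net reduction in losses after their annual cost. The SLE/ARO names are the standard quantitative convention assumed here, not terms from the slides, and every threat, loss and cost figure is constructed.

```python
# Added example (not from the slides): the quantitative risk analysis of the
# 'Risk Analysis Steps' and 'Results' slides. Potential loss x probability gives
# the Annual Loss Expectancy (ALE); remedial measures are ranked by net reduction
# in annual losses. Assumed convention (standard, not named on the slides):
# ALE = SLE x ARO, loss per occurrence x occurrences per year. All figures below
# are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # loss per occurrence, from the loss impact analysis
    aro: float  # expected occurrences per year (periodicity folded in)

    @property
    def ale(self) -> float:
        return self.sle * self.aro

@dataclass(frozen=True)
class Measure:
    name: str
    threat: str            # name of the threat it addresses
    annual_cost: float     # cost to run the measure for one year
    aro_factor: float = 1  # residual ARO as a fraction of the original
    sle_factor: float = 1  # residual SLE as a fraction of the original

def residual_ale(t: Threat, m: Measure) -> float:
    """ALE that remains once the measure is in place."""
    return (t.sle * m.sle_factor) * (t.aro * m.aro_factor)

def net_reduction(t: Threat, m: Measure) -> float:
    """Annual loss avoided minus annual cost; negative means not worth buying."""
    return t.ale - residual_ale(t, m) - m.annual_cost

def rank_measures(threats, measures):
    """Measures sorted by greatest net reduction in losses, best first."""
    by_name = {t.name: t for t in threats}
    scored = [(m.name, round(net_reduction(by_name[m.threat], m), 2))
              for m in measures]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

THREATS = [  # constructed
    Threat("Fire in data center", sle=500_000, aro=0.05),
    Threat("Utility power failure", sle=20_000, aro=4.0),
    Threat("Operator error, data loss", sle=15_000, aro=6.0),
]
MEASURES = [  # constructed; the vault costs more than the fire risk it removes
    Measure("Fire suppression", "Fire in data center", 8_000, sle_factor=0.2),
    Measure("UPS and generator", "Utility power failure", 30_000, aro_factor=0.1),
    Measure("Daily off-site backups", "Operator error, data loss", 12_000, sle_factor=0.25),
    Measure("Fireproof vault", "Fire in data center", 40_000, sle_factor=0.05),
]
if __name__ == "__main__":
    for name, net in rank_measures(THREATS, MEASURES):
        print(f"{name:24s} net annual benefit: ${net:>12,.2f}")
```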
Information Valuation
Information has cost/value
Do a cost/value estimate for
  Acquire/develop/maintain
  Owner/Custodian/User/Adversary
Cost/benefit analysis
  Integrate security in systems
  Avoid penalties
  Preserve proprietary information
  Business continuity
Circumstances affect valuation timing
Ethical obligation to use justifiable tools/techniques
Conditions of Value
Exclusive possession
Utility
Cost of creation/recreation
Liability
Convertibility/negotiability
Operational impact
Market forces
Official value
Expert opinion/appraisal
Bilateral agreement/contract
Scenario
A specific threat (potential event/act) in which assets are subject to loss
Write scenario for each major threat
Credibility/functionality review
Evaluate current safeguards
Finalize/Play out
Prepare findings
The Steps in a BCP - 2
Strategy Development (Alternative Selection)
  Management support
  Team structure
  Strategy selection
    Cost effective
    Workable
The Steps in a BCP - 3
Implementation (Plan Development)
  Specify resources needed for recovery
  Make necessary advance arrangements
  Mitigate exposures
The Steps in a BCP - 3
Risk Prevention/Mitigation
  Security - physical and information (access)
  Environmental controls
  Redundancy - Backups/Recoverability
    Journaling, Mirroring, Shadowing
    On-line/near-line/off-line
  Insurance
  Emergency response plans
    Procedures
    Training
  Risk management program
The Steps in a BCP - 3
Decision Making
  Cost effectiveness
    Human intervention requirements
    Total cost
    Manual functions are weakest
  Overrides and defaults
    Shutdown capability
    Default to no access
  Design openness
  Least Privilege
    Minimum information
  Visible safeguards
  Entrapment
    Selected vulnerabilities made attractive
The Steps in a BCP - 3
Decision Making
Universality
Compartmentalization, defense in depth
Isolation
Completeness
Instrumentation
Independence of controller and subject
Acceptance
Sustainability
Auditability
Accountability
Recovery
Remedial Measures
Alter environment
Erect barriers
Improve procedures
Early detection
Contingency plans
Risk assignment (insurance)
Agreements
Stockpiling
Risk acceptance
Remedial Measures
Fire
Water
UPS, generators
Environmental
Detection, equipment covers, positioning
Electrical
Detection, suppression
Backups
Good housekeeping
Backup procedures
Emergency response procedures
The Steps in a BCP - 3
Plan Development
  Specify resources needed for recovery
  Team-based
    Recovery plans
    Mitigation steps
    Testing plans
  Prepared by those who will carry them out
Included in a BCP
Off-site storage
  Trip there - secure? Timely?
  Physical layout of site
  Fire protection
  Climate controls
  Security access controls
  Backup power
Alternate site
  Reciprocal agreements/Multiple sites/Service bureaus
  Hot/Warm/Cold (Shell) sites
  Same concerns as off-site storage: trip there (secure? timely?), physical layout of site, fire protection, climate controls, security access controls, backup power
  Agreements
Backup processing
  Compatibility
  Capacity
  Journaling - maintaining audit records
  Remote journaling - to off-site location
  Shadowing - remote journaling and delayed mirroring
  Mirroring - maintaining realtime copy of data
  Electronic vaulting - bulk transfer of backup files
Communications
  Compatibility
  Accessibility
  Capacity
  Alternatives
Work space
  Accessibility
  Capacity
  Environment
Office equipment/supplies/documentation
Security
Critical business processes/Management
Testing
Vendors - Contact info, agreements
Teams - Contact info, transportation
Return to normal operations
  Resources needed
Complications
Media/Police/Public
Families
Fraud
Looting/Vandalism
Safety/Legal issues
Expenses/Approval
The Steps in a BCP - Finally
Plan Testing
  Proves feasibility of recovery process
  Verifies compatibility of backup facilities
  Ensures adequacy of team procedures
  Identifies deficiencies in procedures
  Trains team members
  Provides mechanism for maintaining/updating the plan
  Upper management comfort
The Steps in a BCP - Finally
Plan Testing
  Desk checks/Checklist
  Structured Walkthroughs
  Live exercises/Simulations
  Periodic off-site recovery tests/Parallel
  Full interruption drills
The Steps in a BCP - Finally
Test
  Software
  Hardware
  Personnel
  Communications
  Procurement
  Procedures
  Supplies/forms
  Documentation
  Transportation
  Utilities
  Alternate site processing
  Security
The Steps in a BCP - Finally
Test
  Purpose (scenario)
  Objectives/Assumptions
  Type
  Timing
  Schedule
  Duration
  Participants
  Assignments
  Constraints
  Steps
The Steps in a BCP - Finally
Alternate Site Test
  Activate emergency control center
  Notify & mobilize personnel
  Notify vendors
  Pickup and transport
    tapes
    supplies
    documentation
  Install (Cold and Warm sites)
  IPL
  Verify
  Run
  Shut down/Clean up
  Document/Report
The Steps in a BCP - Finally
Plan Update and Retest cycle (Plan Maintenance)
  Critical
    Environmental changes
    HW/SW/FW changes
    Personnel
  Needs
    to maintain validity and usability of plan
    to be included in organization plans
      Job description/expectations
      Personnel evaluations
      Audit work plans
BCP by Stages
Initiation
Current state assessment
Develop support processes
Training
Impact Assessment
Alternative selection
Recovery Plan development
Support services continuity plan development
Master plan consolidation
Testing strategy development
Post transition plan development
BCP by Stages
Implementation planning
Quick Hits
Implementation, testing, maintenance
End User Planning
DP is critical to end users
Difficult to use manual procedures
Recovery is complex
Need to plan
  manual procedures
  recovery of data/transactions
  procedures for alternate site operation
  procedures to return to normal
The Real World
DR plans normally involve
  Essential DP platforms/systems only
  A manual on the shelf written 2-3 years ago
  Little or no user involvement
  No provision for business processes
  No active testing
  Resource lists and contact information that do not match current realities
Stages in an Incident
Disaster
  interruption affecting user operations significantly
Initial/Emergency response
  Purpose
    Ensure safety of people
    Prevent further damage
  Activate emergency response team
  Covers emergency procedures for expected hazards
  Safety essential
  Emergency supplies
  Crisis Management plan - decision making
Impact assessment
  Activate assessment team
  Determine situation
    What is affected?
  Decide whether to activate plan
Initial recovery
  Initial recovery of key areas at alternate site
  Detailed procedures
  Salvage/repair - Clean up
Return to normal/Business resumption
  Return to operation at normal site
  “Emergency” is not over until you are back to normal
  Requires just as much planning - Parallel operations
Special Cases
Y2K
  Incidents will happen in a particular time frame
Alternate sites won’t help
Redundant equipment won’t help
Backups won’t help
Involves automated equipment and services
Final Thoughts
Do you really want to activate a DR/BCP plan?
Prevention
Planning