© Copyright 2005 (ISC)2®. All Rights Reserved.

Business Continuity Planning v5.0

Business Continuity Planning

Introduction

The Business Continuity Planning (BCP) domain addresses the preservation and recovery of the business in the event of outages to normal business operations.

Objectives

• The CISSP should:

– Have an understanding of the preparation of specific actions required to preserve critical business operations from the perspective of creating, implementing, and updating a continuity plan.

Section Objectives

• Define business continuity plan

• Define disaster

• Describe the phases of business continuity planning

• List restoration actions

Goals of Information Security As They Relate to BCP

• The common thread among good information security objectives is that they address all three core security principles.

– Confidentiality: Prevents unauthorized disclosure of systems and information.

– Integrity: Prevents unauthorized modification of systems and information.

– Availability: Prevents disruption of service and productivity.

What is a disaster?

• A disaster is something that interrupts normal business process.

– A disaster is defined as a sudden, unplanned calamitous event that brings about great damage or loss.

– In the business environment, it is any event that creates an inability on an organization’s part to support critical business functions for some predetermined period of time.

Potentially Disastrous Events

• Natural (e.g., earthquakes, storms)

• System/Technical (e.g., outages, malicious code)

• Supply Systems (e.g., electrical power problems)

• Human-Made/Political (e.g., disgruntled employees, riots, vandalism)

Defining a BCP

An approved set of advanced arrangements and procedures that enable an organization to:

• Ensure the safety of people.

• Minimize the amount of loss.

• Facilitate the recovery of business operations to reduce the overall impact of an event, while at the same time resuming the critical business functions within a predetermined period of time.

• Repair or replace the damaged facilities as soon as possible.

Defining a BCP (cont.)

• Traditionally, recovery plans focused on the recovery of critical computer systems running at data centers.

• Today, recovery plans must also focus on the critical computer systems operating in a distributed environment involving personal computers, LANs, telecommunications, etc.

• Essentially, continuity plans address every critical function of an enterprise.

Requirements of Business Continuity Planning

• Provide an immediate, accurate, and measured response to emergency situations, with the overall goal of ensuring the safety of individuals.

• Mitigate the damage you are experiencing as a result of the disaster.

• Ensure the survivability of the business.

• Provide procedures and a listing of resources to assist in the recovery process.

• Identify vendors that may be needed in the recovery process and put agreements in place with selected vendors.

Requirements of Business Continuity Planning (cont.)

• Avoid confusion experienced during a crisis by documenting, testing, and training plan procedures.

• Provide clear guidance for declaring a disaster.

• Provide the necessary direction to ensure the timely resumption of critical services.

Requirements of Business Continuity Planning (cont.)

• Document storage, safeguarding, and retrieval procedures for critical systems and supporting functions.

• Describe the actions, resources, and materials required to restore critical operations at an alternate site in the event that the primary site(s) has suffered a serious outage.

• Document recovery procedures so they can be executed by knowledgeable people.

BCP Scope

• The BCP should cover all aspects of an organization, including:

– Personnel

– Facilities

– Infrastructure

– Support systems

– Information systems

Subtopics

• Business Continuity Management

• Phases of BCP

• Restoration Action

• Example of a Recovery Process

Business Continuity Management

• A strategic and operational framework to review the way an organization provides its products and services while increasing its resilience to disruption, interruption or loss.

• Provides a framework for building resilience and the capability for an effective response which safeguards the interests of a company’s key stakeholders, reputation, brand and value creating activities.

Stages of BCM

Phases of the BCP

Project Mgmt/Initiation

Business Impact Assessment

Recovery Strategy

Plan Design & Development

Implementation

Testing

Maintenance

Phases of the BCP: Subtopics

1. Project Management and Initiation

2. Business Impact Analysis

3. Recovery Strategy

4. Plan Design and Development

5. Testing, Maintenance, Awareness, and Training

Phase I: Project Management and Initiation

• Establish the need for a BCP.

– Perform a focused risk analysis to identify and document potential outages to critical systems.

• Obtain management support.

• Identify strategic internal and external resources to ensure that BCP matches overall business and technology plans.

Phase I: Project Management and Initiation (cont.)

• Establish the project management work plan that includes the:

– Scope of the project

– Identification of objectives

– Determination of methods for organizing and managing development of the BCP

– Identification of related tasks and responsibilities

– Scheduling of formal meetings and task completion dates

Phase I: Project Management and Initiation (cont.)

• Determine the need for automated data collection tools, including plans to provide training on how to use the software.

• Establish members of the BCP team, both technical and functional representatives.

• Prepare and present an initial report to management on how the BCP will meet the objectives.

Products That Can Help

“Automated” plan development can help you:

– Speed the process

– Avoid missing critical elements

– Organize teams

– Maintain the plan

BCP Planner/Coordinator

• Ensures that all elements of the plan are thoroughly addressed and that an appropriate level of planning, preparation, and training has been accomplished.

• Serves as leader for the development team.

• Has direct access and authority to interact with all employees necessary to complete the plans.

• Is in a position within the organization to balance the needs of the organization with the needs of the individual business units that may be affected.

BCP Planner/Coordinator (cont.)

• Has knowledge of the business to be able to understand how a disaster can affect the organization.

• Has easy access to management.

• Is able to review the charter, mission statement, and executive viewpoint.

• Has the credibility and ability to influence senior management when decisions need to be made.

Team Members

Representatives also include, but are not limited to:

• Senior Management, Chief Financial Officer, etc.

• Legal Staff

• Business Unit/Functions

• Support Systems

• Recovery Team Leaders

• Information Security Department

• Data Communications Department

• Communications Department

Team Members (cont.)

The same people who would be responsible for executing the plan in the event of an outage must also be involved in preparing the BCP.

Project Plan

• Identify and develop business continuity plan phases similar to traditional project plan phases.

– Including problem investigation, problem definition, feasibility study, systems description, implementation, installation, and evaluation.

• Establish business continuity plan project characteristics.

– Such as goals/objectives, tasks, resources (personnel, financial), time schedules, budget estimates, and critical success factors.

Phase II: Business Impact Analysis (BIA)

The BIA is a functional analysis that identifies the impacts should an outage occur. Impact is measured by the following:

• Allowable Business Interruption – the Maximum Tolerable Downtime

• Financial and Operational Considerations

• Regulatory Requirements

• Organizational Reputation

Phase II: Business Impact Analysis (BIA)

• The BIA sets the stage for determining a business-oriented judgment concerning the appropriation of resources for recovery planning efforts.

Eight Steps of the BIA

Step 1: Select Interviewees

Step 2: Determine information gathering techniques

Step 3: Customize questionnaire to gather economic and operational impact information (quantitative and qualitative questions)

Step 4: Analyze information

Eight Steps of the BIA (cont.)

Step 5: Determine time-critical business systems

Step 6: Determine maximum tolerable downtimes

Step 7: Prioritize critical business systems based on maximum tolerable downtimes

Step 8: Document findings and report recommendations

Maximum Tolerable Downtime

Phase III: Recovery Strategies

• Recovery strategies are a set of pre-defined and management approved actions that will be followed and implemented in response to a business interruption.

Recovery Strategies Focus

• Meeting the pre-determined recovery time frames.

• Maintaining the operation of the critical business functions.

• Compiling the resource requirements.

• Identifying alternatives that are available for recovery.

Recovery Strategies Key Element

The key element of developing a recovery strategy is to base it on the recovery time for mission critical business systems -- as outlined in the Business Impact Analysis.

Recovery Strategies: Development Steps

1. Document all costs with each alternative.

2. Obtain cost estimates for any outside services.

3. Develop written agreements for such services.

4. Evaluate resumption strategies based on a full loss of the facility.

5. Document recovery strategies and present to management for comments and approval.

Categories of Recovery Strategies

1. Business Recovery

2. Facility and Supply

3. User

4. Operational

5. Data

Business Recovery

• Focus is on the critical resources and the maximum tolerable downtime for each business/support unit system. This may include the identification of:

– Critical IT system hardware, software, and data

– Critical equipment, supplies, furniture, and office space

– Key personnel for each business unit and support unit, such as Operations, Facilities, Security, etc.

Facility and Supply Recovery

• Focus is on restoration and recovery such as:

– Facility - main building, remote facilities

– Inventory - supplies, equipment, paper, forms

– Equipment - network environments, servers, mainframe, microcomputers, etc.

– Telecommunications - voice and data

– Documentation - application, technical materials

– Transportation - movement of equipment, personnel

– Supporting equipment - HVAC, safety, security

User Recovery

• Focus is on personnel requirements such as:

– Manual procedures

– Vital record storage (e.g., Medical, Personnel)

– Employee transportation

– Critical documentation and forms

– User workspace and equipment

– Alternate site access procedures

User Recovery (cont.)

Procedures for the organization’s employees to follow during the outage include items such as:

• Notification procedures

• High priority tasks

• Emergency accounting

• Checklists

• Team responsibilities

• Distribution of information

• Manual processing techniques

• Disaster policies

Operational Recovery

• Determine the necessary equipment configurations such as:

– Mainframes, LANs, microcomputers, peripherals

– Explore opportunities for integration/consolidation

– Usage parameters

• Data communications configurations include:

– Switching equipment, Routers, Bridges, Gateways

Operational Recovery (cont.)

• Outline alternative strategies for technical capabilities, such as network infrastructure components.

• Options include:

– Hot Site, Warm Site, Cold Site, Mobile Site

– Reciprocal or Mutual Aid Agreements

– Multiple Processing Centers

– Service Bureaus

Operational Recovery (cont.): Alternate Site Choices

• MIRROR SITE: Actively running identical processes in parallel

• HOT SITE: Fully operational except data/staff

• WARM SITE: Partially prepared for operations

• COLD SITE: Basic HVAC and connections

[Figure: the alternate sites plotted against Maximum Tolerable Downtime (Instant, Minutes-Hours, Days - Week, Weeks/Months) and cost.]

Software and Data Recovery

• Focus is on the recovery of information - the data. Options include:

– Backing up and off-site storage

– Electronic vaulting

– On-line tape vaulting

– Remote journaling

– Database shadowing

– Standby services

– Software escrow

Phase IV: BCP Design and Development

In this phase the team prepares and documents a detailed plan for recovery of critical business systems. End products include:

– Business and Service Recovery Plans

– Plan Maintenance Programs

– Employee Awareness and Training Programs

– Test Method Descriptions

– Restoration Plans

Design and Development Steps 1 - 4

1. Determine management concerns and priorities.

2. Determine planning scope such as geographical concerns, organizational issues, and the various recovery functions to be covered in the plan.

3. Establish outage assumptions.

4. Identify response procedures, such as ensuring evacuation and safety of personnel, notification of disaster, initial damage assessment, activating teams, relocating to alternate sites.

Design and Development Steps 5 - 7

5. Identify resumption strategies for mission-critical and non-mission-critical systems at alternate sites.

6. Identify the location for the emergency operations center/command center.

7. Identify restoration procedures for salvage, repair, and return to the primary site. Also identify the procedures to deactivate the recovery site.

Design and Development Step 8

8. Plan and implement the gathering of data required for plan completion.

– Personnel information

– Vendor services

– Equipment, software, forms, supplies

– Vital records

– Technical information

– Office space requirements

Design and Development Step 9

9. Review and outline with whom (and how) the organization will interface among external groups.

• Utility providers

• Industry group coalitions

• Media

• Customers

• Shareholders

• Civic officials

• Community, region, and state emergency services groups

Design and Development Step 10

10. Review and outline how the organization will cope with other complications beyond the actual disaster.

– Responsibility to families

– Coordination with human resource and legal departments

– Fraud opportunities

– Looting and vandalism

– Ensuring primary site is protected during disaster

– Safety and legal problems

– Expenses exceeding emergency manager authority

Design and Development Steps 11 - 13

11. Develop support service plans, including human resources, public relations, transportation, facilities, information processing, telecommunications, etc.

12. Develop business function plans and procedures.

13. Develop facility recovery (i.e., the building) plans.

BCP Document

The final aspect of this phase is to combine all of the various steps into the organization’s BCP. This plan should then be interfaced with the organization’s other emergency plans.

Phase V: Testing, Maintenance, Awareness and Training

In this phase, plans for testing and maintaining the BCP are implemented, and awareness and training procedures are executed.

Phase V: Plan Testing

• Plan testing ensures that the business continuity capability remains effective, regardless of the disaster. It includes:

– Testing objectives

– Measurement criteria

– Test schedules

– Post-test reviews

– Test results reported to management

Phase V: Plan Testing

The five main types of BCP testing strategies are:

1. Checklist

2. Structured Walk-Through

3. Simulation

4. Parallel

5. Full Interruption

Phase V: Plan Maintenance Goal

• Develop processes that maintain the currency of continuity capabilities and the BCP document in accordance with the organization's strategic direction. This includes:

– Changing management procedures

– Resolving problems found during testing

– Building maintenance procedures into the process

– Centralizing responsibility for updates

– Reporting results regularly to team members

Phase V: Plan Maintenance Functions

• Plan maintenance functions are:

– Receive and monitor input on needed revisions - maintain revision history

– Plan maintenance reviews as needed

– Monitor changes within business units, such as upgrades to systems

– Control plan maintenance distribution - who receives a copy of plan updates

– Ensuring version control - obsolete editions of the plan are collected and destroyed.

Damage Assessment

• Determine the extent of damage to the facility.

• Estimate the time needed to resume normal operations.

• Notify management of the findings.

Damage Assessment (cont.)

If the time estimated to resume operations exceeds the Maximum Tolerable Downtime (MTD) for critical business functions, then management should consider declaring a disaster and implementing the BCP.

Restoration Actions

• Restoration operations involve restoring the primary site to normal operation conditions.
– Complete an assessment of all damage.
– Initiate cleanup of the primary site.
– Implement necessary replacement procedures.

Restoration Actions (cont.)

– Move unused backup materials (i.e., supplies, magnetic media, backup documentation) from the alternate site to the primary site.
– Do least critical work first.
– Perform installations and updates of programs and data.
– Certify and accredit the system at the primary site.
– Initiate normal processing.

Subtopics

• Business Continuity Management
• Phases of BCP
• Restoration Action
• Example of a Recovery Process

Example of a Recovery Process

Subtopics

Example of a Recovery Process

1. Respond to the Disaster
2. Recover Critical Functions
3. Recover Non-critical Functions
4. Salvage and Repair
5. Return to Primary Site

Disaster Activity Example

• Assemble emergency operations team.
• Contact recovery team members to participate in the initial damage assessment.
• Determine the extent of damage to the primary site facility, including:
– Building structure
– Damage to utilities
– Access to different areas within the building, including capability to secure the building.

Disaster Activity Example (cont.)

• Calculate the time required to resume critical and non-critical business operations.
• Notify management of the results.
• Declare a disaster and begin implementation of continuity/recovery plans.
• Maintain a log of all steps taken after a disaster. Be sure to note time, location, what has been done, who did it, and any expenses incurred.

Disaster Activity Example (cont.)

• Establish the command center to provide management control, administrative, logistic, and communications support.

• Move backup resources to the appropriate recovery site.

• Allocate the required office space and recovery resources to the recovery teams.

Disaster Activity Example (cont.)

• Resume critical business functions at recovery site.
– Go to recovery site to confirm the following:
  • Space needs
  • Security needs
  • Fire protection
  • Infrastructure requirements

Disaster Activity Example (cont.)

• Resume critical business functions at recovery site.
– Install, activate and test all equipment.
– Install & activate necessary software and data from backup.
– Test the system and certify it is ready for operation.
– Begin critical application processing in accordance with established priorities.
– Configure and test voice communications systems.

Disaster Activity Example (cont.)

• Resume critical business at recovery site.
– Verify that media, forms, supplies, documentation, and equipment at an off-site storage site have been transferred to the recovery site.
– Notify users of schedule and site.
• Resume non-critical business at recovery site.
• Follow similar procedures of critical business function recovery.

Salvage & Repair Example

• At the primary site, complete a detailed assessment of all damage.
• Initiate cleanup of the primary site.
• If necessary, dispose of damaged equipment and procure new equipment.
• Recover water-soaked documents.
• Review insurance policies and document information as needed.

Salvage & Repair Example (cont.)

• Coordinate activities to have repairs made to the damaged areas within the primary site including:
– Facility structure - walls, floors, ceilings, etc.

– Equipment

– Support systems - HVAC, plumbing, etc.

Return to Primary Site Example

• Plan for the return.
• Reactivate fire protection and other alarm systems.
• Planning differs from the recovery plan - the least critical work should be initiated first.
• Implement and test the network system.
• Certify and accredit the system ready for operations.
• When notified that normal operations have resumed at the primary site, shut down operations at the alternate site and return backup materials to storage.

Quick Quiz

• What is a business continuity plan?
• What are the phases of business continuity planning?

Section Summary

• A business continuity plan (BCP) is an approved set of advanced arrangements and procedures that enable an organization to facilitate the recovery of business operations to reduce the overall impact of an event, while at the same time resuming the critical business functions within a predetermined period of time.

• The phases of BCP are: 1) Project Management and Initiation; 2) Business Impact Analysis; 3) Recovery Strategy; 4) Plan Design; and 5) Development, and Testing, Maintenance, Awareness, and Training.
