Information Systems Security Business Continuity Planning Domain 6
Pieces of the BCP § Disaster Recovery Planning – How to survive the disaster – Emergency response responsibilities – Recovery procedures § Business Continuity Planning – How to stay in business while crippled – Continuity of critical business functions – Reduce overall impact of interruption
Processes of the BCP Plan § Project Initiation Phase § Current State Assessment Phase § Design and Development Phase § Implementation Phase § Management Phase § REPEAT, REPEAT
Project Initiation § Gain support of management § Show cost versus benefit § Regulatory requirements § Ramifications of others not having a plan § Current vulnerability analysis
Current State Assessment § Threat Analysis § Business Impact Assessment § Continuity Planning Process Assessment § Benchmark or Peer Review
Design and Development § Develop appropriate continuity strategy § Develop crisis management plan § Develop infrastructure § Design initial acceptance testing § Plan for resource acquisition
Implementation § Deploy continuity plan § Perform short-term and long-term testing § Program maintenance § Program training and awareness § Program management process
Senior Management’s Role § Due diligence and due care § Drive all phases of the plan § Consistent support and final approval § Ensure that testing takes place § Constructing a budget
BCP Team § Minimum key personnel should be: – Member of each key department – Member of support staff – IT reps – Security reps – Legal reps – Senior management
BCP Committee § Carries out risk assessment and analysis § Analysis to be carried out before plan is developed § Execute – Business impact analysis – Development plan – Testing and plan maintenance
Risk Assessment § ID critical business functions § ID resources these functions depend upon § Calculate life expectancy w/o resources § ID vulnerabilities and threats to these functions § Calculate risks to these functions § Develop backup plans for these functions § Develop recovery plans for these functions
Types of Analyses § Quantitative – Involves the use of numbers and formulas to reach a decision § Qualitative – Takes non-numerical factors such as emotions, confidence, workforce stability, and other concerns into account
Identify Priorities § Activities that are most essential to your day-to-day operations § Maximum Tolerable Downtime (MTD) – Maximum length of time a business function can be inoperable without causing irreparable harm to the business
Identify Business Risks § Natural Disasters – Storms, hurricanes, earthquakes, volcanoes… § Man Made – Terrorist/wars/civil unrest – Theft/vandalism – Fire/explosion/building collapse – Power outages
ID Critical Functions Resources § Specific types of technology § Necessary software § Electrical power § Network/physical production environment § Safe environment for workers § Access to outside entities § Communication lines
Likelihood Assessment § Business Impact Assessment (BIA) identifies the likelihood that each risk will occur § Expressed in terms of an annualized rate of occurrence (ARO) that reflects the number of times a business expects to experience a given disaster each year
Impact Assessment § Exposure Factor (EF) is the amount of damage that the risk poses to the asset § Single loss expectancy (SLE) is the $ loss that is expected each time the risk materializes § Annualized loss expectancy (ALE) is the $ loss that is expected to occur as a result of the risk over the period of a year
Example § Fire at Building – Building value of $500,000 – Exposure factor of 70% – Occurs once every 30 years – What is the ALE?
Qualitative Assessment § Loss of confidence and goodwill among your clients § Loss of employees due to down time § Social/ethical responsibilities to the community § Negative publicity
Resource Prioritization § Create a list of all of the risks you analyzed during the BIA process and sort them in descending order by the ALE § Results of the quantitative or qualitative analysis may justify a risk as having a higher priority based on business impact
Continuity Strategy § Focuses on the development and implementation of a continuity strategy to minimize the impact realized risks might have on protected assets § Consider the MTD and decide which risks are acceptable § Bridge the gap between BIA and Continuity
Provisions and Processes § People – Ensure that people within your organization are safe before, during, and after an emergency § Building/facilities § Infrastructure
Buildings/facilities § Hardening provisions – Reinforce structure, patch roofs, etc § Alternate sites – Hot Site § Ready for data processing in a few hours or less § Contains all necessary systems, devices – Just needs people & data § Annual tests are conducted § Most expensive subscription option
More Sites § Warm Site – Ready for data processing in 12 hours or longer – Some peripheral devices § Needs software, people, data, and computers – Better choice for proprietary hardware/software – Less expensive than hot sites
More Sites § Cold Site – Empty building – No equipment – Electrical wiring, A/C, plumbing, and flooring – Two weeks or longer for operational status – Least expensive
Testing Offsite Facility § Hardware should be compatible § Software should be compatible § Type of database transfer – Remote mirroring/database shadowing – Remote journaling – Electronic vaulting § Test data backups – Full, incremental, differential
BCP Plan Approval § Gain top level management endorsement § Be prepared with explanations of purpose § Planning team should contain top level executive – Helps to get final approval
Testing and Drills § Test Characteristics – Indicate if company can actually recover – At least annually – Identify areas of weakness § Drills – Create a disaster scenario – Create goals to be accomplished – Run drill and report findings to management
BCP Tests § Checklist tests – Copies of BCP distributed to functional manager – Review part of plan that addresses their area – Simplest but most crucial § Structured walk through – Functional managers meet to go through plan § Simulation – Carry out the disaster scenario – Continues up to actual relocation to offsite – Response measures are tested
BCP Tests § Parallel – Some systems are transported to the offsite facility for parallel processing – Actually relocate personnel where they perform their disaster recovery tasks § Full interruption test – Original site shuts down – All processing takes place at offsite
What is Success? § Response within an acceptable timeframe § Operations at alternate location adequate § Backups successfully restored § Emergency personnel reached within acceptable time frame § Team members aware of current plan and able to perform associated duties § Plan is current and relevant
BCP Plan can Become Outdated § Technology changes § Company merges or splits § Plan is not properly maintained § Personnel turnover § No person or group made responsible § Plan not audited § No change control tool
BCP Phases § Business Impact Analysis § Strategy Development § Plan Development § Implementation § Testing § Maintenance
Are We There Yet? § 2005 Survey indicates: – Less than 15% of companies prepared for disaster – 40% of companies would be out of business permanently if closed for a week
Legislative Issues § Health Insurance Portability and Accountability Act (HIPAA) § Gramm-Leach-Bliley Act (GLB) § Patriot Act § Electronic Communications Privacy Act (ECPA)