Information Systems
Security
Business Continuity Planning
Domain #6
Pieces of the BCP
Disaster Recovery Planning
– How to survive the disaster
– Emergency response responsibilities
– Recovery procedures
Business Continuity Planning
– How to stay in business while crippled
– Continuity of critical business functions
– Reduce overall impact of interruption
Processes of the BCP Plan
Project Initiation Phase
Current State Assessment Phase
Design and Development Phase
Implementation Phase
Management Phase
REPEAT, REPEAT, REPEAT
Project Initiation
Gain support of management
Show cost versus benefit
Regulatory requirements
Ramifications of others not having a plan
Current vulnerability analysis
Current State Assessment
Threat Analysis
Business Impact Assessment
Continuity Planning Process Assessment
Benchmark or Peer Review
Design and Development
Develop appropriate continuity strategy
Develop crisis management plan
Develop infrastructure
Design initial acceptance testing
Plan for resource acquisition
Implementation
Deploy continuity plan
Perform short-term and long-term testing
Program maintenance
Program training and awareness
Program management process
Senior Management’s Role
Due diligence and due care
Drive all phases of the plan
Consistent support and final approval
Ensure that testing takes place
Constructing a budget
BCP Team
Minimum key personnel should be:
– Member of each key department
– Member of support staff
– IT reps
– Security reps
– Legal reps
– Senior management
BCP Committee
Carries out risk assessment and analysis
Analysis to be carried out before plan is
developed
Execute
– Business impact analysis
– Development plan
– Testing and plan maintenance
Risk Assessment
ID critical business functions
ID resources these functions depend upon
Calculate life expectancy w/o resources
ID vulnerabilities and threats to these
functions
Calculate risks to these functions
Develop backup plans for these functions
Develop recovery plans for these functions
Types of Analyses
Quantitative
– Involves the use of numbers and formulas to
reach a decision
Qualitative
– Takes non-numerical factors such as emotions,
confidence, workforce stability, and other
concerns into account
Identify Priorities
Activities that are most essential to your
day-to-day operations
Maximum Tolerable Downtime (MTD)
– Maximum length of time a business function can
be inoperable without causing irreparable harm
to the business
Identify Business Risks
Natural Disasters
– Storms, hurricanes, earthquakes, volcanoes…
Man Made
– Terrorist/wars/civil unrest
– Theft/vandalism
– Fire/explosion/building collapse
– Power outages
ID Critical Functions Resources
Specific types of technology
Necessary software
Electrical power
Network/physical production environment
Safe environment for workers
Access to outside entities
Communication lines
Likelihood Assessment
Business Impact Assessment (BIA)
identifies the likelihood that each risk will
occur
Expressed in terms of an annualized rate of
occurrence (ARO) that reflects the number
of times a business expects to experience a
given disaster each year
Impact Assessment
Exposure Factor (EF) is the amount of
damage that the risk poses to the asset
Single loss expectancy (SLE) is the $ loss
that is expected each time the risk
materializes
Annualized loss expectancy (ALE) is the $
loss that is expected to occur as a result of
the risk over the period of a year
Example
Fire at Building
– Building value of $500,000
– Exposure factor of 70%
– Occurs once every 30 years
– What is the ALE?
Qualitative Assessment
Loss of confidence and goodwill among your
clients
Loss of employees due to down time
Social/ethical responsibilities to the
community
Negative publicity
Resource Prioritization
Create a list of all of the risks you analyzed
during the BIA process and sort them in
descending order by the ALE
Results of the quantitative or qualitative
analysis may justify a risk as having a higher
priority based on business impact
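Added example, not part of the original slides: a small risk register that computes SLE and ALE using the standard formulas (SLE = asset value × EF, ALE = SLE × ARO) and sorts the risks in descending order by ALE. The fire entry uses the figures from the Example slide; the other two risks and all Python names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset damaged (0.0-1.0)
    aro: float              # ARO, expected occurrences per year

    def __post_init__(self):
        # Reject inputs that would silently produce a meaningless ALE.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: dollar loss each time the risk materializes."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE scaled by the yearly frequency."""
        return self.sle * self.aro


def prioritize(risks):
    """Return the risks sorted in descending order by ALE."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# The fire row uses the slide's figures (once every 30 years -> ARO = 1/30);
# the other two rows are constructed sample data.
RISKS = [
    Risk("Fire at building", 500_000, 0.70, 1 / 30),
    Risk("Power outage (constructed)", 80_000, 0.10, 4),
    Risk("Theft of equipment (constructed)", 40_000, 0.25, 0.5),
]

if __name__ == "__main__":
    print(f"{'Risk':<34}{'SLE':>12}{'ALE':>12}")
    for r in prioritize(RISKS):
        print(f"{r.name:<34}{r.sle:>12,.0f}{r.ale:>12,.0f}")
```

A frequent low-impact risk can outrank a rare high-impact one on ALE alone, which is why the qualitative factors on the previous slide may still justify reordering the list.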
Continuity Strategy
Focuses on the development and
implementation of a continuity strategy to
minimize the impact realized risks might
have on protected assets
Consider the MTD and decide which risks
are acceptable
Bridge the gap between BIA and Continuity
Provisions and Processes
People
– Ensure that people within your organization are
safe before, during, and after an emergency
– Building/facilities
– Infrastructure
Buildings/facilities
Hardening provisions
– Reinforce structure, patch roofs, etc
Alternate sites
– Hot Site
Ready for data processing in a few hours or less
Contains all necessary systems, devices
– Just needs people & data
Annual tests are conducted
Most expensive subscription option
More Sites
Warm Site
– Ready for data processing in 12 hours or longer
– Some peripheral devices
Needs software, people, data, and computers
– Better choice for proprietary hardware/software
– Less expensive than hot sites
More Sites
Cold Site
– Empty building
– No equipment
– Electrical wiring, A/C, plumbing, and flooring
– Two weeks or longer for operational status
– Least expensive
Testing Offsite Facility
Hardware should be compatible
Software should be compatible
Type of database transfer
– Remote mirroring/database shadowing
– Remote journaling
– Electronic vaulting
Test data backups
– Full, incremental, differential
BCP Plan Approval
Gain top level management endorsement
Be prepared with explanations of purpose
Planning team should contain top level
executive
– Helps to get final approval
Testing and Drills
Test Characteristics
– Indicate if company can actually recover
– At least annually
– Identify areas of weakness
Drills
– Create a disaster scenario
– Create goals to be accomplished
– Run drill and report findings to management
BCP Tests
Checklist tests
– Copies of BCP distributed to functional managers
– Review part of plan that addresses their area
– Simplest but most crucial
Structured walk through
– Functional managers meet to go through plan
Simulation
– Carry out the disaster scenario
– Continues up to actual relocation to offsite
– Response measures are tested
BCP Tests
Parallel
– Some systems are transported to the offsite
facility for parallel processing
– Actually relocate personnel where they perform
their disaster recovery tasks
Full interruption test
– Original site shuts down
– All processing takes place at offsite
What is Success?
Response within an acceptable timeframe
Operations at alternate location adequate
Backups successfully restored
Emergency personnel reached within
acceptable time frame
Team members aware of current plan and
able to perform associated duties
Plan is current and relevant
BCP Plan can Become Outdated
Technology changes
Company merges or splits
Plan is not properly maintained
Personnel turnover
No person or group made responsible
Plan not audited
No change control tool
BCP Phases
Business Impact Analysis
Strategy Development
Plan Development
Implementation
Testing
Maintenance
Are We There Yet?
2005 Survey indicates:
– Less than 15% of companies prepared for
disaster
– 40% of companies would be out of business
permanently if closed for a week
Legislative Issues
Health Insurance Portability and
Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLB)
Patriot Act
Electronic Communications Privacy Act
(ECPA)