13. Business Continuity &
Disaster Recovery Planning
1




Response to save business and human life
Recovery activities after a disaster to normal operations
Recovery plans to resume interrupted critical business
2




Need to process critical business systems in the event of disruption to normal business data processing operations.
Ensure the availability of critical information system resources in the event of an expected network interruption or disaster
Many kinds of plans

Contingency plans, Business Continuity Planning
(BCP), Disaster Recovery Planning (DRP)
3


Steps of BCP and DRP project life cycle

Project Scope Development and planning





Business Continuity analysis (BIA) and functional requirements ( for BIA steps, please see the book)
Business Continuity and Recovery Strategy
Plan Design and Development
Restoration
Feedback
4






Higher management’s commitment to go through the different steps of the project.
Deliverables


Project scope definition
Producing a Project plan

Dedicating a steering committee for the project
The BCP should be aligned with the organization's mission
Business continuity steering committee should

 know the mission statement in order to place the scope should have required authorization
Resources requirement need to be know at this stage



Budget requirements are estimated and validated
Personnel availability
Knowing key points of contact or personnel in an emergency
5




Evaluates all business functions against a common criterion to assess potential impacts to the business by an interruption
The following fall under the BIA

Preparing a BIA format


Assess Potential impacts
Prioritize: very important for business functions
Elements to consider

Analysis of different threats for the business



Identification of critical business functions and units
Emergency Assessment
3 rd party considerations
6





Threats analysis

Human Made threats, Natural threats, IT threats Etc
Identify critical business functions: some characteristics


Time Sensitivity, Data Integrity, Etc
Their impact on business: Financial & Operational Impact , Reputation etc
Emergency Assessment




Affected Areas
Alerting procedures
Security and safety procedures and guidelines
Etc
3 rd party considerations

Need to look at Down stream liabilities and upstream impacts

Compliance requirements, SLA Agreements, etc
7


Business Unit Priorities: Business units are examined for BIA identified critical functions

Critical processes and functions are reviewed by the
Steering committee and establishes priorities




The Committee looks at the minimum resources required for the identified functions
Priorities are documented
Recovery time Objective (RTO) is the assed time by which a critical function must be recovered
Recovery point objective (RPO) measures data integrity requirement or the tolerance for the amount of data loss

Cost/Benefit analysis
8


Three approaches for recovery



Dedicated site operated by the organization

Multiple processing centers
Commercially leased facility



Hot site / cost high
Worm site / cost moderate
Cold site / cost lowest
Agreement with an Internal or external facility


Identify organizations with equivalent IT configurations and backup technologies and establish an agreement
Types of agreements



Reciprocal or Mutual Aid
Contingency
Service Bureau
9




Strategies

Replication


Storage Area network
Electronic Vaulting, etc
Location and Storage Criteria


Maybe stored in several locations for different purposes
On-site storage, Off-site storage, Near-site storage
Resilience Strategies

Improve an organization's continuity and resilience

IT and Site Resilience etc
10





Emergency Response Procedures

Life , Health & safety



Damage Assessment
Event Reporting
Disaster Declaration, etc
Personnel Notifications





List of people to notify
Defining the role of the Executive crisis Management
Executive Succession Planning, etc
Backup and off-site storage


Inventory list is compiled and documented
Facility Accessibility and Resilience
Communication in Emergency
Emergency and Business communication system should be in place
Data communication priorities in networks should be agreed upon
11





Alterative site considerations

The ability to support the required infrastructure, environmental and space demands should be analyzed: Utilities, Communications, etc
Logistics and supplies

How resources are acquired or procured, transported and maintained



Personnel and materials transportation
Remote worker environment activation
Emergency funds access, etc
Documentation

BCP & DRP activation and de-activation plans and procedures are documented

Activity and status reports

Checklists etc
Business Continuity and resumption planning



Contracts for emergency vendor services
Risk Avoidance and mitigation planning
Emergency business Recovery procedures
12




Includes Training, Testing, Recovery and Audit
Training


Increasing the organization's awareness of the BC and DR business case
Different kinds of training for different attendees

All people training, Operation teams, Recovery teams etc
Testing

Confirms that the plan meets its emergency, recovery and restoration objectives

Measures the accuracy of the plans

Allow management to evaluate personnel readiness for an adverse event
13




Test Plans

Each time tests are scheduled, a test plan should be written, it should contain




Objectives and success criteria
Details
Schedule
Post-test review
Test types

Several test types exists which server different purposes




Checklist test
Structured walk-through
Simulation
Parallel testing
Testing follow-up



Identifying existing deficiencies
Plan should be routinely assessed
Should be scheduled for testing for example annually
14



Recovery procedures

Site migration


Local Recovery procedures
Transfer and recovery, etc.
Audit


Ensures an organization has an effective BC and DR capability
Measures compliance

Addressing audit findings
15





Restoration of primary location

Primary facility must be stabilized and secured and then more detailed damage assessment is conducted
Procurement



Has an essential role in supporting restoration
Consolidating acquisitions and Disposition
Costs reporting
Data Recovery



Reversal procedures
Business process recovery point
Journal and process synchronization
Relocation to primary site


Restoration order and prioritization
End of disaster declaration
16




Post-recovery reporting

Identification or remediation of plan gaps


Record Lessons learned
Performance metric review
Plan review and evaluation

Training of key personnel
Communication

Plan distribution

Communicate the plan to stakeholders
17



ISC2 CBK Material
CISSP-All-in-one book
18