Information Systems Security
Business Continuity Planning
Domain #6

Pieces of the BCP
Disaster Recovery Planning
  – How to survive the disaster
  – Emergency response responsibilities
  – Recovery procedures
Business Continuity Planning
  – How to stay in business while crippled
  – Continuity of critical business functions
  – Reduce overall impact of interruption

Processes of the BCP Plan
Project Initiation Phase
Current State Assessment Phase
Design and Development Phase
Implementation Phase
Management Phase
REPEAT, REPEAT, REPEAT

Project Initiation
Gain support of management
Show cost versus benefit
Regulatory requirements
Ramifications of others not having a plan
Current vulnerability analysis

Current State Assessment
Threat Analysis
Business Impact Assessment
Continuity Planning Process Assessment
Benchmark or Peer Review

Design and Development
Develop appropriate continuity strategy
Develop crisis management plan
Develop infrastructure
Design initial acceptance testing
Plan for resource acquisition

Implementation
Deploy continuity plan
Perform short-term and long-term testing
Program maintenance
Program training and awareness
Program management process

Senior Management’s Role
Due diligence and due care
Drive all phases of the plan
Consistent support and final approval
Ensure that testing takes place
Constructing a budget

BCP Team
Minimum key personnel should be:
  – Member of each key department
  – Member of support staff
  – IT reps
  – Security reps
  – Legal reps
  – Senior management

BCP Committee
Carries out risk assessment and analysis
Analysis to be carried out before plan is developed
Execute
  – Business impact analysis
  – Development plan
  – Testing and plan maintenance

Risk Assessment
ID critical business functions
ID resources these functions depend upon
Calculate life expectancy w/o resources
ID vulnerabilities and threats to these functions
Calculate risks to these functions
Develop backup plans for these functions
Develop recovery plans for these functions

Types of Analyses
Quantitative
  – Involves the use of numbers and formulas to reach a decision
Qualitative
  – Takes non-numerical factors such as emotions, confidence, workforce stability, and other concerns into account

Identify Priorities
Activities that are most essential to your day-to-day operations
Maximum Tolerable Downtime (MTD)
  – Maximum length of time a business function can be inoperable without causing irreparable harm to the business

Identify Business Risks
Natural Disasters
  – Storms, hurricanes, earthquakes, volcanoes…
Man Made
  – Terrorist/wars/civil unrest
  – Theft/vandalism
  – Fire/explosion/building collapse
  – Power outages

ID Critical Functions Resources
Specific types of technology
Necessary software
Electrical power
Network/physical production environment
Safe environment for workers
Access to outside entities
Communication lines

Likelihood Assessment
Business Impact Assessment (BIA) identifies the likelihood that each risk will occur
Expressed in terms of an annualized rate of occurrence (ARO) that reflects the number of times a business expects to experience a given disaster each year

Impact Assessment
Exposure Factor (EF) is the amount of damage that the risk poses to the asset
Single loss expectancy (SLE) is the $ loss that is expected each time the risk materializes
Annualized loss expectancy (ALE) is the $ loss that is expected to occur as a result of the risk over the period of a year

Example
Fire at Building
  – Building value of $500,000
  – Exposure factor of 70%
  – Occurs once every 30 years
  – What is the ALE?

Qualitative Assessment
Loss of confidence and goodwill among your clients
Loss of employees due to down time
Social/ethical responsibilities to the community
Negative publicity

Resource Prioritization
Create a list of all of the risks you analyzed during the BIA process and sort them in descending order by the ALE
Results of the quantitative or qualitative analysis may justify a risk as having a higher priority based on business impact

Continuity Strategy
Focuses on the development and implementation of a continuity strategy to minimize the impact realized risks might have on protected assets
Consider the MTD and decide which risks are acceptable
Bridge the gap between BIA and Continuity

Provisions and Processes
People
  – Ensure that people within your organization are safe before, during, and after an emergency
  – Building/facilities
  – Infrastructure

Buildings/facilities
Hardening provisions
  – Reinforce structure, patch roofs, etc
Alternate sites
  – Hot Site
      Ready for data processing in a few hours or less
      Contains all necessary systems, devices
        – Just needs people & data
      Annual tests are conducted
      Most expensive subscription option

More Sites
Warm Site
  – Ready for data processing in 12 hours or longer
  – Some peripheral devices
      Needs software, people, data, and computers
  – Better choice for proprietary hardware/software
  – Less expensive than hot sites

More Sites
Cold Site
  – Empty building
  – No equipment
  – Electrical wiring, A/C, plumbing, and flooring
  – Two weeks or longer for operational status
  – Least expensive

Testing Offsite Facility
Hardware should be compatible
Software should be compatible
Type of database transfer
  – Remote mirroring/database shadowing
  – Remote journaling
  – Electronic vaulting
Test data backups
  – Full, incremental, differential

BCP Plan Approval
Gain top level management endorsement
Be prepared with explanations of purpose
Planning team should contain top level executive
  – Helps to get final approval

Testing and Drills
Test Characteristics
  – Indicate if company can actually recover
  – At least annually
  – Identify areas of weakness
Drills
  – Create a disaster scenario
  – Create goals to be accomplished
  – Run drill and report findings to management

BCP Tests
Checklist tests
  – Copies of BCP distributed to functional manager
  – Review part of plan that addresses their area
  – Simplest but most crucial
Structured walk through
  – Functional managers meet to go through plan
Simulation
  – Carry out the disaster scenario
  – Continues up to actual relocation to offsite
  – Response measures are tested

BCP Tests
Parallel
  – Some systems are transported to the offsite facility for parallel processing
  – Actually relocate personnel where they perform their disaster recovery tasks
Full interruption test
  – Original site shuts down
  – All processing takes place at offsite

What is Success?
Response within an acceptable timeframe
Operations at alternate location adequate
Backups successfully restored
Emergency personnel reached within acceptable time frame
Team members aware of current plan and able to perform associated duties
Plan is current and relevant

BCP Plan can Become Outdated
Technology changes
Company merges or splits
Plan is not properly maintained
Personnel turnover
No person or group made responsible
Plan not audited
No change control tool

BCP Phases
Business Impact Analysis
Strategy Development
Plan Development
Implementation
Testing
Maintenance

Are We There Yet?
2005 Survey indicates:
  – Less than 15% of companies prepared for disaster
  – 40% of companies would be out of business permanently if closed for a week

Legislative Issues
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLB)
Patriot Act
Electronic Communications Privacy Act (ECPA)