Presentation Slides

advertisement
IT Best Practices for Community Colleges Part 2:
Business Continuity
Donald Hester
March 9, 2010
For audio call Toll Free 1-888-886-3951
and use PIN/code 695202
Housekeeping
• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.
Adjusting Audio
1) If you’re listening on your computer, adjust your volume using
the speaker slider.
2) If you’re listening over the phone, click on phone headset.
Do not listen on both computer and phone.
Saving Files & Open/close Captions
1. Save chat window with floppy disc icon
2. Open/close captioning window with CC icon
Emoticons and Polling
1) Raise hand and Emoticons
2) Polling options
CISOA Conference
http://cisoa.net
IT Best Practices for Community Colleges Part 2:
Business Continuity
Donald Hester
What is IT Contingency Planning
NIST SP 800-34
OMB Circular A-130, Appendix III, requires the
development and maintenance of continuity of support
plans for general support systems and contingency
plans for major applications.
8
Business Continuity Planning
 Business continuity planning
• reestablishment of critical business
operations
so that operations can continue
•
 If a disaster has rendered the business
unusable for continued operations, there
must be a plan to allow the business to
continue to function
Continuity Strategy
 Management must drive strategic planning to assure
continuous information systems availability
 Plans are referred to in a number of ways
• Business Continuity Plans (BCPs)
• Disaster Recovery Plans (DRPs)
• Incident Response Plans (IRPs)
• Contingency Plans (CP)
• Continuity of Operations Plan (COOP)
• Business Recovery Plan (BRP)
 Some organizations may have many types of plans,
some may have one simple plan
 Most organizations have inadequate planning
Interrelationship of Emergency
Preparedness Plans
NIST SP 800-34
11
Follow the System Development
Life Cycle (SDLC)
NIST SP 800-34
12
Seven-step Continuity Process
13
1
• Develop the contingency planning policy statement
2
• Conduct the business impact analysis
3
• Identify preventive controls
4
• Develop recovery strategies
5
• Develop an IT contingency plan
6
• Plan testing, training and exercise
7
• Plan maintenance
Contingency Planning Policy
 “A formal department or agency policy
provides the authority and guidance
necessary to develop an effective
contingency plan.”
• Identify statutory requirements
• Identify organizational requirements
• Management support
• Create policy
• Publish policy (communicate policy)
14
Business Impact Analysis
 Begin with Business Impact Analysis (BIA)
if the attack succeeds, what do we do then?
 The CP team conducts the BIA in the following
stages:
1.Threat attack identification
2.Business unit analysis
3.Attack success scenarios
4.Potential damage assessment
5.Subordinate plan classification
 “The BIA helps to identify and prioritize critical
IT systems and components.”
BIA Process
Identify critical IT
resources and
dependencies
16
Identify
maximum
allowable
downtime
Develop
recovery
strategies &
priorities
Business Impact Analysis
 3 types of threats
• Natural - e.g., earthquake,
•
•
17
hurricane, tornado, flood, and fire
Human - e.g., operator error,
sabotage, implant of malicious
code, and terrorist attacks
Environmental - e.g., equipment
failure, software error,
telecommunications network
outage, and electric power failure.
Identify Preventive Controls
 “Measures taken to reduce the effects of
system disruptions can increase system
availability and reduce contingency life
cycle costs.”
• Redundancy
• Backups
• Environmental: A/C, Fire Suppression
• Offsite Storage
• UPS/Generator
• Earthquake racks
18
Develop Recovery Strategies
 “Thorough recovery strategies ensure
that the system may be recovered
quickly and effectively following a
disruption.”
• Onsite Recovery, recover from backup
• Hardware replacement,

Vendor agreements (SLA)
• Alternate site, reciprocal agreements

19
Cold site, warm site, hot site, mobile site,
mirrored sites
Develop an IT Contingency Plan
 “The contingency plan should contain
detailed guidance and procedures for
restoring a damaged system.”
• Document roles and responsibilities
• Document recovery information
• Notification and Activation
• Damage Assessment
• Recovery Procedures
• Call Tree
Plan Testing, Training & Exercises
 “Testing the plan identifies planning gaps,
whereas training prepares recovery personnel
for plan activation; both activities improve plan
effectiveness and overall agency
preparedness.”
• Annual testing
Classroom exercises
Functional exercise
Find weakness
Train users so that when it happens you are ready
and know what to do


•
•
21
Plan Maintenance
 “The plan should be a living document
that is updated regularly to remain
current with system enhancements.”
• The plan must be maintained in a ready
•
•
22
state that accurately reflects system
requirements, procedures, organizational
structure, and policies.
Keep a record of changes
Updated as needed
Why NIST?
“State, local, and tribal governments, as well as private
sector organizations, are encouraged to use the guidelines,
as appropriate." NIST SP 800-100
California Information Security Strategic Plan (OCT 2009)
"...by adopting the National Institute of Standards and Technology (NIST)
800-37 guidelines for certification and accreditation of information systems.
Applying NIST guidelines to state government systems will demonstrate
California’s leadership in building a resilient, secure, and trustworthy digital
infrastructure."
"Establish a California modified version of the NIST 800-30 risk
management standard as the risk management standard for all state
agencies."
23
"Establish a California-modified version of the NIST 800-53 recommended
security controls within all state agencies."
Resources
 NIST SP 800-34 “Contingency Guide for
Information Technology Systems”
• Has sample documents
 ISO 17799 § 11
 COBIT § DS4.0
 Guide to Disaster Recovery by Michael
Erbschloe ISBN 0-619-13122-5
 DRI International
 Disaster-Resource.com
Q&A
Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+
Maze & Associates
@One / San Diego City College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Evaluation Survey Link
Help us improve our seminars by filing
out a short online evaluation survey at:
http://www.surveymonkey.com/s/10SpIT2
IT Best Practices for Community Colleges Part 2:
Business Continuity
Thanks for attending
For upcoming events and links to recently archived
seminars, check the @ONE Web site at:
http://onefortraining.org/
Download