Business Continuity Planning


LTU CISP Security 1

Business Continuity Planning

• The Problem
• Reasons for Business Continuity Planning (BCP)
• Principles of BCP
• Doing BCP
  – The steps
  – What is included
  – The stages of an incident

Definitions

A contingency plan is: “A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation…” (National Computer Security Center 1988)

1997-98 survey: >35% of companies have no plans

Definitions of BCP

• Disaster Recovery
• Business Continuity Planning
• End-user Recovery Planning
• Contingency Planning
• Emergency Response
• Crisis Management

The goal is to assist the organization/business to continue functioning even though normal operations are disrupted.

Includes steps to take:
• Before a disruption
• During a disruption
• After a disruption

Reasons for BCP

It is better to plan activities ahead of time rather than to react when the time comes: “Proactive” rather than “Reactive”.
• Take the correct actions when needed
• Allow for experienced personnel to be absent
• Maintain business operations
  – Keep the money coming in
  – Short and long term loss of business
  – Have necessary materials, equipment, information on hand
  – Saves time, mistakes, stress and $$
  – Planning can take up to 3 years
• Effect on customers
• Public image
• Loss of life
• Legal requirements
  – ‘77 Foreign Corrupt Practices Act / protection of stockholders: management criminally liable
  – Federal Financial Institutions Examination Council (FFIEC)
  – FCPA
  – SAS30 Audit Standards
  – Defense Investigative Service
  – Legal and regulatory sanctions, civil suits

Definitions

• Due Care: minimum and customary practice of responsible protection of assets that reflects a community or societal norm
• Due Diligence: prudent management and execution of due care

The Problem

• Utility failures
• Intruders
• Fire/Smoke
• Water
• Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
• Heat/Humidity
• Electromagnetic emanations
• Hostile activity
• Technology failure

Recent Disasters

• Bombings: ‘92 London financial district; ‘93 World Trade Center, NY; ‘93 London financial district; ‘95 Oklahoma City; ’01 World Trade Center, NY (9/11)
• Earthquakes: ‘89 San Francisco; ‘94 Los Angeles; ‘95 Kobe, JP
• Fires: ‘95 Malden Mills, Lawrence, MA; ‘96 Credit Lyonnais, FR; ‘97 Iron Mountain Record Center, Brunswick, NJ
• Power: ‘92 AT&T; ‘96 Orrville, OH; ‘99 East coast heat/drought brownouts
• Floods: ‘97 Midwest floods
• Storms: ‘92 Hurricane Andrew; ‘93 Northeast Blizzard; ‘96 Hurricanes Bertha, Fran; ‘98 Florida tornados
• Hardware/Software: Year 2000

The Problem

Failure to keep operating (Fortune 1000 study):
• Average loss $78K, up to $500K
• 65% failing over 1 week never reopen
• Loss of market share common

Threats

From Data Pro reports:
• Errors & omissions: 50%
• Fire, water, electrical: 25%
• Dishonest employees: 10%
• Disgruntled employees: 10%
• Outsider threats: 5%

The Controls

• Least Privilege
• Information security
• Redundancy
  – Backed up data
  – Alternate equipment
  – Alternate communications
  – Alternate facilities
  – Alternate personnel
  – Alternate procedures

The Steps in a BCP - Initiation

• Project initiation
  – Business case to obtain support
  – Sell the need for DRP (price vs benefit)
  – Build and maintain awareness
  – On-going testing & maintenance
• Top down approach
  – Executive commitment and support: MOST CRITICAL
  – Project planning, staffing
  – Local support/responsibility

The Steps in a BCP - 1

Impact Assessment (Impact Analysis / Vulnerability Assessment / Current State Assessment / Risk Assessment)

Purpose:
• Identify risks
• Identify business requirements for continuity
• Quantify impact of potential threats
• Balance impact and countermeasure cost
• Establish recovery priorities

Benefits

• Relates security objectives to organization mission
• Quantifies how much to spend on security measures
• Provides long term planning guidance for:
  – Building design
  – HW configuration
  – SW
  – Internal controls
  – Criteria for contingency plans
  – Security policy
  – Site selection
• Protection requirements
• Significant threats
• Responsibilities

The Steps in a BCP - 1

Risk Assessment/Analysis
• Potential failure scenarios (risks)
• Likelihood of failure
• Cost of failure (loss impact analysis): quantify impact of threat
  – Dollar losses
  – Additional operational expenses
  – Violation of contracts, regulatory requirements
  – Loss of competitive advantage, public confidence
• Assumed maximum downtime (recovery time frames)
  – Rate of losses
  – Periodic criticality
  – Time-loss curve charts
• Annual Loss Expectancy
• Worst case assumptions
• Based on business process model? Or IT model?
• Identify critical functions and supporting resources
• Balance impact and countermeasure cost

Key: potential damage and likelihood

Definitions

• Threat: any event which could have an undesirable impact
• Vulnerability: absence or weakness of a risk-reducing safeguard; potential to allow a threat to occur with greater frequency, greater impact, or both
• Exposure: a measure of the magnitude of loss or impact on the value of the asset
• Risk: the potential for harm or loss, including the degree of confidence of the estimate

Definitions

• Quantitative Risk Analysis: quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability
  – Powerful aid to decision making
  – Difficult to do in time and cost
• Qualitative Risk Analysis: minimally quantified estimates; exposure scale ranking estimates
  – Easier in time and money
  – Less compelling

Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative.

Results

• Loss impact analysis
• Recovery time frames
  – Essential business functions
  – Information systems applications
• Recommended recovery priorities & strategies

Goals:
• Understand economic & operational impact
• Determine recovery time frame (business/DP/Network)
• Identify most appropriate strategy
• Cost/justify recovery planning
• Include BCP in normal decision making process

Risk Management Team

• Management: support
• DP Operations
• Systems Programming
• Internal Audit
• Physical Security
• Application owners
• Application programmers

Preliminary Security Exam

• Asset costs
• Threat survey
  – Personnel
  – Physical environment
  – HW/SW
  – Communications
  – Applications
  – Operations
  – Natural disasters
  – Environment
  – Facility
  – Access
  – Data value
• Existing security measures
• Management review

Threats

• Hardware failure
• Utility failure
• Natural disasters
• Loss of key personnel
• Human errors
• Neighborhood hazards
• Tampering
• Disgruntled employees
• Emanations
• Unauthorized access
• Safety
• Improper use of technology
• Repetition of errors
• Cascading of errors
• Illogical processing
• Translation of user needs (technical requirements)
• Inability to control technology
• Equipment failure
• Incorrect entry of data
• Concentration of data
• Inability to react quickly
• Inability to substantiate processing
• Concentration of responsibilities
• Erroneous/falsified data
• Misuse
• Uncontrolled system access
• Ineffective application security
• Operations procedural errors
• Program errors
• Operating system flaws
• Communications system failure

Risk Analysis Steps

1 - Identify essential business functions
  – Dollar losses or added expense
  – Contract/legal/regulatory requirements
  – Competitive advantage/market share
  – Interviews, questionnaires, workshops

2 - Establish recovery plan parameters
  – Prioritize business functions

3 - Gather impact data / Threat analysis
  – Probability of occurrence, source of help
  – Document business functions
  – Define support requirements
  – Document effects of disruption
  – Determine maximum acceptable outage period
  – Create outage scenarios

4 - Analyze and summarize
  – Estimate potential losses: destruction/theft of assets, loss of data, theft of information, indirect theft of assets, delayed processing; consider periodicity
  – Combine potential loss & probability: the magnitude of risk is the ALE (Annual Loss Expectancy)
  – Guide to security measures and how much to spend

Results

• Significant threats & probabilities
• Critical tasks & loss potential by threat
• Remedial measures
  – Greatest net reduction in losses
  – Annual cost

Information Valuation

• Information has cost/value
  – Acquire/develop/maintain
  – Owner/Custodian/User/Adversary
• Do a cost/value estimate for:
  – Cost/benefit analysis
  – Integrate security in systems
  – Avoid penalties
  – Preserve proprietary information
  – Business continuity
• Circumstances affect valuation timing
• Ethical obligation to use justifiable tools/techniques

Conditions of Value

• Exclusive possession
• Utility
• Cost of creation/recreation
• Liability
• Convertibility/negotiability
• Operational impact
• Market forces
• Official value
• Expert opinion/appraisal
• Bilateral agreement/contract

Scenario

A specific threat (potential event/act) in which assets are subject to loss.
• Write scenario for each major threat
• Credibility/functionality review
• Evaluate current safeguards
• Finalize / Play out
• Prepare findings

The Steps in a BCP - 2

Strategy Development (Alternative Selection)
• Management support
• Team structure
• Strategy selection
  – Cost effective
  – Workable

The Steps in a BCP - 3

Implementation (Plan Development)
• Specify resources needed for recovery
• Make necessary advance arrangements
• Mitigate exposures

The Steps in a BCP - 3

Risk Prevention/Mitigation
• Security: physical and information (access)
• Environmental controls
• Redundancy: backups/recoverability
  – Journaling, Mirroring, Shadowing
  – On-line / near-line / off-line
• Insurance
• Emergency response plans
• Procedures
• Training
• Risk management program

The Steps in a BCP - 3

Decision Making
• Cost effectiveness
  – Total cost
• Human intervention requirements
  – Manual functions are weakest
• Overrides and defaults
  – Shutdown capability
  – Default to no access
• Design openness
• Least Privilege
  – Minimum information
• Visible safeguards
• Entrapment
  – Selected vulnerabilities made attractive
• Universality
• Compartmentalization, defense in depth
• Isolation
• Completeness
• Instrumentation
• Independence of controller and subject
• Acceptance
• Sustainability
• Auditability
• Accountability
• Recovery

Remedial Measures

• Alter environment
• Erect barriers
• Improve procedures
• Early detection
• Contingency plans
• Risk assignment (insurance)
• Agreements
• Stockpiling
• Risk acceptance

By hazard:
• Fire: detection, suppression
• Water: detection, equipment covers, positioning
• Electrical: UPS, generators
• Environmental: backups
• Good housekeeping
• Backup procedures
• Emergency response procedures

The Steps in a BCP - 3

Plan Development
• Specify resources needed for recovery
• Team-based
• Recovery plans
• Mitigation steps
• Testing plans
• Prepared by those who will carry them out

Included in a BCP

• Off-site storage
  – Trip there: secure? Timely?
  – Physical layout of site
  – Fire protection
  – Climate controls
  – Security access controls
  – Backup power
• Alternate site
  – Reciprocal agreements / Multiple sites / Service bureaus
  – Hot / Warm / Cold (Shell) sites
  – Trip there: secure? Timely?
  – Physical layout of site
  – Fire protection
  – Climate controls
  – Security access controls
  – Backup power
  – Agreements
• Backup processing
  – Compatibility
  – Capacity
  – Journaling: maintaining audit records
  – Remote journaling: journaling to an off-site location
  – Shadowing: remote journaling and delayed mirroring
  – Mirroring: maintaining a realtime copy of data
  – Electronic vaulting: bulk transfer of backup files
• Communications
  – Compatibility
  – Accessibility
  – Capacity
  – Alternatives
• Work space
  – Accessibility
  – Capacity
  – Environment
• Office equipment/supplies/documentation
• Security
• Critical business processes/Management
• Testing
• Vendors: contact info, agreements
• Teams: contact info, transportation
• Return to normal operations
• Resources needed

Complications

• Media/Police/Public
• Families
• Fraud
• Looting/Vandalism
• Safety/Legal issues
• Expenses/Approval

The Steps in a BCP - Finally

Plan Testing
• Proves feasibility of recovery process
• Verifies compatibility of backup facilities
• Ensures adequacy of team procedures
• Identifies deficiencies in procedures
• Trains team members
• Provides mechanism for maintaining/updating the plan
• Upper management comfort

The Steps in a BCP - Finally

Plan Testing
• Desk checks / Checklist
• Structured Walkthroughs
• Live exercises / Simulations
• Periodic off-site recovery tests / Parallel
• Full interruption drills

The Steps in a BCP - Finally

Test:
• Software
• Hardware
• Personnel
• Communications
• Procurement
• Procedures
• Supplies/forms
• Documentation
• Transportation
• Utilities
• Alternate site processing
• Security

The Steps in a BCP - Finally

Test plan:
• Purpose (scenario)
• Objectives/Assumptions
• Type
• Timing
• Schedule
• Duration
• Participants
• Assignments
• Constraints
• Steps

The Steps in a BCP - Finally

Alternate Site Test
• Activate emergency control center
• Notify & mobilize personnel
• Notify vendors
• Pickup and transport tapes, supplies, documentation
• Install (Cold and Warm sites)
• IPL
• Verify
• Run
• Shut down/Clean up
• Document/Report

The Steps in a BCP - Finally

Plan Update and Retest cycle (Plan Maintenance): critical to maintain validity and usability of plan
• Environmental changes
• HW/SW/FW changes
• Personnel
• Needs to be included in organization plans
  – Job description/expectations
  – Personnel evaluations
  – Audit work plans

BCP by Stages

• Initiation
• Current state assessment
• Develop support processes
• Training
• Impact Assessment
• Alternative selection
• Recovery Plan development
• Support services continuity plan development
• Master plan consolidation
• Testing strategy development
• Post transition plan development
• Implementation planning
• Quick Hits
• Implementation, testing, maintenance

End User Planning

• DP is critical to end users
• Difficult to use manual procedures
• Recovery is complex
• Need to plan:
  – manual procedures
  – recovery of data/transactions
  – procedures for alternate site operation
  – procedures to return to normal

The Real World

DR plans normally involve:
• Essential DP platforms/systems only
• A manual on the shelf written 2-3 years ago
• Little or no user involvement
• No provision for business processes
• No active testing
• Resource lists and contact information that do not match current realities

Stages in an Incident

1 - Disaster: interruption affecting user operations significantly

2 - Initial/Emergency response
  – Purpose: ensure safety of people; prevent further damage
  – Activate emergency response team
  – Covers emergency procedures for expected hazards
  – Safety essential
  – Emergency supplies
  – Crisis Management plan: decision making

3 - Impact assessment
  – Activate assessment team
  – Determine situation: what is affected?
  – Decide whether to activate plan

4 - Initial recovery
  – Initial recovery of key areas at alternate site
  – Detailed procedures
  – Salvage/repair, clean up

5 - Return to normal / Business resumption
  – Return to operation at normal site
  – “Emergency” is not over until you are back to normal
  – Requires just as much planning: parallel operations

Special Cases

Y2K
• Incidents will happen in a particular time frame
• Alternate sites won’t help
• Redundant equipment won’t help
• Backups won’t help
• Involves automated equipment and services

Final Thoughts

Do you really want to activate a DR/BCP plan?
• Prevention
• Planning

Recommended