Copyright Security-Assessment.com 2006
S4 Conference Series
BCP and DR. Timely Reminder
Presented By Peter Benson

Timely Reminder Agenda
• Consider the Conditions
• Trends and Issues
• Basic Frameworks

Environmental Conditions
• Assume a hurricane has affected your main offices / building and has wreaked significant havoc, including smashing windows and damaging equipment. Assume that rainwater has entered the building through the broken windows and severely affected the computer systems.
• Assume your main premises have been affected by flooding and it has affected all systems and equipment located on the ground floor and lower ground floors. Assume also that any cables which pass through the ground floor are also affected and 'out of commission'.
• Assume the main workplace is affected by an earthquake measuring 6.5 on the Richter scale with the epicentre only two miles away. There is significant impact on local services and transportation, and some injuries have been caused to staff whose homes are located in the region. The earthquake has affected electrical power supplies, water and drainage. Telephones could still be operational.

Environmental (continued)
• Assume an electrical storm has affected the premises and the lightning rods were ineffective. The direct hit has knocked out the internal electrical power and damaged at least 50% of the equipment (including IT hardware).
• Fire: Assume that there has been significant fire and smoke damage affecting over 50% of the company's records and workspace. Assume also, if one is installed, that the automatic sprinkler system was activated, causing further damage.

Organised or Deliberate
• A group of terrorists have exploded a car bomb outside your main premises. There has been considerable damage to the building and equipment outside. Fortunately, there was no loss of life or injuries as the explosion occurred at 3 a.m.
• A disgruntled employee has planted some malicious code in your main systems and this has resulted in a complete shutdown of your systems with probable loss of data and damage to data files.
• Over the weekend, your main office was broken into and a significant amount of computer equipment was removed. This has rendered the office unusable for at least five days.
• Your main warehouse has been burnt down through a deliberate fire. The warehouse and contents have been completely destroyed.
• Labour Dispute / Industrial Action

Utilities and Services
• Electrical power failure (blackouts) (brownouts): Assume electrical power completely affected. No heating, air conditioning, lights, PCs, terminals, networks, telephones and faxes available. Only pre-printed hardcopy or laptop / battery based equipment usable.
• Loss of gas supply: A gas leak in the local vicinity has forced the Gas Utility Supplier to close down all gas services in the area.
• Loss of water supply: Contamination has leaked into the local fresh water supply and there is unlikely to be water available for the immediate future.
• Petroleum and oil shortage: OPEC has a major internal dispute and this is affecting oil supplies worldwide. This may continue for some time and adequate precautions should be taken. Rationing has already started and the shortage is seriously affecting transportation.

Utilities (continued)
• Communications services breakdown: Serious damage to local cables has resulted in the telecommunications not being available today and for the immediate future. Predictions are for the service to be unavailable for seven days. This is affecting e-commerce sites, networks and Internet availability.
• Loss of drainage / waste removal: Local flooding has caused serious problems for the local drainage system and debris has created a serious blockage affecting repairs. You are requested not to use the water drainage facilities for the next three days, by which time it may have been cleared.

Trends and Considerations
• Over reliance on power supply systems / suppliers
• Over reliance on network / internet providers
• Over reliance on hosting providers
• Telecommunications issues
• Underestimating impact
• Breadth of consideration low
• Under planning for worst case scenarios
• Lack of testing / plan maintenance
• Backup issues

Considerations (continued)
• Dependence on singular circuits (AK Power, Telecommunications)
• Triggers not just Technological (OSH)
• Re-evaluation of old plans (cost escalations)
• Backup systems / sites not up to spec for security
• Upstream and Downstream Service Provider SLAs (capabilities, obligations)

Standard Frameworks: NIST
• Develop the contingency planning policy statement
• Conduct the business impact analysis (BIA)
• Identify preventive controls
• Develop recovery strategies
• Develop an IT contingency plan
• Plan testing, training, and exercises
• Plan maintenance

Standard Frameworks: ISO17799
• Understand the risks the organization is facing in terms of likelihood and impact in time, including an identification and prioritisation of critical business processes;
• Identify all the assets involved in critical business processes;
• Understand the impact which interruptions caused by information security incidents are likely to have on the business, and establish the business objectives of information processing facilities;
• Consider the purchase of suitable insurance;
• Identify and consider the implementation of additional preventive and mitigating controls;

Planning a Course of Action
• Identify sufficient financial, organizational, technical, and environmental resources to address the requirements;
• Ensure the safety of personnel and the protection of information processing facilities and organizational property;
• Formulate and document business continuity plans addressing requirements;
• Regular testing and updating of the plans and processes put in place;
• Ensure that the management of business continuity is incorporated in the organization’s processes and structure;
Questions ?
http://www.security-assessment.com
Peter.benson@security-assessment.com