Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,

  • Published on
    17-Jan-2016

  • View
    221

  • Download
    0

Transcript

<ul><li><p>Business Continuity</p><p>Management of Information Security </p></li><li><p>Business continuity...Drive thy business or it will drive thee.Benjamin Franklin (1706-1790), American entrepreneur, statesman, scientist and philosopherIt is your business when the wall next door catches fire.Horatius (65-8 BC), Roman poet</p></li><li><p>What is a Disaster?Any unplanned event that requires immediate redeployment of limited resourcesNatural ForcesFireEnvironmental HazardsFlood / Water DamageExtreme Weather Technical FailurePower OutageEquipment FailureNetwork FailureSoftware FailureHuman InterferenceCriminal ActHuman ErrorLoss of UsersExplosions Sample Disasters</p><p>Management of Information Security </p></li><li><p>What is a Disaster Recovery Plan?A management document for how and when to utilize resources needed to maintain selected functions when disrupted by agreed upon incidents</p><p>Management of Information Security </p></li><li><p>business continuity plan: documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruptiondisaster recovery plan: clearly defined and documented plan which recovers ICT capabilities when a disruption occursbusiness impact analysis (BIA): process of analysing business functions and the effect that a business disruption might have upon them</p></li><li><p>The Auditors Role in ReviewingBusiness Continuity Planning, Ravi MuthukrishnanWhile a BCP refers to the activities required to keep the organisation running during a period of displacement or interruption of normal operation, a disaster recovery plan (DRP) is the process of rebuilding the operations or infrastructure after the disaster has passed.A DRP is a key component of a BCP, and refers to the technological aspect of a BCPthe advanced planning and preparations necessary to minimise loss and ensure continuity of critical business functions in the event of a disaster. A DRP comprises consistent actions to be undertaken prior to, during and subsequent to a disaster.</p></li><li><p>Terms and definitionsmaximum tolerable period of disruption: duration after which an organizations viability will be irrevocably threatened if product and service delivery cannot be resumed recovery time objective: period of time within which minimum levels of services and/or products and the supporting systems, applications, or functions must be recovered after a disruption has occurredrecovery point objective: point in time to which data must be recovered after a disruption has occurred</p></li><li><p> Avoidance StrategyRedundant configuration to avoid incidentsSite harden facilities to resist incidentsRedundant utilities and hardwareAutomated operation recovery plan Mitigation StrategyEarly warning detectionContractual agreements with vendorsMirrored data and documentsDetailed migration recovery plan Recovery StrategyHigh level recovery planOff-site data storageVery responsive vendor relationshipsVery knowledgeable employeesTypes of Strategy OptionsHot siteCold siteSelf BackupService BureauReciprocal AgreementTypes of Strategies</p><p>Management of Information Security </p></li><li><p>Timing RequirementsMinutesHoursDaysWeeksQuartersSpecial SituationsCriteria for a Critical Business FunctionCost of Impact $ImpactCostCost of Control $Cost of Control vs. Impact</p><p>Management of Information Security </p></li><li><p>ReplicationFailoverSite MigrationWide Area Clustering</p></li><li><p>Audit Program/ICQ</p><p>Get Preliminary InformationProcedure Step: PoliciesDetails/Test:Determine and obtain copies of all applicable policies for disaster recovery and business continuity, if any. Procedure Step: Get Applicable DocumentationDetails/Test:Obtain a copy of the organization's disaster recovery plan.Obtain a list of implementation team members list.Obtain a current copy of the organization chart.Obtain current inventory list. Obtain a copy of agreements relating to use of backup facilities.Procedure Step: Control QuestionnaireObjective: To verify that the disaster recovery plan is adequate to insure resumption of computer systems in a timely manner during adverse circumstances, is in line with the current business continuation plan, and reflects the current business operating environment.</p></li><li><p>Details/Test:Is there a disaster recovery plan? If a plan exists, when was it last updated?What are your procedures for updating the plan?Who is responsible for administration or coordination of the plan?Is the plan administrator/coordinator responsible for keeping the plan up-to-date?Is there a disaster recovery implementation team (i.e., the first response team members who will react to the emergency with immediate action steps)?Where is the disaster recovery plan stored? (Verify that key team members have copies of the plan at home as well as at the office).Where are the implementation team contacts list stored? (Suggest each key team member should have contact names and addresses of all other key team members both on his person and at home, as well as in the office - contact numbers should include home and mobile as well as office number) Where is the backup facility site? Are there alternate sites? (Be suspicious of loose arrangements with local businesses!)What is your schedule for testing and training on the plan?When was the last drill performed? (Consider the adequacy of the test - a desk test is unlikely to reveal many potential problems)Did the drill include use of the backup facilities? If not, when were the backup facilities last used? If over 1 year, how has the organization determined that its programs can still run on the backup equipment?What was the outcome of the drill? How did it improve preparedness?What critical systems are covered by the plan? Does the plan clearly indicate priorities for system restoration, based on risk to the business in particular? Does the plan allow for the restoration within pre-determined business critical time frames? (I.e. If certain systems are down for longer than a predetermined time, restoration after this time may be useless if the business has already gone under.)</p></li><li><p>Details/Test (continued):Does the plan indicate the operational requirements for each of the systems?What systems are not covered by the plan? Why not?What equipment is not covered by the plan?Why not?Does the plan operate under any assumptions? What are they?What are the procedures for activation of the plan?Are inventories as they relate to your critical systems kept (including LAN servers and communication devices)? (Critically, are the procedures and practices for keeping them up to date sufficient?)If inventories are kept, where are they stored?Are there formal procedures that specify backup procedures and responsibilities?What functions/systems/components are covered under such procedures?What training has been given to personnel in using backup equipment and established procedures?Where is the off-site storage site?Are the responsibilities for each team documented?Are the restoration procedures documented? Does the documentation for each system to be recovered indicate the process flow and as well as the equipment that will be recovered? (i.e. for an application that makes use of desktop equipment for dataentry and client server equipment for storage this should all be documented along with the software that will be required.</p><p>*****Extends local HA model to many sitesRequires data replication (by definition)Single point of monitoring and administration</p><p>All this can take place with a single command or mouse click. </p><p>Other misc infoWide Area Availability (0-10,000s KM) over a WAN/MANGlobal Application ObjectsHorizontal Application Scaling &amp; Data SharingStrategic Platform CoverageWide Area FailoverSite-Wide ConfigurationGlobal Availability ManagementReplication Integration, Management and MonitoringTied to local HA platform (service groups)****</p></li></ul>

Recommended

View more >