BUSINESS CONTINUITY & DISASTER RECOVERY
SZABIST – Spring 2012

Business Continuity & Disaster Recovery
This chapter presents the following:
- Project initiation steps
- Recovery and continuity planning requirements
- Business impact analysis
- Selecting, developing, and implementing disaster and continuity plans
- Backup and offsite facilities
- Types of drills and tests

Business Continuity & Disaster Recovery – Introduction
- We can’t prepare for every possibility, as recent events have proved:
  - The catastrophic Indian Ocean tsunami in December 2004
  - The terrorist attack on the World Trade Center towers
- These events affected many businesses, people, the government, and the world.
- Every year, thousands of businesses are affected by floods, fires, tornadoes, terrorist attacks, and vandalism.
- The companies that survive are the ones that thought ahead, planned for the worst, estimated the possible damages that could occur, and put the necessary controls in place to protect themselves and stay in the market.

Business Continuity & Disaster Recovery – Business Continuity and Disaster Recovery
- Business continuity planning provides methods and procedures for dealing with longer-term outages and disasters.
  - How do we stay in business and continue operating until the disaster is over and things get back to normal?
- Disaster recovery aims to minimize the effects of a disaster and to take the necessary steps to ensure that the resources, personnel, and business processes are able to resume operation in a timely manner.
  - A disaster recovery plan is usually very information technology (IT) focused.

Business Continuity & Disaster Recovery – Classification of Disruption
- What is a ‘Disruption’?
- Types of disruption:
  - Non-disasters: due to a device malfunction or failure
  - Disasters: causes the entire facility to be unusable for a day or longer
  - Catastrophes: major disruption that destroys the facility altogether

Business Continuity Steps – An Overview
Although no specific scientific equation is followed to create continuity plans, certain best practices have proven themselves over time. Accordingly, the following steps are outlined:
1. Develop the continuity planning policy statement.
2. Conduct the business impact analysis (BIA).
   1. Identify critical functions and systems, and prioritize them based on necessity.
   2. Identify vulnerabilities and threats, and calculate risks.
3. Identify preventive controls.
4. Develop recovery strategies.
5. Develop the contingency plan.
6. Test the plan and conduct training and exercises.
7. Maintain the plan.

Develop the Continuity Planning Policy
- Business continuity should be a part of the security program and business decisions.
- Establishing and maintaining a current continuity plan with management support
- Justification of cost and benefit for the activity
- Formation of a BCP team, which includes individuals from:
  - Business units
  - Senior management
  - IT department
  - Security department
  - Communications department
  - Legal department, etc.

Business Impact Analysis (BIA)
- A business impact analysis (BIA) is a functional analysis of an organization that develops a hierarchy of business functions and applies a classification scheme to indicate each individual function’s criticality level.
- How do we determine a classification scheme based on criticality levels?

Business Impact Analysis (BIA) – Perform the Risk Assessment
- Calculate Asset Value and Perform Risk Assessment (BIA Step 6 – 7)
  - Same as discussed in Chapter 3

Various Disaster Scenarios
- The analysis should consider the scenarios that could produce the following results:
  - Equipment malfunction or unavailable equipment
  - Unavailable utilities (HVAC, power, communications lines)
  - Facility becomes unavailable
  - Critical personnel become unavailable
  - Vendor and service providers become unavailable
  - Software and/or data corruption

Business Impact Analysis (BIA) – Estimation of Losses
- Loss in reputation and public confidence
- Loss of competitive advantages
- Increase in operational expenses
- Violations of contract agreements
- Violations of legal and regulatory requirements
- Delayed income costs
- Loss in revenue
- Loss in productivity

Identification of Maximum Tolerable Downtime (MTD)

Business Impact Analysis (BIA) – Maximum Tolerable Downtime (MTD)
The following are some MTD estimates that may be used within an organization:

System Rating    Duration
Nonessential     30 days
Normal           Seven days
Important        72 hours
Urgent           24 hours
Critical         Minutes to hours

Preventive Measures
- Based on the BIA result and the calculated MTD, the preventive measures are implemented to reduce the impact of risk. They may include some of the following components:
  - Redundant servers and communications links
  - Power lines coming in through different locations
  - Purchasing of UPS and generators
  - Redundant vendor support
  - Purchasing of insurance
  - Data backup technologies
  - Backup media protection safeguards
  - Increased inventory of critical equipment
  - Fire detection and suppression systems

Recovery Strategies
- A recovery strategy is a combination of preventive, detective and corrective measures.
- The selection of a recovery strategy would depend upon:
  - The criticality of the business process and the applications supporting the processes
  - Cost
  - Time required to recover
  - Security
- It is the most cost-effective recovery mechanism to address the threats identified in the BIA stage.
  - E.g., if an unavailable facility would cost the organization $200,000 a day, the company has to be up and running within the MTD or it could be financially crippled.
  - The company needs to obtain a hot site or redundant facility that would allow it to be up and running in this amount of time.

Recovery Strategies
- Recovery strategies might cover the following areas:
  - Business process recovery
  - Facility recovery
  - Supply and technology recovery
  - User environment recovery
  - Data recovery

Recovery Strategies – Business Process Recovery
- Considering the example of SZABIST:
  - If course registration through ZABDESK is not available, then what?
  - What are the alternates to continue the process?
  - Also, in the meantime, recover the processes to their original state.

Recovery Strategies – Facility Recovery
- Companies can choose from three main types of leased or rented offsite facilities:
  - Hot site: fully configured and ready to operate immediately or within a few hours
  - Warm site: leased or rented facility that is partially configured with some equipment, but not all the systems and equipment
  - Cold site: leased or rented facility that supplies the basic environment, electrical wiring, air conditioning, but none of the equipment or additional services
- Reciprocal agreements
- Redundant sites
- Speed of availability
- Subscribers per site and area

Note: The offsite location should be far enough away from the original site so one disaster does not take out both locations.

Recovery Strategies – Supply and Technology Recovery
- Backup solutions for the following:
  - Network and computer equipment / hardware
  - Voice and data communications resources
    - Redundancy
    - Alternative routing
  - Human resources
  - Business applications, software and data
  - Environment issues (HVAC)

Recovery Strategies – Data Backup Alternatives
- Full backup
- Incremental backup
- Electronic backup solutions
- Offsite backup vaults
- Disk mirroring
- Real-time data replication
- Insurance

Recovery Strategies – Real-time data replication

Recovery Strategies
Which solution to go for?
Depends on:
- Maximum Tolerable Downtime (MTD)
- Recovery Point Objective (RPO)
  - Based on acceptable data loss
  - Indicates earliest point in time in which it is acceptable to recover the data
- Recovery Time Objective (RTO)
  - Based on acceptable downtime
  - Indicates earliest point in time at which the business operations must resume after a disaster
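
The selection described above can be written as a check: a strategy is feasible only if it recovers within the RTO (which must itself fit inside the MTD for the system's rating) and loses no more data than the RPO allows, and the cheapest feasible one is chosen. This is an added example, not part of the original slides; `Strategy`, `CATALOGUE`, `evaluate`, all recovery times and costs, and the 4-hour ceiling for "Critical" are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import timedelta as td

# MTD ceiling per system rating, from the table on this page. "Critical" is
# given only as "minutes to hours"; the 4-hour ceiling is an assumption.
MTD = {"nonessential": td(days=30), "normal": td(days=7),
       "important": td(hours=72), "urgent": td(hours=24),
       "critical": td(hours=4)}

@dataclass(frozen=True)
class Strategy:
    name: str
    recovery_time: td   # time until operations resume at the alternate site
    data_loss: td       # worst-case age of the newest recoverable copy
    annual_cost: int    # constructed figure, USD

# Constructed catalogue pairing the page's site types and backup alternatives.
CATALOGUE = [
    Strategy("cold site + weekly full backup", td(days=10), td(days=7), 20_000),
    Strategy("warm site + nightly incremental", td(hours=48), td(hours=24), 90_000),
    Strategy("hot site + nightly offsite vault", td(hours=4), td(hours=24), 250_000),
    Strategy("hot site + real-time replication", td(hours=2), td(minutes=1), 400_000),
]

def evaluate(rating, rto, rpo, catalogue=CATALOGUE):
    """Return (cheapest feasible strategy or None, {rejected name: reasons})."""
    mtd = MTD[rating.lower()]
    if rto > mtd:  # an RTO beyond the MTD is an inconsistent BIA entry
        raise ValueError(f"RTO {rto} exceeds MTD {mtd} for a {rating} system")
    rejected, feasible = {}, []
    for s in catalogue:
        reasons = []
        if s.recovery_time > rto:
            reasons.append(f"recovers in {s.recovery_time}, RTO is {rto}")
        if s.data_loss > rpo:
            reasons.append(f"may lose {s.data_loss} of data, RPO is {rpo}")
        if reasons:
            rejected[s.name] = reasons
        else:
            feasible.append(s)
    best = min(feasible, key=lambda s: s.annual_cost, default=None)
    return best, rejected

if __name__ == "__main__":
    # Constructed BIA rows: (function, rating, RTO, RPO)
    for fn, rating, rto, rpo in [
        ("course registration", "urgent", td(hours=12), td(hours=1)),
        ("archive reporting", "normal", td(days=5), td(hours=24)),
    ]:
        best, rejected = evaluate(rating, rto, rpo)
        print(fn, "->", best.name if best else "no feasible strategy", rejected)
```

When `evaluate` returns `None`, no catalogued strategy meets the stated objectives, so either the objectives or the catalogue has to change.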

Recovery Strategies – Recovery Point Objective (RPO) and Recovery Time Objective (RTO)

Recovery and Restoration
- Coming back to normal state (i.e., reconstruction)
- Disaster recovery

Documentation of Plans
- Documentation of formal plans includes:
  - Business Continuity Plan (BCP)
  - Disaster Recovery Plan (DRP)

Testing and Revising the Plans
- BCP and DRP should be tested at least once a year.
- The following types of tests can be conducted:
  - Checklist test
  - Structured walk-through test
  - Simulation test
  - Full-interruption test

Maintaining the Plan
- The plan developed today might be obsolete in a year due to:
  - Infrastructure and environment changes occur.
  - Reorganization of the company, layoffs, or mergers occur.
  - Changes in hardware, software, and applications occur.
  - Plans do not have a direct line to profitability.
- Plans should be updated based on the test results.

Summary – BCP and DRP Cycle
End of Chapter 5 Thank You!