Naresh Gandhi FCA, D.I.S.A. (ICAI)

Presentation transcript:
1 Business Continuity
Naresh Gandhi FCA, D.I.S.A. (ICAI)

2 Business Impact Analysis

3 Stages of BCP/DRP
- Develop contingency planning policy
- Conduct business impact analysis (BIA)
- Identify preventive controls
- Develop recovery strategies
- Develop contingency plan
- Test the plan and train personnel
- Maintain the plan

4 Potential Impact on Business
[Relationship diagram, flattened in extraction: threats exploit vulnerabilities; vulnerabilities expose assets; threats, vulnerabilities and asset value increase risks; controls protect against threats and reduce risks; assets have asset value, which indicates the potential impact on business; risks indicate security arrangements, which are met by controls.]

5 Risk Analysis
- A pre-requisite to a complete and meaningful DRP program
- An assessment of the threats to assets
- Determination of the protection required to safeguard the assets

6 Risk Assessment Process
- Identification of assets
- Identifying threats to these assets and assessing their likelihood
- Identifying vulnerabilities and assessing how easily they might be exploited
- Correlating threats to assets
- Ranking of risks
- Identifying the protection provided by the controls in place

7 Risk Management
The process of identifying, controlling and minimizing or eliminating risks that may affect information systems, at an acceptable cost.

8 Risk Management - Direction
- Reducing the risk
- Avoiding the risk
- Transferring the risk
- Accepting the risk

9 Degree of Assurance Required
- It is not possible to achieve total security
- There will always be a residual risk
- What degree of residual risk is acceptable to the organization?

10 Risk Management
- Defining an acceptable level of residual risk
- Constantly reviewing threats and vulnerabilities
- Reviewing existing controls
- Applying additional controls
- Introducing policy and procedures

11 What are Assets?
An asset is something to which an organization directly assigns value, and hence for which the organization requires protection.

12 Examples of Assets
- Information: data files, user manuals etc.
- Software: application and system software etc.
- Services: communications, technical etc.
- Company image and reputation

13 Examples of Assets
- Documents: contracts, guidelines etc.
- Hardware: computers, magnetic media etc.
- People: personnel, customers etc.

14 Assets
Physical and logical assets:
- Data
- Information
- Software
- Documentation (both physical and logical)
- People
- Hardware
- Facilities
- Supplies

15 Some Assets
- Physical assets
- Personnel assets
- Intellectual property
- Trade secrets
- Corporate information
- Financial information
- Market research
- Strategic planning
- Customer lists
- Vendor lists
- Contact lists
- Information systems
- R & D information
- Communications
- Meetings
- Future directions

16 Asset Valuation
Would depend on:
- Business impact of the loss of the asset
- Period of time for which the asset is unavailable
- Value of the asset to a competitor
- Value of the information, rather than the replacement cost of the hardware

17 What is a Risk?
The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to those assets.

18 Ranking of Risks
Protection of assets should be based on their criticality:
- How long can I continue without the asset?
- What is the loss to the business if the asset is not there?
- Can I continue operations otherwise?

19 Outage Impact & Allowable Outage Times

20 System Ranking
- Critical
  - Only automated
  - Low tolerance to interruption
  - High cost of interruption
- Vital
  - Level of tolerance is high
  - Can be operated manually for a limited period
  - Cost of interruption is low

21 System Ranking
- Sensitive
  - Can be performed manually for an extended time period
  - Additional resources required
- Non-critical
  - Can remain inoperative
  - Data is not restored

22 Formulae for Comparing Risks

23 Threat
- A declaration of the intent to inflict harm, pain or misery
- Potential to cause an unwanted incident, which may result in harm to a system or organization and its assets
- Intentional or accidental, man-made or an act of God
- Assets are subject to many kinds of threats, which exploit vulnerabilities

24 Types of Threat
Man-made threats:
- Errors
- Sabotage
- Bombs
- Strikes
- Terrorist attack
- Competitors

25 Types of Threat
Man-made threats:
- Disgruntled employees
- Ex-employees
- Hackers
- Crackers
- Fire

26 Types of Threat
Natural threats:
- Floods
- Hurricanes
- Tornadoes
- Earthquakes
- Fire
- Lightning

27 Types of Threat
- Technological
- Deliberate threats
- Accidental threats
- Threat frequency

28 Threat Likelihood
- Low: less likely to occur
- Medium: some history of occurrence
- High: good possibility of occurrence

29 Impact of Threat
- Loss of money
- Loss of reputation or goodwill
- Opportunities missed
- Litigation
- Threat to personnel
- Break-ins or hacks
- Lost confidence
- Business interruption
- Reduced efficiency

30 Vulnerability
- A vulnerability is a weakness or hole in an organization's information security
- A vulnerability in itself does not cause harm
- It is merely a condition or set of conditions that may allow a threat to affect an asset
- A vulnerability, if not managed, will allow a threat to materialize

31 Vulnerabilities
- Absence of key personnel
- Unstable power grid
- Unprotected cabling lines
- Lack of security awareness
- Wrong allocation of password rights
- Insufficient security training
- No firewall installed
- Unlocked door
- Password same as user id
- Poor choice of password
- New technology

32 Controls
- Controls are applied to mitigate risk: bring it to an acceptable level, then accept the residual risk
- Controls should be cost effective

33 Control Selection
Which control?

34 Control Selection
- Risk
- Degree of assurance required
- Cost
- Ease of implementation
- Servicing
- Legal and regulatory requirements
- Customer and other contractual requirements

35 Control Selection - Cost
- Budget limitations
- Does the cost of applying the control outweigh the value of the asset?
- May have to select the best-value range of controls

36 Control - Ease of Implementation
- Does the environment support the control?
- How long will the control take to implement?
- Is the control readily available?

37 Control - Servicing
- Are skills available to manage the controls?
- Are upgrades readily available?
- Is the equipment supported by local engineers or suppliers?

38 Controls
The policies, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, or detected and corrected.

39 Power Outage Mitigation
- Provide one hour of uninterrupted power on all servers used internally
- Provide eight hours of uninterrupted power on all web servers and supporting hardware
- Replace desktop systems with laptops where possible
- Alternate power supply: DG set, UPS / voltage regulators

40 Fire Damage
- Automatic and manual fire alarms at strategic locations
- Fire extinguishers at strategic locations
- Halon, CO2 or water?
- Automatic fire sprinkler system
- Control panels
- Automatic fire-proof doors
- Master switches both inside and outside the IS facility
- Wiring in closets

41 Water Damage
- IS facility should not be on the ground floor
- Water-proof ceilings, walls and floors
- Drainage systems
- Water alarms
- Dry-pipe sprinkler system
- Cover hardware with protective fabric

42 Controls of the Last Resort (Insurance)
- IS equipment and facility
- Media reconstruction (software)
- Extra expense
- Business interruption
- Valuable papers and records
- Errors and omissions
- Fidelity coverage
- Media transportation
- Extra equipment coverage
- Specialized equipment coverage
- Civil authority

43 What is a Contingency?
An event with the potential to disrupt computer operations, critical missions and business functions.
Reasons:
- Power outage
- Hardware failure
- Fire
- Storms

44 What is a Disaster?
- A contingency event which is very destructive
- Disasters result from threats

45 Phases of Disaster
- Crisis phase
- Emergency response phase
- Recovery phase
- Restoration phase

46 Disasters
- New York WTC collapse
- Gujarat earthquake
- Power outage knocks out a data server
- Sprinkler system leaks
- Chemical spills from a tanker

47 Nasdaq Story, 11 Sept 01
1 Liberty Plaza, headquarters of Nasdaq, is across the street from the WTC. CIO Gregor Bailar provides an inside look at how Nasdaq got back up and running after the Sept. 11 tragedy.
Q: What was happening at 1 Liberty?
A: They began evacuating after the first plane hit. Our security guards, on their own accord, evacuated our floor at least, so most of our people were on the ground when the second plane hit.

48 Nasdaq Story, 11 Sept 01
Halting the market wasn't a step you could take lightly.
"Yes, halt the market."

49 Nasdaq Story, 11 Sept 01
Q: How did the command center operate?
A: The first thing we had to understand was our personnel situation. Then we broadened the investigation to learn who was affected among our traders. Then we had to understand the situation from a physical perspective.

50 Nasdaq Story, 11 Sept 01
Q: How did the command center operate?
A: Did we lose a building? Did we lose a data center? Did we lose connectivity? What have we got in the way of physical damage that's going to take a long time to restore?

51 Nasdaq Story, 11 Sept 01
Q: How did the command center operate?
A: Next we needed to know the regulatory situation: Are people trading today? What's the landscape of the trading industry? It was literally in that order.

52 Nasdaq Story, 11 Sept 01
Q: Some of your traders were in trouble, but Nasdaq's systems were all up?
A: Nasdaq is highly redundant. We have servers in different buildings. Every single one of our traders is connected to two different Nasdaq points of presence or connection centers.

53 Nasdaq Story, 11 Sept 01
Q: Some of your traders were in trouble, but Nasdaq's systems were all up?
A: There are four connection centers alone in downtown Manhattan, 20 connection centers around the United States. Every single server connects to two of those centers through two different paths, and often through two different vendors.

54 Nasdaq Story, 11 Sept 01
Q: How did you prepare for Monday?
A: We started industrywide testing on Saturday at 7 or 8 in the morning, and by 11:30 that morning, we had achieved 98 percent of the volume. And then on Sunday we did a half-day of retesting with people who wanted to add a little more volume capability.

55 Nasdaq Story, 11 Sept 01
Q: What did Nasdaq lose over the downtime and what did it cost to get back up?
A: We have interruption insurance, so we hope to recover most of it, but it's in the millions, and it could crest tens of millions.

56 Nasdaq Story, 11 Sept 01
Q: What were the disaster recovery lessons for Nasdaq?
A: We learned that distributed systems are really good. You have to think about how your business has concentrated people or operational centers in certain places. You've got to consider if it's the wisest distribution. We feel we were lucky having some folks in Connecticut and some in Maryland. Even if we had lost some of our senior management at 1 Liberty Plaza, we would have still had a senior team.

57 Nasdaq Story, 11 Sept 01
Q: After living through this, what would you advise other CIOs to consider?
A: This was a true test of people's backup strategies. Did you ever test your backup strategy? Have you worked out of your backup center?

58 Nasdaq Story, 11 Sept 01
Q: After living through this, what would you advise other CIOs to consider?
A: Do you know how to get people there? Do you know the critical phone numbers? A lot of people don't have phone numbers as part of their continuity of business plan.

59 Nasdaq Story, 11 Sept 01
Q: After living through this, what would you advise other CIOs to consider?
A: I think people will have to look very carefully at their backup strategies and see whether they can communicate with everybody easily, whether the phone numbers are not stored in that same building that could experience the disaster, and whether they've got hot backups.

60 Nasdaq Story, 11 Sept 01 (continued)
Hot backups are going to be much more popular than they have been in the past.

61 [Chart: network traffic on Sept. 11; the yellow line shows normal traffic]

62 How did AT&T Control
- 141 video display screens showed the status of all the networks
- Network managers put controls on the network to slow down the flow of inbound calls
- Keep circuits available for outbound calling
- As a result, the AT&T long distance network carried a record 431 million call attempts on Sept. 11, 101 million more than the previous high-traffic day

63 Business Continuity Plan
The BCP focuses on sustaining an organization's business functions during and after a disruption.

64 Disaster Recovery Plan
The DRP applies to major, usually catastrophic, events that deny access to the normal facility for an extended period.

65 Types of Plans
- Business Recovery Plan: addresses restoration of business processes but lacks procedures
- Continuity of Operations Plan: addresses restoring H.Q.-level issues at an alternate site

66 Types of Plans
- Crisis Communication Plan: a plan responsible for public communications
- IT Contingency Plan: a plan for each major application
- Occupant Emergency Plan: response procedures for occupants
- Test Plan: identifies deficiencies in the different plans

67 Cyber Incident Response Plan
The IRP defines strategies to detect, respond to and limit the consequences of a malicious cyber incident.

68 Categories of Disaster
- Minor disruption
- Serious disruption
- Major disruption
- Catastrophic disruption

69 Categories of Disaster
Minor disruption: no damage or loss
- Temporary power failure or fluctuation
- Communication failure
- Unavailability of non-critical personnel

70 Categories of Disaster
Serious disruption: repairable damage to equipment, office area, data, records, software
- Equipment breakdown
- Failure of AC
- Human error

71 Categories of Disaster
Major disruption: destruction of equipment, office area, data
- Complete loss of equipment
- Structural mishap
- Malicious loss of data

72 Categories of Disaster
Catastrophic disaster: total loss of office area, data or people due to a natural disaster like fire, flood etc.
- Complete destruction of personnel
- Complete destruction of facilities

73 What is a Disaster Recovery Plan?
A plan that:
- provides a vital pre-planned framework for initiating recovery operations
- provides guidance for damage assessment
- sets out planned actions to resume critical IS and functional activities
- restores full business operations with minimum delay and disruption

74 Coping with Emergencies
The idea of the DRP is to think before the actual happening:
- How likely is the happening?
- What can be done when it happens?
- What can be done to lessen its likelihood?
- What can be done to prepare for these events?

75 DRP - Key Issues
- How to develop the plan
- How to test the plan
- How to maintain the plan
- How to keep continuity of operations

76 DRP Overview
- A total plan for all departments, integrated together
- Must be written, tested and documented
- Clear assignment of responsibilities to employees
- It should address:
  - mainframe computers
  - minicomputers
  - microcomputers

77 DRP Overview
It should address:
- networks
- automated operations
- semi-automated operations
- manual operations

78 Why a Disaster Recovery Plan?
- To respond to disasters of any type
- To curtail revenue loss
- To avoid loss of critical data
- To maintain competitive edge
- To maintain employee productivity

79 DRP - Phases
- Identifying threats and vulnerabilities
- Developing the contingency plan
- Conducting tasks and drills
- Updating and maintaining the plan

80 Ranking of Objectives of DRP
- Protection of the organization's employees and the public
- Minimizing the financial impact
- Limiting the extent of damage
- Reducing physical damage

81 Planning Responsibilities
- Prime responsibility for developing, maintaining and executing the contingency plan is with senior management
- Recommended approach to planning is by teams

82 BCP Techniques
DRP plan: top-down approach

83 BCP Techniques - DRP Plan
Top-down approach; it involves:
- Senior management
- Line management
- IS management
- System auditors
- End users

84 BCP Techniques - DRP Plan Steps
- Conduct impact analysis
- Plan design
- Plan development
- Plan implementation
- Plan testing
- Plan maintenance

85 BCP Techniques
Ongoing maintenance: a combination of top-down and bottom-up approaches

86 BCP Techniques
Why do we require a plan? Responsibility to:
- shareholders
- customers
- suppliers
- employees
- legal obligations

87 BCP Techniques
What can go wrong in a planning process?
- Technical aspects
- Back-up employees
- Functional user operations
- Selection of the DRP team

88 BCP Techniques
Application system prioritization:
- Critical application systems
- Prioritize items
- Conduct impact analysis
- Prioritization is to be based on importance to the organization, not to an individual

89 BCP Techniques
What can go wrong in system prioritization?
- The majority of systems may not be critical
- Most business users claim their systems qualify as critical

90 BCP Techniques
Planning committee:
- Responsible for developing the DRP
- Knowledgeable members
- Specific assignments

91 BCP Techniques - Planning Committee Members
Knowledgeable members:
- Project leaders
- Well versed with IS requirements
- From security, fire, operations, production control, legal, audit, users, telecommunications, network, system and application programming

92 BCP Techniques - Recovery Capability Assessment
- Current security
- Disaster recovery capabilities
- Weaknesses
- Analysis
- Recommend prioritized actions

93 BCP Techniques - Plan Development Alternatives
- In-house
- Ready-made software package
- Hire consultants
- Combination of the above

94 BCP Techniques - Plan Requirement Analysis
- Hardware
- System software
- Personnel
- Telecommunications
- Backup data files
- Vendor support availability
- Security

95 BCP Techniques - Plan Requirement Analysis
- Office equipment
- Logistics
- Storage
- Funding
- Purchase orders

96 BCP Techniques - Planning Document Contents
- Purpose and scope
- Testing and recovery procedures
- Vendors, with addresses and telephone numbers
- Location of the contingency plan
- Procedure for post-recovery
- Emergency recovery team members, with responsibilities
- Phone list for fire, police, hardware, software, major suppliers and customers

97 BCP Techniques - Planning Document Contents
- Contact person, with address, at the backup location
- Description and configuration of hardware and software
- Backup contractual agreements
- Application system job priorities
- Logistics
- Insurance carrier phone numbers

98 Contingency Planning Process - Steps
- Identifying the critical functions
- Identifying the resources supporting critical functions
- Anticipating potential contingencies or disasters
- Selecting the contingency planning strategy:
  - Emergency response
  - Recovery
  - Resumption

99 Contingency Planning Process - Steps
- Implementing the contingency strategy:
  - Implementation
  - Documenting
  - Training
- Testing and revising the strategy

100 Disaster Recovery Teams
- Emergency action team
- Disaster assessment team
- Recovery management team
- Public relations team
- Off-site storage team
- Software team
- Application team
- Security team
- Communication team
- Transportation team
- Facilities team
- Administration team
- Operation team
- Procurement team
- Salvage team
- Staff coordination team

101 Activating the Plan
- Recognize an emergency
- Contact the proper authority:
  - Specific nature of the emergency
  - Time of the emergency
  - Location of the emergency
  - Extent of damage or status of the emergency
  - Danger or injuries to people
  - Cause of the emergency

102 Activating the Plan
- Activate the plan
- Gather the response team
- Brief the response team
- Activate the emergency command center:
  - Communications equipment
  - Personal protective equipment (first aid kits)
  - Records and information needed to respond
  - Reference manuals, including maps

103 Activating the Plan
Activate the emergency command center:
- Emergency communication directory
- Back-up power supply, including fuel
- Office supplies, including computers with internet access
- AM/FM radios, cable television
- Food, water and other personal supplies to last several days
- Message boards, overhead projectors and other presentation materials and equipment

104 Activation of the Plan
- Maintain communication
- Initiate recovery activities
- Assemble a damage assessment team
- Gather initial damage estimates:
  - Facility structural damage
  - Damage to products, materials or supplies, including records and information
  - Damage to vehicles or equipment
  - Damage to property

105 Activation of the Plan
- Gather initial damage estimates:
  - Personal injuries
  - Costs to recover (materials and supplies)
  - Costs to recover (repairs and maintenance)
  - Costs to recover (labor)
  - Loss of revenue
- Compile the information into a report: the Initial Damage Assessment Report

106 Initial Damage Assessment Report
Facility Damaged:
Location: (Attach map with clearly marked location and travel route to site, if needed)
Describe Damage or Injuries:
List Work Needed to Repair Sites:
List Work that has been Completed: (Attach activity report if any work has been completed)
Estimated Cost: (Develop a detailed breakdown of personnel, equipment and materials for the complete damage assessment; include an estimate of any loss of revenue)
Notes/Comments:
Damage Report Completed By:
Dated:

107 Activation of the Plan
- Train the damage assessment team
- Initiate security activities:
  - Issuing identification badges to employees and other authorized personnel
  - Locking doors if personnel cannot monitor the facility during an emergency
  - Installing signs designating secured or restricted areas
  - Placing a sign-in sheet at the command center and logging time in/out
  - Creating a list of authorized personnel and monitoring it

108 Activation of the Plan
- Initiate security activities:
  - Ensuring that personnel know who is authorized to make decisions
  - Maintaining supplies to board up windows quickly
  - Securing cash operations immediately
  - Asking for police assistance
  - Asking a neighbor to help monitor security
- Notify the recovery site
- Notify impacted staff
- File insurance claims
- Primary site procedures
- Return to normal operations
- Post-recovery analysis
- Activate contingency arrangements

109 Develop Recovery Priorities

110 Recovery Alternatives - Centralized Systems
- Hot site
- Warm site
- Cold site
- Mobile site
- Mirrored site
- Duplicate information processing facility
- Reciprocal agreement
- Commercial service bureaux

111 Recovery Alternatives
Hot site:
- Fully configured
- Ready for operations
- Intended for emergency operations
- Used for limited-time operations
- Most expensive

112 Recovery Alternatives
Warm site:
- Partially configured
- Without CPU
- Less expensive than a hot site

113 Recovery Alternatives
Cold site:
- Only the basic environment
- Activation takes several weeks
- Least expensive

114 Recovery Alternatives
Mobile site:
- Empty shell facilities
- Transportable
- Available on lease through vendors

115 Recovery Alternatives
Mirrored site:
- Fully redundant
- Real-time information mirroring
- Identical to the primary site
- Most expensive to maintain

116 Recovery Alternatives
Duplicate information processing facilities:
- Dedicated, self-developed recovery sites
- Backup of critical applications
- Site chosen to be away from the primary site
- Resource availability to be assured
- Regular testing

117 Recovery Alternatives
Reciprocal agreements:
- Agreements between organizations with similar equipment or applications
- Low cost
- Configuration compatibility

118 Service Bureaus / ASPs
- Emergency processing services
- Application specific

119 Alternate Site Selection Criteria

120 Telecommunication Network Backup
- Redundancy: surplus capacity created for extra load or failure
- Alternative routing: routing by means of an alternate medium
- Diverse routing: split or duplicate cable sheath

121 Telecommunication Network Backup
- Last-mile circuit protection: local communication loops
- Long-haul network diversity: T1 circuits between network carriers for automatic re-routing in case of failure
- Voice recovery

122 Data Recovery Plan
- Critical
- Vital
- Sensitive
- Non-critical

123 Backup Techniques
- Full backup
- Incremental backup
- Differential backup
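The three techniques differ in what each backup set captures and therefore in which sets must be read back, in what order, at restore time. The Python simulation below is an editor's added example, not part of the original presentation: over a constructed week of file changes it takes a day-0 full backup followed by incremental or differential sets, then restores to a given day, reports the restore chain and volume, and shows the failure mode of each technique when one set's media is lost (an incremental chain breaks outright; a differential restore quietly falls back to an older set).

```python
"""Full vs incremental vs differential backups: what is captured, what a restore needs."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class BackupSet:
    day: int
    kind: str               # "full", "incremental" or "differential"
    files: Dict[str, int]   # file name -> version captured in this set


def take_backups(daily_changes: List[Dict[str, int]], strategy: str) -> List[BackupSet]:
    """Day 0 always takes a full backup; every later day uses `strategy`."""
    if strategy not in ("incremental", "differential"):
        raise ValueError("strategy must be 'incremental' or 'differential'")
    state: Dict[str, int] = {}        # live file system, file -> current version
    since_full: Dict[str, int] = {}   # files changed since the last full backup
    since_last: Dict[str, int] = {}   # files changed since the last backup of any kind
    sets: List[BackupSet] = []
    for day, changes in enumerate(daily_changes):
        state.update(changes)
        since_full.update(changes)
        since_last.update(changes)
        if day == 0:
            sets.append(BackupSet(day, "full", dict(state)))
            since_full.clear()
        elif strategy == "incremental":
            # only what changed since the previous set (full or incremental)
            sets.append(BackupSet(day, "incremental", dict(since_last)))
        else:
            # everything changed since the last full: sets grow until the next full
            sets.append(BackupSet(day, "differential", dict(since_full)))
        since_last.clear()
    return sets


def restore(sets: List[BackupSet], target_day: int,
            lost: FrozenSet[int] = frozenset()) -> Tuple[Dict[str, int], List[int], int]:
    """Rebuild the file system as of `target_day`; `lost` are days whose media are unreadable.

    Returns (restored state, days of the sets read in order, number of file copies read).
    """
    usable = [s for s in sets if s.day <= target_day and s.day not in lost]
    fulls = [s for s in usable if s.kind == "full"]
    if not fulls:
        raise RuntimeError("no usable full backup on or before day %d" % target_day)
    base = fulls[-1]
    chain = [base]
    later = [s for s in usable if s.day > base.day]
    incrementals = [s for s in later if s.kind == "incremental"]
    differentials = [s for s in later if s.kind == "differential"]
    if incrementals:
        # Every incremental between the full and the target is required; one
        # missing set breaks the chain and the restore must stop rather than
        # silently skip the changes that set held.
        required = [s.day for s in sets
                    if base.day < s.day <= target_day and s.kind == "incremental"]
        if [s.day for s in incrementals] != required:
            missing = sorted(set(required) - {s.day for s in incrementals})
            raise RuntimeError("incremental chain broken, missing day(s) %s" % missing)
        chain.extend(incrementals)
    elif differentials:
        # Only the newest usable differential is needed. If the newest set is
        # lost the restore still succeeds, but returns older data.
        chain.append(differentials[-1])
    restored: Dict[str, int] = {}
    for s in chain:
        restored.update(s.files)
    return restored, [s.day for s in chain], sum(len(s.files) for s in chain)


def expected_state(daily_changes: List[Dict[str, int]], target_day: int) -> Dict[str, int]:
    """What the live file system looked like at the end of `target_day`."""
    state: Dict[str, int] = {}
    for changes in daily_changes[:target_day + 1]:
        state.update(changes)
    return state


def stale_files(restored: Dict[str, int], expected: Dict[str, int]) -> List[str]:
    """Files whose restored version is older than, or missing from, the expected state."""
    return sorted(f for f, v in expected.items() if restored.get(f, 0) < v)


# Constructed sample week: day 0 is the weekend full backup, then five working days.
WEEK: List[Dict[str, int]] = [
    {"ledger.db": 1, "payroll.xls": 1, "contracts.doc": 1, "policy.pdf": 1},
    {"ledger.db": 2},
    {"ledger.db": 3, "payroll.xls": 2},
    {},                                  # nothing changed on day 3
    {"contracts.doc": 2},
    {"ledger.db": 4},
]

if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        _, chain, volume = restore(take_backups(WEEK, strategy), 5)
        print("%-12s restore to day 5 reads sets %s, %d file copies" % (strategy, chain, volume))
    try:
        restore(take_backups(WEEK, "incremental"), 5, lost=frozenset({2}))
    except RuntimeError as err:
        print("incremental, day 2 media lost:", err)
    state, chain, _ = restore(take_backups(WEEK, "differential"), 5, lost=frozenset({5}))
    print("differential, day 5 media lost: reads %s, stale files %s"
          % (chain, stale_files(state, expected_state(WEEK, 5))))
```

The restore volume and the chain length are what the "How quickly are the backups retrieved" questions later in the deck turn on; the `lost` parameter models the "Backup Procedures: What can go wrong" case of media that cannot be read.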

124 Backup Methods
- Floppy diskettes
- Compact disk
- Replication
- Internet backup

125 Backup Methods
- Removable cartridges
- Tape drives
- Networked disk
- Remote mirroring

126 Answer the Following
- Where will the media be stored?
- What data should be backed up?
- How frequently are backups conducted?
- How quickly are the backups retrieved in the event of an emergency?
- Who is authorized to retrieve the media?
- How long will it take to retrieve the media?
- Where will the media be delivered?

127 Answer the Following
- Who will restore the data from the media?
- What is the tape-labeling scheme?
- How long will the backup media be retained?
- When the media are stored onsite, what environmental controls are provided to preserve the media?
- What types of tape readers are used at the alternate site?

128 Backup Media Library
It should contain:
- Backups of tapes, disks, master and transaction files
- Backup copies of current application software
- An up-to-date copy of the contingency plan
- Up-to-date operation manuals, system and program documentation
Each facility must have a backup media library.

129 Backup Media Library
- Should be at some distance from the main facility
- Subject to physical and environmental controls

130 Backup Procedures
What can go wrong:
- May contain only magnetic or electronic records, not paper records
- Access not available at all times
- Critical data may not be stored

131 Backup Procedures
Determining Backup Priorities:
Postpone less urgent tasks
Identify critical functions in advance
Eliminate or postpone non-urgent portions of record keeping

132 Plan Testing
Scope
Time-frame
Teams
Objectives
Methodology
Conduct
Evaluation
Weaknesses
Improvement
Revision

133 Phases of Testing
Pre-test
Test
Post-test

134 Types of Tests
Checklist test
Structured walk-through test
Simulation test
Parallel test
Full interruption test

135 Result Analysis
Time
Amount
Count
Accuracy

136 Test Examples
Contact every level of the call tree successfully within 1 hour
Restore critical systems off-site within 48 hours
Evacuate the building in 15 minutes
Contact key vendors within 1 hour
Fire drills carried out selectively
Check jockey pump pressure
Notify participants in advance

137 Awareness and Training
Walkthrough Session
Scenario Workshop
Simulation of a Live Test

138 BCP Maintenance
Strategy as per changing needs of the business
New applications documented
Changes in critical applications
Changes in hardware or software environment
Plan maintenance methods

139 BCP Maintenance
Schedule for periodic review and maintenance
Review of revisions
Conducting scheduled and unscheduled tasks
Training recovery personnel
Maintaining rounds
Updating personnel changes

140 Record of Change

141 Law and Standards

142 HIPAA
Documented practices for data protection and continuity of operations in the health care industry

143 GBL and the Expedited Funds Availability Act
Standards for safeguarding the security and confidentiality of customer records

144 Sarbanes-Oxley Act
An Act for protecting investors by improving the reliability of corporate disclosures and internal control

145 GASSP
Principles supporting the Generally Accepted Accounting Principles and similar models

146 Information Technology Infrastructure Library
A collection of best practices in IT service management

147 Basel Committee on e-Banking
Principles for effective capacity, business continuity and contingency planning of e-banking systems and services

148 Basel II Capital Accord
Encourages financial firms to be more proactive and forward-looking in financial activities

149 SAS 70
Internationally recognized auditing standard for service organizations

150 COBIT
A framework resulting in control objectives considered to be good or best practices

151 Strategies for Networked Systems

152 Strategies
Eliminating single points of failure
Redundant cabling and devices
Remote access
Wireless LANs

153 Strategies for Fault Tolerant Implementation

154 RAID
A system which uses multiple hard drives to share or replicate data among the drives
A system that combines multiple hard drives into a single logical unit

155 RAID Benefits
Higher data security
Fault tolerance
Improved availability
Increased, integrated capacity
Improved performance

156 RAID
Data redundancy techniques:
Mirroring
Parity
Striping

157 RAID Mirroring
Data in the system is written simultaneously to two hard disks instead of one

158 RAID Mirroring (diagram slide)

159 RAID Mirroring
Advantages: data redundancy; fast recovery
Disadvantages: expensive

160 RAID Duplexing
Data in the system is written simultaneously to two hard disks with separate controllers

161 RAID Disk Duplexing (diagram slide)

162 RAID Striping
A data element is broken into multiple pieces at the byte level or in blocks

163 RAID Striping (diagram slide)

164 RAID Parity
It involves the use of parity information, which is redundancy information calculated from the actual data values

165 RAID Levels
RAID-0
Technique: striping without parity
Files broken into stripes
No redundancy
Storage efficiency: 100% if drives are identical
Minimum of 2 hard disks required
Fault tolerance: none
Cost: lowest of all RAID levels
Recommended uses: non-critical data

166 RAID-0
This illustration shows how files of different sizes are distributed between the drives on a four-disk, 16 kiB stripe size RAID 0 array. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; and the magenta is 500 kiB.

167 RAID Levels
RAID-1
Technique: mirroring
Exactly 2 hard disks
Fault tolerance: very good
Storage efficiency: 50% if drives are identical
Cost: relatively high
Recommended uses: applications requiring high fault tolerance, e.g. accounting and other financial data

168 RAID-1
Illustration of a pair of mirrored hard disks, showing how the files are duplicated on both drives.

169 RAID Levels
RAID-2
Technique used: bit-level striping with ECC
Hard disk requirements: 10 data disks and 4 ECC disks
Random read performance: Fair
Random write performance: Poor
Fault tolerance: only fair
Cost: very expensive
Recommended use: not used in modern systems

170 RAID Levels
RAID-3
Technique: byte-level striping with dedicated parity
Minimum 3 hard disks
Random read performance: Good
Random write performance: Poor
Array capacity: size of smallest drive * (no. of drives - 1)
Fault tolerance: good
Cost: Moderate
Recommended uses: applications working with large files that require high transfer performance

171 RAID-3
This illustration shows how files of different sizes are distributed between the drives on a four-disk, byte-striped RAID 3 array. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; and the magenta is 500 kiB. Notice that the files are evenly spread between three drives, with the fourth containing parity information (shown in dark gray).

172 RAID Levels
RAID-4
Technique used: block-level striping with dedicated parity
Random read performance: Good
Random write performance: Fair
Array capacity: size of smallest drive * (no. of drives - 1)
Minimum 3 hard disks
Fault tolerance: good
Cost: Moderate
Recommended uses: not commonly used

173 RAID-4
This illustration shows how files of different sizes are distributed between the drives on a four-disk RAID 4 array using a 16 kiB stripe size. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; and the magenta is 500 kiB. Notice that, as with RAID 3, the files are evenly spread between three drives, with the fourth containing parity information (shown in gray).

174 RAID Levels
RAID-5
Technique used: block-level striping with distributed parity
One of the most popular RAID levels
Random read performance: Very Good
Random write performance: Only Fair
Array capacity: size of smallest drive * (no. of drives - 1)
Minimum 3 hard disks
Fault tolerance: good
Cost: Moderate
Recommended uses: ERP, relational database applications and other business systems

175 RAID-5
This illustration shows how files of different sizes are distributed between the drives on a four-disk RAID 5 array using a 16 kiB stripe size. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; and the magenta is 500 kiB.
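As an added example that is not from the presentation, a toy Python model of the RAID parity slide and the RAID-5 slide above: block-level striping over a constructed set of disks with XOR parity that rotates across the disks, and rebuilding the data when any one disk is lost. The block size, disk count and data are constructed for illustration; real arrays use kiB-sized stripe units.

```python
"""Toy RAID-5 model: block-level striping with distributed (rotating) XOR
parity. Block size, disk count and data are constructed, not from the slides."""
from typing import List, Optional

BLOCK = 4  # bytes per block in this toy; real arrays use kiB-sized stripe units

def parity(blocks: List[bytes]) -> bytes:
    """Parity block = XOR of every block in the list (all the same length)."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)

def raid5_write(data: bytes, ndisks: int) -> List[List[bytes]]:
    """Stripe data over ndisks. Stripe s holds ndisks-1 data blocks plus one
    parity block on disk (ndisks-1-s) % ndisks, so parity rotates across disks."""
    assert ndisks >= 3, "RAID-5 needs a minimum of 3 disks"
    data_per_stripe = ndisks - 1
    stripe_bytes = BLOCK * data_per_stripe
    data += b"\x00" * (-len(data) % stripe_bytes)  # pad to whole stripes
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(data) // stripe_bytes):
        chunk = data[s * stripe_bytes:(s + 1) * stripe_bytes]
        dblocks = [chunk[i * BLOCK:(i + 1) * BLOCK] for i in range(data_per_stripe)]
        pdisk = (ndisks - 1 - s) % ndisks
        remaining = iter(dblocks)
        for d in range(ndisks):
            disks[d].append(parity(dblocks) if d == pdisk else next(remaining))
    return disks

def raid5_read(disks: List[Optional[List[bytes]]]) -> bytes:
    """Read the data back (padding included). One None entry, a failed disk, is
    rebuilt per stripe as the XOR of the surviving blocks, whether the lost block
    held data or parity. Two failures exceed what RAID-5 can tolerate."""
    ndisks = len(disks)
    failed = [i for i, d in enumerate(disks) if d is None]
    assert len(failed) <= 1, "RAID-5 tolerates only a single disk failure"
    nstripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(nstripes):
        pdisk = (ndisks - 1 - s) % ndisks
        stripe = [None if d is None else d[s] for d in disks]
        if failed:
            stripe[failed[0]] = parity([b for b in stripe if b is not None])
        out += b"".join(stripe[d] for d in range(ndisks) if d != pdisk)
    return bytes(out)

def usable_capacity(disks: List[List[bytes]]) -> int:
    """Data bytes the array holds: smallest disk * (no. of disks - 1), as on the slide."""
    smallest = min(len(d) for d in disks) * BLOCK
    return smallest * (len(disks) - 1)
```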

176 RAID Levels
RAID-6
Technique used: block-level striping with dual distributed parity
Minimum 4 hard disks
Random read performance: Very Good
Random write performance: Poor
Array capacity: size of smallest drive * (no. of drives - 2)
Fault tolerance: very good
Cost: High; specialized controller
Recommended uses: same as RAID-5, but not popular as the cost is high

177 RAID-6
This illustration shows how files of different sizes are distributed between the drives on a four-disk RAID 6 array using a 16 kiB stripe size. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; and the magenta is 500 kiB.

178 RAID Levels
RAID-7
Proprietary product of Storage Computer Corporation
Hard disks: depends
Random read performance: Very Good
Random write performance: Very Good
Array capacity: depends
Fault tolerance: very good
Cost: Very High; specialized controller
Recommended uses: not popular as the cost is high

179 Multiple (Nested) RAID Levels
RAID-0+1 & RAID-10
Technique used: mirroring and striping without parity
Most popular of the multiple RAID levels
Minimum 4 hard disks
Availability: very good for RAID-01, excellent for RAID-10
Random read performance: very good
Random write performance: good
Fault tolerance: very good
Cost: High
Recommended uses: often used in place of RAID-1 or RAID-5 for higher performance

180 RAID 0+1 (diagram slide)

181 RAID 10 (diagram slide)

182 Strategies for Data Communications
Dial-up
Circuit extension
On-demand service from the carriers
Diversification of services
Microwave communications
VSAT

183 Strategies for Voice Communications
Cellular phone backup
Carrier call rerouting systems
Backup PBX systems

184 Electronic Vaulting
Electronic vaulting is the ability to store and retrieve backups electronically at a site remote from the primary computer centre

185 Remote Journaling
Parallel processing of transactions to an alternate site

186 Database Shadowing
Duplicating the database sites to multiple servers

187 Backup Strategies
Dual recording
Dumping
Logging input transactions
Logging before-images
Logging after-images

188 Network Attached Storage
A class of systems that provide file services to host computers
Dedicated storage solution that is attached to a network topology

189 Storage Area Network
A network of storage disks
It connects multiple computers to a centralized pool of disk storage
Fibre Channel technology

190 Storage Area Network
Advantages:
Centralization of storage
Storage and server resources grow independently
Data transfer directly from device to device

191 Server Load Balancing
It consists of distributing user activity across a network so that no single server is overloaded
Enables the application to operate even if one of the servers is down

192 Server Load Balancing
Load balancing is done by load balancers: routers and switches with application-specific integrated circuits

193 IS Audit Technique
Role of Auditor:
Observer
Reviewer
Reporter

194 Review of BCP
Current copy of BCP
Evaluation of documented procedures
Critical applications identified
All applications reviewed
Support of critical applications
Review of BCP personnel, vendors, hot site contents, back-up contents

195 Review of BCP
Interview key members
Evaluation of emergency procedures
Written procedures of recovery teams

196 Audit Procedure
Interview personnel and read documents:
Risk analysis documents
Disaster recovery requirement documents
Disaster recovery training documents
Disaster recovery plan testing documents
Disaster recovery plan maintenance procedures
Alternative processing contracts with back-up facilities
Third-party audit reports

197 Audit Procedure
Risk analysis:
Critical application identification
Classification of critical data
Minimum hardware configuration
Existing file backup procedures
Record retention and rotation schedules

198 Audit Procedure
Off-site storage facilities:
Commercial
Private
Verify financial background and reputation
Visit the facility
Assess the storage standards
Method of separation of media
Mode of transportation of media

199 Audit Procedure
Off-site storage facilities ...
Review flow of media in and out
Visitors' access
Terms and conditions of vendors
Confidentiality of data
Periodic inventory of media
Other physical and environmental controls

200 Audit Procedure
Plan documents:
Number of subscribers and capacity of computers in the backup facility
Fee structure of vendor
Off-site media storage facility
Liability of vendors for loss or damage at the off-site facility
Names, addresses and telephone numbers of recovery team members
Transportation arrangements

201 Audit Procedure
Plan documents …
Equipment and support
Emergency team instructions for evacuation and recovery
Telephone numbers of hardware and software supply vendors
Procedures to handle bomb or arson threats
Plan testing procedures
Network configuration diagram and documentation

202 Audit Objectives
Adequacy of risk analysis
Adequacy of off-site storage facilities
DRP document is complete, clear and understandable
Adequacy of management preparedness
Adequacy of plan maintenance procedures

203 Audit Objectives
Identify problems and concerns
Make cost-effective recommendations
Identify over-secured and under-secured activities

204 Thanks...

