Naresh Gandhi FCA, D.I.S.A. (ICAI). Business Impact Analysis.


1 Naresh Gandhi FCA, D.I.S.A. (ICAI)

2 Business Impact Analysis

3 Stages of BCP/DRP
- Develop contingency planning policy
- Conduct business impact analysis (BIA)
- Identify preventive controls
- Develop recovery strategies
- Develop contingency plan
- Test the plan and train personnel
- Maintain the plan

4 [Diagram: relationships among Threats, Vulnerabilities, Assets, Risks, Controls, Security Arrangements, Asset Value and Potential Impact on Business; edge labels read Protect Against, Met By, Exploit, Reduce, Indicate, Increase, Expose, Have]

5 Risk Analysis
- A prerequisite to a complete and meaningful DRP program
- An assessment of threats to assets
- Determination of the protection required to safeguard the assets

6 Risk Assessment Process
- Identification of assets
- Identifying threats to these assets and assessing their likelihood
- Identifying vulnerabilities and assessing how easily they might be exploited
- Correlating threats to assets
- Ranking of risks
- Identifying the protection provided by the controls in place

7 Risk Management
- The process of identifying, controlling and minimizing or eliminating risks that may affect information systems, at an acceptable cost

8 Risk Management - Direction
- Reducing the risk
- Avoiding the risk
- Transferring the risk
- Accepting the risk

9 Degree of Assurance Required
- It is not possible to achieve total security
- There will always be a residual risk
- What degree of residual risk is acceptable to the organization?

10 Risk Management
- Defining an acceptable level of residual risk
- Constantly reviewing threats and vulnerabilities
- Reviewing existing controls
- Applying additional controls
- Introducing policies and procedures

11 What are Assets?
- An asset is something to which an organization directly assigns value and hence for which the organization requires protection

12 Examples of Assets
- Information: data files, user manuals, etc.
- Software: application and system software, etc.
- Services: communications, technical, etc.
- Company image and reputation

13 Examples of Assets
- Documents: contracts, guidelines, etc.
- Hardware: computers, magnetic media, etc.
- People: personnel, customers, etc.

14 Assets
- Logical: data, information, software, documentation
- Physical: people, hardware, facilities, documentation, supplies

15 Some Assets
- Physical assets
- Personnel assets
- Intellectual property
- Trade secrets
- Corporate information
- Financial information
- Market research
- Strategic planning
- Customer lists
- Vendor lists
- Contact lists
- Information systems
- R & D information
- Communications
- Meetings
- Future directions

16 Asset Valuation
Would depend on:
- Business impact of the loss of the asset
- Period of time for which the asset is unavailable
- Value of the asset to a competitor
- Value of the information rather than the replacement cost of the hardware

17 What is a Risk?
- The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets

18 Ranking of Risks
- Protection of assets should be based on their criticality
- How long can I continue without my asset?
- What is the loss to the business if the asset is not there?
- Can I continue operations otherwise?

19 Outage Impact & Allowable Outage Times

20 System Ranking
- Critical
  - Only automated
  - Low tolerance to interruption
  - High cost of interruption
- Vital
  - Level of tolerance is high
  - Can be operated manually for a limited period
  - Cost of interruption is low

21 System Ranking
- Sensitive
  - Can be performed manually for an extended time period
  - Additional resources required
- Non-critical
  - Can remain inoperative
  - Data is not restored

22 Formulae for Comparing Risks

23 Threat
- A declaration of the intent to inflict harm, pain or misery
- Potential to cause an unwanted incident, which may result in harm to a system or organization and its assets
- Intentional or accidental, man-made or an act of God
- Assets are subject to many kinds of threats, which exploit vulnerabilities

24 Types of Threat
Man-made threats:
- Errors
- Sabotage
- Bombs
- Strikes
- Terrorist attack
- Competitors

25 Types of Threat
Man-made threats:
- Disgruntled employees
- Ex-employees
- Hackers
- Crackers
- Fire

26 Types of Threat
Natural threats:
- Floods
- Hurricanes
- Tornadoes
- Earthquakes
- Fire
- Lightning

27 Types of Threat
- Technological
- Deliberate threats
- Accidental threats
- Threat frequency

28 Threat Likelihood
- Low: less likely to occur
- Medium: some history of occurrence
- High: good possibility of occurrence

29 Impact of Threat
- Loss of money
- Loss of reputation or goodwill
- Opportunities missed
- Litigation
- Threat to personnel
- Break-ins or hacks
- Lost confidence
- Business interruption
- Reduced efficiency

30 Vulnerability
- A vulnerability is a weakness or hole in an organization's information security
- A vulnerability in itself does not cause harm
- It is merely a condition or set of conditions that may allow a threat to affect an asset
- A vulnerability, if not managed, will allow a threat to materialize

31 Vulnerabilities
- Absence of key personnel
- Unstable power grid
- Unprotected cabling lines
- Lack of security awareness
- Wrong allocation of password rights
- Insufficient security training
- No firewall installed
- Unlocked door
- Password same as user ID
- Poor choice of password
- New technology

32 Controls
- Controls are applied to mitigate risk: bring it to an acceptable level, or accept the risk
- Controls should be cost effective

33 Control Selection: Which Control?

34 Control Selection
- Risk
- Degree of assurance required
- Cost
- Ease of implementation
- Servicing
- Legal and regulatory requirements
- Customer and other contractual requirements

35 Control Selection - Cost
- Budget limitations
- Does the cost of applying the control outweigh the value of the asset?
- May have to select a "best value" range of controls

36 Control - Ease of Implementation
- Does the environment support the control?
- How long will the control take to implement?
- Is the control readily available?

37 Control - Servicing
- Are skills available to manage the controls?
- Are upgrades readily available?
- Is the equipment supported by local engineers or suppliers?

38 Controls
- The policies, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected

39 Power Outage Mitigation
- Provide one hour of uninterrupted power on all servers used internally
- Provide eight hours of uninterrupted power on all web servers and supporting hardware
- Replace desktop systems with laptops where possible
- Alternate power supply: DG set, UPS/voltage regulators

40 Fire Damage
- Automatic and manual fire alarms at strategic locations
- Fire extinguishers at strategic locations: Halon, CO2 or water?
- Automatic fire sprinkler system
- Control panels
- Automatic fireproof doors
- Master switches both inside and outside the IS facility
- Wiring in closets

41 Water Damage
- IS facility should not be on the ground floor
- Waterproof ceilings, walls and floors
- Drainage systems
- Water alarms
- Dry pipe sprinkler system
- Cover hardware with protective fabric

42 Controls of the Last Resort (Insurance)
- IS equipment and facility
- Media reconstruction (software)
- Extra expense
- Business interruption
- Valuable papers and records
- Errors and omissions
- Fidelity coverage
- Media transportation
- Extra equipment coverage
- Specialized equipment coverage
- Civil authority

43 What is a Contingency?
- An event with the potential to disrupt computer operations, critical missions and business functions
- Reasons: power outage, hardware failure, fire, storms

44 What is a Disaster?
- A contingency event which is very destructive
- Disasters result from threats

45 Phases of Disaster
- Crisis phase
- Emergency response phase
- Recovery phase
- Restoration phase

46 Disasters
- New York WTC collapse
- Gujarat earthquake
- Power outage knocks out a data server
- Sprinkler system leaks
- Chemical spills from a tanker

47 Nasdaq Story, 11 Sept 01
- 1 Liberty Plaza, headquarters of Nasdaq, is across the street from the WTC
- CIO Gregor Bailar provides an inside look at how Nasdaq got back up and running after the Sept. 11 tragedy
What was happening at 1 Liberty?
- They began evacuating after the first plane hit. Our security guards on their own accord evacuated our floor at least, so most of our people were on the ground when the second plane hit

48 Nasdaq Story, 11 Sept 01
- Halting the market wasn't a step you could take lightly
- "Yes, halt the market."

49 Nasdaq Story, 11 Sept 01
How did the command center operate?
- The first thing we had to understand was our personnel situation
- Then we broadened the investigation to learn who was affected among our traders
- Then we had to understand the situation from a physical perspective

50 Nasdaq Story, 11 Sept 01
How did the command center operate?
- Did we lose a building?
- Did we lose a data center?
- Did we lose connectivity?
- What have we got in the way of physical damage that's going to take a long time to restore?

51 Nasdaq Story, 11 Sept 01
How did the command center operate?
- Next we needed to know the regulatory situation: Are people trading today? What's the landscape of the trading industry?
- It was literally in that order

52 Nasdaq Story, 11 Sept 01
Some of your traders were in trouble, but Nasdaq's systems were all up?
- Nasdaq is highly redundant
- We have servers in different buildings
- Every single one of our traders is connected to two different Nasdaq points of presence or connection centers

53 Nasdaq Story, 11 Sept 01
Some of your traders were in trouble, but Nasdaq's systems were all up?
- There are four connection centers alone in downtown Manhattan
- 20 connection centers around the United States
- Every single server connects to two of those centers through two different paths, and often through two different vendors

54 Nasdaq Story, 11 Sept 01
How did you prepare for Monday?
- We started industrywide testing on Saturday at 7 or 8 in the morning, and by 11:30 that morning, we had achieved 98 percent of the volume.
- And then on Sunday we did a half-day of retesting with people who wanted to add a little more volume capability.

55 Nasdaq Story, 11 Sept 01
What did Nasdaq lose over the downtime and what did it cost to get back up?
- We have interruption insurance, so we hope to recover most of it, but it's in the millions, and it could crest tens of millions

56 Nasdaq Story, 11 Sept 01
What were the disaster recovery lessons for Nasdaq?
- We learned that distributed systems are really good.
- You have to think about how your business has concentrated people or operational centers in certain places. You've got to consider if it's the wisest distribution.
- We feel we were lucky having some folks in Connecticut and some in Maryland. Even if we had lost some of our senior management at 1 Liberty Plaza, we would have still had a senior team

57 Nasdaq Story, 11 Sept 01
After living through this, what would you advise other CIOs to consider?
- This was a true test of people's backup strategies
- Did you ever test your backup strategy?
- Have you worked out of your backup center?

58 Nasdaq Story, 11 Sept 01
After living through this, what would you advise other CIOs to consider?
- Do you know how to get people there?
- Do you know the critical phone numbers?
- A lot of people don't have phone numbers as part of their continuity of business plan

59 Nasdaq Story, 11 Sept 01
After living through this, what would you advise other CIOs to consider?
- I think people will have to look very carefully at their backup strategies and see whether they can communicate with everybody easily, whether the phone numbers are not stored in that same building that could experience the disaster, and whether they've got hot backups

60 Nasdaq Story, 11 Sept 01
After living through this, what would you advise other CIOs to consider?
- Hot backups are going to be much more popular than they have been in the past

61 [Chart; caption: Yellow line shows normal traffic]

62 How did AT&T Control?
- 141 video display screens showed the status of all the networks
- Network managers put controls on the network to slow down the flow of inbound calls
- Keep circuits available for outbound calling
- As a result, the AT&T long distance network carried a record 431 million call attempts on Sept. 11, 101 million more than the previous high-traffic day

63 Business Continuity Plan
- The BCP focuses on sustaining an organization's business functions during and after a disruption

64 Disaster Recovery Plan
- The DRP applies to major, usually catastrophic, events that deny access to the normal facility for an extended period

65 Types of Plans
- Business Recovery Plan: addresses restoration of business processes but lacks procedures
- Continuity of Operations Plan: addresses restoring H.Q.-level issues at an alternate site

66 Types of Plans
- Crisis Communication Plan: a plan responsible for public communications
- IT Contingency Plan: a plan for each major application
- Occupant Emergency Plan: response procedures for occupants
- Test Plan: identifies deficiencies in the different plans

67 Cyber Incident Response Plan
- The IRP defines strategies to detect, respond to and limit the consequences of a malicious cyber incident

68 Categories of Disaster
- Minor disruption
- Serious disruption
- Major disruption
- Catastrophic disruption

69 Categories of Disaster
Minor disruption:
- No damage or loss
- Temporary power failure or fluctuation
- Communication failure
- Unavailability of non-critical personnel

70 Categories of Disaster
Serious disruption:
- Repairable damage to equipment, office area, data, records, software
- Equipment breakdown
- Failure of AC
- Human error

71 Categories of Disaster
Major disruption:
- Destruction of equipment, office area, data
- Complete loss of equipment
- Structural mishap
- Malicious loss of data

72 Categories of Disaster
Catastrophic disaster:
- Total loss of office area, data or people due to a natural disaster like fire, flood etc.
- Complete destruction of personnel
- Complete destruction of facilities

73 What is a Disaster Recovery Plan?
A plan that provides a vital pre-planned framework for initiating recovery operations:
- Provides guidance for damage assessment
- Planned actions to resume critical IS and functional activities
- Restore full business operations
- Minimum delay and disruption

74 Coping with Emergencies
The idea of the DRP is to think before the actual happening:
- How likely is the happening?
- What can be done on happening?
- What can be done to lessen its likelihood?
- What can be done to prepare for these events?

75 DRP - Key Issues
- How to develop the plan
- How to test the plan
- How to maintain the plan
- How to keep continuity of operations

76 DRP Overview
- A total plan for all departments, integrated together
- Must be written, tested and documented
- Clear assignment of responsibilities to employees
- It should address: mainframe computers, minicomputers, microcomputers

77 DRP Overview
It should address...
- Networks
- Automated operations
- Semi-automated operations
- Manual operations

78 Why a Disaster Recovery Plan?
- To respond to disasters of any type
- To curtail revenue loss
- To avoid loss of critical data
- To maintain competitive edge
- To maintain employee productivity

79 DRP - Phases
- Identifying threats and vulnerabilities
- Developing the contingency plan
- Conducting tasks and drills
- Updating and maintaining the plan

80 Ranking of Objectives of DRP
- Protection of the organization's employees and the public
- Minimizing the financial impact
- Limiting the extent of damage
- Reducing physical damage

81 Planning Responsibilities
- Prime responsibility for developing, maintaining and executing the contingency plan is with senior management
- Recommended approach to planning is by teams

82 BCP Techniques - DRP Plan
- Top-down approach

83 BCP Techniques - DRP Plan
Top-down approach - it involves:
- Senior management
- Line management
- IS management
- System auditors
- End users

84 BCP Techniques - DRP Plan Steps
- Conduct impact analysis
- Plan design
- Plan development
- Plan implementation
- Plan testing
- Plan maintenance

85 BCP Techniques
- Ongoing maintenance
- Combination of top-down and bottom-up approach

86 BCP Techniques
Why do we require a plan? Responsibility to:
- Shareholders
- Customers
- Suppliers
- Employees
- Legal

87 BCP Techniques
What can go wrong in a planning process?
- Technical aspects
- Back-up employees
- Functional user operations
- Selection of the DRP team

88 BCP Techniques - Application System Prioritization
- Critical application systems
- Prioritize items
- Conduct impact analysis
- Prioritization to be based on importance to the organization and not to an individual

89 BCP Techniques
What can go wrong in system prioritization?
- The majority of systems may not be critical
- Most business users claim their system qualifies as critical

90 BCP Techniques - Planning Committee
- Responsible for developing the DRP
- Knowledgeable members
- Specific assignments

91 BCP Techniques - Planning Committee Members
- Knowledgeable members
- Project leaders
- Well versed with IS requirements
- From security, fire, operations, production control, legal, audit, users, telecommunication, network, system and application programming

92 BCP Techniques - Recovery Capability Assessment
- Current security
- Disaster recovery capabilities
- Weaknesses analysis
- Recommend prioritized actions

93 BCP Techniques - Plan Development Alternatives
- In-house
- Ready-made software package
- Hire consultants
- Combination of the above

94 BCP Techniques - Plan Requirement Analysis
- Hardware
- System software
- Personnel
- Telecommunications
- Backup data files
- Vendor support availability
- Security

95 BCP Techniques - Plan Requirement Analysis
- Office equipment
- Logistics
- Storage
- Funding
- Purchase orders

96 BCP Techniques - Planning Document Contents
- Purpose and scope
- Testing and recovery procedures
- Vendors with addresses and telephone numbers
- Location of the contingency plan
- Procedure for post-recovery
- Emergency recovery team members with responsibilities
- Phone list for fire, police, hardware, software, major suppliers and customers

97 BCP Techniques - Planning Document Contents
- Contact person with address at the backup location
- Description and configuration of hardware and software
- Backup contractual agreements
- Application system job priorities
- Logistics
- Insurance carrier phone numbers

98 Contingency Planning Process - Steps
- Identifying the critical functions
- Identifying the resources supporting critical functions
- Anticipating potential contingencies or disasters
- Selecting a contingency planning strategy: emergency response, recovery, resumption

99 Contingency Planning Process - Steps
- Implementing the contingency strategy: implementation, documenting, training
- Testing and revising the strategy

100 Disaster Recovery Teams
- Emergency action team
- Disaster assessment team
- Recovery management team
- Public relations team
- Off-site storage team
- Software team
- Application team
- Security team
- Communication team
- Transportation team
- Facilities team
- Administration team
- Operation team
- Procurement team
- Salvage team
- Staff coordination team

101 Activating the Plan
- Recognize an emergency
- Contact the proper authority and report:
  - Specific nature of the emergency
  - Time of the emergency
  - Location of the emergency
  - Extent of damage or status of the emergency
  - Danger or injuries to people
  - Cause of the emergency

102 Activating the Plan
- Activate the plan
- Gather the response team
- Brief the response team
- Activate the emergency command center:
  - Communications equipment
  - Personal protective equipment (first aid kits)
  - Records and information needed to respond
  - Reference manuals, including maps

103 Activating the Plan
Activate the emergency command center:
- Emergency communication directory
- Back-up power supply, including fuel
- Office supplies, including computers with internet access
- AM/FM radios, cable television
- Food, water, and other personal supplies to last several days
- Message boards, overhead projectors and other presentation materials and equipment

104 Activation of the Plan
- Maintain communication
- Initiate recovery activities
- Assemble a damage assessment team
- Gather initial damage estimates:
  - Facility structural damage
  - Damage to products, materials, or supplies, including records and information
  - Damage to vehicles or equipment
  - Damage to property

105 Activation of the Plan
Gather initial damage estimates:
- Personal injuries
- Costs to recover (materials and supplies)
- Costs to recover (repairs and maintenance)
- Costs to recover (labor)
- Loss of revenue
- Compile the information into a report: Initial Damage Assessment Report

106 Initial Damage Assessment Report
Facility Damaged:
Location: (Attach map with clearly marked location and travel route to site, if needed)
Describe Damage or Injuries:
List Work Needed to Repair Sites:
List Work that has been Completed: (Attach activity report if any work has been completed)
Estimated Cost: (Develop a detailed breakdown of personnel, equipment, and materials for complete damage assessment; include estimate of any loss of revenue)
Notes/Comments:
Damage Report Completed By:
Dated:

107 Activation of the Plan
- Train the damage assessment team
- Initiate security activities:
  - Issuing identification badges to employees and other authorized personnel
  - Locking doors if personnel cannot monitor the facility during an emergency
  - Installing signs designating secured or restricted areas
  - Placing a sign-in sheet at the command center and logging time in/out
  - Creating a list of authorized personnel and monitoring it

108 Activation of the Plan
- Initiate security activities:
  - Ensuring that personnel know who is authorized to make decisions
  - Maintaining supplies to board up windows quickly
  - Securing cash operations immediately
  - Asking for police assistance
  - Asking a neighbor to help monitor security
- Notify recovery site
- Notify impacted staff
- File insurance claims
- Primary site procedures
- Return to normal operations
- Post-recovery analysis
- Activate contingency arrangements

109 Develop Recovery Priorities

110 Recovery Alternatives - Centralized Systems
- Hot site
- Warm site
- Cold site
- Mobile site
- Mirrored site
- Duplicate information processing facility
- Reciprocal agreement
- Commercial service bureaux

111 Recovery Alternatives - Hot Site
- Fully configured
- Ready for operations
- Intended for emergency operations
- Used for limited-time operations
- Most expensive

112 Recovery Alternatives - Warm Site
- Partially configured
- Without CPU
- Less expensive than a hot site

113 Recovery Alternatives - Cold Site
- Only basic environment
- Activation takes several weeks
- Least expensive

114 Recovery Alternatives - Mobile Site
- Empty shell facilities
- Transportable
- Available on lease through vendors

115 Recovery Alternatives - Mirrored Site
- Fully redundant
- Real-time information mirroring
- Identical to the primary site
- Most expensive to maintain

116 Recovery Alternatives - Duplicate Information Processing Facilities
- Dedicated, self-developed recovery sites
- Backup of critical applications
- Site chosen to be away from the primary site
- Resource availability to be assured
- Regular testing

117 Recovery Alternatives - Reciprocal Agreements
- Agreements between organizations with similar equipment or applications
- Low cost
- Configuration compatibility

118 Service Bureaus/ASPs
- Emergency processing services
- Application specific

119 Alternate Site Selection Criteria

120 Telecommunication Network Backup
- Redundancy: surplus capacity created for extra load/failure
- Alternative routing: routing by means of an alternate medium
- Diverse routing: split or duplicate cable sheath

121 Telecommunication Network Backup
- Last mile circuit protection
- Local communication loops
- Long haul network diversity
- T1 circuits between network carriers for automatic re-routing in case of failures
- Voice recovery

122 Data Recovery Plan
- Critical
- Vital
- Sensitive
- Non-critical

123 Backup Techniques
- Full backup
- Incremental backup
- Differential backup
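As an added illustration that is not part of the original deck, the Python below simulates a week of backups (Sunday full, then daily incremental or differential) over a constructed set of changed files and shows what the three techniques mean at restore time: which media the restore chain needs, how much data is read back, and which files come back stale when one medium in the chain is unreadable.

```python
"""Restore-chain comparison for full, incremental and differential backups.

Added example; the file names and change days below are constructed data.
"""
from dataclasses import dataclass

# Constructed sample: files captured by the Sunday full backup, and the files
# that changed on each following day. A file's version is labelled by the day.
FILES = ["ledger.db", "payroll.xls", "contracts.doc", "inventory.db", "manuals.pdf"]
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu"]
DAILY_CHANGES = {
    "Mon": {"ledger.db", "payroll.xls"},
    "Tue": {"ledger.db"},
    "Wed": {"contracts.doc", "payroll.xls"},
    "Thu": {"ledger.db", "inventory.db"},
}


@dataclass
class Backup:
    label: str
    kind: str        # "full", "incremental" or "differential"
    contents: dict   # file -> version (day label) stored on this medium


def make_backups(strategy: str) -> list:
    """Build the Sun..Thu media set for 'incremental' or 'differential'."""
    if strategy not in ("incremental", "differential"):
        raise ValueError(strategy)
    backups = [Backup("Sun-full", "full", {f: "Sun" for f in FILES})]
    since_full = {}  # latest version of everything changed since the full
    for day in DAYS[1:]:
        todays = {f: day for f in DAILY_CHANGES[day]}
        since_full.update(todays)
        # incremental: only what changed since the previous backup of any kind
        # differential: everything changed since the last full backup
        contents = dict(todays) if strategy == "incremental" else dict(since_full)
        backups.append(Backup(f"{day}-{strategy}", strategy, contents))
    return backups


def restore_chain(backups: list, target_day: str) -> list:
    """Media needed, in apply order, to rebuild the state as of target_day."""
    idx = DAYS.index(target_day)
    if idx == 0:
        return [backups[0]]
    if backups[1].kind == "incremental":
        return backups[: idx + 1]        # full + every incremental up to the day
    return [backups[0], backups[idx]]    # full + the latest differential only


def apply_chain(chain: list) -> dict:
    """Replay media in order; later media overwrite earlier versions."""
    state = {}
    for backup in chain:
        state.update(backup.contents)
    return state


def expected_state(target_day: str) -> dict:
    """Ground truth: each file's latest version on or before target_day."""
    state = {f: "Sun" for f in FILES}
    for day in DAYS[1 : DAYS.index(target_day) + 1]:
        for f in DAILY_CHANGES[day]:
            state[f] = day
    return state


def restore_report(strategy: str, target_day: str, missing: str = None) -> dict:
    """Summarise a restore: media used, files read, and files left stale when
    the medium labelled `missing` is unreadable (lost or damaged tape)."""
    chain = [b for b in restore_chain(make_backups(strategy), target_day)
             if b.label != missing]
    restored = apply_chain(chain)
    wanted = expected_state(target_day)
    return {
        "media": [b.label for b in chain],
        "files_read": sum(len(b.contents) for b in chain),
        "stale": sorted(f for f in FILES if restored.get(f) != wanted[f]),
    }


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, "Thu:", restore_report(strategy, "Thu"))
        print(strategy, "Thu, Wed medium lost:",
              restore_report(strategy, "Thu", f"Wed-{strategy}"))
```

The trade-off the slide only names shows up in the numbers: the incremental chain reads less per night but needs every medium since the full and fails on any gap, while the differential restore needs only two media but each differential grows through the week.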

124 Backup Methods
- Floppy diskettes
- Compact disk
- Replication
- Internet backup

125 Backup Methods
- Removable cartridges
- Tape drives
- Networked disk
- Remote mirroring

126 Answer the following
- Where will the media be stored?
- What data should be backed up?
- How frequently are backups conducted?
- How quickly can the backups be retrieved in the event of an emergency?
- Who is authorized to retrieve the media?
- How long will it take to retrieve the media?
- Where will the media be delivered?

127 Answer the following
- Who will restore the data from the media?
- What is the tape-labeling scheme?
- How long will the backup media be retained?
- When the media are stored onsite, what environmental controls are provided to preserve the media?
- What types of tape readers are used at the alternate site?

128 Backup Media Library
It should contain:
- Backup of tapes, disks, master and transaction files
- Backup copies of current application software
- Up-to-date copy of the contingency plan
- Up-to-date operation manuals, system and program documentation
Each facility must have a backup media library

129 Backup Media Library
- Should be at some distance from the main facility
- Subject to physical and environmental controls

130 Backup Procedures
What can go wrong:
- May contain only magnetic or electronic records, not paper records
- Access not available at all times
- Critical data may not be stored

131 Backup Procedures
Determining backup priorities:
- Postpone less urgent tasks
- Identify critical functions in advance
- Eliminate or postpone non-urgent portions of record keeping

132 Plan Testing
- Scope
- Time-frame
- Teams
- Objectives
- Methodology
- Conduct
- Evaluation
- Weaknesses
- Improvement
- Revision

133 Phases of Testing
- Pre-test
- Test
- Post-test

134 Types of Tests
- Checklist test
- Structured walk-through test
- Simulation test
- Parallel test
- Full interruption test

135 Result Analysis
- Time
- Amount
- Count
- Accuracy

136 Test Examples
- Contact every level of the call tree successfully within 1 hour
- Restore critical systems off-site within 48 hours
- Evacuate the building in 15 minutes
- Contact key vendors within 1 hour
- Fire drills carried out selectively
- Check jockey pump pressure
- Notify participants in advance

137 Awareness and Training
- Walkthrough session
- Scenario workshop
- Simulation of a live test

138 BCP Maintenance
- Strategy as per the changing needs of the business
- New applications documented
- Changes in critical applications
- Changes in the hardware or software environment
- Plan maintenance methods

139 BCP Maintenance
- Schedule for periodic review and maintenance
- Review of revisions
- Conducting scheduled and unscheduled tasks
- Training recovery personnel
- Maintaining rounds
- Updating personnel changes

140 Record of Change

141 Law and Standards

142 HIPAA (Health Insurance Portability and Accountability Act, US): documented practices for data protection and continuity of operations in the health care industry; its Security Rule requires a contingency plan covering data backup, disaster recovery and emergency-mode operation, with testing and revision.

143 GLBA (Gramm-Leach-Bliley Act) and the Expedited Funds Availability Act: standards for safeguarding the security and confidentiality of customer records.

144 Sarbanes-Oxley Act: an Act for protecting investors by improving the reliability of corporate disclosures and internal control; the Section 404 assessment of internal control over financial reporting brings the IT systems that produce those reports, and their recovery, into audit scope.

145 GASSP (Generally Accepted System Security Principles): security principles modelled on the Generally Accepted Accounting Principles and similar frameworks.

146 ITIL (Information Technology Infrastructure Library): a collection of best practices in IT service management; its IT Service Continuity Management process covers the recovery of IT services.

147 Basel Committee on e-Banking: principles for effective capacity, business continuity and contingency planning for e-banking systems and services.

148 Basel II Capital Accord: a capital-adequacy framework that treats operational risk, including business disruption and system failures, as a risk banks must measure and hold capital against, which pushes financial firms to manage continuity proactively rather than after the event.

149 SAS 70: AICPA auditing standard for reporting on the controls of a service organization, widely recognized internationally; since replaced by SOC reports under SSAE 16 and later SSAE 18.

150 COBIT: a framework of control objectives for IT that are considered good or best practice.

151 Strategies for Networked Systems

152 Strategies: eliminating single points of failure; redundant cabling and devices; remote access; wireless LANs.

153 Strategies for Fault-Tolerant Implementation

154 RAID (Redundant Array of Independent Disks): a system that uses multiple hard drives to share or replicate data among the drives, combining them into a single logical unit.

155 RAID benefits: protection of data against drive failure; fault tolerance; improved availability; increased, integrated capacity; improved performance. RAID is not a backup: it does not protect against deletion, corruption, ransomware or loss of the site, so it complements rather than replaces the backup procedures above.

156 RAID data redundancy techniques: mirroring; parity; striping (striping by itself adds no redundancy and is combined with mirroring or parity).

157 RAID mirroring: data is written simultaneously to two hard disks instead of one.

158 RAID mirroring (illustration)

159 RAID mirroring. Advantages: data redundancy; fast recovery (the surviving copy is used directly, with no reconstruction). Disadvantages: expensive (50% storage efficiency).

160 RAID duplexing: data is written simultaneously to two hard disks attached to separate controllers, so a controller failure is tolerated as well as a disk failure.

161 RAID disk duplexing (illustration)

162 RAID striping: a data element is broken into multiple pieces at byte level or in blocks and spread across the drives.

163 RAID striping (illustration)

164 RAID parity: redundancy information calculated from the actual data values (typically the XOR of the data blocks in a stripe); any single missing block in the stripe can be recomputed from the remaining blocks and the parity.

165 RAID levels: RAID-0. Technique: striping without parity; files are broken into stripes; no redundancy; storage efficiency 100% if drives are identical; minimum of 2 hard disks; fault tolerance none (one drive failure loses the whole array); cost lowest of all RAID levels; recommended use: non-critical data.

166 RAID-0 (illustration): files of different sizes distributed between the drives of a four-disk RAID 0 array with a 16 kiB stripe size. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; the magenta is 500 kiB.

167 RAID levels: RAID-1. Technique: mirroring; 2 hard disks (a mirrored pair); fault tolerance very good; storage efficiency 50% if drives are identical; cost relatively high; recommended use: applications requiring high fault tolerance, e.g. accounting and other financial data.

168 RAID-1 (illustration): a pair of mirrored hard disks, showing how the files are duplicated on both drives.

169 RAID levels: RAID-2. Technique: bit-level striping with Hamming-code ECC; the disk count depends on the word size, e.g. 10 data disks plus 4 ECC disks; random read performance fair; random write performance poor; fault tolerance only fair; cost very expensive; recommended use: none, not used in modern systems.

170 RAID levels: RAID-3. Technique: byte-level striping with dedicated parity; minimum 3 hard disks; random read performance good; random write performance poor; array capacity = size of smallest drive x (number of drives - 1); fault tolerance good; cost moderate; recommended use: applications working with large files that need high transfer rates.

171 RAID-3 (illustration): files of different sizes distributed between the drives of a four-disk, byte-striped RAID 3 array. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; the magenta is 500 kiB. The files are spread evenly across three drives, with the fourth holding the parity information (shown in dark gray).

172 RAID levels: RAID-4. Technique: block-level striping with dedicated parity; random read performance good; random write performance fair (every write updates the single parity disk, which becomes the bottleneck); array capacity = size of smallest drive x (number of drives - 1); minimum 3 hard disks; fault tolerance good; cost moderate; recommended use: not commonly used.

173 RAID-4 (illustration): files of different sizes distributed between the drives of a four-disk RAID 4 array with a 16 kiB stripe size. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; the magenta is 500 kiB. As with RAID 3, the files are spread evenly across three drives, with the fourth holding the parity information (shown in gray).

174 RAID levels: RAID-5. Technique: block-level striping with distributed parity; one of the most popular RAID levels; random read performance very good; random write performance only fair (each small write is a read-modify-write of the data block and its parity block); array capacity = size of smallest drive x (number of drives - 1); minimum 3 hard disks; fault tolerance good (any one drive; a second failure before the rebuild completes loses the array); cost moderate; recommended uses: ERP, relational database applications and other business systems.

175 RAID-5 (illustration): files of different sizes distributed between the drives of a four-disk RAID 5 array with a 16 kiB stripe size. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; the magenta is 500 kiB.

176 RAID levels: RAID-6. Technique: block-level striping with dual distributed parity; minimum 4 hard disks; random read performance very good; random write performance poor; array capacity = size of smallest drive x (number of drives - 2); fault tolerance very good (any two drives); cost high; specialized controller; recommended uses: same as RAID-5; historically less popular because of the cost, but now commonly preferred over RAID-5 for large-capacity drives because the array survives a second failure during a long rebuild.

177 RAID-6 (illustration): files of different sizes distributed between the drives of a four-disk RAID 6 array with a 16 kiB stripe size. The red file is 4 kiB in size; the blue is 20 kiB; the green is 100 kiB; the magenta is 500 kiB.

178 RAID levels: RAID-7. Proprietary product of Storage Computer Corporation; number of hard disks depends on the implementation; random read performance very good; random write performance very good; array capacity depends on the implementation; fault tolerance very good; cost very high; specialized controller; recommended uses: not popular because of the high cost.

179 Multiple (nested) RAID levels: RAID-0+1 and RAID-10. Technique: mirroring and striping without parity (RAID 0+1 mirrors two striped sets; RAID 10 stripes across mirrored pairs); most popular of the multiple RAID levels; minimum 4 hard disks; availability very good for RAID-0+1, excellent for RAID-10 (RAID 10 survives more combinations of two simultaneous drive failures); random read performance very good; random write performance good; fault tolerance very good; cost high; recommended uses: often used in place of RAID-1 or RAID-5 for higher performance.

180 RAID 0+1 (illustration)

181 RAID 10 (illustration)
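The RAID-level slides above give the capacity formulas and the fault-tolerance claims; the script below is an added example, written for this page and not taken from the presentation, that shows where those numbers come from. It stripes data RAID-0 style, then builds a RAID-5 array in which one XOR parity block per stripe rotates across the disks, reads the data back, and reconstructs any single failed disk from the survivors. Block size, disk count and the sample payload are assumptions chosen for illustration; the parity placement (stripe s puts its parity on disk s mod n) is one of several rotation schemes real controllers use.

```python
"""RAID-0 striping and RAID-5 rotated XOR parity, with rebuild of a failed disk."""


def xor_blocks(blocks):
    """XOR equal-length byte blocks together: this is the parity calculation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def _chunk(data, block, per_stripe):
    """Split data into fixed-size blocks, padding to a whole number of stripes."""
    chunks = [data[i:i + block] for i in range(0, len(data), block)]
    while len(chunks) % per_stripe:
        chunks.append(b"")
    return [c.ljust(block, b"\0") for c in chunks]


def raid0_write(data, n_disks, block=4):
    """RAID-0: round-robin striping, no redundancy, 100% storage efficiency."""
    chunks = _chunk(data, block, n_disks)
    return [chunks[d::n_disks] for d in range(n_disks)]


def raid0_read(disks, length):
    """Reassemble a RAID-0 volume; loses everything if any disk is missing."""
    out = bytearray()
    for stripe in range(len(disks[0])):
        for disk in disks:
            out += disk[stripe]
    return bytes(out[:length])


def raid5_write(data, n_disks, block=4):
    """RAID-5: n-1 data blocks per stripe plus one XOR parity block whose
    position rotates (parity for stripe s lives on disk s % n), so no single
    disk becomes the write bottleneck that RAID-4's dedicated parity disk is."""
    if n_disks < 3:
        raise ValueError("RAID-5 needs at least 3 disks")
    per_stripe = n_disks - 1
    chunks = _chunk(data, block, per_stripe)
    disks = [[] for _ in range(n_disks)]
    for stripe, start in enumerate(range(0, len(chunks), per_stripe)):
        data_blocks = chunks[start:start + per_stripe]
        parity = xor_blocks(data_blocks)
        parity_disk = stripe % n_disks
        blocks = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(blocks))
    return disks


def raid5_read(disks, length):
    """Reassemble the data from a healthy array, skipping the parity blocks."""
    n = len(disks)
    out = bytearray()
    for stripe in range(len(disks[0])):
        for d in range(n):
            if d != stripe % n:
                out += disks[d][stripe]
    return bytes(out[:length])


def raid5_rebuild(disks, failed):
    """Reconstruct one failed disk (data or parity) by XOR-ing the survivors.
    Two simultaneous failures cannot be recovered this way: each stripe would
    have two unknowns and only one XOR equation, which is exactly what the
    second, independently computed parity block of RAID-6 addresses."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    repaired = list(disks)
    repaired[failed] = rebuilt
    return repaired


def raid_capacity(level, sizes):
    """Usable capacity per the formulas on the RAID-level slides (the smallest drive counts)."""
    n, smallest = len(sizes), min(sizes)
    return {0: sum(sizes), 1: smallest, 5: smallest * (n - 1),
            6: smallest * (n - 2), 10: smallest * n // 2}[level]


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"   # constructed sample data
    array = raid5_write(payload, 4)
    damaged = list(array)
    damaged[2] = None                                          # disk 2 dies
    assert raid5_rebuild(damaged, 2) == array                  # fully reconstructed
    print("RAID-5 rebuild ok; 4 x 2 TB usable at RAID-5:", raid_capacity(5, [2] * 4), "TB")
```

Because the parity position rotates, every disk in the four-disk array holds both data and parity blocks, so rebuilding any one of them exercises both cases. Try setting two disks to `None` and the rebuild has no way to proceed, which is the practical argument for RAID-6 or RAID-10 on large drives whose rebuild takes many hours.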

182 Strategies for data communications: dial-up circuit extension; on-demand service from the carriers; diversification of services (carriers and routes); microwave communications; VSAT.

183 Strategies for voice communications: cellular phone backup; carrier call-rerouting systems; backup PBX systems.

184 Electronic vaulting: the ability to store and retrieve backups electronically at a site remote from the primary computer centre (typically a batch transfer of backup data).

185 Remote journaling: parallel processing of transactions to an alternate site; the transaction journal (log) entries are transmitted as they are written, as opposed to the batch transfer of electronic vaulting, so the alternate site can be rolled forward to a point close to the time of failure.

186 Database shadowing: the live processing of remote journaling with further redundancy, duplicating the database sets to multiple servers.

187 Backup strategies: dual recording; dumping; logging input transactions; logging before-images; logging after-images.
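The last three slides (remote journaling, database shadowing, the dump and before/after-image logging strategies) fit together as one recovery mechanism, and the script below is an added example, not from the presentation, that runs it end to end on a toy key-value store. A dump records the state at a point in the journal; after-images of committed transactions written after the dump are replayed (roll-forward); before-images of transactions that never committed are restored (roll-back), which also handles a transaction that was in flight when the dump was taken. The store, the record layout and the transfer scenario are constructed assumptions; the journal copy handed to `recover` stands in for the one a remote-journaling link would have delivered to the alternate site.

```python
"""Dump plus before/after-image journal: roll forward committed work, roll back the rest."""
import copy


class JournaledStore:
    """Toy key-value store that writes a journal record for every update.

    Each WRITE record carries the before-image (value prior to the write,
    None if the key did not exist) and the after-image (new value), so one
    journal serves both roll-forward and roll-back.
    """

    def __init__(self):
        self.data = {}
        self.journal = []   # ("WRITE", tx, key, before, after) or ("COMMIT", tx)

    def write(self, tx, key, value):
        self.journal.append(("WRITE", tx, key, self.data.get(key), value))
        self.data[key] = value

    def commit(self, tx):
        self.journal.append(("COMMIT", tx))

    def dump(self):
        """Checkpoint: a copy of the data plus the journal position it reflects."""
        return copy.deepcopy(self.data), len(self.journal)


def recover(snapshot, journal, position):
    """Rebuild the store from a dump and the journal that reached the alternate site.

    Redo pass: re-apply, in journal order, the after-images written after the
    dump by transactions that committed. Undo pass: walk the whole journal
    backwards restoring before-images of transactions that never committed;
    this must cover records from before the dump too, because an uncommitted
    write made before the checkpoint is already inside the snapshot.
    """
    committed = {rec[1] for rec in journal if rec[0] == "COMMIT"}
    data = dict(snapshot)
    for rec in journal[position:]:
        if rec[0] == "WRITE" and rec[1] in committed:
            data[rec[2]] = rec[4]
    for rec in reversed(journal):
        if rec[0] == "WRITE" and rec[1] not in committed:
            if rec[3] is None:
                data.pop(rec[2], None)
            else:
                data[rec[2]] = rec[3]
    return data


def demo():
    """Constructed scenario: a committed transfer after the dump, then a crash mid-transaction."""
    store = JournaledStore()
    store.write("t1", "acct:A", 100)
    store.write("t1", "acct:B", 50)
    store.commit("t1")
    snapshot, position = store.dump()          # dump taken here
    store.write("t2", "acct:A", 70)            # t2: transfer 30 from A to B
    store.write("t2", "acct:B", 80)
    store.commit("t2")
    store.write("t3", "acct:A", 0)             # t3 never commits: crash
    remote_journal = list(store.journal)       # the copy that reached the alternate site
    del store                                  # primary site is gone
    return recover(snapshot, remote_journal, position)


if __name__ == "__main__":
    print(demo())   # committed transfer kept, half-done t3 undone
```

The recovered state keeps t2's transfer and discards t3's partial write, which is the difference between "logging after-images" (enough to roll forward) and "logging before-images" (needed to roll back). With electronic vaulting only the snapshot would exist at the remote site, and everything after the dump would be lost; remote journaling closes that gap to the last record transmitted.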

188 Network Attached Storage (NAS): a class of systems that provide file services to host computers (file-level access over network protocols such as NFS and SMB); a dedicated storage solution attached to the network topology.

189 Storage Area Network (SAN): a network of storage disks; connects multiple computers to a centralized pool of block-level disk storage; Fibre Channel technology (iSCSI over Ethernet is the other common transport).

190 SAN advantages: centralization of storage; storage and server resources grow independently; data transfer directly from device to device.

191 Server load balancing: distributing user activity across a network so that no single server is overloaded; enables the application to keep operating even if one of the servers is down, provided the balancer health-checks its servers and takes failed ones out of rotation.

192 Server load balancing is done by load balancers: routers and switches with application-specific integrated circuits (ASICs).
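The availability claim on slide 191 depends on the health-check behaviour, so the following added example (written for this page, not from the presentation or any vendor's product) implements the core of a load balancer in a few dozen lines: round-robin over the healthy pool, ejection after a threshold of consecutive failed probes, readmission after a run of successes to avoid flapping, and an explicit error when no backend is left instead of silently sending traffic to a dead server. Server names, the probe callable and the thresholds are constructed assumptions.

```python
"""Round-robin load balancer with health checks that eject failed servers."""


class LoadBalancer:
    """Distributes requests round-robin over the servers currently marked healthy.

    A server leaves the pool after `max_failures` consecutive failed health
    checks and rejoins after `recover_after` consecutive successes, so one
    flapping probe does not bounce it in and out of rotation.
    """

    def __init__(self, servers, probe, max_failures=2, recover_after=2):
        self.servers = list(servers)
        self.probe = probe                 # callable: server -> True if it answers the check
        self.max_failures = max_failures
        self.recover_after = recover_after
        self.failures = {s: 0 for s in self.servers}
        self.successes = {s: 0 for s in self.servers}
        self.healthy = set(self.servers)
        self._next = 0

    def health_check(self):
        """Probe every server once and update the healthy pool; returns the pool."""
        for s in self.servers:
            if self.probe(s):
                self.failures[s] = 0
                self.successes[s] += 1
                if s not in self.healthy and self.successes[s] >= self.recover_after:
                    self.healthy.add(s)
            else:
                self.successes[s] = 0
                self.failures[s] += 1
                if self.failures[s] >= self.max_failures:
                    self.healthy.discard(s)
        return sorted(self.healthy)

    def pick(self):
        """Next healthy server in rotation; raises when none is left, which the
        caller should surface as an outage rather than hide."""
        if not self.healthy:
            raise RuntimeError("no healthy backend")
        for _ in range(len(self.servers)):
            s = self.servers[self._next % len(self.servers)]
            self._next += 1
            if s in self.healthy:
                return s
        raise RuntimeError("unreachable: healthy pool is non-empty")


def simulate(backend_state, requests, checks=2):
    """Constructed scenario: `backend_state` maps server -> up (True) or down (False).
    Run `checks` health-check rounds, then route `requests` requests and count
    how many each server served."""
    lb = LoadBalancer(sorted(backend_state), lambda s: backend_state[s])
    for _ in range(checks):
        lb.health_check()
    served = {s: 0 for s in backend_state}
    for _ in range(requests):
        served[lb.pick()] += 1
    return served


if __name__ == "__main__":
    print(simulate({"web1": True, "web2": True, "web3": False}, 6))
```

With `checks=1` the dead server is still in rotation (one failed probe is below the threshold) and a third of the requests go to it; with two check rounds it has been ejected and the load splits between the survivors. The thresholds are the knob a practitioner tunes against the recovery objective: a higher `max_failures` tolerates probe noise, a lower one shortens the window in which users hit a failed server.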

193 IS Audit Technique. Role of the auditor: observer, reviewer, reporter.

194 Review of BCP: obtain a current copy of the BCP; evaluate the documented procedures; confirm that critical applications are identified, that all applications were reviewed and that the critical applications are supported; review BCP personnel, vendors, hot-site contents and backup contents.

195 Review of BCP: interview key members; evaluate the emergency procedures; check for written procedures for the recovery teams.

196 Audit procedure: interview personnel and read the documents: risk analysis documents; disaster recovery requirement documents; disaster recovery training documents; disaster recovery plan testing documents; disaster recovery plan maintenance procedures; alternative-processing contracts with backup facilities; third-party audit reports.

197 Audit procedure: risk analysis: identification of critical applications; classification of critical data; minimum hardware configuration; existing file backup procedures; record retention and rotation schedules.

198 Audit procedure: off-site storage facilities (commercial or private): verify financial background and reputation; visit the facility; assess the storage standards; method of separation of media; mode of transportation of media.

199 Audit procedure: off-site storage facilities (continued): review the flow of media in and out; visitor access; terms and conditions of vendors; confidentiality of data; periodic inventory of media; other physical and environmental controls.

200 Audit procedure: plan documents: number of subscribers to, and capacity of, the computer at the backup facility; fee structure of the vendor; off-site media storage facility; liability of vendors for loss or damage at the off-site location; names, addresses and telephone numbers of recovery team members; transportation arrangements.

201 Audit procedure: plan documents (continued): equipment and support; emergency team instructions for evacuation and recovery; telephone numbers of hardware and software supply vendors; procedures to handle bomb or arson threats; plan testing procedures; network configuration diagram and documentation.

202 Audit objectives: adequacy of the risk analysis; adequacy of the off-site storage facilities; DRP documents are complete, clear and understandable; adequacy of management preparedness; adequacy of plan maintenance procedures.

203 Audit objectives: identify problems and concerns; make cost-effective recommendations; identify over-secured and under-secured activities.

204 Thanks...

