McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Information Assurance for the Enterprise: A Roadmap to Information.


1 Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker
Chapter 10: Continuity Planning and Disaster Recovery
McGraw-Hill/Irwin. Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.

2 10-2 Objectives
- Develop an effective business continuity approach
- Manage an effective incident response
- Plan for disaster recovery

3 10-3 Business Continuity
- Preserves essential organizational assets
- Protect resources from damage, destruction, and loss
- Serves as an information assurance lifeboat
- Does not preserve everything; preserves things essential to continue business operations
- Develops and maintains an up-to-date, comprehensive strategy

4 10-4 Business Continuity Planning
- Planning mitigates the interruption of essential services
- Seeks to re-establish operations quickly by focusing on critical functions
- Relies on contingency plans that itemize the steps to follow when needed
- First step in building the plan is to identify and prioritize critical assets through risk analysis
- Business continuity
- Offsite storage and recovery facilities

5 10-5 Continuity and Business Value
- Continuity planning
  - Preparedness plan – prevention and minimization of damage as well as securing or recovering information after a disaster
  - Developed through a strategic planning process
  - Characterizes the operational measures followed to prevent avoidable disasters
  - Enumerates the contingency measures to be adopted, should a disaster occur
  - Itemizes the replacement and restoration procedures used to ensure the integrity of the information assets

6 10-6 Continuity and Business Value: Contents of continuity plan
- Continuity planning process has two goals:
  - To avoid loss of critical information in a disaster
  - To return critical information functions to operation as quickly and efficiently as possible
- Continuity planning function targets the three components of an IT operation:
  - Systems
  - Personnel
  - Facilities

7 10-7 Continuity and Business Value: Contents of continuity plan (cont'd)
- Plans must be established to respond to every possible threat
- Key concept is feasibility
- Employs ongoing threat modeling and risk assessment processes
  - To identify and prioritize threats because of the need to identify and address only the feasible options
- Establishes a risk analysis procedure
  - To decide the order in which the threats should be addressed by a formal preparedness response

8 10-8 Proactive Response: Ensuring "Continuous" Continuity
- To ensure continuity, build real-time survivability into the overall information function
- Immediate "recoverability" – integration of protection strategies with a range of proactive recovery technologies
- The result should be a dynamic assurance solution that blends protection elements
  - Firewalls and intrusion detection systems
- Rigor is essential
- Survival of critical technology processes is inextricably linked to the continuing effectiveness of functions

9 10-9 Recovery time
- Fundamental aim of the business continuity process is to:
  - Ensure the shortest realistic recovery time possible
- Estimate recovery time calculated by determining the Maximum Tolerable Downtime (MTD)
- Estimate based on three concepts:
  - Recovery Time Objective (RTO)
  - Network Recovery Objective (NRO)
  - Recovery Point Objective (RPO)

10 10-10 Recovery time
- Recovery Time Objective (RTO)
  - Maximum operationally acceptable period of time that a system can be out of service without causing harm
- Network Recovery Objective (NRO)
  - Greatest amount of time a network can be out of service
- Recovery Point Objective (RPO)
  - The point in time to which data can be restored after a failure

11 10-11 Recovery time
- Determining RTO, NRO, and RPO for one environment
- RTO/NRO and RPO are mutually supportive, but:
  - They are different concepts
  - They support different sets of decisions and protection requirements

12 10-12 Alternative Sites
- In the event of a disaster
  - Systems should be able to switch processing functions efficiently to alternative sites
- Relationship between criticality requirements and alternative processing requires an understanding of:
  - Hotsites
  - Warmsites
  - Coldsites

13 10-13 Data Recovery: Hotsites
- In critical instances requiring an immediate restoration capability
- Facilities mirror the real-time processing at the primary site
- Provides near instantaneous backup since they operate in parallel
- Ensures the optimum potential for total recovery of the data resource and continuity of operation

14 10-14 Data Recovery: Warmsites
- Provide the equipment and communications interfaces for establishing an immediate backup operation
- Cannot ensure that all the data will be preserved
- Usually the most practical approach
- Extremely cost efficient

15 10-15 Data Recovery: Coldsites
- It provides a degree of protection
- Value – resumption of business operations as soon as the staff is moved
- Disadvantage – significant data from the primary site might be lost or have to be rebuilt

16 10-16 Analysis Processes
- Identify risks to critical systems and the effect their failure has on overall business processes
- Two kinds of analyses are associated with continuity plans development:
  - Business impact analysis
  - Risk analysis

17 10-17 Analysis Processes
- Business impact analysis
  - Determines the effect that a potential disruption might have on a function or information asset
- Risk analysis
  - Examines the critical functions and resources that support operations detailed in the impact study
  - Driven by an estimate of the overall criticality of the system
  - Major component of risk analysis is disaster tolerance

18 10-18 Analysis Processes: Risk analysis (cont'd)
- Disaster tolerance
  - Implies various levels of criticality
  - Varying degrees of associated responses, which form four categories:
    - Minimal criticality
    - Average criticality
    - High criticality
    - Mission-critical

19 10-19 Ingredients of a Continuity Plan
- Continuity plans have two steps:
  - The assumptions about the circumstances of the plan
    - Events that could change or affect those assumptions
  - The strategy for maintaining continuity, based on those assumptions

20 10-20 Ingredients of a Continuity Plan: Step 1: Assumption
- Derived from an understanding of the threats and the associated threat modeling
- Are dynamic since:
  - The threat picture changes constantly
  - The assumptions have to be periodically updated
- Should include the:
  - Timing
  - Extent of the threat
  - Areas of potential harm

21 10-21 Ingredients of a Continuity Plan: Step 2: Priorities and strategy
- Strategy adopted and the philosophy that drives continuity
- Must be understood and accepted throughout organization
- Must adopt and communicate a single common continuity approach
- Should originate from and align with the stated organization strategy and philosophy

22 10-22 Instituting the Business Continuity Management Process
- Management goal: keep critical systems operating and react to failures as soon as possible
- Management plan: protect the maximum number of assets with the highest degree of assurance
- Five questions to ensure that the plan has the right set of elements:
  - What are the critical business systems?
  - What is the business impact of each of these systems?
  - What risks are associated with each system?
  - What is the level of integrity required for each system?
  - What are the RTO and the RPO for each system?

23 10-23 Four Phases of the Business Continuity Planning Process
- Business continuity planning is best done in phases
- There are four phases:
  - Identify critical business functions
  - Establish Recovery Time Objectives
  - State the explicit work (SOW)
  - Ensure acceptance and understanding of the solution

24 10-24 Four Phases of the Business Continuity Planning Process
- Planning process

25 10-25 Phase 1: Identify the Critical Business Functions
- Function criticality is derived from a characterization of the explicit value of:
  - Products
  - Services, including supporting functions
  - Governance or administration factors
- Once these have been identified and evaluated they are assessed based on their overall contribution
- Volume and load factors – measures employed to describe the contribution

26 10-26 Phase 1: Identify the Critical Business Functions
- Matrix allows the organization to understand the relative contributions

27 10-27 Phase 1: Identify the Critical Business Functions
- Following classification characterizes the activities in the evaluation matrix:
  - Critical activities
  - Included activities
  - Non-essential activities
- Determining feasible alternatives
  - Whether there are other ways to perform a given operation
  - Whether it could be carried out by a similar set of tasks
- This determination must consider all redundancy provisions

28 10-28 Phase 1: Identify the Critical Business Functions
- Know that it is an ongoing effort
- Perform needs assessments on a continuous or regular basis because organizations change constantly
- Activities designated as "critical"
  - Must be addressed appropriately
  - It must be possible to validate them by direct observation

29 10-29 Phase 2: Set Recovery Time Objectives (RTO)
- Specified in the order of their criticality after considering redundancy and contract alternatives
- Assign a value describing how soon it must be operational
- An estimate of the resources required to achieve it
- Establish a mechanism to ensure the resources will be available
- Identify the internal and then any external resources and contractors
- Identify any potential shortfalls in either resources or capabilities
- Itemize and cross-reference shortfall areas to the RTO

30 10-30 Phase 3: Identify and Record Solution in a Statement of Work
- Statement of work:
  - Is a specification itemizing the steps to be taken to meet each RTO
  - Details the procedures followed to address foreseeable problems
  - Identifies areas of shortfall in personnel, work area, equipment, supplies, or service capability
  - Is a set of recommendations for how that shortfall will be addressed
  - Specifies the organization's assumptions about continuity
  - Provides clear guidance for each foreseeable contingency

31 10-31 Phase 4: Ensure Understanding
- Ensure that all participants in the process clearly understand their role and accountability
- Make appropriate parts of the plan available to each stakeholder
- Instill continuity concepts in active projects
- Bring the entire organization to the required level of capability
- All levels of management have to understand and support the process

32 10-32 Disaster Recovery Planning
- Disaster recovery planning or crisis management
  - Aspect of business continuity management that applies after a disaster
  - Focus on a narrower aspect of continuity
  - Identify every disaster contingency and offer a prescription that allows an effective response to each
  - Oriented toward restoring the technical operations with the aim of bringing an identified set of critical systems back to a desired level of operation

33 10-33 Timing and DRP
- Timing is important in the design of the disaster strategy and the implementation of the recovery plan
- Estimated time to return to normal operation at the damaged site must be significantly greater than the time it would take to migrate it
- A DRP requires understanding of the effect that the downtime has on business processes

34 10-34 Elements of Disaster Planning
- Disaster planning has:
  - Long-term perspective – effective disaster planning centers on anticipating disasters and ensuring the proper solution
    - Planning process assumptions are based on selecting the most likely disaster scenarios and regularly updating their probability
  - Short-term perspective – specify the steps taken if a particular disaster occurs
    - Anticipated events associated with a given scenario have to be clearly understood, laid out, and cross-referenced to the procedures

35 10-35 Elements of Disaster Planning: Types of Disasters
- Natural disasters
  - Localized or area floods
  - Tornadoes, hurricanes, or earthquakes
- Site disasters
  - Fire, water, and sewer emergencies
  - Gas leaks, chemical leaks or spills
  - Telephone or cable interruptions
  - Explosion or other building failures
- Civil disasters
  - Car, plane, or train crash
  - Civil disturbance

36 10-36 Elements of Disaster Planning
- A disaster recovery plan should be able to respond to all credible threats

37 10-37 Elements of Disaster Planning
- Three elements include:
  - Disaster impact description and classification
    - Requires understanding and describing of the threat implications
  - Response deployment and communication processes
    - Designates the right people to react in the case of a disaster
  - Escalation and reassessment procedures
    - Helpful if the situation turns out to be worse than anticipated

