1. Dr. Gerry Firmansyah CID 610 - Business Continuity and Disaster Recovery Planning for IT (W-I)

2. Business Continuity and Disaster Recovery Overview Business continuity and disaster recovery defined Components of business The cost of planning versus the cost of failure Types of disasters to consider Business continuity and disaster recovery planning basics

3. Legal and Regulatory Obligations Regarding Data and Information Security Impact of recent history Sources of legal obligations Scope of legal obligations Definitive legal standard Responsibility for compliance Required elements of a written information security plan

4. Project Initiation Elements of project success Project plan components Key contributors and responsibilities Project definition Business continuity and disaster recovery plan

5. Risk Assessment Risk management basics Risk assessment components Threat assessment methodology Vulnerability assessment

6. Business Impact Analysis Business impact analysis overview Understanding impact criticality Identifying business functions and processes Gathering data for the business impact analysis Determining the impact Business impact analysis data points Preparing the business impact analysis report

7. Risk Mitigation Strategy Development Types of risk mitigation strategies Risk mitigation process IT risk mitigation Backup and recovery considerations

8. Business Continuity/Disaster Recovery Plan Development Phases of business continuity and disaster recovery Defining BC/DR teams and key personnel Defining tasks and assigning resources Communications plans Event logs, change control, and appendices

9. Emergency Response and Recovery Emergency management overview Emergency response plans Crisis management Disaster recovery IT recovery Business continuity

10. Training, Testing, and Auditing Training for emergency response, disaster recovery, and business continuity Testing your business continuity and disaster recovery plan Performing IT systems audits

11. BC/DR Plan Maintenance BC/DR change management Strategies for managing change BC/DR plan audit Plan maintenance activities Project close out

12. Threat and Vulnerability Assessment ❖ 1. Identify all natural threats. ❖ 2. Identify all man-made threats. ❖ 3. Identify all IT and technology-based threats. ❖ 4. Identify all environmental/infrastructure threats. ❖ 5. For each threat, identify threat sources. ❖ 6. For each threat source, identify the likelihood of occurrence. ❖ 7. Based on likelihood of occurrence, assess company’s vulnerability to each threat ❖ source. ❖ 8. Based on likelihood and vulnerability, prioritize list of threats to company.

13. Business Impact Analysis ❖ 1. Based on prioritized list of threats, assess impact of each threat on business operations. ❖ 2. Based on threats, perform upstream and downstream loss analysis. ❖ 3. Prioritize business functions into mission-critical, important, minor (you can customize categories to suit your needs). ❖ 4. For each mission-critical business function, assess the impact of the loss of this function. ❖ 5. For each mission-critical business function, assess the impact of various threats to this function. ❖ 6. Develop a prioritized list of mission-critical business functions with the highest business impact. ❖ 7. For the highest priority functions, identify the recovery time requirements including maximum tolerable downtime (MTD).

14. Mitigation Strategies ❖ 1. For each mission-critical function, identify risk mitigation strategies for considerationincluding risk acceptance, avoidance, transference, and limitation. ❖ 2. For each mission-critical function, identify the recovery requirements and potentialrecovery options. ❖ 3. For each recovery option considered, identify the time, cost/capability, feasibility,service level requirements, and existing controls in place. ❖ 4. For each mission-critical option, select the optimal risk mitigation strategy. ❖ 5. For IT systems, identify mission-critical IT systems, equipment, and data. ❖ 6. For each mission-critical IT component, identify risk mitigation strategies. ❖ 7. For each risk mitigation strategy selected, develop implementation plan.