ISA 400 Management of Information Security
Week #5: Business Continuity and Disaster Recovery. Philip Robbins, April 11, 2015. Information Security & Assurance Program, University of Hawai'i West Oahu.
Management of Information Security
Week #5 Topics: Domain #5, Business Continuity and Disaster Recovery; Quiz #5; Assignment #5.
CISSP Exam Objectives. The BC & DR domain addresses the preservation of the business in the face of major disruptions to normal business operations. It is heavily covered on the CISSP examination (the lecturer's estimate is that roughly half of all questions touch it). It is the driest (but can be rather interesting) material you will come across in your studies. Biggest tip: be sure to read the BC/DR section of the Mike Meyers "Passport" book before taking the exam.
Business Continuity and Disaster Recovery
Business Continuity and Disaster Recovery
What is an Incident Response Plan (IRP) vs. Cyber Incident Response vs. Disaster Recovery Plan (DRP) vs. Emergency Response Plan (ERP) vs. Backup Plan (BP) vs. Business Recovery Plan (BRP) vs. Business Impact Analysis (BIA) vs. Business Continuity Plan (BCP) vs. Continuity of Operations Plan (COOP) vs. Contingency Plan vs. Crisis Management Plan?
Business Impact Assessment (BIA)
Determines the risks, and the impacts, that would result from threats exploiting vulnerabilities in information systems. A BIA helps determine the criticality and sensitivity of essential functions, processes, systems, and information. It identifies business functions, the organization's capability to handle outages, the priority in which business functions are to be recovered, and the resources required for recovery. It provides the basis for the levels and types of protection required.
Developing a Business Impact Assessment (BIA)
(Figure: the Identify, Assess, Mitigate cycle.)
Developing a Business Impact Assessment (BIA)
BIA Steps:
1. Develop an interview list (identify stakeholders).
2. Decide on data gathering techniques.
3. Identify critical business functions and resources.
4. Calculate the Maximum Tolerable Downtime (MTD) of each.
5. Document and report findings to management.
Business Impact Assessment (BIA) Metrics
Recovery Time Objective (RTO): the amount of time allowed for the recovery of a business function or resource after a disaster occurs (the system is back, but the business process is not yet running).
Recovery Point Objective (RPO): the point in time, prior to the outage, to which data must be restored, that is, the last point of known good data. It bounds the tolerable data loss and therefore dictates how often data must be backed up or replicated.
Work Recovery Time (WRT): the time required, once the system is recovered, to verify data, reconfigure, and resume the business process.
Minimum Operating Requirements (MOR): the minimum environmental support and connectivity required to operate.
Business Impact Assessment (BIA) Metrics
Mean Time Between Failures (MTBF): the expected operating time of a new or repaired component before it fails.
Mean Time To Repair (MTTR): the expected time to repair a failed component or recover a failed system.
Maximum Tolerable Downtime (MTD), aka Maximum Allowable Downtime (MAD), aka Maximum Acceptable Outage (MAO): the maximum length of time a business function can be unavailable without causing irreparable harm to the business.
Business Impact Assessment (BIA) Metrics
Maximum Tolerable Downtime (MTD)
MTD = RTO + WRT (Recovery Time Objective + Work Recovery Time)
Criticality tiers by MTD:
Nonessential: days
Normal: days
Important: hours
Urgent: hours
Critical: minutes to hours
Processes and applications are identified as time-critical if their MTD is around 72 hours or less.
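The relationships above (MTD = RTO + WRT, RPO bounding the backup interval, MTBF/MTTR giving availability, the 72-hour time-critical threshold) are the checks a reviewer runs over a BIA spreadsheet. The following is an added example, not code from the lecture or its sources: it encodes those checks and runs them over three constructed BIA rows. The dataclass fields, the function names, and the sample numbers are assumptions made for illustration; all values are in hours.

```python
"""Consistency checks on BIA metrics (added example; not from the slides).

All times are in hours. The sample rows at the bottom are constructed.
"""
from dataclasses import dataclass

TIME_CRITICAL_MTD_HOURS = 72  # from the slide: MTD around 72 hours or less


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    mtd: float              # Maximum Tolerable Downtime (aka MAD / MAO)
    rto: float              # Recovery Time Objective: time to get the system back
    wrt: float              # Work Recovery Time: verify data, resume the process
    rpo: float              # Recovery Point Objective: tolerable data loss
    backup_interval: float  # how often data is actually captured (assumed field)


def recovery_time(func: BusinessFunction) -> float:
    """The slide's formula: the MTD must cover RTO + WRT."""
    return func.rto + func.wrt


def is_time_critical(func: BusinessFunction) -> bool:
    """Time-critical functions get the most attention in the plan."""
    return func.mtd <= TIME_CRITICAL_MTD_HOURS


def findings(func: BusinessFunction) -> list[str]:
    """Gaps between what the business tolerates and what the recovery
    strategy delivers. An empty list means the strategy fits the BIA."""
    out = []
    if recovery_time(func) > func.mtd:
        out.append("RTO + WRT exceeds MTD")
    # Data captured every N hours can lose up to N hours of work, so the
    # capture interval must not be longer than the RPO.
    if func.backup_interval > func.rpo:
        out.append("backup interval exceeds RPO")
    return out


def audit(funcs) -> dict[str, list[str]]:
    """Run the checks over every BIA row, keyed by function name."""
    return {f.name: findings(f) for f in funcs}


def availability(mtbf: float, mttr: float) -> float:
    """Steady-state availability of one component from MTBF and MTTR."""
    return mtbf / (mtbf + mttr)


# Constructed sample BIA rows (not real data).
SAMPLE = [
    BusinessFunction("payroll", mtd=168, rto=24, wrt=8, rpo=24, backup_interval=24),
    BusinessFunction("order-entry", mtd=8, rto=4, wrt=2, rpo=1, backup_interval=24),
    BusinessFunction("web-store", mtd=4, rto=6, wrt=1, rpo=0.25, backup_interval=0.25),
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE).items():
        print(f"{name}: {gaps or 'ok'}")
```

Run over the sample rows, payroll passes, order-entry is backed up too rarely for its one-hour RPO, and web-store has a recovery strategy that cannot meet its MTD; the last two are also time-critical by the slide's 72-hour rule and so would be the first items raised with management.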
Business Continuity Planning (BCP)
The BCP is a business's last line of defense. When all other controls have failed, the BCP and DRP may prevent injury, loss of life, and a disaster (natural or man-made) from destroying the business.
Why plan for continuity:
The most important and immediate reason is always to ensure the safety of employees and others (top priority).
Compliance with legislative requirements, industry standards, and guidelines.
Good business practice (due diligence and due care).
Financial and moral obligations.
Business Continuity Planning (BCP) Goals
The BCP focuses on the whole business. The goal of a BCP is to allow the business to continue before, throughout, and after a disaster event is experienced.
Other objectives:
Identify risks to time-critical business processes and functions.
Create policies, procedures, and processes to help mitigate those risks.
Include the Disaster Recovery Plan (DRP) for the continuity of operations.
BCP vs. IT Disaster Recovery
Deals with BUSINESS requirements, not IT requirements.
WHAT, not HOW: what is done, not how it is done.
WHEN, not IF: a disruption is only a matter of time.
The BCP focuses on maintaining business functionality and goes beyond surviving a network failure or disk crash.
BCPs address:
Fire, flood, bomb threats and incidents.
Extensive power outages.
Loss of critical staff.
BCP "Time Boxing": BCPs are only needed for those functions that may be needed during the estimated duration (time-box) of the emergency. For example, if a system can survive a downtime of 2 weeks, and the business is only providing contingencies for events lasting 2 weeks or less, then the BCP would not need to address that system.
Business Continuity Planning (BCP) Phases
Pre-Incident Planning: Business Impact Analysis; vulnerability and dependency analysis; alternate site plans; security plans; emergency management plans.
Incident Management: immediate actions (during the incident).
Post-Incident: business resumption; recovery, restoration, and reconstitution.
COOP Definition: Continuity of Operations (COOP) Plan
Government (Federal and DoD) term for BCP, with less distinction between IT disaster recovery and business continuity. The COOP plan documents and ensures the capability to continue essential department/agency (D/A) functions during a wide range of potential emergencies, at an alternate site, for at least 30 days.
COOP Planning Objectives
1. Ensure that a D/A can perform its Mission Essential Functions (MEFs) under all conditions.
2. Reduce the loss of life and minimize property damage and loss.
3. Delegate authorities in the event of disruption to D/A operations; establish the chain of command.
4. Reduce or mitigate disruptions to D/A operations.
5. Ensure facilities (alternate sites) where the D/A can continue to perform its MEFs during a continuity event.
6. Protect personnel, essential facilities, equipment, records, and any other D/A assets of value.
7. Achieve timely and orderly recovery and reconstitution from an emergency.
8. Ensure continuity readiness through continuity testing, training, and exercises (TT&E).
COOP Requirements
Can be implemented without warning.
Operational within 12 hours after activation, or as required.
Capable of sustained operation for up to 30 days, or as needed.
Includes regular testing and training.
Includes risk analysis of alternate site(s).
Alternate sites located to maximize operations.
Alternate sites located in different infrastructure areas if possible.
Maximize use of existing field locations and other working alternatives.
Consider the distance of alternate sites from other threats.
Use multi-year plans for COOP.
29
NIST SP 29
30
NIST SP 30
31
NIST SP 31
32
NIST SP 800-34 Planning Process
32
NIST SP 800-53 Rev 3: Security Controls (figure slides)
Disaster Recovery Planning (DRP)
What is a disaster? A disaster is any incident that results in the loss of support for time-critical business processes for longer than the predetermined Recovery Time Objective (RTO). If the BCP/COOP fails to continue or restore those time-critical business processes and functions, the DRP takes over. The DRP is a subset of the overall BCP/COOP. The DRP focuses on:
Infrastructure and resources.
Immediate response to disasters.
Minimizing decision making during a disaster (the decisions are made in advance, in the plan).
Disaster Events, Types, & Sources
Human error.
Natural disasters.
Electrical failures and fires.
Temperature and humidity failures (environmental).
Warfare, terrorism, sabotage.
Personnel shortages.
Pandemics and disease.
Strikes.
Communication failures.
Alternate Sites
Alternate facilities should provide or have:
Capability to perform essential functions.
Sufficient space and equipment to sustain the relocating organization.
Interoperable communications with all identified essential internal and external organizations, critical customers, and the public.
Reliable logistical support, services, and infrastructure systems, including water, electrical power, heating and air conditioning, etc.
Ability to sustain operations for a period of at least 30 days.
Appropriate physical security and access controls.
Alternate Sites
Cold site (recovery time: 1-2 weeks): adequate space and infrastructure to support IT systems, but no equipment.
Warm site (recovery time: about 2 days / 48 hours): partially equipped office space that includes some or all of the system hardware, software, and power sources; maintained in an operational status, ready to receive the relocated system.
Hot site (recovery time: minutes to hours): fully configured site, typically staffed 24/7.
(The slide labels these figures "MTD"; they are the recovery times each site type can deliver, so a site fits a business function only if that recovery time, plus WRT, is within the function's MTD.)
Also: multiple sites, mobile sites, virtual business partners, etc.
Alternate Sites: Federal Continuity Directives 1 and 2 require all D/As to designate an alternate operating facility as part of their COOP.
Minimum safe site distance: 5 miles.
Low to medium critical site minimum distance: 15 miles.
Maximum protection of critical components: 50 to 200 miles.
Applying High Availability to Disaster Recovery
Recovery strategies arranged by the disaster recovery time they can achieve. Cost (network, host, disk, application, tape) rises as the recovery time shrinks; the $ scale below is as read from the slide, whose cell alignment was lost in extraction:
Standard recovery (tape backup and restore): 72 hours. Cost: net $, tape $.
Electronic vaulting (database, file, or object backup): 48 hours. Cost: net $, host $, disk $, tape $.
Electronic journaling: 24 hours. Cost: net $-$$+, host $$+, disk $$$$+.
Shadowing (log/journal transfer, continuous or periodic): 12 hours. Cost: net $$$+, host $$+, disk $$$$+.
Mirroring (database, file, or object replication) with hot standby or load balancing: minutes. Assumes mirroring or shadowing plus a complete application environment. Cost: net $$$+, host $$$+, disk $$$$+, application $+.
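The practical use of the two tables above (site types and data-recovery strategies, each with a recovery time and a cost scale) is to pick, for each business function, the cheapest option that still restores within the function's RTO. The following is an added example, not code from the lecture: it encodes the slide's recovery times and selects the cheapest fitting site and strategy. The cost ranks (1 = cheapest) follow the slide's $-scale ordering and are an assumption, as is the 0.25-hour figure used for "minutes" and the 2-week figure used for a cold site.

```python
"""Cheapest recovery option meeting an RTO (added example; not from the slides).

Times are in hours. Cost ranks are assumed from the slide's $ scale.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Option:
    name: str
    recovery_hours: float  # time the option needs to restore service
    cost_rank: int         # 1 = cheapest (assumed ordering)


# Data-recovery strategies from the slide. "Minutes" is taken as 0.25 h.
STRATEGIES = (
    Option("standard recovery (tape)", 72, 1),
    Option("electronic vaulting", 48, 2),
    Option("electronic journaling", 24, 3),
    Option("shadowing (log/journal transfer)", 12, 4),
    Option("mirroring / hot standby", 0.25, 5),
)

# Alternate-site types from the slide; cold site taken at its 2-week upper bound.
SITES = (
    Option("cold site", 14 * 24, 1),
    Option("warm site", 48, 2),
    Option("hot site", 0.25, 3),
)


def cheapest_meeting(options, rto: float) -> Optional[Option]:
    """Cheapest option whose recovery time is within the RTO, or None if
    no listed option is fast enough (the RTO or the menu must change)."""
    fits = [o for o in options if o.recovery_hours <= rto]
    return min(fits, key=lambda o: o.cost_rank) if fits else None


def plan(rto: float) -> dict:
    """Site and data-recovery strategy for one function; both must restore
    within the RTO, which is itself bounded by MTD - WRT."""
    return {
        "site": cheapest_meeting(SITES, rto),
        "strategy": cheapest_meeting(STRATEGIES, rto),
    }


def rto_fits_mtd(rto: float, wrt: float, mtd: float) -> bool:
    """The slide's MTD = RTO + WRT: an RTO is only usable if it leaves room
    for the work recovery time inside the MTD."""
    return rto + wrt <= mtd


if __name__ == "__main__":
    for rto in (200, 36, 0.1):  # constructed RTOs
        p = plan(rto)
        print(rto, p["site"] and p["site"].name, p["strategy"] and p["strategy"].name)
```

Note that an RTO of 36 hours already forces a hot site on the slide's figures, because a warm site needs 48 hours; the data strategy, by contrast, only needs electronic journaling. That split, a site tier higher than the data tier, is the normal outcome, and it is why the two decisions are made separately in the recovery-strategy step.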
Developing a BCP/DRP: remember there are 7 milestones (the NIST SP 800-34 contingency planning process):
1. Develop the contingency planning policy statement.
2. Conduct the BIA.
3. Identify preventive controls.
4. Develop recovery strategies.
5. Develop an IT contingency plan.
6. Plan testing, training, and exercises.
7. Plan maintenance.
Developing a BCP/DRP: a timeline for developing a BCP/DRP:
Notification (1 month): must be able to reach people who can and will respond.
Vital records backup and recovery (6 months).
Business Impact Assessment (6 months).
Strategy development (6-9 months): identify strategies for recovery, cost-benefit analysis, approval.
Alternate site selection (9-12 months).
Contingency plan development (12 months).
Testing, plan maintenance, auditing (ongoing).
Potential Loss Categories
Types of losses due to a lack of continuity planning:
Financial risk: how much revenue and money the corporation stands to lose. Bankruptcy?
Reputational (embarrassment, loss of confidence): how badly the corporation will be perceived by its customers and its shareholders.
Regulatory: fines or penalties incurred and lawsuits filed against it.
Benefits to Continuity Planning
Types of benefits from continuity planning:
The analysis may identify potential efficiencies and cost savings.
Advantages created over competitors.
New business opportunities.
Reduced insurance rates.
Profits.
Senior Leadership Support
Senior management commitment is a must; without it, the plan will fail.
Top-down approach: senior management sets clear direction and goals.
Leadership is tasked with growing the business and protecting the brand (disaster recovery).
Continuity planning requires cooperation at all levels.
Leadership establishes the budget and approves funding.
Policies are established by leadership based on requirements and responsibilities.
Leadership provides final approval of the plan.
BCP/DRP Common Mistakes
Lack of management support.
Lack of involvement.
Improper scope.
Inadequate communications.
Plan is incomplete (remains in draft, unapproved).
Lack of awareness and training. Culture: do employees even know where to locate the BCP?
Lack of testing.
Failure to keep the plan up to date.
No independent evaluation and improvement.
Checklists / Tools (figure slides)
FEMA COOP Template (figure slides)
Review Questions Question #1
Maximum tolerable downtime (MTD) is also known as what?
a. Maximum allowable downtime.
b. Mean time between failures (MTBF).
c. Mean time to repair (MTTR).
d. Recovery Time Objective (RTO).
Review Questions Question #2
What is the primary goal of disaster recovery planning?
a. Integrity of data.
b. Preservation of business capital.
c. Restoration of business processes.
d. Safety of personnel.
Review Questions Question #3
What plan is designed to provide effective coordination among the managers of an organization in the event of an emergency or disruptive event?
a. Continuity of Support Plan.
b. Business Impact Assessment.
c. Crisis Management Plan.
d. Plan B.
Review Questions Question #4
Which plan details the steps required to restore normal business operations after recovering from a disruptive event?
a. Business Continuity Planning (BCP).
b. Business Recovery Planning (BRP).
c. Continuity of Operations Planning (COOP).
d. Disaster Recovery Planning (DRP).
Review Questions Question #5
What is one of the first steps in developing a business continuity plan?
a. Identify a backup solution.
b. Decide whether the company needs to perform a walk-through, parallel, or simulation test.
c. Perform a business impact analysis.
d. Develop a business resumption plan.
Review Questions Question #6
How often should a business continuity plan be tested?
a. At least every ten years.
b. Only when the infrastructure or environment changes.
c. At least every two years.
d. Whenever there are significant changes in the organization.
Review Questions Question #7
During a test recovery procedure, one important step is to maintain records of important events that happen during the procedure. What other step is just as important?
a. Schedule another test to address issues that took place during that procedure.
b. Make sure someone is prepared to talk to the media with the appropriate responses.
c. Report the events to management.
d. Identify essential business functions.
Review Questions Question #8
The purpose of initiating emergency actions right after a disaster takes place is to prevent loss of life and injuries, and to ____________________?
a. Secure the area to ensure that no looting takes place.
b. Mitigate further damage.
c. Protect evidence and clues.
d. Investigate the extent of the damage.
Review Questions Question #9
Which best describes a hot-site versus a warm- or cold-site facility?
a. A site that has disk drives, controllers, and tape drives.
b. A site that has all necessary PCs, servers, and telecommunications.
c. A site that has wiring, central air, and raised flooring.
d. A mobile site that can be brought to the company's parking lot.
Review Questions Question #10
Which areas of a company are recovery plans recommended for?
a. The most important operational and financial areas.
b. The areas that house critical systems.
c. All areas.
d. The areas that the company cannot survive without.
Review Questions Question #11
What is the most crucial piece of developing a BCP?
a. BIA.
b. Implementation, testing, and following through.
c. Participation from each and every department.
d. Management support.
Review Questions Question #12
When is the emergency actually over for a company?
a. When all people are safe and accounted for.
b. When all operations and people are moved back into the primary site.
c. When operations are safely moved to the offsite facility.
d. When a civil official declares that all is safe.
Review Questions Question #13 (last one)
Which of the following best describes what a DRP should contain?
a. Hardware, software, people, emergency procedures, recovery procedures.
b. People, hardware, offsite facility.
c. Software, media interaction, people, hardware, management issues.
d. Resources, emergency procedures, identified risk.
Quiz #4: short answer, closed book, closed computer, no cell phones, open notes.
Questions? probbins@hawaii.edu, www2.hawaii.edu/~probbins