06 - Business Continuity and Disaster Recovery

8/3/2019 06 - Business Continuity and Disaster Recovery

1/22

Business Continuity andBusiness Continuity andDisaster RecoveryDisaster Recovery

1


2/22

Learning ObjectivesLearning Objectives

1. Business recovery and DRP

2. Auditing business continuity

2


3/22

Business Continuity ProcessBusiness Continuity Process

A process designed to reduce the

organization's business risk arising from

an unexpected disruption of the criticalfunctions/operations (manual or

automated) necessary for the survival of

the organization

Responsibility of senior management

3


4/22

Consideration in BCPConsideration in BCP

y Those critical operations that are

necessary to the survival of the

organization

y The human/material resources supporting

them

4


5/22

Business Continuity ProcessBusiness Continuity Process

y A realistic objective is to ensure the survival of an

organization by establishing a culture that will

identify and manage those risks that could cause it

to suffer, such as :

Inability to maintain critical customer services

Damage to market share, image, reputation or

brand

Failure to protect the company assets, includingintellectual properties and personnel

Business control failure

Failure to meet legal or regulatory requirements

5


6/22

Besides the Plan for the ContinuityBesides the Plan for the Continuity

of Operations, the BCPI

ncludesof Operations, the BCPI

ncludes

y The DRP that is used to recover a facility

rendered inoperable, including relocating

operations into a new location

y The restoration plan that is used to

return operations to normality whetherin a restored or new facility

6


7/22

Purpose of BCP/DRPPurpose of BCP/DRP

y To enable a business to continue offering

critical services in the event of a

disruption and to survive a disastrousinterruption to their activities.

y

Rigorous planning and commitment ofresources is necessary to adequately plan

for such an event

7


8/22

Preparing a New BCPPreparing a New BCP

y The operations part of the BCP should address all

functions and assets required to continue as a

viable organization. The extent of provisioning for

alternate facilities that should be pursued isultimately a business decision based on risk

management.

y Focus is on the availability of the key businessprocesses to continue operations should any kind

of disruption arise.

8


9/22

IS BCP/DRPIS BCP/DRP

y A major component of an organization's overall

business continuity and disaster recovery strategy

y Therefore, there should be a ready-to-start

reserved facility to support these operations in

case of a disruption if the business cannot function

without ongoing information processing

y If it is a separate plan, the IS plan must be

consistent with and support the corporate BCP

9


10/22

IS BCP/DRPIS BCP/DRP

y Identifies what the business will do in the

event of a disaster

y For example :

Where will employees report to work

How will orders be taken while the

computer system is being restoredWhich vendors should be called to provide

needed supplies

10


11/22

IT DRPIT DRPy A subcomponent ofIS BCP

y This typically details the process IT personnel will use to

restore the computer systems

y Based upon the results of the risk analysis, management may

not see a tangible cost benefit for restoring certain

applications in the event of a disaster

y The quality ofIS elements is essential for IS disaster

recovery, and it is therefore recommended that the

organization has an information security management system

(ISMS) implemented to maintain the integrity, confidentiality

and availability ofIS

11


12/22

Disaster and Other DisruptivenessDisaster and Other Disruptiveness

y Disasters are disruptions that cause critical

information resources to be inoperative for a

period of time, adversely impacting organizational

operations

y The disruption could be a few minutes to several

months, depending on the extent of damage to the

information resource

y Most important, disasters require recovery efforts

to restore operational status.

12


13/22

Cause of DisasterCause of Disaster

y By natural calamity

Including expected services are no

longer supplied to the company due to anatural disaster or other cause

y By events precipitated by human beings

13


14/22

Other DisruptivenessOther Disruptiveness

y System malfunctions

y Accidental file deletions

y Network denial of service (DoS) attacks,

y Intrusions

y Viruses

14


15/22

A Good BCP for Disaster andA Good BCP for Disaster and

Other DisruptivenessOther Disruptivenessy Take into account all types of events impacting critical IS processing

facilities and end users' normal organizational operation functions

y For worst-case scenarios, short-term and long-term fallback

strategies are required

y For the short term, an alternate processing facility may be needed

to satisfy immediate operational needs, as in the case of a major

natural disaster

y In the long term, a new permanent facility must be identified for

disaster recovery and equipped to provide for continuation ofIS

processing services on a regular basis

15


16/22

BCP Process LifeBCP Process Life--Cycle PhasesCycle Phases

y Creation of a business continuity policy

y Business impact analysis

y Classification of operations and criticality analysis

y Identification ofIS processes that support critical organizational

functions

y Development of a BCP and IS disaster recovery procedures

y Development of resumption procedures

y Training and awareness program

y Testing and implementation of plan

y Monitoring 16


17/22

Recovery Point Objective and Recovery Time ObjectiveRecovery Point Objective and Recovery Time Objective

y

The RPO is determined based on the acceptable data loss in caseof disruption of operations

y It indicates the earliest point in time in which it is acceptable to

recover the data

y For example, if the process can afford to lose the data up to four

hours before disaster, then the latest backup available should be up

to four hours before disaster or interruption, and the transactions

during RPO and interruption need to be entered after recovery

(known as catch-up data.)

y The RTO is determined based on the acceptable downtime in case

of a disruption of operations. It indicates the earliest point in time

at which the business operations must resume after disaster

17


18/22

Relationship Between RTO and RPORelationship Between RTO and RPO

18


19/22

RPO & RTORPO & RTO

y Both of these concepts are based on time parameters. The

lower the time requirements, the higher the cost of recovery

strategies, i.e., if the RPO is in minutes (lowest possible

acceptable data loss), then data mirroring or duplexing

should be implemented as the recovery strategy.

y If the RTO is lower, then the alternate site might be

preferred over a hot-site contract.

y Also, the lower the RTO, the lower the disaster tolerance.

Disaster tolerance is the time gap within which the business

can accept the nonavailability ofIT critical services.

19


20/22

Auditing Business ContinuityAuditing Business Continuity

y Understanding and evaluating business continuity

strategy and its connection to business objectives

y

Reviewing the BIA to ensure that it reflects currentbusiness practices and known threats

y Evaluating the BCPs to determine their adequacy

and currency, by reviewing the plans and comparingthem to appropriate standards and/or government

regulations including the RTO, RPO etc., defined by

the BIA

20


21/22


y Verifying that the BCPs are effective, by reviewing the

results from previous tests performed by IS and end-

user personnel

y Evaluating offsite storage to ensure its adequacy, by

inspecting the facility and reviewing its contents and

security and environmental controls

y Verifying the arrangements for transporting backupmedia to ensure that they meet the appropriate

security requirements

21


22/22


y Evaluating the ability ofIS and user personnel to respond

effectively in emergency situations, by reviewing emergency

procedures, employee training and results of their tests and

drills

y Ensuring that the process of maintaining plans is in place and

effective and covers both periodic and unscheduled revisions

y Evaluating whether the business continuity manuals and

procedures are written in a simple and easy to understand

manner. This can be achieved through interviews and

determining whether all the stakeholders understand their

roles and responsibilities with respect to business continuity

strategies.22

06 - Business Continuity and Disaster Recovery

Documents

Transcript of 06 - Business Continuity and Disaster Recovery