Business Continuity Disaster Recovery Planning Ppt Presentations

Business Continuity and Disaster Recovery Planning

Presentation Transcript

  1. Business Continuity and Disaster Recovery Planning (CISSP Guide to Security Essentials, Chapter 4)

  2. Objectives
  • Running a business continuity and disaster recovery planning project
  • Developing business continuity and disaster recovery plans
  • Testing business continuity and disaster recovery plans

  3. Objectives (cont.)
  • Training users
  • Maintaining business continuity and disaster recovery plans

  4. What Is a Disaster
  • Any natural or man-made event that disrupts the operations of a business in such a significant way that a considerable and coordinated effort is required to achieve a recovery.

  5. Natural Disasters
  • Geological: earthquakes, volcanoes, lahars, tsunamis, landslides, and sinkholes
  • Meteorological: hurricanes, tornadoes, wind storms, hail, ice storms, snow storms, rainstorms, and lightning

  6. Natural Disasters (cont.)
  • Other: avalanches, fires, floods, meteors and meteorites, and solar storms
  • Health: widespread illnesses, quarantines, and pandemics

  7. Man-made Disasters
  • Labor: strikes, walkouts, and slow-downs that disrupt services and supplies
  • Social-political: war, terrorism, sabotage, vandalism, civil unrest, protests, demonstrations, cyber attacks, and blockades

  8. Man-made Disasters (cont.)
  • Materials: fires, hazardous materials spills
  • Utilities: power failures, communications outages, water supply shortages, fuel shortages, and radioactive fallout from power plant accidents

  9. How Disasters Affect Businesses
  • Direct damage to facilities and equipment
  • Transportation infrastructure damage
  • Delays to deliveries, supplies, and employees getting to work
  • Communications outages
  • Utilities outages

  10. How BCP and DRP Support Security
  • Security pillars: C-I-A
    • Confidentiality
    • Integrity
    • Availability
  • BCP and DRP directly support availability

  11. BCP and DRP Differences and Similarities
  • BCP
    • Activities required to ensure the continuation of critical business processes in an organization
    • Alternate personnel, equipment, and facilities
  • DRP
    • Assessment, salvage, repair, and eventual restoration of damaged facilities and systems

  12. Industry Standards Supporting BCP and DRP
  • ISO 17799: Code of Practice for Information Security Management. Section 14 addresses business continuity management.
  • BS 25999: Code of Practice for Business Continuity Management.

  13. Industry Standards Supporting BCP and DRP (cont.)
  • NIST 800-34: Contingency Planning Guide for Information Technology Systems. Seven-step process for BCP and DRP projects.
  • NFPA 1600: Standard on Disaster / Emergency Management and Business Continuity Programs.

  14. Industry Standards Supporting BCP and DRP (cont.)
  • NFPA 1620: The Recommended Practice for Pre-Incident Planning.
  • HIPAA: Requires a documented and tested disaster recovery plan.

  15. Benefits of BCP and DRP Planning
  • Reduced risk
  • Process improvements
  • Improved organizational maturity
  • Improved availability and reliability
  • Marketplace advantage

  16. The Role of Prevention
  • Not prevention of the disaster itself, but prevention of surprise and a disorganized response

  17. The Role of Prevention (cont.)
  • Reduction in the impact of a disaster
    • Better equipment bracing
    • Better fire detection and suppression
    • Contingency plans that provide [near] continuous operation of critical business processes
  • Prevention of extended periods of downtime

  18. Running a BCP / DRP Project
  • Pre-project activities
  • Perform a Business Impact Assessment (BIA)
  • Develop resumption and recovery plans
  • Test resumption and recovery plans

  19. Pre-project Activities
  • Obtain executive support
  • Formally define the scope of the project
  • Choose project team members
  • Develop a project plan
  • Develop a project charter

  20. Performing a Business Impact Assessment
  • Survey critical processes
  • Perform threat and risk analyses
  • Develop key metrics
    • Maximum tolerable downtime, recovery time objective, recovery point objective

  21. Performing a Business Impact Assessment (cont.)
  • Develop impact statements
  • Perform criticality analysis

  22. Survey In-scope Business Processes
  • Develop an interview / intake template
  • Interview a representative from each department
  • Identify all important processes
  • Identify dependencies on systems, people, and equipment
  • Collate data into a database or spreadsheets
  • Gives a big-picture, all-company view

  23. Threat and Risk Analysis
  • Identify threats, vulnerabilities, and risks for each key process
  • Rank according to probability, impact, and cost
  • Identify mitigating controls

  24. Determine Maximum Tolerable Downtime (MTD)
  • For each business process, identify the maximum time that it can be inoperative before significant damage results or long-term viability is threatened
  • Probably an educated guess for many processes

  25. Determine Maximum Tolerable Downtime (cont.)
  • Obtain senior management input to validate the data
  • Publish into the same database / spreadsheet listing all business processes

  26. Develop Statements of Impact
  • For each process, describe the impact on the rest of the organization if the process is incapacitated

  27. Develop Statements of Impact (cont.)
  • Examples
    • Inability to process payments
    • Inability to produce invoices
    • Inability to access customer data for support purposes

  28. Record Other Key Metrics
  • Examples
    • Cost to operate the process
    • Cost of process downtime
    • Profit derived from the process
  • Useful for the upcoming criticality analysis

  29. Ascertain Current Continuity and Recovery Capabilities
  • For each business process
    • Identify documented continuity capabilities
    • Identify documented recovery capabilities
    • Identify undocumented capabilities
  • What if the disaster happened tomorrow?

  30. Develop Key Recovery Targets
  • Recovery time objective (RTO)
    • Period of time from disaster onset to resumption of the business process
  • Recovery point objective (RPO)
    • Maximum period of data loss, counting backwards from the onset of the disaster

  31. Develop Key Recovery Targets (cont.)
  • Obtain senior management buy-off on RTO and RPO
  • Publish into the same database / spreadsheet listing all business processes

  32. Sample Recovery Time Objectives

  33. Sample Recovery Time Objectives (cont.)

  34. Criticality Analysis
  • Rank processes by criticality criteria
    • MTD (maximum tolerable downtime)
    • RTO (recovery time objective)
    • RPO (recovery point objective)
    • Cost of downtime or other metrics
    • Qualitative criteria: reputation, market share, goodwill
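The BIA slides above (MTD, RTO, RPO, cost of downtime, current capabilities, criticality ranking) describe a small database that is usually kept in a spreadsheet. The following is an added example, not code from the CISSP Guide or the slide deck, that models one row per business process, ranks the rows by the criteria on slide 34, and flags two consistency problems a planner should catch before writing plans: an RTO that is longer than the MTD (the plan cannot meet the business need even if it hits its own target) and a backup interval that is longer than the RPO (the recorded capability already guarantees more data loss than the target allows). The process names, hours and cost figures are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessProcess:
    """One row of the BIA database: a process and its recovery metrics."""
    name: str
    mtd_hours: float               # maximum tolerable downtime (slide 24)
    rto_hours: float               # recovery time objective (slide 30)
    rpo_hours: float               # recovery point objective (slide 30)
    downtime_cost_per_hour: float  # cost of process downtime (slide 28)
    backup_interval_hours: float   # how often data is captured today (slide 29)


# Constructed sample data; hypothetical figures, not from the CISSP Guide.
PROCESSES = [
    BusinessProcess("Payment processing", 4, 2, 0.25, 50_000, 0.25),
    BusinessProcess("Invoicing", 48, 24, 4, 5_000, 24),
    BusinessProcess("Customer support portal", 24, 36, 8, 8_000, 8),
    BusinessProcess("Internal wiki", 168, 72, 24, 200, 24),
]


def find_gaps(processes):
    """Return (process name, problem) pairs where targets cannot be met as recorded."""
    gaps = []
    for p in processes:
        # Recovering after the MTD fails the business even if the RTO is met.
        if p.rto_hours > p.mtd_hours:
            gaps.append((p.name, "RTO exceeds MTD"))
        # Backing up less often than the RPO guarantees more loss than allowed.
        if p.backup_interval_hours > p.rpo_hours:
            gaps.append((p.name, "backup interval exceeds RPO"))
    return gaps


def worst_case_loss(p):
    """Cost of an outage that runs for the full MTD: a simple quantitative criterion."""
    return p.mtd_hours * p.downtime_cost_per_hour


def rank_by_criticality(processes):
    """Most critical first: shortest MTD, then tightest RTO, then highest downtime cost."""
    return sorted(
        processes,
        key=lambda p: (p.mtd_hours, p.rto_hours, -p.downtime_cost_per_hour),
    )


def report(processes):
    """Build the ranked table as text so it can be pasted into the BIA spreadsheet."""
    lines = [f"{'Process':<25} {'MTD':>6} {'RTO':>6} {'RPO':>6} {'MTD loss':>10}"]
    for p in rank_by_criticality(processes):
        lines.append(
            f"{p.name:<25} {p.mtd_hours:>6} {p.rto_hours:>6} "
            f"{p.rpo_hours:>6} {worst_case_loss(p):>10,.0f}"
        )
    for name, problem in find_gaps(processes):
        lines.append(f"GAP: {name}: {problem}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(PROCESSES))
```

On the sample data the ranking puts payment processing first and the internal wiki last, and the two gap lines show where a continuity plan (slide 36, "must meet RTO, RPO objectives") would fail before it is even written: the support portal's RTO has to be shortened or its MTD renegotiated with senior management, and invoicing needs backups at least every four hours to honour its RPO.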

  35. Improve System and Process Resilience
  • For the most critical processes (based upon ranking in the criticality analysis)
    • Identify the biggest risks
    • Identify the cost of mitigation
    • Can several mitigating controls be combined?
    • Do mitigating controls follow best / common practices?

  36. Develop Business Continuity and Disaster Recovery Plans
  • For the most critical processes (based upon ranking in the criticality analysis)
    • Develop continuity plans and recovery plans
    • Must meet RTO and RPO objectives
  • Develop a budget for plan development
  • Develop a budget for the response and recovery effort
  • Revise as needed

  37. Select Recovery Team Members
  • Selection criteria
    • Location of residence, relative to work and other key locations
    • Skills and experience (determines effectiveness)
    • Ability and willingness to respond

  38. Select Recovery Team Members (cont.)
  • Selection criteria (cont.)
    • Health and family (determines the probability of being able to serve)
  • Identify backups
    • Other team members, external resources

  39. Emergency Response
  • Personnel safety: includes first aid, searching for personnel, etc.
  • Evacuation: evacuation procedures to prevent any hazard to workers.
  • Asset protection: includes buildings, vehicles, and equipment.

  40. Emergency Response (cont.)
  • Damage assessment: this could involve outside structural engineers to assess damage to buildings and equipment.
  • Emergency notification: response team communication, and keeping management and organization staff informed.

  41. Damage Assessment and Salvage
  • Determine damage to buildings, equipment, and utilities
  • Requires inside experts
  • Usually requires outside experts
    • Civil engineers to inspect buildings
    • Government building inspectors

  42. Damage Assessment and Salvage (cont.)
  • Salvage
    • Identify working and salvageable assets
    • Cannibalize for parts or other uses

  43. Notification
  • Many parties need to know the condition of the organization
    • Employees, suppliers, customers, regulators, authorities, shareholders, community

  44. Notification (cont.)
  • Methods of communication
    • Telephone call trees, web site, signage, media
  • Alternate means of communication must be identified

  45. Personnel Safety
  • The number one concern in any disaster response operation
    • Emergency evacuation
    • Accounting for all personnel
    • Administering first aid

  46. Personnel Safety (cont.)
  • The number one concern in any disaster response operation (cont.)
    • Emergency supplies: water, food, blankets, shelters
    • On-site employees could be stranded for several days

  47. Communications
  • Communications are essential during emergency operations

  48. Communications (cont.)
  • Considerations
    • Avoid common infrastructure
    • Diversify mobile services
    • Consider two-way radios
    • Consider satellite phones
    • Consider amateur radio

  49. Public Utilities and Infrastructure
  • Often interrupted during a disaster
    • Electricity: emergency power (UPS, generator)
    • Water: building could be closed if no water is available
    • Natural gas: heating
    • Wastewater: if disabled, building could be closed

  50. Public Utilities and Infrastructure (cont.)
  • Emergency supplies
    • Drinking water, sanitation, spare parts, waste bins

Source: https://www.slideserve.com/jchiaramonte/business-continuity-and-disaster-recovery-planning-powerpoint-ppt-presentation
