ISSAP Session 7 Technology Based Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) 21 September 2011.



BCP & DRP
- Questions from Session 6?
- Prior sessions' handouts are posted on www.silverbulletinc.com/DM2
- Contact Shelton Lee for credentials: Shelton.lee@lmco.com

Requirements
Schedule – Ten Sessions
- 08/24/2011 Organization
- 08/29/2011 Access Control pg 3-62
- 08/31/2011 Access Control pg 62-117
- 09/07/2011 Cryptography pg 125-172
- 09/12/2011 Cryptography pg 173-212
- 09/14/2011 Physical Security pg 222-285
- 09/19/2011 Requirements pg 293-351
- 09/21/2011 BCP & DRP pg 357-371, Telecom pt 1 pg 379-399
- 09/26/2011 Telecom pt 2 pg 399-440
- 09/28/2011 Review

BCP & DRP
- Identification and planning for adverse events
- Once identified, develop countermeasures
- BCP must meet business needs
- Key areas of expertise
  - Evaluating recovery requirements and strategy
  - Designing and developing the BCP
  - Assessing the BCP and DRP

BCP & DRP
- BCP: avoid loss
  - Preparation that facilitates rapid recovery of business critical operations
- DRP: recover from loss (subset of BCP)
  - Procedure for emergency response
  - Results from planning and is part of the life cycle

BCP & DRP: Planning Phases and Deliverables
- Identify the team and staff
- Validate vital records: what will be needed to recover, includes backups
- Conduct risk and business impact analysis
  - What needs to be mitigated, what must be recovered and in what order
- Develop recovery strategy
  - Select strategy options and select: cost/benefit. Must/want.
  - Alternate site selection: functional alternate site: capacity
- Document the plan
- Testing, maintenance, and update

BCP & DRP: Risk Analysis or assessment
- What could happen
- What is likely to happen
- Industry risks
- Location risks
- Transportation
- Other nearby elements
- For example, would a chemical spill impact transportation?

BCP & DRP: Natural hazards
- Earthquake
- Tornado
- Flood
- Hurricane
- Ice Storm (major problem in DFW)
- Blizzard
- Tsunami

BCP & DRP: Industry Risks
- Robbery & theft
- Workplace violence
- Money laundering
- Identity theft
- Theft of trade secrets
- Fraud
- Loan defaults
- Market risk
- Credit risk
- Labor disputes

BCP & DRP: Location
- Nuclear power plants
- FBI/CIA (government buildings)
- Oil storage
- Hazardous waste
- Chemical factories
- Biomedical research (activists)

BCP & DRP
- Risk
  - Risk reduction (controls)
  - Risk acceptance (small)
  - Risk transfer (insurance)
- Business Impact Analysis (BIA)
  - Foundation for plans
  - What must be protected/restored
  - Use time sensitive, not critical or essential
  - Classify functions as to recovery priority

BCP & DRP: BIA
- Recovery Time Objective (RTO)
- Usually used for applications
- Once all functions are prioritized, establish RTOs
- Anything that has not left building is at risk
- How much is acceptable determines backups
- Used for Recovery Point Objective

BCP & DRP: Data Stored Electronically
- Determined by RTO and RPO
- Most sensitive is offloaded either synchronously or asynchronously (batch)
- Other data uses tape/media backup and physical transportation
- Consider time to pack and transport in the RTO.
- Consider transportation means in calculating time.
- Consider that all images, OS, applications, & data are needed to restore, plus hardware.

BCP & DRP: Remote replication and off site journaling
- Involves moving over network to secondary storage devices
- Expensive but needed if RTO is short
- Synchronous replication requires store and acknowledge
- Asynchronous: queue, batch, store
- Frequency depends on need for currency
- Does not impact real time operation
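
The difference between "store and acknowledge" and "queue, batch, store" shows up as the data missing at the secondary site when the primary is lost. The following is an added example, not part of the original slides; the write times, batch interval and RPO values are constructed, and it assumes a shipped batch arrives instantly and intact.

```python
# Added illustration: what the secondary site holds when the primary is lost.
# Write times, batch interval and RPO values are constructed sample data.

def secondary_at_failure(writes, fail_at, mode, batch_interval=None):
    """writes: list of (time_s, record) acknowledged to the application.
    Returns (on_secondary, lost) as lists of the same tuples."""
    acked = [w for w in writes if w[0] <= fail_at]
    if mode == "sync":
        # Store and acknowledge: the application is told "done" only after
        # the secondary has stored the write, so nothing acked is missing.
        on_secondary = list(acked)
    elif mode == "async":
        if not batch_interval or batch_interval <= 0:
            raise ValueError("async mode needs a positive batch_interval")
        # Queue, batch, store: the queue is shipped every batch_interval s.
        last_ship = (fail_at // batch_interval) * batch_interval
        on_secondary = [w for w in acked if w[0] <= last_ship]
    else:
        raise ValueError(mode)
    lost = [w for w in acked if w not in on_secondary]
    return on_secondary, lost


def meets_rpo(lost, fail_at, rpo_s):
    """True if the oldest lost write is no older than the RPO allows."""
    if not lost:
        return True
    return fail_at - min(t for t, _ in lost) <= rpo_s


WRITES = [(10, "txn-1"), (70, "txn-2"), (130, "txn-3"),
          (250, "txn-4"), (290, "txn-5")]                 # constructed

if __name__ == "__main__":
    for mode in ("sync", "async"):
        kept, lost = secondary_at_failure(WRITES, 300, mode, batch_interval=120)
        print(mode, "lost:", lost, "meets 60 s RPO:", meets_rpo(lost, 300, 60))
```

Shortening the batch interval narrows the loss window, which is the "frequency depends on need for currency" trade-off.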

BCP & DRP: Backup Strategies
- Remote Replication
  - Does not eliminate need for backup
  - Single logical event could take out both
  - Point in time copies need to be maintained
- Backup Strategies
  - Incremental vs complete/full
  - Incremental (change archive bit)
  - Differential backup (does not)
  - Depends on RTO
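
The archive-bit distinction decides how many backup sets a restore has to read, which is why the choice depends on RTO. The following is an added example, not part of the original slides; the file names and the change pattern are constructed sample data.

```python
# Added illustration: how the archive bit drives incremental vs differential
# backups. File names and the change pattern are constructed sample data.

def run_cycle(kind, daily_changes, all_files):
    """Simulate one full backup followed by daily `kind` backups.

    kind          -- "incremental" or "differential"
    daily_changes -- list of sets: files modified on each day after the full
    all_files     -- every file on the volume
    Returns a list of (label, files_copied) backup sets in the order taken.
    """
    if kind not in ("incremental", "differential"):
        raise ValueError(kind)
    archive_bit = {f: True for f in all_files}
    # Full backup: copy everything, then clear every archive bit.
    sets = [("full", sorted(all_files))]
    for f in archive_bit:
        archive_bit[f] = False
    for day, modified in enumerate(daily_changes, start=1):
        for f in modified:
            archive_bit[f] = True              # a write sets the bit again
        copied = sorted(f for f, bit in archive_bit.items() if bit)
        sets.append((f"{kind}-day{day}", copied))
        if kind == "incremental":
            for f in copied:
                archive_bit[f] = False         # incremental clears the bit
        # differential leaves the bit set, so each set grows until the next full
    return sets


def restore_chain(kind, sets):
    """Labels of the backup sets that must be read to restore the last day."""
    if kind == "incremental" or len(sets) == 1:
        return [label for label, _ in sets]    # full plus every incremental
    return [sets[0][0], sets[-1][0]]           # full plus latest differential


FILES = {"base.cfg", "a.db", "b.doc", "c.xls"}            # constructed
CHANGES = [{"a.db"}, {"b.doc"}, {"a.db", "c.xls"}]        # constructed

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        sets = run_cycle(kind, CHANGES, FILES)
        print(kind, sets[1:], "restore needs", restore_chain(kind, sets))
```

Incremental sets stay small but every one of them must be retrieved and applied in order; differential sets grow daily but a restore needs only the full and the latest one.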

BCP & DRP: Selecting Recovery Strategy
- Dual Data Center
- Internal hot site
- External hot site
- Warm site (partially configured, needs hardware)
- Cold site: space only
- Reciprocal agreement
  - With other similar business
  - Agreed excess capacity
- Mobile unit – trailer or COW
- Outsourced

BCP & DRP
- Cost-Benefit Analysis
  - Consider each
  - Eliminate outliers
  - Include sunk, fixed, and variable costs plus testing
- Implementing Recovery Strategy
  - Negotiation
  - Site surveys
  - Cost of installation
  - Separate project

BCP & DRP: Document the plan
- Plan activation
- Recovery procedures
- Detailed enough to allow unfamiliar person to proceed
- Stored at recovery site and used for all testing
- Updated as needed
- Test with untrained personnel

BCP & DRP
- Human Factor
  - Hardship
  - Availability
  - Consideration of family
- Logistics
  - How will event be declared
  - How team will be contacted (possibly multiple)
  - Travel and reservations – who will pay
  - Where documentation is stored and how to retrieve
  - How off-site backups will be retrieved. Who will do, & time
  - Address, phone numbers and directions to alternate site
  - Command center location and phone number
  - Problem reporting and management
  - Public affairs

BCP & DRP: Plan Maintenance Strategies
- Version control
- Maintenance
  - Review and update at least annually
- Test
  - Protect production environment
  - Walkthrough with all personnel affected
  - Simulated vs actual
  - Actual production is moved
  - Compact Exercise scenario
  - After action report
  - Action items & tracking
  - Plan update

BCP & DRP: Summary
- BCP and DRP are an evolving process
- Virtualization will have impact
- Cloud: technology on demand
- Require new concepts

BCP & DRP
- End of BCP & DRP session
- Will continue with Telecom pt 2 on 26 September
- Questions?