ISSAP Session 7 Technology Based Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) 21 September 2011.


1 ISSAP Session 7 Technology Based Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) 21 September 2011

2 BCP & DRP Questions from Session 6 ?
Prior sessions handouts are posted on Contact Shelton Lee for credentials

3 Requirements Schedule – Ten Sessions
08/24/2011 Organization 08/29/2011 Access Control pg /31/2011 Access Control pg /07/2011 Cryptography pg /12/2011 Cryptography pg /14/2011 Physical Security pg /19/2011 Requirements pg /21/2011 BCP & DRP pg Telecom pt 1 pg 09/26/2011 Telecomm pt 2 pg /28/2011 Review

4 BCP & DRP Identification and planning for adverse events
Once identified, develop countermeasures BCP must meet business needs Key areas of expertise Evaluating recovery requirements and strategy Designing and developing the BCP Assessing the BCP and DRP

5 BCP & DRP BCP: avoid loss DRP: recover from loss (subset of BCP)
Preparation that facilitates rapid recovery of business critical operations DRP: recover from loss (subset of BCP) Procedure for emergency response Results from planning and is part of the life cycle

6 BCP & DRP Planning Phases and Deliverables Identify the team and staff
Validate vital records: what will be needed to recover, includes backups Conduct risk and business impact analysis What needs to be mitigated, what must be recovered and in what order Develop recovery strategy Select strategy options and select: cost/benefit. Must/want. Alternate site selection: functional alternate site: capacity Document the plan Testing, maintenance, and update

7 BCP & DRP Risk Analysis or assessment What could happen
What is likely to happen Industry risks Location risks Transportation Other nearby elements For example would a chemical spill impact transportation

8 BCP & DRP Natural hazards Earthquake Tornado Flood Hurricane
Ice Storm (major problem in DFW) Blizzard Tsunami

9 BCP & DRP Industry Risks Robbery & theft Workplace violence
Money laundering Identity Theft Theft of trade secrets Fraud Loan Defaults Market risk Credit risk Labor disputes

10 BCP & DRP Location Nuclear power plants FBI/CIA (government buildings)
Oil storage Hazardous waste Chemical factories Biomedical research (activists)

11 BCP & DRP Risk Business Impact Analysis (BIA)
Risk reduction (controls) Risk acceptance (small) Risk transfer (insurance) Business Impact Analysis (BIA) Foundation for plans What must be protected/restored Use time sensitive, not critical or essential Classify functions as to recovery priority

12 BCP & DRP BIA Recovery Time Objective (RTO)
Usually used for applications Once all functions are prioritized, establish RTOs Anything that has not left building is at risk How much is acceptable determines backups Used for Recovery Point Objective

13 BCP & DRP Data Stored Electronically Determined by RTO and RPO
Most sensitive is offloaded either synchronously or asynchronously (batch) Other data uses tape/media backup and physical transportation Consider time to pack and transport in the RTO. Consider transportation means in calculating time. Consider that all images, OS, applications, & data are needed to restore plus hardware.

14 BCP & DRP Remote replication and off site journaling
Involves moving over network to secondary storage devices Expensive but needed if RTO is short Synchronous replication requires store and acknowledge Asynchronous: queue, batch, store Frequency depends on need for currency Does not impact real time operation

15 BCP & DRP Backup Strategies Remote Replication
Does not eliminate need for backup Single logical event could take out both Point in time copies need to be maintained Backup Strategies Incremental vs complete/full Incremental (change archive bit) Differential backup (does not) Depends on RTO
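
The archive-bit behaviour on this slide, worked through as an added example (not part of the original presentation): an incremental job clears the bit after copying, a differential job leaves it set, and that difference decides how many media sets a restore needs, which is why the choice depends on RTO. File names and the change schedule are constructed.

```python
# Added illustration: archive-bit semantics of full, incremental and
# differential backups. File names and the change schedule are constructed.

def run_schedule(kind, changes_per_day, files):
    """Simulate a full backup on day 0, then `kind` backups each following day.

    Returns a list of (label, set_of_files_copied), one entry per backup job.
    """
    archive_bit = {f: True for f in files}     # new files start with the bit set
    jobs = []

    def backup(label, clear_bit, everything=False):
        copied = {f for f in files if everything or archive_bit[f]}
        if clear_bit:
            for f in copied:
                archive_bit[f] = False
        jobs.append((label, copied))

    backup("full-day0", clear_bit=True, everything=True)
    for day, changed in enumerate(changes_per_day, start=1):
        for f in changed:                      # a write sets the archive bit
            archive_bit[f] = True
        # Incremental clears the bit after copying; differential leaves it set.
        backup(f"{kind}-day{day}", clear_bit=(kind == "incremental"))
    return jobs


def restore_chain(kind, jobs):
    """Media sets needed to restore to the latest point in time."""
    if len(jobs) == 1:
        return [jobs[0][0]]
    if kind == "incremental":                  # full plus every incremental, in order
        return [label for label, _ in jobs]
    return [jobs[0][0], jobs[-1][0]]           # full plus only the newest differential


FILES = ["ledger.db", "hr.xlsx", "mail.pst", "app.cfg"]            # constructed
CHANGES = [["ledger.db"], ["mail.pst"], ["ledger.db", "hr.xlsx"]]  # days 1..3

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        jobs = run_schedule(kind, CHANGES, FILES)
        for label, copied in jobs:
            print(f"{label:20} copied {sorted(copied)}")
        print("  restore needs:", restore_chain(kind, jobs))
```

Incremental jobs stay small but every one of them must be retrieved and applied in order; differential jobs grow each day but a restore needs only the full set and the newest differential.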

16 BCP & DRP Selecting Recovery Strategy Dual Data Center
Internal hot site External hot site Warm site (partially configured, needs hardware) Cold site: space only Reciprocal agreement With other similar business Agreed excess capacity Mobile unit – trailer or COW Outsourced

17 BCP & DRP Cost-Benefit Analysis Implementing Recovery Strategy
Consider each Eliminate outliers Included sunk, fixed, and variable costs plus testing Implementing Recovery Strategy Negotiation Site surveys Cost of installation Separate project

18 BCP & DRP Document the plan Plan activation Recovery procedures
Detailed enough to allow unfamiliar person to proceed Stored at recovery site and used for all testing Updated as needed Test with untrained personnel

19 BCP & DRP Human Factor Logistics Hardship Availability
Consideration of family Logistics How will event be declared How team will be contacted (possibly multiple) Travel and reservations – who will pay Where documentation is stored and how to retrieve How off-site backups will be retrieved. Who will do, & time Address. Phone numbers and directions to alternate site Command center location and phone number Problem reporting and management Public affairs

20 BCP & DRP Plan Maintenance Strategies Version control Maintenance
Review and update at least annually Test Protect production environment Walkthrough with all personnel affected Simulated vs actual Actual production is moved Compact Exercise scenario After action report Action items & tracking Plan update

21 BCP & DRP Summary BCP and DRP is evolving process
Virtualization will have impact Cloud: technology on demand Require new concepts

22 BCP & DRP End of BCP & DRP session
Will continue with Telecom pt 2 on 26 September Questions ?

