EE579U/11 #1 Spring 2004 © 2000-2004, Richard A. Stanley EE579U Information Systems Security and Management 11: Business Continuity Planning Professor.


1 EE579U/11 #1 Spring 2004 © 2000-2004, Richard A. Stanley EE579U Information Systems Security and Management 11: Business Continuity Planning Professor Richard A. Stanley

2 Overview of Today’s Class
Review of last class
Business Continuity Planning

3 Summary
Security management is the “glue” that binds the entire security effort together. Absent proper and adequate management, it doesn't matter how well the other bits and pieces work
This is probably the hardest part of all, because it remains difficult to compute the ROI

4 What is Business Continuity Planning?
Planning for the continuation of the business in the event of disaster(s)
Much larger issue than information assurance, but IA is a big piece of it
Model: military organizations, where casualties are expected, planned for
Many issues

5 Things to Think About
Will the “continued” business look like the pre-disaster version?
If people are identified to fill vacancies, do you tell them ahead of time?
  –Pros and cons, much consternation
What about flexibility?
Risks/rewards?

6 Where to Begin?
Look at past problems and issues
Read the paper!!
  –Today’s headlines can provide many pointers to risks that did not get much attention heretofore
  –e.g. terrorism, information theft

7 What Is A Disaster?
"A disaster is any incident or event that results in a major (multi-day) interruption of operations at one or more of the contact or data centers. For disruptions in service that affect only a portion of systems or operations at any one contact or data center, only a subset of the full recovery procedures will likely be used to restore normal operations. However, a catastrophic disaster would render the center(s) incapable of conducting critical functions for an extended period of time."
Source: http://www.donald-firesmith.com/Components/WorkUnits/Tasks/DisasterRecovery/DisasterThreatAnalysis.html

8 Levels of Disasters
Limited Disaster. A limited disaster is characterized by limited or isolated damage to a part of a contact or data center that is sufficient that has disabled or will disable it, partially or completely, for a period of 24 hours.
Moderate Disaster. A moderate disaster is characterized by severe damage to the entire contact or data center, thereby temporarily prohibiting the performance of all user support or operations tasks. It requires either temporary allocation of the workload to other existing sites or else temporary transfer to a hot-backup site until the facility can be repaired. However, no cold backup site is required because of the limited time required to put the affected site into full operation.
Catastrophic Disaster. A catastrophic disaster is characterized by complete destruction of a contact or data center. Because the center is a total loss and needs to be completely rebuilt or replaced, it requires either temporary allocation of the workload to other existing sites or else temporary transfer to either a hot or cold-backup site.
Source: http://www.donald-firesmith.com/Components/WorkUnits/Tasks/DisasterRecovery/DisasterThreatAnalysis.html

9 Most Costly Disaster Types
1. Floods
2. Earthquakes
3. Wind storms
4. Forest / scrub fires
5. Non-natural disasters
6. Droughts
7. Extreme temperatures
8. Avalanches / landslides
9. Volcanoes
10. Other natural disasters
Source: International Federation of Red Cross and Red Cross Societies

10 Another Disaster Type Taxonomy
Natural Disasters:
  –Earthquake.
  –Fire.
  –Flood.
  –Major storms such as tornados and hurricanes.
  –Mudslide.
  –Blizzard.
Man-Made Disasters:
  –Loss of electrical power (e.g., power brownouts and blackouts, accidental cutting of power cables).
  –Loss of cooling.
  –Loss of network connectivity.
  –Loss of telephone service (e.g., accidental cutting of telephone lines).
  –Hardware component failure.
  –Failure of physical security.
  –Loss of required staffing (e.g., evacuation, strike, or sick-out).
  –Sabotage.
  –Bomb threat.
  –Hacker attacks.
  –Water or sewer line breaks.
  –Flooding or roof cave-in due to plumbing problem
Source: http://www.donald-firesmith.com/Components/WorkUnits/Tasks/DisasterRecovery/DisasterThreatAnalysis.html

11 Disasters Depend on Geography
Source: FEMA disaster archives

12 …and on Timing
Source: FEMA disaster archives

13 Reasons for a Business Continuity Plan - 1
Increased dependency by the business over recent years on computerized production and sales delivery mechanisms, thereby creating increased risk of loss of normal services
Increased dependency by the business over recent years on computerized information systems
Increased likelihood of inadequate IT and information security safeguards
Increased recognition of the impact that a serious incident could have on the business

14 Reasons for a Business Continuity Plan - 2
Need to establish a formal process to be followed when a disaster occurs
Need to develop effective back up and recovery strategies to mitigate the impact of disruptive events
An intention to lower costs or losses arising from serious incidents
Avoidance of business failure from disruptive incidents.

15 Initiating the Plan
Review existing plan, if there is one
Come up with a policy statement
Develop a plan project budget
Develop a plan for approval of the plan
Let the employees know you are developing a continuity plan

16 Organizing the Process
Develop goals and objectives
Appoint project management
Select project team
Lay out a timeline and milestones
Reporting requirements?
Identify needed information, documents, etc.

17 Assess the Business Risks and Impacts
Emergency events
Business risks
IT and communications
Existing emergency procedures
Facility issues

18 Emergency Events
Environmental disasters
Deliberate disruption of business services
Loss of utilities
Equipment / system failures
IT security incidents
Others

19 Business Risk Assessment
What are our key business processes?
Set up timelines for measuring periods when normal services could be unavailable
  –e.g. time bands
Financial and operational impact
  –Link to timelines above

20 IT and Communications
Specify IT/Comm dependencies
Specify key IT/Comm processes
Key personnel contact list
Key suppliers
Existing recovery procedures

21 Existing Emergency Procedures
What are they?
Who has them?
Have they been practiced?
Key personnel
Outside emergency services needed, and contact information

22 Facility Issues
Responsibilities and authority for building and system repairs
Back-up power arrangements
Hazardous materials, storage, etc.
Key personnel contact data

23 Preparing for Emergency
Back-up and recovery strategies
Key personnel and supplies
Key documents and procedures

24 Back-up and Recovery Strategies
Alternative Business Process Handling Strategy
IT Systems Back-up and Recovery Strategy
Premises and Essential Equipment Back-up and Recovery Strategy
Customer Service Back-up and Recovery Strategy
Administration and Operations Back-up and Recovery Strategy
Information and Documentation Back-up and Recovery Strategy
Insurance Coverage

25 Key Personnel and Supplies
Functional Organization Chart
BCP Project coordinator and deputy for each Key Functional Area
Key Personnel and Emergency Contact Information
Key Suppliers and Vendors, and Emergency Contact Information
Manpower Recovery Strategies
Establishing the Disaster Recovery Team
Mobilizing the Business Recovery Team

26 Key Documents and Supplies
Documents and Records Vital to the Business Process
Off-site Storage Requirements
Emergency Stationery and Office Supplies
Media Handling Procedures
Emergency Authorization Procedures
Prepare Budget for Back-up and Recovery Phase

27 Disaster Recovery Phase
Handling emergency situations
Notification and reporting during the disaster phase
Responsibility and authority for securing from the disaster recovery phase

28 Planning for Emergencies
Identification of potential disasters
  –Probability?
  –Impact?
Involvement of emergency services
Assessing business impact of the emergency
Disaster recovery management activities

29 Notification and Reporting During Disaster Recovery
Mobilizing the Disaster Recovery Team
Notification to Management and Key Employees
Handling Notification of Personnel Families
Handling Media during the Disaster Recovery Phase
Maintain Event Log during Disaster Recovery Phase
Disaster Recovery Phase Report

30 Business Recovery Phase
Management of this phase
Activities during business recovery

31 Managing Business Recovery
Mobilizing the Business Recovery Team
Assessing extent of damage and business impact
Preparing specific recovery plan
Monitoring progress
Keeping everyone informed
Handing Business Operations Back to Regular Management
Preparing Business Recovery Phase Report

32 Recovery Activities
Power and Other Utilities
Premises, Fixtures and Furniture
Communications Systems
IT Systems (hardware and software)
Production and other Equipment
Warehouse and Inventory
Sales and Customer Service
Human Resources
Information and Documentation
Office Supplies

33 Does it Work? Testing the Plan
Plan the tests
Conduct the test
Evaluate and feedback
Beware complacency—strive for realism as much as possible
Beware of impact on outsiders, and on real customers and suppliers

34 Planning the Test
Develop objectives and scope of tests
Prepare budget for testing phase
Setting the test environment
Prepare test data
Identify who is to conduct the tests
Identify who is to control and monitor the tests
Prepare feedback questionnaires
Training testing team for each business unit

35 Conducting the Test
Test each part of the business recovery process
Measure success against stated goals
Test accuracy of employee and vendor emergency contact numbers
Assess results

36 Finally…
Keep staff trained in the recovery process
  –Manage this process
  –Assess training
Keep the plan up-to-date
  –Revise in response to significant changes
  –Don’t make it a moving target

37 Summary
Business continuity planning is critical to the continued existence and functioning of any business in the face of unexpected events, man-made or natural
It requires attention to detail, broad view of the business, and buy-in from above
Planning requires facing some hard issues, and making public things that might otherwise be kept very secret in normal circumstances

38 Homework
From your own experience or press reports, write a report analyzing the success or failure of business continuity planning in the face of disaster for a real organization having a substantial involvement with information technology. What went wrong? What went right? What would you have changed to make it better?

