Presentation is loading. Please wait.

Presentation is loading. Please wait.

CISSP For Dummies Chapter 11 Business Continuity and Disaster Recovery Planning Last updated 11-26-12.

Published byAngelica Lane Modified over 8 years ago

Similar presentations

Presentation on theme: "CISSP For Dummies Chapter 11 Business Continuity and Disaster Recovery Planning Last updated 11-26-12."— Presentation transcript:

1 CISSP For Dummies Chapter 11 Business Continuity and Disaster Recovery Planning Last updated 11-26-12

2 Topics Disasters BCP (Business Continuity Planning) & DRP (Disaster Recovery Planning) Business Impact Assessment (BIA) BCP (Business Continuity Planning) Testing the DRP (Disaster Recovery Plan)

3 Disasters

4 Natural Disasters Fires and explosions Earthquakes Storms Floods Hurricanes Volcanoes etc.

5 Secondary Effects Utility outages Communications outages Transportation outages Evacuation/unavailability of personnel

6 Man-made Disasters Accidents – Hazardous material spills, power outages, etc. Crime and mischief – Arson, vandalism, burglary War and terrorism Cyberattacks/cyberwarfare – DoS attacks, malware, APT Civil disturbances – Riots, demonstration, strikes, etc.

7 How Disasters Affect Businesses Damage to – Business buildings – Records – Equipment – Communications Public utilities – Transportation systems – Injuries and loss of life – Indirect damage: suppliers and customers

8 BCP (Business Continuity Planning) & DRP (Disaster Recovery Planning)

9 BCP & DRP Work Together BCP – Keeps business running, often in a different location, after the disaster DRP – Restores normal business operations later

10 BCP & DRP Common Elements Identification of critical business functions – Business Impact Assessment (BIA) Identification of possible disaster scenarios Experts – Who understand the organization’s critical business processes

11 Continuity of Operations Planning (COOP) A new approach blending BCP and DRP together

12 BCP Project Elements Senior management support Senior management involvement Team must include representatives from all business units

13 BCP Project Components Scope Determination BIA (Business Impact Assessment) BCP (Business Continuity Plan) Implementation

14 BCP Scope Determination Difficult to choose which systems are vital and therefore should be included in BCP Scope creep occurs when a project grows beyond its original intent Strong leaders are needed to stay on target

15 Business Impact Assessment (BIA)

16 BIA (Business Impact Assessment) Describes the impact a disaster is expected to have on business operations Determines which business process are more resilient and which are more fragile

17 BIA (Business Impact Assessment) Tasks – Vulnerability assessment – Criticality assessment—how important a business function is to the viability of the organization – Determine MTD (Maximum Tolerable Downtime) – Establish recovery targets – Determine resource requirements

18 Vulnerability assessment Similar to Risk Assessment Quantitative parts – Loss of revenue and capital – Personal liabilities – Increased expenses – Penalties from violating business contracts – Violations of laws & regulations, fines, legal costs

19 Vulnerability assessment Qualitative parts: Loss of: – Service quality – Competitive advantages – Customer satisfaction – Market share – Prestige and reputation Critical support areas would cause irreparable harm if lost

20 Criticality Assessment Rank all business functions in order of criticality Length of disaster affects criticality assessment Identify key players

21 Determine MTD (Maximum Tolerable Downtime) Also called Maximum Tolerable Period of Disruption (MTPD) For each critical business function

22 Establish Recovery Targets Period of time between disaster and when critical processes have resumed Recovery Time Objective (RTO) – Maximum period of time required for restoration Recovery Point Objective (RPO) – Amount of data that could be lost – Amount of work that must be re-done

23 Determine Resource Requirements What resources are needed for each critical business function? Resources: – Systems and applications – Suppliers and partners – Key personnel – Business equipment

24 BCP (Business Continuity Planning)

25 Elements of a BCP Emergency response teams – With written instructions Damage assessment – Determine whether buildings and equipment are still usable Personnel safety Personnel notification

26 Backups and Off-Site Storage Store backups in a secure location Far enough away to not experience the same disaster Close enough to be used without unacceptable delays Online backup systems are increasing in popularity (also called remote backup)

27 Elements of a BCP Software escrow agreements – Software stored at a third party External communications – Communicating disaster information to press, customers, and public Utilities – How long can your data center run without power?

28 Elements of a BCP Logistics and supplies – Just-in-time shipments are most vulnerable Fire and water protection – Can you put out a fire if the water mains are out of service? – Will there be drinking water for the staff?

29 Documentation Must be available in a disaster Put a copy of DRP and BCP at remote facility where backups are Issue soft copies to all relevant personnel Hard copies also needed in case electronic copies cannot be used

30 Data Processing Continuity Planning Cold site – An empty room with power & HVAC but no computers – Cheapest, but slowest to implement Warm site – Cold site with computers and communications links already in place – Software and data must be installed to make it usable

31 Data Processing Continuity Planning Hot site – Most expensive option – Duplicate computers from main system – Applications, OS, and patches up-to-date – Data kept up-to-date Reciprocal site – Another company agrees to share data center resources during a disaster – Not a common choice anymore

32 Data Processing Continuity Planning Multiple data centers – Large organizations can synchronize the data at their geographically separated data centers – They don’t need any other company involved – No additional cost

33 Developing the BCP After determining scope, BIA, Criticality Assessment, and MTDs, you know – What portion of organization is included in the plan – Which functions are critical – Degree of impact on the business if a critical function fails Continuity Strategy – How to continue each critical process after a disaster

34 Simplifying Critical Functions Break them into components – People – Facilities – Technology – Miscellaneous

35 Documenting the Strategy Details of the continuity plan for each critical function must be described in detail, step by step Hiring an expert consultant may help

36 Implementing the BCP Secure senior management approval Promote awareness—every employee must know about the BCP Maintaining the BCP – It needs constant updating – BCP leader must attend Change Control Board meetings

37 Developing a DRP (Disaster Recovery Plan) Restoring the original site to full function

38 Prepare for Emergency Response Specialized training to deal with – Water and smoke damage – Structural damage – Flooding – Hazardous materials

39 Salvage and Recovery Salvage – Damage assessment – Salvage assets – Cleaning – Restoring the facility to operational readiness Recovery – Helping the BCP team get alternate sites up and running

40 Financial Readiness Insurance Cash reserves Line of credit Pre-purchased assets Letters of agreement – For emergency use of materials Standby assets

41 Notifying Personnel Employees need to know if facilities are closed and where to report for work Normal communications may be down – SMS messages often work even when cellphone systems are congested Audio conference bridges – More than one provider

42 Physical and Logical Security Looting and vandalism are threats—physical fences and guards needed Protecting information – Access controls – Authorization – Audit logging – Intrusion detection – Firewalls – Encryption – Backup – Physical access controls – Environmental controls – Personnel controls

43 Testing the DRP Checklist Structured walkthrough – Group reads through the documents – Record issues on a whiteboard or flipchart – Requires two to eight hours

44 Testing the DRP Simulation – Declare a fake emergency – Reads out announcements like news briefs – DR team discuss actions in a conference room, or at the emergency response center

45 Testing the DRP Parallel test – Run real DR activities on systems that are running alongside the real active systems – DR team duplicates real work – Difficult to set up but accurate and low-risk

46 Testing the DRP Interruption or Cutover – Primary systems are shut off during real business operations – Ultimate test of DR systems

47 Creating Competitive Advantage BCP and DRP can be seen as lost money – Preparing for something that may never happen But real business benefits come two ways – Improved products and services from a more mature company – Opportunity to market superior reliability by telling clients about the BCP and DRP

Download ppt "CISSP For Dummies Chapter 11 Business Continuity and Disaster Recovery Planning Last updated 11-26-12."

Similar presentations

Museum Presentation Intermuseum Conservation Association.

Museum Presentation Intermuseum Conservation Association.
Practical Preparations Planning for Safety and Emergencies.

Practical Preparations Planning for Safety and Emergencies.
Business Plug-In B4 MIS Infrastructures.

Business Plug-In B4 MIS Infrastructures.
Reliability of the electrical service Business Continuity Management Business Impact Analysis (BIA) Critical ITC Services Minimum Business Continuity Objective.

Reliability of the electrical service Business Continuity Management Business Impact Analysis (BIA) Critical ITC Services Minimum Business Continuity Objective.
CIOassist Technologies Your CIO on Demand… Business Continuity Planning Our Offering CIOassist Technologies (www.cioassist.in)www.cioassist.in

CIOassist Technologies Your CIO on Demand… Business Continuity Planning Our Offering CIOassist Technologies (
DISASTER CENTER Study Case DEMIRBANK ROMANIA “Piata Financiara” ConferenceJanuary 29, 2002 C 2002.

DISASTER CENTER Study Case DEMIRBANK ROMANIA “Piata Financiara” ConferenceJanuary 29, 2002 C 2002.
JOELLE QUIAPO FOLA OYEDIRAN GREG SWENSON SUKHI BEDI CHENYU GONG Disaster Recovery and Business Continuity Planning: Testing an Organization’s Plans What.

JOELLE QUIAPO FOLA OYEDIRAN GREG SWENSON SUKHI BEDI CHENYU GONG Disaster Recovery and Business Continuity Planning: Testing an Organization’s Plans What.
Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)

Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
Business Continuity & Disaster Recovery

Business Continuity & Disaster Recovery
Business Continuity Planning and Disaster Recovery Planning

Business Continuity Planning and Disaster Recovery Planning
TEL382 Greene Chapter 11. 10/27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.

TEL382 Greene Chapter /27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.
Planning for Contingencies

Planning for Contingencies
Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin CHAPTER FIVE INFRASTRUCTURES: SUSTAINABLE TECHNOLOGIES CHAPTER.

Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin CHAPTER FIVE INFRASTRUCTURES: SUSTAINABLE TECHNOLOGIES CHAPTER.
Disaster Recovery and Business Continuity Ensuring Member Service in Times of Crisis.

Disaster Recovery and Business Continuity Ensuring Member Service in Times of Crisis.
Saving Your Business from a Data Loss Randy Clark.

Saving Your Business from a Data Loss Randy Clark.
1 Disaster Recovery Planning & Cross-Border Backup of Data among AMEDA Members Vipin Mahabirsingh Managing Director, CDS Mauritius For Workgroup on Cross-Border.

1 Disaster Recovery Planning & Cross-Border Backup of Data among AMEDA Members Vipin Mahabirsingh Managing Director, CDS Mauritius For Workgroup on Cross-Border.
Gulf Coast Energy International Business Continuity / Disaster Recovery Planning and Design Proposal Prepared by Andrew Rolf, Felipe Torres, Pranay Jaiswal.

Gulf Coast Energy International Business Continuity / Disaster Recovery Planning and Design Proposal Prepared by Andrew Rolf, Felipe Torres, Pranay Jaiswal.
John Graham – STRATEGIC Information Group Steve Lamb - QAD Disaster Recovery Planning MMUG Spring 2013 March 19, 2013 Cleveland, OH 03/19/2013MMUG Cleveland.

John Graham – STRATEGIC Information Group Steve Lamb - QAD Disaster Recovery Planning MMUG Spring 2013 March 19, 2013 Cleveland, OH 03/19/2013MMUG Cleveland.
CHAPTER OVERVIEW SECTION 5.1 – MIS INFRASTRUCTURE

CHAPTER OVERVIEW SECTION 5.1 – MIS INFRASTRUCTURE
Business Continuity and You! The Ohio State University Business & Finance Enterprise Continuity Program Quarterly Update October 2008Business and Finance.

Business Continuity and You! The Ohio State University Business & Finance Enterprise Continuity Program Quarterly Update October 2008Business and Finance.

Similar presentations

Ads by Google