
Business Continuity and Disaster Recovery

  • Disaster Classifications

    • Natural Disaster (Flood, Storms, Fire, Hurricane, Tornado, Earthquake, etc.)

    • Man-Made Disaster (Fires, Acts of Terrorism, Bombings/Explosions, Power Outages, Network, Utility, and Infrastructure Failures, Hardware/Software Failures, Strikes/Picketing, Theft/Vandalism) (most common classification; includes technical causes such as malware)

  • Terms and Definitions

    • Business Continuity Plan (BCP)

    • BCP will Contain:

      • Crisis Communication Plan

      • Occupant Emergency Plan (OEP)

      • Continuity of Operation Plan (COOP)

      • Cyber Incident Response Plan

      • Information System Contingency Plan (ISCP)

      • Disaster Recovery Plan (DRP)

      • Business Recovery Plan (BRP)

    • Disaster Recovery Plan (DRP)

    • Disaster Recovery Process

      • Respond

      • Activate Team

      • Communicate

      • Assess

      • Reconstitution

  • Categories of Disruptions

    • Incident: non-disaster, an inconvenience (e.g. a hard drive failure)

    • Emergency/Crisis

    • Disaster

    • Catastrophe

  • Disaster Recovery Program:

    • Critical Application Assessment

    • Backup Procedures

    • Recovery Procedures

    • Implementation Procedures

    • Test Procedures

    • Plan Maintenance

  • BCP Life Cycle Stages

    • NIST (7 steps)

      • Project Initiation

      • Business Impact Analysis

      • Identify Preventive Controls (Recovery Strategy)

      • Develop Recovery Strategies (Plan Design and Development)

      • Develop the Contingency Plan (Implementation)

      • Testing the Plan, Training and Exercise (Testing)

      • Maintain the Plan (Continual Maintenance)

    • ISC2 (4 steps)

      • Project Scope and Planning

        • Organisation Review (BOA)

        • Team Selection

        • Resource Requirement

        • Legal and Regulatory Requirement

      • Business Impact Analysis (BIA)

        • Identify Priorities

        • Risk Identification

        • Likelihood Assessment

        • Impact Assessment

        • Resource Prioritization

      • Continuity Planning

        • Strategy development

        • Provisions and processes

        • People

        • Buildings and Facilities

        • Infrastructure

      • Plan Approval and Implementation

        • Plan approval

        • Plan implementation

        • Training and education

        • BCP Documentation

          • Continuity Planning Goals

          • Statement of Importance

          • Statement of Priorities

          • Statement of Organizational Responsibility

          • Statement of Urgency and Timing

          • Risk Assessment

          • Risk Acceptance/Mitigation

          • Vital Records Program

          • Emergency-Response Guidelines

          • Maintenance

          • Testing and Exercises

  • Recovery Strategy

    • Business Process Recovery

    • Facility Recovery:

      • Redundant Site

      • Hot Site

      • Warm Site

      • Cold Site

      • Reciprocal Agreement

      • Rolling Hot-Site (MRU)

      • Multiple Processing Center

    • Hardware Backups

    • Software Backups

    • Supply and Technology Recovery

    • User environment recovery

    • Insurance

      • Cyberinsurance

      • Business Interruption Insurance

    • Data Recovery

      • Data Backup Alternatives

        • Electronic Vaulting

        • Remote Journaling

        • Remote Mirroring

        • Tape Vaulting

  • Business Continuity Planning

    • Provide an immediate and appropriate response to emergency situations

    • Protect Lives and ensure safety

    • Reduce Business Impact

    • Resume Critical Business Functions

    • Work with outside vendors during the recovery period

    • Reduce confusion during a crisis

    • Ensure survivability of the business

    • Get "up and running" quickly after a disaster

  • Contingency Plan Teams

    • Damage assessment team

    • Legal team

    • Media relations team

    • IT recovery team

    • Relocation team (facilities)

    • Restoration team

    • Salvage team

    • Security team

  • BIA Steps

    • Select individuals to interview for data collection

    • Data Gathering (surveys, questionnaires, Quantitative and Qualitative)

    • Identify critical functions

    • Identify resources needed to perform the critical functions

    • Calculate how long the functions can survive without these resources

    • Identify vulnerabilities/threats to the functions

    • Calculate the risk for the functions

    • Document findings and Report to Management

  • DR Testing Exercises

    • DRP Review

    • Read-Through/Checklist Exercise aka “Desk check” test

    • Walk-Through/ Tabletop Exercise

    • Simulation Test

    • Parallel Test

    • Full Interruption Test

  • Business Impact Metrics

    • Maximum Tolerable Downtime / Maximum Tolerable Outage (MTD/MTO)

    • Recovery Time Objective (RTO)

    • Recovery Point Objective (RPO)

    • Mean Time Between Failures (MTBF)

    • Mean Time To Repair (MTTR)

    • Work Recovery Time (WRT)

  • When to Update Plan

    • Business Unit changes

    • Business Strategy changes

    • Business Process changes

    • IT System changes

  • BIA Reports

    • List of Critical Processes

    • List of MTD by process

    • Criticality Rankings for functions

    • Prioritized list of systems and applications

    • Prioritized list of non-IT resources

    • List of RTOs

    • List of RPOs