Disaster & Recovery Planning Discussion
(APA format)(250 words)
1. What are five key elements that a security policy should have in order to remain viable over time?
2. Briefly describe three key downtime metrics.
Principles of Incident Response and Disaster Recovery, 2nd Edition
Chapter 02
Planning for Organizational Readiness
Objectives
Discuss why an individual or group needs to be appointed to create a contingency policy and plan
Describe the elements needed to begin the contingency planning process
Define business impact analysis and describe each of its components
List the steps needed to create and maintain a budget used for the contingency planning process
Introduction
Planning for contingencies
Complex and demanding process
Systematic methodology
Organize the planning process
Prepare detailed and complete plans
Commit to maintaining those plans
Rehearse plans with a military rigor
Completed after normal working hours
Maintain the processes
Beginning the Contingency Planning Process
Contingency planning management team (CPMT)
Consists of an individual or team
CPMT responsibilities
Obtain commitment and support
Manage and conduct the overall CP process
Write the master CP document
Conduct the business impact analysis (BIA)
Assist in identifying and prioritizing threats and attacks
Assist in identifying and prioritizing business functions
Beginning the Contingency Planning Process (cont’d.)
CPMT responsibilities (cont’d.)
Organize and staff subordinate team leadership
Incident response
Disaster recovery
Business continuity
Crisis management
Provide guidance to and integrate the work of the subordinate teams
Beginning the Contingency Planning Process (cont’d.)
CPMT positions
Champion
Project manager
Team members
Representatives from other business units
Business managers
Information technology managers
Information security managers
Representatives from subordinate teams
Beginning the Contingency Planning Process (cont’d.)
Commitment and Support of Senior Management
Clear and formal senior executive management commitment required
Prevents CP process failure
Managers and employees provide time and resources
Support gained from communities of interest
Each should complement the others
Information security communities of interest
Information security managers and professionals
Information technology managers and professionals
General management managers and professionals
Information Security Management and Professionals
Protect information systems and stored information from attacks
Tightly focused on protecting system integrity and confidentiality
Sometimes lose sight of availability
Information Technology Management and Professionals
Design, build, or operate information systems
IT managers and skilled professionals
Systems design, programming, networks
Related disciplines categorized as information technology (IT)
Same objectives as information security community
Focus
System creation and operation costs
System users’ ease of use
System creation timeliness; transaction response time
Organizational Management and Professionals
Includes executive management, production management, human resources, accounting, legal, and others
IT community category reference
Users of information technology systems
Information security community category reference
Security subjects
All IT systems and information security objectives
Implement broader organizational community objectives and safeguard effective use and operation
Elements Required to Begin Contingency Planning
Four required CP process elements
Planning methodology
Policy environment (enables planning process)
Understanding causes and effects of core precursor activities (business impact analysis)
Access to financial and other resources
Articulated and outlined by the planning budget
Development of CP policies and plans
Occurs once CPMT organized and staffed
Expands the four elements
Elements Required to Begin Contingency Planning (cont’d.)
Complete CP development methodology adaption
NIST Special Publication 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems (2010)
NIST Special Publication 800-61, Rev. 2, Computer Security Incident Handling Guide (2012)
Complete process
Form the CPMT
Develop contingency planning policy statement
Conduct the business impact analysis (BIA)
Elements Required to Begin Contingency Planning (cont’d.)
Form subordinate planning teams
Develop subordinate planning policies
Integrate the BIA
Identify preventive controls
Organize response teams
Create contingency strategies
Develop subordinate plans
Ensure plan testing, training, and exercises
Ensure plan maintenance
Contingency Planning Policy
Required for effective contingency planning
Purpose of policy
Define the CP operations scope
Establish managerial intent with regard to timetables for incident response
Recovery from disasters
Reestablishment of operations for continuity
Establish responsibility for the development and operations of the CPMT in general
Provide specifics on CP-related team constituencies
Contingency Planning Policy (cont’d.)
CP policy sections
Introductory statement
Scope and purpose statement
Call for periodic risk assessment and BIA
Specification of major CP components to be designed
Call for, and guidance in, selection of recovery options and BC strategies
Requirement to test the plans on a regular basis
Identification of key regulations and standards impacting CP planning
Contingency Planning Policy (cont’d.)
Identification of key individuals responsible for CP operations
Challenge to individual members
Asking for their support
Reinforcing their importance in the overall CP process
Additional administrative information
Each CP meeting should be documented
Business Impact Analysis
Business impact analysis (BIA)
Investigation and assessment of the impact that various events or incidents can have on the organization
Provides detailed identification and prioritization of critical business functions
Different from the risk management process
Begins with prioritized list of threats and vulnerabilities
Question
If an attack succeeds, what do you do next?
Business Impact Analysis (cont’d.)
Five “keys to BIA success”
Set the project scope carefully
Initiate data-gathering process
Find information senior managers need
Seek out objective rather than subjective data
Determine higher management needs prior to data collection
Gain validation of the results:
Derived from risk assessment and BIA
From owners of the business processes being examined
Business Impact Analysis (cont’d.)
CPMT conducts the BIA in three stages
Determine Mission/Business Processes and Recovery Criticality
First major BIA task
Analyze and prioritize business processes
Based on relationships to mission
Evaluate independently to compare with organization as a whole
Business process = “mission/business process”
Task performed in support of the overall mission
Collect critical information before prioritizing
Avoid “turf war”
Useful tool: BIA questionnaire
Determine Mission/Business Processes and Recovery Criticality (cont’d.)
Weighted analysis table resolves most critical issues
Weighted analysis process
Identify organization categories
Assign weights to each category
Assigned weights add to a value of one (100 percent)
Identify various business functions
Importance value assessed on a scale of one to 10
Weights are multiplied by the scores in each category
Weighted scores are summed to obtain that business function’s overall value to the organization
Determine Mission/Business Processes and Recovery Criticality (cont’d.)
Determine Mission/Business Processes and Recovery Criticality (cont’d.)
NIST Business Process and Recovery Criticality
NIST Special Publication 800-34 Rev. 1
Large quantities of information needed
BIA data collection process needed
Determine Mission/Business Processes and Recovery Criticality (cont’d.)
Key Downtime Metrics
Maximum tolerable downtime (MTD)
Total amount of time the system owner/authorizing official is willing to accept for a process outage
Includes all impact considerations
Recovery time objective (RTO)
Time period within which systems, applications, or functions must be recovered after an outage
Recovery point objective (RPO)
Point in time to which lost systems and data can be recovered after outage; determined by business unit
Key Downtime Metrics (cont’d.)
NIST Special Publication 800-34 Rev. 1
Contains additional definitions for MTD, RTO, RPO
Reducing RTO requires mechanisms to shorten start-up time or provisions to make data available online at a failover site
Reducing RPO requires mechanisms to increase data replication synchronicity between production systems and backup implementations
Critical need: avoid exceeding MTD
RTO must be shorter than MTD
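The weighted analysis process and the downtime-metric rules above can be checked together in a short script. This is an added example, not material from the textbook or the slides: the category names, weights, process names, hour values and the replication_h field are constructed for illustration, and comparing the replication interval against the RPO is an assumption about how the RPO would be verified.

```python
"""BIA weighted analysis plus downtime-metric checks (constructed sample data)."""
from dataclasses import dataclass

# Constructed category weights; the slide requires them to total 1.0 (100 percent).
WEIGHTS = {"revenue": 0.4, "customer_service": 0.3, "compliance": 0.3}


@dataclass
class Process:
    name: str
    scores: dict          # category -> importance on the 1-10 scale
    mtd_h: float          # maximum tolerable downtime, hours
    rto_h: float          # recovery time objective, hours
    rpo_h: float          # recovery point objective, hours
    replication_h: float  # assumed interval between backup/replication runs, hours


def validate_weights(weights):
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights total {total:.2f}, expected 1.00")


def weighted_value(proc, weights):
    """Multiply each category weight by the score, then sum the products."""
    if set(proc.scores) != set(weights):
        raise ValueError(f"{proc.name}: scores do not match weight categories")
    for cat, score in proc.scores.items():
        if not 1 <= score <= 10:
            raise ValueError(f"{proc.name}: {cat} score {score} outside 1-10")
    return round(sum(weights[c] * proc.scores[c] for c in weights), 2)


def metric_findings(proc):
    """Flag metric combinations that cannot satisfy the stated objectives."""
    findings = []
    if proc.rto_h >= proc.mtd_h:
        findings.append("RTO is not shorter than MTD")
    if proc.replication_h > proc.rpo_h:
        # Worst-case data loss equals the gap between replication runs.
        findings.append("replication interval exceeds RPO")
    return findings


def bia_report(processes, weights=WEIGHTS):
    """Return (name, weighted value, findings) rows, most critical first."""
    validate_weights(weights)
    rows = [(p.name, weighted_value(p, weights), metric_findings(p)) for p in processes]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample processes: scores, then MTD, RTO, RPO, replication interval.
SAMPLE = [
    Process("Order processing", {"revenue": 9, "customer_service": 8, "compliance": 4}, 8, 4, 1, 0.25),
    Process("Payroll", {"revenue": 2, "customer_service": 3, "compliance": 9}, 72, 96, 24, 24),
    Process("Customer support desk", {"revenue": 5, "customer_service": 10, "compliance": 3}, 24, 12, 4, 12),
]

if __name__ == "__main__":
    for name, value, findings in bia_report(SAMPLE):
        print(f"{value:5.2f}  {name:22s} {'; '.join(findings) or 'ok'}")
```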
Cost Balance Point
Different for every organization and system
Based on financial constraints and operating requirements
Prioritize Information Assets
Helpful to understand information assets used by prioritized processes
High-value information assets
May influence a particular business process valuation
Task normally performed as part of the risk-assessment function of risk management
Perform task now if organization has not performed this task
Identify Resource Requirements
Need to determine resources needed to recover prioritized processes and associated assets
Resource intensive processes: IT functions
Resources require extensive sets of information processing, storage, and transmission
Supporting customer data, production data, and other organizational information
Business production-oriented processes
Require complex or expensive components to operate
Identify System Resource Recovery Priorities
Last stage of the BIA
Prioritize resources associated with the mission/business processes
Brings better understanding of what must be recovered first
Create additional weighted tables of the resources
Develop a custom-designed “to-do” list
Use a simple valuation scale
Primary/Secondary/Tertiary
Critical/Very important/Important/Routine
BIA Data Collection
Not a discrete step
Methods
Online questionnaires
Facilitated data-gathering sessions
Process flows and interdependency studies
Risk assessment research
IT application or system logs
Financial reports and departmental budgets
BCP/DRP audit documentation
Production schedule
Online Questionnaires
Online or printed questionnaire
Identify and classify
Business functions and impact they have on other organization areas
Enables a structured collection method
Collect information directly from those most knowledgeable
Examples
Web site for the Texas State Office of Risk Management BIA questionnaire areas
See Table 2-3 and Table 2-4
Online Questionnaires (cont’d.)
Online Questionnaires (cont’d.)
Facilitated Data-Gathering Sessions
Focus group (facilitated data-gathering session)
Collecting information directly from the end users and business managers
Individuals brought together
Brainstorm answers to BIA process questions
To yield quantity or quality of information desired
Ensure a relaxed, productive session
Provide clear session structure
Encourage dialog
Restrict managers’ ability to take control
Process Flows and Interdependency Studies
Systems diagramming
Documents ways systems operate
Charts process flows and interdependency studies
Used for both manual and automated systems
Common diagramming techniques
Use case diagrams and supporting use cases
Specifically designed to help understand interactions between entities and business functions
Process Flows and Interdependency Studies (cont’d.)
Process Flows and Interdependency Studies (cont’d.)
Uniform modeling language (UML) models
Class diagrams, sequence diagrams, collaboration diagrams
Traditional systems analysis and design approaches
Workflow, functional decomposition, and dataflow diagrams
Quite complex
Only use if organization has them in place
Risk Assessment Research
Risk assessment and risk management effort
Provides a wealth of information for BIA effort
Some modification may be necessary
Risk management process
Primary starting point for the BIA
Alternative efforts required if risk assessment not performed
Teams may collect information from outside sources on risk assessment
IT Application or System Logs
IT staff
Valuable in determining categorical data
Frequency of occurrence
Probability of success
Provide information from various logs
Logs collect and provide reports
Failed login attempts, probes, scans, denial-of-service attacks, malware detected
Provides more accurate attack environment description
Financial Reports and Departmental Budgets
Documents from normal operations
Provide insight into business operations
Costs and revenues provided by each functional area
Useful in prioritizing business areas and functions
Provides insight into the area’s profitability and revenues contribution
Most common method of calculating business impact
Review financial reports and budgets
Lost sales, idle personnel costs, and other opportunity costs easily obtained
Audit Documentation
Paid external consultant audits
Used by larger organizations and publicly traded firms
Audit function compliance
Federal and state regulations
National or international standards
Part of proactive ongoing improvement program
Audit reports
Provide additional information for the BIA process
Production Schedules
Information valuable in the completion of the BIA
Production schedules, marketing forecasts, productivity reports, other business documents
Include information collected from multiple sources
Rather than redundantly re-collecting it from the same sources
If information not collected directly by the BIA team
Make sure it is current and accurate
Undated information often worse than no information
Budgeting for Contingency Operations
Incident response
May not require dedicated budgeting
Disaster recovery and business continuity
Require ongoing expenditures, investment, and service contracts to support their implementation
Many organizations are “self-insured”
Put money into an account
Draw upon it should replacements be required
Some organizations forgo “self-insured” investments
Due to tight budgets and drops in revenues
Incident Response Budgeting
IR capabilities
Part of a normal IT budget
Data protection and response, backup and recovery methods
Uninterruptible power supplies (UPSs)
Antivirus/antispyware/antimalware software
Redundant arrays of independent disks (RAID)
Network-attached storage (NAS) or storage area networks (SANs)
Additional expenses
Protection of user data outside common storage areas
Incident Response Budgeting (cont’d.)
Required budgeting
Maintenance of redundant equipment
Use the “rule of three”
Keep an online production system
Keep an online or very nearly online backup system
Keep an offline testing and development system
Online “hot” servers have redundancy incorporated
Backup or “warm” server
Provides redundant functions standing by in a near-online state
Disaster Recovery Budgeting
Number one DR budgetary expense
Insurance policies
Provide for the capabilities to rebuild and reestablish operations at the primary site
Data loss policies
Many organizations cannot afford them
Losses from a distributed denial-of-service (DDoS) attack not so familiar
Insurance difficult to estimate exactly
Many expenses not covered by insurance
Loss of water, electricity, data, and the like
Business Continuity Budgeting
Requires the largest budget expenditure
Staggering cost to maintain high level of redundancy
Example: service level agreements (SLAs) for hot sites
Set aside “war chest” of funds for items needed during continuity operations
Safety deposit boxes at a local bank
Store corporate credit cards, purchase orders, cash
Consider nonsalaried employee overtime
Crisis Management Budgeting
Fundamentals of crisis management
Focused on physical and psychological losses associated with catastrophic disasters
Primary budget item
Employee salaries if unable to come to work
Establish a minimum budget for paid leave
Other items
Funeral and burial expenses; employee counseling services
Summary
Approach CP using a systematic methodology
CPMT responsible for contingency policy and plans
Obtains commitment and support, manages the overall process, writes documents, conducts the BIA, organizes and staffs leadership, provides guidance
Roster includes champion, project manager, others
Effective CP begins with effective policy
Policy provides guidance from executives
Policy contains statements, calls for action, guidelines and additional administrative information
Summary (cont’d.)
BIA: investigation and assessment of event impact
Detailed identification and prioritization of critical business functions
Key element: placing priorities and values on mission/business process
Insurance: number-one budgetary expense for DR
Larger deductibles provide lower monthly premiums
Set aside funds to cover deductibles
Business continuity: largest budget expenditure
Consider employee overtime, employee loss expenses