Exercise 5- Risk Mitigation and BC/DR Plan Development- Chapters 7 & 8 of Textbook
Developed by Richard Halstead-Nussloch, Version 05Jan15
Course Textbook: Susan Snedaker and Chris Rima, Business Continuity & Disaster
Recovery for IT Professionals, 2nd Edition. Burlington: Syngress, 2014, ISBN-13 978-012-410526-3.
Policies:
Submissions made through a means other than the D2L Dropbox will be ignored
and earn a 0.
Submissions not in an rtf or pdf file or with the original questions and/or
formatting removed from the file earn a 0.
Second chances might be requested at any time through D2L email, and are
awarded at the sole discretion of the instructor.
Being successful in this course requires you to understand how mitigation of risk plays a
significant role in planning for and achieving business continuity. Also, all the BC/DR
planning efforts should be documented in a plan. This exercise intends to aid you in
doing so.
Research what you read and other information on business continuity and risk
mitigation, and also BC/DR plan development
Respond to this assignment within the rtf file (leaving all questions and formatting
intact)
Solution: According to the author, the steps taken to reduce the adverse effects caused by
natural threats and risks to the company are referred to as risk mitigation.
For instance, fire extinguishers are arranged in every corner of the building for use
during a fire emergency. This can mitigate the risk of things getting burnt in the
fire.
What four types of risk mitigation strategies does the author describe?
Comment on the four types chosen.
Acceptance: Risks with very low priority are usually accepted. For instance, software CDs on the
shelf are likely to have a 2% chance of failing when required. The alternative is replacing the CD
with a new one, which can delay the process by a day or two, which is acceptable.
Avoidance: The name itself suggests the process of avoiding risks. Based on the risk
assessment report and BIA, risks with high probability are taken into account and
expenses are paid to mitigate or avoid the occurrence of the threats.
Limitation: The combined factors of risk acceptance and avoidance would be risk
limitation. For instance, a service-based company can accept a disk failure once in
a while which avoids the backups to happen.
Transference: Transferring services within the company to third-party vendors,
which is just like transferring the responsibilities, can reduce the probability of
a risk occurring. Payroll and customer service support are examples of risk
transference.
What is the Cost vs. Time for Risk Mitigation and how is it related to
business continuity planning?
Solution:
Cost and time are directly proportional to each other: the more the time, the more the cost.
These costs include expenses for resources and risk mitigation steps based on the
business impact analysis. Sometimes the cost of mitigating the risk will be higher than the
cost of assuming the risk and its consequences. The probability and impact of each
risk should be evaluated against the mitigation strategy cost before implementing the
contingency plan in the event of or after a business disruption.
Mitigation strategies that cost less than risk probability calculation should be given
serious consideration. Taking early steps to reduce the probability of an adverse risk
occurring may be more effective and less costly than repairing the damage after a risk
has occurred. However, some risk mitigation options may simply be too costly in
time or money to consider. Mitigation activities should be documented in the Risk
Register, and reviewed on a regular basis.
What are the three options for risk mitigation during recovery and the cost
relationship of these options?
Pre-establish: Cost for the supply of resources is given well before a disaster
which saves time and cost to the company. The cost for this option is low per unit
since everything (payment) is timed (well in advance).
What is done when we analyze the recovery time of risk mitigation options?
What is the role of the MTD (maximum tolerable downtime) in this analysis?
Solution: During recovery planning, every company decides MTD levels for all
the business functions and processes according to their criticality as determined by the BIA.
MTD varies accordingly. The higher the business impact of a process, the lower the
tolerance for its unavailability.
Pre-established and pre-arranged options usually have low MTDs since they will be
already preset and ready to go whenever required. The MTD for all the business
operations required to resume the business should be identified and compared
with the recovery time of the options. Those options that do not meet MTD
requirements should be discarded and the other acceptable options should be
assessed in terms of cost and capability.
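The MTD screening described above, together with the earlier comparison of mitigation cost against the cost of assuming the risk, as an added Python example (not from the textbook or the original assignment). The field names, hours, probabilities and dollar figures are constructed sample values, and "total cost = standing cost + residual expected loss" is an assumed scoring rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryOption:
    name: str
    recovery_hours: float  # time to restore service using this option
    annual_cost: float     # yearly cost of keeping the option ready


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    mtd_hours: float           # maximum tolerable downtime (from the BIA)
    loss_per_hour: float       # financial impact per hour of outage (from the BIA)
    annual_probability: float  # yearly chance of a disruption (risk assessment)
    unmitigated_hours: float   # expected outage if the risk is simply accepted


def expected_annual_loss(fn, outage_hours):
    """Probability x impact, expressed per year."""
    return round(fn.annual_probability * fn.loss_per_hour * outage_hours, 2)


def recommend(fn, options):
    """Discard options that miss the MTD, then weigh cost against accepting the risk."""
    acceptable = [o for o in options if o.recovery_hours <= fn.mtd_hours]
    discarded = [o.name for o in options if o.recovery_hours > fn.mtd_hours]
    accept_loss = expected_annual_loss(fn, fn.unmitigated_hours)
    result = {"function": fn.name, "discarded": discarded, "choice": None,
              "total_cost": None, "accept_loss": accept_loss}
    if not acceptable:
        # Nothing on the list recovers fast enough: the option list must be revisited.
        result["strategy"] = "no option meets MTD"
        return result

    def total(o):
        # Assumed scoring: standing cost plus expected loss while recovering.
        return round(o.annual_cost + expected_annual_loss(fn, o.recovery_hours), 2)

    best = min(acceptable, key=total)
    result["choice"] = best.name
    result["total_cost"] = total(best)
    # Mitigating only pays off when it costs less than assuming the risk.
    result["strategy"] = "mitigate" if total(best) < accept_loss else "accept"
    return result


# Constructed sample data: site types from the text, invented numbers.
OPTIONS = [
    RecoveryOption("cold", recovery_hours=168, annual_cost=20_000),
    RecoveryOption("warm", recovery_hours=24, annual_cost=60_000),
    RecoveryOption("hot", recovery_hours=4, annual_cost=150_000),
    RecoveryOption("mirrored", recovery_hours=0.1, annual_cost=400_000),
]
ORDERS = BusinessFunction("order processing", mtd_hours=8, loss_per_hour=20_000,
                          annual_probability=0.2, unmitigated_hours=240)
PAYROLL = BusinessFunction("payroll", mtd_hours=72, loss_per_hour=500,
                           annual_probability=0.1, unmitigated_hours=240)

if __name__ == "__main__":
    for fn in (ORDERS, PAYROLL):
        print(recommend(fn, OPTIONS))
```
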
What does it mean to trade-off the cost of recovery options with their
capability? What is the importance of this trade-off in business continuity
planning? What attributes are typically used in such trade-off analyses?
Post completion of the risk assessment and BIA, mitigation strategies are
developed for the business processes to run. The selection of mitigation strategy
generally involves the trade-off between the cost, capability and effectiveness.
Cost to the company for developing mitigation strategy depends on the capability
of the strategy and the size of the company. Therefore, the size and the
complexity of the organization should be taken into account while developing the
mitigation strategies. There exists a trade-off between the cost of recovery and the
recovery period. The cost/recovery-time trade-off should be considered while
developing the mitigation strategies. The cost-recovery time will not be linear as
the cost to shorten the recovery time, This is seen when it is required to recover
critical activities, processes, and systems, within minutes which enables the
organization in making investment in replication of systems, mirroring of data,
redundancy of communication etc.
The attributes that are typically used in trade off analysis are:
The quality of the product, service, or data associated with the option.
What is done typically when existing controls are reviewed for risk
mitigation?
Solution:
When the existing controls are reviewed, the company can come up with a robust
strategy and solutions which aid in resuming the business systems.
As we already know, recovery solutions are also designed based on bias; this can
be avoided by reviewing the recovery options and then comparing the optimal
solutions to the existing solutions. These existing controls have to be incorporated
into the risk mitigation strategies document and the corresponding BC/DR plans
should be changed over time. Any company should always review its existing
controls and test their robustness to make sure the company is ready to face a
business disruption.
What is done step-wise in developing a risk mitigation strategy for IT? What
are the critical inputs and outputs to this process? What use do you
recommend be made of the risk assessment (Exercise 3) and/or business
impact analysis (Exercise 4)?
Solution:
For developing a risk mitigation strategy, the following steps have to be taken:
1. Gather your recovery data
2. Compare cost, capability, and service levels of options in each category
3. Determine if the options remaining are risk acceptance, avoidance,
limitation or transference and which, if any are more desirable
4. Select the option or options that best meet your company's needs
The inputs for developing a risk mitigation strategy are mentioned below:
Infrastructure
Software
System interface
People
Process
Data
Current and planned controls
Security testing
Threat probability
The outputs
Developing the methodology
Recommended controls
Schedule and risk categories
Roles and responsibilities of personnel in the event of disaster
Documentation regarding how the mitigation measures will be tracked etc.,
MTDs as per SLA
What are some information gathering methods and data points that you
would recommend for developing a risk mitigation strategy for personal[1]
business continuity?
Gathering data for risk mitigation is a significant undertaking. Enlisting SMEs from
around the company is a vital part.
Using scenario-based questions lets the SMEs know what exactly I'm thinking about.
The data should include business function, business process, criticality, and time to
recovery, dependencies, financial and operational impact and any other data if
necessary.
Discussions: Discussions held among employees and managers about their daily
routine in the office and the main operations they perform which they consider to be
critical to their respective departments.
Document review
Surveys
Workshops
Footnote 1: If you are unclear about this requirement, consider those threats and their impacts that are in the way of
your personal business, i.e., those steps you need to take in maintaining your status as a student, e.g.,
assignments, records, etc.
Solution: This varies from company to company, for instance if risk mitigation
has to be applied for people, buildings and infrastructure.
Solution: A go kit is a collection of basic items one may need in the event of an
emergency. My go kit can contain the following items, assuming at least 72 hours.
What is the process for IT risk mitigation and what are the key elements for
cost-effectively accomplishing it? What should be done in reviewing critical
system priorities and what are the roles of risk assessment and business
impact analysis in doing so? What should the IT professional have when the
review of critical system priorities is complete?
Solution:
Risk mitigation plan can be represented as figure below
The main objective of risk management is to curtail the effects of possible threats of
unnatural events.
The first step is to establish critical points where threats may take place, followed by
identifying the set of mitigation strategies which can be applied to mitigate those risks.
The risk mitigation strategies are contained in a crisis management plan and shall
form part of the initial emergency measures to take, in order to contain and prevent
the worsening of the damages caused by an accident or catastrophe.
Monitoring risks and mitigation: Effective project management becomes more
critical and will require rigid monitoring of all executions by way of an efficient and
constant communication with the team members. The project manager tracks the
progress of assigned tasks and inquires from team members of any issues that may
affect the successful completion of the project's objectives.
The process of rebuilding the computer system so that the operating system can
be installed and business operations can start running is called IT system
recovery.
As a part of IT recovery systems, alternative plans can be:
1. Alternate site
2. Fully mirrored site
3. Hot site
4. Warm site
5. Cold site
6. Offline & online data storage solutions
What questions do you have remaining after your review and analysis of
Chapter 6?
Nothing as of now
Q2) Our course textbook covers many of the materials, frameworks and resources
for risk mitigation. Search the web for suitable additional and supplementary
Risk management is all about understanding risks that can impact your organizational
objectives, and implementing strategies to mitigate and manage those risks. In this article,
we examine the most common mitigation strategies and how they can be used to
effectively manage risk. When mitigating or managing risks, here are three steps to
consider:
1. What is the organization's appetite and tolerance for risk? Set the level of risk the
board and management is willing to take.
2. Prioritize, or rank, each risk for significance and likelihood. By ranking risk,
management is better able to determine the strategy that will be most effective.
3. Determine appropriate risk mitigation strategies. The four most common
mitigation strategies are avoidance, acceptance, transference, and control.
Avoidance
Some risks aren't worth taking in the first place. Is the risk a result of activities within the
core business or outside of it? If outside, and the level of risk is deemed relatively high,
Acceptance
Without risk there is no reward. If the risk is low enough, then accept it as a cost of doing
business, acknowledging that little to no action is being taken to mitigate that risk. An
entity could establish a contingency fund or build a contingency plan to minimize any
loss not previously anticipated from these risks.
Transference
Risk transference is the process of transferring any losses incurred to a third party, such
as through the use of insurance policies. Another method of transferring risk is to
outsource activities to a third party. If there are activities that are not core to the business,
then it might make more sense to transfer these activities to a third party to whose core
business they do belong, especially if internal resources are limited. Many back-office
functions, such as payroll and purchasing, are outsourced to service providers that
specialize in these areas.
Control
A control is a procedure used to either prevent a risk from occurring or detect a risk after
it has occurred. If the risk is worth taking and is part of an organization's core operating
activities, then controls can be used to mitigate and manage the risk.
Q3) Insert a worksheet in your spreadsheet from Exercises 3 and 4 with columns
that will help with a recommended set of risk mitigation steps. There are many
possibilities outlined in Chapter 6. If you cannot choose one, try these four
columns:
Supporting IT System (for your personal business, see footnote 1), e.g.,
Banking
List up to five IT systems that are part of your personal business in column one;
then, for each IT system, do some research to complete the other three columns.
Attach the spreadsheet to your assignment submission and your blog discussion
posting. What thoughts do you have about scaling up such a spreadsheet from your
personal business to the business of a larger organization, e.g., KSU?
Q4) Review, compare and analyze what you did on the worksheet for Exercise 3 and
4 (risk assessment and business impact analysis) and what you have just done for
Exercise 5 (risk mitigation). What ideas do you have about linking these analyses
together? Answer at least the question of whether you see a way to develop a risk
priority number[2] that would be valuable for planning business continuity and
mitigation of risk.
Solution:
Risk analysis was to identify the possible risks to a company. It is useful to identify the
vulnerabilities for a business to run and calculate vulnerability and probability in
qualitative and quantitative methods.
Business impact analysis is to identify potential risks involved in a business due to
unavailability of services and calculate financial impacts and customer impact on the
company.
Both have the common factor of a criticality matrix. Both of the reports could be joined
together to make a perfect BIA. Both the reports can be combined, which leads to failure
mode analysis. This calculates the probability of possible risks and the impact of the risk to a
company or the equipment.
Risk mitigation is based on the risk assessment and BIA. In Risk assessment I calculated
the probability of the occurrence of the risk or threats to people, infrastructure and
process.
In BIA, I calculated the impact created by an unnatural event on people, process and
technology.
Risk mitigation helps in saving cost to the company and danger to people due to threats.
Based on the priority number mentioned in the risk assessment document, risk
mitigation steps are evolved.
According to the author, a business continuity plan has two major steps.
Set the tasks you can take which can reduce the risk before a disaster event.
The second part of the plan is defining the steps to be taken if a disaster occurs.
An efficient BC/DR plan should state risks, vulnerabilities and potential impact
due to each of them to business functions followed by mitigation strategies which
can be applied. A BC/DR plan can be broken down as below:
1. Identify risks
2. Assess vulnerability to risks
3. Determine potential impact on business
4. Identify mission critical business functions (completed till here)
5. Develop teams
6. Implement mitigation strategies
7. Develop plan activation guidelines
8. Develop plan transition guidelines
9. Develop and plan training, testing and auditing procedures
10. Develop plan maintenance procedures
What phases of business continuity and disaster recovery does the author
describe? Comment on the phases described.
According to the author, there are 5 phases during the development of BC/DR
plan.
1. Activation phase
2. Recovery phase
3. Business continuity phase
4. Maintenance/review phase
5. Update appendices
Activation phase: Clear parameters are set as to when to kick-start the BC plan during
this phase. The company determines when to activate the BC/DR plan. A small glitch in
the company does not need a BC plan. Along with this, authority is determined and
the steps to be taken by the personnel are clearly defined in the activation phase.
Activation includes initial response and notification, problem assessment and
escalation, disaster declaration, and plan implementation.
Recovery phase: It is the first phase that should be taken immediately after a disaster
has occurred. This state is triggered only when the disaster subsides. Many triggers
along with their respective MTDs are to be developed at this phase that define the
situation to move from the recovery phase to the business continuity phase.
Business continuity phase: This phase includes the steps to be followed as a part of
BC plan. It generally defines the procedures for resuming operations, work around
procedures that should be followed and implemented and the manual procedures.
Finally it addresses the process of moving from temporary location to its repaired
facility, re-integration of the recovered systems and the synchronization of the
corrupted or lost data.
Review phase: The review phase is just like auditing or testing the BC/DR plan. This
occurs irrespective of disasters. For instance, a fire drill is conducted once every
2 months to check and verify the alertness of the employees, ensuring their safety at all
times. Similarly, data is tested and reviewed (data recovery) in this phase.
What teams and key personnel are required as indicated by the author?
How should people be assigned to teams? How should they be assigned roles
and responsibilities?
A team is required to assess the damage to systems and begin the DR plan once it
is activated. This IT team shall work closely with the rest of the operations team
to make the DR plan successful. Before deciding on the team, it should have expertise
in the functions below:
1. Operating system administration
2. Systems software
3. Server recovery (client server, Web server, application server, etc.)
4. Storage recovery
5. Database recovery
6. Network operations recovery
7. LAN/WAN recovery
8. Application and data recovery
9. Telecommunications
10. Hardware salvage
11. Alternate site recovery coordination
Management
Key operations staff
BC/DR team members
Key suppliers, vendors, and contractors
Key customers
Emergency numbers (fire, police, etc.)
Media representatives or PR firm (if appropriate)
Other
Along with the contact information, a contact tree should also be maintained that
defines the members responsible for contacting others in the event of a disaster, thus
giving scope for division of labor by making specific calls to specific people, thereby
streamlining the notification process and mass communication capability.
Solution:
Initially, a work breakdown structure, tasks, resources and timelines are allocated as
a part of the risk mitigation strategy, along with any other tasks required to be done before any
disruption.
For instance, buying infrastructure, uninterruptible power supplies, fire
suppression systems etc.
Once the tasks are defined and resources are allocated, they should be able to
implement the mitigation strategies as well as the rest of the plan. For instance,
creating a project with new initiatives which need to be taken to meet risk
mitigation.
After all the tasks are done, roles and responsibilities, plan phase transition
triggers, and the gathering of additional data are arranged accordingly. Alternate sites are taken
care of later depending on the SLA.
The standard management process defines a set of things to be identified and implemented
after all the resources and tasks are allocated.
Fully mirrored site: A mirrored site is an exact replica of the main site with exact
functionality and availability. But this option is expensive.
Mirror sites also increase the speed with which files or Web sites can be accessed:
users can download files more quickly from a server that is geographically closer
to them.
Hot site: A hot site is a commercial disaster recovery service that allows a
business to continue computer and network operations in the event of a computer
or equipment disaster. For example, if an enterprise's data center becomes
inoperable, that enterprise can move all data processing operations to a hot site. A
hot site has all the equipment needed for the enterprise to continue operation,
including office space and furniture, telephone jacks and computer equipment.
Cold Site: For a cold site, customer provides and installs all the equipment needed
to continue operations. A cold site is less expensive, but it takes longer to get an
enterprise in full operation after the disaster.
Warm site: A preventative warm site allows you to pre-install your hardware
and pre-configure your bandwidth needs. Then, if disaster strikes, all you have to
do is load your software and data to restore your business systems.
The selection criteria for an alternate site to continue the business operations are
1. Geographical location of the data center should be risk free from
all possible threats
2. It should have sufficient space to install all the infrastructure
3. Should be able to communicate with all the devices required for
operations to run
4. The area should have items which support basic life amenities
5. The site should have all the requirements to make the business
processes operational with minimum amount of time, effort and
cost.
SITE, COST, LOCATION, TIME
Cold: Low, None, None, Long, Fixed
Warm: Medium, Partial, Partial, Medium, Fixed
Hot: High, Full, Full, Short, Fixed
Mobile: High, Depends on, Depends, depends, Not fixed
Null
None
Fixed
location
Mirrored
High
Null
Solution:
Before letting off the contract for business continuity services, the company should
assess the worth of their company and the amount they are going to pay for the
contract services.
If a company's downtime leads to a loss of $10,000 and the third-party
vendor is charging more than 10k for the services, then there is no point approaching them for
providing the services. Hence, before moving forward with a contract provider the
following points should be taken into account:
Develop clear functional and technical requirements: The company should be
able to assess requirements and options. Since more options cost more, a
company should write down only those which are extremely necessary for
contract services. With the help of subject matter experts and IT experts, a list
of business functions which need protection from the vendor must be
specified.
Determine required service levels: All the technical details should be provided
to the vendor, and also our SLA metrics if possible, so that the vendor can
understand the company's environment and come up with the right quotation. This is
referred to as a request proposal.
Compare vendor proposal/response to requirements: Compare all the
quotations from all the different vendors. When taking a decision, it should
satisfy our company's customers. Make sure their SLA is applicable for
our environment and decide whichever is better.
Identify requirements not met by vendor proposal: In case a single
vendor is offering one option which we need and another vendor is
offering a different option which we need, we may club both the vendors.
Identify vendor options not specified in requirements: There is a possibility
that vendors can offer few more options saying that even those are pretty
useful and are a must to the environment. But again, one should do some
independent research and discuss with SMEs if required and then take a
What roles do event logs, change control and appendices have in business
continuity planning?
Event logs help track events, in order, over time, and can help in identifying
appropriate triggers for key activities. With these logs one can know what was
done, which user did it, and at what time it happened. All these things can also
become evidence as well.
Certain regulatory or legal requirements should be followed by the company to
log specific events in the event log book. These should be mentioned in the
BC/DR plan therefore, enabling the team members to know about the notification
requirements.
What questions do you have remaining after your review and analysis of
Chapter 7?
Nothing as of now
Review and summarize your ideas and experience about risk mitigation and its
value in business continuity planning. Discuss the steps you might recommend
in scaling up what you did in this assignment for your personal business to a
larger organization such as KSU. Optionally, attach your spreadsheet and plan
outline to your discussion posting.
Risk mitigation, risk assessment and business impact analysis are three vital parts of
designing an efficient BC/DR plan. In summary, as a first step, all the probable risks
must be assessed and, based on their occurrence, priority numbers are given. This is called risk
assessment.
Secondly, the financial impact to the company due to the business disruption is calculated:
various business processes and dependent functions are mentioned during BIA and the
financial impact due to unavailability of these services is calculated.
Further, the risk mitigation plan is designed based on the priority numbers mentioned in the risk
assessment phase and the financial impact created by them in the BIA phase. The risk mitigation
plan is developed and implemented accordingly.
For a bigger organization like KSU, based on the risk assessment I did in the last
assignment:
Identify the possible threats -> Robust security
Identify the vulnerabilities -> strong network
Calculate the current value of the assets
Prepare a report focusing on the loss impact factor
Based on the probability of the occurrence of unnatural events form a team
Make sure risk strategy fits enough to face the disaster.
Document the work including all the analysis and reports and strategy developed
Perform frequent testing to know the functionality of the system
I would only test and review the data availability and maintain a cold or warm site
if possible so that college server is available even during the scheduled downtime.
My minor factors would be worrying about the network and security. (assuming
no earthquakes or tsunamis in Atlanta)
Sources and works used in completing this exercise (if none, please explicitly state so):
1. Susan Snedaker and Chris Rima Business Continuity & Disaster Recovery for IT
Professionals 2nd Edition. Burlington:Syngress, 2014.
2. Ready.gov. Build a Go-Kit. Retrieved on 5 January 2015 from
http://www.ready.gov/build-a-kit
3. "Risk Mitigation Strategies and Risk Mitigation Plan: Tips for Documentation &
Implementation in Project Management." Brighthub Project Management. N.p., n.d.
Web. 29 Mar. 2015. <http://www.brighthubpm.com/risk-management/47934-riskmitigation-strategies-and-risk-mitigation-plan/>.
4. "Disaster Recovery Hot, Warm, Cold Sites: Key Differences." Disaster Recovery Hot,
Warm, Cold Sites: Key Differences. N.p., n.d. Web. 29 Mar. 2015.
<http://www.corexchange.com/blog/disaster-recovery-hot-warm-cold-sites-keydifferences>.