Disaster Recovery Planning and Risk Management

Overview
• Definition
  - Disaster Recovery Planning
  - Business Continuity Planning
• DRP/BCP activities
  - Risk Assessment
  - Formulating Your DRP
  - DRP Outline - ISO 17799 Standard
  - Executing your DRP

Definitions
• Disaster Recovery Planning is primarily targeted at ensuring recovery of the technological aspects of the business
• Business Continuity Planning is aimed at ensuring that the organisation as a whole can continue to function and includes all DRPs within the organisation
Robson (1997)

Need for DRP/BCP
• Many modern businesses operate 24x7x365
  - E.g. WWW, e-commerce etc.
• According to Gartner Research (2001)
  - Customers expect supplies and services to continue, or resume rapidly, in all situations.
  - Shareholders expect management control to remain operational through any crisis
  - Employees expect their lives and livelihoods to be protected, and suppliers expect the same of their revenue streams
  - Regulatory agencies expect their requirements to be met, regardless of circumstances

Hidden Benefits of the Planning Process
• Emergency planning efforts have led to significant improvements in the daily operations of many business units.
• While researching and documenting an emergency plan, hundreds of single points of failure (SPOFs) may be found.
  - A SPOF is any single input to a process that, if missing, would cause the process or several processes to be unable to function.
• Once identified, these SPOFs often can easily be eliminated

Hidden Benefits of the Planning Process
• The planning process enables you to build “redundancy” into your systems, i.e. duplication
  - These redundant systems become your backups!
  - Through load sharing, backup systems can be used to increase efficiency during normal daily operations.
• The organisation is forced to critically evaluate its operations and eliminate inefficiencies

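Added example (not part of the original slides): a Python routine that applies the SPOF definition above to a process map, modelling redundancy as a set of interchangeable providers for each input. The process and resource names are hypothetical and the sample data is constructed.

```python
"""Find single points of failure (SPOFs) in a process/input dependency map."""

# Constructed sample data. Each process lists the inputs it needs; each input
# is a set of interchangeable providers (one provider = no redundancy).
# A provider may be a raw resource or another process.
PROCESSES = {
    "order_entry": [{"web_server_a", "web_server_b"},
                    {"db_primary"},
                    {"mains_power", "ups"}],
    "billing": [{"order_entry"}, {"payment_gateway"}],
    "shipping": [{"order_entry"}, {"courier_x", "courier_y"}],
    "payroll": [{"hr_system"}, {"mains_power", "ups"}],
}

def failed_processes(processes, missing):
    """Return the processes that cannot run when `missing` is unavailable.
    Failures propagate: a stopped process is also missing for its consumers."""
    down = {missing}
    changed = True
    while changed:
        changed = False
        for name, inputs in processes.items():
            if name in down:
                continue
            # A process stops as soon as one input has no provider left.
            if any(providers <= down for providers in inputs):
                down.add(name)
                changed = True
    return sorted(down.intersection(processes))

def find_spofs(processes):
    """Map each SPOF to the other processes that stop when it is missing."""
    candidates = set(processes)
    for inputs in processes.values():
        for providers in inputs:
            candidates |= providers
    report = {}
    for item in sorted(candidates):
        stopped = [p for p in failed_processes(processes, item) if p != item]
        if stopped:
            report[item] = stopped
    return report

if __name__ == "__main__":
    for spof, stopped in find_spofs(PROCESSES).items():
        print(f"{spof}: stops {', '.join(stopped)}")
```

Resources that have a backup (the web servers, power, couriers) do not appear in the report; adding a second provider to an input is what removes a SPOF.
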
DRP/BCP ACTIVITIES
DRP/BCP Activities
• Generally recognized that BCP/DRP are vital activities
• Develop a flow-chart which summarises the process of all recovery activities
• Creation of BCP/DRP is a complex activity
• Prior to creation of plan it is essential to consider the potential impacts of disaster and to understand the underlying risks
• Once in place plans must be maintained, tested, and audited regularly

DISASTER RECOVERY PLANNING
Scope of DRP
• Must include how to deal with various risks
• Identification of processes, systems, functions, and suppliers that are most critical and at risk.
• Steps to be taken in the event of a disaster
• Crisis communication and notification plans for employees and stakeholders.

Scope of DRP
• Identification of required resources
  - Suppliers/vendors
  - Alternative site arrangements
  - Hot, Warm, Cold sites
  - Storage locations
  - Financial resources
  - Human resources
  - General Supplies
• Other Information
  - External contacts
  - Critical staff contact details
  - Insurance
  - Telecommunications providers

RISK ASSESSMENT
What is “RISK”?
• There are many definitions of risk
  - “the probability of a material deviation from an anticipated outcome”
• Thus;
  - Risk is a probability
  - Risk refers not just to probabilities of losses, or of gains, but to probabilities of deviations - either downward losses or upward gains.
  - Risk exists only if an objective exists

Types of Risks
• Natural Disasters (Earthquake, Fire, Flood, Storms)
• Terrorist Acts (Weapons of Mass Destruction)
• Power Disruptions/Failure
• Software/Hardware Failures
• Deliberate attacks due to Hackers, Viruses, etc.
• Processing Shutdowns
• Labour Issues - Strikes, Walkouts etc.

What Should We Cover?
• Three areas that we need to analyse;
  - Threats: events/situations that would cause financial or operational impact to the organisation. These are measured in probabilities
  - Assets: Physical and financial assets owned by firm. Also potential earnings/revenues lost for the duration of the incident, additional costs to recover, fines and penalties incurred, lost good will or competitive advantages all are components in the assets figure.
  - Mitigating factors: are the protection devices, safeguards, and procedures in place that reduce the effects of the threats, e.g. uninterruptible power supplies (UPS) and backup generators, fire control systems to control the spread of fire, and access card readers to control physical access to company space

Leading Causes of Downtime
Source: CIO Magazine, 1998


FORMULATING YOUR DRP
Developing a DRP
1. Project Initiation
2. Risk Assessment
3. Business Impact Analysis
4. Definition of Resource Requirements
5. Developing The Plan
6. Testing The Plan

• Other activities
  - Develop testing/maintenance schedule

Step 1- Project Initiation
• Understand the problem and existing environment
• Define the scope of the planning effort.
• Steering Committee established and staffed as necessary.
• Raising of awareness in the organisation regarding the need for DRP/BCP

Step 2- Risk Assessment
• Assess security of the computing environment, both physical and logical
• Analyse organisation’s external & internal environments and identify any possible risks
• Analyse and document current practices, e.g. operating procedures, backup procedures, any existing contingency plans
• Identify all risks in terms of probability of occurrence (High/Low) and impact on organisation (High/Low).

Step 3- Business Impact Analysis (BIA)
• BIA identifies critical systems, processes, functions and personnel, and how long the organisation can survive without these
• Assess the economic impact of incidents and disasters
• Report is then used as a basis for identifying systems and resources required to support the critical services provided by information processing and other services and facilities.

Step 4- Resource Requirements
• Based on results of Steps 2 & 3, a working document of recovery requirements and recovery options is developed.
• This draft is used as the basis for analysing alternative recovery strategies.
• Must include detailed requirements for hardware, software, telecommunications, documentation, suppliers, premises and personnel (including organisational charts for each unit and the organisation as a whole)
• Each business unit/department must be covered in detail

Step 5 - Developing The Plan
• Recovery plan components are defined and properly documented
• Any changes/upgrades recommended as a result of the previous step are implemented
• Also supplier contracts may need review as part of this activity
• Recovery standards are also developed during this phase

Step 6 - Testing and Maintenance
• Plan(s) will require testing before “sign off”
• After successful tests, a regular schedule of testing will be required as part of ongoing plan maintenance
• Recommend that you involve auditors (internal/external) in testing to ensure that all aspects have been covered
• Correct any anomalies and publish final plan when sign off has been given by steering committee/senior management and auditors

Other Activities
• Develop a regular testing and maintenance schedule
• Define who will be responsible for the above
• The plan is a living document and one that will require continuous review and updating as conditions change

Problems Encountered During DRP/BCP
• Information overload
  - DRP planners need to constantly deal with change in all aspects of the business
• This is usually a task activity assigned to someone who already has other responsibilities
• Lack of senior management focus
• Increasing complexity of technology

DRP STANDARDS
Standards
• ISO/International Electro-technical Commission (IEC) 17799:2000
  - ISO/IEC 17799:2000, 2000 Information Technology - Code of practice for information security management, an international version of British Standard 7799-1:1999, (published December 2000)

Standards
• ISO/IEC Technical Report (TR) 13335
  - ISO/IEC Technical Report (TR) 13335, Guidelines for the Management of IT Security (GMITS), 13335-2: Managing and Planning IT Security, contains requirements for procedural security, including business continuity.

Standards
• ISO 9002
• National Institute of Standards and Technology (NIST) Special Publications (SP) 800 Series

ISO 17799
• ISO 17799 is a detailed security standard
• It is organised into ten major sections each covering a different topic or area
• Based on the British Standard BS 7799

ISO 17799
1. Business Continuity Planning
   • Addresses the interruptions to business processes from the effects of major failures/disasters.
2. System Access Control
   • Controls access to information
   • Prevents unauthorised access to IS/IT
   • Ensures protection of networked services
   • Prevents unauthorised computer access
   • Detects unauthorised activities
   • Ensures information security when using mobile computing and tele-networking facilities

ISO 17799
3. System Development and Maintenance
   • Ensure security is built into operational systems
   • Prevent loss, modification or misuse of user data in application systems
   • Protect confidentiality, authenticity, and integrity of information
   • Ensure IT projects and support activities are conducted in a secure manner
   • Maintain the security of application system software and data.

ISO 17799
4. Physical and Environmental Security
   • Prevent unauthorised access, damage and interference to business premises and information
   • Prevent loss, damage or compromise of assets and interruption to business activities
   • Prevent compromise/theft of information and information processing facilities.
5. Compliance
   • Avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements
   • Ensure compliance of systems with organisational security policies and standards
   • Maximize the effectiveness of and to minimize interference to/from the system audit process.

ISO 17799
6. Personnel Security
   • Reduce risks of human error, theft, fraud or misuse of facilities
   • Ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work
   • Minimise the damage from security incidents and malfunctions and learn from such incidents
7. Security Organisation
   • Manage information security within the Company
   • Maintain the security of organisational information processing facilities and information assets accessed by third parties
   • Maintain the security of information when the responsibility for information processing has been outsourced to another organisation.

ISO 17799
8. Computer & Network Management
   • Ensure the correct and secure operation of information processing facilities
   • Minimise the risk of systems failures
   • Protect the integrity of software and information
   • Maintain the integrity and availability of information processing and communication
   • Ensure the safeguarding of information in networks and the protection of the supporting infrastructure
   • Prevent damage to assets and interruptions to business activities
   • Prevent loss, modification or misuse of information exchanged between organizations.
9. Asset Classification and Control
   • Maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection.
10. Security Policy
   • Provide management direction and support for information security.

EXECUTING YOUR DRP
Activating the Recovery Plan
• Use an appropriate scheme for situational assessments, e.g.:
  - Green
    - No Action
    - Advise DRP manager
  - Amber
    - Advise DRP manager
    - Implement recovery activities
  - Red
    - Advise DRP manager
    - Implement full DR Plan

[Flowchart boxes: Disaster Event Occurs; Assess situation; Classed as a disaster; Contact Recovery Team; Execute Plan; Not a disaster; Continue with appropriate aspects of DRP; Re-assess situation; Stand Down]

Summary
• In most organisations, BCP/DRP is usually managed by IS/IT due to the ubiquitous nature of IS/IT
• Complacency in many situations as DRP for IT is mistakenly believed to be BCP for the entire organisation
• BCP/DRP are “living” documents that need frequent testing and updating
• Thus;
  - You cannot afford not to have a DRP/BCP
  - If you don’t have one, begin planning immediately
  - You will need to work with and include all areas of the organisation

“Those who are good at getting rid of
trouble are those who take care of it
before it arises”
Sun Tzu, The Art Of War
