Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

Business Continuity Module 8

No description
by

Faham Usman

on 23 May 2014

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Business Continuity Module 8

Information Security
Module 8
Business Continuity
Awareness Campaign
Agenda
Salim is your Cyber Security Advisor.
Aims at promoting, building and ensuring a safer & secure cyber environment and culture in the UAE.
About aeCERT
One of the initiatives of the UAE Telecommunications Regulatory Authority.
aeCERT is the United Arab Emirates Computer Emergency Response Team.
About aeCERT
Technical Recovery Strategies
Organization Security Management
Awareness & Trainings
Disaster
Standards
Business Continuity Planning
Criticality Classification
Creating a BCP
Conclusion
BCP Phases
Contact
aeCERT
Salim (aeCERT)
@salim_aecert
For more information
www.aecert.ae
info@aecert.ae
Questions
The attacker intercepts the encrypted packet and compares it with the original one allowing him to get encryption key

The Terminologies
Business Continuity Plan (BCP):
It refers to a document which describes how an organization responds in case of a disaster event, to ensure the continuation of its critical business functions without any unacceptable delay or change

The Terminologies
Business Resumption Planning (BRP):
It refers to a document which describes how an organization develops a procedure to initiate recovery of its business operation immediately after an outage or disaster.
The Terminologies
Continuation of Operations
Plan (COOP):
It refers to a document which describes how an organization develops a procedure and capabilities to sustain its critical strategic functions at DR site for up to 30 days
The Terminologies
The Terminologies
It refers to a document which describes a procedure to immediate and temporary restoration of critical computing and network after natural or man-made disaster
Disaster Recovery Planning (DRP):
Crisis Communication Plan (CCP):
It refers to a document which summarizes the procedures for circulating status reports to public and personnel in the event of any disaster
Organization Security Management
Security Policy
Organizational Design
Asset Classification
and Control
Compliance
Personnel Security Awareness Education
Access Control
Physical and
Environmental Security
System Development
and Maintenance
Communications &
Operations Mgmt.
Business Continuity
Management
What Can Disrupt Your Business?
What is a Disaster?
Disaster is defined as an unplanned or sudden event or point in time when you are not able to provide your customers or users the minimum level of services they are expecting
Types of Disasters
Natural
Earthquakes, floods, storms (i.e., thunder, hail, lightning, floods, snow, winter ice), tornadoes, hurricanes, volcanic eruptions, natural fires
System/technical
Earthquakes, floods, storms (i.e., thunder, hail, lightning, floods, snow, winter ice), tornadoes, hurricanes, volcanic eruptions, natural fires
Supply Systems
Earthquakes, floods, storms (i.e., thunder, hail, lightning, floods, snow, winter ice), tornadoes, hurricanes, volcanic eruptions, natural fires
Man-made
Earthquakes, floods, storms (i.e., thunder, hail, lightning, floods, snow, winter ice), tornadoes, hurricanes, volcanic eruptions, natural fires
Political Events
Earthquakes, floods, storms (i.e., thunder, hail, lightning, floods, snow, winter ice), tornadoes, hurricanes, volcanic eruptions, natural fires
Business Continuity Scenarios
Large-scale natural disasters (hurricanes, earthquakes)
Power outage caused by storms
Malfunctioning software
Server malfunction
Failed hard drive
Office fire
Computer virus outbreak
Terrorist attack
Pandemic disease outbreak
Why Doesn’t Everyone Plan?
The “Human” element
The “It’s not going to happen to me” philosophy
Business Continuity
It refers to;
An activity performed by an organization for the continuation of critical business processes when a disaster strikes its data processing capabilities
Those activities are performed daily to maintain service, consistency, and recoverability
02
01
Business continuity plan process cycle
Threats
Key Assets
Vital Services
Risk
Mitigation Options
ID Risk
Staff
Update Periodically
Natural Disasters
Market
Political
Malicious
Accidents
Business Continuity: Scope
Nessus is a vulnerability scanner, which looks for the vulnerabilities in applications and operating systems.
Includes
Business Continuity Planning
IT contingency plan is defined as a strategy which involves the planning, procedures and technical measures to ensure the adequate recovery of IT critical systems, applications and operations after a disaster
Business Continuity Planning
Contingency planning generally includes following approaches for restoring of disrupt IT services;

Why Continuity Planning?

Terrorist attacks
Natural Disasters
Economic Frauds
Legislative and Regulatory requirements
Example U.S. attacks Sep 9/11
Hurricane Katrina, flood, fire, tornado, earthquakes etc.
Example Corruption cases e.g. China Railway, Indonesia Judge corruption case etc.
HIPPA, SOX, GLB and the patriot act 2001
Why have a Business plan?

According to a research by NARA (National Archives & Records Administration) U.S.
Nearly 90% of all small businesses don't have a
continuity plan in place
Only 43% of businesses suffering a disaster ever recover sufficiently to resume business. Of those that do reopen, only 29% are still operating two years later

93% of businesses that lost their data-center for more
than 9 days filed for bankruptcy within one year of the disaster
Nearly 90% of all small businesses don't have a
continuity plan in place
Success, Recovery or Failure

Broad BCP Objectives

Availability
– the main focus
Confidentiality
– still important
Integrity
– still important
01
Create, document, test and update a plan that will;
Minimize the loss of an organization
Meet legal and regulatory requirement
Allow time restoration of critical business functions and operations
Types of Potential Loss

Revenue Loss
Extra Expense
Compromised Customer Services
Embarrassment or Loss of Confidence Impact
Hidden Benefits of Continuity Planning
Creating a BCP

It’s an on-going process, not a project with a beginning and an end
Create, test, maintain and update critical business functions and process that may change
The BCP team must include both business and IT personnel
Senior Management support must be required
The Five BCP Phases

1. Project Management & Initiation

Establish need (risk analysis)
Get management support
Establish team (functional, technical, BCC (Business Continuity
Coordinator)
Create work plan (scope, goals, methods, timeline)
Prepare and Present Initial report to management
Obtain management approval to proceed
BCP Team Members

Senior management.
BCP Planner/Coordinator.
Recovery team members.
Business Unit representatives.
Crisis management team.
User community.
Systems and Network Engineers.
Information Security Department.
Legal representatives
2. Business Impact Analysis (BIA)

Definition: BIA is a management level analysis that identifies the impact of unavailability of an organization’s critical business functions
Goal: To obtain formal agreement with senior management on the MTD (Maximum Tolerable Downtime) for each time-critical business resource
It only identifies consequences and doesn’t consider what types of incidents cause a disruption
BIA Purpose?

Identify an organization’s business functions and determine how critical those functions are to the organization
01
Identify any concerns that staff or management may have
Prioritize critical systems
Analyze the impact of an outage
Determine recovery windows for each business function
02
03
04
05
BIA Phases

Choose information gathering methods (surveys, interviews, software tools).
Select interviewees.
Customize questionnaire.
Analyze information.
Identify time-critical business functions.
Assign maximum tolerable downtimes (MTDs).
Rank critical business functions by MTDs.
Document, prepare, and report recommendations.
Obtain management approval.
Critical Business Function Categories

Critical Business Function Categories

BIA Examples

A website order department lists the following tasks and recovery time periods;
Receive orders electronically via e-commerce Web site: Critical/Essential
Receive orders by facsimile machine: Critical/Essential
Receive orders by phone system: Critical/Essential
Input orders into ordering system: Important
Process orders: Important
Issue and mail(send) invoices: Important
3. Recovery Strategies

Recovery strategies are based on MTDs (Maximum)
Predefined
01
Management-approved
02
Recovery Strategies
Different technical strategies
Different costs and benefits
How to choose?
Different technical strategies
Driven by business
requirements
Recovery Strategies
Business operations
Facilities & supplies
Users (Employees and end-users)
Network, Data Center (technical)
Data (Off-site Data and Application Backups)
01
02
03
04
05
Technical Recovery Strategies
Network Disaster Recovery
Redundancy
Includes:
Routing protocols
Fail-over
Multiple paths
Alternative Routing
>1 Medium or
> 1 network provider
Diverse Routing
Multiple paths,
1 medium type
Last-mile circuit protection
E.g., Local: microwave & cable
Long-haul network diversity
Redundant network providers
Disruption vs. Recovery Costs
Cost
Service Downtime
Alternative Recovery
Strategies
* Cold Site
Minimum Cost
Time
Technical Recovery Strategies
Technical Recovery Strategies & Methods
Hot: Fully equipped site
Warm: Missing key components
Cold: Empty data center
Mirror: Full redundancy
Mobile: Trailer full of computers
Subscription Service Sites
Technical Recovery Strategies & Methods
Mutual Aid Agreements
I’ll help you if you’ll help me!
Inexpensive
Usually not practical
Technical Recovery Strategies & Methods
Maybe not enough spare capacity for critical operations
Expensive
Redundant Processing Sites (Data Centers)
Technical Recovery Strategies & Methods
Service Bureaus
Many clients share facilities
Almost as expensive as a hot site
Must negotiate agreements with other clients
Technical Recovery Strategies & Methods
Data
Backups of data and applications
Off-site VS On-site storage of media
How fast can data be recovered?
How much data can you lose?
Security of off-site backup media
Types of backups
Full
Incremental
Differential, etc.
Off-Site Storage is Critical
Backup media must be stored off-site
Critical, non-media and documents must be available at DR or an off-site location
These documents should also include the detailed Business Continuity and Disaster Recovery Plan (BCP and DRP).
These backup documents and media should be accessible to appropriate
employees or BCP teams during an actual disaster or exercise(simulation).
4. Plan Development and Implementation
Determine management concerns and priorities.
Determine planning scope.
Establish outage assumptions.
Identify recovery strategies for mission-critical applications and systems of an organization at alternate sites.
Develop service function recovery plans which should include information processing and telecommunications
Plan Development and Implementation
Develop service function
recovery plan which includes
information processing
and telecommunications
Develop business function
recovery plans and
procedures.
Review and outline how the organization will interface with external groups. (Communication)
Develop facility recovery
plans.
Plan Development and Implementation
Initial disaster response
Resume critical business ops
Resume non-critical business ops
Restoration (return to primary site)
Interacting with external groups (customers, media, emergency responders)
Sample plan phases
BCP Components
01
03
05
02
04
06
Awareness of Roles and
Responsibilities
Defined RTO (Recovery Time Objectives)
Risk Management to identify & reduce risks
Alternate Processes (telecommuting, distance learning)

Alternate recovery locations
Off-site storage of critical media and non-media items
5.Testing, Maintenance, Awareness, Training
Testing
Maintenance
Awareness
Training
Testing
You don’t have a plan, until it’s tested
Types of testing
Maintenance
Resolve all problems/deficiencies found during testing.
Implement change management
Audit and address audit findings
Annual review of plan
Build plan into organization
Awareness & Trainings
BCP team is probably the DR team
All staff should be trained in the business recovery process
BCP training must be an on-going process.
BCP training needs to be part of the standard on-boarding and should be built into the corporate culture
Management Sponsorship is Key to Success
To identify BCP as a Top priority, Senior Management, Board of Directors, President, Vice Presidents and business unit heads’ support is a must
Executives and senior managers must actively support the BCP Process.
BCP coordinators within business units and departments should take ownership of their plans and should be involved in developing, implementing and testing the Business Continuity plan
Communication is Critical
Contact information for all team members must be current
Make sure employees have Emergency Wallet Cards with key phone numbers

Periodical review of Business Continuity plan
Communication is Critical
Program
People
Process
Premises
Providers
Profile
Performance
Common BCP Drawbacks
Incomplete
Inadequate
Impractical
Overkill
Improperly communicated
Untested
Uncoordinated
Out of Date
Lacking Recovery
Shortcomings of BCP plans can be;
Common BCP Drawbacks
BS 25999-1, Business continuity management, Part 1: Code of practice, The British Standards Institution, United Kingdom.
HB 221, Business Continuity Management, Standards Australia, Australia.
HB 292 , A practitioners guide to business continuity management, Standards Australia, Australia
BCP Industrial and Professional Standards
BS ISO/IEC 17799 (2005), Code of practice for information security management, The British Standards Institution, United Kingdom
ISO 22301 Business Continuity Management
NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs, The National Fire Protection Association, United States.
Defense Security Service (DSS), formally known as Defense Investigative Services (DIS).
National Institute of Standard and Technology (NIST).
BCP Current Regulations/Standards
US - Securities and Exchange Commission - NASD Rules 3510 & 3520 and the NYSE Rule 446
01
Basel II & E-banking
02
UK Civil Contingencies Act
03
Sarbanes Oxley
04
UK FSA – BCM Guidance
05
PAS 56 and from Summer
2006 BSI

06
King II in South Africa
07
Singapore - MAS BCM Standard
08
Australian Standard for BCM
09
US - NFPA 1600
10
BS 25999-1 Business Continuity Standard
02
BS 25999-1 Standard
Business Continuity Management
A Changing World
02
ISO 17799-01
BS7799-02
COBIT
ITIL
IT Baseline
MAS
China
APO
Corporate Governance
Basel II
Sarbanes Oxley Act
AIPA
CCA, Comp Act
NF Z 42-013
King II
GDPdU & GoBS
Step 1: Define Threats Resulting in Business Disruption
02
FireEye platform is based on;
Which business processes are of strategic importance?
What disasters could possibly occur?
What impact would they have, on the organization
Step 1: Define Threats Resulting in Business Disruption
02
FireEye platform is based on;
Negligible
Minor
Major
Crisis
Step 1: Define Threats Resulting in Business Disruption
Step 2: Define Recovery Objectives
02
Step 3
Attaining Recovery Point
Objective (RPO)
Step 4
Attaining Recovery Time
Objective (RTO)
Business Continuity
02
Criticality Classification
02
Critical
Vital
Non-Sensitive
Sensitive
Conclusion
02
Sensitive
Perform Business Impact Analysis
Prioritize services to support critical business processes
Determine alternate processing modes for critical and vital services
Develop the Disaster Recovery plan for IS systems recovery
Develop BCP for business operations recovery and continuation
Test the plans
Maintain plans
Full transcript