CISSP CBK 8 – Business Continuity Planning & Disaster Recovery Planning

BCP / Business Continuity Planning

Prime elements:
– Scope and Plan Initiation
– Business Impact Assessment
– Business Continuity Plan Development
– Plan Approval and Implementation

Scope and Plan Initiation: Marks the beginning of the BCP process. It entails creating the scope for the plan.

Roles and Responsibilities

The BCP Committee: Should be formed and given the responsibility to create, implement and test the plan. It is made up of representatives from senior management, all functional business units, information systems and the security administrator.

Senior Management’s Role: Is ultimately responsible for all four phases of the plan.

BIA / Business Impact Assessment: Is a process used to help business units understand the impact of a disruptive event. The impact may be financial (quantitative) or operational (qualitative, such as the inability to respond to customers). A vulnerability assessment is often a part of the BIA process. It identifies the company’s critical systems needed for survival and estimates the outage time that can be tolerated by the company as a result of a disaster or disruption.

Three primary goals of BIA

 – Criticality Prioritization: Every critical business unit process must be identified and prioritized and the impact of a disruptive event must be evaluated.

 – Downtime Estimation: Estimates the MTD / Maximum Tolerable Downtime that the business can tolerate and still remain a viable company.

 – Resource Requirements: The resource requirements for the critical processes are also identified at this time, with the most time-sensitive processes receiving the most resource allocation.

Four steps of BIA

 – Gathering the needed assessment materials: Identifying which business units are critical to continuing an acceptable level of operations.

 – Performing the vulnerability assessment: Is smaller than a full risk assessment and is focused on providing information that is used solely for the BCP or DRP. A function is to conduct a loss impact analysis. Critical support areas must be defined.

 – Analyzing the information compiled:

Business Continuity Plan Development: Refers to using the information collected in the BIA to develop the actual business continuity plan. This includes the areas of plan implementation, plan testing and ongoing plan maintenance.

Two main steps –

 – Defining the continuity strategy: How the business is supposed to manage a disaster disruption.

 – Documenting the continuity strategy: Creation of documentation for the results.

Plan Approval and Implementation: Involves getting the final senior management sign-off, creating enterprise-wide awareness of the plan and implementing a maintenance procedure for updating the plan as needed.

DRP / Disaster Recovery Planning

Is a comprehensive statement of consistent actions to be taken before, during and after a disruptive event that causes a significant loss of information systems resources. The primary objective is to provide the capability to implement critical processes at an alternate site and return to the primary site and normal processing within a time frame that minimizes the loss to the organization, by executing rapid recovery procedures.

Disaster planning process phases:

– Data Processing Continuity Planning

– Data Recovery Plan Maintenance

Data Processing Continuity Planning: Common alternative processing types –

– Mutual aid agreements / Reciprocal agreements: Is an arrangement with another company that may have similar computing needs. Advantage is low cost. Disadvantage is that it is highly unlikely that each organization’s infrastructure will have the extra capacity to enable full operational processing during the event.

– Subscription services:

– Hot site: Is a fully configured computer facility with electrical power, heating, ventilation and air conditioning (HVAC) and functioning file/printer servers and workstations. Advantage is 24/7 availability. Disadvantages are that it is expensive, the service provider might oversell capacity, there is security exposure when information is stored in two places, and it may be administrative-resource intensive when controls must be implemented twice.

– Warm site: Is a facility readily available with electrical power and HVAC and computers, but the applications may not be installed. Advantages are that it costs less than a hot site, is more flexible in the choice of site (location) and needs fewer administrative resources than a hot site. Disadvantage is the difference in the amount of time and effort it will take to start production processing at the new site.

– Cold site: Is ready for equipment to be brought in during an emergency, but no hardware resides at the site. Advantage is low cost. Disadvantage is that it may not work when a disaster strikes.

 – Multiple centers: The processing is spread over operations centers, creating a distributed approach to redundancy and sharing of available resources. Advantage is low cost. Disadvantage is that a major disaster could easily overtake the processing capability of the sites.

 – Service bureaus: Contract with a service bureau to provide all alternate backup processing services. Advantage is quick response and availability. Disadvantage is the expense and resource contention during a large emergency.

 – Other data center backup alternatives:

    – Rolling/mobile backup sites

    – In-house or external supply of hardware replacements

    – Prefabricated buildings

Three concepts used to create a level of fault tolerance and redundancy in transaction processing:

 – Electronic vaulting: Refers to the transfer of backup data to an off-site location. This is primarily a batch process of dumping the data through communications lines to a server at an alternative location.

 – Remote journaling: Refers to the parallel processing of transactions to an alternate site. A communication line is used to transmit live data as it occurs.

 – Database shadowing: Uses the live processing of remote journaling but creates even more redundancy by duplicating the database sets to multiple servers.
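
The difference between the three concepts shows up in what is missing at the alternate location after the primary is lost. The following is an added example, not part of the original notes: a small model in which the transaction list, the minute-based clock, the line delay and the server names `alt-a`/`alt-b` are all constructed assumptions.

```python
# Constructed model (not from the notes): which transactions survive off-site
# when the primary site is lost. Times are minutes; all names are hypothetical.
TXNS = [(5, "T1"), (42, "T2"), (61, "T3"), (90, "T4"), (94, "T5")]  # (time, id)
DISASTER_AT = 95

def electronic_vaulting(txns, disaster_at, batch_interval):
    # Batch dumps run every batch_interval minutes; the off-site copy is only
    # as fresh as the last dump that ran before the disaster.
    last_batch = ((disaster_at - 1) // batch_interval) * batch_interval
    return [txid for ts, txid in txns if ts <= last_batch]

def remote_journaling(txns, disaster_at, line_delay=0):
    # Each transaction is sent as it occurs; it is safe off-site once it has
    # crossed the communication line (ts + line_delay) before the disaster.
    return [txid for ts, txid in txns if ts + line_delay < disaster_at]

def database_shadowing(txns, disaster_at, servers, failed=(), line_delay=0):
    # Same live feed as remote journaling, duplicated to several servers;
    # recovery can use any shadow server that is still reachable.
    alive = [s for s in servers if s not in failed]
    return remote_journaling(txns, disaster_at, line_delay) if alive else []

def lost(txns, disaster_at, recovered):
    # Committed at the primary before the disaster but absent off-site.
    return [txid for ts, txid in txns if ts < disaster_at and txid not in recovered]

def compare():
    vault = electronic_vaulting(TXNS, DISASTER_AT, batch_interval=60)
    journal = remote_journaling(TXNS, DISASTER_AT, line_delay=2)
    # One alternate server that is itself down: nothing to recover from.
    single = database_shadowing(TXNS, DISASTER_AT, ["alt-a"], failed=["alt-a"], line_delay=2)
    # Two shadow servers, one down: the other still holds the journal.
    shadow = database_shadowing(TXNS, DISASTER_AT, ["alt-a", "alt-b"], failed=["alt-a"], line_delay=2)
    return {name: lost(TXNS, DISASTER_AT, rec) for name, rec in
            [("vaulting", vault), ("journaling", journal),
             ("single alternate down", single), ("shadowing, one server down", shadow)]}

if __name__ == "__main__":
    for method, missing in compare().items():
        print(f"{method:28} lost: {missing}")
```

The vaulting row loses everything since the last batch, journaling loses only what was still on the line, and shadowing keeps that result even when one alternate server is unavailable.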

Data Recovery Plan Maintenance: Keeping the plans up-to-date and relevant.

Testing the DRP / Disaster Recovery Plan:

Test types –

 – Checklist: Copies of plan are distributed to management for review.

 – Structured Walk-Through: Business unit management meets to review the plan.

 – Simulation Test: All support personnel meet in a practice execution session.

 – Parallel Test: Critical systems are run at an alternate site.

 – Full-Interruption Test: Normal production shut down, with real disaster recovery processes.

Primary elements of the disaster recovery process

 – The recovery team: Will be clearly defined with the mandate to implement the recovery procedures at the declaration of the disaster. The primary task is to get the pre-defined critical business functions operating at the alternate backup processing site.

 – The salvage team: Will be dispatched to return the primary site to normal processing environmental conditions. This team is often given the authority to declare when the site is resumptive or not.

 – Normal operations resume: Full procedures on how the company will return production processing from the alternate site to the primary site with the minimum of disruption and risk. The emergency is not over until all operations are back in full production mode at the primary site.

 – Other recovery issues:

    – Interfacing with external groups

    – Employee relations

    – Fraud and crime

    – Financial disbursement

    – Media relations