1

13. Business Continuity &

Disaster Recovery Planning
ISA 562
Internet Security Theory & Practice
2
Objectives
Response to save business and human life
Recovery activities after a disaster to normal
operations
Recovery plans to resume interrupted critical
business
Introduction
Need to process critical business systems in the
event of disruption to normal business data
processing operations.
Ensure the availability of critical information
system resources in the event of an expected
network interruption or disaster
Many kinds of plans
Contingency plans, Business Continuity Planning
(BCP), Disaster Recovery Planning (DRP)

3
BCP and DRP Life cycle
Steps of BCP and DRP project life cycle
Project Scope Development and planning
Business Continuity analysis (BIA) and functional
requirements ( for BIA steps, please see the book)
Business Continuity and Recovery Strategy
Plan Design and Development
Restoration
Feedback
4
Project Scope and Development Planning
Higher managements commitment to go through the
different steps of the project.
Deliverables
Project scope definition
Producing a Project plan
Dedicating a steering committee for the project
The BCP should be aligned with the organization's mission
Business continuity steering committee should
know the mission statement in order to place the scope
should have required authorization
Resources requirement need to be know at this stage
Budget requirements are estimated and validated
Personnel availability
Knowing key points of contact or personnel in an emergency

5
Business Impact Analysis (BIA)
Evaluates all business functions against a
common criterion to assess potential impacts to
the business by an interruption
The following fall under the BIA
Preparing a BIA format
Assess Potential impacts
Prioritize: very important for business functions
Elements to consider
Analysis of different threats for the business
Identification of critical business functions and units
Emergency Assessment
3
rd
party considerations
6
Different cases which need to be considered
Threats analysis
Human Made threats, Natural threats, IT threats Etc
Identify critical business functions: some characteristics
Time Sensitivity, Data Integrity, Etc
Their impact on business: Financial & Operational Impact , Reputation etc
Emergency Assessment
Affected Areas
Alerting procedures
Security and safety procedures and guidelines
Etc
3
rd
party considerations
Need to look at Down stream liabilities and upstream impacts
Compliance requirements, SLA Agreements, etc




7
Business Continuity and recovery Strategy
Business Unit Priorities: Business units are
examined for BIA identified critical functions
Critical processes and functions are reviewed by the
Steering committee and establishes priorities
The Committee looks at the minimum resources required
for the identified functions
Priorities are documented
Recovery time Objective (RTO) is the assed time by
which a critical function must be recovered
Recovery point objective (RPO) measures data integrity
requirement or the tolerance for the amount of data loss
Cost/Benefit analysis
8
Recovery Alternatives
Three approaches for recovery
Dedicated site operated by the organization
Multiple processing centers
Commercially leased facility
Hot site / cost high
Worm site / cost moderate
Cold site / cost lowest
Agreement with an Internal or external facility
Identify organizations with equivalent IT configurations and
backup technologies and establish an agreement
Types of agreements
Reciprocal or Mutual Aid
Contingency
Service Bureau

9
Backup
Strategies
Replication
Storage Area network
Electronic Vaulting, etc
Location and Storage Criteria
Maybe stored in several locations for different purposes
On-site storage, Off-site storage, Near-site storage
Resilience Strategies
Improve an organization's continuity and resilience
IT and Site Resilience etc

10
Plan Design Development
Emergency Response Procedures
Life , Health & safety
Damage Assessment
Event Reporting
Disaster Declaration, etc
Personnel Notifications
List of people to notify
Defining the role of the Executive crisis Management
Executive Succession Planning, etc
Backup and off-site storage
Inventory list is compiled and documented
Facility Accessibility and Resilience
Communication in Emergency
Emergency and Business communication system should be in place
Data communication priorities in networks should be agreed upon
11
Plan Design Development (Continued)
Alterative site considerations
The ability to support the required infrastructure, environmental and space
demands should be analyzed: Utilities, Communications, etc
Logistics and supplies
How resources are acquired or procured, transported and maintained
Personnel and materials transportation
Remote worker environment activation
Emergency funds access, etc
Documentation
BCP & DRP activation and de-activation plans and procedures are
documented
Activity and status reports
Checklists etc
Business Continuity and resumption planning
Contracts for emergency vendor services
Risk Avoidance and mitigation planning
Emergency business Recovery procedures
12
Implementation
Includes Training, Testing, Recovery and Audit
Training
Increasing the organization's awareness of the BC and DR
business case
Different kinds of training for different attendees
All people training, Operation teams, Recovery teams etc
Testing
Confirms that the plan meets its emergency, recovery and
restoration objectives
Measures the accuracy of the plans
Allow management to evaluate personnel readiness for an
adverse event
13
Implementation (continued)
Test Plans
Each time tests are scheduled, a test plan should be written, it
should contain
Objectives and success criteria
Details
Schedule
Post-test review
Test types
Several test types exists which server different purposes
Checklist test
Structured walk-through
Simulation
Parallel testing
Testing follow-up
Identifying existing deficiencies
Plan should be routinely assessed
Should be scheduled for testing for example annually
14
Implementation (continued)
Recovery procedures
Site migration
Local Recovery procedures
Transfer and recovery, etc.
Audit
Ensures an organization has an effective BC and DR
capability
Measures compliance
Addressing audit findings
15
Restoration
Restoration of primary location
Primary facility must be stabilized and secured and then
more detailed damage assessment is conducted
Procurement
Has an essential role in supporting restoration
Consolidating acquisitions and Disposition
Costs reporting
Data Recovery
Reversal procedures
Business process recovery point
Journal and process synchronization
Relocation to primary site
Restoration order and prioritization
End of disaster declaration
16
Feedback and plan management
Post-recovery reporting
Identification or remediation of plan gaps
Record Lessons learned
Performance metric review
Plan review and evaluation
Training of key personnel
Communication
Plan distribution
Communicate the plan to stakeholders
17
References
ISC2 CBK Material
CISSP-All-in-one book

18