Business Continuity Planning

• Note: these are slides that were part of a CISSP
prep course that I partly developed and taught while I
was with Ernst and Young.
• While these slides are dated – August 1999 - the
core information is still relevant.
• Contact me w/ any questions or comments –
• Ben Rothke, CISSP brothke@hotmail.com

CBK REVIEW - August 1999 E 1


Introduction
• The Problem - Reasons for BCP
• Principles of BCP
• Doing BCP
– The steps
– What is included
– The stages of an incident


Definitions
A contingency plan is:
“A plan for emergency response, backup operations, and post-
disaster recovery maintained by an activity as a part of its
security program that will ensure the availability of critical
resources and facilitate the continuity of operations in an
emergency situation…”
(National Computer Security Center 1988)

1997-98 survey: >35% of companies have no plans


Definitions of BCP
• Disaster Recovery
• Business Continuity Planning
• End-user Recovery Planning
• Contingency Planning
• Emergency Response
• Crisis Management

The goal is to assist the organization/business to continue
functioning even though normal operations are disrupted

Includes steps to take
– Before a disruption
– During a disruption
– After a disruption


Reasons for BCP
• It is better to plan activities ahead of time rather
than to react when the time comes
– “Proactive” rather than “Reactive”
– Take the correct actions when needed
– Allow for experienced personnel to be absent


Reasons for BCP
• It is better to plan activities ahead of time rather
than to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Saves time, mistakes, stress and $$
– Keep the money coming in
– Short and long term loss of business
– Have necessary materials, equipment, information on hand
– Planning can take up to 3 years


Reasons for BCP
• It is better to plan activities ahead of time rather
than to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Keep the money coming in
– Short and long term loss of business
• Effect on customers
– Public image
– Loss of life


Reasons for BCP
• It is better to plan activities ahead of time rather
than to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Keep the money coming in
– Short and long term loss of business
• Effect on customers
• Legal requirements
– ‘77 Foreign Corrupt Practices Act/protection of stockholders
• Management criminally liable


Reasons for BCP
• It is better to plan activities ahead of time rather
than to react when the time comes
“Proactive” rather than “Reactive”
• Maintain business operations
– Keep the money coming in
– Short and long term loss of business
• Effect on customers
• Legal requirements
– ‘77 Foreign Corrupt Practices Act/protection of stockholders
– Federal Financial Institutions Examination Council (FFIEC)
– FCPA SAS30 Audit Standards
– Defense Investigative Service
– Legal and Regulatory sanctions, civil suits


Definitions
• Due Care
– minimum and customary practice of responsible protection
of assets that reflects a community or societal norm
• Due Diligence
– prudent management and execution of due care


The Problem
• Utility failures
• Intruders
• Fire/Smoke
• Water
• Natural disasters (earthquakes, snow/hail/ice,
lightning, hurricanes)
• Heat/Humidity
• Electromagnetic emanations
• Hostile activity
• Technology failure


Recent Disasters
• Bombings
– ‘92 London financial district
– ‘93 World Trade Center, NY
– ‘93 London financial district
– ‘95 Oklahoma City
• Earthquakes
– ‘89 San Francisco
– ‘94 Los Angeles
– ‘95 Kobe, JP
• Fires
– ‘95 Malden Mills, Lawrence, MA
– ‘96 Credit Lyonnais, FR
– ‘97 Iron Mountain Record Center, Brunswick, NJ


Recent Disasters
• Power
– ‘92 AT&T
– ‘96 Orrville, OH
– ‘99 East coast heat/drought brownouts
• Floods
– ‘97 Midwest floods
• Storms
– ‘92 Hurricane Andrew
– ‘93 Northeast Blizzard
– ‘96 Hurricanes Bertha, Fran
– ‘98 Florida tornados
• Hardware/Software
– Year 2000


The Problem
• Utility failures
• Intruders
• Fire/Smoke
• Water
• Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
• Heat/Humidity
• Electromagnetic emanations
• Hostile activity
• Technology failure
• Failure to keep operating
Fortune 1000 study
– Average loss $78K, up to $500K
– 65% failing over 1 week never reopen
– Loss of market share common


Threats
• From Data Pro reports
– Errors & omissions 50%
– Fire, water, electrical 25%
– Dishonest employees 10%
– Disgruntled employees 10%
– Outsider threats 5%


The Controls
• Least Privilege
– Information security
• Redundancy
– Backed up data
– Alternate equipment
– Alternate communications
– Alternate facilities
– Alternate personnel
– Alternate procedures


The Steps in a BCP - Initiation
• Project initiation
– Executive commitment and support MOST CRITICAL
– Business case to obtain support
– Sell the need for DRP (price vs benefit)
– Build and maintain awareness
– On-going testing & maintenance
– Top down approach
– Project planning, staffing
• Local support/responsibility


The Steps in a BCP - 1
• Impact Assessment (Impact Analysis/Vulnerability
Assessment/Current State Assessment/Risk
Assessment)

Purpose
– Identify risks
– Identify business requirements for continuity
– Quantify impact of potential threats
– Balance impact and countermeasure cost
– Establish recovery priorities


Benefits
• Relates security objectives to organization mission
• Quantifies how much to spend on security measures
• Provides long term planning guidance
– Site selection
– Building design
– HW configuration
– SW
– Internal controls
– Criteria for contingency plans
– Security policy
• Protection requirements
• Significant threats
• Responsibilities


The Steps in a BCP - 1
• Risk Assessment
– Potential failure scenarios
– Likelihood of failure
– Cost of failure (loss impact analysis)
• Dollar losses
• Additional operational expenses
• Violation of contracts, regulatory requirements
• Loss of competitive advantage, public confidence
– Assumed maximum downtime (recovery time frames)
• Rate of losses
• Periodic criticality
• Time-loss curve charts


The Steps in a BCP - 1
• Risk Assessment/Analysis
– Potential failure scenarios (risks)
– Likelihood of failure
– Cost of failure, quantify impact of threat
– Assumed maximum downtime
– Annual Loss Expectancy
– Worst case assumptions
– Based on business process model? Or IT model?
– Identify critical functions and supporting resources
– Balance impact and countermeasure cost
• Key -
– Potential damage
– Likelihood


Definitions
• Threat
– any event which could have an undesirable impact
• Vulnerability
– absence or weakness of a risk-reducing safeguard, potential
to allow a threat to occur with greater frequency, greater
impact, or both
• Exposure
– a measure of the magnitude of loss or impact on the value
of the asset
• Risk
– the potential for harm or loss, including the degree of
confidence of the estimate


Definitions
• Quantitative Risk Analysis
– quantified estimates of impact, threat frequency, safeguard
effectiveness and cost, and probability
– Powerful aid to decision making
– Difficult to do in time and cost
• Qualitative Risk Analysis
– minimally quantified estimates
– Exposure scale ranking estimates
– Easier in time and money
– Less compelling
• Risk Analysis is performed as a continuum from fully
qualitative to less than fully quantitative


Results
• Loss impact analysis
• Recovery time frames
– Essential business functions
– Information systems applications
• Recommended recovery priorities & strategies
• Goals
– Understand economic & operational impact
– Determine recovery time frame (business/DP/Network)
– Identify most appropriate strategy
– Cost/justify recovery planning
– Include BCP in normal decision making process


Risk Management Team
• Management - Support
• DP Operations
• Systems Programming
• Internal Audit
• Physical Security
• Application owners
• Application programmers


Preliminary Security Exam
• Asset costs
• Threat survey
– Personnel
– Physical environment
– HW/SW
– Communications
– Applications
– Operations
– Natural disasters
– Environment
– Facility
– Access
– Data value


Preliminary Security Exam
• Asset costs
• Threat survey
• Existing security measures
• Management review


Threats
• Unauthorized access
• Hardware failure
• Utility failure
• Natural disasters
• Loss of key personnel
• Human errors
• Neighborhood hazards
• Tampering
• Disgruntled employees
• Emanations
• Safety
• Improper use of technology
• Repetition of errors
• Cascading of errors
• Illogical processing
• Translation of user needs (technical requirements)
• Inability to control technology
• Equipment failure
• Incorrect entry of data
• Concentration of data
• Inability to react quickly
• Inability to substantiate processing
• Concentration of responsibilities
• Erroneous/falsified data
• Misuse


Threats
• Uncontrolled system access
• Ineffective application security
• Operations procedural errors
• Program errors
• Operating system flaws
• Communications system failure
• Utility failure


Risk Analysis Steps
• 1 - Identify essential business functions
– Dollar losses or added expense
– Contract/legal/regulatory requirements
– Competitive advantage/market share
– Interviews, questionnaires, workshops
• 2 - Establish recovery plan parameters
– Prioritize business functions
• 3 - Gather impact data/Threat analysis
– Probability of occurrence, source of help
– Document business functions
– Define support requirements
– Document effects of disruption
– Determine maximum acceptable outage period
– Create outage scenarios


Risk Analysis Steps
• 4 - Analyze and summarize
– Estimate potential losses
• Destruction/theft of assets
• Loss of data
• Theft of information
• Indirect theft of assets
• Delayed processing
• Consider periodicity
– Combine potential loss & probability
– Magnitude of risk is the ALE (Annual Loss
Expectancy)
– Guide to security measures and how much to spend


Results
• Significant threats & probabilities
• Critical tasks & loss potential by threat
• Remedial measures
– Greatest net reduction in losses
– Annual cost
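
Risk analysis steps 1-4 and the results listed above, worked through as an added example (not part of the original slides). It assumes the standard ALE calculation, loss per occurrence times expected occurrences per year; every function name, dollar figure and reduction fraction below is a constructed sample value.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    function: str           # essential business function (step 1)
    threat: str             # outage scenario (step 3)
    loss_per_event: float   # estimated potential loss per occurrence, $ (step 4)
    events_per_year: float  # probability expressed as expected occurrences per year

    @property
    def ale(self) -> float:
        # Combine potential loss and probability into Annual Loss Expectancy
        return self.loss_per_event * self.events_per_year

@dataclass
class Measure:
    name: str
    annual_cost: float
    reduction: dict  # threat -> assumed fraction of that threat's ALE removed

def ale_by_threat(scenarios):
    """Significant threats, largest total ALE first."""
    totals = {}
    for s in scenarios:
        totals[s.threat] = totals.get(s.threat, 0.0) + s.ale
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))

def rank_measures(scenarios, measures):
    """Remedial measures ordered by net reduction in losses after annual cost."""
    threat_ale = ale_by_threat(scenarios)
    rows = []
    for m in measures:
        saved = sum(threat_ale.get(t, 0.0) * f for t, f in m.reduction.items())
        rows.append((m.name, saved, m.annual_cost, saved - m.annual_cost))
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample data, for illustration only
SCENARIOS = [
    Scenario("Order entry", "Utility failure", 40_000, 0.5),
    Scenario("Order entry", "Fire", 500_000, 0.02),
    Scenario("Payroll", "Utility failure", 10_000, 0.5),
    Scenario("Payroll", "Errors & omissions", 2_000, 12),
]
MEASURES = [
    Measure("UPS + generator", 15_000, {"Utility failure": 0.9}),
    Measure("Fire detection/suppression", 12_000, {"Fire": 0.6}),
    Measure("Input checks + training", 5_000, {"Errors & omissions": 0.5}),
]

if __name__ == "__main__":
    for threat, ale in ale_by_threat(SCENARIOS).items():
        print(f"{threat:20s} ALE ${ale:>9,.0f}")
    for name, saved, cost, net in rank_measures(SCENARIOS, MEASURES):
        verdict = "cost-justified" if net > 0 else "costs more than it saves"
        print(f"{name:28s} saves ${saved:>7,.0f}  costs ${cost:>7,.0f}  "
              f"net ${net:>7,.0f}  {verdict}")
```

A measure with a negative net figure is not automatically dropped: legal requirements or loss of life, both listed earlier as reasons for BCP, can justify it outside the ALE arithmetic.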


Information Valuation
• Information has cost/value
– Acquire/develop/maintain
– Owner/Custodian/User/Adversary
• Do a cost/value estimate for
– Cost/benefit analysis
– Integrate security in systems
– Avoid penalties
– Preserve proprietary information
– Business continuity
• Circumstances affect valuation timing
• Ethical obligation to use justifiable tools/techniques


Conditions of Value
• Exclusive possession
• Utility
• Cost of creation/recreation
• Liability
• Convertibility/negotiability
• Operational impact
• Market forces
• Official value
• Expert opinion/appraisal
• Bilateral agreement/contract


Scenario
• A specific threat (potential event/act) in which assets are
subject to loss
• Write scenario for each major threat
• Credibility/functionality review
• Evaluate current safeguards
• Finalize/Play out
• Prepare findings


The Steps in a BCP - 2
• Strategy Development (Alternative Selection)
– Management support
– Team structure
– Strategy selection
• Cost effective
• Workable


The Steps in a BCP - 3
• Implementation (Plan Development)
– Specify resources needed for recovery
– Make necessary advance arrangements
– Mitigate exposures


The Steps in a BCP - 3
• Risk Prevention/Mitigation
– Risk management program
– Security - physical and information (access)
– Environmental controls
– Redundancy - Backups/Recoverability
• Journaling, Mirroring, Shadowing
• On-line/near-line/off-line
– Insurance
– Emergency response plans
– Procedures
– Training


The Steps in a BCP - 3
• Decision Making
– Cost effectiveness
• Total cost
– Human intervention requirements
• Manual functions are weakest
– Overrides and defaults
• Shutdown capability
• Default to no access
– Design openness
– Least Privilege
• Minimum information
• Visible safeguards
– Entrapment
• Selected vulnerabilities made attractive


The Steps in a BCP - 3
• Decision Making
– Independence of controller and subject
– Universality
– Compartmentalization, defense in depth
– Isolation
– Completeness
– Instrumentation
– Acceptance
– Sustainability
– Auditability
– Accountability
– Recovery


Remedial Measures
• Alter environment
• Erect barriers
• Improve procedures
• Early detection
• Contingency plans
• Risk assignment (insurance)
• Agreements
• Stockpiling
• Risk acceptance


Remedial Measures
• Fire
– Detection, suppression
• Water
– Detection, equipment covers, positioning
• Electrical
– UPS, generators
• Environmental
– Backups
• Good housekeeping
• Backup procedures
• Emergency response procedures


The Steps in a BCP - 3
• Plan Development
– Specify resources needed for recovery
– Team-based
– Recovery plans
– Mitigation steps
– Testing plans
– Prepared by those who will carry them out


Included in a BCP
• Off-site storage
– Trip there - secure? Timely?
– Physical layout of site
– Fire protection
– Climate controls
– Security access controls
– Backup power


Included in a BCP
• Off-site storage
• Alternate site
– Hot/Warm/Cold (Shell) sites
– Reciprocal agreements/Multiple sites/Service bureaus
– Trip there - secure? Timely?
– Physical layout of site
– Fire protection
– Climate controls
– Security access controls
– Backup power
– Agreements


Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
– Compatibility
– Capacity
– Journaling - maintaining audit records
• Remote journaling - to off-site location
– Shadowing - remote journaling and delayed mirroring
– Mirroring - maintaining real-time copy of data
– Electronic vaulting - bulk transfer of backup files


Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
– Compatibility
– Accessibility
– Capacity
– Alternatives


Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
• Work space
– Accessibility
– Capacity
– Environment


Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
• Work space
• Office equipment/supplies/documentation
• Security
• Critical business processes/Management
• Testing
• Vendors - Contact info, agreements
• Teams - Contact info, transportation
• Return to normal operations
• Resources needed


Complications
• Media/Police/Public
• Families
• Fraud
• Looting/Vandalism
• Safety/Legal issues
• Expenses/Approval


The Steps in a BCP - Finally
• Plan Testing
– Proves feasibility of recovery process
– Verifies compatibility of backup facilities
– Ensures adequacy of team procedures
• Identifies deficiencies in procedures
– Trains team members
– Provides mechanism for maintaining/updating the plan
– Upper management comfort


The Steps in a BCP - Finally
• Plan Testing
– Desk checks/Checklist
– Structured Walkthroughs
– Live exercises/Simulations
– Periodic off-site recovery tests/Parallel
– Full interruption drills


The Steps in a BCP - Finally
• Test
– Hardware
– Software
– Personnel
– Communications
– Procurement
– Procedures
– Supplies/forms
– Documentation
– Transportation
– Utilities
– Alternate site processing
– Security


The Steps in a BCP - Finally
• Test
– Purpose (scenario)
– Objectives/Assumptions
– Type
– Timing
– Schedule
– Duration
– Participants
• Assignments
– Constraints
– Steps


The Steps in a BCP - Finally
• Alternate Site Test
– Activate emergency control center
– Notify & mobilize personnel
– Notify vendors
– Pickup and transport
• tapes
• supplies
• documentation
– Install (Cold and Warm sites)
– IPL
– Verify
– Run
– Shut down/Clean up
– Document/Report


The Steps in a BCP - Finally
• Plan Update and Retest cycle (Plan Maintenance)
– Critical to maintain validity and usability of plan
• Environmental changes
• HW/SW/FW changes
• Personnel
– Needs to be included in organization plans
• Job description/expectations
• Personnel evaluations
• Audit work plans


BCP by Stages
• Initiation
• Current state assessment
• Develop support processes
• Training
• Impact Assessment
• Alternative selection
• Recovery Plan development
• Support services continuity plan development
• Master plan consolidation
• Testing strategy development
• Post transition plan development


BCP by Stages
• Implementation planning
• Quick Hits
• Implementation, testing, maintenance


End User Planning
• DP is critical to end users
• Difficult to use manual procedures
• Recovery is complex
• Need to plan
– manual procedures
– recovery of data/transactions
– procedures for alternate site operation
– procedures to return to normal


The Real World
• DR plans normally involve
– Essential DP platforms/systems only
– A manual on the shelf written 2-3 years ago
– Little or no user involvement
– No provision for business processes
– No active testing
– Resource lists and contact information that do not match
current realities


Stages in an Incident
• Disaster
– interruption affecting user operations significantly


Stages in an Incident
• Disaster
• Initial/Emergency response
– Purpose
• Ensure safety of people
• Prevent further damage
– Activate emergency response team
– Covers emergency procedures for expected hazards
– Safety essential
– Emergency supplies
– Crisis Management plan - decision making


Stages in an Incident
• Disaster
• Initial response
• Impact assessment
– Activate assessment team
– Determine situation
• What is affected?
– Decide whether to activate plan


Stages in an Incident
• Disaster
• Initial response
• Impact assessment
• Initial recovery
– Initial recovery of key areas at alternate site
– Detailed procedures
– Salvage/repair - Clean up


Stages in an Incident
• Disaster
• Initial response
• Impact assessment
• Initial recovery
• Return to normal/Business resumption
– Return to operation at normal site
– “Emergency” is not over until you are back to normal
– Requires just as much planning - Parallel operations


Special Cases
• Y2K
– Incidents will happen in a particular time frame
– Alternate sites won’t help
– Redundant equipment won’t help
– Backups won’t help
– Involves automated equipment and services


Final Thoughts
• Do you really want to activate a DR/BCP plan?
– Prevention
– Planning
