Information security and risk management
Managing Risk in Information Systems
Lesson 13
Business Continuity Planning
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
What Is a Business Continuity Plan?
The BCP is a plan designed to help an organization continue to operate during and after a disruption.
Business Impact Analysis (BIA) is part of a BCP.
The scope of the BCP includes the IT systems, facilities, and personnel. The BCP identifies elements that are mission-critical and need to continue to operate. Non-mission-critical elements that do not need to continue aren’t addressed by the BCP.
What Is a Business Continuity Plan?
BIA key objectives that directly support the BCP:
BIA identified critical business functions (CBFs)
BIA identified critical processes supporting the CBFs
BIA identified critical IT services supporting the CBFs, including any dependencies
BIA determined acceptable downtimes for CBFs, processes, and IT services
Business Continuity Plan vs. Disaster Recovery Plan
BCP
Covers all functional areas of a business; it ensures the entire business can continue to operate in the event of a disruption.
Includes a BIA, and also addresses other non-technical elements of the event.
Focused on getting the overall business functions back to normal.
DRP
Is a function of the IT department.
Includes the elements necessary to recover from a disaster, once one is declared.
Involves copying the critical data to media or online and then, if required, moving the IT operations off site to recover.
Focused on restoring and recovering IT functions.
BCP
Covers all functional areas of business
Includes a business impact analysis (BIA)
Focused on business function recovery
DRP
Function of the IT department
Focused on IT function recovery
Recovery from a declared disaster
Elements of a BCP Report
Purpose and scope
Assumptions and planning principles
Incidents to be included or excluded
Strategy
Priority
Required Support
The scope includes the location, the systems, the employees, and the vendors.
The BCP includes basic assumptions and planning principles. A decision must be made as to which incidents will be included and which will be excluded. The BCP includes a strategy to deal with location, notification, and transportation. If the company has more than one location, a strategy for each is required. The strategy should answer questions such as: How do you transport equipment and personnel? Do you include supplies at each location or transport them? How do you communicate once you arrive at the other location? What are the priorities? What support will be needed during the process? During the notification and activation phase, mission-critical personnel must respond quickly; some will remain at the original location while others will go to the new location.
Elements of a BCP Report (continued)
System description and architecture
Overview
Functional Description
Sensitivity of Data and Criticality of Operations
Critical Equipment, Software, Data, Documents and Supplies
Telecommunications
Responsibilities
The system description and architecture must be documented: what are the critical systems and supporting architectures? The BCP needs an overview that describes the systems as a big picture. Next, there needs to be a functional description that details the systems. The BCP must then include information on the sensitivity (or classification) of the data as well as which of the operations are critical. Next, identify the critical equipment, software, data, documents, and supplies. Finally, identify how you will connect the systems internally and externally when at the new location.
A number of teams are needed for the BCP. The Emergency Management Team includes senior managers who have overall authority for the recovery of the systems. The Damage Assessment Team assesses the damage and declares the severity of the incident. The Technical Recovery Team recovers the critical IT resources.
Elements of a BCP Report (continued)
Phases
Notification/Activation Phase
Recovery Phase
Reconstitution (return to operations) Phase
Plan training, testing, and exercises
Plan maintenance
Phases include the Notification and Activation phases, the Recovery phase, and the Reconstitution phase.
It is critical to perform training, testing, and exercises annually, and then to maintain the plan when these events determine that a change must be made.
Phases within a BCP Plan
The Notification phase occurs when the incident starts or is about to start. The Activation phase occurs when the teams are activated.
During the Recovery phase, the Technical Recovery Team restores temporary operations to critical systems, repairs damage done to original systems, and recovers damage to original systems. Recovery planning often takes the form of a disaster recovery plan (DRP). The recovery’s success depends on the work done to prepare the DRP.
The Reconstitution phase deals with returning functions back to normal. This includes both the critical functions and the non-mission-essential functions. This phase begins when either the damage is repaired or management decides to move operations permanently to an alternate location.
During the recovery and reconstitution phases, operations are running at two separate locations at the same time. An organization will often keep the alternate location up and operational until it is sure the original location is operational. After all functionality is tested and confirmed, operations are switched over completely.
Notification/activation phase
Recovery phase
Reconstitution phase
Defining Data that Needs to Be Protected
The BCP should list all the critical components for the system.
There are two reasons for including this data:
First, it makes it clear which components are needed for the critical business functions (CBF).
Second, it provides a list that you can use to restore the system from scratch.
This list includes any equipment, such as servers, switches, and routers.
The servers may need to be rebuilt from scratch. Therefore, the BCP should list the operating system and any applications needed to support the system.
If an image is used to rebuild servers, the BCP will list the version number.
Data can include a database hosted on the system.
It can also include any type of files, such as documents or spreadsheets.
Last, the list can include any needed supplies:
This can be simple office supplies, such as printer paper and toner.
For some systems, it can include technical supplies, such as special oils for machinery or tools needed for maintenance.
Identify all critical components for the system
Identify all equipment: servers, switches, routers
Include databases hosted on the system
Include files: documents or spreadsheets
Include necessary supplies
Steps for Implementing a BCP
Create BCP scope statements
Conduct business impact analysis (BIA)
Identify countermeasures and controls
Develop individual disaster recovery plans (DRPs)
Implement training
Test and exercise plans
Maintain and update plans
BCP Best Practices
Complete the BIA early
Exercise caution when returning functionality from alternate locations
Restore least critical functions first
Review and update the BCP
Test all individual pieces of the plan
Conduct test exercises of the plan
Complete the BIA early—Ensure the BIA is done early in the process for the BCP.
Without the BIA, you won’t know what systems are critical.
Exercise caution when returning functionality from alternate locations—When restoring functionality from an alternate location to the primary location, consider these best practices:
Restore least critical functions first to the primary location—This allows you to get the bugs out of the process without affecting critical functions.
Review and update the BCP regularly—The BCP coordinator should review and update the BCP at least annually.
If critical systems are changed or modified between annual reviews, the BCP should be reviewed when those changes or modifications occur.
Test all the individual pieces of the plan—This includes basic procedures, such as recalls.
Exercise the plan—Verify the plan works by performing test exercises.
These exercises should not affect normal operations.