BUSINESS CONTINUITY PLANNING / DISASTER RECOVERY PLANNING
Bbharathrao.wordpress.com
Dec 01, 2014
Business Continuity Plan
BCP is the creation and validation of a practical logistical plan for how an organization will recover and restore partially or completely within a predetermined time after a disaster has occurred.
GENERAL CONCEPT
A common man’s view
Business Continuity Planning Lifecycle
• Analysis
• Solution Design
• Implementation
• Testing and Acceptance
• Maintenance
Need for BCP/DRP
Objectives and Goals
• Minimize loss by minimizing the cost associated with disruptions
• Identify weaknesses
• Enable the organization to survive a disaster
• Minimize the duration of a serious disruption to business operations
• Facilitate effective co-ordination of recovery tasks
• Reduce the complexity of the recovery effort
Areas
• Business Resumption Planning
• Disaster Recovery Planning
• Crisis Management
Developing a BCP
Initiate
• Obtain understanding of the existing and projected systems
• Establish a ‘Steering Committee’
• Develop a Master Schedule and milestones
Perform Risk Assessment
• Identify threats and exposures to each of the CBS
Perform a Business Impact Analysis
Choose Recovery Strategy
• Determine all available options and strategies
• Business – Logistics, HR, Accounting
• Technical – IT (Client–Server, Mainframes, Databases, Networks)
Plan Development
Identify Recovery Strategy
• Recovery plan components and standards are defined, developed and documented
• Define notification procedures
• Establish Business recovery teams for each CBS
Test and Validate
• Validate the BCP
• Develop and document contingency test plans
• Prepare and execute tests
Maintenance
• Update disaster recovery plans and procedures
Working of a BCP Process
Differentiation of BCP and DRP
Business Continuity Plan: It is the process of defining arrangements and procedures that enable an organization to continue as a viable entity. It addresses the recovery of a company’s critical business functions after an interruption.
Disaster Recovery Plan: It involves making preparations for a disaster and also addresses the procedures to be followed during and after a loss. It is specific to the information system function.
Types of Disaster Recovery Plans
Emergency Plan
• Specifies actions to be undertaken when the disaster happens
• Identifies the situations which require the plan to be invoked
Backup Plan
• Specifies the type of backup to be kept, frequency of backup to be undertaken, procedures, location, personnel, priorities assigned and a time frame
• Needs continuous updates as changes occur
Types of Disaster Recovery Plans
Recovery Plan
• Specifies procedures to restore full information system capabilities
• Formation of a recovery committee; specifies responsibilities and guidelines for proper functioning
Test Plan
• Final component
• Identification of deficiencies in the emergency, backup or recovery plans, or in the preparation of an organization for facing a disaster
Threats and Risk Management
• Lack of Integrity
• Lack of Confidentiality
• Unauthorized Access
• Hostile Software
• Disgruntled Employees
• Hackers and computer crimes
• Terrorism and Industrial espionage
Types of Backup
Full Backup: It captures all files on the disk or within the folder selected for backup.
Incremental Backup: It captures files that were created or changed since the last backup, regardless of the backup type.
Differential Backup: It stores files that have changed since the last full backup.
Mirror Backup: It is identical to a full backup, with the exception that the files are not compressed in zip files and they cannot be protected with a password.
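The practical difference between incremental and differential backups shows up at restore time: how many backup sets must be chained, and what happens when one of them is missing. The following simulation is an added example, not code from the original slides; file names, contents and timestamps are constructed sample data.

```python
# Added example, not from the original slides: a small simulation of how full,
# incremental and differential backups select files, and how many backup sets
# a restore must chain together. File names, contents and times are constructed.

def full_backup(fs):
    """Copy every file, whenever it last changed (a mirror backup selects the
    same files; the slide's distinction is only about compression/password)."""
    return {name: content for name, (content, _mtime) in fs.items()}

def incremental_backup(fs, last_backup_time):
    """Copy files changed since the last backup of ANY type."""
    return {name: content for name, (content, mtime) in fs.items()
            if mtime > last_backup_time}

def differential_backup(fs, last_full_time):
    """Copy files changed since the last FULL backup (grows until the next full)."""
    return {name: content for name, (content, mtime) in fs.items()
            if mtime > last_full_time}

def restore_chain(backup_sets):
    """Apply backup sets oldest to newest; newer copies overwrite older ones.
    Every set in the chain must be present, or the restore is silently stale."""
    state = {}
    for s in backup_sets:
        state.update(s)
    return state

def simulate():
    """Three-day schedule: full backup on day 0, then one file change per day."""
    fs = {"ledger.db": ("v0", 0), "config.ini": ("v0", 0), "notes.txt": ("v0", 0)}
    full = full_backup(fs)                  # day 0, time 0
    fs["ledger.db"] = ("v1", 1)             # day 1: ledger changes
    inc1 = incremental_backup(fs, 0)        # since last backup (the full, t=0)
    fs["config.ini"] = ("v2", 2)            # day 2: config changes
    inc2 = incremental_backup(fs, 1)        # since last backup (inc1, t=1)
    diff2 = differential_backup(fs, 0)      # since last full (t=0)
    live = {name: content for name, (content, _mtime) in fs.items()}
    return {"incremental_sets": [full, inc1, inc2],
            "differential_sets": [full, diff2],
            "live": live}

if __name__ == "__main__":
    r = simulate()
    for label in ("incremental_sets", "differential_sets"):
        ok = restore_chain(r[label]) == r["live"]
        print(f"{label}: {len(r[label])} sets needed, restore ok={ok}")
```

Dropping the middle incremental set from the chain leaves ledger.db at its day-0 version with no error raised, which is why the backup plan above has to specify retention and verification, not just frequency.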
Alternative Processing Facility Arrangements
Cold site
• Useful when the organization can tolerate some downtime
• Organization requires minimum facilities at an alternative location to run its regular operations
• It is inexpensive
Hot site
• Useful when fast recovery is critical
• Organization requires all the facilities at an alternative location
• It is expensive
Warm site
• Provides an intermediate level of backup
• Organization can tolerate some downtime
• Organization requires only essential facilities at an alternative location
Reciprocal agreement
• Two or more organizations might agree to provide backup facilities to each other in the event of one suffering a disaster
• It is relatively cheap
• Each participant must maintain sufficient capacity to operate another’s critical system
Insurance
• The purpose of insurance is to spread the economic cost and risk of loss from an individual or business to a large number of people.
• Policies are contracts that obligate the insurer to indemnify the policyholder against specific risks in exchange for a premium.
• Adequate insurance coverage is a key consideration while developing a BRP/DRP and performing a risk analysis.
Activities considered while testing BRP/DRP plan
• Defining the boundaries
• Scenario
• Test Criteria
• Assumptions
• Briefing Session
• Checklists
• Analysing the test
• Debriefing session
Audit of DR/BR plan
• Based on the BIA
• Key employees have participated in the development
• Plan is simple and is realistic in its assumptions
• Review the existing DR/BR plan
• Gather background information regarding its preparation
• Does the DR/BR plan include provisions for personnel, building, utilities, transportation and IT?
• Does the DR/BR plan include contact details of suppliers of essential equipment?
• Does the DR/BR plan include provisions for the approval to expend funds that were not budgeted for the period? Recovery may be costly.
Sources
• ISCA Study Material – Volume 1 – ICAI Publication
• Comprehensive Guide on Information Systems Audit – Volume II – Commissioned by IT Committee of ICAI
• Guide to Implementing Enterprise Risk Management – Internal Standards Board - ICAI
• Information Systems Control Audit – Prof.Jignesh Chhedda – VORA Book Agency
Thanks
Bharath Rao B
/bharathraob