BusinessContinuityand

DisasterRecovery:

CriticalMeasuresforBusinessSurvivalAllanCarey

ProgramManager

InformationSecurityServicesAgendaSeptember11thEffectDefiningBCandDRTheImportanceofSecurityConclusionsPre-September11EconomyentersintorecessionSomecompanieshavebusinesscontinuityplans,ontheshelfPlanswereinsufficientInitiativesdrivenwitha“bottomsup”approachTheSeptember11thEffectTheSeptember11thEffectTerroristattackscausemorethan$50billionininfrastructuredamageDramaticallyraisedawarenessPhysicalandcybersecurityBusinessleaderscloselyexamininginternalsecurity,continuity,andrecoveryplans90%ofCEOshavereviewedDRplans*Manydiscoverinadequateinvestments*Source:BoozAllenHamiltonsurvey,Jan.23,2002*Source:APorReutersPost-September11EconomicrecessionexacerbatedBCPservicesgainingmomentuminthemarketplaceSecurityservicesfirmscontinueportfoliobuildouttoincludeBCPandincidentreadinessDevelopmentforNationalStrategytoSecureCyberspaceunderwayInformationSecuritySpendingPlans2002vs.2001N=320AgendaSeptember11thEffectDefiningBCandDRTheImportanceofSecurityConclusionsTypesofContingencyPlans/publications/drafts/ITcontingency-planning-guideline.pdfPlanPurposeScopeBusinessContinuityPlan(BCP)ProvideproceduresforsustainingessentialbusinessoperationswhilerecoveringfromasignificantdisruptionAddressesbusinessprocesses;ITaddressedonlyinthecontextofsupportingbusinessprocessBusinessRecovery(orResumption)Plan(BRP)ProvideproceduresforrecoveringbusinessoperationsimmediatelyfollowingadisasterAddressesbusinessprocesses;notIT-focusedContinuityofOperationsPlanEstablishproceduresandcapabilitiestosustainanorganization’sessential,strategicfunctionsatanalternatesiteforupto30daysAddressessubsetofanorganization’smissionsdeemedcritical;notIT-focusedContinuityofSupportPlanEstablishproceduresandcapabilitiesforrecoveringamajorapplicationorgeneralsupportsystemSimilartoITcontingencyplan;addressesITsystemdisruption;notbusinessprocessfocusedDisasterRecoveryPlan(DRP)ProvidedetailedprocedurestofacilitaterecoveryofcapabilitiesatanalternatesiteOftenIT-focused;limitedtomajordisruptionswithlong-termeffectsIncidentResponsePlanDefinestrategiestodetect,respondto,andlimitconsequencesofmaliciouscyberincidentFocusesoninformationsecurityresponsestoincidentsaffectingsystemsand/ornetworksOccupantEmergencyPlanProvidecoordinatedproceduresforminimizinglossoflifeorinjuryandprotectingpropertydamageinresponsetoaphysicalthreatFocusesonpersonnelandpropertyparticulartothespecificfacility;notbusiness-orIT-focusedWhatisBusinessContinuity? Businesscontinuitydescribestheprocessesandproceduresanorganizationputsinplacetoensurethatessentialfunctionscancontinueduringandafteradisaster.Businesscontinuanceplanningseekstopreventinterruptionofmission-criticalservices,andtoreestablishfullfunctioningasswiftlyandsmoothlyaspossible.WhatisBusinessContinuity?Simplyput,it’sthemeansofkeepinganorganizationupandrunning24x7despiteanyexpectedorunexpecteddisruption.Mayinvolvehighlyavailable,“alwayson”infrastructuresthatmaketraditionalrecoveryobsoleteMayinvolvetraditionaldisasterrecoveryservices,I.e.hot/coldsite,databackup,mobilerecovery,contingencyplanning(reactiveapproach)ORMayinvolvesecurityservices(proactiveapproach)SECURITYRECOVERYHighAvailabilityContinuityServicesWhatisDisasterRecovery? Disasterrecoverydescribeshowanorganizationistodealwithpotentialdisasters.Adisasterrecoveryplan(DRP)consistsoftheprecautionstakensothattheeffectsofadisasterwillbeminimized,andtheorganizationwillbeabletoeithermaintainorquicklyresumemission-criticalfunctions.WhatisDisasterRecovery?It’sacrucialcomponentofbusinesscontinuitythataddressesmoreoftheITfunctionsnecessarytoresumebusinessoperationsduetoanexpectedorunexpecteddisruption.Mayinvolvehighlyavailable,redundantinfrastructuresi.e.,hot/coldsite,bandwidthcapacity,scalablenetworkMayinvolvetraditionaldatabackupservices,i.e.,datareplication,offsitedatabackupstorage,mobilerecovery,(reactiveapproach)Mayinvolvesecurityservices(proactiveapproach)SECURITYDATABACKUPHighAvailabilityRecoveryServices7-StepProcessReview/refreshordevelopsecurity,disasterrecovery,andBCplansDevelopcontingencyplanningpolicyConductbusinessimpactanalysis(BIA)IdentifypreventativecontrolsDeveloprecoverystrategiesDevelopcontingencyplanPlantesting,trainingandsimulationsMaintaintheplanSource:NISTAgendaSeptember11thEffectDefiningBCandDRTheImportanceofSecurityConclusionsSilosofSecuritySecurityoftenresidesinmanydifferentdepartmentsLackofcommunicationandcoordinationDelayedresponseProlongedrecoverycycleManagementFacilitiesITDepartmentEnterprisePublicRelationsHumanResourcesFinancePost-911AssessmentNotjustaGovernmentproblemUScorporationsrepresentthemostvulnerableCurrentGovernmentspendingmainlyfocusedonphysicalsecurity(i.e.,gates,guns,guards,&dogs)NosignificantGovernmentspendingonITsecurityuntillate2003/2004ConvergenceofphysicalandITsecurityin2005and2006TheNeedforSecurityandBCPlanningEnterprise-widesecurityandBCstrategyMorecommunicationandcoordinationacrossbusinessunitsImprovedresponseandbetteraccountabilityManagementFacilitiesITDepartmentEnterpriseSecurityPublicRelationsHumanResourcesFinanceCross-functionalSecurityandBCProgramEnterpriseRiskManagementPhysicalSecuritySurveillanceBiometricsTokensGuardsAuthorizationAdministrationInfrastructureSecurityFWandVPN3AsIDnASecureContentAssessDesignDeployManageMonitorRespondDRandBCPStorageServersLoadbalancingHighAvailabilityRedundancyRecoverySupplyChainEve