Risk Management and Business Continuity Planning

Risk Analysis & Assessment
- What could happen (threat event)?
- If it happened, how bad could it be (threat impact)?
- How often could it happen (threat frequency, annualized)?
- How certain are the answers to the first three questions (recognition of uncertainty)?

Risk Management
- What can be done (risk mitigation)?
- How much will it cost (annualized)?
- Is it cost effective (cost/benefit analysis)?

Business Continuity Planning
The phases of a disaster recovery plan process are:
- Awareness and discovery
- Risk assessment
- Mitigation
- Preparation
- Testing
- Response and recovery

Risk Analysis Steps
- Identify assets
- Determine vulnerabilities
- Estimate likelihood of exploitation
- Compute expected annual cost
- Survey applicable controls and their costs
- Project annual savings of control
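
The last three steps, worked through as an added example (not part of the original slides): expected annual cost is computed as impact times annualized frequency, with a low and a high frequency estimate to carry the uncertainty, and each control is judged by net annual savings. All figures, the control names, and the assumption that a control removes a fixed fraction of a threat's frequency are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    asset: str
    event: str
    impact: float      # loss per occurrence (threat impact)
    freq_low: float    # occurrences per year, optimistic estimate
    freq_high: float   # occurrences per year, pessimistic estimate

@dataclass
class Control:
    name: str
    annual_cost: float
    reduction: dict    # event -> fraction of its frequency removed (assumed model)

def expected_annual_cost(threats, controls=()):
    """Return the (low, high) expected annual loss with the given controls applied."""
    low = high = 0.0
    for t in threats:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.reduction.get(t.event, 0.0)
        low += t.impact * t.freq_low * remaining
        high += t.impact * t.freq_high * remaining
    return low, high

def evaluate_controls(threats, controls):
    """Rank controls by net annual savings (loss avoided minus control cost)."""
    base_low, base_high = expected_annual_cost(threats)
    rows = []
    for c in controls:
        low, high = expected_annual_cost(threats, [c])
        net_low = base_low - low - c.annual_cost
        net_high = base_high - high - c.annual_cost
        verdict = ("cost effective" if net_low > 0
                   else "uncertain" if net_high > 0 else "not cost effective")
        rows.append((c.name, net_low, net_high, verdict))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample data, not taken from the slides.
THREATS = [Threat("Data", "disk failure", 40_000, 0.1, 0.5),
           Threat("Software", "Trojan horse", 100_000, 0.02, 0.1),
           Threat("Hardware", "theft", 5_000, 0.5, 1.0)]
CONTROLS = [Control("off-site backup", 3_000, {"disk failure": 0.9}),
            Control("integrity checking", 6_000, {"Trojan horse": 0.8}),
            Control("cable locks", 4_000, {"theft": 0.5})]

if __name__ == "__main__":
    for row in evaluate_controls(THREATS, CONTROLS):
        print("%-20s net savings %9.0f .. %9.0f  %s" % row)
```

A control whose net savings are positive only at the pessimistic end of the range is reported as "uncertain", which is where the fourth assessment question (how certain are the answers) decides the outcome.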

Identify assets
- Hardware: processors, boards, keyboards, monitors, terminals, microcomputers, workstations, tape drives, printers, disks, disk drives, cables, connections, communications controllers, and communications media
- Software: source programs, object programs, purchased programs, in-house programs, utility programs, operating systems, systems programs (such as compilers), and maintenance diagnostic programs
- Data: data used during execution, stored data on various media, printed data, archival data, update logs, and audit records
- People: skills needed to run the computing system or specific programs
- Documentation: on programs, hardware, systems, administrative procedures, and the entire system
- Supplies: paper, forms, laser cartridges, magnetic media, and printer fluid

Determine Vulnerabilities

Asset    | Secrecy                       | Integrity                                                | Availability
Hardware |                               | overloaded, destroyed, tampered                          | failed, stolen, destroyed, unavailable
Software | stolen, copied, pirated       | impaired by Trojan horse, modified, tampered with        | deleted, misplaced, usage expired
Data     | disclosed, accessed, inferred | damaged (software error, hardware error, user error)     | deleted, misplaced, destroyed
People   |                               |                                                          | quit, retired, terminated, on vacation
Docs     |                               |                                                          | lost, stolen, destroyed
Supplies |                               |                                                          | lost, stolen, damaged

Causes of Vulnerabilities

Estimate Expected Loss
- Legal obligations for preserving confidentiality/integrity
- Business agreements on the expected service
- Cost due to public disclosure
- Benefit to competitor due to compromise of data
- Loss of future business, credibility
- Computational cost and outsourcing possibility
- Value to others from the data
- Cost of data recovery/reconstruction

Vulnerabilities to Controls

BCP
- BCP should include all critical resources
  - IT
  - People
  - Facilities
  - Specialized equipment
- BCP is a high-level concern for enterprises
  - Maintaining financial confidence
  - Reputation of the business

Phase 1: Business Impact and Risk Analysis
- Identify what the enterprise has at risk
- Which business processes are most critical
- Prioritize risk management and recovery investments
- Identify the enterprise's vulnerability to risks so that they can be mitigated in the project design phase

Phase 2: Develop and Implement Plan
- Develop recovery strategies and processes
- Create a team responsible for the daily operation of the processes
- Create detailed plans and procedures
- Two types of teams are possible:
  - First, a team of technical people who know what to do given an outline of a plan
  - Second, a team of people who will follow the given plans word-by-word
- A good team should include both types of members
- Select team members based on their availability, background, etc.

Phase 3: Maintain the Plan
- Plan must be tested and kept up to date
- Test the recovery plan before implementation to ensure requirements can be met
- Keep the plan current by initiating a review of every change to business processes or systems
- Test the plan to see when it will fail, not when it succeeds

Causes of Business Interruptions
- Computer virus (7%)
- Human error (32%)
- Software failure (14%)
- Hardware/system failure (44%)
- Site disaster (3%)
(Source: Computer Associates)

BCP Framework components
- Infrastructure Management
- IT Service Management
- Database and Application Management
- Storage Management
- And, at the center of it all, Security Management

Security Management Components
- Identity and Access Management
- Secure Content Management
- Integrated Threat Management
- Vulnerability and Remediation

Infrastructure Management
- IT asset discovery, inventory and life-cycle management
- Mapping of IT assets to business processes
- Operations management
- Business Service management

Deliver Support Monitor Measure Account

Storage Overheads
- Only 26% of data is of current use
- 19% is duplicate
- 43% is old data
- 7% is unused
- 5% has no owner
- Still, all data needs to be backed up
(Source: Computer Associates)

Storage Management
- Identify
- Classify
- Define
- Automate

Database and Application Management
- Data protection
- Security
- Performance and availability
- Access control and user provisioning
- Application performance management
- Data management, migration, optimization

Some Continuity Plans: Commercial Recovery Sites
- Hot site: a complete alternate data center where all hardware, software and facilities are available to the organization to recover its business
  - Comdisco, IBM, SunGard
- Cold site: space where an organization can set up operations during disaster times
- Mobile or Porta sites: small standalone units that can be brought to the end user for deployment

Services by Major Vendors

Some Continuity Plans: Data Storage and Software Backup
- Off-site storage: data is sent off-site using tapes, disks
- Electronic vaulting (or Advanced Recovery Services): an on-line storage capacity, where users can send data directly for backup