Video Content Lesson 6

Question 2

Business Continuity Plans (Project Scope)

Answer 2

Industry and Professional Standards
Legislative Compliance
Overview
Organization Analysis
Planning Team
Resource Requirements
Legal Requirements

Question 3

Industry and Professional Standards

Answer 3

National Standard on Preparedness (NFPA 1600)
ISO 17799 (Comprehensive set of controls comprising best practices in Information Security)
DSS (Defense Security Service) (Personnel Security Investigation, Industrial Security, Security Education)
NIST (National Institute of Standards and Technology)
Good Business Practice and Standard of Due Care (what would a reasonable man do under normal circumstances?)

Question 4

Legislative Compliance

Answer 4

HIPAA (Health Insurance Portability and Accountability Act) (document retention, mandatory document destruction)
GLB (Graham-Leach-Bliley) (protect customer information from any anticipated threats or hazards)
Patriot Act (several sections that require information be available when required)
International Regulations
Industry Regulations and Requirements

Question 5

Overview

Answer 5

Business Continuity Plan (BCP)
Ensures business can continue in the event of an interruption
4 Distinct Phases of BCP
1-Business Organization Analysis
2-Planning Team
3-Required Resource Assessment
4-Legal and Regulatory Resource Requirements

Question 6

Organization Analysis

Answer 6

Understand business and business practices
1-Critical Business Functions
2-Tangible and Intangible Value
Identify All Stakeholders in Business Continuity Plan (Operational Departments, Critical Support Services, Senior Executives)

Question 7

Planning Team

Answer 7

Involve personnel from various levels and areas in the organization
Consider representatives from (Core Services Departments, Critical Support Departments, IT Department, Security Department, Legal Department, Upper Management (requires support from them for time committments, interruption of regular service, budget))

Question 8

Resource Requirements

Answer 8

Planning team must fully consider all required resources
Budget to purchase resources (Time requirements)
BCP testing, training, and maintaining phase (may require substantial equipment purchases)
BCP Implementation (to enforce business continuity because it has been interrupted)

Question 9

Legal Requirements

Answer 9

Legal requirements may supersede business requirements
BCP may be required to be maintained according to published standards
Business may have contractual obligations to customers
BCP may be a contract stipulation
A sound BCP may satisfy due care and due diligence requirements

Question 10

Business Impact Analysis

Answer 10

Overview
Interruption
Resource Prioritization
Continuity Strategy
BCP Approval

Question 11

Overview

Answer 11

Identifies Critical resources and threats to those resources
1-Establish business priortie (Biggest business impact is top priority)
2-Risk assessment (identify and categorize risks, quantify as much as possible)
3-Identify Alternative means (can business be done a different way)

Question 12

Interruption

Answer 12

Loss of revenue/profits (some losses may be unrecoverable)
Loss of reputation (can customers trust be recovered?)
Legal or regulatory violations (penalties could be severe)

Question 13

Resource Prioritization

Answer 13

Business Unit Priorities (What business functions are the most important?)
Allocate BCP budget to most severe risks first, then countinue dow the prioritized list
Consider both qualitative and quantitative risk priority rankings

Question 14

Continuity Strategy

Answer 14

BCP team establishes procedures to protect provisions and processes (People are highest priority-no exceptions) (protect and provide for their immediate needs)
Building and facilities (protect facilities or offer alternatives)
Infrastructure (communications, protect and provide alternatives)

Question 15

BCP Approval

Answer 15

Put BCP together
Document BCP
Submit BCP for approval (ensure upper MGT fully endorses the plan)
Implement the BCP (Put all controls in place, Acquire and install any necessary hareward and software)
Train BCP participants

Question 16

DRP Planning and Recovery

Answer 16

Overview
Identification
Crisis management
Recovery
Data Center Alternatives
More Alternatives
Processing Agreement

Question 17

Overview

Answer 17

Disaster Recover Plan (DRP)
Restores Critical Business Functions after a disaster
The Goal is to restore to a point prior to the disaster
DRP picks up where the BCP stops
DRP covers disasters not specifically addressed in the BCP
Planning Team can be same as BCP team
Some organizations approach their BCP and DRP as a unified process

Question 18

Identification

Answer 18

Initial step of DRP is to identify possible disasters (Consider local factors, weather, seismic events, geography)
Natural disasters (Earthquakes, Floods, Storms (Hurricans, Tornadoes, Electrical Storms), Fires)
Man-made disasters (Fires, Bombing, Power or other utility outages, Terrorism, Hardware/Software failures, Strikes, Thefts)

Question 19

Crisis Management

Answer 19

1-Handle the Crisis First
In all cases, people are more important than the business
2-Follow the DRP (eliminates making decisions under pressure) (pilots use these)

Question 20

Recovery

Answer 20

How will the recovery be accomplished? (Rebuild ability for business to function–Recovery time objective (How long will it take?))
Recovery point objective (at what point is the recovery consider complete?)
Maximum tolerable downtime (How long can the business afford to be down?) (May be longer than recovery time objective)

Question 21

Data Center Alternatives

Answer 21

If We have LOST Data Center
Provide infrastructure for critical business processes
Identify Alternatives (Cold Site, Warm Site, Hot Site, Mobile Site, Selection Criteria)
Cold Site (bare room with basics, least expensive option, requires the most work and time to restore operations, takes 24 hours or more to bring up to working condition)
Warm Site (Cold Site Plus Computer Hardware, loaded basic operating software, pretty much ready to go with applying patches, etc. 12 hours to bring up)
Hot Site (Facility with the same hardware and software capabilities as the  primary data center, software and data are up to date, very expensive, administrators must keep both sites up to date, Short cutover time)
Mobile Site (Trailer as cold site or warm site)

Question 22

More Alternative

Answer 22

Selection Criteria (cost, maintenance overhead, maximum allowable downtime, if using warm/cold site bring system up must use all personnel and be NUMBER 1 Priority

Question 23

Process Agreement

Answer 23

Reciprocal agreement with a similar company (each company will be backup for the other company-potentially add you if problem arrises)
Mutual Processing agreement (Similar to above but share all the time)

Question 24

Recovery Plan

Answer 24

Emergency Response
Data Backup
Backup Types
Off-site Storage
Utilities
Logistics
Emergency Services

Question 25

Emergency Response

Answer 25

Develop checklists and train personnel how to use them
Notify Personnel of emergency
Work with others (IT, management, emergency workers, law enforcment)

Question 26

Data Backup

Answer 26

Recovery requires that a secondary copy of data exists (the purpose is to bring the data back up online) Backups and off-site storage (real-time replication, fault-tolerant mechanisms, logs) What must be backed up to recover from total loss? Identify it Operating system, software, and configuration and data files MUST be available How often do you back up? (dependent on volatility and recovery time Replication system Log-based replication

Question 27

Backup Types

Answer 27

Full backup Requires lots of Incremental Backup (time/date stamp changed since last backup) Differential Backup (backup to last full backup; less time to recover than using incremental backup) Online Backup (backup while database is online) Offline Backup (backup while database is offline)

Question 28

Off-site Storage

Answer 28

Proper storage facility for backups Geographically separate from primary source Environmentally-controlled Secure transport and storage Enter Software Escrow arrangements (protected copies of licensed software, protection from a disaster with the software provider)

Question 29

Utilities

Answer 29

External Communications (verify providers disaster plans) This includes data services Utilities (Electricity, Water, Telephone)

Question 30

Logistics

Answer 30

Able to Transport your goods? | Bringing goods in (provider may have strike)

Question 31

Emergency Services

Answer 31

Develop relationships with Fire, Medical, and Law Enforcement Document everything Make Document available and visible Planning for RESPONSE to a Disaster

Question 32

Recovery Plan Implementation

Answer 32

Make sure that it is formally adopted All Personnel are fully trained Test it

Question 33

Overview

Answer 33

Present the plan to upper managerment Plans success depends on top-down support Have upper MGT announce/unveil plan After acceptance, begin implementation process Make sure the plan is driven by upper MGT

Question 34

Training

Answer 34

First step in Implementation Make sure all participants understand how to fulfill their roles in the recovery process (Assign roles, make sure that each person is confortable with their role, ensure they know how to ful their roles) 2nd Step Conduct overall awareness campaigns (make everyone else aware of who the players are and what they will be doing should the plan be enacted) Make sure that all personnel are kept current Whenever configurations change, the disaster recovery plan has to be revisited, revalidated and should also change (any time any part of the plan is changed, let everyone know) Ensure all documentation is current and easily accessible

Question 35

Checklist Test

Answer 35

The last step is to test the plan Checklist test is simplest and easiest test (submit checklist to each team member, each DRP team member follows all of the steps and gives feedback, functions as a test and makes every member aware of what the checklists look like)

Question 36

Structured Walk-through

Answer 36

Next type of test (not full blown test but uses role playing around a table) Provides opportunities for immediate feedback and open discussion

Question 37

Simulation Test

Answer 37

``` Another test (takes role playing further DRP team evaluates specific scenarios and partially tests by simulating as much of the disaster as feasible without disrupting the business ```

Question 38

Parallel Test

Answer 38

Next Test Enables full processing functionality at the alternate site Warm/Cold site and bring it up to spead Let primary data center run but bring up alternate site to see how well it works

Question 39

Full-interruption Test

Answer 39

The only REAL test (others simulate) Pull plug on data center MUST have prior upper MGT support Can cause substantial business process interruption