
8 CISSPGuidetoSecurityEssentials_Ch04.pdf


Full Transcript

CISSP Guide to Security Essentials, Second Edition
Chapter 4: Business Continuity and Disaster Recovery Planning
© 2016 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Objectives
Running a business continuity and disaster recovery planning project
Developing business continuity and disaster recovery plans
Testing business continuity and disaster recovery plans
Training users
The business continuity and disaster recovery planning life cycle

What Is a Disaster?
Any natural or man-made event that disrupts the operations of a business in such a significant way that a considerable and coordinated effort is required to achieve a recovery.

Natural Disasters
Geological: earthquakes, volcanoes, lahars, tsunamis, landslides, and sinkholes
Meteorological: hurricanes, tornados, wind storms, hail, ice storms, snow storms, rainstorms, and lightning
Other: avalanches, fires, floods, meteors and meteorites, and solar storms
Health: widespread illnesses, quarantines, and pandemics

Man-Made Disasters
Labor: strikes, walkouts, and slow-downs that disrupt services and supplies
Social-political: war, terrorism, sabotage, vandalism, civil unrest, protests, demonstrations, cyber attacks, and blockades
Materials: fires, hazardous materials spills
Utilities: power failures, communications outages, water supply shortages, fuel shortages, and radioactive fallout from power plant accidents

How Disasters Affect Businesses
Casualties
  – Employees or their family members are killed, injured, frightened, or caring for others
Direct damage to facilities and equipment
Transportation infrastructure damage
  – Delays deliveries, supplies, employees going to work
Communications outages
Utilities outages

How BCP and DRP Support Data Security
Security pillars: C-I-A
  – Confidentiality
  – Integrity
  – Availability
BCP and DRP directly support availability

BCP and DRP Differences and Similarities
BCP
  – activities required to ensure the continuation of critical business processes in an organization
  – alternate personnel, equipment, and facilities
DRP
  – assessment, salvage, repair, and eventual restoration of damaged facilities and systems

Industry Standards Supporting BCP and DRP
ISO 27001: Code of Practice for Information Security Management. Section 14 addresses business continuity management.
ISO 27002: Code of Practice for Information Security Management. Section 14 addresses business continuity management.
ISO 22301: Business Continuity Management Systems.
NIST 800-34: Contingency Planning Guide for Information Technology Systems. Seven step process for BCP and DRP projects.
NFPA 1600: Standard on Disaster / Emergency Management and Business Continuity Programs.
NFPA 1620: The Recommended Practice for Pre-Incident Planning.
HIPAA: Requires a documented and tested disaster recovery plan.

Benefits of BCP and DRP Planning
Reduced risk
Process improvements
Improved organizational maturity
Improved availability and reliability
Marketplace advantage

The Role of Prevention
Not prevention of the disaster itself, but prevention of surprise and disorganized response
Reduction in impact of a disaster
  – Better equipment bracing
  – Better fire detection and suppression
  – Contingency plans that provide [near] continuous operation of critical business processes
  – Prevention of extended periods of downtime

Running a BCP/DRP Project
Pre-project activities
Perform a Business Impact Assessment (BIA)
Develop resumption and recovery plans
Test resumption and recovery plans

Pre-Project Activities
Obtain executive support
Formally define the scope of the project
Choose project team members
Develop a project plan
Develop a project charter

Performing a Business Impact Assessment
Survey critical processes
Perform threat, risk analyses
Develop key metrics
  – Maximum tolerable downtime, recovery time objective, recovery point objective
Develop impact statements
Perform criticality analysis

Survey In-Scope Business Processes
Develop interview / intake template
Interview a rep from each department
  – Identify all important processes
Identify dependencies on systems, people, equipment
Collate data into database or spreadsheets
  – Gives a big picture, all-company view

Threat and Risk Analysis
Identify threats, vulnerabilities, risks for each key process
  – Rank according to probability, impact, cost
  – Identify mitigating controls

Determine Maximum Tolerable Downtime (MTD)
For each business process
Identify the maximum time that each business process can be inoperative before significant damage or long-term viability is threatened
Probably an educated guess for many processes
Obtain senior management input to validate data
Publish into the same database / spreadsheet listing all business processes

Develop Statements of Impact
For each process, describe the impact on the rest of the organization if the process is incapacitated
Examples
  – inability to process payments
  – inability to produce invoices
  – inability to access customer data for support purposes

Record Other Key Metrics
Examples
  – Cost to operate the process
  – Cost of process downtime
  – Profit derived from the process
Useful for upcoming criticality analysis

Ascertain Current Continuity and Recovery Capabilities
For each business process
  – Identify documented continuity capabilities
  – Identify documented recovery capabilities
  – Identify UNdocumented capabilities
What if the disaster happened tomorrow

Develop Key Recovery Targets
Recovery time objective (RTO)
  – Period of time from disaster onset to resumption of business process
Recovery point objective (RPO)
  – Maximum period of data loss from onset of disaster counting backwards
Recovery consistency objective (RCO)
  – Measure of integrity and consistency of data in an emergency operations system as compared to original production system
Recovery capacity objective (RCapO)
  – Measure of processing capacity of emergency operations system as compared to original production system

Develop Key Recovery Targets (cont.)
Obtain senior management buyoff on MTD, RTO, RPO, RCO, and RCapO
Publish into the same database / spreadsheet listing all business processes

Sample Recovery Time Objectives
RPO            Technology(ies) required
8-14 days      New equipment, data recovery from backup
4-7 days       Cold systems, data recovery from backup
2-3 days       Warm systems, data recovery from backup
12-24 hours    Warm systems, recovery from high speed backup media
6-12 hours     Hot systems, recovery from high speed backup media
3-6 hours      Hot systems, data replication
1-3 hours      Clustering, data replication
< 1 hour       Clustering, near real time data replication

Criticality Analysis
Rank processes by criticality criteria
  – MTD (maximum tolerable downtime)
  – RTO (recovery time objective)
  – RPO (recovery point objective)
  – RCO (recovery consistency objective)
  – RCapO (recovery capacity objective)
  – Cost of downtime or other metrics
  – Qualitative criteria
      Reputation, market share, goodwill

Improving System and Process Resilience
For the most critical processes (based upon ranking in the criticality analysis)
  – Identify the biggest risks
  – Identify cost of mitigation
  – Can several mitigating controls be combined
  – Do mitigating controls follow best / common practices

Developing Business Continuity and Disaster Recovery Plans
For the most critical processes (based upon ranking in the criticality analysis)
  – Develop continuity plans and recovery plans
      Must meet RTO, RPO, RCO, and RCapO objectives
Develop budget for plan development
Develop budget for response and recovery effort
Revise as needed

Select Recovery Team Members
Selection criteria
  – Location of residence, relative to work and other key locations
  – Skills and experience (determines effectiveness)
  – Ability and willingness to respond
  – Health and family (determines probability to serve)
  – Identify backups
      Other team members, external resources

Emergency Response
Personnel safety: includes first-aid, searching for personnel, etc.
Evacuation: evacuation procedures to prevent any hazard to workers.
Asset protection: includes buildings, vehicles, and equipment.
Damage assessment: this could involve outside structural engineers to assess damage to buildings and equipment.
Emergency notification: response team communication, and keeping management and organization staff informed.

Damage Assessment and Salvage
Determine damage to buildings, equipment, utilities
  – Requires inside experts
  – Usually requires outside experts
      Civil engineers to inspect buildings
      Government building inspectors
Salvage
  – Identify working and salvageable assets
  – Cannibalize for parts or other uses

Notification
Many parties need to know the condition of the organization
  – Employees, suppliers, customers, regulators, authorities, shareholders, community
Methods of communication
  – Telephone call trees, web site, signage, media
  – Alternate means of communication must be identified

Personnel Safety
The number one concern in any disaster response operation
  – Emergency evacuation
  – Accounting for all personnel
  – Administering first-aid
  – Emergency supplies
      Water, food, blankets, shelters
      On-site employees could be stranded for several days

Communications
Communications essential during emergency operations
Considerations
  – Avoid common infrastructure
  – Diversify mobile services
  – Consider two-way radios
  – Consider satellite phones
  – Consider amateur radio

Public Utilities and Infrastructure
Often interrupted during a disaster
  – Electricity: emergency generation: UPS, generator
  – Water: building could be closed if no water is available
  – Natural gas: heating
  – Wastewater: if disabled, building could be closed
Emergency supplies
  – Drinking water, sanitation, spare parts, waste bins

Logistics and Supplies
Food and drinking water
Blankets and sleeping cots
Sanitation
Tools
Spare parts
Waste bins
Information
Communications

Business Resumption Planning
Alternate work locations
Alternate personnel
Communications
  – Emergency, support of business processes
Standby assets and equipment
Access to procedures, business records

Restoration and Recovery
Repairs to facilities, equipment
Replacement equipment
Restoration of utilities
Resumption of business operations in primary business facilities

Improving System Resilience and Recovery
Off-site media storage
  – Assurance of data recovery
Server clusters
  – Improved availability
  – Geographic clusters
Data replication
  – Hardware, OS, DBMS, application
  – Current data on multiple servers even in remote places

Training Staff
Everyday operations
Recovery procedures
Emergency procedures
Resumption procedures

Testing Business Continuity and Disaster Recovery Plans
Five levels of testing
  – Document review
  – Walkthrough
  – Simulation
  – Parallel test
  – Cutover test

Document Review
Review of recovery, operations, resumption plans and procedures
Performed by individuals
Provide feedback to document owners
Least impact, lowest risk, least benefit

Walkthrough
Group discussion of recovery, operations, resumption plans and procedures
Performed by teams
Brainstorming and discussion brings out new issues, ideas
Provide feedback to document owners
Low impact, lowest risk, moderate benefit

Simulation
Walkthrough of recovery, operations, resumption plans and procedures in a scripted “case study” or “scenario”
Performed by teams
Places participants in a mental disaster setting that helps them discern real issues more easily
Low impact, low risk, moderate benefit

Parallel Test
Full or partial workload is applied to recovery systems
Performed by teams
Tests actual system readiness and accuracy of procedures
Production systems continue to operate and support actual business processes
Moderate impact, low risk, moderate benefit

Cutover Test
Production systems are shut down or disconnected; recovery systems assume full actual workload
Performed by teams
Tests actual system readiness and accuracy of procedures and capacity of recovery systems
Moderate to high impact, high risk, high benefit

Maintaining Business Continuity and Disaster Recovery Plans
Events that necessitate review and modification of DRP and BCP procedures:
  – Changes in business processes and procedures
  – Changes to IT systems and applications
  – Changes in IT architecture
  – Additions to IT applications
  – Changes in service providers
  – Changes in organizational structure

Summary
Natural and man-made disasters affect businesses through direct damage, and damage to transportation and utilities.
BCP is concerned with continuation of processes; DRP is concerned with recovery of facilities.
Benefits of BCP and DRP include process improvement, reduced risk, and market advantage.

Summary (cont.)
The components of a Business Impact Assessment (BIA) are:
  – Inventory processes
  – Perform risk and threat assessment
  – Assign recovery targets
  – Perform criticality assessment

Summary (cont.)
Several key metrics are developed in a BIA:
  – MTD (maximum tolerable downtime)
  – RTO (recovery time objective)
  – RPO (recovery point objective)
  – RCO (recovery consistency objective)
  – RCapO (recovery capacity objective)
  – Possibly others (cost of downtime, recovery)

Summary (cont.)
The components of a DRP and BCP plan are:
  – Emergency response
  – Damage assessment and salvage
  – Communications
  – Personnel evacuation and safety
  – Restoration and recovery
  – Business resumption

Summary (cont.)
The types of BCP and DRP plan testing are:
  – Document review
  – Walkthrough
  – Simulation
  – Parallel test
  – Cutover test
