Chapter 21 - 01 - Understanding BC and DR Concepts PDF
Uploaded by barrejamesteacher
Summary
This document discusses business impact analysis (BIA) and disaster recovery (DR). It explains why an organization conducts a BIA and the process of performing one, including the phases of initiation, acquisition of information, analysis of information, documentation of findings, and presentation of the BIA report to management. It then defines the recovery time objective (RTO) and recovery point objective (RPO) that the BIA establishes and that drive the choice of DR technologies.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Business Continuity and Disaster Recovery

Business Impact Analysis

A business impact analysis (BIA) is a systematic process that determines and evaluates the potential effects of an interruption to critical business operations caused by a disaster, an accident, or an emergency, such as labor disputes, supplier failure, political turmoil, terrorist attacks, natural or man-made disasters, cyberattacks, and utility failures. The BIA ascertains the recovery time and the recovery requirements for various disaster scenarios. Since the BIA focuses on minimizing the effects of these risks, it should be included in the BCP. Specifically, the BIA has a planning component and an exploratory component: the former focuses on risk-reduction strategies, and the latter identifies vulnerabilities.

The BIA results in a report that helps an organization determine potential risks and their impacts on its critical assets; in other words, the BIA report provides a comprehensive description of the risks and of their impacts on business operations after a disruption.

The underlying assumption of a BIA is that while every component of an organization depends on the continuous functioning of every other component, some components are more crucial than others. These critical components should therefore receive a larger share of funding, and their recovery should be prioritized in the wake of a disaster. Overall, the due-diligence assessment performed in the BIA helps an organization develop a strategic plan of action for recovering from adverse events, which is why businesses conduct a BIA to strengthen their DR program.

Reasons for Conducting a Business Impact Analysis

= The BIA assists in decision-making in the event of operational interruptions caused by disasters.
= The BIA helps in allocating resources during the non-operational period.
= The BIA provides the criteria for testing an organization's recovery plans.

The Process of Performing a Business Impact Analysis

There are no fixed guidelines for conducting a BIA. Based on how most companies execute it, the multi-phase BIA process can be described as follows:

= Phase 1: Initiation of the BIA
A BIA is initiated upon the approval of the senior management. The initiation phase can be divided into two steps.
o Step 1: Describing the objectives and scope of the BIA. The organization should clarify its objective for conducting the BIA and the scope the analysis covers.
o Step 2: Forming a BIA project team. The senior management should form a separate team to conduct the BIA; for this purpose, it can either recruit skilled and knowledgeable personnel internally or outsource the BIA to a third party.

= Phase 2: Acquisition of Information
The BIA project team gathers information through methods such as interviews and questionnaire surveys. Questionnaires are extensively used as survey tools; in this context, a questionnaire consists of a set of targeted questions that assess the potential effects of an interruption or disruption and identify the assets that are critical to different business functions. The collected information is reviewed, documented in a clear and coherent manner, re-evaluated for accuracy, and summarized in tables, schedules, and diagrams.

= Phase 3: Analysis of Information
The collected information is evaluated and reviewed manually or screened by computer systems. The objectives of the review are as follows:
o To produce a prioritized list of business processes or functions, with the most important ones at the top of the list.
o To determine the technology and personnel required to maintain operations at an optimal level.
o To establish the length of time, or recovery time frame, required to recover each function or process and restore organizational operations.

= Phase 4: Documentation of Findings
The findings are documented and the BIA report is prepared.

= Phase 5: Presentation of the BIA Report to the Management
The final BIA report is submitted to the senior management for decision-making. The senior management relies on the BIA report for developing strategies for the DRP and formulating a BCP. Since the BIA establishes the recovery point objectives (RPOs) and recovery time objectives (RTOs), it serves as the starting point for developing a DR strategy.

Recovery Time Objective

A recovery time objective (RTO) is the maximum tolerable length of time that a computer, system, network, or application can remain non-functional after a failure or disaster. Such disruptions or outages can also be caused by single points of failure, which can be minimized by reducing the number of dependencies in a system or application design so that a weakness at one point cannot affect other points.

The RTO is established by the process owner during the BIA. It is a target, not a measurement: it states how quickly the organization must recover a service and the supporting IT infrastructure after a disaster, that is, how long it may take to return to pre-disaster operational levels. The time actually taken to repair and restore (the mean time to repair, MTTR) is compared against the RTO to judge whether a recovery met the objective. An RTO is expressed in seconds, minutes, hours, or days, and it is counted from the start of the disruption. An RTO of 45 minutes means that IT operations must be restored within 45 minutes of the disruption; if the organization fails to restore the infrastructure and data within that time, the business may suffer an irreparable loss. The RTO therefore determines the extent to which a disaster interrupts normal operations and the resulting loss of revenue per unit of time, which makes it crucial to the DRP. These factors depend entirely on the affected application(s) and equipment.

Several studies have examined the cost of application downtime. They indicate that the cost depends on immediate, short-term, tangible factors as well as on long-term, intangible effects, and that the right DR technologies can minimize downtime costs. Pre-defining the RTO for an application helps a security professional select DR technologies capable of restoring the application within that time. For example, redundant data backups on external hard drives may be the best DR solution for an application with an RTO of 60 minutes, whereas offsite storage on a remote web server or a recordable compact disk may be adequate for an application with an RTO of 4 days (96 hours).

Recovery Point Objective

A recovery point objective (RPO) is the maximum time frame of data that an organization can afford to lose after a major IT outage; it determines the acceptable amount of data loss an enterprise can suffer in case of a disruption. Every organization must determine how long it can operate without the required data before suffering a failure. The RPO sets goals for designing BC, DR, and high-availability (HA) solutions, and hence it is crucial to the DRP.

Expressed in seconds, minutes, hours, or days, the RPO is measured backwards from the moment the hosting services become unavailable to the most recent point from which data can be restored. Pre-defining the RPO for a system therefore fixes the minimum backup frequency: the interval between backups must not exceed the RPO. Like the RTO, the RPO lets the security professional choose suitable procedures and DR technologies for a system. For example, backups every 3 hours on external redundant hard drives are suitable for a system with an RPO of 3 hours, and backups at 96-hour intervals on recordable compact disk or tape are considered suitable for a system with an RPO of 4 days (96 hours). Note that the interval is only an upper bound: data written while a backup job is still running, or after a job that failed, is not in the last usable copy, so the interval should be set with some margin below the RPO.

Module 21 Page 2318 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
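As an added example that is not part of the course material, the following Python code applies the RTO and RPO definitions above to a constructed backup schedule and outage timeline. It shows two points the prose only states: data loss is measured from the last backup that actually completed before the outage, so a 3-hourly job sized to a 3-hour RPO misses the objective when the outage lands while a job is running, and recovery time is counted from the moment the service went down rather than from the moment the outage was detected. The timestamps, the 20-minute job duration, the 3-hour RPO and the 45-minute RTO are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Backup:
    started: datetime             # snapshot time: data written after this is not in the copy
    finished: Optional[datetime]  # None = the job never completed, so it is not restorable


@dataclass(frozen=True)
class Outage:
    began: datetime      # moment the service became unavailable
    detected: datetime   # moment operations noticed (informational; not used for RTO)
    restored: datetime   # moment the service was back at pre-disaster levels


def last_recovery_point(backups: List[Backup], outage_began: datetime) -> Optional[datetime]:
    """Snapshot time of the most recent backup that had *completed* before the
    outage began. A job still running when the outage hit, or one that failed,
    is not a usable recovery point."""
    usable = [b.started for b in backups
              if b.finished is not None and b.finished <= outage_began]
    return max(usable) if usable else None


def data_loss(backups: List[Backup], outage_began: datetime) -> Optional[timedelta]:
    """Actual data loss for this outage: from the last usable recovery point
    to the start of the outage. None means there is nothing to restore from."""
    point = last_recovery_point(backups, outage_began)
    return None if point is None else outage_began - point


def meets_rpo(backups: List[Backup], outage_began: datetime, rpo: timedelta) -> bool:
    loss = data_loss(backups, outage_began)
    return loss is not None and loss <= rpo


def worst_case_loss(interval: timedelta, job_duration: timedelta) -> timedelta:
    """Planning figure: with a backup every `interval` that takes `job_duration`
    to complete, an outage just before a job finishes loses interval + duration
    of data, so the interval must sit below the RPO by at least the job duration."""
    return interval + job_duration


def recovery_time(outage: Outage) -> timedelta:
    """Actual time to restore, counted from when the service went down,
    not from when the outage was detected."""
    return outage.restored - outage.began


def meets_rto(outage: Outage, rto: timedelta) -> bool:
    return recovery_time(outage) <= rto


def as_minutes(td: Optional[timedelta]) -> Optional[int]:
    return None if td is None else int(td.total_seconds() // 60)


# Constructed sample data (assumptions, not taken from the course material):
# a 3-hourly backup job that takes 20 minutes, an RPO of 3 hours, an RTO of 45 minutes.
T0 = datetime(2024, 1, 1, 0, 0)
RPO = timedelta(hours=3)
RTO = timedelta(minutes=45)
SAMPLE_BACKUPS = [
    Backup(T0, T0 + timedelta(minutes=20)),                                # 00:00-00:20
    Backup(T0 + timedelta(hours=3), T0 + timedelta(hours=3, minutes=20)),  # 03:00-03:20
    Backup(T0 + timedelta(hours=6), None),                                 # 06:00, running when the outage hit
]
SAMPLE_OUTAGE = Outage(
    began=T0 + timedelta(hours=6, minutes=15),
    detected=T0 + timedelta(hours=6, minutes=40),
    restored=T0 + timedelta(hours=7, minutes=5),
)

if __name__ == "__main__":
    loss = data_loss(SAMPLE_BACKUPS, SAMPLE_OUTAGE.began)
    print(f"data lost: {as_minutes(loss)} min; RPO met: {meets_rpo(SAMPLE_BACKUPS, SAMPLE_OUTAGE.began, RPO)}")
    print(f"recovery took: {as_minutes(recovery_time(SAMPLE_OUTAGE))} min; RTO met: {meets_rto(SAMPLE_OUTAGE, RTO)}")
    print(f"worst-case loss for this schedule: "
          f"{as_minutes(worst_case_loss(timedelta(hours=3), timedelta(minutes=20)))} min")
```

With the sample schedule the outage at 06:15 can only be recovered to the 03:00 snapshot, a 195-minute loss against a 180-minute RPO, and the 50-minute restore misses the 45-minute RTO even though only 25 minutes elapsed after detection. The worst_case_loss helper is the planning check: a 3-hour interval plus a 20-minute job gives a 200-minute exposure, so the schedule, not just the RPO figure, must be adjusted.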