Understanding BCP, DRP, and COOP ◾  287
© 2011 by Taylor & Francis Group, LLC
3. Cost and Risk
   Utilize current infrastructure (leverage investment in hardware, software, personnel)
   The risk is overtaxing resources
   Outsourced infrastructure (including overtaxing and access security)
   Shared responsibility (supply chain partners)
4. Retention Period/Compliance Policy
   Day-to-day
   Monthly
   Periodic within or at yearly intervals
   1, 3, 5, … year intervals
288 ◾  Official (ISC)²® Guide to the ISSMP® CBK®
The cost for any outage can be calculated using a variety of data. For example, if you are processing customer orders, you can calculate the total value of historic order levels against your recovery time objectives. Remember to add in any penalty payments.
What are the points of contact between the current process or system and any other systems on which it depends? The answer to this question gives us the next layer of the onion and how it interfaces with the current one. For example, the sales process may involve personnel working with a customer relationship management (CRM) system. The point of contact there may be via a Web portal into the CRM application.
The CRM application is itself a system that may consist of Web servers, CRM application servers, and database servers, all with the portal as a point of contact with the sales process. Later you may consider the CRM layer and its points of contact with, for example, the storage systems, if they are administered separately. At the end of the chain, of course, are basic infrastructure resources and systems such as electric power, telecommunications connections, and environmental control systems; these must be considered as well since they may well be impacted by some of the disruptions for which contingency planning is being undertaken.
What are the critical roles in the process? The point of this information is twofold. First, in many cases these roles must be taken into account for recovery. If a process requires the intervention of a person for monitoring, management, analysis, or maintenance on a regular basis, how long can the process run without that role in a crisis? For IT systems, in particular, there may be IT administrator roles that will play a critical part both in the recovery and in running systems for the duration of the crisis. The second reason these roles are important is that the people in them represent critical sources of information for determining system dependencies and requirements. These are the people who must be closely involved both in this phase of the planning and in subsequent testing.
Essentially, the same analysis should be performed for data and roles. Again, what is the impact that results from unavailability or loss of data or from the inability of someone to fulfill a specific role? In the latter case, this may occur because the person is injured or otherwise prevented from performing his or her duties, but it may also be a result of the lack of access. If an epidemic were to occur, for example, so that people were required to work from home, as happened during the SARS epidemic in 2003, people might be quite capable of working, but unable to do so because they lack access to the resources they need.
Carrying out this sequence of analyses yields, in effect, a full chart of dependencies that runs from the outermost layer of business processes to the innermost layer of core infrastructure on resources, people, and data. This is a very valuable tool for later test development and maintenance and should be included in the disaster recovery plan in the System Description and Architecture section described later.
Once this analysis is complete, it is time to develop recovery priorities for IT systems and individual components, beginning with the latter. This task is straightforward if the work described in this section has been done thoroughly, since the priorities follow naturally from the outage impact and allowable outage times recorded for each component. There are many possible scales that may be used for labelling priorities, from a simple high-medium-low qualitative scale to a numerical scale to a scale more focused on business impact, such as “customer-facing high” versus “management and control” versus “low priority maintenance.” Whatever scale you use, it is important that the scale be uniform across all systems based on business impact. In some cases it may be all right to use a different scale internally within a process or system, as long as system-level values remain mutually consistent.
Recovery priorities must be developed at the system level as well. Consistency is
obviously vital—it will not work for one system to have a higher priority than another
system on which it critically depends, unless it can continue to function without the
dependency at an acceptable level. It is convenient to transfer system level priorities
to a Master System Information Form (SIF), which lists each system together with
a very brief description of its purpose, the recovery priority, maximum outage time
and business impact, major dependencies on other systems, and a brief description
of the recovery strategy after it has been developed in Step 4.
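The consistency rule above can be checked mechanically once the Master SIF exists. The following is an added example, not taken from the book: it models SIF rows as Python records, flags any system whose rating contradicts a critical dependency, and derives a recovery order. The field names, the numeric scale (1 = recover first), the critical/non-critical flag and the sample systems are all assumptions.

```python
import heapq
from dataclasses import dataclass, field
from graphlib import TopologicalSorter  # Python 3.9+

@dataclass
class SIFEntry:
    """One Master SIF row; field names and scale are assumptions for this example."""
    name: str
    priority: int            # 1 = recover first, larger numbers = lower priority
    max_outage_hours: float  # allowable outage time from the impact analysis
    depends_on: dict = field(default_factory=dict)  # dependency -> True if critical

def check_sif(entries):
    """List every place where a system's rating contradicts a critical dependency."""
    by_name = {e.name: e for e in entries}
    findings = []
    for e in entries:
        for dep, critical in e.depends_on.items():
            d = by_name.get(dep)
            if d is None:
                findings.append(f"{e.name}: dependency {dep} has no SIF entry")
            elif critical and d.priority > e.priority:
                findings.append(f"{e.name}: P{e.priority} outranks critical dependency {dep} (P{d.priority})")
            if d and critical and d.max_outage_hours > e.max_outage_hours:
                findings.append(f"{e.name}: allows {e.max_outage_hours}h but {dep} may be out {d.max_outage_hours}h")
    return findings

def recovery_order(entries):
    """Critical dependencies first, then best priority among the systems that are ready."""
    by_name = {e.name: e for e in entries}
    ts = TopologicalSorter({e.name: [d for d, crit in e.depends_on.items()
                                     if crit and d in by_name] for e in entries})
    ts.prepare()  # raises graphlib.CycleError if critical dependencies are circular
    ready, order = [], []
    while ts.is_active():
        for n in ts.get_ready():
            heapq.heappush(ready, (by_name[n].priority, by_name[n].max_outage_hours, n))
        name = heapq.heappop(ready)[2]
        order.append(name)
        ts.done(name)
    return order

# Constructed sample rows, loosely following the sales/CRM chain used in the text.
SAMPLE_SIF = [
    SIFEntry("storage", 1, 2),
    SIFEntry("crm_db", 1, 4, {"storage": True}),
    SIFEntry("crm_app", 2, 8, {"crm_db": True}),            # rated too low on purpose
    SIFEntry("sales_portal", 1, 4, {"crm_app": True}),
    SIFEntry("reporting", 3, 72, {"crm_db": False}),        # can run without crm_db
]
```

Running `check_sif(SAMPLE_SIF)` reports the portal twice, once for priority and once for outage time; a dependency marked non-critical corresponds to the text's exception for a system that can continue at an acceptable level without it.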
Planning, Designing, and Development of Plans
The planning process for developing the business continuity plan (BCP) and the disaster recovery plan (DRP) is not too dissimilar to any other project planning activity.
Step 1. Develop the Planning Policy Statement
Step 2. Conduct a Business Impact Analysis
Step 3. Conduct a Risk Assessment
Step 4. Develop Detailed Plans
Step 1: Develop the Planning Policy Statement
Consensus by executive board members and a collective understanding that there is a need for business continuity and disaster recovery is a realization that does not come easily within many organizations, yet it is critical for continuity of operations and mitigation against loss of business. This realization often comes too late. Take for example the IRA bombing at Canary Wharf in February 1996. The immediate damage to buildings was estimated at £85 million. The consequential loss to businesses that were unable to continue operations following their evacuation has never been reported. None, however, had the ability to move operations in a timely manner.
The “it will never happen to us” attitude to providing a level of business insurance has for many organizations changed as the impact of political and natural incidents is reported in the press and the consequences illuminated.
The Planning Policy Statement should identify the organization’s overall contingency objectives and provide a framework and the individual responsibilities for contingency measures. These measures fall into a number of categories and will vary from organization to organization depending on culture, political stance, market sector, and whether public or private sector. The following are examples of what you might include but are by no means a definitive list.
Aligning to your ethics as a CISSP, clearly a primary inclusion should be to protect human life. Thus your policy needs to identify this as a priority statement.
Minimizing loss and risk to the organization and maximizing the ability to recover will naturally form a part of your policy plan, as without either of these there will be no business. This may sound obvious, yet how many times do we overlook the obvious while focusing on what are actually less business-critical issues?
We live in a litigious world where alleged breaches of contract and subsequent fiscal penalties can lead to the demise of organizations that do not have the ability to pay. Further, in the UK, inappropriate handling of information can lead to fines by the Information Commissioner’s Office and consequential brand damage which could, with the right planning policy, have been mitigated; thus maintaining customer confidence and goodwill can be critical to business continuity.
So, in our policy plan, we need to define from a strategic perspective what is at stake if we fail to plan. We can identify from a holistic perspective an overview of a preliminary business impact analysis. Different incidents will affect different organizations in different ways and to greater and lesser extents.
Finally, we need to think about a recovery strategy. Consider what would be most appropriate for your organization structure. Perhaps you work in a global organization; you might consider a recovery strategy that employs resources from across the globe rather than in a similar geographic location. Of course, your recovery strategy will reflect the maturity, the size of your organization, and the nature of your business.
Developing the strategic policy plan will not be an easy task and will require
input and agreement from all board members. Your role will be to convince each
of its importance to the continued survival of your organization. However, once
completed, you can then start the journey to develop the granular level of detail
that will give your policy life.
Step 2: Business Impact Analysis
The rationale for undertaking the construction of business continuity and disaster recovery plans is based on the precept that at some point in time something may occur that will affect the business, potentially leading to damage to brand reputation, financial loss, or loss of human life. The consequence of such outcomes can be mitigated to some extent, as discussed during your CISSP education.
This section starts with a refresher to refamiliarize your understanding of risk, risk management, and possible risk strategies that could influence the development of your plans.
Determining Critical Needs
To determine the critical needs of the organization, each department should docu-
ment all the functions performed within that department. An analysis over a period
of two weeks to one month can indicate the principal functions performed inside
and outside the department, and assist in identifying the necessary data require-
ments for the department to conduct its daily operations satisfactorily. Some of the
diagnostic questions that can be asked include the following:
1. If a disaster occurred, how long could the department function without the
existing equipment and departmental organization?
2. What are the high priority tasks including critical manual functions and pro-
cesses in the department? How often are these tasks performed, e.g., daily,
weekly, monthly, etc.?
3. What staffing, equipment, forms, and supplies would be necessary to perform the high priority tasks?
4. How would the critical equipment, forms, and supplies be replaced in a
disaster situation?
5. Does any of the above information require long lead times for replacement?
6. What reference manuals and operating procedure manuals are used in the
department? How would these be replaced in the event of a disaster?
7. Should any forms, supplies, equipment, procedure manuals, or reference
manuals from the department be stored in an off-site location?
8. Identify the storage and security of original documents. How would this
information be replaced in the event of a disaster? Should any of this infor-
mation be in a more protected location?
9. What are the current microcomputer backup procedures? Have the backups
been restored? Should any critical backup copies be stored off site?
10. What would the temporary operating procedures be in the event of a disaster?
11. How would other departments be affected by an interruption in the department?
12. What effect would a disaster at the main computer have on the department?
13. What outside services/vendors are relied on for normal operation?
14. Would a disaster in the department jeopardize any legal requirements for
reporting?
15. Are job descriptions available and current for the department?
16. Are department personnel cross-trained?
17. Who would be responsible for maintaining the department’s contingency plan?
18. Are there other concerns related to planning for disaster recovery?