312 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
You should ensure that any test you undertake, whether technical (relating to
the operation of the IT systems) or nontechnical (relating to all associated activi-
ties), has clear objectives. For example, measure the time needed to get your main
IT system running following a disruption or to test how long it takes to contact all
key personnel in the event of a disaster. is will enable you to measure the success,
or otherwise, of each exercise and highlight areas in need of further attention.
Any initial testing should be followed by further tests on a regular basis. In
particular, details of any changes to IT systems should be included in the plan, and
tests should be undertaken on the new systems.
Over time, things change. Hardware components are replaced, software is
upgraded, networks are recongured, data sizes grow, and people come and go. All
this is a normal part of the life of an IT environment. And all of it can impact the
performance of your disaster recovery systems. Although these systems were fully
tested when rst installed, the dynamic nature of the environment makes it critical
that testing continues to take place regularly and that personnel training be up to
date. ere are many dierent types and levels of testing. Generally speaking, they
span two key dimensions: scope and realism.
Test Scope
Scope refers to the degree to which you are testing a full system or just individual
components, or whether you are testing individual platforms or end-to-end busi-
ness processes. Dene the boundary and identify the external links feeding data to
and receiving information from the bounded system.
Ensure that you have mapped all of the components, the people involved, the
applications used to process the data, and the platforms upon which the processing
takes place.
All systems have customers and suppliers whether they are internal or external
to your organization. Where possible, include your internal customers and suppli-
ers as they will be able to provide you with valuable information, and their presence
will assist in developing their understanding of how your systems work and where
the challenges lie in the event of an incident.
External customer-facing representatives should also be present wherever pos-
sible. eir input to helping you understand the business consequences of your
actions will also be invaluable. You may not be fully conversant with the details of
the Service Level Agreements and any penalty payments that may arise as a result
of downtime.
Book an appropriate location and invite representatives for all processes involved
in the scope. Where you have outsourced processes, on shore or o shore, it may not
be possible for those representatives to be physically present. You therefore need to
set up conference call facilities to enable them to participate.
Understanding BCP, DRP, and COOP ◾ 313
© 2011 by Taylor & Francis Group, LLC
Where your end-to-end business process is complex, you may nd that while
the individual components have developed BC and DR plans, there has never been
an opportunity to test multiple component failure. e results of conducting such
an exercise can be very revealing. Each component lead will vie for priority restora-
tion, not fully understanding where their component ts into the end-to-end busi-
ness process. Further, your RTOs for each component may not be realistic. Using
project management tools for dependencies and critical path analysis will reveal
the actual maximum downtime, which is clearly not the sum of all RTOs, as some
components may be recovered concurrently while others have dependencies and
can only be recovered consecutively or contiguously.
Tracking and mapping the component recovery during the test will provide you
with valuable information to update your BC and DR plans.
Realistic Testing
Realism refers to the degree to which you are performing exactly the procedures
that you would during a disaster—a classroom role-playing test in which you talk
through steps without actually doing them is one extreme and a full execution
is the other. In both cases, one side of the spectrum tends to be less expensive and
less disruptive to day-to-day operations, but also less reliable in its results.
In general, it is a good idea to do a mix. Less disruptive tests can be carried out
more often. Problems found and xed that way avoid the typically higher impact
and cost of nding the issues during a live test. e NIST guide states, “It is impor-
tant that a test never disrupts normal operations.” We would modify that. If never
disrupting normal operations means never performing a full disaster recovery exer-
cise, then it is necessary to occasionally disrupt normal operations. Such disruptive
tests should be kept to a minimum, perhaps once or a few times a year, as long as
component and subsystem testing are carried out more regularly. It is important to
remember that it is always less expensive to expose yourself to the cost of a full test
in a planned way than to discover during a disaster that a subtle missed dependency
leads you to being unable to recover at all. I should note nally that it is important
to be thinking about the testing side of your plan throughout the previous steps,
since testing represents a signicant part of the total cost of your disaster recovery
plan. In particular, when considering particular solutions and vendors, make test-
ability part of the evaluation process.
Proper training is equally vital. Training in disaster recovery procedures should
be considered part of the regular orientation of new hires if they have any role at all
in implementing the plan. Key disaster recovery personnel should undergo frequent
enough training that they are intimately familiar with the procedures that they will
have to carry out under the plan. As noted in the NIST guide, ideally they should
be trained well enough that they can execute their responsibilities without the aid
of the actual disaster recovery plan document.
314 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
Step 7: Plan Maintenance
If it is worth the money and eort to develop a disaster recovery plan, it is also worth
the eort to ensure that the plan accurately reects current requirements and sys-
tems. Otherwise, it is only a matter of time before the two diverge suciently to put
your capacity to recover from a disaster in real jeopardy. For the most part, this step
is beyond the scope of this document, but I oer one thought. ere are three natural
points at which the plan can be reviewed: during testing, in a regular annual or semi-
annual review devoted specically to the task of review, and when changes are made
in either the IT systems being protected or in the business processes they support.
e rst two fall directly under the purview of those responsible for disaster
recovery planning and so can be planned for directly. e last requires that con-
sideration of the impact of changes on the disaster recovery plan be introduced as
a standard consideration in procedures that are outside the scope of direct concern
of those responsible for the DR plan. As a result, it requires that, one way or another,
those responsible for changes in the systems take on a certain level of responsibility
for DR plan impact. While this may be dicult, it makes maintaining a correct
DR plan signicantly less costly than discovering changes later, through testing or
an annual review.
Section Summary
is section has considered the steps and challenges in developing the project plans
to develop the business continuity plan and the disaster recovery plan.
Third-Party Dependencies
Vendor Support Services
Having support services from your major vendors in place adds strong value to
disaster recovery planning. For example, specic managed hot standby sites or on-
site services with rapid response times can signicantly ease disaster recovery. Key
questions regarding vendor support include the following:
◾ Are support contracts in place?
◾ Has the disaster recovery plan been reviewed by the vendors, and are the
vendors included in the escalation processes?
◾ Does the vendor have sucient resources to support the disaster recovery?
Most vendors have experience handling disaster situations and can oer additional
support. Many organizations oer a wide range of service and support solutions and
can often assist with limiting downtime in the case of an unexpected outage.
Understanding BCP, DRP, and COOP ◾ 315
© 2011 by Taylor & Francis Group, LLC
Recovery Strategies
Methods of recovery might include the following:
◾ Carrying out activities manually until IT services are resumed
◾ Sta at an aected building moving to another location
◾ Agreeing with another business to use each other’s premises in the event of
a disaster
◾ Arranging to use IT services and accommodation provided by a specialist
third-party standby site
Types of Contingencies
1. In-house: e option with the least risk, but potentially the most expensive,
is to set up an in-house contingency. Such a facility could be put in for every-
thing from oce space or warehouse space to production environments.
Some advantages of this option would include the following:
N Facility is built to the exact required specications.
N Facility can be accessed without time constraints on occupation.
N Testing can be facilitated at any time or at any activation level.
Some disadvantages would include the following:
N Cost of the facility
N Depreciation of additional assets
N Maintenance and update requirements
2. ird-Party Contracts: Computing facilities that have a varying degree of
space or hardware in place to facilitate a recovery.
3. Cold Site: Usually consisting of a shell or computer room space with mini-
mum or little equipment already on the oor. Environmentals are usually in
place but not activated.
4. Warm Site: Computing facility that has some equipment available, although
it may not be powered up and running. Some special equipment may need to
be procured. Systems and applications have to be set up and installed.
5. Hot Site: Computing facility that matches your hardware/software/network
requirements and is loaded with your operating system. e equipment is up
and running at all times and, normally, secondary backup sites are available.
6. Reciprocal: If an organization enters into an agreement to assist another part
of the organization or a totally separate organization, then this is termed a
reciprocal arrangement. Such agreements for reciprocal recovery ensure that
should one site be aected, the facilities of the other become available to the
agreeing party. It should be noted that when one business relocates to another,
the impact of the disaster is sometimes exported to that second business.
316 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
Recommendations
Site
Selecting a location for your disaster recovery site is an important decision. Too
near your site of operations and the DR site could be impacted by the same event
as that which required the move in the rst place such as climate or environmental
disasters, political uprisings, war, or loss of utilities or services. However, selecting
Ownership In-house Contracted Ad-hoc
Recovery Time
Months • Rebuild or
relocate
• Extend
commercial
recovery site
contract
(if permitted)
• Rebuild, rent
or purchase
Weeks • Prefabricated
buildings on site
• Adapt buildings
from other users
• Expansion at
recovery site
• Contracted
prefabs and
mobile units
• Furnished
offices
• Subcontract
processes
Days • In-house
recovery site
• Budge-up
• Home-working
• Commercial
recovery site
• Reciprocal
agreements
• Mobile facilities
• Subcontract
processes
• Managed
officers
(if available)
Hours • Diverse locations
with staff
redeployed from
other tasks
• Relocate a small
team only to
contracted
commercial
recovery site
• None
Immediate • Diverse locations • Initiate
contracted
service
agreements
• None
Figure 4.12 Time to recover options.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.