Understanding BCP, DRP, and COOP ◾  297
© 2011 by Taylor & Francis Group, LLC
cannot ignore the threats that can occur by natural, terrorist, or other man-made
activities. Clearly the significance of this type of threat will be context and business
structure dependent and should be considered on an individual basis.
People-Based Threats
Pandemics
Pandemic has become a familiar term in the world of business continuity and disaster
recovery. Its literal meaning can be translated from its Greek origin as pan
meaning all and demos meaning people. The word has become associated with the
spread of infection that impacts the mass population, immobilizing workforces,
which threatens to undermine business operations.
Governments will impose travel restrictions to contain any outbreaks.
Employees will be distracted from their work over concerns for family and friends.
All of these issues provide a challenge to organizations that may be faced with
operating with a reduced workforce. Your business continuity and disaster recovery
strategies need to accommodate the need to transfer operations outside your
geographic location.
Industrial Action
Sociological and economic factors, and the level of acceptance of the implementation
of policy by management have influenced the level of industrial action among the
[Figure 4.8 Generic structure used to evaluate threats and vulnerabilities.
(Common Criteria for IT Security Evaluation, ISO, 1998.)
Diagram elements: Owners, Countermeasures, Vulnerabilities, Risk, Threat agents, Threats, Assets.]
298 ◾  Official (ISC)2® Guide to the ISSMP® CBK®
workforce. In recent years, the rate of industrial action has been variable. However,
this does not negate the need to include provision for alternative resources in the
event that industrial action could occur.
Separate from your business continuity and disaster recovery plans, you would
be advised to develop a set of industrial action plans for operational, tactical, and
strategic levels of your organization. Hopefully you will never have to employ them,
but at least you will be prepared.
Theft
The theft of components or IT, network, or other business assets is a criminal
offense and should be treated as such when you are conducting your investigation.
You should follow a forensic approach to securing your crime scene and collecting
data. The theft of a laptop or any small component may seem trivial; however, the
consequences can be significant.
An organization, which will remain anonymous, was conducting a planned
systems outage to service components. During the service, two brass cylinders were
removed and cleaned, then set aside to be reconnected the next day. However, an
enterprising employee realized that they could sell the cylinders for $75 each and
promptly increased their bank balance by doing so.
The cost to the organization was not $150. First the cylinders had to be ordered
and there was a lead-time of two weeks. The system could not be reconnected until
the cylinders were in place; the consequence was two weeks’ loss of productivity
and revenue generation. This sum totaled $500,000.
The organization had mitigated by taking insurance and promptly claimed for
the business losses. However, the insurance company deemed that the company was
complicit and negligent and thus no payment was made. This is a real example of
understanding the business impact and risk consequences to the end-to-end process.
Critical Business Processes
Business functions, processes, activities, and systems can be classified as core and
non-core. The core business functions/processes are those without which the business
would collapse. The non-core business functions/processes, activities, and systems
are those that provide support and improve effectiveness and efficiency. Their loss,
however, while impairing productivity, will not cause the collapse of the business.
Thus we should focus our primary attention on the design, development, and delivery
of BR, DR, and COOP for the core business functions. These become our
critical systems.
Once the critical needs have been documented, management can set priorities
within departments for the overall recovery of the organization. Activities of each
department could be given priorities in the following manner:
Essential activities: A disruption in service exceeding one day would seriously
jeopardize the operation of the organization.
Recommended activities: A disruption of service exceeding one week would
seriously jeopardize the operation of the organization.
Nonessential activities: This information would be convenient to have but
would not detract seriously from the operating capabilities if it were missing.
Recovery Time and Recovery Point Objectives (RTO and RPO)
Recovering both business processes and business systems in order of criticality to meeting
the business needs depends upon accurate plans and good communication.
RPOs are determined by the amount of data/transactions that can afford to be
lost. Possible RPO tiers are as follows:
Tier A: No data loss
Tier B: RPO of less than 24 hours
Tier C: RPO of last backup (in most cases will be 24–36 hours)
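The three RPO tiers above can be checked against a backup history. The following is an added example, not part of the original text: it computes the worst-case data-loss window for each system and compares it with the tier's limit. The system names, timestamps, and the sync_replica field are constructed for illustration, and the 36-hour limit for Tier C is this example's reading of "24–36 hours".

```python
from datetime import datetime, timedelta

# Tier limits as read from the list above (assumption: Tier C capped at 36 hours).
RPO_LIMIT = {"A": timedelta(0), "B": timedelta(hours=24), "C": timedelta(hours=36)}

def worst_exposure(backups, now):
    """Longest gap between consecutive backups, or from the last backup to now."""
    points = sorted(backups) + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def check_rpo(systems, now):
    """Return {name: (worst-case data-loss window, meets its tier)}."""
    report = {}
    for name, info in systems.items():
        if info.get("sync_replica"):      # hypothetical flag: synchronous replication
            exposure = timedelta(0)
        elif not info["backups"]:         # no backup at all: unbounded loss
            exposure = timedelta.max
        else:
            exposure = worst_exposure(info["backups"], now)
        limit = RPO_LIMIT[info["tier"]]
        # Tier B is "less than 24 hours" (strict); Tiers A and C allow equality.
        ok = exposure < limit if info["tier"] == "B" else exposure <= limit
        report[name] = (exposure, ok)
    return report

# Constructed sample data: successful backup completion times per system.
NOW = datetime(2024, 3, 4, 12, 0)
SYSTEMS = {
    "payments-db": {"tier": "A", "sync_replica": True, "backups": []},
    "crm":         {"tier": "A", "backups": [datetime(2024, 3, 4, 10),
                                             datetime(2024, 3, 4, 11)]},
    # The 3 March backup is missing, which opens a 48-hour window.
    "order-entry": {"tier": "B", "backups": [datetime(2024, 3, 1, 2),
                                             datetime(2024, 3, 2, 2),
                                             datetime(2024, 3, 4, 2)]},
    "hr-archive":  {"tier": "C", "backups": [datetime(2024, 3, 2, 2),
                                             datetime(2024, 3, 3, 2),
                                             datetime(2024, 3, 4, 2)]},
}

if __name__ == "__main__":
    for name, (exposure, ok) in check_rpo(SYSTEMS, NOW).items():
        print(f"{name:12} tier {SYSTEMS[name]['tier']}  worst window {exposure}  "
              f"{'meets RPO' if ok else 'VIOLATES RPO'}")
```

Periodic backups alone never satisfy Tier A, and a once-a-day schedule leaves a window of exactly 24 hours, which does not satisfy Tier B's "less than 24 hours".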
RTOs are usually tiered. You’ll need to look at your company’s unique requirements
as to how many tiers are appropriate for your organization—more than five
usually becomes unmanageable. An example would be four tiers for RTO.
RTO and RPO need to be defined whether you are recovering at your own
alternative data center or you are recovering at a cold or hot site operated by a third
party. Third-party providers now have advanced recovery services that can meet
high availability requirements for RTO and RPO.
As part of your strategic planning, you will need to determine the following answers
from the business owners who will assist you in determining RTO and RPO:
1. What does this business process use to do its work?
2. What resources (people, skill sets, other tools) are needed for this process to
continue to function in a disaster scenario?
3. What vital information flows through this business process, either from
another process or to another process? What other business processes are
dependent on the activities of this process?
4. What activities of the process can be done manually, if needed? What manual
work around procedures could be put in place to minimize either the financial
or nonfinancial impacts?
5. What would be the direct financial loss to your company if this business
process were not available for 24 hours? One week? Three weeks? How is this
loss calculated? What components contribute to this loss?
6. Does this business process have business cycles? Would a significant loss to
your company be different at different times of the year? What months are
critical? Are there times of the month that are more critical than others?
7. What is the business recovery plan? Are there subject-matter experts outside the
affected area who could process the work if critical employees are not available?
8. What are the negative impacts of the following nonfinancial concerns if this
process does not function for 24 hours? One week? Three weeks? Do your
disaster recovery time objectives meet your business requirements? What will
the impact be on the following areas:
a. Cash flow (generation of revenue)
b. Public image
c. Shareholder confidence
d. Financial reporting
e. Managerial control (for example, approval levels)
f. Productivity
g. Competitive advantages
h. Industry image
i. Customer service
j. Vendor relations
k. Legal/contractual violations
l. Regulatory requirements
m. Employee morale
n. Consumer confidence
9. For each day of outage, how long will it take to handle the backlog of work,
in addition to other daily work, when this process is back in operation?
10. What expenses would be incurred if this process were disrupted?
a. Temporary employees
b. Emergency purchases (supplies, office machines, etc.)
c. Rental/lease of equipment
d. Wages paid to idle staff
e. Overtime
f. Temporary relocation of employees to alternate business recovery location
(assume not working from home)
11. What other vulnerabilities and exposure exist with this business process?
In most circumstances, the definition of RTO and RPO will be an iterative
process. There is no absolute formula. There is also a negotiation process with the
business owner to balance the risk with the cost. That is, there may initially be a
requirement for a short RTO and RPO. But after weighing the costs of the solution,
the business owner may accept a longer RTO and RPO that would be less
costly. How much risk is the business owner willing to take for what cost?
As with other business continuity plan components, an annual review of the
RTO and RPO requirements should be done to capture changes to both the business
environment and the systems environment.
Risk Assessment and Management
If your organization does not already have a risk strategy, you should take the time
to work with the risk managers. Most large organizations have risk registers that
identify the risks in business terms; the consequences of those risks, usually financial
and damage to reputation; and mitigations. The mitigations are translated into
activities that can in turn be audited to ensure that they have been implemented
and are achieving the perceived results. (See Figures 4.9 and 4.10.)
If we choose to accept the risk and do nothing, we will need to prove that the
level of risk, the probability of an attack, and the level of damage have been calculated,
and that a cost/benefit analysis has been conducted for all possible control
mechanisms to provide evidence to demonstrate that the value of the asset does not
justify the cost of protection. In such instances, it is important to have recorded,
auditable proof that can be presented should the event occur.
[Figure 4.9 Risk reduction matrix. Axes: Impact (LOW to HIGH) and Probability (LOW to HIGH); highlighted quadrant: Reduce.]
Where the probability of a threat occurring is HIGH AND the impact to the security
of the information system is HIGH THEN steps should be taken to REDUCE the SEVERITY
of the loss by implementing appropriate security features.
[Figure 4.10 Risk acceptance matrix. Axes: Impact (LOW to HIGH) and Probability (LOW to HIGH); highlighted quadrant: Accept.]
Where the probability of a threat occurring is LOW AND the impact to the security
of the information system is LOW THEN generally, the COST to implement security
features will outweigh the value of the assets to be protected and the risk will be
ACCEPTED.