Prepared: 05/30/22 1 Corp. AWS Overview Security & Business Continuity

Disaster Biz Resumpt


Page 1: Disaster Biz Resumpt

Prepared: 04/13/23 1

Corp. AWS Overview

Security & Business Continuity


Introduction

To preserve the business in the face of major disruptions to normal business operations.

Describe objectives of the domain:
– Theoretical
– Practical
– Significance


Domain Topics

– BCP vs. DRP
– BIAs
– Contingency Planning
– End User Environment
– Backup Alternatives
– Recovery and Restoration
– Choosing a Software Backup Facility
– Testing and Drills
– Emergency Response


Information Security Requirements

BCP and DRP are part of the Security Policy and Program. The policy statement is set by executive staff. It is not optional, and it must include the business. This is true at Corp.


BCP vs. DRP

Business Continuity Planning addresses the need to maintain the business until the situation returns to normal (the pre-disaster situation).

Disaster Recovery Planning is aimed at minimizing the effects of an impact and ensuring that resources, personnel, and business processes are able to resume in a timely manner.

BCP’s goal is to keep the business running; DRP’s goal is to resume a lost part of the business. Losing a system does not by itself mean you invoke BCP:
– E.g. server crash, 4 hour SLA, 2 hour rebuild
– E.g. system crash, 3 hour failover & expense, 5 hour recovery


Cohesive Response

Response teams:
– Emergency Management Team
– Crisis Management Team
– Business Resumption
– Business Resumption Resource Support Team

Functions involved:
– Vital Records
– Facilities Services
– Information Technology
– Communications
– Purchasing / Maintenance
– Space Planning
– Security


Business Impact Analysis

A BIA is performed before a plan is written to identify the areas that would suffer the greatest financial or operational loss in the event of a disaster or disruption.

How?
• develop materials
• gather information (quantitative & qualitative)
• analyze and interpret
• prepare and recommend

Corp. Practice: Corp. completed an initial BIA in December of 2001. It has a red cover and was compiled from 200+ key business personnel. Managed at IT Staff and Audit Level.


BIA cont.

Major deliverable
– Identify vulnerabilities


Establishment of Priorities

Organizing when to do what.

Resource limitations:
– facilities
– people
– hardware
– backup

Corp. Practice: We have tiered priorities and people response. We are taking that down to a view per site and datacenter.


Critical Business Functions

What is most important to a company. Identified by senior management. Supports or defines the mission of the company. Almost always the money chain. Measured in cost per hour of downtime.


Business Processes (examples):
– Create Requisition
– Issue P.O.
– Manage Purchase Order
– Manage Receiving Variances
– Manage Contracts
– Request Supplier Quote (RFQ)
– Certify Suppliers
– Maintain Supplier Master Data
– Manage Supplier Performance
– Disposition Unneeded Material
– Manage Replenishment Programs
– Review Stock Status
– Create Labor Resource Plan
– Create Local/Factory Capacity Plan
– Evaluate Global Capacity
– Create Detailed Factory Plan
– Create Production Order
– Request Materials
– Develop Inventory Strategy
– Manage Global Inventory Levels

Macro processes: ORDER, BUILD, SHIP, CLOSE/PAY

Processes to Plans

Identify Business Processes → Select Required Functions → Identify Macro Processes → Develop Plans


Emergency Response

Save lives; this is not a recovery exercise. Reduce further injuries. Secure the facilities. Contain the situation.

Corp. Practice:


Crisis Management

Coordinated disaster response. To mitigate further disruptions: containment, secure facilities, coordinate and control external communications and activities.

Corp. Practice: CEOC - super event. EOC - Life and Limb. IT-ERP is the team for IT.


Emergency Assessment

Understand the impact Determine the correct response

Corp. Practice: Done at the site level.


External Communications

Media Training Impact Perception vs. Reality

Corp. Practice: No one should talk to the press unless they have been approved and trained to do so.


Containment Priorities

Life and Limb Assets Records


Training/Testing/Drilling

– Checklist Test (Contact and part of SWT)
– Structured Walkthrough (Structured Walkthrough)
– Simulation (Functional)
– Parallel (Functional)
– Full-Interruption (Integrated)

Prepare people to react, respond, and resume operations under stressful and time-critical situations. Mature our skill levels.

Corp. Practice: Contact test done quarterly, Structured Walkthroughs at least twice a year, Functional Test at least yearly, Integrated test performed once every two years.


Test Types – Contact Verification

Validate information for:
– Employees
– Team members
– Emergency Authorities
– Vendor representatives
– Customer representatives
– Business partners
– Media outlets / silos
– Other stakeholders

Verify available contact elements: Street Address, Cellular, Pager, Work, Home


Recovery Plan Development

BIA, SPOFs, Mitigation, Strategy, Priority, Scope, Approvals

Written for the recovery team. More generic.

Corp. Practice: BIA, SPOF Analysis, Strategy, Priority, Approval, Scope, Plan Creation (Process, Team, Positions, Tasks, Resources), Peer Review (SWC), Contact Test


Documentation

How to recover. Essential steps. Written for a specific audience. Aims to document critical decisions before the crisis.

Corp. Practice: The system of record for IT is XXXXX. The business uses MS Word. When they automate further, it will be in the XXXx system.


Logistics and Supplies

Coordinated response for people to get the needed resources delivered to meet the recovery priorities and recovery objectives.

Why?
– Predefined, streamlined processes provide real-time response instead of the normal approval cycles, which may have broken down when the disaster occurred.

Corp. Practice: Driven by Priorities. Simplified to remove processes like procurement and approvals.


Data Recovery

RPO – Recovery Point Objective
Recovery Priorities

Corp. Practice: IT staff has stated that we want no data loss. It hasn’t been funded. Recovery priorities are being set per data center.


Backups and Offsite Storage

Types
– Full – everything
– Incremental – files modified since the last backup of any kind
– Differential – everything modified since the last full

Methods

Backup Facility
– accessible in your timeframes to recover
– available on demand
– fire “proof”

Corp. Practice: Strategy is undergoing major revisions. IT is your best source for program information.
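The two slides above give the definitions (full, incremental, differential; RPO) but not the consequences for recovery. The following Python is an added example, not code from the deck or from Corp.; it assumes only the standard library, and the file set (FILES), the backup histories (HISTORY, DIFF_HISTORY) and the failure scenario (NOW, RPO) are constructed values. It shows which files each backup type copies, which sets must be replayed (and in what order) to restore, and how the gap since the last backup compares against the RPO.

```python
from datetime import datetime, timedelta

# Constructed sample file set (path -> last-modified time); not real data.
FILES = {
    "db/orders.dat": datetime(2023, 4, 10, 9, 0),
    "db/customers.dat": datetime(2023, 4, 12, 14, 30),
    "erp/config.xml": datetime(2023, 4, 13, 8, 15),
    "erp/journal.log": datetime(2023, 4, 14, 23, 59),
}

# Constructed backup histories, oldest first: (time taken, kind).
HISTORY = [
    (datetime(2023, 4, 9, 2, 0), "full"),
    (datetime(2023, 4, 11, 2, 0), "incremental"),
    (datetime(2023, 4, 13, 2, 0), "incremental"),
]
DIFF_HISTORY = [
    (datetime(2023, 4, 9, 2, 0), "full"),
    (datetime(2023, 4, 11, 2, 0), "differential"),
    (datetime(2023, 4, 13, 2, 0), "differential"),
]

# Constructed scenario: the moment of failure and the target RPO.
NOW = datetime(2023, 4, 15, 0, 0)
RPO = timedelta(hours=24)


def select_files(kind, files, history):
    """Files a new backup of `kind` copies, using the slide's definitions:
    full = everything; incremental = modified since the last backup of any
    kind; differential = modified since the last full."""
    if kind == "full":
        return sorted(files)
    fulls = [ts for ts, k in history if k == "full"]
    if not fulls:
        raise ValueError("incremental/differential need a prior full backup")
    if kind == "incremental":
        since = history[-1][0]
    elif kind == "differential":
        since = max(fulls)
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    return sorted(path for path, mtime in files.items() if mtime > since)


def restore_chain(history):
    """Backup sets to apply, in order, to reach the latest recoverable point."""
    full_positions = [i for i, (_, k) in enumerate(history) if k == "full"]
    if not full_positions:
        raise ValueError("no full backup to anchor the restore")
    last_full = full_positions[-1]
    chain = [history[last_full]]
    later = history[last_full + 1:]
    # The newest differential already holds everything since the full, so it
    # stands in for every incremental or differential taken before it.
    diff_positions = [i for i, (_, k) in enumerate(later) if k == "differential"]
    start = 0
    if diff_positions:
        chain.append(later[diff_positions[-1]])
        start = diff_positions[-1] + 1
    # Incrementals after that point each hold only one interval of changes,
    # so every one of them must be applied, oldest first.
    chain.extend(entry for entry in later[start:] if entry[1] == "incremental")
    return chain


def data_at_risk(history, now):
    """Worst-case data loss if the system fails at `now`: the time elapsed
    since the most recent backup of any kind."""
    return now - max(ts for ts, _ in history)


def meets_rpo(history, now, rpo):
    """True when the backup schedule keeps the loss window within the RPO."""
    return data_at_risk(history, now) <= rpo


if __name__ == "__main__":
    for kind in ("full", "incremental", "differential"):
        print(f"{kind:12s} would copy: {select_files(kind, FILES, HISTORY)}")
    print("restore chain (incremental history):", [k for _, k in restore_chain(HISTORY)])
    print("restore chain (differential history):", [k for _, k in restore_chain(DIFF_HISTORY)])
    print("data at risk:", data_at_risk(HISTORY, NOW), "meets RPO:", meets_rpo(HISTORY, NOW, RPO))
```

The trade-off the deck's definitions imply is visible in the two histories: incrementals copy less each night but every one of them must survive and be replayed at restore time, while differentials grow each night but a restore needs only the full plus the newest one. The RPO check is the honest answer to "we want no data loss": with a nightly schedule and a failure at the constructed NOW, the loss window is 46 hours, which is what the funding decision has to buy down.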


Cold, Warm, Hot, Mobile Sites

Subscription Services – for a fee.
Cold Site – basic environment: electrical wiring, air conditioning, plumbing, and flooring (may take weeks to activate).
Warm Site – cold site basics plus some services (servers, backups, network).
Hot Site – everything for a quick failover, usually less than 4 hours. Costly.
Mobile Sites – e.g. PBX in a flatbed, crash kits.

Corp. Practice: We have a mixture. Moving away from subscriptions and toward company-owned internal hot sites.


A Successful Business Continuity Program

Elements: Testing, Up-to-Date Plan, Trained Personnel, Strategy

(Figure: the four elements surrounding “Business Continuity!!!”, illustrated with an IBM S/370, a laptop computer and an IBM PS/2.)


BCP/DRP Events

Links
– DRJ (Disaster Recovery Journal)
– DRI (Disaster Recovery Institute)
– BCI (Business Continuity International)
– Contingency Planning


Program Interdependency

Layers:
– Basic Infrastructure: Facilities, Power
– Basic Services: Network, Internet, Intranet, Telephony
– Enabling Apps/Services: Messaging, Voicemail, Conferencing, Security
– Biz Apps/Infrastructure: SAP, WOM
– Biz Functions: Order, Build, Ship, Close

Focus areas: IT Core BCP Focus, App/Service BCP Focus, Business BCP Focus, External Requirements


Summary

Key Topics
• BCP vs. DRP
• BIAs
• Contingency Planning
• End User Environment
• Backup Alternatives
• Recovery and Restoration
• Choosing a Software Backup Facility
• Testing and Drills
• Emergency Response


Questions

Why perform a risk analysis:
– inventory assets
– identify single points of failure
– identify all data in all systems
– review all procedures in all places


Questions

Primary function of the DR committee:
– identify strategies
– recover
– identify weaknesses in systems
– prepare for a disaster


Questions

Major purpose of a written plan:
– satisfy auditors
– satisfy regulatory authorities
– minimize the pressure to make decisions
– coordinate all parties


Questions

The ultimate goal of a disaster recovery plan is:
– get operations up and running quickly
– restore at least partial operations
– get operations up and running efficiently
– restore operations to a pre-disaster state


Questions

During a disaster, which procedures require coordinated efforts of a disaster recovery specialist and IS security specialists?
– notifying employees
– retrieving supplies
– returning to the original site
– recovering lost data


Questions

A proactive disaster recovery plan includes all but:
– UPS
– emergency procedures
– a provision for recovery after the disaster
– a fire extinguisher


Questions

DRP and Security policies are:
– separate but complementary
– separate without substitution
– can be one document
– separate and diverse


Questions

Major purpose of a written plan:
– minimize the pressure to make decisions

The ultimate goal of a disaster recovery plan is:
– restore operations to a pre-disaster state


Questions

During a disaster, which procedures require coordinated efforts of a disaster recovery specialist and IS security specialists?
– recovering lost data

Primary function of the DR committee:
– recover

Why perform a risk analysis:
– identify single points of failure


Questions

A proactive disaster recovery plan includes all but:
– a provision for recovery after the disaster

DRP and Security policies are:
– separate but complementary