Embed Size (px)
DESCRIPTION
Citation preview
Prepared by: Jan Wong
ManagementInformation
Systemsin Organizations
DISASTERRECOVERY PLAN
The Learning Outcomes
At the end of this session you should be able to:
the importance of disaster recovery in an organization
backup systems and system recovery
EXAMINE
DISCUSS
the steps in risk management approachDESCRIBE
DangerJeopard
y
Peril
Hazard
Menace
Threat RISKS
What is RISK?
Thinking about risk• Chance (probability)
of something happening
• Impact (cost) if it happens
Is it possible to protect against every risk?
“The chance of a negative outcome”
Risk Management Approach
A risk-management approach helps identify threats and select cost-effective
security measures.
Risk-management analysis can be enhanced by the use of DSS software packages. Calculations can be
used to compare the expected loss with the cost of preventing it.
A business continuity plan outlines the process in which businesses should recover from a major disaster
“What is it all about?”
What are the STEPS in RISK
MGMT.?
Assessment of assets
Determine the value and importance of assets Infrastructure:
hardware, networks, security environment itself
Software environment
Staff Cost of replacement Cost of loss of use
STEP 1:
Vulnerability of assets
List all potential threats
Review the current protection/controls system
Record weaknesses in the current protection system in view of all the potential threats
STEP 2:
Loss analysis
Assess the probability of damage
Specify the tangible and intangible losses that may result
STEP 3:
Protection analysis
Provide a description of available controls that should be considered – general, application, network etc
Probability of successful defense
The cost
STEP 4:
Cost Benefit Analysis
Compare cost and benefits
Decide on which controls to install
STEP 5:
Controls to Mitigate Risk
Intended to: Prevent accidental
hazards Deter intentional
acts Detect problems
ASAP Enhance damage
recovery Correct problems
comprehensively
IT Security in the 21st Security
Increasing the Reliability of Systems
Fault tolerance to keep the information systems working, even if some parts fail.
Intelligent Systems for Early Detection of
problems Detecting intrusion
Backing-up Systems
Why do we need to back up systems? Because systems fail
Impact From minor irritation
to business closedown
Back up system to: Periodic in Local
storage Periodic in Remote
storage Mirror site – local Mirror site – distant
Withstand fault tolerance
System Disaster – it happens!
• Think about: Loss of power Cyber crime Traumatic damage Hardware failure Statutory Requirement
System Recovery and Business
Continuity
• Is there a relationship between the two?
• Here are some key thoughts about disaster recovery by Knoll (1986): The purpose of a recovery plan is to keep
the business running after a disaster occurs Recovery planning is part of asset
protection Planning should focus first on recovery from
a total loss of all capabilities
How to ensure that the recovery system works
• Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current
• All critical applications must be identified and their recovery procedures addressed in the plan
Disaster Recovery Plan
• In other words: BACK UP PROCEDURES
• In the event of a major disaster it may be necessary to move to another back up location.
Disaster Recovery Plan Considerations
PGM
Disaster Recovery
Plan
FacilitiesCustomers
CommunicationsInfrastructure
ComputerEquipment
BusinessInformation
KnowledgeWorkers
Disaster Recovery Plan
1. HOT SITE VENDORS External hot site vendors provide access to
a fully configured back up data center. Following the 1989 San Francisco
earthquake Charles Schwab were up and running in New Jersey the following morning.
PGM
Disaster Recovery Plan
2. COLD SITE VENDORS Provide empty office space with special
flooring, wiring and ventilation. In an emergency the affected company
moves its own or leased computers to the cold site.
These back up sites may work well for a company with centralised computing facilities but what can a company with a distributed network system do?
PGM
Methods to Control & Secure I.S.
1. Physical access control
2. Uninterrupted power supply (UPS)
3. Generator
4. Humidity control
5. Temperature control
6. Water Detector
7. Raised Floors
8. Fire Extinguisher
9. AlarmPGM
THINGS TO TAKE NOTE OFF
• Risk management approach (the 5 steps)
• What are the different risk mitigation controls?
• Types of back-up systems
• What is a disaster recovery plan?
• What should be considered in a disaster recovery plan?
M a n a g i n g S y s t e m S e c u r i t y
IT’S TIME FOR SOME DISCUSSIONS!
• List and briefly describe the steps involved in risk analysis of controls.
• Define and describe a disaster recovery plan.
• What are “hot” and “cold” recovery sites?
• Explain why risk management should involve the following elements: threats, exposure associated with each threat, risk of each threat occurring, and cost of controls, as well as assessment of their effectiveness.
• Why should information control and security be a prime concern to management?
IT’S TIME FOR ANIN-CLASS ACTIVITY!
• Get into groups of 5-6 members
• Using the Risk Management Approach (5-Steps), apply it to your company / one company of your choice as below: GSC Cinemas Ticketing / Fashion Retail (brick-and-mortar) /
IBM / Malaysian Airlines Ticketing / Hilton Hotel Reservation / Facebook
• Suggest which Risk Mitigation Control should you implement and how it can help you mitigate your risk
• Present your approach the class
C o m i n g s o o n … n e x t c l a s sManagementInformation
Systemsin Organizations
DISASTERRECOVERY PLAN
What is a disaster recovery plan? How does it minimize risk?
