Tuesday, April 24, 2012

The Disaster Recovery Plan - Part 4

IT Disaster Recovery Planning Process

Developing a technical disaster recovery strategy is just one step in the overall IT Disaster Recovery Planning process. This process is common to all IT systems and consists of the following seven steps:
  1. Develop the Business Contingency Planning Policy and Business Process Priorities
  2. Conduct a Risk Assessment
  3. Conduct the Business Impact Analysis (BIA)
  4. Develop Business Continuity and Recovery Strategies
  5. Develop Business Continuity Plans
  6. Conduct awareness, testing, and training of the DRP
  7. Conduct Disaster Recovery Plan maintenance and exercise
The objective is to design a technical recovery strategy in step 4. Where, in practice, this step is carried out before the Business Impact Analysis (BIA) of step 3 has been completed, the recovery strategy is developed into a standard suite of service offerings that can be activated once the BIA is done. A BIA can take months to complete, and some organizations do not have the budget for it. However, management should understand the potential return on investment of conducting a BIA.

The goal of the BIA is to define objectives for the recovery of the host computing systems that run the applications supporting the business processes. These objectives are stated as the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO). RTO is the maximum time, in hours or days, that management allows for resuming a business process or system. RPO is the maximum age of the data restored after a disaster, that is, how much recent data the organization can afford to lose. For example, if the RPO is 8 hours, systems must be restored to a state no older than 8 hours before the disruption. The technical disaster recovery strategy must meet the RTO and RPO specifications; together they determine which disaster recovery option to implement.

Recovery time and data currency are the key components in determining the level of service a business process requires in the event of a major disruption. To implement a disaster recovery plan properly, one must know the RTO and RPO that the organization is willing to accept in case of a disaster. The choice among the different recovery options in the technical disaster recovery strategy is based on the combination of these two requirements.

Often, in regards to business continuity, business and IT units are not on the same page. "As companies become more dependent on information, the business-continuity tolerance for information loss becomes less and less, particularly in e-business," says Don DeMarco, Director, IBM Business Continuity and Recovery Services. Although recovery management (maintaining an IT-based contingency plan and IT recovery plan) is an element of the systems management discipline, DeMarco says, "The decision as to the acceptable amount of risk for information loss must come from upper management."

For example, IBM uses RTO and RPO to classify the two objectives management must consider in business continuity. RTO is used by management to determine the amount of time needed to set up IT capabilities in order to resume critical business processes. RPO is something that management tends to forget: during an outage when business processes cannot be performed, how much data can the organization afford to lose, and how current must the recovered data be? A bank manager cannot afford to lose six hours' worth of data. Management must decide what the acceptable levels of risk are.

source:// SANS Institute InfoSec Reading Room

Monday, April 23, 2012

The Disaster Recovery Plan - Part 3

Disaster Recovery Plan

In its full context, the focus of a Disaster Recovery Plan (DRP) is to restore the operability of the systems that support mission-critical and critical business processes. The objective is for the organization to return to normal operations as soon as possible. Since many mission-critical and critical business processes depend on a technology infrastructure consisting of applications, data, and IT hardware, the DRP should be an IT-focused plan. Every organization should develop a Disaster Recovery Plan covering all of its applications. Restoration of systems does not necessarily imply technology redundancy: the DRP may call for some procedures to be completed manually. The decision to revert to manual procedures, rather than to build and maintain a redundant IT infrastructure, is a cost-driven decision made by the organization. Having a DRP in place reduces the risk that a disruption to a business process lasts longer than management has determined to be acceptable. During the recovery phase, the focus is on establishing controls over events as they occur, to limit the risk of additional losses.

source:// SANS Institute InfoSec Reading Room

Saturday, April 21, 2012

The Disaster Recovery Plan - Part 2

Disaster Recovery Process

A disaster is defined as a sudden, unplanned catastrophic event that renders the organization unable to perform its mission-critical and critical processes, including normal production processing on the systems that support critical business processes. A disaster could be the result of significant damage to a portion of the operations, the total loss of a facility, or the inability of employees to access that facility.

The disaster recovery process consists of defining the rules, processes, and disciplines that ensure critical business processes will continue to function if one or more of the information processing or telecommunications resources on which their operations depend fails. The following are key elements of a disaster recovery plan:
  • Establish a planning group
  • Perform risk assessment and audits
  • Establish priorities for applications and networks
  • Develop recovery strategies
  • Prepare inventory and documentation of the plan
  • Develop verification criteria and procedures
  • Implement the plan
Key people from each business unit should be members of the team and be included in all disaster recovery planning activities. The disaster recovery planning group needs to understand the business processes, technology, networks, and systems in order to create a DRP. The group should prepare a risk and business impact analysis that covers at least the top ten potential disasters. After analysing the potential risks, priority levels should be assigned to each business process and application/system. It is important to keep the inventory up to date and to have a complete list of equipment, locations, vendors, and points of contact.

The goal is to provide viable, effective, and economical recovery across all technology domains. The following can be used to classify organization applications and/or systems:

(Mission Critical):
  • Mission critical to accomplishing the mission of the organization
  • Can be performed only by computers
  • No alternative manual processing capability exists
  • Must be restored within 36 hours
(Critical):
  • Critical to accomplishing the work of the organization
  • Primarily performed by computers
  • Can be performed manually for a limited time period
  • Must be restored starting at 36 hours and within 5 days
(Essential):
  • Essential to completing the work of the organization
  • Performed by computers
  • Can be performed manually for an extended time period
  • Can be restored as early as 5 days, although it may take longer
(Non-Critical):
  • Non-critical to accomplishing the mission of the organization
  • Can be delayed until the damaged site is restored and/or a new computer system is purchased
  • Can be performed manually
The disaster recovery process identifies the risks and exposures and mitigates their consequences to a level acceptable to senior management. These risks and exposures help to identify the level of recovery required, and those requirements in turn determine which recovery strategy option is needed.
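The RTO and RPO definitions in Part 4 above and the four restoration tiers listed here can be turned into a mechanical gap check. The Python below is an added example written for this page, not code from the SANS paper or from IBM. It takes a constructed inventory of systems, each with an RPO, an RTO, a backup interval, the lag before a copy is usable off-site, and a measured restore time (all made-up figures), computes the worst-case data loss, compares it against the RPO and the restore time against the RTO, and assigns the tier implied by the 36-hour and 5-day RTO bounds. The copy_lag term, the inventory values, and the choice to count an RTO of exactly 36 hours as Mission Critical are assumptions of the example.

```python
"""Added example: RPO/RTO gap check and tier assignment for a DR inventory."""
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)

# Restoration deadlines from the four-tier classification above.
MISSION_CRITICAL_MAX_RTO = 36 * HOUR   # "must be restored within 36 hours"
CRITICAL_MAX_RTO = 5 * DAY             # "starting at 36 hours and within 5 days"


@dataclass(frozen=True)
class System:
    name: str
    rpo: Optional[timedelta]      # max tolerable age of restored data; None = no objective
    rto: Optional[timedelta]      # max tolerable downtime; None = recovery can wait
    backup_interval: timedelta    # time between restorable copies
    copy_lag: timedelta           # assumed: time until a copy is off-site and usable
    restore_time: timedelta       # assumed: measured rebuild + restore duration


def tier_for_rto(rto: Optional[timedelta]) -> str:
    """Map an RTO onto the tiers; an RTO of exactly 36 h is treated as Mission Critical."""
    if rto is None:
        return "Non-Critical"
    if rto <= MISSION_CRITICAL_MAX_RTO:
        return "Mission Critical"
    if rto <= CRITICAL_MAX_RTO:
        return "Critical"
    return "Essential"


def worst_case_data_loss(s: System) -> timedelta:
    """Assume the disaster strikes just before the next copy is usable off-site:
    the newest restorable copy is then a full interval plus the copy lag old."""
    return s.backup_interval + s.copy_lag


def fmt(td: timedelta) -> str:
    minutes = td.total_seconds() / 60
    if minutes < 60:
        return f"{minutes:g}m"
    if minutes < 48 * 60:
        return f"{minutes / 60:g}h"
    return f"{minutes / 1440:g}d"


def check(s: System) -> dict:
    """Compare one system's backup cadence and restore time against its RPO/RTO."""
    loss = worst_case_data_loss(s)
    meets_rpo = s.rpo is None or loss <= s.rpo
    meets_rto = s.rto is None or s.restore_time <= s.rto
    findings = []
    if not meets_rpo:
        findings.append(f"RPO gap: worst-case data loss {fmt(loss)} exceeds RPO {fmt(s.rpo)}")
    if not meets_rto:
        findings.append(f"RTO gap: restore takes {fmt(s.restore_time)}, RTO is {fmt(s.rto)}")
    return {"system": s.name, "tier": tier_for_rto(s.rto), "worst_case_loss": loss,
            "meets_rpo": meets_rpo, "meets_rto": meets_rto, "findings": findings}


# Constructed sample inventory with made-up figures (not from the paper).
INVENTORY = [
    System("core-banking-db", rpo=1 * HOUR, rto=24 * HOUR,
           backup_interval=timedelta(minutes=15), copy_lag=timedelta(minutes=5),
           restore_time=20 * HOUR),
    System("payroll", rpo=8 * HOUR, rto=3 * DAY,
           backup_interval=1 * DAY, copy_lag=2 * HOUR, restore_time=12 * HOUR),
    System("intranet-wiki", rpo=1 * DAY, rto=10 * DAY,
           backup_interval=1 * DAY, copy_lag=1 * HOUR, restore_time=3 * DAY),
    System("dev-sandbox", rpo=None, rto=None,
           backup_interval=7 * DAY, copy_lag=1 * DAY, restore_time=10 * DAY),
]


def gap_report(inventory=INVENTORY) -> list:
    """Run the check over the whole inventory; gaps show where the strategy must change."""
    return [check(s) for s in inventory]


if __name__ == "__main__":
    for r in gap_report():
        status = "OK " if r["meets_rpo"] and r["meets_rto"] else "GAP"
        print(f"{status} {r['system']:16} {r['tier']:17} worst-case loss {fmt(r['worst_case_loss'])}")
        for f in r["findings"]:
            print("     -", f)
```

Two things the check surfaces that a plan written on paper tends to hide: a nightly backup with a two-hour shipping lag is a 26-hour worst case, so it cannot satisfy an 8-hour RPO however good the restore procedure is, and a daily copy that lands 25 hours old just misses a 24-hour RPO. The restore_time figures should come from the testing and exercise steps of the planning process rather than from an estimate, since an untested restore is where the RTO is usually lost.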

source:// SANS Institute InfoSec Reading Room

Friday, April 20, 2012

The Disaster Recovery Plan - Part 1

Relationship to the Business Continuity Plan

The Business Continuity Plan may be written for a specific business process or may address all mission-critical business processes. The BCP is an umbrella plan whose major sub-components include the Disaster Recovery Plan.

Information systems are considered in the BCP only in terms of their support of those business processes. A Business Continuity Plan (BCP) consists of the following component plans:

· Business Resumption Plan
· Occupant Emergency Plan
· Incident Management Plan
· Continuity of Operations Plan
· Disaster Recovery Plan

The Business Resumption Plan, Occupant Emergency Plan, and Continuity of Operations Plan do not deal with the Information Technology (IT) Infrastructure. The Incident Management Plan (IMP), which does deal with the IT infrastructure, establishes structure and procedures to address cyber attacks against an organization’s IT systems and generally does not involve activation of the Disaster Recovery Plan.


source:// SANS Institute InfoSec Reading Room
