what contributed to 1/3 of frauds
internal control weaknesses
what is the best detection method to limit fraud duration and loss?
IT controls
what are the primary internal control weaknesses that contribute to fraud
lack of internal controls
override existing internal controls
Lack of management review
lack of competent personnel oversight in role
poor tone at the top
lack of independent checks/audits
other
top 12 risks
cyber attacks (state-sponsored)
cyber attacks (criminal)
major IT interruption
information security
privacy and data protection laws
serious supply chain disruption
failure of critical national infrastructure
extreme violence
terrorist attacks
pandemic
man-made disaster
wide scale flooding
Natural Disasters
Random problems that cannot be prepared for
Types of outages
natural disasters
man-made disasters
subset of both
man-made disasters
sabotage of property, computer systems, information
terrorist
strikes/protest
denial of service
viruses
subset of both natural and man-made disasters
infrastructure failures
communication failures
transportation outages
Causes for Unavailability of Critical Business Systems
hard/software failure
telecoms failure
third party failure
operational error
malicious technical acts
what are the benefits of BCM
reduced time to identify/contain data breaches
valuable to incident response planning
reduces costs of data breach
substantial costs per day savings
reduces data breaches
minimizes disruptions to operations
improves resilience of IT operations
diminishes negative impact on reputation
DR automation reduces costs per day
ISO/IEC 38500:2008
provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
who does ISO/IEC 38500:2008 guide
senior managers;
members of groups monitoring the resources within the organization;
external business or technical specialists, such as legal or accounting specialists, retail associations, or professional bodies;
vendors of hardware, software, communications and other IT products;
internal and external service providers (including consultants);
IT auditors.
those involved in designing and implementing the management system of those policies and processes that support governance.
The objectives of the ISO 38500 standard are:
Assuring stakeholders that they can have confidence in the organization's corporate governance of IT
Informing/guiding Directors in governing the use of IT in their organization
Providing a basis for objective evaluation of the corporate governance of IT
ISO 22301:2012 Societal security - Business continuity management systems - Requirements
formally specifies a Business Continuity Management System (BCMS) for any type or size of organization.
what accompanies and expands ISO 22301
ISO 22313:2012 Societal security - Business continuity management systems - Guidance
KEY CLAUSES OF ISO 22301:2012
Clause 4: Context of the organization
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance evaluation
Clause 10: Improvement
Key concepts to understand in understanding your business context
Maximum Acceptable Outage (MAO)
Minimum Business Continuity Objective (MBCO)
Maximum Acceptable Outage (MAO)
The time it would take for adverse impacts to become unacceptable. This is the same as the ‘maximum tolerable period of disruption’ (MTPD).
Minimum Business Continuity Objective (MBCO)
the minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption.
Business Impact Analysis (BIA) identifies
the critical processes that support its key products and services, and
the interdependencies between processes and the resources required to operate the processes at a minimally-acceptable level.
General Structure of a capability Map
IT capabilities supporting business processes → Business processes comprising business capabilities → Needed business capabilities in order to achieve performance outcomes → Metrics indicating business model success → Business model
Metrics indicating business model success:
Financial Performance Outcomes
Customer/Client Performance Outcomes
Business Model
Customer Value Proposition
Profit Model
Stages of BIA
Threat/attack identification and prioritization
Business unit analysis
Attack success scenario development
Potential damage assessment
Subordinate plan classification
what does BIA assume
security controls have been bypassed, have failed, or have proven ineffective, and attack has succeeded
what iso standard to apply to implement risk assessment
ISO 31000
Goal risk assessment
is to establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyzes, and evaluates the risk of disruptive incidents to the organization.
what is an integral component of corporate strategy
The business continuity strategy
When to create a business continuity strategy?
After requirements have been established through the BIA and the risk assessment
Business continuity strategy
enables the organization to protect and recover critical activities based on organizational risk tolerance and within defined recovery time objectives.
Business continuity procedures
establish an appropriate internal and external communications protocol
be specific regarding the immediate steps that are to be taken during a disruption
be flexible to respond to unanticipated threats and changing internal and external conditions
focus on the impact of events that could potentially disrupt operations
be developed based on stated assumptions and an analysis of interdependencies
be effective in minimizing consequences through implementation of appropriate mitigation strategies
why should procedures be documented?
to ensure continuity of activities and management of a disruptive incident.
How to ensure continuity procedures are consistent with objectives?
test them regularly.
Exercising and testing
are the processes of validating business continuity plans and procedures to ensure the selected strategies are capable of providing response and recovery results within the timeframes agreed to by management.
ISO/IEC 27031:2011 Information technology
Security techniques — Guidelines for information and communications technology readiness for business continuity
ICT Readiness for Business Continuity (IRBC)
[a general term for the processes described in the standard] supports Business Continuity Management (BCM) “by ensuring that the ICT services are as resilient as appropriate and can be recovered to pre-determined levels within timescales required and agreed by the organization.”
ICT readiness encompasses
Preparing organization’s ICT against unforeseeable events that could change the risk environment and impact ICT and business continuity
Leveraging and streamlining resources among business continuity, disaster recovery, emergency response and ICT security incident response and management activities.
ICT readiness is important for business continuity purposes because
ICT is prevalent and many organizations are highly dependent on ICT supporting critical business processes;
ICT also supports incident, business continuity, disaster and emergency response, and related management processes;
Business continuity planning is incomplete without adequately considering and protecting ICT availability and continuity.
A business continuity plan comprises
an organization’s strategies to prepare for future national, regional or local crises that could jeopardize its capacity to continue with its core mission, as well as its long term stability
Business continuity management is an integral part of
holistic risk management
ISO 31000 Risk management
recognizes the variety of the nature, level and complexity of risks and provides generic guidelines on principles and implementation of risk management. To apply these generic guidelines in a specific situation, this International Standard sets out how an organization should understand the specific context in which it implements risk management
risk management process
establish context
identify risks
analyze risks
evaluate risks
treat risks
monitor
communicate
Disaster recovery planning (DRP)
is planning the preparation for, and recovery from, a disaster
contingency planning team must decide
which actions constitute disasters and which constitute incidents
Continuity Strategies
Incident response plans (IRPs); disaster recovery plans (DRPs); business continuity plans (BCPs)
what does IRP focus on
focuses on immediate response; if attack escalates or is disastrous, process changes to disaster recovery and BCP
DRP focus
typically focuses on restoring systems after disasters occur; as such, is closely associated with BCP
BCP
occurs concurrently with DRP when damage is major or long term, requiring more than simple restoration of information and information resources
which continuity plan is the simplest to develop?
BCP
Development of BCP
selecting a continuity strategy and
integrating off-site data storage and recovery functions into this strategy
Example strategy:
Keep 3 copies of data: 1 primary, 2 backups
Use 2 different types of media
Keep 1 set in the cloud in DRaaS (disaster recovery as a service) or BaaS (backup as a service)
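The three bullets above are the 3-2-1 backup rule (three copies, two media types, one offsite, with DRaaS/BaaS as the offsite option). As an added example that is not part of the original card set, the checker below evaluates a backup inventory against each of the three rules separately, so a failing inventory reports which rule it broke rather than a bare pass/fail. The `BackupCopy` fields and the two constructed inventories (a weak one with two on-site disk copies, and a compliant one that adds tape plus a cloud BaaS copy) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a data set in the backup inventory (constructed schema)."""
    name: str
    media: str           # storage media class: "disk", "tape", "object-storage", ...
    location: str        # site or provider holding the copy
    primary: bool = False  # True for the live production copy


def check_3_2_1(inventory: List[BackupCopy]) -> List[str]:
    """Return one finding per violated 3-2-1 rule; an empty list means compliant.

    Rules checked:
      3 - at least three copies in total (1 primary + 2 backups)
      2 - at least two distinct media types across all copies
      1 - at least one copy held somewhere other than the primary site
    """
    findings: List[str] = []

    primaries = [c for c in inventory if c.primary]
    if len(primaries) != 1:
        # Without a single known primary we cannot judge what counts as offsite.
        findings.append(f"expected exactly one primary copy, found {len(primaries)}")
        return findings
    primary_site = primaries[0].location

    if len(inventory) < 3:
        findings.append(
            f"{len(inventory)} copies held; rule requires 3 (1 primary + 2 backups)"
        )

    media = sorted({c.media for c in inventory})
    if len(media) < 2:
        findings.append(f"all copies on one media type ({media[0]}); rule requires 2")

    offsite = [c for c in inventory if c.location != primary_site]
    if not offsite:
        findings.append(
            f"no copy outside {primary_site}; rule requires 1 offsite copy "
            "(e.g. DRaaS or BaaS in the cloud)"
        )

    return findings


# Constructed sample inventories (not real systems).
WEAK_INVENTORY = [
    BackupCopy("prod-db", "disk", "hq-datacenter", primary=True),
    BackupCopy("nightly-snapshot", "disk", "hq-datacenter"),
]

COMPLIANT_INVENTORY = [
    BackupCopy("prod-db", "disk", "hq-datacenter", primary=True),
    BackupCopy("weekly-full", "tape", "hq-datacenter"),
    BackupCopy("nightly-replica", "object-storage", "cloud-baas-region-a"),
]


def report(label: str, inventory: List[BackupCopy]) -> None:
    findings = check_3_2_1(inventory)
    status = "PASS" if not findings else "FAIL"
    print(f"[{status}] {label}")
    for f in findings:
        print(f"    - {f}")


if __name__ == "__main__":
    report("weak (two on-site disk copies)", WEAK_INVENTORY)
    report("compliant (disk + tape + cloud)", COMPLIANT_INVENTORY)
```

The check is deliberately split into independent rules: a site with three tape copies in one vault fails only the "one offsite" rule, which is the finding that matters when the site itself is the thing that burns down.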
DRaaS
public cloud
private cloud
managed cloud services
public cloud
typically uses customer‐managed software for setting up and controlling cloud-based DR resources
private cloud
typically uses customer‐managed software for setting up and controlling cloud-based DR resources
managed cloud services
cloud offering includes DRaaS as a part of a standard, hands‐free offering
Dedicated recovery site options
hot warm cold sites
which sites are fully operational
hot
which sites have fully operational hardware but no software
warm
cold sites
rudimentary services and facilities
shared site options
time share
service bureaus
mutual agreement
time share
A hot, warm, or cold site that is leased in conjunction with a business partner or sister organization
Service Bureaus / Cloud Providers
An agency that provides a service for a fee
Mutual agreement
A contract between two or more organizations that specifies how each will assist the other in the event of a disaster.
Options for getting operations up and running include
Electronic vaulting
Remote journaling
Database shadowing
Cloud storage
PP2. Risk Assessment
Identify risks that could impact an entity’s resources, processes or reputation.
Assess risks to determine the potential impacts to the entity, enabling the entity to determine the most effective means to reduce them.
PP3. Business Impact Analysis
Identify and prioritize all of the entity’s functions, processes, and dependencies in order to determine the greatest impact upon the entity should the functions not be available. This analysis should be retained and available to assist the entity in understanding incidents and/or the resulting consequences. Quantify the impact to the entity, its services, and the affected parties.
Analyze, document, and communicate the findings to highlight all gaps between the entity’s requirements and its current capabilities.
Major steps in contingency plan
BIA
IRP
DRP
BCP
What is a Business Impact Analysis (BIA)
Investigation and assessment of the impact that various risks or attacks can have on the organization