Disaster Recovery Planning - Key Concepts (Ch 2)

Planning for Contingencies (Ch 2)

• CLO: Analyze the need for disaster recovery planning.
• Objectives (brief): identify who creates contingency policy, understand elements to begin contingency planning, create an effective policy, become familiar with the BIA and its components, know steps to create/maintain a budget for enabling contingency planning.

Beginning the Contingency Planning Process

• Contingency Planning Management Team (CPMT) responsibilities:
  • Obtain senior management commitment and support
  • Write the contingency plan document
  • Conduct the Business Impact Analysis (BIA): identify and prioritize threats/attacks and business functions
• Organize subordinate teams: Incident Response (IR), Disaster Recovery (DR), Business Continuity (BC), Crisis Management

Beginning the Contingency Planning Process (Roster)

• Typical CPMT roster:
  • Champion: high-level manager with influence/resources; strategic vision
  • Project manager: leads project
  • Team members: from business, IT, information security
  • Representatives from other units (HR, PR, finance, legal, facilities, etc.)
  • Representatives from IR, DR, BC teams

Commitment and Support of Senior Management

• Contingency planning fails without clear formal commitment from senior management
• Senior-management emphasis encourages subordinates to invest in the process
• Communities of interest: groups united by shared interests/values within the organization

Communities of Interest in Information Security

• Three communities of interest with roles/responsibilities:
  • Information security management and professionals: focus on integrity/confidentiality; may overlook availability
  • Information technology management and professionals: design, build, operate systems; focus on costs, usability, timing
  • Organizational management and professionals: executives, production management, HR, accounting, legal; users of IT systems

Elements to Begin Contingency Planning

• Required elements:
  • Planning methodology
  • Policy environment to enable planning
  • Business Impact Analysis (BIA)
  • Planning budget (access to resources)
• CPMT begins development of the CP document
• CP document provides a $7$-step contingency process to develop/maintain the program

7-step Contingency Process

• $1$ Develop the contingency planning policy statement
• $2$ Conduct the BIA
• $3$ Identify preventive controls (measures to reduce effects of disruptions)
• $4$ Develop recovery strategies
• $5$ Develop an IT contingency plan
• $6$ Conduct plan testing, training, and exercises
• $7$ Maintain the plan

Contingency Planning Policy

• Established by executive management
• Defines the scope of CP operations
• Establishes response times, DR, and resumption of operations
• Establishes responsibility for development/operation of the CPMT

Business Impact Analysis (BIA)

• BIA: investigates/assesses impact of attacks; provides detailed scenarios of effects; assumes risk controls bypassed or failed
• BIA addresses what to do if an attack succeeds

BIA Stages (CPMT conducts in $five$ stages)

• Threat attack identification and prioritization
• Business unit analysis
• Attack success scenario development
• Potential damage assessment
• Subordinate plan classification

Threat or Attack Identification and Prioritization

• Convert risk-management threats into a list of attacks; create attack profiles
• Primarily information-security-related, but include work stoppages, pandemics, etc.
• Categorize attacks; use weighted analysis to prioritize

Weighted Analysis for Attacks

• Use a weighted table to prioritize attacks (e.g., weights for probability of occurrence, probability of success, extent of damage, cost to restore)
• Example weights in practice: $0.2, 0.3, 0.2, 0.3$ per criterion, leading to a total score

Business Unit Analysis

• Analyze and prioritize business functions within the organization
• Prioritize restoring main revenue-producing operations
• Avoid turf wars; focus on critical functions
• Assign weights to critical functions using a weighted analysis table

Attack Success Scenario Development

• Attack scenario (attack profile): depicts effects of each threat on prioritized functions
• Should include attack methodology, indicators, and broad consequences
• One attack may impact many business functions

Potential Damage Assessment

• End-case costs for best, worst, and most likely outcomes
• Helps identify what must be done to recover from each case
• Include costs of actions by response teams; may justify more protective measures

Subordinate Plan Classification

• Subordinate plan deals with aftermath
• May be part of SOPs or existing DR/BC plans
• Classify attacks as disastrous or not
• Disastrous attacks: typically cannot be stopped safely during the event (e.g., hurricanes, fires, floods, tornadoes)

BIA Data Collection

• Methods to collect BIA data:
  • Online questionnaires
  • Facilitate data-gathering sessions
  • Process flows and interdependency studies
  • Risk assessment research
  • IT application/system logs
  • Financial reports and departmental budgets
  • BCP/DRP audit documentation
  • Production schedules

BIA Data Collection: Online Questionnaires

• Structured data collection from subject-matter experts
• Questions cover:
  • Function description, dependencies, impact profile, operational/financial impacts
  • Work backlogs, recovery/technology resources, PC/network requirements, etc.

BIA Data Collection: Focus Groups and Analysis Techniques

• Facilitated data-gathering sessions (focus groups)
• Process flows and interdependencies, including:
  • Use case diagrams, UML models, workflow, functional decomposition, data-flow diagrams
• Example diagrams: use case, class, sequence, collaboration

BIA Data Collection: Key Data Types

• Risk assessment inputs
• IT logs (failed logins, probes, scans, DoS, malware)
• Financial reports and budgets
• Audit documentation (regulatory/compliance)
• Production schedules and forecasts

BIA Data Collection: Key Concepts

• Recovery Point Objective (RPO): $RPO$: point in time by which data must be recovered; e.g., how much data can be lost
• Recovery Time Objective (RTO): $RTO$: maximum downtime allowed before operations must be resumed

Budgeting for Contingency Operations

• Budgets across domains:
  • Incident Response Budgeting: usually part of IT budget; includes backups, UPS, antivirus, RAID, SANs; redundancy maintenance; Rule of $3$: three levels of computer environments (hot, warm, cold)
  • Disaster Recovery Budgeting: insurance covers rebuilding; data-loss policies; other uninsured losses (service outages, utilities)
  • Business Continuity Budgeting: service contracts, mobile equipment, temporary sites, overtime
  • Crisis Management Budgeting: employee salaries/benefits

Summary

• Contingency planning starts with the CPMT, planning document, senior-management commitment, and the BIA
• CP process requires: planning methodology, policy environment, BIA, and budgetary resources
• Key steps: policy development, BIA, preventive controls, recovery strategies, IT contingency plan, testing/training, maintenance
• CP policy contents: introduction, scope/purpose, periodic risk assessment/BIA, CPMT components, recovery options, testing, applicable regulations/standards, key individuals, organizational support
• BIA contents: threat identification/prioritization, business-unit analysis, attack scenarios, potential damage, subordinate plan classification
• Budgeting categories: incident response, DR, BC, and crisis management; Rule of $3$ for redundancy