Disaster Recovery Plan / Enterprise Continuity Plan

Editor's Notes

• #2: Western Governors UniversityMaster of Science, Information Security and AssuranceFXT2 – Disaster Recovery Planning, Prevention and ResponseMarcelo Braga SilvaStudent ID: 000200452
• #3: This Agenda will cover the requirements for the Task 1 of the FXT2 course, part of the Master of Science, Information Security and Assurance program at WGU.January, 2014.
• #4: According to Goble, Fields, & Cocchiara (2002), resilient infrastructures are those ones that are “capable of proactively responding to both anticipated and unexpected stress and strains” (p. 2).Thus, following below an introduction on the Disaster recovery Plan and Enterprise Continuity Plan:Why DRP/ECP?In case some infrastructure failure, if the university is not well prepared to respond to such unexpected event, it can lose some business opportunities, students and partners, reputation and credibility, research data, and even its most valuable information and applications.Benefits of a DRP/ECPIdentification of critical applications and services for the businessIdentification and preparedness for the major risksReduce the downtimes of applications and services Improve operational effectiveness and resilienceProtection of assetsBe compliance with national and international laws and standardsImprove securityDemonstrate continuity capabilities for the market, including customers, partners and shareholdersThree vital Ingredients of a successful DRP/ECP (Goble, G., Fields, H., & Cocchiara, R. 2002, p. 9)Recovery  Safe, rapid, offsite data recoveryHardening  The fortification of all or part of the infrastructureRedundancy  The duplication of all or part of the infrastructure Defensive Posture / Offensive PostureDefensive Posture components:Recovery Hardening Redundancy Offensive Posture components:AccessibilityDiversificationAutonomic computing
• #5: The DRP/ECP team are composed by different teams. One of the key teams is the Emergency Management Team (EMT)According to Hiles (2007), the EMT’s role is “to take business decisions, assess and make judgments on business priorities and to facilitate and support the business continuity manager. It also has an important role in marketing, public relations and media management issues.”Following below some roles of the DRP/ECP team members:Emergency Management Team Composed by key senior managers, Public relations and marketing and Business continuity manager or coordinator.Damage Assessment TeamThe Damage Assessment Team assesses the damage to the Data Center and reports to the EMT.Restoration TeamThis team brings the Production site systems and applications to operational mode in a DR site. And also brings they back to the production site.Operations TeamThe Operations Team assists in the recovery operations of infrastructure, systems and services.Customer Support TeamThis is the team that assists the customers (external/internal) during the disaster, until operations are resumed.Salvage/Reclamation TeamThe Salvage/Reclamation Team manages the restoration or rebuilding of the Data Center.Administrative Support TeamThe Administrative Support Team cooperate with logistical and organizational support for all other teams.
• #6: This six layers represent the “Framework for resiliency” (Goble, Fields, & Cocchiara, 2002).This framework enables management and technical teams to lead the Enterprise to a successful Disaster Recovery Plan.
• #7: When we talk about preparedness for anticipated and unexpected events, the Strategy layer is the first one to be discussed. On this layer, some assessments will examine components such as vulnerabilities and risks regarding to the enterprise, taking in account its industry position and its competitively. Also, the enterprise’s strategies and the baseline organizational culture will be examined. (Goble, Fields, & Cocchiara, 2002)
• #8: Organizational changes are required to build a successful resiliency plan.It requires an Executive sponsor, usually a senior business leader or a Vice President.Roles, Responsibilities and AccountabilitiesWell defined communication protocolCross-line-of-business linkageSkills that are critical to the company
• #9: The resiliency plan should focus on the business and IT process and procedures that are critical for the organization’s operation and its infrastructure. A successful plan requires identify:What are the minimum required functionalities during disruptive eventsAlternate process and procedure that will allow operations to continueProcesses to achieve better workload balanceAll processes and the contingency plan must be clear to all organization’s stakeholdersBusiness processes that support Virtual, flexible and distributed workplaces. (Goble, Fields, & Cocchiara, 2002).
• #10: 21st Century organizations rely on good, valuable and reliable information, whether they are about customers, employees, competitors, products or suppliers, and the systems responsible for processing and analysing those information as well. Thus, multiples data and application sources are required. Data and Application diversificationArchitectures standardizationEnsure performance, availability and scalability
• #11: Technology is a key component to create a resilient business. The IT infrastructure and the budget assigned to it must be aligned to the organization’s resiliency goals.Technology components when planning resiliency:Hardware architectureSystem softwareMiddlewareNetworksSecurity Solutions Levels of availability that should be aligned to the resiliency objectives:ReliabilityRedundancyFailoverSingle point of failure: Should be known and addressedHigh-Availability (HA) components in the infrastructure should be examined.Continuous replication across different sites (Primary/Secondary)
• #12: When examining the resiliency level of the enterprise’s facilities:Environment considerationsGeographical locationDispersionSecurity Access (Physical and logical security)Power protection (UPS, batteries, Generators, etc.)Heating and cooling (Pods, Racks, small rooms, UPS rooms)Provide and testing the security mechanisms and equipment.
• #13: Strategy: Risks, Vulnerabilities and competitively will be assessed, taking in account the position the university has in comparison to the other universities, regional and national.Organization: The university needs a executive support for the plan, and for all organizational changes that the university will need for a successful DRP.Business and IT Processes: The university will have to change some IT process in order to enable employees and students to leverage the university’s infrastructure beyond of the three-floor facilities that it has currently.Data and Applications: Currently the university uses the Microsoft SharePoint for all data. However, for a good resilient plan, some diversification of data and application should be implemented, and high availability by implementing redundant servers across different sites also recommended.Technology: The university has only one server for each application: One Exchange Server and one SharePoint Server. Currently there is no redundancy neither additional servers for failover in case of disaster, or even to recover from a simple hardware failure. Thus, there is a single point of failure and it’s something that will be addressed in the technology layer of the Framework for Resiliency.Facilities: There are physical risks to the operations. Blizzards could potentially knock out power and earthquakes could damage the building.
• #14: BS 25999-1 (2006) requires that “the organization should have a process for identifying and delivering the BCM awareness requirements of the organization and evaluating the effectiveness of its delivery.”Risk evaluation and controlBusiness impact analysisEmergency response and operationsIncident managementDeveloping and implementing DRP/ECPsMaintaining and exercising BCPsPublic relations, media and crisis communication
• #15: The university should look for the following characteristics on outside expertise to assist with the development of a DRP:Acts as a facilitator whenever it is appropriateAvoids “quick fixes” and produces solid lasting solutionsUnderstands and acts to further the client’s missionDoes not confuse the client by talking in a different languageOnly makes promises when they can be keptKeeps a good relationship with others in the companyMinimizes dependency of the client on the consultantEncourages the client’s competence, confidence and commitmentWorks with the client on the problem solutionFocuses on the relationship with the client and technical problemsDoesn’t take on any of the client’s responsibilities.Hiles, A. (2007).
• #16: BSI 25999-1 Business Continuity Management Code of Practice requires that “the organization should have a process for identifying and delivering the BCM awareness requirements of the organization and evaluating the effectiveness of its delivery.” (Hiles, 2011)Establish goals and ComponentsTraining the team leaders (“Train the trainers”) and other team membersCover the skills gaps in the Enterprise Continuity team, indicated in BS 25999/DRII Common Body of KnowledgeTrain the EC team through exercising the plan (Hiles, 2011).Disseminate all information related to the Disaster Recovery Plan and Enterprise Continuity Plan and Policy, including priorities and objectives, deliverables, level of acceptance of disruption and recovery time.Define the training/awareness methodInduction training for new hiresArticles, news and letters in corporate newslettersUse of internal web pages, blogs and Intranet.Conducting tests and exercises, with observersIdentify the target / audienceAll stakeholders: members of the Business Continuity team and other enterprise staff (Employees, contractors and consultants).Implementing the awareness program (next slide)
• #17: Maiwald & Sieglein (2002) stated that we “should take advantage of every possible method to keep users interested and engaged”. Therefore, following below some training methods to be implemented as part of the DRP/ECP awareness campaign:Include DRP/ECP in the New Hire OrientationThe organization’s information security policies and procedures should be covered during the Orientation (Maiwald & Sieglein, 2002)The new hires should be compliant with all security policies and proceduresThe new hires should read and sign the Acceptable Use Policy and any other document related to the Information SecurityFormal trainingVendor’s specific training for the infrastructure and security teams: Network devices (Switches, routers, load balancers, gateways); Security solutions (Firewalls, proxies, IDS, IPS, Antivirus, HSMs); Servers (hardware, Operating Systems, Virtualization) among others.Internal training in accordance with each stakeholders group.Awareness seminars and Brown bag sessionsProvide information about new technologies within the company and the security related to themProvide the latest and useful information regards the DRP/ECPTell them how they can help in case of some unexpected event comes upExplain how the company is counting on them to have a successful DRP/ECP implementedNewsletter and IntranetImplement a quarterly Awareness Newsletter for end-usersCreate an area in the company Intranet dedicated to the DRP/ECP awarenessAdd some security-related information, including external links to vendor’s website and articlesDRP/ECP quizzesPeriodically enable some quizzes in the Intranet and also during some seminars and trainings, and promote some raffles as an way to encourage them.