Disaster Recovery Planning: Is Your Plan in Place? Presented by: Steve Shofner, CISA, CGEIT

Similar documents
Introduction to Business continuity Planning

CANVAS DISASTER RECOVERY PLAN AND PROCEDURES

INFORMATION SECURITY- DISASTER RECOVERY

Disaster recovery strategic planning: How achievable will it be?

BUSINESS CONTINUITY. Topics covered in this checklist include: General Planning

DR Planning. Presented by. Matt Stolk Associate Director Northwest Regional Data Center Florida State University

Table of Contents. Sample

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

BCP At Bangkok Bank, Thailand

Module 4 STORAGE NETWORK BACKUP & RECOVERY

TEL2813/IS2820 Security Management

Business continuity management and cyber resiliency

Certified Information Systems Auditor (CISA)

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

Florida State University

Emergence of Business Continuity to Ensure Business and IT Operations. Solutions to successfully meet the requirements of business continuity.

The Key to Disaster Recovery

A Practical Guide to Avoiding Disasters in Mission-Critical Facilities. What is a Disaster? Associated Business Issues.

10 Reasons Why Your DR Plan Won t Work

Business Continuity & Disaster Recovery

Data Recovery Policy

How to Conduct a Business Impact Analysis and Risk Assessment

Business Continuity Management Program Overview

Infocomm Professional Development Forum 2011

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

IPMA State of Washington. Disaster Recovery in. State and Local. Governments

The Problem. Business Continuity/ Disaster Recovery. Course Outline and Structure. The Problem The Coverage. Sean Gunasekera

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

Information Security Policy

Template. IT Disaster Recovery Planning: A Template

It s Not If But When: How to Build Your Cyber Incident Response Plan

Business Continuity Management

DISASTER RECOVERY PRIMER

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Now I can sleep at night

Public and Private Interdependencies Filling a Gap in Most Continuity Plans

Business Continuity Planning

Appendix 3 Disaster Recovery Plan

University Information Systems. Administrative Computing Services. Contingency Plan. Overview

3.4 DISASTER RECOVERY (L , M.3.9, comp_req_id 806)

Disaster Recovery Is A Business Strategy

Emergencies: Protecting Staff & Assets. Presented By: Tom Heebner, CSP, ARM, ABCP AVP / Risk Consultant HUB International Limited

What to Look for in a DRaaS Solution

Version v November 2015

Internet of Things Toolkit for Small and Medium Businesses

The 10 Disaster Planning Essentials For A Small Business Network

Business Continuity Management Standards A Side-by-Side Comparison

For ACP-South Texas chapter program meeting in October 2012 only. Do not cite, copy or distribute without the author's consent. 1

Business Continuity - An Inside Perspective

THE STATE OF CLOUD & DATA PROTECTION 2018

Build a viable plan for disaster recovery and crisis management.

Security Guideline for the Electricity Sector: Business Processes and Operations Continuity

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC

November 14, Emergency Management and Hurricane Irma. Florida Human Resources People and Strategy (FLHRPS)

SharePoint Cincy 2011

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Backup vs. Business Continuity

Contingency Planning

Saving SharePoint Admin 100 (Sponsor) Sean McDonough Idera

Business Continuity: How to Keep City Departments in Business after a Disaster

Google Cloud & the General Data Protection Regulation (GDPR)

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 13 Business Continuity

BME CLEARING s Business Continuity Policy

Heavy Vehicle Cyber Security Bulletin

Disaster Recovery Planning Blackout. Katrina

Cyber Resilience. Think18. Felicity March IBM Corporation

Version v November 2015

Why you should adopt the NIST Cybersecurity Framework

Business Continuity Risk Management IT Service Continuity

Disaster Recovery and Business Continuity Planning (Mile2)

Application Lifecycle Management on Softwareas-a-Service

Business Continuity Planning Keeping Pace with New Technology

Granted: The Cloud comes with security and continuity...

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Disaster recovery planning for health care data and HIPAA compliance regulations

Disaster Recovery Plan

NUIT Tech Talk. Emergency Preparedness. March 1, Sharlene Mielke. Jay Bagley. Disaster Recovery / Business Continuity Coordinator

Agenda. Definitions. Components. Things to Consider. Exercise Approaches. Audit Approaches. Disaster Recovery / Business Continuity 1

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy

Applying Mitigation. to Build Resilient Communities

IBM Incentive Compensation Management on Cloud

IT-BCP Survey 2014 Report

TUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY

Business Continuity & Disaster Recovery

Recommendations for Implementing an Information Security Framework for Life Science Organizations

Disaster Planning Essentials and Disaster Planning Checklist

Cloud Disaster Recovery: Public, Private or Hybrid Cloud Solutions Supporting Disaster Recovery

Implementing a Global Business

IT CONTINUITY, BACKUP AND RECOVERY POLICY

BUSINESS CONTINUITY PLAN Document Number: 100-P-01 v1.4

Nine Steps to Smart Security for Small Businesses

Introduction. Overview. Every Crisis Management Team Needs a Critical Decision Checklist. Presented by Roseanne Rostron, CBCP President Raido Response

Our key considerations include:

Trust Services Principles and Criteria

TSC Business Continuity & Disaster Recovery Session

Introduction. Read on and learn some facts about backup and recovery that could protect your small business.

Threat and Hazard Identification and Risk Assessment (THIRA) In Progress Review (IPR) July 2012

Continuity of Business

Transcription:

Disaster Recovery Planning: Is Your Plan in Place? Presented by: Steve Shofner, CISA, CGEIT 1

The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought. 2

AGENDA What is a Disaster? Disaster Recovery vs. Business Continuity Drivers for Having a Disaster Recovery Plan How Do You Get Started? Disaster Recovery Plan Structure Key Considerations Testing the Disaster Recovery Plan Resources Questions? 3

DISASTERS Sudden, calamitous event that brings great damage, loss or destruction. (Source: Merriam-Webster dictionary) Natural Earthquake Flood Hurricane Drought Twister Tsunami Cold/Heat wave Thunderstorm Mudslide Man-Made Riots War Terrorism Power outages Sprinkler system bursts Equipment sabotage Arson Epidemic Pollution Transportation accident Food poisoning Technological Database corruption Hacking Viruses Internet worms 4

DISASTERS COME IN ALL SIZES Small Large 5

OBJECTIVES OF DISASTER RECOVERY VS. BUSINESS CONTINUITY Disaster Recovery Successfully recover IT systems in the shortest timeframe possible Business Continuity Continue critical business functions in the absence of key resources (considering customers, suppliers, regulators, and others) 6

DRIVERS FOR HAVING A DISASTER RECOVERY PLAN High availability of data is required by your industry Regulatory requirements o Federal Emergency Management o Government Contractor Contractual obligation with a business partner Makes good business sense! 7

HOW DO YOU GET STARTED? Conduct a Risk Assessment Identify critical data Conduct a Business Impact Analysis (BIA) Create a data backup process Determine resources needed during a recovery effort 8

CONDUCT A RISK ASSESSMENT Consider the risks to your organization and the probability of each happening: Natural Earthquake Flood Hurricane Drought Twister Tsunami Cold/Heat Wave Thunderstorm Mudslide Man-Made Riots War Terrorism Power outages Sprinkler system bursts Equipment sabotage Arson Epidemic Pollution Transportation Accident Food Poisoning Technological Database corruption Hacking Viruses Internet worms 9

COMMON PLANNING PITFALL You do not need to develop individual contingencies for each type of risk/disaster. Focus on the absence of key resources, such as (but not limited to) data, regardless of the reason. (for this presentation, we will focus on data) 10

IDENTIFY CRITICAL DATA (RESOURCES) Evaluate processes with owners, identifying how/where critical data is input from, processed, stored, and exported to: What type (s) of data is required? What type(s) are key / critical? When, how, and where is data input from? Who owns that data? What processing happens with that data? Where is the data stored (e.g., systems involved, storage area networks, other media)? When, where, and how is data exported? 11

BUSINESS IMPACT ANALYSIS (BIA) Identifies business units, operations, and processes essential to the survival of the business. Considerations: Life or death situation Potential for significant loss of revenue Obligations to external parties may be jeopardized Quantify impacts where possible Determine: RTO Recovery time objective RPO Recovery point objective Critical for determining the order and priority of system recovery 12

DATA BACKUPS Questions to ask: Is your data backed up? How often? Where? (network storage, tape media, offsite/onsite) How is it stored and is it adequately secured? Is the restoration process tested? Regularly? How often? Work with IT staff to identify the critical resources required to recreate the data (includes hardware, database software, operating system, application configuration data, backed-up data, etc.) 13

IDENTIFY RESOURCES REQUIRED FOR RECOVERY EFFORT Alternate recovery site (co-location facilities, hotel meeting rooms, executive suites, etc.) o Hot / Warm / Cold? Server equipment (virtualized or physical, type/model, hardware configuration, storage equipment) o How quickly can equipment be purchased and acquired? Software including operating system type, database environment, application, and configuration settings. Backup management software Backup media equipment (backup equipment LTOs, SDLT, DDS) Backup media Connectivity (Internet, VPNs/links to partners, extranets) Critical IT staff (System Administrators, Database Administrators) 14

CLOUD CONSIDERATIONS Your Organization Network Cloud Provider (SaaS, PaaS, IaaS) Network Cloud Provider (SaaS, PaaS, IaaS) 15

CLOUD SERVICE CONSIDERATIONS Your Organization Cloud Service Provider Data Center Provider Outsourced Software Development Tier 1 Support 16

CLOUD MANAGEMENT CONSIDERATIONS Understand the vendor s environment Understand the vendor s disaster recovery / business continuity plan o DR is often separate from service level agreements (e.g., 99.999% uptime) in many agreements, which often have disaster / force majeure ( acts of God ) exceptions. Understand what guarantees they provide in DRP/BCP situations. o Obtain and review a Service Organization Controls (SOC) report Ensure there is an audit clause in your agreement 17

DISASTER RECOVERY PLAN STRUCTURE Assumptions (communications infrastructure in place, primary location still available, primary IT staff available) Roles and Responsibilities Declaration of a Disaster Equipment Salvage (procurement) System Recovery Process (alternate site) Resumption at Primary Site Declare End of Disaster (debrief) 18

CONSIDERATIONS Key staff (and/or vendors) may or may not be available during the recovery effort o Plan for Primary, Secondary, Tertiary, others o Ensure adequate decision-making and spending authority in advance Communications and infrastructure for the region may/may not be functioning Escalation plan and related timelines Recovery procedures should provide enough detailed so that alternate resources can follow if needed Recover all vs. subset of the required systems to meet critical (not all) business processes There will be performance degradation Functionality may be limited 19

ROLES AND RESPONSIBILITIES The Disaster Recovery Team includes Disaster Recovery Coordinator C-level individual or manager who directs the teams and serves as the leader of the recovery efforts Media/Communications Representative Salvage Team C-level manager, legal counsel or similar spokesperson who ensures a consistent message is communicated to the media IT and business unit staff who assess the equipment to determine if damage is minimal or extensive, and if new equipment needs to be procured Recovery Team IT team responsible for system rebuilding and data restoration Backup Support Staff The secondary individuals who can assume the role of the primary who may not be available 20

DECLARATION OF A DISASTER Criteria for invoking the disaster recovery plan Severe disruption to service Potential for major data loss Data security may have been compromised Initiating the call tree process Disaster Recovery Coordinator starts the notification and activates the other teams involved in the recovery effort Business unit managers responsible for notifying their teams 21

GET THE WORD OUT! Key Stakeholders: o Customers o Employees o Suppliers o Insurance providers o Civic agencies (e.g., Police, Fire, National Guard) o Local media Communication Channels: o Intranet o Externally-hosted website (consider mobile) o Phone o Automated phone service (call-out, dial-in, or both) o Print media o Mail o Bulletin board 22

DISASTER RECOVERY ACTIVITIES - EQUIPMENT SALVAGE Primary site may be available, but access is restricted due to danger Survey damage to assets for insurance purposes Determine if anything can be saved or serviced by the vendor immediately Device/Server support agreements need to be leveraged Test potentially damaged systems before relying on them for recovery operations Initiate emergency procurement process for immediate hardware, software, and appliance needs 23

DISASTER RECOVERY ACTIVITIES - SYSTEM RECOVERY PROCESS (ALTERNATE SITE) IT team members are heavily involved with assistance from various operations teams depending on system being recovered Rebuild (makeshift) network, ensuring security from Internet-based threats Think about connections that need to rerouted or pointed to recovery site Acquire or rebuild server hardware and install base operating system and patches Install and configure application and database software Consider controls (IT and non-it) Configure accordingly and test Initiate data restoration process Test processing functions with business unit representatives Get satisfactory response before deeming system operable and live in the recovery environment 24

DISASTER RECOVERY ACTIVITIES - RESUMPTION AT PRIMARY SITE Primary site has been declared safe by Fire Department, inspectors, other officials Connections to Internet and WAN have been re-established Replicate data back or move the recovery system for use as the primary system Re-establish connections or DNS pointers to primary site Test functionality with business process owners and get satisfactory response 25

BUSINESS CONTINUITY Questions: o How will you continue delivering your process/service? o How will you manage employees (e.g., payroll)? o How will you manage vendors? o Others? Considerations: o Alternate manual/paper-based methods o Alternate controls (Financial, Operational, ITGCs, Security, etc.) 26

DECLARING THE END OF THE DISASTER Communication to media, business partners, clients, other stakeholders Debrief with disaster recovery team members on what was good and where improvements need to be made Update the disaster recovery plan with new lessons learned 27

KEY CONSIDERATIONS Human safety is #1 Data security Remote work access Equipment acquisition Media storage DNS Sufficient insurance 28

DISASTER RECOVERY PLAN TESTING 1. Table top test 2. Structured walk-through 3. Parallel simulation 4. Live production simulation Test on an annual basis Keep your plan current Include all stakeholders (including vendors) 29

Cost of Planning & Mitigations ($) 30 HOW MUCH PLANNING AND MITIGATION IS ENOUGH? Target Level of Planning Length of Downtime / Absence of Critical Resource 30

RESOURCES NIST Contingency Planning Guide for Federal Information Systems http://csrc.nist.gov/publications/nistpubs/800-34- rev1/sp800-34-rev1_errata-nov11-2010.pdf Disaster Recovery Journal drj.com Business Recovery Manager s Association brma.com DRII the Institute for Continuity Management drii.org Moss Adams IT Consulting Group www.mossadams.com 31

PRESENTER Steve Shofner, CISA, CGEIT steve.shofner@mossadams.com 415-677-8263 (office) 510-681-6638 (cell) 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback