2. Agenda
Introduction
Roles of DRP/ECP
The 6 Resilience Layers
Training for the DRP team
Choosing outside expertise to assist with development of a DRP
Developing a DRP/ECP awareness campaign
Implementing a DRP/ECP awareness campaign
4. Roles of DRP/ECP
Emergency Management team (EMT)
Damage Assessment Team
Restoration Team
Operations Team
Customer Support Team
Salvage/Reclamation Team
Administrative Support Team
5. The 6 Resilience Layers
1. Strategy
2. Organization
3. Business and IT Processes
4. Data and Applications
5. Technology
6. Facilities and security
6. The 6 Resilience Layers
1. Strategy
Strategy is the first layer to be discussed
On this layer, the below components will be assessed and examined:
Vulnerabilities
Risks
Competitive edge
Baseline organizational culture
7. The 6 Resilience Layers
2. Organization
Executive sponsor
Roles, Responsibilities and Accountabilities
Well defined communication protocol
Cross-line-of-business linkage
Skills that are critical to the company
8. The 6 Resilience Layers
3. Business and IT Process
A successful plan requires identifying:
The minimum required functionalities during disruptive events
Alternate process/procedure that will allow operations to continue
Processes to achieve better workload balance
All processes and the contingency plan must be clear to all of the organization’s stakeholders
Business processes that support virtual, flexible and distributed workplaces
9. The 6 Resilience Layers
4. Data and Applications
Good, valuable and reliable information
Data and Application diversification
Architectures standardization
Ensure performance, availability and scalability
10. The 6 Resilience Layers
5. Technology
Technology components when planning resiliency:
Hardware architecture
System software
Middleware
Networks
Security Solutions
Levels of availability that should be aligned to the resiliency objectives:
Reliability
Redundancy
Failover
11. The 6 Resilience Layers
6. Facilities and Security
Level of the enterprise’s facilities:
Environment considerations
Geographical location
Dispersion
Security Access (Physical and logical security)
Power protection
Heating and cooling
12. The 6 Resilience Layers
Examples
1. Strategy: The university position in comparison to others
2. Organization: Executive support
3. Business and IT Processes: IT Processes changing
4. Data and Applications: SharePoint Server for all data – Diversification is required
5. Technology: No additional Exchange or SharePoint server
6. Facilities and security: Imminent power outage in case of disaster
13. Training for the DRP team
Risk evaluation and control
Business impact analysis
Emergency response and operations
Incident management
Developing and implementing DRP/ECPs
Maintaining and exercising BCPs
Public relations, media and crisis communication
14. Choosing outside expertise to assist with development of a DRP
Consultant that:
Acts as a facilitator whenever it is appropriate
Produces solid lasting solutions
Understands and acts to further the client’s mission
Only makes promises when they can be kept
Minimizes dependency of the client on the consultant
Encourages the client’s competence, confidence and commitment
Works with the client on the problem solution
Focuses on the relationship with the client and technical problems
Doesn’t take on any of the client’s responsibilities.
15. Developing a DRP/ECP awareness campaign
Establish goals and Components
Define the training/awareness method
Identify the target / audience
Implementing the awareness program
16. Implementing a DRP/ECP awareness campaign
Include DRP/ECP in the New Hire Orientation
Formal training
Awareness seminars and Brown bag sessions
Newsletter and Intranet
DRP/ECP quizzes
17. References
Hiles, A. (2007). The Definitive Handbook of Business Continuity Management, Second Edition. John Wiley & Sons.
Hiles, A. (2011). The Definitive Handbook of Business Continuity Management, Third Edition. John Wiley & Sons.
Goble, G., Fields, H., & Cocchiara, R. (2002). Resilient Infrastructure: improving your business resilience. IBM Global Services.
Maiwald, E., & Sieglein, W. (2002). Security Planning & Disaster Recovery. Berkeley, CA: McGraw-Hill/Osborne.
BS 25999-1 (2006). Business Continuity Management - Code of Practice. BSI.
BS 25999-2 (2007). Business Continuity Management - Specification. BSI.
Editor's Notes
Western Governors University
Master of Science, Information Security and Assurance
FXT2 – Disaster Recovery Planning, Prevention and Response
Marcelo Braga Silva
Student ID: 000200452

This Agenda will cover the requirements for the Task 1 of the FXT2 course, part of the Master of Science, Information Security and Assurance program at WGU.
January, 2014.

According to Goble, Fields, & Cocchiara (2002), resilient infrastructures are those that are “capable of proactively responding to both anticipated and unexpected stress and strains” (p. 2). The following is an introduction to the Disaster Recovery Plan and Enterprise Continuity Plan:

Why DRP/ECP?
If an infrastructure failure occurs and the university is not well prepared to respond to such an unexpected event, it can lose business opportunities, students and partners, reputation and credibility, research data, and even its most valuable information and applications.

Benefits of a DRP/ECP:
Identification of critical applications and services for the business
Identification of and preparedness for the major risks
Reduced downtime of applications and services
Improved operational effectiveness and resilience
Protection of assets
Compliance with national and international laws and standards
Improved security
Demonstration of continuity capabilities to the market, including customers, partners and shareholders

Three vital ingredients of a successful DRP/ECP (Goble, Fields, & Cocchiara, 2002, p. 9):
Recovery: Safe, rapid, offsite data recovery
Hardening: The fortification of all or part of the infrastructure
Redundancy: The duplication of all or part of the infrastructure

Defensive Posture / Offensive Posture
Defensive Posture components: Recovery, Hardening, Redundancy
Offensive Posture components: Accessibility, Diversification, Autonomic computing

The DRP/ECP team is composed of different teams. One of the key teams is the Emergency Management Team (EMT). According to Hiles (2007), the EMT’s role is “to take business decisions, assess and make judgments on business priorities and to facilitate and support the business continuity manager. It also has an important role in marketing, public relations and media management issues.” The following are some roles of the DRP/ECP team members:
Emergency Management Team: Composed of key senior managers, public relations and marketing, and the business continuity manager or coordinator.
Damage Assessment Team: Assesses the damage to the Data Center and reports to the EMT.
Restoration Team: Brings the production site systems and applications to operational mode in a DR site, and also brings them back to the production site.
Operations Team: Assists in the recovery operations of infrastructure, systems and services.
Customer Support Team: Assists the customers (external/internal) during the disaster, until operations are resumed.
Salvage/Reclamation Team: Manages the restoration or rebuilding of the Data Center.
Administrative Support Team: Provides logistical and organizational support for all other teams.

These six layers represent the “Framework for resiliency” (Goble, Fields, & Cocchiara, 2002). This framework enables management and technical teams to lead the enterprise to a successful Disaster Recovery Plan.

When we talk about preparedness for anticipated and unexpected events, the Strategy layer is the first one to be discussed. On this layer, assessments will examine components such as vulnerabilities and risks to the enterprise, taking into account its industry position and its competitiveness. The enterprise’s strategies and the baseline organizational culture will also be examined (Goble, Fields, & Cocchiara, 2002).

Organizational changes are required to build a successful resiliency plan. It requires:
An executive sponsor, usually a senior business leader or a Vice President
Roles, responsibilities and accountabilities
Well-defined communication protocol
Cross-line-of-business linkage
Skills that are critical to the company

The resiliency plan should focus on the business and IT processes and procedures that are critical for the organization’s operation and its infrastructure. A successful plan requires identifying:
The minimum required functionalities during disruptive events
Alternate processes and procedures that will allow operations to continue
Processes to achieve better workload balance
All processes and the contingency plan must be clear to all of the organization’s stakeholders
Business processes that support virtual, flexible and distributed workplaces
(Goble, Fields, & Cocchiara, 2002)

21st-century organizations rely on good, valuable and reliable information, whether it is about customers, employees, competitors, products or suppliers, and on the systems responsible for processing and analysing that information as well. Thus, multiple data and application sources are required.
Data and application diversification
Architecture standardization
Ensure performance, availability and scalability

Technology is a key component to create a resilient business. The IT infrastructure and the budget assigned to it must be aligned to the organization’s resiliency goals.

Technology components when planning resiliency:
Hardware architecture
System software
Middleware
Networks
Security Solutions

Levels of availability that should be aligned to the resiliency objectives:
Reliability
Redundancy
Failover

Single point of failure: Should be known and addressed
High-Availability (HA) components in the infrastructure should be examined
Continuous replication across different sites (Primary/Secondary)

When examining the resiliency level of the enterprise’s facilities:
Environment considerations
Geographical location
Dispersion
Security Access (Physical and logical security)
Power protection (UPS, batteries, generators, etc.)
Heating and cooling (Pods, racks, small rooms, UPS rooms)
Provide and test the security mechanisms and equipment

Strategy: Risks, vulnerabilities and competitiveness will be assessed, taking into account the position the university has in comparison to the other universities, regional and national.
Organization: The university needs executive support for the plan, and for all organizational changes that the university will need for a successful DRP.
Business and IT Processes: The university will have to change some IT processes in order to enable employees and students to leverage the university’s infrastructure beyond the three-floor facilities that it has currently.
Data and Applications: Currently the university uses Microsoft SharePoint for all data. However, for a good resiliency plan, some diversification of data and applications should be implemented, and high availability through redundant servers across different sites is also recommended.
Technology: The university has only one server for each application: one Exchange Server and one SharePoint Server. Currently there is no redundancy and there are no additional servers for failover in case of disaster, or even to recover from a simple hardware failure. Thus, there is a single point of failure, which will be addressed in the Technology layer of the Framework for Resiliency.
Facilities: There are physical risks to the operations. Blizzards could potentially knock out power and earthquakes could damage the building.

BS 25999-1 (2006) requires that “the organization should have a process for identifying and delivering the BCM awareness requirements of the organization and evaluating the effectiveness of its delivery.”
Risk evaluation and control
Business impact analysis
Emergency response and operations
Incident management
Developing and implementing DRP/ECPs
Maintaining and exercising BCPs
Public relations, media and crisis communication

The university should look for the following characteristics in outside expertise to assist with the development of a DRP:
Acts as a facilitator whenever it is appropriate
Avoids “quick fixes” and produces solid lasting solutions
Understands and acts to further the client’s mission
Does not confuse the client by talking in a different language
Only makes promises when they can be kept
Keeps a good relationship with others in the company
Minimizes dependency of the client on the consultant
Encourages the client’s competence, confidence and commitment
Works with the client on the problem solution
Focuses on the relationship with the client and technical problems
Doesn’t take on any of the client’s responsibilities
(Hiles, 2007)

BSI 25999-1 Business Continuity Management Code of Practice requires that “the organization should have a process for identifying and delivering the BCM awareness requirements of the organization and evaluating the effectiveness of its delivery.” (Hiles, 2011)

Establish goals and components:
Training the team leaders (“Train the trainers”) and other team members
Cover the skills gaps in the Enterprise Continuity team, indicated in BS 25999/DRII Common Body of Knowledge
Train the EC team through exercising the plan (Hiles, 2011)
Disseminate all information related to the Disaster Recovery Plan and Enterprise Continuity Plan and Policy, including priorities and objectives, deliverables, level of acceptance of disruption and recovery time

Define the training/awareness method:
Induction training for new hires
Articles, news and letters in corporate newsletters
Use of internal web pages, blogs and Intranet
Conducting tests and exercises, with observers

Identify the target / audience:
All stakeholders: members of the Business Continuity team and other enterprise staff (employees, contractors and consultants)

Implementing the awareness program (next slide)

Maiwald & Sieglein (2002) stated that we “should take advantage of every possible method to keep users interested and engaged”. Therefore, the following are some training methods to be implemented as part of the DRP/ECP awareness campaign:

Include DRP/ECP in the New Hire Orientation:
The organization’s information security policies and procedures should be covered during the Orientation (Maiwald & Sieglein, 2002)
The new hires should be compliant with all security policies and procedures
The new hires should read and sign the Acceptable Use Policy and any other document related to Information Security

Formal training:
Vendor-specific training for the infrastructure and security teams: network devices (switches, routers, load balancers, gateways); security solutions (firewalls, proxies, IDS, IPS, antivirus, HSMs); servers (hardware, operating systems, virtualization), among others
Internal training in accordance with each stakeholder group

Awareness seminars and Brown bag sessions:
Provide information about new technologies within the company and the security related to them
Provide the latest and most useful information regarding the DRP/ECP
Tell them how they can help in case some unexpected event comes up
Explain how the company is counting on them to have a successful DRP/ECP implemented

Newsletter and Intranet:
Implement a quarterly Awareness Newsletter for end users
Create an area in the company Intranet dedicated to DRP/ECP awareness
Add some security-related information, including external links to vendors’ websites and articles

DRP/ECP quizzes:
Periodically enable some quizzes on the Intranet and also during some seminars and trainings, and promote some raffles as a way to encourage them