Chapter-4: Business Continuity Planning and Disaster Recovery Planning

The document discusses various aspects of business continuity planning and disaster recovery planning. It covers types of backup plans like emergency plans, backup plans, recovery plans, and test plans. It also discusses different types of backups including full, incremental, differential, and mirror backups. The document outlines alternate processing facility arrangements like cold sites, warm sites, hot sites, and reciprocal agreements. It concludes by covering the key components of a disaster recovery procedural plan such as resumption procedures, maintenance schedules, and individual responsibilities.

Uploaded by

jonnajon92-1

Chapter-4: Business Continuity Planning and Disaster Recovery Planning
PAPER-6 PART-4 OF 5
CA A.RAFEQ, FCA

Learning Objectives

To understand the concept of Business Continuity Management
To understand the key phases and components of a Business Continuity Plan
To understand the key aspects of Business Continuity Plan implementation
To learn about Back-up and Disaster Recovery Planning
To learn how to audit a Business Continuity Plan

Topics Covered

PART-4
4.13 Types of Plans
4.14 Types of Back-ups
4.15 Alternate Processing Facility Arrangements
4.16 Disaster Recovery Procedural Plan

4.13 Types of Plans

Emergency Plan
Back-up Plan
Recovery Plan
Test Plan

Emergency Plan

Emergency plan specifies the actions
Management must identify situations
Actions to be initiated
Security review program

Four aspects of the emergency plan

Plan must show who is to be notified immediately when the disaster occurs
Plan must show actions to be undertaken
Any evacuation procedures required must be specified
Return procedures

Back-up Plan

Type of backup
Could be complex
Difficult to specify
Backup plan needs continuous updating
Key responsibilities
Backup task
Hardware and software must be updated

Recovery Plan

Backup plan is intended to restore operations
Recovery plan should identify a recovery committee
Indicate Applications
Recovery committee must understand their responsibilities
Review and practice executing their responsibilities
Committee members

Test Plan

Final component of a disaster recovery plan is a test plan
Identify deficiencies
Enable a range of disasters
Test plans must be invoked
Top managers
Real disaster

4.14 Types of Back-ups

Types of Backups
Full Backup
Incremental Backup
Differential Backup
Mirror back-up

Full Backup

Backup captures all files
Backup generation contains every file
Realistic proposition for backing up a large amount of data

Incremental Backup

Incremental backup captures files
Economical method
Saves a lot of backup time and space
Incremental backups are very difficult to restore

Differential Backup

Differential backup stores files that have changed
Differential backup is obviously faster
Differential backup is a two-step operation
Restoring from the last full backup
Differential backup probably includes files that were already included

Mirror back-up

Mirror backup is identical to a full backup.
Backup is most frequently used to create an exact copy.

Question

4. Briefly explain the various types of systems back-up for the system and data together. (5 Marks) (Nov 2008)

Answer

Types of systems Back-ups
When the back-ups are taken of the system and data together, they are called total systems back-up.
System back-up may be:
Full Backup
Differential Backup
Incremental Backup
Mirror back-up

Answer

Full Backup: Every backup generation contains every file in the backup set. However, the amount of time and space such a backup takes prevents it from being a realistic proposition for backing up a large amount of data. This is the simplest form of backup with a single restoring session for restoring all backed-up files.

Differential Backup: It contains all the files that have changed since the last full backup. This is in contrast to incremental backup generation, which holds all the files that were modified since the last full or incremental backup. It is faster and more economical in using the backup space, as only the files that have changed since the last full backup are saved.

Answer

Incremental Backup: Only the files that have changed since the last full backup / differential backup / or incremental backup are saved. This is the most economical method, as only the files that changed since the last backup are backed up. This saves a lot of backup time and space. Normally, it is difficult to restore as you have to start with recovering the last full backup, and then recovering from every incremental backup taken since.

Mirror back-up: It is identical to a full backup, with the exception that the files are not compressed in zip files and they cannot be protected with a password. A mirror backup is most frequently used to create an exact copy of the backup data.
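
The capture and restore rules in the answers above, as an added example that is not part of the original slides: it simulates what each backup type captures over a constructed schedule and works out which backups must be restored, in order, to reach the latest state. It goes slightly beyond the slides by also handling a schedule that mixes differential and incremental backups; the names Backup, run_schedule and restore_chain and the sample files are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Backup:
    seq: int          # position in the catalogue, oldest first
    kind: str         # "full", "differential" or "incremental"
    files: frozenset  # files captured in this backup generation

def run_schedule(all_files, schedule):
    """schedule: list of (kind, files changed since the previous backup)."""
    catalogue, since_full = [], set()
    for seq, (kind, changed) in enumerate(schedule):
        since_full |= set(changed)
        if kind == "full":
            captured, since_full = set(all_files), set()
        elif kind == "differential":
            captured = set(since_full)   # everything changed since the last full
        else:
            captured = set(changed)      # only changes since the last backup
        catalogue.append(Backup(seq, kind, frozenset(captured)))
    return catalogue

def restore_chain(catalogue):
    """Backups to restore, in order, to reach the most recent state."""
    fulls = [b for b in catalogue if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup in catalogue")
    base = max(fulls, key=lambda b: b.seq)
    later = sorted((b for b in catalogue if b.seq > base.seq), key=lambda b: b.seq)
    chain, start = [base], base.seq
    diffs = [b for b in later if b.kind == "differential"]
    if diffs:                            # two-step restore: full + latest differential
        chain.append(diffs[-1])
        start = diffs[-1].seq
    # every incremental taken after that point is required, in order
    chain += [b for b in later if b.kind == "incremental" and b.seq > start]
    return chain

# Constructed sample data: one week of backups over four files.
FILES = {"a.db", "b.doc", "c.cfg", "d.log"}
WEEK = [("full", []), ("incremental", ["a.db"]), ("incremental", ["b.doc"]),
        ("differential", ["c.cfg"]), ("incremental", ["d.log"])]

if __name__ == "__main__":
    for b in restore_chain(run_schedule(FILES, WEEK)):
        print(b.seq, b.kind, sorted(b.files))
```

An incremental-only schedule yields a chain as long as the number of backups since the last full one, while a differential-only schedule always yields a chain of two.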

4.15 Alternate Processing Facility Arrangements

Cold site
Warm site
Hot site
Reciprocal agreement

Cold site

Organisation can tolerate some downtime
Cold site has all the facilities
Establish its own cold-site facility

Hot site

Organisation might need hot site backup
Hardware and operations facilities
A hot site is expensive to maintain
Shared with other organisations

Warm site

A warm site provides an intermediate level
Cold-site facilities in addition
Warm site might contain selected peripheral equipment

Reciprocal agreement

Two or more organisations
Backup option is relatively cheap

Reciprocal agreement

How soon the site will be made available subsequent to a disaster
The number of organizations that will be allowed to use the site concurrently in the event of a disaster
The priority to be given to concurrent users of the site in the event of a common disaster
The period during which the site can be used
The conditions under which the site can be used
The facilities and services the site provider agrees to make available
What controls will be in place and working at the off-site facility

Question

A company has decided to outsource a third party site for its alternate back-up and recovery process. What are the issues to be considered by the security administrator while drafting the contract? (5 Marks) (May 2010)

Answer

If a third party site is to be used for backup and recovery purposes, security administrators must ensure that a contract is written to cover the following issues:
How soon the site will be made available subsequent to a disaster
The number of organizations that will be allowed to use the site concurrently in the event of a disaster
The priority to be given to concurrent users of the site in the event of a common disaster
The period during which the site can be used

Answer

The conditions under which the site can be used
The facilities and services the site provider agrees to make available
What controls will be in place and working at the off-site facility

The above are the main issues that should be covered while drafting a contract. These issues are often poorly specified in reciprocal agreements. Moreover, they can be difficult to enforce under a reciprocal agreement because of the informal nature of the agreement.

Question

Discuss the various backup options considered by a security administrator when arranging alternate processing facility. (4 Marks) (May 2011)

Answer

Security administrators should consider the following backup options while arranging alternate processing facility:

Cold site
Hot site
Warm site
Reciprocal agreement

Answer

Cold site
If an organization can tolerate some down time, cold site backup might be appropriate
A cold site has all the facilities needed to install a mainframe system, raised floors, air conditioning, power, communication lines, and so on
An organization can establish its own cold site facility or enter into an agreement with another organization to provide a cold site facility

Answer

Hot site
If fast recovery is critical, an organization might need hot site backup
All hardware and operations facilities will be available at the hot site
In some cases, software, data and supplies might also be stored there
A hot site is expensive to maintain
They are usually shared with other organizations that have hot site needs

Answer

Warm site
It provides an intermediate level of backup
It has all cold site facilities, along with hardware that might be difficult to obtain or install
For example, a warm site might contain selected peripheral equipment plus a small mainframe with sufficient power to handle critical applications in the short run

Answer

Reciprocal agreement
Two or more organizations might agree to provide backup facilities to each other in the event of one suffering a disaster
This backup option is relatively cheap, but each participant must maintain sufficient capacity to operate another's critical system

4.16 Disaster Recovery Procedural Plan

Conditions for activating the plans
Emergency procedures
Fall-back procedures
Resumption procedures
Maintenance schedule
Awareness and education activities
Responsibilities of individuals

Disaster Recovery Procedural Plan

Resumption procedures, which describe the actions to be taken to return to normal business operations
A maintenance schedule, which specifies how and when the plan will be tested, and the process for maintaining the plan
Awareness and education activities, which are designed to create an understanding of the business continuity process and ensure that the business continues to be effective
The responsibilities of individuals describing who is responsible for executing which component of the plan. Alternatives should be nominated as required

Disaster Recovery Procedural Plan

Contingency plan document distribution list
Detailed description of the purpose and scope of the plan
Contingency plan testing and recovery procedure
List of vendors doing business with the organization, their contact numbers and address for emergency purposes
Checklist for inventory taking and updating the contingency plan on a regular basis
List of phone numbers of employees in the event of an emergency

Disaster Recovery Procedural Plan

Emergency phone list for fire, police, hardware, software, suppliers, customers, back-up location, etc
Medical procedure to be followed in case of injury
Back-up location contractual agreement, correspondences
Insurance papers and claim forms
Primary computer centre hardware, software, peripheral equipment and software configuration

Disaster Recovery Procedural Plan

Location of data and program files, data dictionary, documentation manuals, source and object codes and back-up media.
Alternate manual procedures to be followed such as preparation of invoices.
Names of employees trained for emergency situation, first aid and life saving techniques.
Details of airlines, hotels and transport arrangements.

Questions

3. What do you understand by the term Disaster? What procedural plan do you suggest for disaster recovery? (10 Marks) (Nov 2008)

4. (A) Explain the various general components of Disaster Recovery Plan (8 Marks) (Nov. 2011)

Answer

The term disaster can be defined as an incident which jeopardizes business operations and/or human life. It could be due to sabotage (human) or natural causes. The following is the procedural plan for disaster recovery.

Disaster Recovery Procedural Plan: Normally, the disaster recovery procedural plan is made when the system is working normally. After visualizing the disaster, the actions to be taken by different people in the organization are to be documented.

Answer

This recovery and planning document may include the following areas:
The conditions for activating the plans, which describe the process to be followed before each plan is activated.
Emergency procedures, which describe the actions to be taken following an incident which jeopardises business operations and/or human life. This should include arrangements for public relations management and for effective liaison with appropriate public authorities, e.g. police, fire services and local government.

Answer

Fall-back procedures, which describe the actions to be taken to move essential business activities or support services to alternate temporary locations, to bring business process back into operation in the required time-scale
Resumption procedures, which describe the actions to be taken to return to normal business operations
A maintenance schedule, which specifies how and when the plan will be tested, and the process for maintaining the plan

Answer

Awareness and education activities, which are designed to create an understanding of the business continuity process and ensure that the business continues to be effective
The responsibilities of individuals describing who is responsible for executing which component of the plan. Alternatives should be nominated as required
Contingency plan document distribution list
Detailed description of the purpose and scope of the plan

Answer

Contingency plan testing and recovery procedure.
List of vendors doing business with the organization, their contact numbers and address for emergency purposes.
Checklist for inventory taking and updating the contingency plan on a regular basis.
List of phone numbers of employees in the event of an emergency.

Answer

Emergency phone list for fire, police, hardware, software, suppliers, customers, back-up location, etc.
Medical procedure to be followed in case of injury
Back-up location contractual agreement, correspondences
Insurance papers and claim forms
Primary computer centre hardware, software, peripheral equipment and software configuration

Answer

Location of data and program files, data dictionary, documentation manuals, source and object codes and back-up media
Alternate manual procedures to be followed such as preparation of invoices
Names of employees trained for emergency situation, first aid and life saving techniques
Details of airlines, hotels and transport arrangements

Summary

PART-4
4.13 Types of Plans
4.14 Types of Back-ups
4.15 Alternate Processing Facility Arrangements
4.16 Disaster Recovery Procedural Plan

Thank you!
