2 Prepare Disaster Recovery and Contingency Plan


COMPETENCY TWO

Prepare Disaster Recovery and Contingency Plan

• Evaluate impact of system on business continuity
• Evaluate threats to system
• Formulate prevention and recovery strategy
• Develop disaster recovery plan to support strategy

Introduction
• Most businesses depend heavily on technology and automated systems, and their disruption for even a few days could cause severe financial loss and threaten survival.
• The continued operations of an organization depend on management’s:
  - awareness of potential disasters
  - ability to develop a plan to minimize disruptions of critical functions
  - capability to recover operations successfully.
• A disaster recovery plan is a comprehensive statement of consistent actions to be taken before, during and after a disaster.
• The primary objective of disaster recovery planning is to protect the organization in the event that all or part of its operations and/or computer services are rendered unusable.

Evaluate impact of system on business continuity

Business continuity analysis:
  - the effects resulting from disruption of business functions and processes.
• Operational and financial impacts point in time
• Business requirements – the detailed set of knowledge worker requests that the system must meet in order to be successful.
• The business requirement states what the system must do from a business perspective.
• security environment
• Business-critical functions
  - financial systems
  - customer service functions
  - payroll
useful way to identify:
from documentation
from discussion with business area and project team.
everyone who will be involved in using the system.
• Potential impacts of business risk and threats on IT systems are assessed.

Assessing and analyzing business risk and threats on IT system

• Risk is defined as “the possibility that an event will occur and adversely affect the achievement of objectives.”
• Risk assessment is a systematic process for identifying and evaluating events (i.e., possible risks and opportunities) that could affect the achievement of objectives, positively or negatively.

Risk Analysis Techniques

The risk analysis process provides the foundation for the entire recovery planning effort.

A risk analysis: involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to these threats.

A risk assessment: involves evaluating existing physical and environmental security and controls, and assessing their adequacy relative to the potential threats of the organization.

A business impact analysis: involves identifying the critical business functions within the organization and determining the impact of not performing the business function beyond the maximum acceptable outage.

Types of criteria that can be used to evaluate the impact include: customer service, internal operations, legal/statutory and financial.

Most businesses depend heavily on technology and automated systems, and their disruption for even a few days could cause severe financial loss and threaten survival.

Risk analysis process

Possible threats that could arise inside or outside the organization need to be assessed.

Although the exact nature of potential disasters or their resulting consequences is difficult to determine, it is beneficial to perform a comprehensive risk assessment of all threats that can realistically occur to the organization.

The goals of business recovery planning are to ensure the safety of customers, employees and other personnel during and following a disaster.

Cont..
The relative probability of a disaster occurring should be determined.
Items to consider in determining the probability of a specific disaster should include:
1. geographic location
2. topography of the area
3. proximity to major sources of power
4. bodies of water and airports,
5. degree of accessibility to facilities within the organization
6. history of local utility companies in providing uninterrupted services
7. history of the area’s susceptibility to natural threats, proximity to major highways which transport hazardous waste and combustible products.

Potential exposures may be classified as natural, technical, or human
threats. Examples include:

1. Natural Threats: flooding, fire, seismic activity, high winds, snow and
ice storms, volcanic eruption.
2. Technical Threats: power failure/fluctuation, heating, ventilation or air
conditioning failure, malfunction or failure of CPU, failure of system
software, failure of application software, telecommunications failure, gas
leaks, communications failure.
3. Human Threats: robbery, bomb threats, vandalism, terrorism, civil
disorder, chemical spill, war, biological contamination, radiation
contamination, hazardous waste, vehicle crash, computer crime.

Considerations in analyzing risk include:

1. Investigating the frequency of particular types of disasters (often versus seldom).
2. Determining the degree of predictability of the disaster.
3. Analyzing the speed of onset of the disaster (sudden versus gradual).
4. Determining the amount of forewarning associated with the disaster.
5. Estimating the duration of the disaster.
6. Considering the impact of a disaster based on two scenarios:
a. Vital records are destroyed
b. Vital records are not destroyed.
7. Identifying the consequences of a disaster, such as:
a. Personnel availability
b. Personal injuries
c. Loss of operating capability
d. Loss of assets
e. Facility damage.

8. Determining the existing and required redundancy levels throughout the organization to accommodate critical systems and functions, including:
a. Hardware
b. Information
c. Communication
d. Personnel
e. Services
9. Estimating potential Birr loss;
a. Increased operating costs
b. Loss of business opportunities
c. Loss of financial management capability
d. Loss of assets
e. Negative media coverage
f. Loss of stockholder confidence
g. Loss of goodwill
h. Loss of income
i. Loss of competitive advantage
j. Legal actions.

10. Estimating potential losses for each business
function based on the financial and service impact,
and the length of time the organization can operate
without this business function.
The impact of a disaster related to a business
function depends on the type of outage that occurs
and the time that elapses before normal operations
can be resumed.
11. Determining the cost of contingency planning

Assessing business risk and threats on IT system

The objectives and events under consideration determine the scope of the risk assessment to be undertaken. Examples of frequently performed risk assessments include:

1. Strategic risk assessment: Evaluation of risks relating to the organization’s mission and strategic objectives, typically performed by senior management teams in strategic planning meetings, with varying degrees of formality.

2. Operational risk assessment. Evaluation of the risk of loss (including risks to financial performance and condition) resulting from inadequate or failed internal processes, people, and systems, or from external events.

3. Compliance risk assessment. Evaluation of risk factors relative to the organization’s compliance obligations, considering laws and regulations, policies and procedures, ethics and business conduct standards, and contracts, as well committed.

4. Internal audit risk assessment. Evaluation of risks related to the value drivers of the organization, covering strategic, financial, operational, and compliance objectives.

5. Financial statement risk assessment. Evaluation of risks related to a material misstatement of the organization’s financial statements through input from various parties such as the controller, internal audit, and operations.

6. Fraud risk assessment. Evaluation of potential instances of fraud that could requirements, financial reporting integrity, and other objectives.

7. Market risk assessment. Evaluation of market movements that could affect the organization’s performance or risk exposure, considering interest rate risk, currency risk, option risk, and commodity risk.

8. Credit risk assessment. Evaluation of the potential that a borrower or counterparty will fail to meet its obligations in accordance with agreed terms.

9. Customer risk assessment. Evaluation of the risk profile of customers that could potentially impact the organization’s beliefs and financial position.

10. Supply chain risk assessment. Evaluation of the risks associated with identifying the inputs and logistics needed to support the creation of products and services.

11. Product risk assessment. Evaluation of the risk factors associated with an organization’s product, from design and development through manufacturing, distribution, use, and disposal.

12. Security risk assessment. Evaluation of potential violations in an organization’s physical assets and information protection and security.

13. Information technology risk assessment. Evaluation of potential for technology system failures and the organization’s return on information technology investments. This assessment would consider such factors as processing capacity, access control, data protection, and cyber crime. This is typically performed by an organization’s information technology risk and governance specialists.

14. Project risk assessment. Evaluation of the risk factors associated with the delivery or implementation of a project, considering stakeholders, dependencies, timelines, cost, and other key considerations. This is typically performed by project management teams.

STEPS IN THE RISK MANAGEMENT PROCESS
• Risk assessments provide a basis for establishing appropriate policies and selecting cost-effective techniques to implement these policies.

• Since risks and threats change over time, it is important that organizations periodically reassess risks and reconsider the appropriateness and effectiveness of the policies and controls they have selected.

Risk management process typically includes six steps. These steps are:

1. Determining the objectives of the organization,
2. Identifying exposures to loss,
3. Measuring those same exposures,
4. Selecting alternatives,
5. Implementing a solution, and
6. Monitoring the results.

Businesses have several alternatives for the management of risk, including
avoiding, assuming, reducing, or transferring the risks. Avoiding risks, or
loss prevention, involves taking steps to prevent a loss from occurring, via
such methods as employee safety training.

Five characteristics of a strong risk management programme

1. Senior management champions the programme

As with so many business initiatives, the success of a risk management programme depends on the active support of senior management.

2. They are inclusive

Effective risk management programs do not rely on the work and resources of any single person or group within the organization. While often led by a risk management officer, the best programs draw on the input and co-operation of every part of the organization.

3. They are transparent

Risk management programs work best and companies reap the greatest possible benefit from them when their goals, processes and results are shared with all the company’s stakeholders.

4. They are holistic

The best risk management programs not only address all the risks to which modern corporations are susceptible, they also consider how these various risks can affect the company’s stakeholders and operations.

5. They are proactive

Effective risk management programs do not merely insure companies against downside risks, they also include proactive systems and processes to maximize the opportunities presented by variable risks.

Basic Elements of the Risk Assessment Process

As reliance on computer systems and electronic data has grown, information security risk has joined the array of risks that governments and businesses must manage. Regardless of the types of risk being considered, all risk assessments generally include the following elements.

1. Identifying threats that could harm and, thus, adversely affect critical operations and assets. Threats include such things as intruders, criminals, disgruntled employees, terrorists, and natural disasters.

2. Estimating the likelihood that such threats will materialize based on historical information and judgment of knowledgeable individuals.

3. Identifying and ranking the value, sensitivity, and criticality of the operations and assets.

4. Estimating, for the most critical and sensitive assets and operations, the potential losses or damage that could occur if a threat materializes, including recovery costs.

5. Identifying cost-effective actions to mitigate or reduce the risk. These actions can include implementing new organizational policies and procedures as well as technical or physical controls.

6. Documenting the results and developing an action plan.

Challenges Associated With Assessing Information Security Risks

Reliably assessing information security risks can be more difficult than assessing other types of risks, because the data on the likelihood and costs associated with information security risk factors are often more limited and because risk factors are constantly changing.

1. data are limited on risk factors, such as the likelihood of a sophisticated hacker attack and the costs of damage, loss, or disruption caused by events that exploit security weaknesses;

2. some costs, such as loss of customer confidence or disclosure of sensitive information, are inherently difficult to quantify;

3. although the cost of the hardware and software needed to strengthen controls may be known, it is often not possible to precisely estimate the related indirect costs, such as the possible loss of productivity that may result when new controls are implemented; and

4. even if precise information were available, it would soon be out of date due to fast-paced changes in technology and factors such as improvements in tools available to would-be intruders.

Strategies for dealing with risk
• There are two main strategies for dealing with risk (apart from ignoring it in the hope it will go away): prevent or recover.

Prevention
• With prevention you attempt to decrease the probability (maybe even to 0) of the event occurring or causing damage. Many events can never be totally eliminated but their impact may be minimised.

Recovery
• Recovery procedures are put in place to ensure that the system can be quickly restored after the event occurs.

Recovery and prevention options

The recovery or prevention option chosen will vary depending upon the threat being analysed. Some of the more common options are listed in the following table.

Cost of recovery and prevention options

• When deciding which options to adopt, you need to weigh the possible cost of the risk event against the cost of the recovery or prevention option (single incident cost). A simple formula can be used to calculate how much money to allocate to a recovery or prevention measure for the known value of an asset.

• Loss = Single Incident Cost × Rate of Threat Occurrence

The loss of critical systems can cost major organizations, such as banks, large sums of money.

They are therefore willing to invest in backup sites to keep their systems running in the event of a major disaster. Their numerous branches and offices provide locations in which they can site the backup equipment.

While a typical small business can still suffer a relatively large loss in the case of critical system failure, it will probably not choose to create a backup site because of the high cost.
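
The weighing described above, carried through for the bank and the small business as an added example (not part of the original slides). It goes slightly beyond the formula by comparing several options: all Birr figures, option names and reduction fractions are constructed, and treating prevention as lowering the rate of occurrence and recovery as lowering the single incident cost is an assumption based on the definitions given earlier.

```python
from dataclasses import dataclass

@dataclass
class Option:
    name: str
    kind: str           # "prevention" lowers the rate, "recovery" lowers the incident cost
    annual_cost: float  # yearly cost of running the option (Birr)
    reduction: float    # fraction of the rate or incident cost removed (assumed)

def expected_loss(single_incident_cost, rate_per_year):
    """Loss = Single Incident Cost x Rate of Threat Occurrence (per year)."""
    return single_incident_cost * rate_per_year

def evaluate(single_incident_cost, rate_per_year, options):
    """Return (baseline loss, [(name, residual loss, net benefit)]), best option first."""
    baseline = expected_loss(single_incident_cost, rate_per_year)
    rows = []
    for opt in options:
        if opt.kind == "prevention":
            residual = expected_loss(single_incident_cost, rate_per_year * (1 - opt.reduction))
        elif opt.kind == "recovery":
            residual = expected_loss(single_incident_cost * (1 - opt.reduction), rate_per_year)
        else:
            raise ValueError(f"unknown option kind: {opt.kind}")
        # Worth buying only if the loss it removes exceeds what it costs.
        rows.append((opt.name, residual, baseline - residual - opt.annual_cost))
    rows.sort(key=lambda r: r[2], reverse=True)
    return baseline, rows

def choose(single_incident_cost, rate_per_year, options):
    """Name of the option with the highest positive net benefit, else 'accept risk'."""
    _, rows = evaluate(single_incident_cost, rate_per_year, options)
    return rows[0][0] if rows and rows[0][2] > 0 else "accept risk"

# Constructed figures: critical-system outage expected once every five years.
OPTIONS = [
    Option("backup site", "recovery", 400_000, 0.9),
    Option("off-site backups", "recovery", 5_000, 0.5),
    Option("redundant power", "prevention", 30_000, 0.5),
]
ORGS = {"bank": 5_000_000, "small business": 200_000}  # single incident cost

if __name__ == "__main__":
    for org, cost in ORGS.items():
        baseline, rows = evaluate(cost, 0.2, OPTIONS)
        print(f"{org}: loss {baseline:,.0f} Birr/year -> {choose(cost, 0.2, OPTIONS)}")
        for name, residual, net in rows:
            print(f"  {name:17} residual {residual:>10,.0f}  net benefit {net:>10,.0f}")
```

With these figures the backup site pays for itself only at the bank's scale; for the small business it has the worst net benefit of the three options.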
Available options

In choosing risk prevention and recovery options to employ you need to consider:

• how critical the system is and how far the organization relies on it

• the surrounding infrastructure and how susceptible the organization is to a risk event

• the existing procedures and controls used and how these may be enhanced

• the equipment that may be available to prevent or recover from the event