Academic year: 2021

(1)

Planning for Disaster

Ramesh Ramani CISM CGEIT

Paramount-Dubai

(2)

Agenda

• Disaster Management-Introduction
• Examples
• BCP and IT Continuity
• Process of Disaster Management-PDCA
• Disaster Management Framework
• Project Execution
• Typical Plan

(3)

Disaster Management

• Discipline of dealing with and avoiding risks
• Discipline that involves preparing for disaster BEFORE it occurs
• Sometimes referred to as Business Continuity Planning (BCP)

(4)

Definitions-Disaster

“situation or event which overwhelms local capacity, necessitating a request to a national or international level for external assistance.”

“An overwhelming ecological disruption occurring on a scale sufficient to require outside assistance”

“exceptional events that kill or injure a large number of people”

“Strategic and Tactical capability of an organisation to plan for and respond to incidents and business disruptions in order to continue business operations to an acceptable pre-defined level”-BS 25999

(5)

Examples-Disaster

• Japan-March 2011
• Middle East
• Tsunami-December 2006
• Haiti Earthquake
• Oil Spill-Gulf of Mexico
• 9-11
• Flooding Mumbai-2005
• Power Outage Dubai-2005
• Flooding Sharjah-2009

V l

A h E

(6)

Middle East

• People-Expat Dependency
• Volatility
• Absence of Laws/Regulations
• Monopolistic-Telco/Power etc.
• BCP-Not generally available in SME

(7)

IT and BCP

• Industry age to information age
• Information itself is becoming business
• International Standards
  – ISO 27001:2005-Information Security
  – BS 25999-Business Continuity
  – BS 25777-IT Service Continuity

(8)

Disaster Management

(9)

PM Framework-DR

[Diagram: framework flow]

• Risk Assessment (Critical Assets): Vulnerability, Value, Threat
• Business Impact Analysis: RTO / RPO / Max Outage
• Business Continuity Plan (BS 25999)
• Disaster Recovery Strategy Plan
• Drawing of IT Continuity Plan (BS 25777)
• Existing setup / Redundancy / New Technologies
• Drawing of RFP for DR site
• Testing DRP

(10)

Risk Management

[Diagram: PDCA cycle]

• Plan: Risk Assessment; Risk Mitigation Plan
  – Vulnerability, Threat, Asset Value
  – Technical, People, Processes, Procedures
• Do: Risk Mitigation (Products, Processes or People Controls)
• Check: Audit (Internal Audit)
• Act: Continual Improvement (Closing of Audit Gaps/Raising the Bar)

(11)

Project Execution and Deliverables

Aim-Provide initial planning and preparation for the assignment.

Initial Plan, Acquire/Analyze Data, Develop BCMS/ISMS, Implement BCMS/ISMS, Test BCM/S/ISMS, Continual Improvement

1. Scope and Service Acceptance Document C
2. ISMS/BCMS Scope definition
3. BC/IS Policy Statement C
4. BCM/Information Security Steering Committee Charter C

(12)

Project Execution and Deliverables

Aim
- to collect all relevant data pertaining to the scope
- develop BIA/Risk Assessment methodology
- perform asset enumeration/valuation

Initial Plan, Acquire/Analyze Data, Develop BCMS/ISMS, Implement BCMS/ISMS, Test BCM/S/ISMS, Continual Improvement

1. BIA/Risk Assessment Methodology
2. Information Asset Valuation/Critical Asset Valuation-C,I,A-C

(13)

Project Execution and Deliverables

Aim-Perform BIA/Risk Assessment on the identified critical/IT assets and develop BCP/Risk Treatment Plan. Develop mandatory policies and controls.

Initial Plan, Acquire/Analyze Data, Develop BCMS/ISMS, Implement BCMS/ISMS, Test BCM/S/ISMS, Continual Improvement

1. Vulnerability Assessment-C
2. Threat Assessment-C
3. Risk Assessment Report (IS)
4. BIA (RTO/RPO)
5. BCP/DRP
6. Risk Mitigation & Treatment Plan C
7. Statement of Applicability (ISO 27001)
8. BCP/DR Policies and Procedures C?
9. IS Policies and Procedures C?
10. SOA (ISO 27001)
11. BS 25999 Mandatory Controls
12. Control Implementation Roadmap

(14)

Project Execution and Deliverables

Aim-Implement BCP/Risk Mitigation Controls based on the BCP/control implementation road map

Initial Plan, Acquire/Analyze Data, Develop BCMS/ISMS, Implement BCMS/ISMS, Test BCM/S/ISMS, Continual Improvement

1. Implement controls identified
2. People (Training/Duties) C
3. Implementing products C?
4. Implementing Processes

(15)

Project Execution and Deliverables

Aim
- To test the BCP/DRP
- To audit the ISMS
- Prepare for ISO 27001/BS 25999 Certification

Initial Plan, Acquire/Analyze Data, Develop BCMS/ISMS, Implement BCMS/ISMS, Test BCM/S/ISMS, Continual Improvement

1. BC/DR Test Results
2. ISO 27001 Audit Reports

(16)

Project Execution and Deliverables

Aim-Continual Improvement of BCMS/ISMS

Initial Plan, Acquire/Analyze Data, Develop BCMS/ISMS, Implement BCMS/ISMS, Test BCM/S/ISMS, Continual Improvement

Certification against BS

(17)

Typical BC Plan

• Introduction
• Definitions
• Abbreviations
• Mission, objectives and intent
• Key plan assumptions
• Business impact analysis
• Disaster recovery strategy
• Disaster recovery organization
• Disaster recovery management team responsibilities
• Disaster recovery emergency procedures
• Plan administration
• Change management
• Maintenance of the disaster recovery plan
• Testing of the disaster recovery plan

(18)

Typical Disaster Recovery Organisation

[Organisation chart; roles shown:]

• Senior Recovery Manager
• Recovery Manager
• Administration Assistant
• Damage Assessment
• Physical Security
• Infrastructure Restoration Team Leader
• Application Restoration Team Leader
• Network
• Hardware
• ERP
• POS
• Other Applications

(19)

Basic Principles-DR

• Minimize injury to personnel
• Minimize damage to equipment and facilities
• Achieve a report of injury to personnel and damage assessment within XX hours of the interruption
• Recover IT capabilities and functionality within the Critical Time Frames specified
• In an emergency situation where life is threatened or you are in danger of physical harm, immediately leave the facility. Never place yourself in a dangerous situation or take unnecessary risks.

(20)

Senior Recovery Manager Responsibilities

• Pre-Disaster
  – Approves the final Disaster Recovery Plan
  – Ensures the Disaster Recovery Plan is maintained
  – Ensures Disaster Recovery training is conducted
  – Authorizes periodic Disaster Recovery Plan testing
• Post-Disaster
  – Declares that a disaster has occurred and the Disaster Recovery Plan is activated
  – Determines the plan strategy to be implemented
  – Determines alternate team members (if any) and other support members of the recovery process
  – Authorizes travel and housing arrangements for team members
  – Authorizes expenditures
  – Manages and monitors the overall recovery process
  – Advises Senior Business Managers and user management on the status of the disaster recovery efforts

(21)

Check Off List-Network Assistant

Mission: To restore the networking capabilities required within the Critical Time Frames specified

• Upon notification of a disaster by the Management Team, assemble at the designated site for a briefing on the extent of damages, escalation plan implemented and support required.
• Contact Telco for connecting up DR Site
  (Table columns: Connectivity Reference Number, Bandwidth, Telco Reference Number, Telco Contact (land line), Telco Contact (Mobile))
• Indicate to DRT as to resumption details of network
• Work closely with software, hardware and restoration team to restore services
• Provide internal communication to team members as required
• (Network Assistant should be provided with three additional mobile phones as an emergency measure)

Under no circumstances should the Network Assistant make any public statements regarding the disaster, its cause or its effect on the operations.

(22)

Information Technology Checklist-Plan Administration

• Change in LAN server(s), terminals, or personal computer workstations
• Change in operating system and utility software programs
• Change in the design of production systems or files
• Addition or deletion of a production system
• Change in the scheme of backing up data or equipment
• Change in the communications network design
• Change in personnel assignments or the Information Technology organization
• Change in off-site storage facilities, location or methods of cycling items
• Improvements or physical change to the current LAN data center
• Review of time frames for availability and delivery of replacement

(23)

Corporate Checklist-Plan Administration

• Is the Disaster Recovery Plan in conformance with the corporate by-laws?
• Are Executive Management and the Board of Directors aware of the state and status of the Disaster Recovery Plan and Processes?
• Has a new division or department been formed?
• Has a new system been developed for computer processing?
• Has a system for computer processing been discontinued?
• Have individuals within the Recovery Team been transferred, promoted or terminated?
• Has an internal system been significantly modified to change the basic functions, data flow requirements or accounting requirements?
• Has a sales office been opened, moved or closed?

(24)

Testing-Principles

[Table; columns: Type, Techniques, Process, Participants, Frequency, Complexity]

• Checklist (Complexity: Low; Frequency: High)
  – Process: Review & Challenge the contents of the plan
  – Techniques: Audit, Validation, Verification
• Walkthrough
  – Process: Extended Checklist check to see interaction & roles of participants
  – Techniques: Scenario, Freeplay, Controlled, Time lapse, Unannounced, Live
• Simulation
  – Process: Incorporated associated plans. Simulate disaster
  – Techniques: Live, Tabletop, Individual components, Integrated Components
• Full-Interruption (Complexity: High; Frequency: Low)
  – Process: ‘Pull the plug’ test. Shut down data center

(25)

Testing Check List

[Table; columns: Type, Techniques, Process, Participants, Frequency, Duration]

Checklist
• Techniques: Audit, Validation, Verification
• Process:
  1. Review & Challenge the contents of the plan
  2. Check all Check off lists are present and updated
  3. Check back up tapes
  4. Visit DR Site and ensure infrastructure/back up tapes available
  5. Verify DR Team contacts
• Participants: Recovery Manager, Network Assistant, Restoration Team (2 Members)
• Frequency: Once a month
• Duration: 4 Hrs

Simulation 1
• Techniques: Scenario, Controlled
• Process:
  1. Extended Checklist check to see interaction & roles of participants
  2. Actual Restoration of back up tapes
• Participants: Recovery Manager, Network Assistant, Software Assistant, Hardware Assistant, Restoration Team (All Members)
• Frequency: After completion of minimum six check list type testing; once in two months thereafter
• Duration: One Non-working day

(26)

Testing Check List (Cont.)

Simulation 2
• Techniques: Unannounced, Live
• Process:
  1. Extended Checklist check to see interaction & roles of participants
  2. Actual Restoration of back up tapes
• Participants: Full Recovery Team
• Frequency: After completion of minimum two Simulation 1 testing; once in six months thereafter
• Duration: One Non-Working Day

Full Interruption
• Techniques: Announced
• Process: Full and thorough check of DRP
• Participants: Full Recovery Team, Businesses
• Frequency: After completion of minimum three simulation testing; to be done only once; can be done without affecting any business if proper timings are chosen to conduct this test
• Duration: One Non-Working Day

(27)

Planning for Disaster

Questions? Comments?

Ramesh Ramani CISM CGEIT
