The Importance Of Business Continuity And Disaster
Recovery Planning
By Aqel M. AqelInformation Systems Audit & Control Association
Rolling Meadows Illinois – USA (www.isaca.org)
CISA – Coordinator / Research Director - Riyadh Chapter
Dec 2014
Why BCP & DRP
• Successful businesses expect the unexpected and plan for it.
• Disruptions to your business can result in:
• Data risk, • Revenue loss, • Failure to deliver services
• That’s why organizations need strong business continuity planning.
John Sharp, 2012, The Route Map to Business Continuity Management: Meeting the Requirements of ISO 22301’ by
A Good Plan Increases Your Chances of Recovery
Concepts and Terminology
• Business continuity describes the processes and procedures an organization must put in place to ensure that mission-critical functions can continue during and after a disaster.
• Disaster recovery refers to specific steps taken to resume operations in the aftermath of a catastrophic disaster (natural or national emergency)
Reasons behind Disasters • Environmental
Disasters
• Tornado & Hurricane
• Power Grid Failure
• Flood
• Snowstorm
• Earthquake
• Electrical storms
• Fire
• Fire
• Sink Holes
• Landslides
Man Made DisruptionsTerrorist AttackSabotage التخريب
War / TheftArson الحريق المتعمد
Labor Disputes
Equipment or System FailureInternal power failureAir conditioning failureCooling plant failureEquipment failure
IT Failures and Security BreachesCyber crimeLoss of records or dataDisclosure of sensitive informationIT system failure
More Concepts and Terminology
Recovery Point Objective (RPO) measures the ability to recover files by specifying a point in time restore of the backup copy.
Recovery Time Objective (RTO) measures the time that it takes for a system to be completely up and running in the event of a disaster.
Source: Network Servers 2011
More Concepts and Terminology
• Recovery Point Objective (RPO) measures the ability to recover files by specifying a point in time restore of the backup copy. i.e.
• Amount of data lost from failure, measured as the amount of time from a disaster event
• It's determined by the amount of time between data protection events and reflects the amount of data that potentially could be lost during a disaster recovery.
• The metric is an indication of the amount of data at risk of being lost.
• Recovery Time Objective (RTO) measures the time that it takes for a system to be completely up and running in the event of a disaster. i.e.
• Targeted amount of time to restart a business service after a disaster event.
• It is related to downtime. The metric refers to the amount of time it takes to recover from a data loss event and how long it takes to return to service.
• RTO refers then to the amount of time the system's data is unavailable or inaccessible preventing normal service.
RPO and RTO
RTO and RPO
Source: http://wikibon.org/w/images/0/04/RPO_RTO_Horison.jpg
Facts
• The US Chamber of Commerce reported that:
•the economic losses in 2011, as a result of natural disasters, reached $380 million.
• Federal Emergency Management Agency (www.fema.gov) reports:
•40-60% of businesses that close due to disaster never reopen!!
(source: https://telovations.wordpress.com/tag/revenue-lost-due-to-natural-disaster/
Facts
Source: FreeForm Dynamics 2011
• Only 23% of Respondents said: yes, there is a formal DR plan in place.
Facts
• Numbers Speaks!
Facts
Source: http://www.e-janco.com/DRP_BCP_Audit.html
Facts
Source: http://powerwindows.wordpress.com/2010/10/25/windows-geoclusters-stretch-clusters-and-recoverpointce-failover/
• Cost of downtime does not propagate linearly!
Facts
• What part of IT infrastructures are covered by BC/DR plans
Source: Howard Marks (2008) http://www.informationweek.com/practical-disaster-recovery-for-midsize-companies/d/d-id/1075012?
Facts
Source: Howard Marks (2008) http://www.informationweek.com/practical-disaster-recovery-for-midsize-companies/d/d-id/1075012?
• What are the barriers to adoption of a business continuity plan?
• Cost and complexity are
• Lack of skills is a reason as well.
Facts
http://www.crn.com/slide-shows/storage/240006796/8-surprising-disaster-recovery-stats.htm/pgno/0/7
86% of companies experienced
one or more instances of system downtime in the previous 12 months.
Downtimes lasted 2.2 days on the average and cost each business an average of $366,363 a year.
33% of businesses admitted they do not back up virtual servers as often as they do their physical servers.
PoliciesSupport
MotivationSponsoring &
follow up
ProceduresPolicies
Tools
Roles and Responsibilities
Methodologies / Best Practices
Training
ValidationAudit
ProgramsReports
Awareness
Source: Aqel M. Aqel, IT Security in your firm, what is it, & how to achieve it. (2011).
Monitoring
Execution
Leadership
Actionable model
ISO 22301
In 2012, BCI in partnership with BSI launch of ISO 22301, the new global standard for business continuity management.
ISO 22301
• Provides a comprehensive
set of controls based on BCM
best practice.
• Covets the whole BCM
lifecycle.
• Defines the strategic and
tactical capability of an
organization to plan for and
respond to incidents.
• It is generic and offers
organizations guidance on
putting their BCM systems in place.
ISO 22301 – 2012 key Clauses
• Clause 1: Scope• Clause 2: Normative References• Clause 3: Terms and Conditions• Clause 4: Context of the organization• Clause 5: Leadership• Clause 6: Planning• Clause 7: Support• Clause 8: Operation• Clause 9: Performance evaluation• Clause 10: Improvement
ISO 22301 - Clause 4: Context of the organization
ISO 22301 – Clause 5: Leadership
• Top management needs to demonstrate an ongoing commitment to the BCMS.
• Integrating the BCMS requirements into the organization’s business processes
• Providing the necessary resources for the BCMS
• Communicating the importance of effective business continuity management
• Ensuring that the BCMS achieves its expected outcomes
• Directing and supporting continual improvement
• Establish and communicate a business continuity policy
• Ensuring that BCMS objectives and plans are established
• Ensuring that the responsibilities and authorities for relevant roles are assigned
ISO 22301 – Clause 6: Planning
• Establishing strategic objectives and guiding principles for the BCMS.
• The business continuity objectives must: be consistent with the business continuity policy;
• Ttake into account the minimum level of products and services that is acceptable to the organization to achieve its objectives;
• be measurable;
• take into account applicable requirements;
• be monitored and updated as appropriate
ISO 22301 – Clause 7: Support
• Using the appropriate resources for each task. • Competent staff with relevant (and demonstrable)
• Training and supporting services
• Awareness and communication.
• Both internal and external communications of the organization must be considered in this area.
• The requirements on the creation, update and control of documented information are also specified in this clause.
ISO 22301 – Clause 8: Operation
• Business Impact Analysis (BIA):
• Risk assessment
• Business continuity strategy:
• Business continuity procedures:
• Exercising and testing
ISO 22301 – Clause 9: Performance evaluation
• ISO 22301 requires permanent monitoring of the system as well as periodic reviews to improve its operation:
• monitoring the extent to which the organization’s business continuity policy, objectives and targets are met;
• measuring the performance of the processes, procedures and functions that protect its prioritized activities;
• monitoring compliance with this standard and the business continuity objectives;
• monitoring historical evidence of deficient BCMS’ performance
• conducting internal audits at planned intervals; and
• evaluating all this in the management review at planned intervals.
ISO 22301 – Clause 10: Improvement
• Continual improvement:• all the actions taken throughout the organization to increase effectiveness
(reaching objectives) and efficiency (an optimal cost/benefit ratio) of security processes and controls to bring increased benefits to the organization and its stakeholders.
More information
• The American Institute of Certified Public Accountants (AICPA)• Information Systems Audit and Control Association (ISACA)• Association of Information Technology Professionals (AITP)• Institute of Internal Auditors (IIA)• International Association for Computer Information Systems (IACIS)• Information Systems Security Association (ISSA)• International Disaster Recovery Association (IDRA)• Business Recovery Managers Association (BRMA)• British Standards Institute (BSI)• http://www.slideshare.net/AhmedRiad2/ss-38345026
Thank you