
K0026: Knowledge of Disaster Recovery Continuity of Operations Plans

A major incident or a disaster can drive a business into bankruptcy if no plans exist for dealing with such abnormal situations. Several companies did not survive and went out of business after experiencing one.

Organizations should have disaster recovery plans (DRPs): documented processes or sets of procedures to recover from problems or disasters and to protect business assets and infrastructure when a disaster occurs. Disasters are large-scale problems that can arise from natural causes (e.g., flooding, earthquakes, fire) or human-made ones (e.g., security breaches, large-scale system failures, power or network outages, terrorism). Most security controls aim to prevent disasters and problems from occurring. Nonetheless, plans should also be put in place for recovering from disasters once they have occurred.

To plan a DRP properly and determine what should be protected, the business RTO (recovery time objective: the maximum acceptable amount of resource downtime) and RPO (recovery point objective: the maximum acceptable amount of data loss) should be determined. They measure how much time and data a system can afford to miss or lose.

Fig. 3.2 An example of creating Windows restore

RPO measures how much data a system can lose, i.e., how far back the last usable backup may be. RTO measures how quickly data or resources must be restored. Accidents can happen, and no support system can guarantee 100% uptime; hence, the RPO and RTO metrics set the limit on how much failure the system's critical resources can afford.
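As an added illustration (not part of the original text), the following Python compares what actually happened during an outage with the RPO and RTO. It parses a constructed backup log, finds the last successful backup before a hypothetical incident, and reports the real data-loss window and downtime. The two-column log format, the incident and restoration times, and the objectives are assumptions made for the example. The point it adds is that a failed backup run silently widens the data-loss window beyond the schedule interval, so the RPO a schedule "supports" must be judged on successful runs only.

```python
"""Evaluate a backup history and a recovery timeline against RPO and RTO.

Example code written for this text, not from any tool or vendor.
"""
from datetime import datetime

HOUR = 3600.0

# Constructed sample backup log. The "timestamp status" format is an
# assumption for this example, not the output of a real backup product.
BACKUP_LOG = """\
2024-03-10T00:00:00 ok
2024-03-10T06:00:00 ok
2024-03-10T12:00:00 failed
2024-03-10T18:00:00 ok
2024-03-11T00:00:00 ok
"""


def parse_backup_log(text):
    """Return the timestamps of successful backups in chronological order.

    Failed runs are dropped deliberately: a failed backup protects nothing,
    so it must not count toward the recovery point.
    """
    good = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        ts, status = parts
        if status == "ok":
            good.append(datetime.fromisoformat(ts))
    return sorted(good)


def last_good_backup(backups, incident):
    """Most recent successful backup at or before the incident, or None."""
    candidates = [b for b in backups if b <= incident]
    return candidates[-1] if candidates else None


def evaluate(backups, incident_ts, restored_ts, rpo_hours, rto_hours):
    """Compare the actual recovery against the objectives.

    data_loss_hours: incident time minus last good backup (the achieved RPO).
    downtime_hours:  restoration time minus incident time (the achieved RTO).
    """
    incident = datetime.fromisoformat(incident_ts)
    restored = datetime.fromisoformat(restored_ts)
    last = last_good_backup(backups, incident)
    data_loss = (incident - last).total_seconds() / HOUR if last else None
    downtime = (restored - incident).total_seconds() / HOUR
    return {
        "last_good_backup": last.isoformat() if last else None,
        "data_loss_hours": data_loss,
        "downtime_hours": downtime,
        # No usable backup at all means the RPO cannot be met.
        "rpo_met": data_loss is not None and data_loss <= rpo_hours,
        "rto_met": downtime <= rto_hours,
    }


def worst_case_gap_hours(backups):
    """Largest interval between consecutive successful backups.

    This is the data loss the schedule can actually produce; a single
    failed run doubles the nominal interval around it.
    """
    gaps = [(b - a).total_seconds() / HOUR for a, b in zip(backups, backups[1:])]
    return max(gaps, default=0.0)


if __name__ == "__main__":
    backups = parse_backup_log(BACKUP_LOG)
    # Hypothetical incident at 15:30, after the noon run failed; restored 19:00.
    result = evaluate(backups, "2024-03-10T15:30:00", "2024-03-10T19:00:00",
                      rpo_hours=8, rto_hours=4)
    print(result)
    print("worst-case gap in schedule (h):", worst_case_gap_hours(backups))
```

With a nominal six-hour backup interval and an eight-hour RPO, the schedule looks compliant on paper; the failed noon run leaves the 15:30 incident relying on the 06:00 backup, a 9.5-hour loss that breaches the RPO, while the 3.5-hour restoration still meets the four-hour RTO.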

The DRP should include details on responsible personnel and how to reach them in urgent cases. It should explicitly describe the roles and duties of the different personnel involved, points of contact, and so on. The plan should be realistic, and periodic exercises are necessary to validate it and to build employees' awareness of and training on it. Frequent exercises also ensure that the procedures are current and reflect the most up-to-date system state and resources. The responses of employees and of the different teams should be studied, and the feedback used to assess and improve the process. The plan should be revisited at least once a year to make sure that it is up to date and aligned with the current business mission, priorities, resources, capabilities, and risks.

In addition to training and exercises, testing a DRP can take different forms, such as:

• Checklist review: Verify the content of the DRP against known standards.

• Tabletop exercise: Scenario-based verification. The team picks different disaster scenarios and walks through the DRP against each of them, evaluating how well it holds up.

• Dry-run tests: Test system functions one at a time (e.g., fail or interrupt a function and verify the recovery procedure for it).

To protect critical resources, the DRP should consider off-site backups of data and critical system assets (i.e., in physical locations different from the live or operational systems). Different options exist that balance cost against downtime or availability:

• Complete or hot site: An off-site backup site that can take over from the operational site within a very short time. This option is the best in terms of availability but is very expensive to acquire and to maintain.

• Cold site: The opposite of a hot site. The price can be affordable, but it will take time and extra resources before it can operate as the main site.

• Warm site: An intermediate option between a hot and a cold site that balances cost against downtime.

• Mobile site (e.g., on a car or truck).

• Shared site (shared with other businesses that have similar goals or business functions).

A Business Continuity Plan (BCP) focuses on ensuring that most business functions operate without interruption. BCP shares many similarities with DRP: like the BCP, the DRP targets asset availability and reducing the downtime and data loss of the main business functions. In the security scope, for both DRP and BCP, human safety and data privacy are also very important goals.


BCP focuses on sustaining the business mission and critical functions. DRP focuses on finding alternative locations, operations, or services once those are interrupted at the main business site or in the main workflow. BCP is more comprehensive than DRP and hence includes the DRP, the COOP, and the business resumption plan.

Both the BCP and the DRP should include alternative arrangements for disruptions of the main infrastructure. For example, if a disaster prevents employees from working physically at company locations, how will they communicate if they need to work from home? The plans should also identify critical system assets and functions, show how they will be protected, and show how they will be accessed or restored in disaster situations.

A Continuity of Operations Plan (COOP; also called a Continuity of Government Plan), as defined by the National Continuity Policy Implementation Plan (NCPIP) and National Security Presidential Directive 51/Homeland Security Presidential Directive 20 (NSPD-51/HSPD-20), is “an effort within individual executive departments and agencies to ensure that Primary Mission Essential Functions (PMEFs) continue to be performed during a wide range of emergencies, including localized acts of nature, accidents and technological or attack-related emergencies” (Fig. 3.3; fema.gov).

At the core of COOP are Primary Mission Essential Functions (PMEFs), Mission Essential Functions (MEFs), and National Essential Functions, which represent the main US government essential functions (fema.gov). Private-sector businesses can define their own critical business functions or activities and develop a COOP plan to ensure that those functions will not be interrupted by disasters, security problems, etc. A COOP plan should also include orders of succession and delegations of authority to establish who will do what in disaster situations. NSPD-51/HSPD-20 identifies the following COOP requirements: Essential Functions, Orders of Succession, Delegations of Authority, Continuity Facilities, Continuity Communications, Vital Records Management, Human Capital, Tests, Training, and Exercises (TT&E), Devolution of Control and Direction, and Reconstitution. A COOP plan can be activated whenever it is impossible for employees to reach their workplaces (e.g., due to any of a wide range of natural and human-made disasters).

Fig. 3.3 COOP (fema.gov)

Business Process and Impact Analysis (BPA/BIA)

For DRP, BCP, and COOP, it is important to conduct a Business Process Analysis (BPA) and a Business Impact Analysis (BIA). NIST SP 800-34, Rev. 1, defines BIA as “the analysis of an information system’s requirements, functions, and interdependencies.” The BIA identifies the system's critical functions and resources and the impact their failure would have on the business.

The BIA is important for correlating information systems with critical business processes. The BPA examines and maps business processes, workflows, activities, personnel expertise, systems, data, and facilities to a business function or requirement. It analyzes the costs and constraints of individual process activities to identify areas for improvement and increased efficiency.

FCD and CGC

The Federal Continuity Directive (FCD) provides direction to the Federal government for developing continuity plans and programs. The Continuity Guidance Circular (CGC) provides continuity guidance for non-Federal entities and private-sector organizations.

S0032: Skill in Developing, Testing, and Implementing