Disaster Recovery And

Business Continuity

Adv. Prashant Mali

[BSc.(Phy.), MSc.(Comp. Sci.),CNA, LLB]
Cyber Law ,Cyber Security & IPR Expert

www.cyberlawconsulting.com
Session Overview

❚ What is Business Continuity Planning

(BCP) or Disaster Recovery Planning
( DRP)?
❚ Need for BCP / DRP
❚ Objectives of BCP/DRP
❚ Planning & Implementing BCP/DRP

www.cyberlawconsulting.com
What is BCP or DRP ?

❚ BCP, the primarily the responsibility of senior

management,
❚ Is collection of plans, policies and procedures to
improve the ability of organisation to continue
its normal business operations under adverse or
disastrous conditions
❚ So as to decrease the loss due to such adverse
of disastrous conditions

www.cyberlawconsulting.com
Need for BCP / DRP

❚ Organizational Strategies & Standards

❚ Events beyond human control like,
earthquake, bomb blast, etc.
❚ Business should continue
❚ Legal & Statutory requirements
❚ Competition

www.cyberlawconsulting.com
Objectives of BCP

❚ Plan for continuity of business under

disaster and non-disaster events
❚ Limiting the tangible & Intangible losses
of disaster events
❚ Most often, in the event of a disaster, it
is survival and not business as usual.
So, should aim at normal business
resumption

www.cyberlawconsulting.com
…Objectives of BCP

❚ Testing & evaluation of BCP

❚ Training & test personnel for the adverse
conditions
❚ Maintenance & Currency of BCP
…Objectives of BCP

Other
❚ Enables management to quantify and qualify the
resources like personnel, facilities etc.
❚ Manage the resources to support the required
operational commitment
❚ Test the awareness and skills of the personnel
in such events.
BCP – DRP

❚ A business continuity plan aims to sustain

mission critical business processes when
an unforeseen interruption occurs
❚ A disaster recover plan is a
comprehensive statement of consistent
actions to be taken before, during and
after a disruptive event that causes a
significant loss occurs

www.cyberlawconsulting.com
 Steps in BCP
Initiate
❚ Establish a BCP workgroup
Perform
Risk ❚ Develop high-level BCP strategy
Assessment
❚ Develop master schedule and
Choose milestones
Recovery
strategy ❚ Obtain management support
Test and
Validate

www.cyberlawconsulting.com
 …Steps in BCP
Initiate
❚ Perform a risk assessment
Perform
Risk
exercise
Assessment ❚ Identify threats and exposures
Choose to each of the core business
Recovery
strategy
processes
Test and
Validate

www.cyberlawconsulting.com
 …Steps in BCP
Initiate
❚ Identify recovery strategy
Perform
Risk ❚ Define notification procedures
Assessment
and
Choose ❚ Procedures activating
Recovery
strategy contingency plans
Test and ❚ Establish business recovery
Validate teams for each core business
process
www.cyberlawconsulting.com
 …Steps in BCP
Initiate
❚ Validate the company’s
Perform
Risk
business continuity plans
Assessment ❚ Develop and document
Choose contingency test plans
Recovery
strategy ❚ Prepare and execute tests
Test and ❚ Update disaster recovery plans
Validate and procedures

www.cyberlawconsulting.com
What is a disaster ?

❚ Disaster is a event that could affect the

continuity of normal business operation
of organisation

❚ Categorizations of Disaster Events

❙ Disaster
❘ Results unavailability of entire processing
facility
❘ Longer duration usually more than > 1
day
…Disaster
❙ Catastrophe
❘ Results in full/major destruction of
processing facility
❘ Alternate processing facility can be
temporarily utilized
❘ But, needs new permanent facility
❙ Non-Disaster
❘ Short term unavailability of the systems or
files
❘ Disruption is temporary and easy to restore
Business Continuity Plan
❚ Defining strategy and policy by senior
management
❚ Identifying and prioritizing critical business
functions by doing business impact analysis and
involving end users
❚ Identifying disaster events and evaluating its
impacts
❚ Identifying and evaluating recovery alternatives
…Business Continuity Plan

❚ Identifying and assigning responsibilities

to adequate personnel
❚ Testing and correcting the Business
Continuity Plan
❚ Reviewing and Maintaining the Business
Continuity Plan

www.cyberlawconsulting.com
Teams and
Responsibilities

❚ Emergency Action Team

❙ First response team – Bucket Team
❙ Fire wardens
❙ Deals with fire and other emergency
scenarios
❙ Orderly evacuation of personnel
❙ Securing of human life

www.cyberlawconsulting.com
…Teams

❚ Damage Assessment Team

❙ Assess the extent of damage
❙ Members with ability to assess damage,
estimate recovery time
❙ Knowledge of test equipment, networks,
systems, safety regulations and procedures
❙ Identify cause of disaster, impact and predict
downtime

www.cyberlawconsulting.com
…Teams

❚ Emergency Management Team

❙ Coordinating activities of all other teams and
handles key decision making
❙ Determine the activation of BCP
❙ Arrangement of finance for recovery
❙ Legal matters
❙ Public relations
❙ Media

www.cyberlawconsulting.com
…Teams

❚ Off-Site Storage Team

❙ Obtaining, packaging and shipping media and
records to the recovery facilities
❙ Establishing and overseeing an off-site
storage schedule for information created
during operations at the recovery site
❚ Software Team
❙ Restore system, loading and testing OS
❙ Resolving system level problems
…Teams

❚ Applications Teams
❙ Restores user packs and applications
programs
❙ Monitoring application performance and
database integrity
❚ Security Team
❙ Monitor security system and comm. links
❙ Resolve security conflicts
❙ Installation and functioning of sec. package

www.cyberlawconsulting.com
…Teams

❚ Emergency Operations Team

❙ Shift operators and shift supervisors reside at
the recovery site
❙ Manage operations during recovery
❙ Coordinating hardware installation
❚ Network Recovery Team
❙ Rerouting wide area voice and data comm.
Traffic

www.cyberlawconsulting.com
…Teams

❚ Network Recovery Team

❙ Reestablishing host network control and
access
❙ Provide on-going support data
communications and overseas
communications integrity
❚ Communications Team
❙ Work in conjugation with remote network
recovery team
www.cyberlawconsulting.com
…Teams

❚ Communications Team
❙ Soliciting and installing communications
hardware
❙ Work with local exchange carriers and
gateway vendors
❚ Transport Team
❙ Coordinating company employees to the site
❙ Also help in contacting, scheduling and
arranging lodgings
…Teams

❚ User Hardware Team

❙ Delivery and installation of terminal. Printers,
typewriters, photocopiers and other
necessary equipment
❙ Facilitate salvage efforts
❚ Data Preparation and Records Team
❙ Updates applications
❙ Oversea contract data-entry personnel
❙ Record salvage
…Teams

❚ Administrative Support Team

❙ Clerical support to the other teams
❙ Accounting, payroll
❚ Supplies Team
❙ Coordinating logistics
❙ Office and computer supplies

www.cyberlawconsulting.com
…Teams

❚ Salvage Team
❙ Manage relocation project
❙ More detailed analysis of damage
❙ Provides information to make decision about
reconstruction or relocation
❙ Insurance claims
❙ Immediate records salvage
❘ Paper documents and electronic media

www.cyberlawconsulting.com
…Teams

❚ Relocation Team
❙ Coordinates the process of moving from the
hot site to a new location or to the restored
original location
❙ Relocation of information system, processing
operations, communication traffic and user
operations
❙ Monitor transition to normal service levels

www.cyberlawconsulting.com
IS Auditor’s Role in BCP

❚ Offering suggestions for selecting

right strategy
❚ Can be facilitator as he or she has
thorough understanding of BCP

www.cyberlawconsulting.com
Policy Implementation

❚ What constitutes disaster?

❚ Who will decide or declare it?
❚ When can it happen?
❚ How to identify a disaster?
❚ How to estimate (time, efforts,
resources)
❚ The overall budget should provide for
it
Business Continuity
Planning

❚ Gather all the relevant facts

❚ Obtain reports on historical events
❚ Make risk analysis / impact analysis
❙ needs to be reviewed periodically
❚ Ascertain Legal liabilities
❚ Budgeting and obtaining
management approval
...BCP

❚ Align with other policies / procedures.

❚ Options available:
❙ In house
❙ Auditors
❙ Consultants
Business Impact Analysis

❚ Identify critical information resources for

business continuity
❚ Prioritization of critical systems
❚ Determine critical recovery time and
tolerance in monetary terms
❚ System ranking
❚ Needs involvement of IS personnel and
end users
Risk Ranking

❚ It is prioritization of systems on basis of

systems criticality and impact on business
continuity
❚ Sensitivity of an application is equal to
that of most sensitive data
❚ Users has varying degree of tolerance
-cost
❚ As processes become more automated
and more integrated, the ability to
prioritize systems more difficult
Classification of Systems

❚ Critical (level 1)
❙ Cannot be processed manually but must be
processed on schedule
❚ Vital (level 2)
❙ Can be processed manually but for a short period
of time
❚ Sensitive (level 3)
❙ Can be done manually for a long period of time
❚ Non Critical

www.cyberlawconsulting.com
Critical Recovery Time
❚ Critical Recovery Time Period
❙ Is a time frame within which business should
resume
❙ Before suffering significant losses.
❚ Depends on nature of business e.g.
Banks, broking house, mfg. house
❚ Depends on time of year or hour of
business when disaster occurs
www.cyberlawconsulting.com
…Critical Recovery Time
❚ Critical applications, systems software and
data should be recovered first
❚ Do not ignore desktop or end-user
applications and utilities like spread sheet,
notepad, etc.

www.cyberlawconsulting.com
Insurance

❚ Equipment and Facility insurance

❙ Loss or damage to property, including IS
Equipment and facilities
❚ Business interruption insurance
❙ Loss due to a disaster
❙ Continuing expenses during the time the
company is unable to operate
…Insurance
❚ Extra Expense
❙ Extremely important add-on to property
coverage
❙ Covers expenses incurred to avoid or
minimise the suspension of business
❚ Professional Liability
❙ Errors and Omissions
…Insurance

❚ Extra Equipment Coverage

❙ If the system is not adequately covered
❙ Various types of equipment breakdown
❚ Data Reconstruction
❙ Time spent on data restoration
❙ Not value of data
❚ Specialised Equipment Coverage
❙ Anything that doesn’t fit in usual insurance coverage
…Insurance

❚ Valuable Papers and Records

❙ Against direct physical loss or damage
❙ Covers cost of recreating document, data
reentry
❚ Fidelity Coverage
❙ Loss of organisational assets due to theft,
forgery and fraud

www.cyberlawconsulting.com
…Insurance

❚ Civil Authorities
❙ Civil authority prevents use of assets
❚ Media Transit
❙ Damage or loss during physical shipment of
data

www.cyberlawconsulting.com
How to Implement BCP?

❚ Identification of Threats
❚ Implementing Plan
❚ Various Teams Involved
❚ Disaster Recovery plan
❚ Maintenance of BCP

www.cyberlawconsulting.com
Identification of Threats
External Threats
❚ Natural Calamities like earthquake, flood, fire
❚ Hardware suppliers - Unreliable or incompatible
h/w
❚ Software Suppliers - Erroneous s/w. poor
documentation
❚ Contractors - e.g. untimely provision of service
❚ Other resources - e.g. communication services

www.cyberlawconsulting.com
…Identification of Threats

❚ Competitors - e.g. Sabotage, lawsuits, fair

and unfair competition
❚ Debt & equity holders - e.g. financial
distress through foreclosure on claims.
❚ Unions - e.g. strikes, sabotage

www.cyberlawconsulting.com
…Identification of Threats

❚ Government - e.g Financial distress

through onerous regulation
❚ Environmentalist - e.g. Unfavorable
publicity
❚ Criminals / hackers - e.g. Theft, extortion

www.cyberlawconsulting.com
…Identification of Threats

Internal Threats
❚ Management
❙ Failure to provide resources
❙ Inadequate planning an control
❚ Employees
❙ Errors
❙ Improper usr of facilities and services
❙ Theft, fraud, sabotage
…Identification of Threats

❚ Unions
❙ Strikes or harassment
❚ Unreliable systems
❙ H/w failure, S/w failure
Major Security threats

Major Security threats

• Fire
• Water
• Energy variations
• Structural damage
• Pollution due to smoke,chemicals
• Unauthorised intrusion
• Viruses and worms
• Misuse of software,data and services
Implementing Plan

Inventory Process
❚ Who should be involved?
❙ Staff from concerned department
❙ Purchase department
❙ Personal /HRD department
❙ Finance / accounts department
❙ Engineering / technical depts.
❙ Administration department
Implementing Plan

Inventory Process
❚ What should be inventorised?
❙ Manpower (specific for BCP /DRP ).. Who possesses
special skills?
❙ Building, plant & machinery, furniture & fixtures
❙ Communications equipment & facilities e.g. telephone
systems, modems, wiring systems, controllers,
switches
❙ Electrical equipment and facilities, wiring
…Implementing Plan
❙ Computer equipment and peripherals
❙ Computer data & software such as
O.S.,utilities ( defragmentation, forming
etc. ), application s/w
❙ Back-up facilities
❙ Stationary items e.g. computer
stationary
❙ Specific consumables e.g. printer
ribbons, cartridges
❙ Documents, forms and registers
www.cyberlawconsulting.com
Disaster Recovery Plan

❚ Disaster Recovery Plan consists of

❙ Emergency Plan
❙ Backup Plan
❙ Recovery Plan
❙ Test Plan

www.cyberlawconsulting.com
Emergency Plan

❚ Specifies emergencies and immediate

actions to be taken
❚ Who is to be notified e.g.
management, police
❚ What activities to be undertaken
❙ shutdown of equipment
❙ termination of power
www.cyberlawconsulting.com
…Emergency Plan

❚ Evacuation procedures required

❚ Return Procedures

www.cyberlawconsulting.com
Backup Plan

❚ Personal - Training & Rotation of staff…

so that the function does not become
person specifics
❚ Hardware and peripherals - Redundancy
❚ Facilities (such as transportation,
telecommunication etc.) - arrangement
with other companies

www.cyberlawconsulting.com
...Backup Plan

❚ Documentation
❙ Operating procedures, systems and program
documentation, special procedures, input source
documents, output documents
❙ A copy of current BCP plan at backup site & backup
plan at current site
❙ A copy of all important legal documents to be
available at backup site
...Backup Plan

❚ Supplies - stationary, ribbons etc

❚ Data / Information - inventory of files,
data
❙ Sensitive data to be stored in fire-proof
magnetic media container
❙ Automated backups as far as possible
❙ Backup, its restoration, retention and purging
...Backup Plan

❚ Software backup
❙ Systems s/w & Application software
❙ current Program patches for all backup
locations
❚ Electronic Vaulting
Alternative Site options

❚ Hot Site
❙ Fully Configured, ready to operate
❙ If owned… computer hardware and
data/software is available
❙ If shared… computer hardware / O.S. is
available, data & application software may
have to be loaded
❙ Expensive option can be used initially for
short period
...Alternative Sites Options

❚ Warm Site
❙ Partially configured, with network
connection and selected peripheral
equipment but without the main computer
❚ Cold Site
❙ Basic environment is available
❚ Duplicate Information processing facility
❙ Dedicated self-developed

www.cyberlawconsulting.com
...Alternative Sites Options

❚ Reciprocal agreement
❙ Two or more organisation agree to provide
backup facilities
❙ Low cost
❙ Often informal in nature and cannot be
enforced legally
❙ Confidentiality could be a concern

www.cyberlawconsulting.com
Contract with Alternative
site

❚ Configurations
❙ H/w, s/w whether adequate at all times?
❚ Speed of availability
❙ How early facility will be available?
❚ Subscribers per site
❙ Whether limited number of subscribers?
❚ Preference
❙ Priority in case of global disaster

www.cyberlawconsulting.com
...Contract

❚ Usage period
❙ How long the facility shall be available?
❚ Warranties
❙ Any liability limitations? e.g. lack of electricity.
Provision for generator
❚ Testing
❙ Whether testing is allowed at alternate site?
...Contract

❚ Reliability
❙ Technical and financial reliability
❚ Insurance coverage at alternate site ..
your insurance policy should also cover h/
w, s/w etc. at alternate site
Alternate hardware
facilities

❚ Vendor or third-party
❙ Vendor may not immediately supply in crisis
❙ Buy from used h/w market.. Mostly applicable
abroad
❙ Vendor supply can be best ensured at the
time of moving from hot site to warm / cold
site in phased manner
Telecommunication
Network

❚ Susceptible to..
❙ The same natural disasters
❙ Also sensitive to unique disastrous
events e.g. cable cuts, central switching
office disasters,hacking etc.
❙ Organisation’s responsibility and not
that of Local Exchange Carrier (LEC)
...Telecommunication
Networks

❚ Backing up of telecommunication
facilities such as
❙ Telephone voice circuits
❙ LAN, WAN
❙ Third party EDI providers
❙ UPS for telecom equipment
❚ Critical capacity requirement be
identified
www.cyberlawconsulting.com
Methods of Telecom
Continuity

❚ Redundancy
❙ Extra capacity is provided
❚ Alternative Routing
❙ Routing via alternating medium e.g.
copper, fiber optic
❙ Involves use of different networks, circuit
or end points
❙ Use of couriers as an alternative to
electronic transmission.
www.cyberlawconsulting.com
...Methods

❚ Diverse Routing
❙ Mix of redundancy and alternate routing
❙ Therefore time consuming and costly
❙ Generally alternative and diverse routing is
over terrestrial media and therefore is subject
to risk of decaying
...Methods

❚ Long Haul Network Diversity

❙ Alternate/redundancy/diverse routing for
LECs
❚ “Last Mile” Circuit Protection
❙ Alternate or redundancy for “last mile”
❚ Voice recovery
❙ Voice communication maybe necessary in
financial and other retail service
Recovery Plan

❚ Refers to procedures to restore original site

❚ Depends on type of disaster whether localised
or global
❚ Specific responsibilities and priorities
❚ Function of Salvage team
❙ makes more detailed assessment of damage
❙ provides information for filing insurance
❚ Relocation team manages the relocation
Test Plan

❚ To identify deficiencies in emergency,

backup and recovery plans
❚ Most tests falls short of a full-scale test of
all operations
❚ Should be comprehensive
❚ Must be scheduled properly
❚ Key recovery team members should be
involved
www.cyberlawconsulting.com
Test Execution
Analysis of the
❚ Pretest
Results
❚ Test
Quantify results
❚ Post-test rather than
Other types of test evaluating only
❚ Paper test observations
❚ Preparedness test Measures for
Quantification
❚ Full Operational test
Recovery Time spent
Document for all volume of work
scenarios performed at alternate
site
Accuracy
www.cyberlawconsulting.com
BCP Maintenance

❚ Responsibility of BCP Co-ordinator

❚ Should reflect changing environment
❙ Changes in business strategy may alter
significance of critical application
❙ New applications may be developed
❙ Changes in S/w or H/w environment
❙ Plan updating should be prompt
❚ Maintenance schedule be prepared

www.cyberlawconsulting.com
Auditing BCP / DRP

❚ Check for policy and support from senior

management for BCP
❚ Check whether risk assessment is proper
❚ Evaluating ability of personnel - IS &
users to respond to disaster
❚ Dependency on third party service
providers for business continuity purposes
is a major concern
www.cyberlawconsulting.com
...Auditing

❚ Evaluate BCP / DRP for their adequacy

and currency
❙ May not exist
❙ May partially meet requirements
❙ Fully meets requirements
❚ Evaluate the test results - If possible,
simulate few tests
❚ Check the inventories

www.cyberlawconsulting.com
...Auditing

❚ Evaluate the contract with back up site

vendors
❚ Check whether plan addresses upload of
data manually processed to computer
system on resuming to normalcy
❚ Evaluate security at back up facility & off-
site data storage site
❚ Review insurance coverage.
www.cyberlawconsulting.com
Any Questions?
Thank You
Contact:

prashant . mali@cyberlawconsulting.com
cyberlawconsulting@gmail.com
Cell: (91)(9821763157)

www.cyberlawconsulting.com