Cisa 10

CISA Examination Preparation Course

Section 10: Disaster Recovery and Business Continuity

- Disaster Recovery Planning
- Business Impact Analysis
- Business Continuity Planning
- Backup and Off-Site Facilities
- Testing Contingency Plans

© 2009 Global Knowledge Training LLC. All rights reserved.
© 2013 Security Wits Technologies. All rights reserved.
Section Objectives 10-2

At completion, you will be able to:

Describe disaster recovery planning

Explain business impact analysis

Define business continuity planning

Describe backup and off-site facilities

Draft testing contingency plans


Introduction 10-3

This section addresses business continuity and disaster recovery.
An organization can have controls in place to manage
risk and ensure business processes are controlled,
yet not be prepared for disasters.
It is not a matter of whether disaster will occur, but
when.
As a CISA, you:
Must provide assurance that an organization’s policies
sufficiently guard against disruptions
Must verify that business continuity and disaster
recovery processes will ensure timely resumption of IT
services while minimizing the impact to the business
Introduction (cont.) 10-4

A CISA candidate should review the following topics for the exam:
Threats that natural and man-made disasters
represent
BCP process in terms of how ISACA interprets it
Importance of business continuity and disaster
recovery, and the role an IT auditor plays in reducing
this threat.
Common methods for testing disaster recovery plans
Hardware and software alternatives for business
continuity



Defining Disaster 10-5

Disasters can be defined as:
Sudden
Resulting in interruption of business
Resulting in significant damage or loss



Disaster: Historical Perspective 10-6

Man has always had to deal with disasters.


What has changed is how we deal with them.
Example: The Titanic
Radio powered by a five-kilowatt motor generator
Backed up by an emergency generator and batteries
Guaranteed range of 250 miles under any weather
conditions
Could maintain communications over 400 miles
Had an antenna with a height of 205 feet above water
level
Considered the best wireless equipment of the day
Disaster: Historical Perspective (cont.) 10-7

Example (cont.):
There was sufficient radio communication equipment,
but:
No procedures for monitoring of the radio frequency
No recognition of emergency distress calls
Of the 2,228 passengers and crew, only 705 survived.
The Titanic tragedy resulted in the passage of the
Federal Radio Act of 1912, which
Requires a separate frequency for distress calls
Requires an adequate number of lifeboats
Requires lifeboat drills
Requires escape route diagrams
Types of Disasters 10-8

Disasters organizations must plan for include:


Natural: Earthquakes, storms, fires, floods,
hurricanes, tornados, and tidal waves
System/technical: Outages,
malicious code, worms,
and hackers
Supply systems: Electrical power
problems, equipment outages,
utility problems, and water shortages
Human-made/political: Disgruntled
employees, riots, vandalism, theft,
crime, protesters, and political unrest
Disasters: More Recent Events 10-9

Event      Year   Cost
Katrina    2005   $100 billion
Andrew     1992   $30 billion
Charley    2004   $14 billion
Hugo       1989   $14 billion
Agnes      1972   $12 billion
Rita       2005   $10 billion
Camille    1969   $7.5 billion
Frederic   1979   $7 billion
Jeanne     2004   $6.9 billion
Floyd      1999   $6.5 billion



NIST SP 800-34 Contingency Planning 10-10

NIST SP 800-34 defines the steps of contingency planning as:
1. Develop the contingency planning policy statement.
2. Conduct the BIA (business impact analysis).
3. Identify preventive controls.
4. Develop recovery strategies.
5. Develop an IT contingency plan.
6. Plan testing, training, and exercises.
7. Plan maintenance.

[Figure: risk management and security controls feed contingency planning; an emergency event triggers contingency plan execution.]


The Role of the Business Continuity Plan 10-11

Business continuity is the process of making the plans to:
Ensure that critical business functions can withstand
a variety of emergencies
Reduce the risk of loss

The BCP process includes the following:


Scope and plan initiation
BIA (business impact assessment)
Business continuity plan development



The Role of the Disaster Recovery Plan 10-12

Disaster Recovery is the process of:
Preparing for a disaster
Addressing procedures to be followed during and
after a loss
The goal is to minimize effects of a disaster and
allow the business to resume normal operations.

The DRP process includes the following:


DRP (disaster recovery planning) processes
Tests of the DRP
Disaster recovery procedures
Business Continuity and Disaster Recovery 10-13

When combined, BCP and DRP involve preparation, testing, and updating of the
actions required to protect critical business processes from the effects of
major system and network failures.

[Figure: the two planning tracks side by side]
BCP: project management and initiation; business impact assessment;
continuity strategy planning; BCP documentation
DRP: recovery strategy; plan design and development; training and
documentation; testing; maintenance


Combined BCP and DRP Planning 10-14

The combined steps of the BCP and DRP include:

1. Project management and initiation
2. Business impact assessment
3. Recovery strategy
4. Plan design and development
5. Implementation
6. Testing
7. Maintenance



Business Continuity Planning Requirements 10-15

The BCP should provide:
An immediate, accurate, and measured response to
emergency situations
Policies, procedures, and documentation needed to
assist in the recovery process
A database of resources available to aid the recovery
process
An approved list of vendors that may be able to help
during the recovery process
Needed documents and agreements required to
reduce outages (SLAs)



1. Project Management and Initiation 10-16

Before the BCP process can begin, it needs the support of senior management.

Management must see the need to provide for the BCP.



Establishing Need for the BCP 10-17

The Securities and Exchange Act of 1934 (amended 1977) states that:
Publicly held companies must keep
accurate records and maintain internal
control systems to safeguard assets;
this includes:
Computer systems and all
electronic data
Paper documents, records,
and important information
Penalty includes:
Up to $10,000 fine and/or
5 years imprisonment



BCP Lead 10-18

As the key person driving the BCP process, the project manager must ensure that:

All elements of the plan are properly addressed

A sufficient level of research, planning, and analysis has been performed



Team Members 10-19

Senior management and the team leader appoint team members.

Team members and the team lead work with management to develop a plan strategy.

Each department should be represented.



Developing a Plan 10-20

As with any project management activity, this step includes:
Investigation
Definition
Feasibility analysis
Evaluation
Developing a plan requires establishing:
Goals
Objectives
Assignments
Financial resources
Time constraints
Expected goals and results



2. Business Impact Analysis 10-21

BIA is the place to start to evaluate what processes are critical to the
organization’s survival.
Goals of the BIA include:
Criticality prioritization
Determining what is most critical
Downtime estimation
Calculating how long an outage the business can tolerate and still remain viable
Resource requirements
Evaluating what resources are required for critical processes



Business Impact Analysis (cont.) 10-22

BIA can be:

Qualitative
Intuition, gut feeling, non-dollar
based, (i.e., high, medium, low)

Quantitative
Dollar based ($1; $100; $1,000;
$1,000,000)



Business Impact Analysis (cont.) 10-23

The team must identify:
Interdependencies between processes
Potential for backlogged transactions
Personnel issues (access, housing,
transportation)
The impact of legal and regulatory
requirements including:
Privacy and availability of customer data
Required notification of outage
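The BIA goals above (criticality prioritization, downtime estimation, resource requirements) and the interdependency point on this slide can be worked through in a small model. This is an added example, not course material: process names, MTD figures and loss rates are constructed, and the rule that a supporting process inherits the shortest MTD of anything that depends on it is the auditor's reading of "interdependencies", not a formula from the slides.

```python
"""Added example (not from the course): a small BIA model that ranks processes
by criticality and propagates downtime tolerance across interdependencies.
Process names and figures are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    mtd_hours: float          # maximum tolerable downtime stated by the owner
    loss_per_hour: float      # quantitative (dollar-based) impact of an outage
    qualitative: str          # non-dollar view: "high", "medium" or "low"
    depends_on: list = field(default_factory=list)


QUAL_RANK = {"high": 3, "medium": 2, "low": 1}


def effective_mtd(processes, name, _path=frozenset()):
    """A supporting process cannot tolerate a longer outage than any process
    that depends on it, so its effective MTD is the minimum along the chain."""
    if name in _path:                 # dependency cycle: stop recursing
        return processes[name].mtd_hours
    mtd = processes[name].mtd_hours
    for other in processes.values():
        if name in other.depends_on:
            mtd = min(mtd, effective_mtd(processes, other.name, _path | {name}))
    return mtd


def rank_processes(processes):
    """Rows of (name, effective MTD, loss over a 24 h outage, qualitative rating),
    most critical first: shortest effective MTD, then largest loss, then rating."""
    rows = [(p.name, effective_mtd(processes, p.name), p.loss_per_hour * 24,
             p.qualitative) for p in processes.values()]
    return sorted(rows, key=lambda r: (r[1], -r[2], -QUAL_RANK[r[3]]))


def sample_bia():
    """Constructed BIA input: two revenue processes share a database and a
    network whose owners rated them far less critical than they really are."""
    procs = [
        Process("Order entry", 8, 5000, "high", ["Database", "Network"]),
        Process("Payroll", 72, 500, "medium", ["Database"]),
        Process("Database", 48, 0, "low"),
        Process("Network", 24, 0, "low"),
        Process("Marketing site", 168, 200, "low"),
    ]
    return {p.name: p for p in procs}


if __name__ == "__main__":
    for name, mtd, loss, rating in rank_processes(sample_bia()):
        print(f"{name:15} effective MTD {mtd:>4g} h  24h loss ${loss:>9,.0f}  {rating}")
```

Note that "Database" and "Network" both end up with an 8-hour effective MTD although their owners stated 48 and 24 hours; that gap is exactly what the interdependency review is meant to surface.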



Business Impact Analysis (cont.) 10-24

BIA issues that are often overlooked:


Employee strike
Vandals
Disgruntled employees
Hackers

The BIA team should identify and rank the top ten to twenty potential threats.
BIA Non-dollar Issues 10-25

Reputation
“It takes many good deeds to build a good
reputation, and only one bad one to lose it.”
Benjamin Franklin

Consider the brand names on the following slide.



BIA Non-dollar Issues (cont.) 10-26

Company: impression
Cisco (positive): an industry leader of quality networking equipment
Yugo (negative): a cheaply-made car released in the US in the mid 1980’s
Dom Perignon (positive): a famous, high quality, and expensive champagne
Arthur Andersen (negative): a firm that voluntarily surrendered its licenses in 2002 over its handling of the auditing of Enron
Rolls Royce (positive): known for high quality hand made automobiles
Value Jet (negative): a fast-growing airline until a deadly crash in the Florida Everglades in 1996
Enron (negative): a symbol of corporate fraud and corruption
3. Recovery Strategies 10-27

Actions that will be followed and implemented during a business interruption should be:

Agreed upon
Pre-defined
Management approved
Determined to be the best course of action
based on the analysis of data during the BIA



Recovery Strategies Objectives 10-28

Designed to meet the required recovery timeframes (Maximum Tolerable Downtime)
Based on RPO (recovery point objectives) and RTO (recovery time objectives)
RPO defines how current the data must be, or how much data an organization
can afford to lose.
The greater the RPO, the more tolerant the process is of interruption.
RTO specifies the maximum elapsed time to recover an application at an
alternate site.
The greater the RTO, the longer the process can take to be restored.
RTOs and RPOs 10-29

[Figure: a timeline running from weeks, days, hours, minutes and seconds before the disaster (recovery point objective) to seconds, minutes, hours, days and weeks after it (recovery time objective), with technologies placed by the RPO or RTO they support]
RPO side, from longest data loss to shortest: tape backup, remote journaling, database shadowing
RTO side, from shortest recovery to longest: clustering, remote replication, online restore, tape restore



Recovery Strategy Areas 10-30

User recovery
Business process recovery
Facility and supply recovery

Operational recovery

Data recovery
Business Process Recovery 10-31

Business and support units

Hardware
Software
Equipment
Data
Supplies
Furniture



Facility and Supply Recovery 10-32

Facility and inventory


Computers
Network
Voice and data telecommunications
Supporting services

Examples:
HVAC
Security
End-User Environment 10-33

Employee requirements

Payroll
Workspace
Needed procedures and documents
Notifications
Individual responsibility



Operational Recovery 10-34

Operational recovery requirements


Power
Networking
Communication
Computing
Examples:
Routers
Bridges
Switches
Data Recovery 10-35

Data recovery requirements

Backups

RAID

Electronic vaulting

Software escrow
Data Backup Alternatives 10-36

Off-site and on-site


Different types of backups:

Incremental
Differential
Full-backup

Electronic vaulting (backup files)


Remote journaling (transaction logs)
Database shadowing
HSM (hierarchical storage management)
On-Site/Off-Site Backup 10-37

[Figure: considerations surrounding data and backup storage]
Secure transfer
Controlled storage
Shelf life retention
Labeling system


Backup Types 10-38

Backup type     Selects files based on archive bit   Resets archive bit
Copy function   No                                   No
Full            No                                   Yes
Incremental     Yes                                  Yes
Differential    Yes                                  No
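The table's two columns decide what each backup set contains and therefore which sets a restore needs. The following simulation is an added example, not course material: it applies the four rules above to a constructed file set and schedule, and derives the restore set (last full, every later incremental, and only the most recent differential after the last incremental).

```python
"""Added example (not from the course): simulate how the four backup types in
the table treat the archive bit, and derive which backup sets a restore needs.
File names and the schedule are constructed."""

# backup type -> (selects only files whose archive bit is set, clears the bit)
BACKUP_RULES = {
    "copy":         (False, False),
    "full":         (False, True),
    "incremental":  (True,  True),
    "differential": (True,  False),
}


class FileSystem:
    def __init__(self):
        self.archive_bit = {}   # path -> True when modified since the last reset
        self.history = []       # (backup type, sorted list of files captured)

    def write(self, path):
        """Creating or modifying a file sets its archive bit."""
        self.archive_bit[path] = True

    def backup(self, kind):
        select_by_bit, resets_bit = BACKUP_RULES[kind]
        captured = sorted(p for p, bit in self.archive_bit.items()
                          if bit or not select_by_bit)
        if resets_bit:
            for p in captured:
                self.archive_bit[p] = False
        self.history.append((kind, captured))
        return captured

    def restore_set(self):
        """Indexes into history needed to rebuild the current state: the last
        full, every incremental after it, and the latest differential taken
        after the last incremental (earlier differentials are superseded)."""
        fulls = [i for i, (k, _) in enumerate(self.history) if k == "full"]
        if not fulls:
            raise ValueError("no full backup to restore from")
        needed, last_diff = [fulls[-1]], None
        for i in range(fulls[-1] + 1, len(self.history)):
            kind = self.history[i][0]
            if kind == "incremental":
                needed.append(i)
                last_diff = None      # the incremental captured those changes too
            elif kind == "differential":
                last_diff = i         # a "copy" never changes what a restore needs
        if last_diff is not None:
            needed.append(last_diff)
        return needed


def sample_week():
    """Constructed schedule: full on day 0, differentials on days 1 and 2,
    incremental on day 3, an ad-hoc copy and a differential on day 4."""
    fs = FileSystem()
    for p in ("a", "b", "c"):
        fs.write(p)
    fs.backup("full")            # captures a, b, c and clears all bits
    fs.write("a")
    fs.backup("differential")    # captures a
    fs.write("b")
    fs.backup("differential")    # captures a and b: bits were not cleared
    fs.write("c")
    fs.backup("incremental")     # captures a, b, c and clears the bits
    fs.write("a")
    fs.backup("copy")            # captures everything, leaves the bits alone
    fs.backup("differential")    # captures a only
    return fs
```

The growing differential on day 2 and the unchanged bits after the copy on day 4 are the behaviours an auditor should expect to see when reviewing backup logs against the stated schedule.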



Off-Site Backup Options 10-39

Electronic Vaulting
A batch dump of backup data created offsite
automatically by the use of an electronic vaulting
provider
Remote Journaling
The parallel processing of transactions to an alternate
site
May only include moving the journal or transaction
logs to an off-site facility
Database Shadowing
Like remote journaling but creates duplicate database
sets to multiple servers for greater redundancy



Hierarchical Storage Management 10-40

[Figure: storage tiers, from fastest to slowest access]
On-line (hard drive)
Optical
Tape (off-line)



Alternate Processing 10-41

Subscription services

Off-site redundant sites


Hot site
Warm site
Cold site

Multiple centers
Reciprocal agreement
Other data center options



Recovery Costs and Times 10-42

[Chart: recovery options plotted by cost against time to recover; the time axis reads 2 hrs, 24 hrs, 1 week, 4 weeks]
Recovery option   Relative cost   Time to recover (read off the chart)
Redundant site    $$$$            about 2 hours
Hot site          $$$             about 24 hours
Warm site         $$              about 1 week
Cold site         $               about 4 weeks
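The RPO/RTO definitions (slides 10-28 and 10-29) and this cost/time chart combine into one check an auditor can apply to a recovery strategy. This is an added example, not course material: the hours per site type are approximations read off the chart, and the backup cycle, courier lag and recovery steps are constructed.

```python
"""Added example (not from the course): check a recovery strategy against its
RPO, RTO and Maximum Tolerable Downtime, then pick the cheapest alternate site
from the cost/time chart that still meets the RTO. All figures are constructed."""

# Typical time to resume, in hours, read off the recovery cost/time chart;
# ordered cheapest first. (Assumed approximations, not vendor commitments.)
SITE_OPTIONS = [
    ("cold site", 4 * 7 * 24),
    ("warm site", 7 * 24),
    ("hot site", 24),
    ("redundant site", 2),
]

# Constructed sample: nightly tape backup couriered to a vault, restored at a
# warm site. Each step is (description, elapsed hours); steps run in sequence.
SAMPLE_STEPS = [
    ("declare disaster and travel to the warm site", 8),
    ("retrieve tapes from the off-site vault", 6),
    ("install and configure replacement servers", 24),
    ("restore the last full backup plus incrementals", 12),
]


def achieved_rpo_hours(backup_interval_hours, transfer_lag_hours=0.0):
    """Worst-case data loss: a failure just before the next backup loses a whole
    interval, plus the time the copy takes to reach the off-site location."""
    return backup_interval_hours + transfer_lag_hours


def achieved_rto_hours(steps):
    """Elapsed recovery time is the sum of the sequential recovery steps."""
    return sum(hours for _, hours in steps)


def cheapest_site_for_rto(rto_hours):
    """Cheapest option whose typical resumption time fits the RTO, or None."""
    for name, hours in SITE_OPTIONS:
        if hours <= rto_hours:
            return name
    return None


def evaluate_strategy(rpo_hours, rto_hours, mtd_hours,
                      backup_interval_hours, transfer_lag_hours, steps):
    """Return the findings an auditor would raise; an empty list means the
    strategy meets its objectives."""
    findings = []
    if rto_hours > mtd_hours:
        findings.append("RTO exceeds MTD: the objective itself is not viable")
    rpo = achieved_rpo_hours(backup_interval_hours, transfer_lag_hours)
    if rpo > rpo_hours:
        findings.append(f"worst-case data loss {rpo:g} h exceeds RPO {rpo_hours:g} h")
    rto = achieved_rto_hours(steps)
    if rto > rto_hours:
        findings.append(f"recovery takes {rto:g} h, exceeding RTO {rto_hours:g} h")
    return findings


def sample_findings():
    """Constructed case: 4 h RPO and 24 h RTO against a 48 h MTD, backed by a
    24 h tape cycle with a 6 h courier run and the SAMPLE_STEPS recovery."""
    return evaluate_strategy(rpo_hours=4, rto_hours=24, mtd_hours=48,
                             backup_interval_hours=24, transfer_lag_hours=6,
                             steps=SAMPLE_STEPS)


if __name__ == "__main__":
    for finding in sample_findings():
        print("finding:", finding)
    print("cheapest site for a 24 h RTO:", cheapest_site_for_rto(24))
```

For the constructed case both objectives fail: nightly tape cannot deliver a 4-hour RPO, and a 50-hour recovery at a warm site cannot deliver a 24-hour RTO, which the chart resolves by moving up to a hot site.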
Subscription Services and Off-Site Facilities 10-43

Subscription services are third-party vendors that provide alternate backup and processing facilities.
Hot site
Ready within hours for operation
Highly available
Warm site
Less expensive
Basic equipment and connections
Cold site
Not immediately available
(up to 30 days)
Low cost
Multiple Centers 10-44

The multiple-center (data center) idea is to spread processing among several
operation centers.

Creates a distributed architecture approach to redundancy



Reciprocal Agreement 10-45

Two organizations agree to support each other in the case of a disruptive event or disaster
This has often been a real world solution, however not a legally enforceable option
Is usually a verbal gentleman’s agreement rather than a contract
Issues that need to be addressed:
Availability
Assistance
Interoperability
Conflicts of interests
Change control
Access



Other Data Center Options 10-46

Other data center backup alternatives:

Rolling/mobile backup sites


In-house or external supply of hardware
replacements
Prefabricated buildings



4. Plan Design and Development 10-47

At the design and development phase, the team:

Creates the BCP plan

Documents approved actions to be carried out in case of a disaster



Insurance 10-48

Insurance can be obtained for each of the following:
IS equipment
Data centers
Software recovery
Business interruption
Documents, records, and important
papers



Insurance (cont.) 10-49

Insurance is not without its drawbacks, such as:


High premiums
Delayed claim payout
Denied claims
Problems proving financial loss
Most policies only pay for a percentage of actual
loss and do not cover:
Lost income
Increased operating expenses
Consequential loss



5. Implementation 10-50

During the implementation phase, the BCP is:
Approved by senior management
Added into related documents so that maintenance activities are performed
whenever there is a change or update in infrastructure
Released and disseminated to employees (awareness program)



Approval 10-51

BCP must be approved by management

Senior management is ultimately responsible



Documentation 10-52

Should be written for:

Ease of understanding
Practicality
Clear indication of where/when to use
Location of BCP information:
Internal web site
Binder
Other
Awareness 10-53

Employee training should include:


Why a BCP is important
Who the BCP coordinators (team leaders) are
When the BCP testing will occur
How the BCP is activated
What each employee’s roles, responsibilities, actions, etc. are



6. Testing the Plan 10-54

Testing and revising the plan

The disaster recovery and continuity plan should be tested periodically because:
An environment continually changes
Each time the plan is tested, more improvements may be uncovered

The responsibility for periodic tests and maintaining the plan should be
assigned to a specific person or persons.
Testing the Plan (cont.) 10-55

Different types of tests:

Desk-based evaluation

Paper test

Preparedness test

Parallel test

Full operational test


Desk-based evaluation 10-56

Copies of plan are distributed to functional management.

Manager reviews plan alone.

Paper-based test



Paper Test 10-57

Managers review plan in a meeting.

May identify inter-dependencies

Paper-based test



Preparedness Test 10-58

Exercise is conducted with test equipment and services.

Simulated environment is created at backup facility.



Parallel Test 10-59

Exercise is conducted with some production equipment and services.

Parallel production service is running at backup facility.



Full Operational Test 10-60

All services are shut down at the primary site.

All production systems are running from the backup facility.



Limits of Tests 10-61

No test is the real thing.

Example: Fire drills
We do not typically set any fires.

Costs of tests



7. Maintaining the Plan 10-62

The plan’s maintenance can be incorporated into change management procedures
to ensure that any changes in the environment are reflected in the plan itself.
Regular maintenance requires:
Insert the maintenance responsibilities into job
descriptions
Include maintenance in personnel evaluations
Perform internal audits that include disaster recovery
and continuity documentation and procedures
Perform regular drills that use the plan



Maintaining the Plan (cont.) 10-63

When distributing new copies of the plan, make sure only the
latest version of the plan is available.
All old copies are to be collected and destroyed.
Also, there should be at least three copies of the plan; one
for marking up, one for use in an emergency on site, and one
stored offsite.
A plan must be physically printed as there is no guarantee
that information systems will be functional or accessible in
the event of a disaster.
The plan is of a need-to-know sensitivity and not everyone in
the organization gets to see the plan, and those that do may
not see all of the plan.
Only senior management and the BCP/DRP design team
know the whole plan.



Disaster Life Cycle 10-64

Analogy: Having a flat tire:
Emergency/Crisis management
Safely pulling off to the side of the road
Recovery
Removing the emergency spare tire
from the trunk
Jacking up the car
Placing the spare on the vehicle
Reconstitution
Having the original tire repaired or replaced
Resumption
Placing the repaired (or new) tire on the car
Heading on to the original destination



Emergency/Crisis Management 10-65

Primary goals of emergency/crisis management:

Prevent or limit injury to people on site

Prevent or limit damage to assets

Prevent, restore, or limit the loss (degradation) of vital business functions



Recovery 10-66

Teams should be established to deal with disaster:
Recovery team
Open and activate alternate facility
Establish security to prevent:
Fraud
Theft
Other crimes
Restoration team (Salvage)
Assess damage to original site
Orchestrate:
Repair
Salvage
Cleanup



Recovery (cont.) 10-67

Resumption team
Restore least critical work first
Prepare primary site for return to
processing

Other recovery issues
Media relations



Reconstitution 10-68

Restoration and reconstruction of the facility

Recovery of damaged or destroyed systems



Business Resumption 10-69

All transferred business and computer processing operations are:
Moved from alternate site to the restored primary site
Relocated to a new structure

Normal business operations and services are re-established at the primary
site and post-recovery operations are completed.



Summary 10-70

In this domain we:

Describe disaster recovery planning
Explain business impact analysis
Define business continuity planning
Describe backup and off-site facilities
Draft testing contingency plans



Q&A 10-71

QUESTIONS?

