Business Continuity and Disaster Recovery Part 1

Time
7 hours 50 minutes
Difficulty
Beginner
CEU/CPE
8
Video Transcription
00:00
>> That leads into talking about
00:00
disaster recovery and business continuity.
00:00
In the event that a disaster strikes,
00:00
redundancy is going to be key to getting back online,
00:00
back up and running and
00:00
enabling the continuity of the business.
00:00
You hear the terms BCP for
00:00
business continuity planning and
00:00
DRP for disaster recovery planning.
00:00
We often hear them together
00:00
or sometimes used interchangeably.
00:00
We want to make sure that we
00:00
know the difference between them.
00:00
A business continuity plan is
00:00
an overarching umbrella document that
00:00
includes many other plans that helps sustain
00:00
the organization in case of a disaster.
00:00
The DRP is more of a short-term document
00:00
that is focused on the immediacy of the disaster.
00:00
I've heard people saying the DRP is the sky's falling,
00:00
the BCP is the sky has fallen. How do we keep going?
00:00
Disaster recovery is really focused on restoring
00:00
IT services to operation based
00:00
on their criticality as quickly as possible.
00:00
When we talk about criticality,
00:00
we mean time sensitivity.
00:00
There are certain services that
00:00
while we are offline we lose money.
00:00
If we have an e-commerce site, for instance,
00:00
the longer the e-commerce site is unavailable,
00:00
the less money I'm generating.
00:00
That would be a very critical service.
00:00
There are seven stages or phases of
00:00
business continuity plan and lots of
00:00
different organizations have
00:00
their own documents they use.
00:00
This is NIST 800-34.
00:00
ISO 27031 has a framework of business continuity.
00:00
There are various plans available
00:00
and they're all performing the same functions.
00:00
We start out with project initiation.
00:00
Writing a business continuity plan is
00:00
a project and it should be managed as such.
00:00
We start with the project then we
00:00
move into the business impact analysis.
00:00
This is probably the most
00:00
critical step because it is where we
00:00
identify what elements are
00:00
critical and how critical they are.
00:00
That's going to be the driver for
00:00
what we recover and how quickly we do so.
00:00
We identify our recovery strategies
00:00
then get our design and development.
00:00
We look to implement the plan,
00:00
we test it and maintain it.
00:00
Those are the seven phases.
00:00
Again, this goes back to NIST 800-34.
00:00
There are other frameworks out there that
00:00
support business continuity planning.
00:00
If we look at the project initiation,
00:00
you're going to manage this as a project.
00:00
We have to have support and
00:00
buy-in from senior management.
00:00
A business continuity plan isn't something that you
00:00
write one afternoon over a margarita at Chili's.
00:00
This is a lengthy process that needs funding and support.
00:00
Senior management is going to put their buy-in
00:00
in writing and they're going to sign off.
00:00
That's committing to support and
00:00
funding and the project manager should be named.
00:00
That's going to be the person who coordinates
00:00
the business continuity planning processes.
00:00
We figure out the scope of the plan.
00:00
We select members of the BCP team.
00:00
The business continuity planning team
00:00
should come from a diverse background.
00:00
You should have representation from throughout
00:00
the organization, including senior management.
00:00
On our next phase, this is the big one
00:00
because this is the business impact analysis.
00:00
This is where we do our research and identify and
00:00
prioritize all of our business
00:00
processes based on the criticality.
00:00
Again, criticality is time sensitivity.
00:00
This document is going to give us
00:00
metrics to determine how
00:00
quickly these critical devices need to be up online.
00:00
We'll talk about things like recovery point objectives,
00:00
service level objectives.
00:00
We've already talked about MTBF and MTTR.
00:00
Let me just take a minute and talk
00:00
about service level objectives,
00:00
SLOs, not to be confused with SLAs.
00:00
Service level objectives,
00:00
the idea is that if we're in some disaster operations,
00:00
we're not going to be providing
00:00
100 percent of our normal service to our customers.
00:00
What we might say is in the event
00:00
that these services are unavailable,
00:00
we at least like to operate at 80 percent.
00:00
That's a service level objective.
00:00
It takes into consideration that
00:00
you can't operate at 100 percent.
00:00
What are we looking for,
00:00
striving for, in a reduced capacity?
00:00
A recovery point objective is tolerance for data loss.
00:00
How current must data be?
00:00
If I say I have an RPO of one hour,
00:00
you need to restore all files up until an hour ago.
00:00
How much data am I willing to lose?
00:00
Recovery time objective,
00:00
RTO and MTD are sometimes used interchangeably.
00:00
Recovery time objective, maximum tolerable downtime.
00:00
This is what's the maximum amount
00:00
of time we can be without
00:00
the service before we suffer loss that's unacceptable.
00:00
What's our maximum time?
00:00
We've already talked about mean time between failures,
00:00
the amount of time that the device will run,
00:00
we repair it, then it fails,
00:00
then we repair, then it fails.
00:00
MTTR is, again, that
00:00
mean time to repair, just what it sounds like.
00:00
Also, we need to determine
00:00
minimum operating requirements because when
00:00
we restore these devices, for instance,
00:00
if I have software that has to
00:00
be up and running within nine minutes,
00:00
you better make sure I have the hardware
00:00
that will run that software, so to speak.
00:00
Any sort of environmental or application type requirement
00:00
should also be in the BIA.
00:00
The next phase, identify my recovery strategies
00:00
in the event of a disaster
00:00
assuredly there has been some loss.
00:00
Let me just say that it should go
00:00
without saying that we always
00:00
place the physical safety of
00:00
our employees above anything else,
00:00
if there were ever to be
00:00
a decision process to make
00:00
where human life may be at risk,
00:00
we have to choose something different always.
00:00
After human life, we start to think about our facility
00:00
because that would be an area that
00:00
would cost us a great loss.
00:00
If our facility is damaged or
00:00
is unavailable for a period of time,
00:00
we may need somewhere to work.
00:00
Maybe our employees can work from home, but maybe not.
00:00
If not, we generally lease an off-site facility.
00:00
We might lease a cold site.
00:00
A cold site is really
00:00
just a bare-bones facility that
00:00
has heating and air conditioning.
00:00
There's nothing beyond that. It's just an empty building
00:00
or an empty space.
00:00
Obviously, coming into a cold site is
00:00
going to take a while to get back up and running.
00:00
Cold sites are the cheapest thing.
00:00
With a warm site, there are the basics,
00:00
but there's also furniture.
00:00
There are computer systems, there are telephones.
00:00
Again, that's just generic equipment, nothing of my own.
00:00
That will still take a bit of
00:00
time to get back up and rolling.
00:00
Speaking of rolling,
00:00
there's a rolling hot site.
00:00
Sometimes you see these.
00:00
They pull up in the event of a disaster like
00:00
a little mobile home on
00:00
wheels containing computer equipment,
00:00
perhaps, but something that we can
00:00
process some other data center operations.
00:00
It's really a short-term solution.
00:00
We can pay for a hot site.
00:00
That's a location that is under our ownership,
00:00
not ownership, but we have exclusive use to.
00:00
It's fully configured and has my equipment and
00:00
we just really need to come in and
00:00
restore from the latest backup.
00:00
You can get back up and running pretty quickly.
00:00
A mirrored site is usually under our ownership.
00:00
It's a branch office.
00:00
We can switch operations to the northwest region.
00:00
You've got access to our data. They're staffed.
00:00
They've all of the equipment that they need.
00:00
In order to make sure that it's
00:00
fully redundant in every way,
00:00
that could be very expensive.
00:00
There are certainly some recovery strategies
00:00
in relation to our facilities.
00:00
We also have to think about
00:00
personnel where job rotation
00:00
and training would help in any
00:00
of our processes as well.