Professional Documents
Culture Documents
FAKULTA INFORMATIKY
•P <?A
%, \J/ &
BACHELOR THESIS
Martin Hinca
Brno,2006
Declaration
Hereby I declare, that this paper is my original authorial work, which
I have worked out by my own. All sources, references and literature
used or excerpted during elaboration of this work are properly cited
and listed in complete reference to the due source.
11
Thanks
I would like to thank my advisor, Mr. Václav Matyáš, for introducing
me to this topic, as well as his guidance and invaluable contribution
to this thesis. My gratitude also belongs to my family and friends, for
their support and seemingly endless patience. And last but not least
to Ms. Miriam Claire, a writer and a friend, for her linguistic touch.
m
Abstract
The objective of this paper is to describe fundamental aspects of busi-
ness continuity planning, disaster recovery planning, and designing
a plan for ensuring continuity in a commercial environment com-
pany. This plan will be presented in two versions: one realistic, taking
into consideration the budget of the company, and the other idealis-
tic, heedless of any funding limits.
IV
Keywords
Business continuity planning, disaster recovery planning, IT security,
disaster preparedness, contingency planning, hazard mitigation, cri-
sis management.
v
Contents
1 Introduction 3
2 Contingency planning in a nutshell 5
2.1 Business continuity planning 5
2.1.1 About BCP 5
2.1.2 BCP components 6
2.1.3 What is a disaster? 6
2.1.4 Most common disaster causes 7
2.1.5 Can disasters be foreseen? 8
2.1.6 Possible disaster impact 8
2.1.7 BCP benefits and objectives 9
2.2 Disaster recovery 11
2.2.1 Disaster recovery plan 11
2.2.2 There's more to DRP than IT 11
2.3 Relation of disaster recovery to BCP 12
3 Creating a business continuity plan 13
3.1 The outline 13
3.2 Initiation of the plan 13
3.2.1 Policy 13
3.2.2 Defining responsibilities 13
3.3 Requirements and strategies 14
3.3.1 Identifying business threats 14
3.3.2 Risk and impact analysis 15
3.3.3 Prevention and recovery strategies 16
3.4 Plan Implementation 17
3.5 Operation and management 17
3.5.1 Testing the BC plan 17
3.5.2 Training and awareness of the staff 18
3.5.3 Reviewing of the plan 19
3.6 Common business continuity planning pitfalls 19
4 Developing a BC plan for VOtech 21
1
4.1 About VOtech, Ine 21
4.2 Initiating the planning process 22
4.2.1 VOtech resources 22
4.3 Threat identification, risk analysis, and strategy design 23
4.3.1 Neglected threats 23
4.4 Precautions taken 25
5 Conclusion 26
Bibliography 27
Appendix 29
A VOtech risk analysis 29
B VOtech security policy 37
B.l Physical security 37
B.l.l Entering the building 37
B.l.2 Fire protection 37
B.l.3 Containers f or storing backup data 38
B.1.4 Electronic monitoring system 38
B.l.5 Video monitoring system 38
B.2 Hardware and software IS security 38
B.2.1 Uninterrupted Power Supply (UPS) 38
B.2.2 Firewall and separation from the network . . . . 39
B.2.3 OS and application-level authentication 39
B.2.4 Network backup components 39
B.3 Organizational and personal security 40
B.3.1 Access monitoring 40
B.3.2 Building access for visitors 40
B.3.3 Entrance monitoring 40
B.3.4 Creation and storing of backup copies 40
2
Chapter 1
Introduction
Dependence of modern business on its information technology sys-
tem has been growing rapidly during the past decade. And yet sur-
veys keep showing that while technology in terms of power and ef-
fectiveness is steadily progressing at fast pace, IT security still isn't
viewed by many as a necessity. Quite commonly, it is far from the
level that would be appropriate for the consequences, should the sys-
tems it is meant to protect become compromised.
Furthermore, management of many companies would still rather
respond to the disasters as they come, instead of reaching prepared-
ness via creating a business continuity plan, which would serve as a
means of prevention. Experts argue that this is because the aware-
ness about the risks is low within the organization, and in many
cases, the responsibility for security is blurred and unclear. It is diffi-
cult to understand the obvious lack of interest, considering that over
half of the reporting companies indicate that a single hour of down-
time costs them more than $50K [AllOl], and in some cases, the stated
sums climbed well over $5 mil.
Meanwhile, the gap between the increasing security risks and
what companies do to address them continues to widen. Interdepen-
dency between companies has grown to such degree, that security
issues no longer affect only one company, but its business partners
as well.
One of the most persuasive factors that are pushing the interest in
security forward, is the extensive number of regulations and conse-
quences for not complying with them. Still, only 18 per cent of small
companies are able and willing to meet ISO 17799. [You05] [Thi03]
On the brighter side, IT security in every aspect seems to be com-
ing of age. Reported incidents ranging from virus and malware in-
3
1. I N T R O D U C T I O N
fections, all the way to natural disasters and terrorist attacks, have
added to the overall attention paid to the protection of information
technology. Also, the amount of companies specializing in providing
IT contingency plans is rising.
4
Chapter 2
5
2. C O N T I N G E N C Y P L A N N I N G IN A NUTSHELL
6
2. C O N T I N G E N C Y P L A N N I N G IN A NUTSHELL
• Manmade
• Natural disasters
- pollution, contamination
• Technical failures
7
2. C O N T I N G E N C Y P L A N N I N G IN A NUTSHELL
• Revenue generation
• Market share
8
2. C O N T I N G E N C Y P L A N N I N G IN A NUTSHELL
9
2. C O N T I N G E N C Y P L A N N I N G IN A NUTSHELL
S ^
sPtŕ
jŕ <fs (U
ŕ
K /t K / i r^/i
v/\( i/\j t/V -y
disaster original
strike state
10
2. C O N T I N G E N C Y P L A N N I N G IN A NUTSHELL
ii
2. C O N T I N G E N C Y P L A N N I N G IN A NUTSHELL
12
Chapter 3
13
3. CREATING A BUSINESS CONTINUITY PLAN
14
3. CREATING A BUSINESS CONTINUITY PLAN
15
3. CREATING A BUSINESS CONTINUITY PLAN
benefit from
Threats Vulnerabilities
decrease
Security Functions Risks Resources
16
3. CREATING A BUSINESS CONTINUITY PLAN
17
3. CREATING A BUSINESS CONTINUITY PLAN
Although this is normally not part of the planning process, even the
best laid plans can (and often do) go astray, because the details of the
plans may not be effectively communicated to the people responsible
for their implementation. Thus, I believe that training the staff is an
important step on the way to business continuity.
Clearly, a plan is only as good as the ability of the organization to
implement it. And that ability is highly dependent upon how famil-
iar and proficient are the staff members with the BC plan, as well as
executing the tasks. Even the least complicated plans require many
complex and interdependent tasks to be executed in coordination,
and under pressure.
It is unthinkable that the first time the staff will be reading and
trying to understand the plan, will be during the stressful hours fol-
lowing a disaster. But they also cannot be expected to read the BC
plan diligently, and learn their role by heart in advance, no matter
how well it is documented. Actually, it would be idealistic to expect
that most of them will even skim through the plan once. [Mor98]
Consequently, it is very important to take care that the plan is
conveyed to the employees in as efficient a way as possible. Keith
Hearnden describes and evaluates in his work a number of ways of
doing that. [Hea95]
As the most effective way, he considers a personal memo deliv-
ered to each and every employee, and compulsory training to in-
duce the plan. Though a little less effective, a less obtrusive approach
would be to incorporate the plan into staff handbook, conducting an
optional training, or sending the plan to everybody in an e-mail. As
poor, or even disastrous, he describes choosing an approach which
relies on the initiative of the employees. Documentation only avail-
able on request, or even no formal procedure, such as word of mouth,
can be an unpleasant setback for the BC plan quality. [Pat99]
Hearnden also claims that only a third of companies incorporate
said policies into their terms and conditions of employment, and that
only about 28 per cent of employees receive proper instructions and
training regarding an organizations' computer systems and security
policies.
18
3. CREATING A BUSINESS CONTINUITY PLAN
There are several common pitfalls one should heed when creating
a business continuity plan. It is considered to be a a strong indication
of low quality when the plans fall into one of the listed categories
[Lam02]:
Inadequate - The plan and strategies can't deal with the level of risk
that the organization deems acceptable.
19
3. CREATING A BUSINESS CONTINUITY PLAN
20
Chapter 4
21
4. DEVELOPING A BC PLAN FOR V O T E C H
It was clear from the very beginning, that this business continuity
plan would be slightly different from a typical one, because of the
circumstances. First of all, only the initial phases of plan creation are
covered, as the company will decide about possible implementation
when the preliminary plan has been created and delivered. Defining
responsibilities for this project doesn't make sense, neither.
Also, I am the only person working on the plan, which is some-
what of a setback, because usually an entire team of professionals
works on the plan to an extent far exceeding the scope of this paper.
Therefore, subtle differences to the theoretical process described in
chapter 3 had to be admitted.
I was pleasantly surprised by the enthusiasm the CEO of VOtech
showed, when he was presented with my proposal. He gave me the
green light, privilege and access to necessary information on a need-
to-know basis, and a much valued contact within the company's high
level management.
It's also important to note that this company had a security policy
and a basic recovery plan in place prior to my engagement. However,
the plan was not quite detailed, was in place mostly to oblige the
slovak laws and regulations, and could hardly be used in the times
of crisis.
22
4. DEVELOPING A BC PLAN FOR V O T E C H
23
4. DEVELOPING A BC PLAN FOR V O T E C H
24
4. DEVELOPING A BC PLAN FOR V O T E C H
25
Chapter 5
Conclusion
I was surprised at the lack of consistent, authoritative and univer-
sally valid information in this field. Business continuity planning is
not a young field within the area of information system security, and
yet I was unable to find an authoritative source of information. There
are very few books on this topic, which is believed to be caused by
the lack of market enthusiasm. Most continuity planning providers
jealously guard their know-how, so basically the only sources of in-
formation are generic articles, which IT journals occasionally pub-
lish.
However, while authors of renowned journals often differ on the
formalities of the plans, the core and principles thankfully remain the
same. This has led me to believe that the form is not very important
compared to the plan itself, and differences are tolerated. Business
continuity planning is more about common sense, than about elabo-
rate documents, or expensive software.
In other words, it doesn't really matter how the plan of a com-
pany is formulated and structured. It is only important to make sure
that a good plan, which doesn't have any fatal flaws like the ones
mentioned in section 3.6, is in place.
Contrary to how people often misinterpret BCP, it is not just an
on/off property. It's not sufficient to say that you have a continuity
plan, because proper planning is continuous and ever-changing, ad-
equately responding to changes and progress in the company itself.
Business continuity plans are not unlike insurance — although
the organizations hope they won't have to use the plan, in case some-
thing goes wrong, they benefit greatly if they do. After all, there must
be a reason why companies specializing in disaster recovery profit so
greatly compared to those providing continuity plans.
26
Bibliography
[AllOl] Eagle Rock Alliance. Cost of downtime. 2001.
[Bah03] Chad Bahan. The disaster recovery plan. Information Se
curity Reading Room, SANS Institute, June 2003.
[Bre98] Robert Breton. Replication strategies for high availability
and disaster recovery. Bulletin of the IEEE Computer Soci
ety Technical Committee on Data Engineering, 1998.
[Cas04] Carolyn Castillo. Disaster preparedness and business con
tinuity planning at Boeing: An integrated model. Journal
of Facilities Management, 3(l):8-26, March 2004.
[CC04] Virginia Cerullo and Michael J. Cerullo. Business conti
nuity planning: A comprehensive approach. Information
System Management Journal, 2004.
[CLW00] Manhoi Choy, Hong Va Leong, and Man Hon Wong. Dis
aster recovery techniques for database systems. Commu
nications of the ACM, pages 272-280, 2000.
[Dav03] Steve Davis. Developing continuity in government plan
ning. Disaster Recovery Journal, 16, Spring 2003.
[Hal04] Jiří Halouzka. Příručka manažera - business continuity
planning. DSM, Časopis o bezpečnosti, správě, a řízení
rizik informačních systémů, 2004.
[Hea95] Keith Hearnden. Business continuity planning: Part 1, con
temporary issues in corporate computing. Computer Au
dit Update, pages 3-10, May 1995.
[HS00] Petr Hanáček and Jan Staudek. Bezpečnost informačních
systémů. Úřad pro státní informační systém, 2000.
27
5. C O N C L U S I O N
[Rik03] Barb Rike. Prepared or not... that is the vital question. In-
formation Management Journal, May-June 2003.
28
Appendix A
Fire
This threat may affect: Integrity and availability of data,
building, hardware, and employees.
Typical scenario: Destruction of equipment in a single
server room.
Worst case scenario: Complete loss of the building and ev-
erything inside.
Likeliness: low
Level of impact: high
Seriousness: medium
Precautions taken: Fire extinguishers and alarms are
placed around the building. Servers
are placed in safe zones around the
building, and data is backed up.
Continuity strategy: The roles of the impacted servers
will be delegated to different servers
for the several days it'd take to re-
build that part of the building and get
new hardware up and running. In the
worst case scenario, it is possible to
move essential processes to a different
branch temporarily.
High budget precautions: Installing a fire-extinguishing system
and fire-resistant barriers throughout
the building.
High budget strategy: The hot-site will take over all pro-
cesses that have been disrupted,
while the damage is being repaired.
30
A. V O T E C H RISK ANALYSIS
32
A. V O T E C H RISK ANALYSIS
33
A. VOTECH RISK ANALYSIS
Power failure
This threat may affect: Availability of IS and data, continuity
of most processes.
Typical scenario: Power outage takes no more than an
hour.
Worst case scenario: The time without power is long, pos-
sibly due to a different disaster.
Likeliness: medium
Level of impact: low to high
Seriousness: medium
Precautions taken: An uninterrupted power supply de-
vice that can keep servers running for
several hours will be installed.
Continuity strategy: The network backbone and vital sys-
tems will be immediately switched to
the backup power source, which will
be able to provide enough power for
safe termination of applications and
devices, preventing corruption of the
data being processed.
High budget precautions: A stronger UPS system, able to keep
hardware in the entire building run-
ning for several hours will be in-
stalled. The company will also buy
a power generator, able to produce
enough power for the entire build-
ing with enough fuel for several days.
Emergency low-power lights will also
be installed.
High budget strategy: The UPS system will kick in instantly,
the generator might be turned on
manually later, depending on the out-
look of the situation.
34
A. V O T E C H RISK ANALYSIS
35
A. V O T E C H RISK ANALYSIS
Human error
This threat may affect: Availability of data and IS
Typical scenario: An incorrect command is entered,
and it does damage to an important
database.
Worst case scenario: A security administrator's mistake
leaves the company network open to
an attack.
Likeliness: medium
Level of impact: high
Seriousness: high
Precautions taken: All employees are properly trained,
depending on their position in the
company. The system will be regu-
larly checked for possible mistakes.
Continuity strategy: Largely depends on the mistake
caused. Typically, a team will be cre-
ated to undo the damage, and backup
tapes can be used to recover the data.
High budget precautions: A team of third party consultants will
be hired to help cope with this possi-
bility.
High budget strategy: In the event of critical processes being
disturbed, the hot-site will take over.
36
Appendix B
37
B. V O T E C H S E C U R I T Y P O L I C Y
38
B. V O T E C H S E C U R I T Y P O L I C Y
The company owns a backup for each of the network backbone de-
vices. In the event of a failure of some of them, it is possible to replace
them within a short span of time. The same is true for hardware run-
ning essential parts of the system.
39
B. V O T E C H S E C U R I T Y P O L I C Y
40