
CISA All in one 2010 Guide

Published by mahendrasing2179, 2018-02-09 04:28:44


Chapter 7: Business Continuity and Disaster Recovery

Figure 7-3 An auditorium was used as a temporary hospital during the 1918 flu pandemic.

about the early 21st century H5N1 avian flu and H1N1 swine flu have health authorities around the world concerned about the start of the next influenza pandemic.

• Extraterrestrial impacts: This category includes meteorites and other objects that may fall from the sky from way, way up. Sure, these events are extremely rare, and most organizations don’t even include these events in their risk analysis, but we’ve included it here for the sake of rounding out the types of natural events.

Man-Made Disasters

Man-made disasters are those events that are directly or indirectly caused by human activity, through action or inaction. The results of man-made disasters are similar to natural disasters: localized or widespread damage to businesses that results in potentially lengthy interruptions in operations. Examples of man-made disasters include

• Civil disturbances: These can take on many forms, including protests, demonstrations, riots, strikes, work slowdowns and stoppages, looting, and resulting actions such as curfews, evacuations, or lockdowns.

• Utility outages: Failures in electric, natural gas, district heating, water, communications, and other utilities. These can be caused by equipment failures, sabotage, or natural events such as landslides or flooding.

• Materials shortages: Interruptions in the supply of food, fuel, supplies, and materials can have a ripple effect on businesses and the services that support them. Readers who are old enough to remember the petroleum shortages of the mid-1970s know what this is all about; Figure 7-4 shows a 1970s-era gas shortage. Shortages can result in spikes in the price of commodities, which is almost as damaging as not having any supply at all.

CISA Certified Information Systems Auditor All-in-One Exam Guide

Figure 7-4 Citizens wait in long lines to buy fuel during a gas shortage.

• Fires: As contrasted to wildfires, here I mean fires that originate in or involve buildings, equipment, and materials.

• Hazardous materials spills: Many created or refined substances can be dangerous if they escape their confines. Examples include petroleum substances, gases, pesticides and herbicides, medical substances, and radioactive substances.

• Transportation accidents: This broad category includes plane crashes, railroad derailment, bridge collapse, and the like.

• Terrorism and war: Whether they are actions of a nation, nation-state, or group, terrorism and war can have devastating but usually localized effects in cities and regions. Often, terrorism and war precipitate secondary effects such as materials shortages and utility outages.

• Security events: The actions of a lone hacker or a team of organized cybercriminals can bring down one system, one network, or many networks, which could result in widespread interruption in services. The hackers’ activities can directly result in an outage, or an organization can voluntarily (although reluctantly) shut down an affected service or network in order to contain the incident.

NOTE It is important to remember that real disasters are usually complex events that involve more than just one type of damaging event. For instance, an earthquake directly damages buildings and equipment, but can also cause fires and utility outages. A hurricane also brings flooding, utility outages, and sometimes even hazardous materials events and civil disturbances such as looting.

How Disasters Affect Organizations

Disasters have a wide variety of effects on an organization; these are discussed in this section. Many disasters have direct effects, but sometimes it is the secondary effects of a disaster event that are most significant from the perspective of ongoing business operations.

A risk analysis is a part of the BCP process (discussed in the next section in this chapter) that will identify the ways in which disasters are likely to affect a particular organization. It is during the risk analysis that the primary, secondary, and downstream effects of likely disaster scenarios need to be identified and considered. Whoever is performing this risk analysis will need to have a broad understanding of the ways in which a disaster will affect ongoing business operations. Similarly, those personnel who are developing contingency and recovery plans also need to be familiar with these effects so that those plans will adequately serve the organization’s needs.

Disasters, by our definition, interrupt business operations in some measurable way. An event that has the appearance of a disaster may occur, but if it doesn’t affect a particular organization, then we would say that no disaster occurred, at least for that particular organization.

It would be shortsighted to say that a disaster only affects operations. Rather, it is appropriate to understand the longer-term effects that a disaster has on the organization’s image, brand, and reputation. The factors affecting image, brand, and reputation have as much to do with how the organization communicates to its customers, suppliers, and shareholders as with how the organization actually handles a disaster in progress.

Some of the ways that a disaster affects an organization’s operations include

• Direct damage: Events like earthquakes, floods, and fires directly damage an organization’s buildings, equipment, or records. The damage may be severe enough that no salvageable items remain, or may be less severe, where some equipment and buildings may be salvageable or repairable.

• Utility outage: Even if an organization’s buildings and equipment are undamaged, a disaster may affect utilities such as power, natural gas, or water, which can incapacitate some or all business operations. Significant delays in refuse collection can result in unsanitary conditions.

• Transportation: Similarly, a disaster may damage or render transportation systems such as roads, railroads, shipping, or air transport unusable for a period. Damaged transportation systems will interrupt supply lines and personnel.

• Services and supplier shortage: Even if a disaster does not have a direct effect on an organization, if any of its critical suppliers feel the effects of a disaster, that can have an undesirable effect on business operations. For instance, a regional baker that cannot produce and ship bread to its corporate customers will soon leave sandwich shops without a critical resource.

• Staff availability: A communitywide or regional disaster that affects businesses is likely to also affect homes and families. Depending upon the nature of a disaster, employees will place a higher priority on the safety and comfort of family members. Also, workers may not be able or willing to travel to work if transportation systems are affected or if there is a significant materials shortage. Employees may also be unwilling to travel to work if they fear for their personal safety or that of their families.

• Customer availability: Various types of disasters may force or dissuade customers from traveling to business locations to conduct business. Many of the factors that keep employees away may also keep customers away.

NOTE The kinds of secondary and tertiary effects that a disaster has on a particular organization depend entirely upon the unique set of circumstances that constitute its specific critical needs. A risk analysis should be performed to identify these specific factors.

The BCP Process

The proper way to plan for disaster preparedness is to first know what kinds of disasters are likely, and their possible effects on the organization. That is, plan first, act later.

The business continuity process is a life-cycle process. In other words, business continuity planning (and disaster recovery planning) is not a one-time event or activity. It’s a set of activities that result in ongoing preparedness for disaster, that continually adapts to changing business conditions, and that continually improves. The elements of the BCP process life cycle are

• Develop BCP policy
• Conduct business impact analysis (BIA)
• Perform criticality analysis
• Establish recovery targets
• Develop recovery and continuity strategies and plans
• Test recovery and continuity plans and procedures
• Train personnel
• Maintain strategies, plans, and procedures through periodic reviews and updates

The BCP life cycle is shown in Figure 7-5. This life cycle is described in detail in this chapter.

BCP Policy

A formal BCP effort must, like any strategic activity, flow from the existence of a formal policy and be included in the overall governance model that is the topic of Chapter 2 of this book. BCP should be an integral part of the IT control framework, not lie outside of it. Therefore, BCP policy should include or cite specific controls that ensure that key activities in the BCP life cycle are performed appropriately.