The CISSP Prep Guide, Second Edition: Mastering the CISSP and ISSEP Exams, part 5 (docx)

Chapter 8 ✦ Business Continuity Planning and Disaster Recovery Planning 391

Disaster Recovery Plan Software Tools

There are several vendors that distribute automated tools to create disaster recovery plans. These tools can improve productivity by providing formatted templates customized to the particular organization's needs. Some vendors also offer specialized recovery software focused on a particular type of business or vertical market. A good source of links to various vendors is located at: www.intiss.com/intisslinks.

In this type of agreement, both parties agree to support each other in the case of a disruptive event. This arrangement is made on the assumption that each organization's operations area will have the capacity to support the other's in time of need. This is a big assumption.

There are clear advantages to this type of arrangement. It allows an organization to obtain a disaster-processing site at very little or no cost, thereby creating an alternate processing site even though a company may have very few financial resources to create one. Also, if the companies have very similar processing needs, that is, the same network operating system, the same data communications needs, or the same transaction processing procedures, this type of agreement may be workable.

This type of agreement has serious disadvantages, however, and really should be considered only if the organization has the perfect partner (a subsidiary, perhaps) and has no other alternative to disaster recovery (i.e., a solution would not exist otherwise). One disadvantage is that it is highly unlikely that each organization's infrastructure will have the extra, unused capacity to enable full operational processing during the event. Also, as opposed to a hot or warm site, this type of arrangement severely limits the responsiveness and support available to the organization during an event and can be used only for short-term outage support.

The biggest flaw in this type of plan is obvious if we ask what happens when the disaster is large enough to affect both organizations. A major outage can easily disrupt both companies, thereby canceling any advantage that this agreement might provide. The capacity and logistical elements of this type of plan make it seriously limited.

Subscription Services

Another type of alternate processing scenario is presented by subscription services. In this scenario, third-party commercial services provide alternate backup and processing facilities. Subscription services are probably the most common of the alternate processing site implementations. They have very specific advantages and disadvantages, as we will see.

There are three basic forms of subscription services, with some variations:
✦ Hot site
✦ Warm site
✦ Cold site

Hot Site

This is the Cadillac of disaster recovery alternate backup sites. A hot site is a fully configured computer facility with electrical power, heating, ventilation, and air conditioning (HVAC) and functioning file/print servers and workstations. The applications that are needed to sustain remote transaction processing are installed on the servers and workstations and are kept up-to-date to mirror the production system. Theoretically, personnel and/or operators should be able to walk in and, with a data restoration of modified files from the last backup, begin full operations in a very short time. If the site participates in remote journaling, that is, mirroring transaction processing with a high-speed data line to the hot site, even the backup time may be reduced or eliminated.

This type of site requires constant maintenance of the hardware, software, data, and applications to ensure that the site accurately mirrors the state of the production site.
This adds administrative overhead and can be a strain on resources, especially if a dedicated disaster recovery maintenance team does not exist.

The advantages to a hot site are numerous. The primary advantage is that 24/7 availability and exclusivity of use are assured. The site is available immediately (or within the allowable time tolerances) after the disruptive event occurs. The site can support an outage for a short time as well as a long-term outage.

Some of the drawbacks of a hot site are as follows:
✦ It is seriously the most expensive of any alternative. Full redundancy of all processing components (e.g., hardware, software, communications lines, and applications) is expensive, and the services provided to support this function will not be cheap.
✦ It is common for the service provider to oversell its processing capabilities, betting that not all of its clients will need the facilities simultaneously. This situation could create serious contention for the site's resources if a disaster were large enough to affect a major geographic region.
✦ There also exists a security issue at the hot site, as the applications may contain mirrored copies of live production data. Therefore, all of the security controls and mechanisms that are required at the primary site must be duplicated at the hot site. Access must be controlled and the organization must be aware of the security methodology implemented by the service organization.
✦ Also, a hot site might be administratively resource-intensive because controls must be implemented to keep the data up-to-date and the software patched.

Warm Site

A warm site could best be described as a cross between a hot site and a cold site. Like a hot site, the warm site is a computer facility readily available with electrical power, HVAC, and computers, but the applications may not be installed or configured. It might have file/print servers, but not a full complement of workstations. External communication links and other data elements that commonly take a long time to order and install will be present, however. To enable remote processing at this type of site, workstations will have to be delivered quickly and applications and their data will need to be restored from backup media.

The advantages to this type of site, as opposed to the hot site, are primarily as follows:
Cost. This type of configuration will be considerably less expensive than a hot site.
Location. Because this type of site requires less extensive control and configuration, more flexibility exists in the choice of site.
Resources. Administrative resource drain is lower than with the maintenance of a hot site.

The primary disadvantage of a warm site, compared to a hot site, is the difference in the amount of time and effort it will take to start production processing at the new site. If extremely urgent critical transaction processing is not needed, this may be an acceptable alternative.

Cold Site

A cold site is the least ready of any of the three choices, but it is probably the most common of the three. A cold site differs from the other two in that it is ready for equipment to be brought in during an emergency, but no computer hardware (servers or workstations) resides at the site. The cold site is a room with electrical power and HVAC, but computers must be brought on-site if needed, and communications links may be ready or not. File and print servers have to be brought in, as well as all workstations, and applications will need to be installed and current data restored from backups.

A cold site is not considered an adequate resource for disaster recovery because of the length of time required to get it going and all of the variables that will not be resolved before the disruptive event. In reality, using a cold site will most likely make effective recovery impossible. It will be next to impossible to perform an in-depth disaster recovery test or to do parallel transaction processing, making it very hard to predict the success of a disaster recovery effort.

There are some advantages to a cold site, however, the primary one being cost. If an organization has very little budget for an alternative backup-processing site, the cold site might be better than nothing. Also, resource contention with other organizations will not be a problem, and neither will geographic location likely be an issue. The big problem with this type of site is that having the cold site could engender a false sense of security. But until a disaster strikes, there's really no way to tell whether it works or not, and by then it will be too late.

Multiple Centers

A variation on the previously listed alternative sites is called multiple centers, or dual sites. In a multiple-center concept, the processing is spread over several operations centers, creating a distributed approach to redundancy and sharing of available resources. These multiple centers could be owned and managed by the same organization (in-house sites) or used in conjunction with some sort of reciprocal agreement.

The advantages are primarily financial because the cost is contained. Also, this type of site will often allow for resource and support sharing among the multiple sites. The main disadvantage is the same as for mutual aid: a major disaster could easily overtake the processing capability of the sites. Also, multiple configurations could be difficult to administer.

Service Bureaus

In rare cases, an organization may contract with a service bureau to fully provide all alternate backup-processing services. The big advantage to this type of arrangement is the quick response and availability of the service bureau, testing is possible, and the service bureau may be available for more than backup.
The disadvantages of this type of setup are primarily the expense and resource contention during a large emergency.

Other Data Center Backup Alternatives

There are a few other alternatives to the ones we have previously mentioned. Quite often an organization may use some combination of these alternatives in addition to one of the preceding scenarios.

Rolling/mobile backup sites. Contracting with a vendor to provide mobile backup services. This may take the form of mobile homes or flatbed trucks with power and HVAC sufficient to stage the alternate processing required. This is considered a cold site variation.

In-house or external supply of hardware replacements. Vendor re-supply of needed hardware, or internal stockpiling of critical components inventory. The organization may have a subscription service with a vendor to send identified critical components overnight. May be acceptable for a warm site but is not acceptable for a hot site.

Prefabricated buildings. It's not unusual for a company to employ a service organization to construct prefabricated buildings to house the alternate processing functions if a disaster should occur. Not too different from a mobile backup site: a very cold site.

Transaction Redundancy Implementations

The CISSP candidate should understand the three concepts used to create a level of fault tolerance and redundancy in transaction processing. While these processes are not used solely for disaster recovery, they are often elements of a larger disaster recovery plan. If one or more of these processes are employed, the ability of a company to get back on-line is greatly enhanced.

Electronic vaulting. Electronic vaulting refers to the transfer of backup data to an off-site location. This is primarily a batch process of dumping the data through communications lines to a server at an alternate location.

Remote journaling. Remote journaling refers to the parallel processing of transactions to an alternate site, as opposed to a batch dump process like electronic vaulting. A communications line is used to transmit live data as it occurs. This feature enables the alternate site to be fully operational at all times and introduces a very high level of fault tolerance.

Database shadowing. Database shadowing uses the live processing of remote journaling, but it creates even more redundancy by duplicating the database sets to multiple servers. See "Server Redundancy" in Chapter 3.

Disaster Recovery Plan Maintenance

Disaster recovery plans often get out of date. A similarity common to all recovery plans is how quickly they become obsolete, for many different reasons. The company may reorganize and the critical business units may be different than when the plan was first created. Most commonly, changes in the network or computing infrastructure may change the location or configuration of hardware, software, and other components. The reasons might be administrative: complex disaster recovery plans are not easily updated, personnel lose interest in the process, or employee turnover might affect involvement.

Whatever the reason, plan maintenance techniques must be employed from the outset to ensure that the plan remains fresh and usable. It's important to build maintenance procedures into the organization by using job descriptions that centralize responsibility for updates. Also, create audit procedures that can report regularly on the state of the plan. It's also important to ensure that multiple versions of the plan do not exist because it could create confusion during an emergency. Always replace older versions of the text with updated versions throughout the enterprise when a plan is changed or replaced.
Emergency management plans, business continuity plans, and disaster recovery plans should be regularly reviewed, evaluated, modified, and updated. At a minimum, the plan should be reviewed at an annual audit. The plan should also be re-evaluated:
✦ After tests or training exercises, to adjust any discrepancies between the test results and the plan
✦ After a disaster response or an emergency recovery, as this is an excellent time to amend the parts of the plan that were not effective
✦ When personnel, their responsibilities, their resources, or organizational structures change, to familiarize new or reorganized personnel with procedures
✦ When policies, procedures, or infrastructures change

Testing the Disaster Recovery Plan

Testing the disaster recovery plan is very important (a tape backup system cannot be considered working until full restoration tests have been conducted); a disaster recovery plan has many elements that are only theoretical until they have actually been tested and certified. The test plan must be created, and testing must be carried out in an orderly, standardized fashion and be executed on a regular basis. Also, there are five specific disaster recovery plan testing types that the CISSP candidate must know (see "The Five Disaster Recovery Plan Test Types" later in this chapter). Regular disaster recovery drills and tests are a cornerstone of any disaster recovery plan. No demonstrated recovery capability exists until the plan is tested. The tests must exercise every component of the plan for confidence to exist in the plan's ability to minimize the impact of a disruptive event.

Reasons for Testing

In addition to the general reasons for testing we have previously mentioned, there are several specific reasons to test, primarily to inform management of the recovery capabilities of the enterprise. Other specific reasons are as follows:
✦ Testing verifies the accuracy of the recovery procedures and identifies deficiencies.
✦ Testing prepares and trains the personnel to execute their emergency duties.
✦ Testing verifies the processing capability of the alternate backup site.

Creating the Test Document

To get the maximum benefit and coordination from the test, a document outlining the test scenario must be produced, containing the reasons for the test, the objectives of the test, and the type of test to be conducted (see the five following types). Also, this document should include granular details of what will happen during the test, including the following:
✦ The testing schedule and timing
✦ The duration of the test
✦ The specific test steps
✦ Who will be the participants in the test
✦ The task assignments of the test personnel
✦ The resources and services required (supplies, hardware, software, documentation, and so forth)

Certain fundamental concepts will apply to the testing procedure. Primarily, the test must not disrupt normal business functions. Also, the test should start with the easy testing types (see the following section) and gradually work up to major simulations after the recovery team has acquired testing skills.

It's important to remember that the reason for the test is to find weaknesses in the plan. If no weaknesses were found, it was probably not an accurate test. The test is not a graded contest on how well the recovery plan or personnel executing the plan performed. Mistakes will be made, and this is the time to make them. Document the problems encountered during the test and update the plan as needed, then test again.
The Five Disaster Recovery Plan Test Types

Disaster recovery/emergency management plan testing scenarios have several levels and can be called different things, but there are generally five types of disaster recovery plan tests. The listing here is prioritized, from the simplest to the most complete testing type. As the organization progresses through the tests, each test is progressively more involved and more accurately depicts the actual responsiveness of the company. Some of the testing types, for example, the last two, require major investments of time, resources, and coordination to implement. The CISSP candidate should know all of these and what they entail. The following are the testing types:

Checklist review. During a checklist type of disaster recovery plan test, copies of the plan are distributed to each business unit's management. The plan is then reviewed to ensure the plan addresses all procedures and critical areas of the organization. This is considered a preliminary step to a real test and is not a satisfactory test in itself.

Table-top exercise or structured walk-through test. In this type of test, members of the emergency management group and business unit management representatives meet in a conference room setting to discuss their responsibilities and how they would react to emergency scenarios by stepping through the plan. The goal is to ensure that the plan accurately reflects the organization's ability to recover successfully, at least on paper. Each step of the plan is walked through in the meeting and marked as performed. Major glaring faults with the plan should be apparent during the walk-through.

Walk-through drill or simulation test. The emergency management group and response teams actually perform their emergency response functions by walking through the test, without actually initiating recovery procedures. During a simulation test, all of the operational and support personnel expected to perform during an actual emergency meet in a practice session. The goal here is to test the ability of the personnel to respond to a simulated disaster. The simulation goes to the point of relocating to the alternate backup site or enacting recovery procedures, but it does not perform any actual recovery process or alternate processing.

Functional drill or parallel test. Tests specific functions such as medical response, emergency notifications, warning and communications procedures, and equipment, although not necessarily all at once. Also includes evacuation drills, where personnel walk the evacuation route to a designated area where procedures for accounting for the personnel are tested. A parallel test is a full test of the recovery plan, utilizing all personnel. The goal of this type of test is to ensure that critical systems will actually run at the alternate processing backup site. Systems are relocated to the alternate site, parallel processing is initiated, and the results of the transactions and other elements are compared.

Full-interruption or full-scale exercise. A real-life emergency situation is simulated as closely as possible. Involves all of the participants that would be responding to the real emergency, including community and external organizations. The test may involve ceasing some real production processing. The plan is totally implemented as if it were a real disaster, to the point of involving emergency services (although for a major test, local authorities might be informed and help coordinate).

Table 8-3 lists the five disaster recovery plan testing types in priority.

Plan Viability

Remember: The functionality of the recovery plan will directly determine the survivability of the organization. The plan shouldn't be a document gathering dust in the CIO's bookcase. It has to reflect the actual capability of the organization to recover from a disaster, and therefore needs to be tested regularly.

Table 8-3 Disaster Recovery Plan Testing Types

Level  Type                 Description
1      Checklist            Copies of plan are distributed to management for review.
2      Table-top Exercise   Management meets to step through the plan.
3      Simulation           All support personnel meet in a practice execution session.
4      Functional Drill     All systems are functionally tested and drills executed.
5      Full-Scale Exercise  Real-life emergency situation is simulated.

Disaster Recovery Procedures

This part of the plan details what roles various personnel will take on, what tasks must be implemented to recover and salvage the site, how the company interfaces with external groups, and what financial considerations will arise. Senior management must resist the temptation to participate hands-on in the recovery effort, as these efforts should be delegated. Senior management has many very important roles in the process of disaster recovery, including:
✦ Remaining visible to employees and stakeholders
✦ Directing, managing, and monitoring the recovery
✦ Rationally amending business plans and projections
✦ Clearly communicating new roles and responsibilities

Information or technology management has more tactical roles to play, such as:
✦ Identifying and prioritizing mission-critical applications
✦ Continuously reassessing the recovery site's stability
✦ Recovering and constructing all critical data

Monitoring employee morale and guarding against employee burnout during a disaster recovery event is the proper role of human resources. Other emergency recovery tasks associated with human resources could include:
✦ Providing appropriate retraining
✦ Monitoring productivity of personnel
✦ Providing employees and family with counseling and support

[...]
... the return to the site. The salvage team must identify sources of expertise, equipment, and supplies that can make the return to the site possible. The salvage team supervises and expedites the cleaning of equipment or storage media that might have suffered from smoke damage, the removal of standing water, and the drying of water-damaged media and reports. ...

... Islamic and other Religious Law, and Civil Law. The Common Law System is employed in the United States, United Kingdom, Australia, and Canada. Civil Law Systems are used in France, Germany, and Quebec, to name a few.

Example: The United States

Under the Common Law system of the United States, there are three branches of government that make the laws. These branches are the legislative branch, the administrative ...

... embezzlement, fraud, DoS, and wiretapping to prosecute computer criminals. The issues of digital signatures, e-commerce, and digital currency will certainly have to be addressed by the legal system as these technologies are deployed.

Law

There are many types of legal systems in the world that differ in how they treat evidence, the rights of the accused, and the role of the judiciary. Examples of these different ...

... have a different mandate from the recovery team. They are not involved with the same issues the recovery team is concerned with, like creating production processing and determining the criticality of data. The salvage team has the mandate to quickly and, more importantly, safely clean, repair, salvage, and determine the viability of the primary processing infrastructure after the immediate disaster has ...

... ticular subject matter)
✦ The abbreviation for the code (U.S.C.)
✦ The statutory section number within the title
✦ The date of the edition or supplement

For example, "18 U.S.C. § 1001 (1992)" refers to Section 1001 in Title 18 of the 1992 edition of the United States Code. Title 18 in the United States Code is Crimes and Criminal Procedures, and many computer crimes ...

... matter in administrative codes. At the federal level, these arrangements are respectively called the Federal Register (Fed. Reg.) and the Code of Federal Regulations (C.F.R.). A citation to the Code of Federal Regulations includes the following:
✦ The number of the C.F.R. title
✦ The abbreviation for the Code (C.F.R.)
✦ The section number
✦ The year of publication

Thus, the reference "12 C.F.R. § 100.4 ...

... test?
a. If no deficiencies were found during the test, then the plan is probably perfect.
b. The results of the test should be kept secret.
c. If no deficiencies were found during the test, then the test was probably flawed.
d. The plan should not be changed no matter what the results of the test.

28. Which statement is true regarding the disbursement of funds during and after a disruptive event?
a. Because access ...

... matter. In the United States at the federal level, the session laws are found in the Statutes at Large (Stat.), and the statutory codes are held in the United States Code (U.S.C.). The statutory laws for the states are also arranged in these two categories. Federal statutes are usually cited to the United States Code, and this citation contains the following elements:
✦ The Code title number (each title ...

... for the protection of information about private individuals that is held in federal databases, and grants access by the individual to these databases. The law imposes civil and criminal penalties for violations of the provisions of the Act. The Act assigns the U.S. Treasury Department the responsibilities of implementing physical security practices, information management practices, and computer and net...
... spokesperson. The company should be accessible to the media so they don't go to other sources; report your own bad news so as to not appear to be covering up. Tell the story quickly, openly, and honestly to avoid suspicion or rumors. Before the disaster, as part of the plan, determine the appropriate clearance and approval processes for the media. It's important to take control of dissemination of the story ...

Posted: 14/08/2014, 12:20
