Readings
- What is the difference between disaster recovery and business continuity? How are they related?
- What makes this so complicated and difficult for organizations?
Activity:
- Prepare a risk analysis for your household’s computer environment (computers, operating systems, network connections, peripherals, applications, etc.). Consider everything that you have learned in the last three weeks. Highlight the key risks, current controls, and propose future mitigations that might reduce your family’s risk exposure. Post your plan online.
Rich
Donald Hoxhaj says
1. What is the difference between disaster recovery and business continuity? How are they related?
Both disaster recovery and business continuity are practices employed by organisations to prevent any unforeseen risks or challenges in business operations. Disaster Recovery is a security planning strategy that safeguards an organization from negative events so that mission critical operations or important functions can be protected from disruption. It allows an organization to quickly resume operations post-disaster. These disasters can be in the form of natural ones or human induced. Disaster Recovery is more reactive because it is not quick i.e. post-disaster it needs time, strategic planning, and proper steps to resume operations.
Business continuity is also a security planning tool used by organisations to see if their operations are safe in case of any serious disaster or incident. For example, many companies have BCPs (Business Continuity Plans) set up in different offices so as to ensure that in times of an incident or a disaster, employees can be moved to a different office and still resume operations. Business continuity is more proactive in nature and is much faster in resuming operations when compared with Disaster Recovery.
Richard Flanagan says
Donald – don’t you think that organizations would have both DR and BC even if there was no security threat out there?
Donald Hoxhaj says
Dr. Flanagan – I think they both complement each other and organizations should have both. They both serve different purposes in different times of crisis and it is always safe if an organization implements both these safety strategies in order to prevent it from operational loss.
Patrick DeStefano (tuc50677) says
I agree. Businesses should definitely have both. In today’s day and age, it’s not a matter of “IF” but more a matter of “WHEN” the next disaster would strike a business. It can be something as simple as the power going out, to something as catastrophic as a flood, hurricane, or tornado. It is in the business’ best interest to have a DR and BC plan and to ensure that all employees are aware of them and how to put the plans into action.
Donald Hoxhaj says
2. What makes this so complicated and difficult for organizations?
The first challenge that organizations face is the fact that they take it for granted that a disaster might not happen in their locations and therefore fail to plan their BC or DR strategies. Second, many organizations do not follow a streamlined process for evacuation in times of DR or BC plans and fail to execute it at the right moment. There is a difference between planning and execution. Many organizations do plan security practices but fail to execute or implement them in the systems. During times of disaster, this leads to confusion, chaos, and ultimately catastrophe for the operations and revenues of the company. Therefore, Disaster Recovery and BCP strategies need to be planned well in terms of Implementation, Execution, and Delivery.
Heiang Cheung says
Yeah, good point about the first challenge: many organizations think the problem might not happen and decide not to implement these plans, especially if the company is a small one, because the cost could outweigh the benefit. Most people just accept the risk; it’s like people smoking cigarettes, they know it causes but people still smoke. Even texting while driving and the risk of getting in an accident: we know the risk of getting in an accident goes up but some people still do it.
Richard Flanagan says
Heiang – OK, but why is it easier to accept the risk rather than mitigate? Let’s assume a rationally led company – what gets in the way?
Heiang Cheung says
There are a lot of things that get in the way, like cost of mitigation. Also not having enough time to fix the issues.
Richard Flanagan says
Donald – what helps companies get good at executing DR and BC?
Michael Gibbons says
Table-top exercises, component exercises, periodic testing of backups and of DR in general would help a company baseline where they are currently and get better at executing disaster recovery. For business continuity, a succession plan and cross trained employees in key areas would help an organization continue operations.
Paul Needle says
I have seen companies that have intricate snow emergency plans in place. Every part of the organization knows what to do and who to call, including backups, if a snow storm hits. It always amazes me when they don’t have any clue as to what to do in the event of a cyber breach or system failure. Also I only deal with financial institutions, which makes this even more scary.
Patrick DeStefano (tuc50677) says
There can be a lack of planning but if you also combine that with lack of testing, it’s a recipe for disaster in and of itself. Often times, a poor plan will show itself once it is tested and will likely be improved due to the failure of the test. Ideally, it should be repeated and improved over and over again. Continuous improvement is the way of the future to keep any business alive.
Vince Kelly says
1. What is the difference between disaster recovery and business continuity? How are they related?
According to one definition, disaster recovery “..involves a set of policies, tools and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster.”
While business continuity is defined as encompassing “planning and preparation to ensure that an organization can continue to operate in case of serious incidents or disasters and is able to recover to an operational state within a reasonably short period.”
The goal of disaster recovery is to get the company’s information systems back up and running as fast as possible. While the goal of business continuity is to keep the business viable until normal operations can resume.
Both focus on the restoration of functionality – the difference between them is a matter of the degree of that focus.
Donald Hoxhaj says
Hi Vince,
You brought up an interesting point about the quickness of recovery in a business continuity plan. Organizations’ processes should be designed in such a way that they can mobilise resources in the shortest time possible so as to prevent any interruption in business operations. It is important to have the strongest of restoration facilities so as to avoid mishaps. In fact, there are many cases of online frauds where companies fail to even detect thefts, only to later realize that their BCP is no longer relevant or effective enough.
Vince Kelly says
Good point, Donald. I remember reading about a company that followed every procedure by the book; religiously backing up everything, physically storing backups offsite, etc. Problem was that they had been infiltrated months before with a virus – I forget the name but it was triggered by a particular date – and when they shut down and tried to restore everything they just became reinfected.
The point is (and to your point), the strongest of DR and BC planning must take everything into account (the exercise in risk management that we’ve been discussing over the last several months).
Vince Kelly says
2. What makes this so complicated and difficult for organizations?
Very often DR and BC involves the restoration of many complex and interrelated systems, technologies, people and processes and many times it is difficult if not impossible to test everything to an extent that will guarantee a complete recovery in the event of an outage.
One of the reasons for this is that it is nearly impossible to plan or even account for every possible contingency that may be necessary. For example, the disaster at the Fukushima Daiichi nuclear power plant was caused by a freak occurrence which never had been anticipated or thought to be so improbable that it was discounted during the plant’s construction.
Richard Flanagan says
Vince – true that you can’t anticipate and plan for everything. The key point you made in your comment is that it is “impossible to test everything.” The comments so far have focused on planning, an absolutely necessary first step but insufficient in itself. I could plan to be a great golfer, watch all the videos, make lists of everything I need to do, but the reality is that if I don’t practice, I will never play very well. In DR and BC, practicing is difficult, time-consuming and expensive, making it something that takes strong discipline to accomplish.
Pascal Allison says
What is the difference between disaster recovery and business continuity? How are they related?
Disaster recovery and business continuity are very similar. As a matter of fact, disaster recovery is a part, a subset, of business continuity. The paramount difference is their scope.
Business continuity = business-centric that includes IT, and proactive.
Disaster recovery = IT, system, data-centric, and reactive.
Disaster recovery deals with rejuvenating key IT infrastructure and operations back to functionality following an outage, while business continuity is concerned with entire business functionality after a crisis. Business continuity ensures that important business functions continually function during and after a crisis.
The similarity between disaster recovery and business continuity is the goal they seek to achieve. Both strive to sustain business operation at all cost after a disaster or crisis.
Vince Kelly says
Agreed, Pascal. The similarity is the goal they seek – it’s just a matter of degree/focus. DR is more IT and systems focused while BC focuses on how to keep the entire business viable during a crisis.
Patrick DeStefano (tuc50677) says
Agreed. DR and BC plans are extremely important and very common in almost any business that’s been around for any real amount of time. There might not always be a formal written plan, however there always is one. They can be called into play for something as innocent as a snowstorm or power outage at a retail store, to something as complex as a professional hack and security breach of multiple different systems at a highly complex corporation.
Example: (Happened to my brother several years ago)
Disaster: You were throwing a ball in the house when your mom specifically told you not to, and you end up breaking a vase.
Disaster Recovery Plan: Before your mom gets back, clean up the pieces, go to the store and buy an identical one, put the new one where the old one was with new flowers in it.
Business Continuity Plan: If your mom asks where it is, tell her your brother borrowed it and should be back soon with a surprise for her. (The flowers)
Mom never knew.
Pascal Allison says
What makes this so complicated and difficult for organizations?
This is complicated and difficult for the organization because they fail to plan. When they fail to plan, they will incur unaffordable costs; experience complexity of functions, timing, staffing unavailability, etc.
Richard Flanagan says
Pascal – it’s more than planning, it’s also testing your plans. This is expensive, particularly for BC, as it means voluntarily disrupting the normal operation of your business. As an example, in my old company we wanted to test BC in Brazil so we had to get the regional EVP to agree to turn the systems off on a Friday night and let the Brazilian operations run until Sunday morning using their manual processes. Then on Sunday afternoon we used extra help to get all the systems caught up to date.
Pascal Allison says
Thanks, Instructor Flanagan, missed that part.
Testing is important, because if the plan does not work when needed, it would be worthless planning. Organizations need to be sure of implementation and resolution. Thus, they will plan then test the plan for confirmation and assurance.
Vince Kelly says
I think once an effective process is in place it can almost become second nature to a company.
The entire DR/BCP doesn’t need to be constantly tested. For example, once a ‘baseline’ has been established – the system completely tested, then only changes that have been made can be ‘smoke tested’ individually. As more of these changes occur the entire system can be retested at some point (maybe once a year)
Michael Gibbons says
System and process dependencies play a big factor in this approach. If dependencies aren’t properly documented or understood, it can cause a butterfly effect on the rest of the systems/processes during this type of an exercise.
Patrick DeStefano (tuc50677) says
I agree, professor, testing plays an essential role. You might plan everything out with an extensive play-by-play plan, put it in a nice fancy binder and show it off to all the higher ups who will praise you for your work (or not). HOWEVER, if your plan isn’t adequately tested, you could be missing a major piece, have your plan wrong, or even uncover that the design of the systems which you based your plan off of is not how they were coded or are currently working. There could be some defects in the code or incorrect documentation. I’ve seen this happen far too many times working in software development. Testing that the plan works is essential to any successful plan.
Michelangelo C. Collura says
What is the difference between disaster recovery and business continuity? How are they related?
DR is focused on regaining functionality of all IT infrastructure and operations in a business. BC is broader, looking at regaining functionality for the entire business. Since IT is the lifeblood of many firms in the current market, DR is thus an integral – if not the main – component of a firm’s BC plan. This seems like a simple answer, but the difference is quite straightforward. The takeaway about them is that they need each other to succeed.
Vince Kelly says
Agreed, Michelangelo. There must be some way to put things back to where they were before the disaster but, more importantly, there must be provisions to keep the business running even if DR hasn’t occurred yet. I would think that an example was 9/11. When the towers came down and the financial traders’ facilities had been obliterated, several companies were able to go to a warehouse, collect some IP phones and PCs, stand them up in a nearby office in north Jersey and just had the employees report there the next day – starting their trading activities the next day almost without missing a beat, all while their DR restoration process was getting underway – the employees’ working conditions were a bit cramped but their work could continue.
Michelangelo C. Collura says
What makes this so complicated and difficult for organizations?
I can only speak from my own experience, but I believe it’s a combination of complexity and human aversion to tasks perceived as frivolous. When a blizzard occurs or we know one is coming, we’re likely to stock up on food and candles, preparing for the threat we perceive as very real. When someone suggests this preparation in June, we are less likely to show such urgency; we may defer those purchases, or we may simply disregard them entirely. When you take this behavior at the micro level and extend it up to the enterprise, you end up with potentially millions or billions of dollars in costs to address possible dangers no one really considers impending. Even when applying best practices, such as in the Target case where they did employ an IDS system, leadership may feel that risks aren’t worth the added hassle of following up on implementations; if we have the technology, we can start worrying and ignore the risk, right? Of course, this is not correct. It requires continuous improvement, management, testing and more testing. This all takes a lot of time and money, so firms would likely wish to just allocate those resources to making money in the here and now.
Donald Hoxhaj says
Michelangelo – Great examples of how people tend to refrain from taking decisions soon. In project management it is often called human lag in doing things at the right time. Organizations should, as rightly said, continuously identify new problems and plan their recovery mechanisms well in advance so that they do not later repent.
Richard Flanagan says
Michelangelo – good description of how organizations grow an aversion to spending money on DR and BC. Your Target example is more about a security incident than either DR or BC, although there is some overlap. They didn’t lose the use of their systems for any great length of time; they were compromised. Picture, instead, going to a Target when they had no inventory control, no barcode readers, no working cash registers (POS systems). How would they check prices, collect payments, etc.? That would be what a business continuity plan would address.
Michael Gibbons says
To use a security incident as a business continuity issue, the shipping company Maersk was hit with ransomware and had to go back to manual and paper-based processes for a period of time. The event cost them over $200 million.
BIlaal Williams says
1. What is the difference between disaster recovery and business continuity? How are they related?
Disaster Recovery (DR) – goal is to get the company’s information systems back up and running as fast as possible. It involves implementing risk mitigation before a disaster strikes, as well as planning for the recovery of all critical resources.
Objectives include Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for systems.
Business Continuity – main goal is to keep business viable until normal operations can resume. Answers the question, “how to keep company afloat during disaster until DRP is complete and systems are restored”. Business continuity management involves key initiatives that highlight specific activities in the business process. These are:
• Business Recovery Management
• IT Disaster Recovery Management
• Crisis/Incident Management
• Third-Party Availability Management
So Disaster Recovery is a subset of Business Continuity, Disaster Recovery involves the restoration of the systems following a disaster while business continuity involves the entire process of continuing business operations during and after a disaster occurs.
Michael Gibbons says
I like how you mentioned Third-Party availability. I think this gets overlooked by both disaster recovery and business continuity because unless it is specifically defined, it is just assumed it will be there and working and responsibility for verifying how the third-party will work in the event of a disaster may be missed.
BIlaal Williams says
2. What makes this so complicated and difficult for organizations?
Preparing for a disaster is difficult; it depends on an accurate risk assessment and must account for unforeseen issues. Businesses today have extensive networks where users from different parts of the world access their applications, making the provision of the continued availability of systems more complex. Effective recovery is not completed by merely acting on the day of the disaster, but by sustained activities that are completed with the objective of remaining in a state of preparedness for a disaster. Also, a successful BCP and DR plan depends on the awareness of the employees involved; this can be gained through training, tabletop exercises and drills, but it is difficult to thoroughly test a BCP and DRP without introducing some kind of service disruption similar to what would be caused by a disaster.
Vince Kelly says
Good point, Bilaal. DR and BC are more of a process than an event. It’s like shooting foul shots, swinging at the right pitch or nailing down a golf swing – the best players don’t even think about the mechanics of the activity because they’ve essentially made it part of their muscle memory. Likewise, DR and BCP should be ingrained in the company culture as well.
BIlaal Williams says
Prepare a risk analysis for your household’s computer environment (computers, operating systems, network connections, peripherals, applications, etc.). Consider everything that you have learned in the last three weeks. Highlight the key risks, current controls, and propose future mitigations that might reduce your family’s risk exposure. Post your plan online.
Devices on Network
Router/AP – 1
Switch – 1
Home PC/laptops – 3
Smart TV – 2
Smart Phones – 4
Gaming Systems – 2
Media Devices – 2
Key Risks –
Unauthorized Access to Personal Wi-Fi
Malware – malicious download
System failure
Electrical Failure
Burglary – unauthorized entry to home
Controls:
Burglar alarm, locked doors – windows
Account for IP addresses/MAC addresses for all known devices on network
Scan network for unknown devices on network (NMAP)
Test devices for known vulnerabilities (Nessus)
Update devices with patch from developers (automated)
Complex WIFI password
Anti-Virus software on devices
Verify hash checksums for software downloads from open source – (MD5 – SHA1)
User awareness – educate household members about good security practices (don’t click on suspicious links, be wary of downloading software from unknown sources)
Backup data on home PC/laptops (automated)
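An added example, not part of the original post: one way to carry out the two inventory controls listed above (keeping a list of known MAC addresses and scanning for unknown devices) by comparing the output of an nmap ping scan (`nmap -sn`) with that list. The inventory, the addresses, the scan output and the function names are constructed for illustration.

```python
import re

# Constructed inventory of known household devices (MAC -> label).
KNOWN_DEVICES = {
    "AA:BB:CC:00:00:01": "router/AP",
    "AA:BB:CC:00:00:02": "switch",
    "AA:BB:CC:00:00:10": "home laptop 1",
    "AA:BB:CC:00:00:20": "smart TV (living room)",
    "AA:BB:CC:00:00:30": "gaming console",
}

# Constructed sample of `nmap -sn 192.168.1.0/24` output. nmap only prints
# "MAC Address:" lines when run with privileges on the same LAN segment, and
# never for the scanning machine itself (the last host below).
SAMPLE_SCAN = """\
Nmap scan report for router.lan (192.168.1.1)
Host is up (0.0020s latency).
MAC Address: AA:BB:CC:00:00:01 (Constructed Vendor)
Nmap scan report for 192.168.1.10
Host is up (0.010s latency).
MAC Address: AA:BB:CC:00:00:10 (Constructed Vendor)
Nmap scan report for 192.168.1.57
Host is up (0.045s latency).
MAC Address: DE:AD:BE:EF:00:57 (Unknown)
Nmap scan report for 192.168.1.5
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.51 seconds
"""

HOST_RE = re.compile(
    r"^Nmap scan report for "
    r"(?:(?P<name>\S+) \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))$"
)
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_ping_scan(text):
    """Return one dict per live host: ip, name (or None), mac (or None)."""
    hosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = {
                "ip": m.group("ip1") or m.group("ip2"),
                "name": m.group("name"),
                "mac": None,
            }
            hosts.append(current)
            continue
        m = MAC_RE.match(line)
        if m and current is not None:
            current["mac"] = m.group("mac").upper()
    return hosts


def audit(hosts, known):
    """Compare scanned hosts with the inventory.

    unknown: live hosts whose MAC is not in the inventory (investigate).
    no_mac:  live hosts with no MAC reported (usually the scanner itself).
    missing: inventoried devices not seen (powered off, or moved elsewhere).
    """
    known = {mac.upper(): label for mac, label in known.items()}
    seen = {h["mac"] for h in hosts if h["mac"]}
    return {
        "unknown": [h for h in hosts if h["mac"] and h["mac"] not in known],
        "no_mac": [h for h in hosts if h["mac"] is None],
        "missing": sorted(l for mac, l in known.items() if mac not in seen),
    }


if __name__ == "__main__":
    report = audit(parse_ping_scan(SAMPLE_SCAN), KNOWN_DEVICES)
    for h in report["unknown"]:
        print(f"UNKNOWN device {h['mac']} at {h['ip']}")
    for h in report["no_mac"]:
        print(f"No MAC reported for {h['ip']} (scanner host?)")
    for label in report["missing"]:
        print(f"Not seen in this scan: {label}")
```

A MAC address can be changed by its owner, and phones may present randomized (private) addresses, so a match against the list is an inventory check rather than proof of identity.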
Richard Flanagan says
Bilaal – where do you backup your data to?
Lezlie Jiles says
1. What is the difference between disaster recovery and business continuity? How are they related?
A disaster recovery plan is a documented plan created to react to an unplanned incident. An analysis of business process is conducted, which identifies the impact of a planned incident, as well as, the time and recovery objectives. The DRP is designed to provide instructions geared to minimize the incident and continue business functions as soon as possible. Whereas, a business continuity plan defines possible risks and determines how the identified risks will affect operations. The organization then creates safeguards to mitigate the identified risks.
Richard Flanagan says
Lezlie – DR is about recovering the use of your systems after an incident of some kind disrupted them. Business continuity is about keeping the business operations running while you restore normal operations.
I was just at a doctor’s office that suffered a network outage before I arrived. It was comical. No one knew who to call to identify the problem and take action to restore the connection (Disaster Recovery). They also were at a loss to run the office without their systems. They were writing stuff on random scraps of paper, trying to find and copy old manual forms, patient records, etc. (Business continuity). In the end they figured out a way to work but it took a few hours. If they had good DR and BC plans, that they practiced, they could have done much better.
Lezlie Jiles says
2. What makes this so complicated and difficult for organizations?
The DRP and BCP are difficult because the importance of either process is not taken seriously, and not filtered from the top down. Leadership should take an active role in requiring the process be completed and adhered to. Most companies/employees believe it is a waste of time because they will never experience a disaster. I know for my office a BCP has been conducted twice and the process of identifying any possible risks is painstaking and time-consuming, all for a plan that will possibly be used or not.
Richard Flanagan says
Lezlie – OK it was hard to do and took a lot of time, but why?
Lezlie Jiles says
Within our department, there are several functions, and with those functions are keepers of the information/processes. Coordinating everyone’s schedule and getting full participation/openness was ridiculously painstaking. The format of the BCP itself was fine, but having to deal with different people and their personalities was the toughest part.
Pascal Allison says
Prepare a risk analysis for your household’s computer environment (computers, operating systems, network connections, peripherals, applications, etc.). Consider everything that you have learned in the last three weeks. Highlight the key risks, current controls, and propose future mitigations that might reduce your family’s risk exposure. Post your plan online.
To prepare a risk analysis for a household computer environment: identify or determine and valuate assets, identify risks (vulnerabilities & threats), quantify the likelihood of occurrence, then provide a balance between the effect of the risk and the cost to mitigate, avoid, accept, or transfer the risk.
Assets:
Laptops, desktop, smart phone, smart television, router/modem, games, and Switches, network, and electrical supplies.
Some of the risks associated with the assets identified are:
• System failure
• Power outage
• Malware, Viruses, etc.
• Hacking
• Natural disaster
• Human error, and
• Robbery
With the likelihood of these risks, there must be control and recovery processes if they should occur.
• Access controls (network and devices – username & password)
• Anti-virus
• House member training and awareness
• Backup of data
• Security system
• WIFI Protection (User & Password)
• Updated software
• Known or protected Website(https)
• Physical restriction
• Insurance
• Recovery and contingency plan
Richard Flanagan says
Pascal – Good lists, take backup for example. What do you use? What policies do you follow?
Pascal Allison says
For backup I used iCloud for data of non PII, then data with PII I use an external hard drive. Depending on the data, I use full – store all data all the time; and incremental – update backup data.
Brandan Mackowsky says
Pascal,
I liked the set up that you identified for your risk analysis. By identifying all in house assets, it is beneficial to understand and quickly determine the risk and likelihood of a disaster occurring. This is crucial because assets can be quickly tracked and remediated should an event occur if it is quickly identified.
Heiang Cheung says
1. What is the difference between disaster recovery and business continuity? How are they related?
A disaster recovery plan is a documented process of procedures to recover and protect a business’s IT infrastructure in the event of a disaster. A business continuity plan is the process of creating systems of prevention and recovery to deal with potential threats. So there’s really not much of a difference, but business continuity helps the company run smoothly and tries to prevent things from happening, and disaster recovery is when there is already a disaster that happened, how to fix it.
Richard Flanagan says
Heiang – there really is a difference. DR is about restoring IT systems while BC is about keeping the company running whenever a company’s normal operations are disrupted. They are usually tied together but are theoretically independent. Think of BC as how we ship product manually when we have no operating systems.
Heiang Cheung says
2. What makes this so complicated and difficult for organizations?
This can be difficult for organizations because you’re planning for something that might or might not happen, which could be seen as useless to some people and a waste of time. Also, creating these plans could be costly to set up and time consuming, because having multiple systems in place would have to involve a lot of people in different departments, not just in IT. I know at my job they just started implementing a BCP and most people don’t think it’s worth their time. It’s a really time-consuming process because you have to document everything.
Vince Kelly says
You make a good point, Heiang – getting buy-in from everyone can be as important as the actual DR/BC plan itself. Ownership and accountability for DR/BC is the responsibility of everyone. Successful implementation and full system test should be recognized and rewarded by management.
Vince Kelly says
Prepare a risk analysis for your household’s computer environment (computers, operating systems, network connections, peripherals, applications, etc.). Consider everything that you have learned in the last three weeks. Highlight the key risks, current controls, and propose future mitigations that might reduce your family’s risk exposure. Post your plan online.
Basically the home network is a remote office from my company. There is a multi-homed VPN tunnel back to the data centers. Endpoint Firewall, AV, HIDS and NIDS services are configured and managed by the company. Video, voice and data traffic is encrypted (at rest and in flight). Backup to the DC is preconfigured to run daily (using CrashPlan 42).
3 home PC’s run on a separate physical network separated by FW/DMZ. Home computers are backed up to a local multi-TB SSD automatically (once per week). Phone based configurations and data are backed up to the cloud.
Risk:
– Unplanned physical network outage caused by catastrophic event like fire, flood or malevolent activity. Alternative network connectivity is available via WiFi hotspot (but there would be degraded network performance if this occurs). New OS images and restoration are available from corporate at anytime. BCP would be to work out of the local corporate office. Risk deemed acceptable.
– Virus/malware/zombie infestation: minimal risk to the business network (traffic is evaluated at corporate). Some risk to home PC’s but this is also acceptable – Norton AV is used. Signatures are updated frequently.
IT Administrative controls:
– Corporate sets, configures, manages and monitors the business network. There are no administrative controls for the home network outside of the security settings for FW, AV software, etc.
– There is no separation of duties for the home network – I am responsible for it.
– There is appropriate separation of duties for the business network, corporate help desk, security NOC, etc.
There is an extensive EA/EA repository in place at corporate. There is no enterprise architecture in place for the home network.
In terms of portfolio management, we do no monitoring, planning or evaluation of:
– Business investment. No consideration is given to how our home IT service aligns to our overall objectives or goals. Project/budget efficiency is not a consideration
– Financial. Outside of purchasing equipment when it’s needed (and a review of the Comcast bills), very little attention is paid to this topic.
– Operations: Help desk services are available for the business network. For the home network, outside of basic troubleshooting services provided by Comcast help desk, there are no such services for the local home network (PCs, OS patches, etc.) other than what I do myself.
Duy Nguyen says
1. What is the difference between disaster recovery and business continuity? How are they related?
• Disaster recovery, which in this context should be called IT disaster recovery, is a plan to recover systems, system configurations, and data in the event of a disaster. Business Continuity is a higher-level plan of how to continue business until the systems are back to normal, whether with or without IT. The goal of Business Continuity is to continue business under any condition. Both have an end goal of limiting impact to business operations in the event of a disaster.
Michael Gibbons says
Great point. Having the business define realistic recovery time objectives to limit the impact to operations helps organizations see the amount of resources (people and money) needed to keep the business running.
Duy Nguyen says
2. What makes this so complicated and difficult for organizations?
• Both plans are needed in parallel and need to be tested meticulously. Most often organizations that are not knowledgeable about their needs will not see the need for these plans. They most likely will not consider how business would function without their information or information systems.
Brandan Mackowsky says
Duy,
I definitely agree and feel that organizations do not truly value their information and data until it is completely gone and unrecoverable. This is what really stresses the need for a disaster recovery plan and a business continuity plan and how much these two topics contribute to an organization’s operations and overall success. I feel that it is crucial to stress the need for personnel to understand the importance for the two areas as well as enforce them.
Duy Nguyen says
1. Prepare a risk analysis for your household’s computer environment (computers, operating systems, network connections, peripherals, applications, etc.). Consider everything that you have learned in the last three weeks. Highlight the key risks, current controls, and propose future mitigations that might reduce your family’s risk exposure. Post your plan online.
Devices: Laptops, mobile phones, wireless router, smart TVs
Laptops:
• 2 anti-virus software (Norton and McAfee)
• Windows defender and Firewall and network protection
• Windows defender health checks for updates and any other issues
• Critical data are backed up to OneDrive and also Dropbox
• Plugged into an outlet with surge protector
• Password protected
Mobile Phone:
• Verizon Security and privacy device protection app Scans for (Privacy, web Security, and Wi-fi)
• Fingerprint protected
• Fingerprint enabled for all NFC payments apps
• Fingerprint enabled for all other accounts apps
• DDOS turned on for password protection after restart or 5 tries of unlocking phone
Wireless router:
• High-security password protected
Donald Hoxhaj says
Risk Analysis
My household computer environment consists of the following devices:
1. Computer
2. Smart Phones (iPhone)
3. Smart Television
4. Network Routers
5. Wireless Internet Connection
6. Cloud connected Systems for Backup
Personal computer systems can be quite vulnerable to data attacks and data loss if not protected. If your computer is connected on a network system or an internet source, then the chances of network intrusion might be high if a firewall is not installed. Similarly, the risk of leaving computers unattended might have a significant impact on the loss of privacy and user data. The act of sharing access of computers with other people might put one under potential threat of destruction of information, illegal use of sensitive information, passing on information over the network to other people, data alteration, etc. The breach to such systems will definitely cause loss of Confidentiality, Integrity, and Availability of systems. The impact of these risks however depends largely on the criticality of information, monetary value attached to it, and the probability of it being replicated. Other risks that are possible in a personal household environment are:
1. IP Address Vulnerability
2. Malware Attacks because of lack of Antivirus protection
3. System Crash due to no backups, leading to data loss
4. Password and System sharing
One can always use Risk mitigation options to ensure safety of information. One needs to understand the criticality of information at hand before implementing a solution. If the data in a local system deems high importance, one needs to have a UPS backing or a cloud storage done at the right time so that in case of any failure, the data can be recovered. All sensitive data needs to be encrypted by a good software so that external attacks
Richard Flanagan says
Donald,
I like your comment on cloud-based backup but see that all your examples are security. What about dropping your phone in the street and getting it run over (my daughter), having a very close lightning strike that fried several circuits (me) or living through an apartment fire (my son). My point is security is at top of mind right now and should be. But don’t forget that good DR and BC practices can mitigate a host of non-security IT risks.
Heiang Cheung says
https://www.cnet.com/news/nsa-breach-spills-over-100gb-of-top-secret-data/
Thought the above article was pretty neat talking about security.
Michael Gibbons says
What is the difference between disaster recovery and business continuity? How are they related?
Disaster recovery is focused on getting the IT infrastructure back up and operating after an event that has affected the availability of IT systems/services. Business continuity is focused on getting the business functioning again and requires people from all areas of the organization (think the bus test, if I’m no longer here to do my job, who can do it in my place but apply this across the whole organization).
Michael Gibbons says
Business continuity and disaster recovery are related by the purpose they serve. They are both in place for the purpose of keeping the business going in the event that something happens that affects operations.
Michael Gibbons says
What makes this so complicated and difficult for organizations?
One of the things that makes this so complicated is the cost. Disaster recovery is expensive (the level of expense varies depending on the approach – multiple data centers, data storage, replication, internet service, etc.). Business continuity planning is difficult because it is time consuming and requires the business units to know and be able to document what it is they do and how they do it.
Patrick DeStefano (tuc50677) says
I agree that cost can play a major factor in getting buy-in for proper planning and testing of a DR and BC plan. That being said, also keep in mind that there are other things that also play a role in the difficulties organizations have with this. Bringing down the systems to test DR and BC can take a lot of effort and collaboration and will also affect BAU processes. Lack of training due to poor communication to key people and/or high employee turnover rate may leave key steps forgotten or without anyone who knows how to execute them.
Michael Gibbons says
Prepare a risk analysis for your household’s computer environment (computers, operating systems, network connections, peripherals, applications, etc.). Consider everything that you have learned in the last three weeks. Highlight the key risks, current controls, and propose future mitigations that might reduce your family’s risk exposure. Post your plan online.
Risks to confidentiality, integrity and availability of my household computing environment.
Risks – Internet Service provider goes down, cable modem malfunction, hard drive failure, misconfigured firewall, misconfigured settings on personal devices
Controls – Service Level Agreement with Internet Service Provider, ability to purchase or rent a new cable modem. Periodic backups of personal data to external storage, firewall hardening guide with recommended service/port configurations. Personal device hardening/configuration guides.
Steps that can be taken to reduce the risks for future mitigations. Full asset inventory of all devices with internet access and their purpose. Secure disposal of deprecated devices/equipment (recycling, hard drive destruction, etc.)
Jonathan Duani says
Michael,
I like the idea of hard drive destruction. A lot of people do not think about this when they are getting rid of a computer or a device in general and they leave their drives in the computer with personal data on them and just throw them out. I think if more people are conscious about decommissioning equipment properly it could help a lot of people not lose vital information.
Heiang Cheung says
1. Prepare a risk analysis for your household’s computer environment (computers, operating systems, network connections, peripherals, applications, etc.). Consider everything that you have learned in the last three weeks. Highlight the key risks, current controls, and propose future mitigations that might reduce your family’s risk exposure. Post your plan online.
Devices: Laptop, Smart Phone, Wireless router.
Laptop security includes:
McAfee anti-virus software
Windows Firewall
Windows Updates/patches
Passwords
Encrypt back to external Hard drive
Smart phone:
Password protection
Touch ID fingerprint scan
Built-in GPS to pinpoint location
Apple iOS
Sync to iCloud for backup
Encrypt backup to laptop
Wireless Router/ Wi-Fi network:
Changing the Network name
Encryption
Control broadcast power
Update firmware
There are a lot of risks especially if you have Wi-Fi. People could hack into your Wi-Fi network. I remember before we got a letter from Comcast saying someone in the house had been downloading illegal movies but realized it wasn’t anybody at the house so we had to change the password to our network. Going online and checking email could get viruses on your computer if you don’t have sufficient anti-virus software.
Pascal Allison says
Hey Heiang,
iCloud comes with limited user privacy and data syncing across devices. Is there any measure to bridge the single device breach and access all device data stored in iCloud? How protected are PII stored on iCloud, if any?
Jonathan Duani says
Heiang,
I like how you mentioned about WiFi being a spot of vulnerability. With all the tools that are out now and some of which we use in this masters program it is really easy to break into a WiFi especially if it is default. Another thing that you could look into is disabling the SSID broadcast altogether. This way the only way you can join your WiFi Network is if you know the name AND password which adds a little bit more difficulty in it.
Tamekia P. says
What is the difference between disaster recovery and business continuity?
I use a fire analogy to keep it straight – if a building was on fire. Disaster recovery is a fire extinguisher that helps you respond immediately to put the fire out. Business Continuity is what you do post disaster to get you back to being operational like fire safety people that would ensure the structural integrity is sound and that alarms work to allow you to move back into the building.
Brandan Mackowsky says
Tamekia,
I definitely agree with the fire analogy and think that it is a great point to compare the two topics. For business continuity, I would say that it is more along the lines of how the organization plans to run its business due to the fire occurring while the original structure is rebuilt. I would think maybe they would do business strictly online or in a mobile location?
Tamekia P. says
What makes this so complicated and difficult for organizations?
This is complicated and difficult for organizations because I think organizations know how to stop the bleeding and focus their efforts there without paying much attention to how to resume normal operations after coming back from crisis. Organizations typically find out that they have poor business continuity post a disaster.
Jonathan Duani says
1. What is the difference between disaster recovery and business continuity? How are they related?
I feel like disaster recovery and business continuity go hand in hand. They both have a common goal to get a company back up and running or keep the company operational during the event of an incident. However, there are some differences with these as well. A disaster recovery plan is a plan that is focused on recovering the data and the infrastructure of a company in the event of a disaster. Where the business continuity plan comes into play is that they are more focused on the business operations instead of the infrastructure. They are more focused on where people can go in case their normal location is incapacitated to make sure that normal business operations stay current.
Jonathan Duani says
2. What makes this so complicated and difficult for organizations?
The reason I feel like this is so hard for companies is mostly because of money. When everything is going well and there is not a problem they do not understand why they need to spend hundreds of thousands of dollars if not millions on a disaster recovery plan where they may never use it. A lot of companies do not see the need for something so expansive and sometimes do not even check it or test it if they have one because it is usually forgotten about. It is only when something happens that everyone is scrambling and it becomes a big deal.
Tamekia P. says
Prepare a risk analysis for your household’s computer environment (computers, operating systems, network connections, peripherals, applications, etc.). Consider everything that you have learned in the last three weeks. Highlight the key risks, current controls, and propose future mitigations that might reduce your family’s risk exposure. Post your plan online.
Key Risks
– Risk of unauthorized access to wifi network
– Various operating systems running on same network. Can be attacked by both OS (MAC OS and Windows)
– Risk of downloading malicious software
– Loss of backups for devices – computer, cell phone, etc
Current Controls
– Password protection of wifi network
– Windows computers are password protected
– By owning Mac limiting types of viruses on that computer
– Backing up mobile devices to iCloud and annually creating back up on Windows computer
Future Mitigations
– Change network name – My current network name is my name. When people come over they see ‘Tamekia’ and ask for the password. By changing the name, I secure my network from the public as well as limit people from attempting to guess password based on things they may know about me.
– Segregating Wifi per OS
– Updating anti-virus
– Obtaining external hard drive and performing back-up of computers
Jonathan Duani says
1. Prepare a risk analysis for your household’s computer environment (computers, operating systems, network connections, peripherals, applications, etc.). Consider everything that you have learned in the last three weeks. Highlight the key risks, current controls, and propose future mitigations that might reduce your family’s risk exposure. Post your plan online.
In my personal network, I actually do things a little differently which might seem crazy but I do feel like it does make me less exposed than the normal consumer. In my house and on my home network I run a full enterprise system. I run a couple of servers, SAN, NAS, Hardware firewall, and Enterprise APs in addition to multiple desktop computers, laptops, and mobile devices. With the current setup I have now, all the traffic hits the HW firewall before entering the main house network and there are different IP addresses for external and internal networks (WAN and LAN). All my network traffic is NAT under a single IP that is then sent over to Verizon so that it is hard to pinpoint what is going on or where exactly it is coming from.
I think in my environment there are 2 things. The first thing is the major thing and that is the people. I think my family do not care about security and securing the digital identity like I would. This is a major vulnerability and risk that I foresee being an entry point for someone because someone like my mom likes to just click on things. Another issue is security patches. I try and keep everything up to date on the security front as much as possible but with multiple devices things do slip through the cracks. I think moving forward I plan on opening a guest network that is on a separate VLAN so users are not able to access my main servers. Another thing I am currently working on is having the rest of my family’s information on a different VLAN as well that way it does not interfere with all my stuff and if someone does get in.
Patrick DeStefano (tuc50677) says
1. What is the difference between disaster recovery and business continuity? How are they related?
Disaster recovery is exactly what it sounds like. It’s a recovery plan which includes the steps which need to be taken to bring the systems or operations back to BAU after a disaster occurs. This can involve changes in physical hardware, physical locations, bringing databases back online with backup data, moving key people around, in what order should each step be taken, etc. It deals specifically with bringing operations from a down/disaster state back to BAU operations.
Business continuity deals more along the lines of how the business is going to stay in operation while the disaster recovery plan is executed.
Say, for example, you are managing a retail store when a power surge strikes. The entire store loses power and several of the computers are fried. The Disaster recovery plan could include things like restarting the circuit breaker main switch and manually booting up each of the store’s computers, if there are any data issues, analyzing the extent and recovering from the most recent backup, and having the computer hardware technician repair or replace the fried PCs.
The Business continuity plan could include such things as how to take down orders and process transactions using only paper and pen until the systems are back up and running.
Patrick DeStefano (tuc50677) says
2. What makes this so complicated and difficult for organizations?
Several things can factor into making Disaster Recovery and Business Continuity difficult for organizations. Lack of testing can leave broken processes undiscovered until it’s actually needed. High employee turnover rates can lead to employees who don’t know what the DR or BC steps are or how to implement them. Another issue can be caused from lack of executive support to fund or place any sort of priority in the DR or BC plans.
Jonathan Duani says
Patrick,
Besides the monetary aspect, the lack of testing is a big thing that we see with DR and BC plans failing. Everyone and anyone can have an awesome well funded plan but if the plan was never tested once and nobody knows if it will actually work when it is needed, is it really a solidified DR and BC plan? We saw this with the graphic novel case the other week where they did have a plan if something happened; however, nobody touched it in years or even knew where it was. I think in this scenario testing is also really important so that you can make sure that what you have in place will really do what you expect it to do in the time you want it to happen.
Patrick DeStefano (tuc50677) says
I completely agree Jonathan. Coming from a testing background in QA, I am surprised this even slipped my mind in my post haha. Testing is a huge part of this and if the organization does not properly test their DR and BC, they will likely fail miserably when it comes time to put it into use.
Patrick DeStefano (tuc50677) says
Prepare a risk analysis for your household’s computer environment (computers, operating systems, network connections, peripherals, applications, etc.). Consider everything that you have learned in the last three weeks. Highlight the key risks, current controls, and propose future mitigations that might reduce your family’s risk exposure. Post your plan online.
Computer Environment:
MacBook Pro (iOS High Sierra)
Dell MicroPC (Windows 10)
iPhone (iOS 11.1)
Amazon FireStick
Amazon Echo
Visio Smart TV
PlayStation 3
Apple TV
Verizon FiOS Cable Box
Verizon FiOS Router/WiFi
Key Risks & Current Controls:
1. Risk: Power outage causes lack of availability of systems
Control: None (Hopes & Dreams that the power doesn’t go out)
Future Mitigation Plan: Risk Accepted (No Future Mitigation Plan)
2. Risk: Power surge destroys hardware and causes significant cost to repair/replace
Control: Currently have all electronics connected via surge protectors
Future Mitigation Plan: Ensure that any and all current and future electronics are also powered through a surge protector
3. Risk: Theft causes lack of availability and significant cost to replace
Control: Keep door to apartment building as well as apartment door locked at all times.
Future Mitigation Plan: Potentially look into Renters Insurance to reduce any financial impact to replace items
4. Risk: Virus causes lack of availability of systems and can be time consuming/costly to remediate
Control: Have virus protection installed on PC, iOS has low likelihood to get virus infections, User knowledge to not open suspicious emails or go to potentially dangerous sites
Future Mitigation Plan: Remaining Risk accepted (No future mitigation plan)
5. Risk: Hacking causes lack of availability and/or loss of personal data
Control: Virus protection software, data backups on Google as well as iCloud, all operating systems require password to gain access
Future Mitigation Plan: Remaining Risk accepted (No future mitigation plan)
6. Risk: Loss of physical devices causes lack of availability and significant cost to replace
Control: Only remove from apartment when absolutely necessary
Future Mitigation Plan: Keep devices nearby or in a safe location whenever removed from apartment
7. Risk: Internet outage causes lack of availability of connection to certain applications
Control: Have internet via Verizon FiOS as well as AT&T Wireless. If one goes out, the other will stand in and take its place until the other is back up and running
Future Mitigation Plan: Continue relying on parallel internet connection. Invest in new hardware to lessen risk associated with hardware failure due to age
8. Risk: Hardware failure due to age, hardware defect, and/or other reasons causes unavailability of systems and can include significant replacement/repair costs
Control: As warranties are expired on all devices and I’m not made of money to replace after warranty expires, user accepts the risk associated with any hardware failure until it actually fails.
Future Mitigation Plan: Graduate ITACS and get a raise/new job paying six figures so I’m able to purchase the latest and greatest whenever I want.
Paul Needle says
1. What is the difference between disaster recovery and business continuity? How are they related?
Disaster recovery is all about how the company is going to recreate its computing environment including the data and configurations that were backed up. The goal is to get the company’s information system back up and running as fast as possible. There needs to be an understanding of what’s needed and who is responsible. Typically a recovery time objective (RTO) and recovery point objective (RPO) will be determined prior to a disaster so that the company Business Continuity is how the business is going to execute its key business processes from the time the disaster occurs to the time everything is back up and running. The goal is to keep the business viable until normal operations can resume. Disaster recovery is more focused on getting systems and IT up and running while business continuity is focused on continuing operations while the systems are down.
Paul Needle says
2. What makes this so complicated and difficult for organizations?
Disaster recovery is difficult because the nature of most systems is complex. It would be almost impossible to start from scratch in the middle of an emergency so it’s critical to have the right backups in place. The determination of what to back up, how to back it up and who is responsible needs to be considered. Backing up systems can be expensive. An organization needs to prioritize all of its systems when it seems like all systems are equally important. Business continuity is difficult for similar reasons. Deciding what functions are critical to the company is not easy. Then a determination of cost via a hot/cold site needs to be made. Overall it is critical to practice both procedures so that everyone understands why it’s important and what they need to do in an emergency.
Paul Needle says
Activity:
1. Prepare a risk analysis for your household’s computer environment (computers, operating systems, network connections, peripherals, applications, etc.). Consider everything that you have learned in the last three weeks. Highlight the key risks, current controls, and propose future mitigations that might reduce your family’s risk exposure. Post your plan online.
Devices
– Modem
– Router
– Laptops
– Tablets
– Phones
– Baby monitor
– Smart TVs
– Gaming System
Key Risks
– Unauthorized access to wifi
– Power Outage
– Virus, Malware
– Brute Force Password Hacking
– Stolen assets (phone, computer, etc.)
Controls
– Verizon Internet Security Suite
  o Provides access to McAfee
    ▪ Virus and spyware protection
    ▪ Security patches and updates
    ▪ Web and email protection
  o Also allows me to see active IP Addresses
– Windows built in encryption
– Encryption on iPhones
– Android remote wipe and lock
– Work laptop is encrypted and has remote wiping capabilities
– VPN on work laptop
– Multi-factor authentication for bank accounts
– Google Photos are backed up
– Family photos and documents are backed up on external hard drive
– Subscription to Lifelock.
– Physical Locks and alarm System
Paul Needle says
Besides an external hard drive, does anyone know of a cheap and reliable way to back up files? Preferably something that would provide remote accessibility over the internet? My favorite pictures I post to Facebook in hopes they never go out of business haha.
Brandan Mackowsky says
1. What is the difference between disaster recovery and business continuity? How are they related?
The difference between disaster recovery and business continuity is that disaster recovery focuses around how an organization is going to recreate its computing environment that includes all data and configurations that were backed up whereas business continuity explains how a business will execute all of its key business processes from the time of the disaster until it is fixed. The goal of disaster recovery is to ensure that the company’s information systems are quickly back up and running. To ensure that disaster recovery is successful, it is crucial to ensure a hot site and cold site are in place and steady testing is conducted to ensure the plan fully works. The goal of business continuity is to ensure that the business remains operable while the disaster is being mitigated and the business is repaired. The two concepts are related in that they both focus to ensure a business’ success as an event arises. The two are similar in that they both support the same strategy that is used to help a business recover and work hand in hand with one another because as the disaster recovery plan is in place, the business continuity plan takes over.
Brandan Mackowsky says
2. What makes this so complicated and difficult for organizations?
The reason that this is so complex for an organization to keep active is that the disaster recovery aspect is prone to failure and the business continuity can cause issues when personnel are not properly trained. Since an organization is rapidly changing, aspects of the business may not be included in the disaster recovery as they are implemented. This leads to a push back and delay in reimplementation when restoring backups due to the missing information and data. Without properly trained personnel, an organization will see its members struggling to run daily operations without the concepts that it is normally used to. This causes a complication and can result in losses to a business.