What are some of the direct benefits of rehearsing BCPs?
Hi Percy,
Business continuity testing/rehearsal enables the test team to identify weaknesses, gaps, and risks within continuity plans before deploying them in a crisis situation. I can list some benefits as follows:
• Reduce cost of operation during a disaster
• Reduce operational downtime
• Provide more effective continuity strategies
• Reduce impact of disaster
• Reduce duration of outage
Hi Zeynep,
I can’t agree more with you; the benefits you have listed are all astonishing, and they validate the importance of performing rehearsals.
Rehearsing the BCP enables the team to evaluate the adequacy and effectiveness of the plan, and to tick the box that you’ve done this for an audit trail. Rehearsing the BCP gives each member an opportunity to master his or her role and understand what they are required to do during a crisis.
Why should disaster recovery be a business concern rather than be a concern for only techies?
IT should follow the business processes and not the opposite, I think.
Because the business objective is the goal for every company. As we learnt in IT Governance class, the company should apply IT controls that follow along with the business objective. Also, IT systems are a part of business operations support.
It’s a business concern because if you can’t recover from the disaster then there is no business left. Many companies fail in the months after a major incident because they can’t recover quickly enough to regain cash flow.
Hello Zeynep,
In the majority of organizations, IT is used for supporting the core business processes rather than being a revenue-generating process (e.g. cloud service providers). Hence, on their own, IT teams cannot assign criticality levels, as they wouldn’t be in a position to know how much loss in revenue would be caused in case a particular information system is not functioning. These financial numbers are given by business teams, who calculate the loss in revenue in case the information systems used for supporting that business line are down. Depending on these numbers, IT systems are assigned their criticality. This process is nothing but BIA in a nutshell, and hence DRP should be a business concern as well.
For a small to medium size business, which factors need to be assessed before selecting a backup facility (e.g. Hot site or cold site)?
Hi Akshay,
I think deciding between a hot site or a cold site depends on the company’s priorities. For a small or medium-size company, cost will likely play a key role in which type of site the company prefers. Therefore, if the priority is cutting cost, they will probably choose a cold site. However, if the company doesn’t allow long downtime, they should pick a hot site. The important thing is the company’s understanding of how each type of DR site works and what resources each one requires. There are many factors that should be considered, from cost of equipment to staffing.
Is it possible for companies to create only BCP or DRP? or they should have both?
Hi Numneung,
As far as I know, BCP is based on DRP. So if a company has a BCP, they will have a DRP. But if a company has a DRP without a BCP, there is a high chance that they have not completed their contingency planning and will have a BCP in the future.
Companies could potentially have a BCP without a DRP as the DRP can be considered a subset of the BCP, so for a company to create a DRP without a BCP it would be a huge challenge. Since BCP deals with continuing business processes as a whole and DRP handles recovering IT infrastructure, it’s really in a company’s best interest to have both plans in order to have the best chance of continuity/recovery in the event of a disaster.
When considering key personnel to include in Computer Security Incident Response Teams (CSIRT), what other employees should be members aside from the ones mentioned in the textbook (i.e. senior manager, affected-line employees, PR director, HR, legal team)?
Hi Imran,
The CERT (Computer Emergency Readiness Team) recommends the following roles among the CSIRT:
• Manager or Team Lead
• Assistant Managers or Group Leaders
• Help Desk or Triage Staff
• Incident Handlers
• Vulnerability Handlers
• Artifact Analysis Staff
• Platform Specialists
• Trainers
• Technology Watch
Do you think virus and the humain factors impacts should be included in the BIA?
I believe you are talking about physical and health disasters that could impact the workers who are in charge of the security protocol. I believe there should be contingency plans that revolve around the employees and a potential impact on them. We often take for granted the human capital that organizations have.
How often should an organization perform a simulation in reaction to a disaster?
I read somewhere that it’s every year.
Basically, the company should perform it on an annual basis, following along the plan. Both IT and business users should be involved. The result of testing the DRP should be formally recorded.
It depends on the system architecture and the impact level of the security. I think the simulation should be annual, or every six months. In addition, attention should be paid to personnel changes. When personnel changes are frequent, it may be necessary to temporarily add simulations.
A major issue with intrusion detection systems is that they tend to produce too many false positives, so alarms will often be ignored. What do you think would be a good solution to this problem?
The best solution to this problem is knowing what “normal” looks like on your network. Being able to look at your baseline lets you see if a truly adverse event is happening or if it is a false positive.
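As an added illustration of the baseline idea in this answer (example code written for this page, not from the original discussion): it learns each host's normal hourly connection count from a constructed log, then scores later IDS alerts against that baseline, so only alerts that deviate from it, or that hit a host with no baseline at all, are escalated. Host names, the rule name, the log format and the z-score threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample baseline: hourly outbound connection counts per host
# observed during a known-normal week (this is what "normal" looks like).
BASELINE_LOG = """\
2024-01-08T09:00 srv-web-1 connections=120
2024-01-08T10:00 srv-web-1 connections=135
2024-01-08T11:00 srv-web-1 connections=128
2024-01-08T12:00 srv-web-1 connections=142
2024-01-08T09:00 db-1 connections=8
2024-01-08T10:00 db-1 connections=10
2024-01-08T11:00 db-1 connections=9
2024-01-08T12:00 db-1 connections=11
"""
# Constructed sample IDS alerts raised later; the rule name is hypothetical.
ALERTS = """\
2024-01-15T14:00 srv-web-1 connections=150 rule=CONN_RATE_THRESHOLD
2024-01-15T14:00 db-1 connections=95 rule=CONN_RATE_THRESHOLD
2024-01-15T14:00 new-host-7 connections=20 rule=CONN_RATE_THRESHOLD
"""

def parse(text):
    """Yield (host, connections, rule) from each line; rule is None if absent."""
    for line in text.splitlines():
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[2:])
        yield parts[1], int(fields["connections"]), fields.get("rule")

def build_baseline(text):
    """Per-host (mean, population stddev) of the metric during the normal period."""
    samples = defaultdict(list)
    for host, value, _ in parse(text):
        samples[host].append(value)
    return {host: (mean(v), pstdev(v)) for host, v in samples.items()}

def triage(alert_text, baseline, z_threshold=3.0):
    """Return {host: (z_score, verdict)}. An alert inside the host's normal range is
    marked 'within-baseline' (likely false positive); outliers and hosts with no
    baseline at all are 'escalate', because nothing proves them normal."""
    verdicts = {}
    for host, value, _rule in parse(alert_text):
        if host not in baseline:
            verdicts[host] = (float("inf"), "escalate")
            continue
        mu, sigma = baseline[host]
        z = abs(value - mu) / sigma if sigma else (0.0 if value == mu else float("inf"))
        verdicts[host] = (z, "escalate" if z > z_threshold else "within-baseline")
    return verdicts
```

Calling `triage(ALERTS, build_baseline(BASELINE_LOG))` keeps the web server's alert (150 connections against a normal 120 to 142) as within-baseline, while the database host's jump from about 10 to 95 and the never-seen host are escalated.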
How would more open ports affect the ability of your honeypot to attract hackers?
More open ports mean different ways to exploit a system. It means that attackers may spend more time trying different methods of exploiting vulnerabilities on each port, depending on the service running.
How much do BCP and DRP need to be done for a medium-size company compared to a larger or smaller company? Is there any difference for different sizes of company?
Hello,
Among the more critical things to consider that help determine the amount of time and effort put into preparing the BCP and DRP is the business impact analysis. Another part that organizations consider prior to determining the time and effort put into preparing the BCP and DRP is the amount and types of information systems involved in critical business processes.
What is the most important step to a disaster recovery plan? Is there something missing that should be an outlined step? Possibly in the beginning or the end?
I think performing a Business Impact Analysis (BIA) to determine critical systems and RTO and RPO values is the most important step of a DRP. If the company defines inappropriate values, it will seriously impact business operations and cause financial and system damage and loss.
How do you calculate Maximum Tolerable Downtime (MTD), and what factors should be taken into consideration?