Business Continuity and Disaster Recovery Planning for IT Professionals PDF

Title: Business Continuity and Disaster Recovery Planning for IT Professionals
Author: Alejandro Landrau
Pages: 482
File Size: 5.7 MB
File Type: PDF
Total Downloads: 325
Total Views: 871



Description


443_Disaster_Rec_FM.qxd 5/25/07 3:07 PM Page i

Visit us at www.syngress.com. Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE E-BOOKS For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at [email protected] for more information.


Business Continuity & Disaster Recovery for IT Professionals

Susan Snedaker, MCSE, MCT


Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  HJIRTCV764
002  PO9873D5FG
003  829KM8NJH2
004  QX34TYP89Z
005  CVPLQ6WQ23
006  VBP965T5T5
007  HJJJ863WD3E
008  2987GVTWMK
009  629MP5SDJT
010  IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

Business Continuity and Disaster Recovery Planning for IT Professionals

Copyright © 2007 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1 2 3 4 5 6 7 8 9 0

ISBN 13: 978-1-59749-172-3

Publisher: Amorette Pedersen
Project Manager: Anne McGee
Copy Editor: Adrienne Rebello
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Indexer: Richard Carlson

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email [email protected].


Acknowledgments

Thanks first to Syngress for publishing this book and for the efforts of Amy Pedersen and all the others behind the scenes in helping shepherd this project to completion. Thanks to my friend and colleague, and a brilliant attorney, Deanna Conn, for contributing a piece on legal aspects of data security within the context of business continuity and disaster recovery (BC/DR) planning. Thanks also go out to my good friend and colleague, Patty Hoenig, whose expertise in crisis communications will help you understand and address the challenges of communicating effectively during and after a crisis. Additional thanks to my friend and colleague Nels Hoenig for reviewing sections of the material and providing invaluable feedback along the way. Thanks to my colleague Debbie Earnest who shared her expertise and experience (bumps and bruises) garnered from working in the field of BC/DR. Her advice and comments helped me in crafting this book from start to finish. Her contribution offers time-tested techniques for overcoming some of the common challenges to BC/DR planning. Last but not least, many thanks to the voice of reason, my cohort and draft reviewer, Lisa Mainz, for reading through early versions of chapters and helping me find the clearest, most direct path through the material. Finally, thanks to my long-time friend, Shirley, who passed away just after I started writing this book. She had recently reminded me of this oft-quoted phrase: Hope for the best, plan for the worst. Nothing will ever surprise you.


About the Author

Susan Snedaker, Principal Consultant and founder of Virtual Team Consulting, LLC, has over 20 years' experience working in IT in both technical and executive positions, including with Microsoft, Honeywell, and Logical Solutions. Her experience in executive roles at both Keane and Apta Software provided extensive strategic and operational experience in managing hardware, software, and other IT projects involving both small and large teams. As a consultant, she and her team work with companies of all sizes to improve operations, which often entails auditing IT functions and building stronger project management skills, both in the IT department and company-wide. She has developed customized project management training for a number of clients and has taught project management in a variety of settings. Ms. Snedaker holds a Master's degree in Business Administration (MBA) and a Bachelor's degree in Management. She is a Microsoft Certified Systems Engineer (MCSE), a Microsoft Certified Trainer (MCT), and has a certificate in Advanced Project Management from Stanford University. She recently completed an Executive program in International Management at Thunderbird University's Garvin School of International Management.


Contents

Introduction xxiii

Chapter 1 Business Continuity and Disaster Recovery Overview 1
  Introduction 2
  Business Continuity and Disaster Recovery Defined 3
  Components of Business 5
    People in BC/DR Planning 6
    Process in BC/DR Planning 7
    Technology in BC/DR Planning 9
  The Cost of Planning versus the Cost of Failure 11
    People 15
    Process 16
    Technology 16
  Types of Disasters to Consider 17
    Natural Hazards 18
      Cold Weather Related Hazards 19
      Warm Weather Related Hazards 19
      Geological Hazards 20
    Human-Caused Hazards 20
    Accidents and Technological Hazards 22
    Electronic Data Threats 24
      Personal Privacy 24
      Privacy Standards and Legislation 24
      Social Engineering 26
      Fraud and Theft 27
      Managing Access 30
  Business Continuity and Disaster Recovery Planning Basics 31
    Project Initiation 33
    Risk Assessment 33
    Business Impact Analysis 34
    Mitigation Strategy Development 34
    Plan Development 34
    Training, Testing, Auditing 35
    Plan Maintenance 35
  Summary 36
  Solutions Fast Track 37
  Frequently Asked Questions 40

Case Study 1 Legal Obligations Regarding Data Security 43
  Background 44
    The ChoicePoint Incident 44
  State Laws Regarding Data Security 45
    Notice of Security Breach Laws 46
      Definition of Personal Information 46
      What Triggers Notice Requirements? 46
  Federal Laws Regarding Data Security 48
    U.S. House of Representatives Proposed Bill 49
    U.S. Senate Proposed Bill 49
  Conclusion 50
  Footnotes 50
  Frequently Asked Questions 51

Chapter 2 Project Initiation 53
  Introduction 54
  Elements of Project Success 55
    Executive Support 55
    User Involvement 58
    Experienced Project Manager 59
    Clearly Defined Project Objectives 60
    Clearly Defined Project Requirements 60
    Clearly Defined Scope 61
    Shorter Schedule, Multiple Milestones 62
    Clearly Defined Project Management Process 63
  Project Plan Components 64
    Project Definition 66
      Problem and Mission Statement 67
      Potential Solutions 67
      Requirements and Constraints 68
      Success Criteria 68
      Project Proposal 69
      Estimates 70
      Project Sponsor 71
    Forming the Project Team 72
      Organizational 73
      Technical 73
      Logistical 74
      Political 74
    Project Organization 75
      Project Objectives 75
      Project Stakeholders 78
      Project Requirements 79
      Project Parameters 80
      Project Infrastructure 84
      Project Processes 85
      Project Communication Plan 89
    Project Planning 90
      Work Breakdown Structure 91
      Critical Path 91
    Project Implementation 92
      Managing Progress 93
      Managing Change 93
    Project Tracking 94
    Project Close Out 95
  Key Contributors and Responsibilities 96
    Information Technology 96
      Experience Working on a Cross-Departmental Team 97
      Ability to Communicate Effectively 97
      Ability to Work Well with a Wide Variety of People 97
      Experience with Critical Business and Technology Systems 98
      IT Project Management Leadership 99
    Human Resources 99
    Facilities/Security 99
    Finance/Legal 100
    Warehouse/Inventory/Manufacturing/Research 101
    Purchasing/Logistics 102
    Marketing and Sales 103
    Public Relations 103
  Project Definition 106
    Business Requirements 107
    Functional Requirements 109
    Technical Requirements 110
  Business Continuity and Disaster Recovery Project Plan 112
    Project Definition, Risk Assessment 112
    Business Impact Analysis 112
    Risk Mitigation Strategies 113
    Plan Development 113
    Emergency Preparation 113
    Training, Testing, Auditing 113
    Plan Maintenance 114
  Summary 115
  Solutions Fast Track 116
  Frequently Asked Questions 119

Case Study 2 The Financial Impact of Disasters and Disruptions 123
  Introduction 124
  Financial Aspects of Business Disruptions 124
    Cash Flow 125
    Lower Revenues 126
      Sales Activities 126
      Order Fulfillment 126
      Order Shipment 127
      Accounts Receivable 127
    Higher Costs 127
    Impact on Cash Flow 128
    Impact on Valuation and Ability to Raise Capital 129
  Summary 131

Chapter 3 Risk Assessment 133
  Introduction 134
  Risk Management Basics 135
    Risk Management Process 137
      Threat Assessment 138
      Vulnerability Assessment 140
      Impact Assessment 140
      Risk Mitigation Strategy Development 140
    People, Process, Technology, and Infrastructure in Risk Management 141
      People 141
      Process 142
      Technology 142
      Infrastructure 143
    IT-Specific Risk Management 143
      IT Risk Management Objectives 144
      The System Development Lifecycle Model 144
    Risk Assessment Components ...

