Disaster Recovery Planning Guidelines

Source: http://www.dir.state.tx.us/oops/infosec/index.html

Step 1. Obtain Commitment from Executive Management. Executive support for the development and implementation of a realistic and cost-effective disaster recovery plan is vital to the plan’s success.

3.3 THE RISK ANALYSIS STUDY TEAM

Planning for information security and risk management begins with identifying the agency's information assets and their related vulnerabilities and risks. These tasks are the basis for the risk analysis process. Risk analyses should be coordinated by the agency Information Security Function and are best performed by a team of individuals representing the following disciplines:

  1. data processing operations management
  2. systems programming (operating systems)
  3. systems analysis
  4. applications programming
  5. data base administration
  6. auditing
  7. physical security
  8. communication networks
  9. legal issues
  10. functional owners
  11. system users

GUIDELINES. Generally, information assets that are critical to agency operations should be assigned the highest priority. Information assets where data confidentiality, disclosure, or dissemination is the controlling factor should be given the next priority. Information assets that are sensitive, or where data integrity is the controlling factor, are given third priority. Finally, all other information assets are assigned lower priority. To set priorities:

  1. Inventory the information assets for which the agency has ownership and custodial responsibility.
  2. Identify the automated files and data bases that should be classified as confidential or sensitive.
  3. Identify systems that are critical to agency program operations.
  4. Establish priorities.

3.7 IDENTIFYING INFORMATION ASSETS AT RISK

The risk analysis team's first major task is to identify and inventory the agency's information assets and prepare a checklist of those items. Generally, risk analysis methodologies provide procedures defining how this information may be collected, organized, and documented. Risk analysis methodologies generally include examples of checklists and worksheets which the study team may use or adapt.

Items subject to loss in an information technology environment include application systems, data bases, data files, documentation manuals, operating procedures, operating systems, computer hardware and related equipment, physical equipment, buildings, personal computer systems and software, and the continuity of operations.

Ask the owners of information to classify the application systems as critical or otherwise and indicate whether the data bases and files contain confidential or sensitive information. This information is essential for determining the security controls required for the information.

Consider grouping data bases and/or data files by application system. Remember to include back-up files. For this purpose, consider a worksheet that contains the following information:

Common vulnerabilities may be identified or categorized in a variety of ways which will be influenced to some degree by the risk analysis methodology the agency selects. In general, vulnerabilities are categorized in terms of "Major" and "Minor Threats." Alternatively, they may be categorized in terms of:

Specific risks should be addressed during the risk analysis process. These risks include, but are not limited to, those associated with:

accidental and deliberate acts on the part of agency employees and outsiders;

FIGURE 3-1. SUGGESTED RISK ANALYSIS REPORT OUTLINE

I. Introduction

   A. Discuss the scope of the risk analysis study. Explain any decisions to limit the scope or adopt a phased approach.

   B. Describe the physical automated information processing environment(s).

   C. Discuss the major security measures currently in use or in the process of being installed.

II. Background

   A. Discuss the interrelationships between the owners, custodians, and users of information. Identify specific roles and responsibilities in terms of the risk analysis study.

   B. Include a statement of assumptions specific to the study.

III. Requirements and Constraints

   A. Discuss historical factors having a bearing on the study (for example, discuss previous risk analyses and their results, serious security breaches, etc.).

   B. List the special requirements and constraints, such as time and manpower, under which the study was conducted.

IV. Risk Analysis

   A. Discuss the security issues (the threats and vulnerabilities) considered.

   B. Summarize the findings of the risk analysis study; identify the information assets at risk; identify the risks, the probabilities of occurrence, and the dollar value loss. Do not include detailed working papers or worksheets. Rather, summarize the findings in sufficient detail to provide the reader with an understanding of the security issues (threats or vulnerabilities) and their probable impact (or risk).

   C. List protective measures and identify their cost; identify the threat(s) and risk(s) each countermeasure is intended to address; summarize the cost-benefit analysis of each countermeasure; identify the degree of risk acceptance or the remaining exposure after implementation of the recommended protective measure.

V. Recommendations

   A. Prioritize and list the recommended protective measures or safeguards; identify the impact of implementing technical and procedural protective measures in terms of their effect on the security of information assets; identify their cost-benefit; identify the resources necessary to develop, implement, and maintain the protective measures, with particular emphasis on technical security solutions.

VI. Summary

   A. Discuss any difficulties encountered during the risk analysis study.

   B. Identify the risk analysis methodology or the techniques that were used to conduct the study; identify the composition of the team; the resources used (time and manpower); include information that will be valuable to those conducting future risk analyses.

   C. Briefly, discuss the recommended safeguards. Consider including a chart or cross tabulation that identifies:

      1. the relationship of existing safeguards to threats, information assets, and risks;

      2. the relationship of recommended safeguards to existing threats, information assets, and risks.
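The figures the outline asks for in IV.B and IV.C (probability of occurrence, dollar value loss, countermeasure cost, remaining exposure) and the ranking in V.A can be tabulated with a short worksheet script. The following is an added example, not part of the DIR guidelines; it assumes an annualized loss expectancy model (expected loss = annual probability × dollar loss per event) and uses constructed sample figures.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One line of the risk worksheet: an asset, a threat, and the figures IV.B asks for."""
    asset: str
    threat: str
    annual_probability: float   # probability of occurrence per year
    loss_per_event: float       # dollar value loss if the threat materializes

    def expected_loss(self) -> float:
        # Assumed model: annualized loss expectancy = probability x dollar loss
        return self.annual_probability * self.loss_per_event

@dataclass
class Countermeasure:
    """A protective measure from IV.C with its cost and the exposure left once it is in place."""
    name: str
    annual_cost: float
    residual_probability: float  # probability of occurrence after the safeguard
    residual_loss: float         # dollar loss per event after the safeguard

def evaluate(risk: Risk, cm: Countermeasure) -> dict:
    """Cost-benefit figures for one countermeasure against one risk (IV.C)."""
    before = risk.expected_loss()
    remaining = cm.residual_probability * cm.residual_loss  # remaining exposure
    reduction = before - remaining
    return {
        "expected_loss_before": before,
        "remaining_exposure": remaining,
        "net_benefit": reduction - cm.annual_cost,
        "recommend": reduction > cm.annual_cost,  # safeguard pays for itself
    }

def rank_safeguards(pairs):
    """Order (risk, countermeasure) pairs by net benefit, highest first (V.A)."""
    scored = [(cm.name, evaluate(risk, cm)["net_benefit"]) for risk, cm in pairs]
    return sorted(scored, key=lambda item: item[1], reverse=True)

# Constructed sample worksheet; the figures are illustrative, not taken from the DIR report.
SAMPLE = [
    (Risk("payroll data base", "fire in computer room", 0.02, 500_000),
     Countermeasure("fire suppression system", 3_000, 0.005, 100_000)),
    (Risk("claims files", "accidental deletion by staff", 0.5, 8_000),
     Countermeasure("daily back-up with off-site rotation", 1_200, 0.5, 400)),
    (Risk("office equipment", "vandalism by outsiders", 0.01, 20_000),
     Countermeasure("24-hour guard service", 15_000, 0.001, 20_000)),
]

if __name__ == "__main__":
    for name, net in rank_safeguards(SAMPLE):
        print(f"{name}: net annual benefit ${net:,.0f}")
```

A negative net benefit (the guard service above) is the case where the report should record the remaining exposure as accepted risk rather than recommend the safeguard.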

Step 2. Establish a Services Resumption Planning Committee. Depending on the size of the organization and the availability of resources

Step 3. Perform a Service Resumption Capability Assessment. All equipment should be inventoried, and the strengths and weaknesses of the equipment’s ability to recover from a service disruption should be identified. Appendix D of the DIR report includes an assessment checklist to support grantees in this process. The DIR report provides a list of five suggested actions to complete this step.

Step 4. Perform a Risk Analysis. A risk assessment will be used to identify high-risk service disruptions and levels of protection needed to reinstate these vital services. Security and control measures can then be established to manage the risk. This step should include a risk assessment of the logical and physical configuration of the automated resources and an identification of potential single points of failure. Prevention policies and procedures—ways in which to respond to risk—should then be established (see risk control options outlined in the DIR report). Appendices E and F contain forms to assist in risk analysis. In addition,

Step 5. Establish System Priorities. This step involves examining automated software applications in relation to risk. Such applications should be prioritized by examining the impact of an operational loss if an application were unavailable. The report provides suggested prioritization levels: (1) must be run on schedule, (2) run as resources become available, and (3) can be delayed.

Step 6. Analyze and Define Requirements for Recovery. Recovery can range from interim processing of critical systems for a few days to full redundancy. The resources necessary to resume operations may involve hardware, software, communications, back-up data, physical facilities, vendor support, interagency support, staff, application software, security, office equipment, logistics, storage, funding, and acquisitions. The DIR report provides a list of 16 suggested actions to complete this step.

Step 7. Design the Program for Recovery Operations. Detailed processes should be developed to ensure that full recovery occurs easily so normal service operations can be resumed. DIR recommends distributing responsibilities to teams. This, of course, will depend on the size of the TIF Board grantee organization and resource availability. DIR recommends developing step-by-step procedures for each resource in the case of failure and provides a procedural sample outline in Appendix L. The DIR report provides a list of three suggested actions to complete this step.

Step 8. Conduct Service Resumption Training. Providing adequate training to key personnel is vital to the success of resource recovery. Successful execution of a service resumption situation largely depends on how well the responsible personnel are trained and ready to execute the resumption processes. Personnel should be cross-trained. A list of recommended training classes is provided in the report. The DIR report provides a list of four suggested actions to complete this step.

Step 9. Test the Service Resumption Plan. DIR stresses the importance of testing the disaster recovery plan. Most organizations that recover successfully have usually tested their disaster recovery plans. Plans should be tested regularly using a fully developed scenario of a simulated disruption. The DIR report provides a list of eight suggested actions to complete this step.

Step 10. Maintain and Update the Service Resumption Plan. Service resumption plans should be updated as an organization changes its systems, software, applications, communication systems, personnel, and operations. The DIR report outlines the recommended frequency of plan changes. The DIR report provides a list of three suggested actions to complete this step.
