Objectives
Understand the ways to classify disasters, both by
speed of onset and source
Know who should form the membership of the
disaster recovery team
Understand the key functions of the disaster plan
Explain the key concepts included in the NIST
approach to technical contingency planning
Describe the elements of a sample disaster recovery
plan
Principles of Incident Response and Disaster Recov
Objectives (continued)
Understand the need for simultaneous wide access
to the planning documents as well as the need for
securing the sensitive content of the DR plans
Introduction
Disaster recovery planning: preparation for and
recovery from a disaster
Disaster may be an escalated incident or may be
immediately classified as a disaster
In general, a disaster is an incident that cannot be
contained or whose impact is not controllable
All business units of an organization need to be
involved in disaster recovery planning, not just IT
Disaster Classifications
Disasters can be classified by cause:
Man-made: war, terrorism, cyberterrorism, etc.
Natural: fire, flood, earthquake, hurricane, lightning,
tornado, etc.
Organization
DR team
Should include representatives from every major
organizational unit
Should be separate from other contingency-related
teams
May include senior management, corporate support
units, facilities, fire and safety, maintenance, IT,
InfoSec
Organization (continued)
Subteams may include:
Disaster management team: command and control,
responsible for planning and coordination
Communications: public relations and legal
representatives to interface with senior management
and general public
Computer recovery (hardware): recovers physical
computing assets
Systems (OS) recovery: recovers operating systems
Network recovery: recovers network wiring and
hardware
Principles of Incident Response and Disaster Recov
10
Organization (continued)
Subteams (continued):
Storage recovery: recovers storage area networks and
network attached storage
Applications recovery: recovers applications and
reintegrates users back into the systems
Data management: recovers and restores data
Vendor contact: works with suppliers and vendors to
replace damaged or destroyed materials, equipment, or
services
Damage assessment and salvage: provides initial
assessments of damage and recovers salvageable
items
11
Organization (continued)
Subteams (continued):
Business interface: works with remainder of
organization to assist in recovery of non-technology
functions
Logistics: provides supplies, space, materials, food,
services, or facilities needed at the primary site
Other teams needed to reestablish key business
functions as needed
12
13
14
Purpose
Scope
Roles and responsibilities
Resource requirements
Training requirements
Exercise and testing schedules
Plan maintenance schedules
Special considerations
15
16
Training requirements:
Details training related to the DR plan
17
18
19
20
21
22
23
24
DR addendums
One for each type of anticipated disaster
Includes the trigger, notification method, response
time
25
26
27
28
29
Plan Maintenance
Plan must be a dynamic document that is updated
regularly
Revisit the DR plan at least annually to update
plans, contracts, and agreements
Make necessary personnel and equipment
modifications
Any change in the organizations size, location, or
business focus must be incorporated into the DR
and CP plans, and the BIA should also be reviewed
30
31
32
33
34
35
36
Servers
Address server vulnerabilities by considering these
practices:
Store backup media and software off site
Standardize hardware, software, and peripherals
Document system configuration and vendor
information
Coordinate with security policies and controls
Use results from BIA
37
Servers (continued)
Contingency strategies may include:
Document system configuration and vendor
information
Standardize hardware, software, and peripherals
Coordinate with security policies and controls
38
Servers (continued)
Contingency strategies (continued):
Implement fault tolerance in critical system
components
Replicate data
Implement storage solutions
39
Web Sites
In addition to information about servers, these
practices should be considered:
Document Web site
Web site programming should use documented change
management
Web site coding should be relative, not absolute,
allowing quick reconfiguration if needed
Coordinate contingency solutions with appropriate
security policies and controls
Coordinate contingency solutions with incident response
procedures
Use results from BIA
40
41
42
43
44
45
Distributed Systems
Consider the following practices:
Standardize hardware, software, and peripherals
Document system configuration and vendor
information
Coordinate with security policies and controls
Use results from the BIA
46
Standardize components
Document system
Coordinate with vendors
Coordinate with security policies and controls
Consider server contingency solutions
Consider LAN contingency solution
Consider WAN contingency solution
47
Mainframe Systems
Consider the following practices:
Store backup media off site
Document system configurations and vendors
Coordinate with network security policies and system
security controls
Use results from the BIA
48
49
50
51
52
53
54
55
56
57
58
59
Summary
DR planning is the preparation for and recovery
from a disaster
Disasters can be classified by source (natural or
man-made) or by speed of development (rapid
onset or slow onset)
CPMT assembles the DR team, consisting of
representatives from every major organizational unit
Members of the DR team do not serve on IR or BC
team because of overlapping duties
DR team may consist of many subteams
Principles of Incident Response and Disaster Recov
60
Summary (continued)
All members of DR team should have multiple copies
of the DR and BC plans available to them at home
and office
DR policy is the first deliverable
Effective preventive controls implemented for
security also facilitate recovery of information
DR plan should contain detailed procedures for
restoring lost or damaged information, in 3 phases:
During the disaster
After the disaster
Before the disaster
Principles of Incident Response and Disaster Recov
61
Summary (continued)
Training in the use of the DR plan can be used to
test the validity and effectiveness of the plan
Testing of the plan is an ongoing activity, with each
scenario tested at least semiannually at the walkthrough level
62