Week (5) Session (2)

Computer science Department

Executive Master in Cyber Security

Cybersecurity Policies
& Issues
EMCS-602

Business Continuity
Management

Spring2021
2020-2021
 Focus of This Session
Business Continuity Plan
Business Continuity Disaster Response Plans

Regulatory Requirements .
The Disaster Recovery Phase

Analyze risk, threat, incident response, and assessment to understand their impact on business continuity.

Week (5) Session (1) 2

 Objectives
▪ Define a disaster
▪ Appreciate the importance of emergency preparedness
▪ Analyze threats, risks, and business impact assessments
▪ Explain the components of a business continuity plan and
program
▪ Develop policies related to business continuity management

Week (5) Session (2) 3

 Outline

Emergency Preparedness

Business Continuity Risk Management

Disaster Response

Testing and Maintenance

Week (5) Session (2) 4

 Computer science Department
Executive Master in Cyber Security

Emergency Preparedness
 Emergency Preparedness
▪ Disaster
▪ Any event that results in damage or
destruction, loss of life, or drastic change
to the environment
▪ A disruption of normal business functions
where the expected time for returning to
normalcy would seriously impact the
organization’s capability to maintain
operations, including customer commitments
and regulatory compliance
▪ The cause can be environmental,
operational, accidental, or willful

Week (5) Session (2) 6

 Emergency Preparedness cont.

▪ Disasters
and Their
Causes

Week (5) Session (2) 7

 Emergency Preparedness cont.
Resilient organization
▪ Resilient organization is the one has the capability to
quickly adapt and recover from known or unknown change
to the environment
▪ It requires management support, investment, planning,
and layers of preparation.

Week (5) Session (2) 8

 Computer science Department
Executive Master in Cyber Security

Business Continuity Risk

Management
 Business Continuity Risk Management
▪ Continuity planning is simply the good business practice
of ensuring the execution of essential functions
▪ Continuity planning is an integral component of
organizational risk management.
▪ Risk management for continuity of operations requires
the organizations to
▪ Identify the threats that can disrupt operations
▪ Determine the risk
▪ Assess the impact on the company

Week (5) Session (2) 10

 Business Continuity Risk Management cont.
Business continuity threat assessment
▪ Business continuity threat assessment is to identify viable threats
and predict the likelihood of occurrence
▪ Threat modeling takes into account historical and predictive
geographic, technological, physical, environmental, industry, and
third-party factors such as the following:
▪ What type of disasters have occurred in the community or at this location?
▪ What can happen due to the geographic location?
▪ What could cause processes or information systems to fail?
▪ What threats are related to service provider dependency?
▪ What disasters could result from the design or construction of the facility or
campus?
▪ What hazards are particular to the industry sector?
▪ Business continuity threat assessment
▪ Evaluates the sufficiency of controls to prevent a threat from occurring or to
minimize its impact
11
Week (5) Session (2)
 Business Continuity Risk Management cont.

Threat
Assessments:
Historical

Week (5) Session (2) 12

 Business Continuity Risk Management cont.

Business Continuity Risk

Assessment
▪ Business continuity risk
assessment evaluates the
sufficiency of controls to
prevent a threat from occurring
or to minimize its impact.
▪ Table 12-2 illustrates risk
assessment considerations for
the specific threat of a wildfire.

Week (5) Session (2) 13

What Is a Business Impact Assessment?
Business Impact Assessment (BIA)
▪ Is to identify essential services/processes and
recovery time frames
▪ Business Impact Analysis
▪ It is a multistep collaborative activity that involves business
process owners, stakeholders, and corporate officers

14
What Is a Business Impact Assessment?
▪ A BIA incorporates three metrics
▪ Maximum tolerable downtime (MTD) is the total length of time an
essential business function can be unavailable without causing
significant harm to the business.
▪ Recovery time objective (RTO) is the maximum amount of time a
system resource can be unavailable before there is an unacceptable
impact on other system resources or business processes.
▪ Recovery point objective (RPO) represents the point in time, prior to
a disruption or system outage, that data can be recovered (in other
words, the acceptable data loss).

Week (5) Session (2) 15

 What Is a Business Impact Assessment?
▪ the
components
of a BIA.

Week (5) Session (2) 16

What Is a Business Impact Assessment?
▪ the
components
of a BIA.

Week (5) Session (2) 17

 Business Impact Assessment
Synopsis: Require and assign responsibility for an annual BIA.
Policy Statement:
▪ The Chief Operating Officer is responsible for scheduling an
enterprisewide annual BIA. System owner participation is required.
▪ The BIA will identify essential services and processes. Essential is
defined as meeting one or more of the following criteria:
▪ Required by law, regulation, or contractual obligation.
▪ Disruption would be a threat to public safety.
▪ Disruption would result in impact to the health and well-being of
employees.
▪ Disruption would result in irreparable harm to customers or business
partners.
▪ Disruption would result in significant or unrecoverable financial loss.

Chapter (#) 18
 Business Impact Assessment
Policy Statement (cont.):
▪ For each essential service and/or process, the maximum tolerable
downtime (MTD) will be documented. The MTD is the total length of
time an essential function or process can be unavailable without
causing significant harm to the business.
▪ For each essential service and/or process, supporting infrastructure,
devices/information systems, and dependencies will be identified.
▪ Recovery time objectives (RTOs) and recovery point objectives (RPOs)
for supporting infrastructure and devices/information systems will be
documented.
▪ Current capability and capability delta will be identified. Deviations
that put the organization at risk must be reported to the Board of
Directors.
▪ The Chief Operating Officer, the Chief Information Officer, and the
Business Continuity Team are jointly responsible for aligning the BIA
outcome with the business continuity plan.
Chapter (#) 19
 Business Continuity Plan
▪ The objective is to ensure the organization has the capability to
respond and recover from a disaster
▪ Component:
▪ Response plans
▪ focus on the initial and near-term response and include such elements as
authority, plan activation, notification, communication, evacuation, relocation,
coordination with public authorities, and security.
▪ Contingency plans
▪ focus on immediate, near-term, and short-term alternate workforce and
business processes.
▪ Recovery plans
▪ focus on the immediate, near-term, and short-term recovery of information
systems, infrastructure, and facilities.
▪ Resumption plans
▪ guide the organization back to normalcy.
▪ this plan is referred to as the business continuity plan (BCP).The
discipline is referred to as business continuity management.
Week (5) Session (2) 20
 Business Continuity Plan cont.
▪ Business continuity management involves the entire
organization
▪ Board of Directors provides oversight and guidance,
authorizes the related policy, and is legally accountable for
the actions of the organization
▪ Executive management provides leadership
▪ Business Continuity Team (BCT) has the authority to make
decisions related to disaster preparation, response, and
recovery

Week (5) Session (2) 21

 Computer science Department
Executive Master in Cyber Security

Disaster Response
 Disaster Response Plans
▪ Addresses what should be done immediately following a
significant incident
▪ Defines who has the authority to declare a disaster
▪ Defines who has the authority to contact external entities
▪ Defines evacuation procedures
▪ Defines emergency communication & notification procedures
▪ Upon declaration of a disaster, all BCT members should report to
a designated command and control center
▪ Occupant emergency Plan (OEP)
▪ Describes evacuation and shelter-in-place procedures in the event of a
threat or incident to the health and safety of personnel

Week (5) Session (2) 23

 Disaster Response Plans cont.

▪ Relocation strategies
▪ Hot site
▪ Fully operational location with
redundant equipment.
▪ The data has been streamed to the
site on a real-time basis or close to
real time

▪ Warm site
▪ Configured to support operations
including communications capabilities,
peripheral devices, power, and HVAC.
▪ Spare computers may be located there
that then would need to be configured
in the event of a disaster
▪ Date must be restored

Week (5) Session (2) 24

 Disaster Response Plans cont.

▪ Relocation strategies
▪ Cold site
▪ Available alternative location
▪ Equipped with power, HVAC, and secure access
▪ Mobile site
▪ Self-contained unit
▪ Equipped with the required hardware, software, and
peripherals
▪ Data needs to be restored
▪ A mirrored site
▪ is fully redundant with real-time replication from the
production site. Mirrored sites can assume processing
with virtually no interruption.
▪ reciprocal site
▪ is based on an agreement to have access to/use of
another organization’s facilities.

Week (5) Session (2) 25

 Emergency Response Plan Policy
Synopsis: Ensure that the organization is prepared to respond to an
emergency situation.
Policy Statement:
▪ The Chief Operating Officer is responsible for developing and
maintaining the emergency response plan. The emergency response plan
is a component of the enterprise business continuity plan.
▪ The objective of the emergency response plan is to protect the health
and safety of employees, customers, first responders, and the public
at large, minimizing damage to property and the environment, and set
in motion response, contingency, and recovery operations.
▪ The emergency response plan must, at a minimum, address
organizational alerts and notification, disaster declaration, internal
and external communication channels, command and control centers,
relocation options, and decision making authority.

Chapter (#) 26
 Emergency Response Plan Policy
Policy Statement (cont.):
▪ Ancillary to the response plan are OEPs and the crisis communication
plan (CCP). Both plans may be utilized in conjunction with and/or
referenced by the response plan.
▪ The Office of Human Resources is responsible for maintaining the
OEP.
▪ The Office of Communications and Marketing is responsible for
maintaining a CCP.
▪ Personnel responsible for response operations must receive
appropriate training.
▪ Response plans and procedures must be audited in accordance with the
schedule set forth by the Business Continuity Team.
▪ Response procedures must be tested in accordance with the schedule
set forth by the Business Continuity Team.

Chapter (#) 27
 Operational Contingency Plans
▪ Addresses how an organization’s essential business processes will
be delivered during the recovery process
▪ Developed at the departmental level
▪ Responsibility of the business process owner
▪ The documentation should follow the same form as the SOPs

Week (5) Session (2) 28

 The Disaster Recovery Phase

▪ In the disaster recovery phase, the organization begins the process

of restoring or replacing damaged infrastructure, information
systems, and facilities.
▪ Recovery strategies
▪ The path to bringing the company back to a normal business environment
▪ A plan should be in place that breaks down each category of the overall recovery
effort to simplify the daunting recovery process:
▪ Mainframe recovery is specific to the restoration of a mainframe computer (or
equivalent capability) and corresponding data processing.
▪ Network recovery is specific to information systems (servers, workstations, mobile
devices, applications, data stores, and supporting utilities) and includes the
restoration of functionality and data.

Week (5) Session (2) 29

 The Disaster Recovery Phase cont.
▪ Recovery strategies (Cont.)
▪ Communications recovery encompasses internal and external transmission systems,
including local-area network (LAN), wide-area network (WAN), data circuits (T1, T3,
MPLS), and Internet connectivity. Included in this category are connectivity devices
such as switches, routers, firewalls, and IDSs.
▪ Infrastructure recovery encompasses those systems providing a general operating
environment, including environmental and physical controls.
▪ Facilities recovery addresses the need to rebuild, renovate, or relocate the physical
plant.

Week (5) Session (2) 30

 The Disaster Recovery Phase Cont.
▪ Recovery procedures
▪ All procedures should be designed, tested, documented, and
approved prior to when the disaster strikes
▪ Procedures should be written as if the person who will be
following them is not intimately familiar with the information
system or component
▪ Procedures should explain what needs to be done, when,
where, and how
▪ The key is to respond fast using predefined steps
▪ Recovery procedures should be reviewed annually

Week (5) Session (2) 31

 Disaster Recovery Plan Policy
Synopsis: Ensure that the organization can recover infrastructure,
systems, and facilities damaged during a disaster.
Policy Statement:
▪ The Office of Information Technology and the Office of Facilities
Management are responsible for their respective disaster recovery
plans. Disaster recovery plans are a component of the enterprise
business continuity plan.
▪ The disaster recovery plan must include recovery strategies and
procedures for systems and facilities as determined by the business
impact assessment.
▪ Modifications to the recovery plan must be approved by the Chief
Operating Officer.
▪ The amount of procedural detail required should be enough that
competent personnel familiar with the environment could perform the
recovery operation.
Chapter (#) 32
 Disaster Recovery Plan Policy
Policy Statement (cont.):
▪ External system dependencies and relevant contractual agreements
must be reflected in the recovery plan.
▪ Personnel responsible for recovery operations must receive
appropriate training.
▪ Recovery plans and procedures must be audited in accordance with the
schedule set forth by the Business Continuity Team.
▪ Recovery procedures must be testing in accordance with the schedule
set forth by the Business Continuity Team.

Chapter (#) 33
 The Resumption Phase
▪ The objective is to transition to normal operations
▪ Two major activities
▪ Validation
▪ Verifying recovered systems are operating correctly
▪ Deactivation
▪ The official notification that the organization is no longer operating in
emergency or disaster mode

Week (5) Session (2) 34

 Computer science Department
Executive Master in Cyber Security

Testing and Maintenance

 Plan Testing and Maintenance
▪ Proactive testing of the plan is essential
▪ Until tested, the plan is theoretical at best
▪ The tests should prove that the procedures and the plan are:
▪ Relevant
▪ Operable under adverse conditions
▪ Accurate
▪ Tests are used to discover errors and inadequacies

Week (5) Session (2) 36

 Plan Testing and Maintenance Cont.
▪ Three standard testing methodologies
▪ Tabletop exercise
▪ Structured reviewfocuses on a specific procedure or set of procedures.
Representatives from each functional area participate in a systematic
walkthrough of the procedures with the goal of verifying accuracy and
completeness.
▪ Simulation focuses on participant readiness. A facilitator presents a scenario
and asks the exercise participants’ questions related to the scenario, including
decisions to be made, procedures to use, roles, responsibilities, time frames, and
expectations.
▪ Functional exercises allow personnel to validate plans, procedures, resource
availability, and participant readiness. Functional exercises are scenario-
driven and limited in scope, such as the failure of a critical business
function or a specific hazard scenario.
▪ Full-scale testing is conducted at the enterprise level. Based on a specific
scenario, the business operates as if a disaster was declared.

Week (5) Session (2) 37

 Plan Testing and Maintenance Cont.
▪ Business continuity plan audit
▪ Evaluation of how the business continuity program in its entirety is being managed
▪ Auditors must be independent, they will ask the following questions:
▪ Is there a written business continuity policy and plan?
▪ Has the business continuity policy and plan been approved by the Board of
Directors?
▪ How often is it reviewed and/or reauthorized?
▪ How often is a BIA conducted? By whom?
▪ Who is on the BCT?
▪ What training have they had?
▪ What training has the user community had?
▪ Is there a written test plan?
▪ How often is the plan tested?
▪ Are the results documented?
▪ If third parties are involved, what is the process for testing/verifying their
procedures?
▪ Who is responsible for maintaining the plan?
 Plan Maintenance
▪ Business environments are dynamic: The plan should be
reviewed and edited regularly to match the changes that
occur in the company and/or the industry in which the
company is involved
▪ The plan cannot be reviewed without the risk assessment
being reviewed as well
▪ Responsibility for maintaining the plan should be assigned to a
specific role such as the ISO

Week (5) Session (2) 39

 Summary
▪ A disaster can strike at any time. The organization must be
prepared to respond to continue to provide services/products
to its clients.
▪ It is the responsibility of executive management to insure
that threats are evaluated, impact to business processes
recognized, and resources allocated.
▪ This requires the creation and maintenance of an audited
business continuity plan and of a set of ancillary procedures.

Week (5) Session (2) 40

 Building: 61
Room:

Contact:

Email address:
-----@kau.edu.sa

Chapter (#) 41