[Article]-BCP and DRP from Scratch

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Apr 02, 2007 12:48 am

[Article]-BCP and DRP from Scratch

This month RichM tackles disaster recovery and business continuity. One would think that since he was hired to secure the joint, that he would have support from management on such plans. Not so fast. Seems like everyone has mountains to climb.

This month's column has been quite a learning experience. Well, not the column as much as what I discovered in the process of getting management buy-in for a Business Continuity Planning/Disaster Recovery Planning (BCP/DRP). In all of the information I have read, three main objectives need to be met in order to develop a good BCP/DRP plan. The major emphasis (and motivation behind this column) is point one:

1. Management buy-in
2. Develop the plan (Leave 4 - 6 months for this step)
3. Ability to test and verify plan

Once I approached management they were extremely excited and asked me to come up with a disaster recovery plan in a week. I explained that BCP/DRP takes a long time to create and requires feedback and input from key management members, and that rushing it would create an inaccurate plan. As I watched the decision maker's eyes glaze over, he mumbled something about off site storage of backup tapes and walked away.

And thus my learning experience kicks into high gear.


Be sure to add your comments,
Don
CISSP, MCSE, CSTA, Security+ SME

jimbob

Post Mon Apr 02, 2007 3:40 am

Re: [Article]-BCP and DRP from Scratch

BCP/DRP are among the unglamorous and often forgotten aspects of security. Security practice aims to keep the business rolling, so that includes backup (and more importantly restore), disaster planning, incident response policy and all of the other work that ensures if something goes titsup the damage is minimised. Good to see an article focused on this aspect since it can potentially save a company from ruin.

Jimbob

slimjim100

EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Mon Apr 02, 2007 6:49 am

Re: [Article]-BCP and DRP from Scratch

This is where your Project management skills meet your sales skills to get an upper management buy-off. I have been in similar places where you would think common sense would prevail. The reason we have SOX (Sarbanes-Oxley) and HIPAA (Health Insurance Portability and Accountability Act) is because business does not always want to focus on anything that does not drive profits to the bottom line. As security professionals we are obligated to know what the correct course of action is to protect our networks and the company. Understanding BCP & DRP is very important and will only add another layer of protection to your company/client. RichM, thanks for pointing out some of the real day-to-day projects & tasks that are not always brought up in security forums.

Thanks RichM for the article!

Brian Wilson
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Apr 02, 2007 11:06 am

Re: [Article]-BCP and DRP from Scratch

CISSP, MCSE, CSTA, Security+ SME

LSOChris

Post Mon Apr 02, 2007 3:07 pm

Re: [Article]-BCP and DRP from Scratch

ohhh good article.

out of curiosity, what type of fire suppression do you have in the server room? I am guessing water, which means you may want to have a plan in place for replacing every single server in that room and restoring the data once the water hits them.

Cutaway

Jr. Member

Posts: 96

Joined: Mon Nov 20, 2006 5:02 pm

Post Mon Apr 02, 2007 3:51 pm

Re: [Article]-BCP and DRP from Scratch

ChrisG's comment actually happened the other day to a friend of a friend. The fire suppression system malfunctioned and destroyed $200,000+ worth of furniture plus the water damage to the building and other assets bumping the price tag up significantly. The insurance company will not pay up because anything over a couple hundred thousand dollars they fight over so that you have to settle a lesser claim or lose everything. Every day they wait for the settlement they are losing money. They are in the process of triple mortgaging everything just to get enough stock to keep people coming in and supply the people who have already purchased.

Sometimes owning your own business is tough. But, then again, a good BC/DRP "might" have helped.

Moral of this comment: Do not depend on the insurance company to have your best interest in mind.

Cutaway
Go forth and do good things,
Cutaway

linuxstarved

EH-Net Columnist

Posts: 49

Joined: Sat Sep 23, 2006 9:55 am

Post Tue Apr 03, 2007 7:46 pm

Re: [Article]-BCP and DRP from Scratch

Thanks to everyone for the kind words.

slimjim100,

It is disturbing how little business thinks about contingency planning till it is too late. It is our job (whether we like it or not) to sell the concept. It has been 5+ years since those horrific events on September 11th and many companies still do not get it.

ChrisG, to answer your question, our fire suppression stops and starts with handheld charged fire extinguishers. As is more par for the course (than most will admit), our server room was at one time office space. There are no sprinklers of any kind throughout the space, and the door to the "server room" is left unlocked b/c the space is large enough to accommodate old but possibly still usable (in management's eyes) IT equipment: printers, switches, etc.

I agree though that if you do have water suppression in your server room that you absolutely need a contingency plan for replacing the hardware. Even if you have a dry system (water is not charged in the line) once it goes off, it seems as if the cure can be much more harmful than the disease.

cutaway,

Thank you for that sobering example, I will definitely carry that with me the next time someone thinks they are mitigating a considerable risk through the purchase of insurance.
