6.5 Disaster recovery and business continuity planning and auditing

Edit subtitles

0:03 - 0:05

So today, we are from Group 10.
0:05 - 0:08

We will continue to present on Chapter 6
0:08 - 0:10

under Subtopic 6.5:
0:10 - 0:12

Disaster Recovery and Business
0:12 - 0:15

Continuity Planning and Auditing.
0:15 - 0:17

Assalamu Alaikum,
0:18 - 0:19

and hi, everyone.
0:19 - 0:20

We are from BlueTech.
0:20 - 0:22

In this video, we will present about
0:22 - 0:24

disaster
0:24 - 0:26

recovery and business continuity
0:26 - 0:27

planning and auditing.
0:27 - 0:30

First, of course, my name is Intan Sanwa
0:30 - 0:31

Binti Mahasi,
0:31 - 0:34

matric number 268061, and
0:34 - 0:37

I'm the first presenter. I will present
0:37 - 0:38

the definition,
0:38 - 0:43

purpose, and the main aspects of BRP.
0:45 - 0:47

Alright, I will proceed for the
0:47 - 0:49

definition part.
0:49 - 0:53

Disaster. What is disaster? Disaster is
0:53 - 0:55

disruptions that cause critical
0:55 - 0:58

information resources to be inoperative
0:58 - 1:00

for a period of time.
1:00 - 1:02

Disaster can be caused because of
1:02 - 1:03

environmental conditions,
1:03 - 1:06

system failure, or equipment failure,
1:06 - 1:10

or disaster can also be man-made. Any
1:10 - 1:12

incident that can takes more than
1:12 - 1:14

a suitable amount of time
1:14 - 1:17

to recover, or if it has more than an
1:17 - 1:18

acceptable range
1:18 - 1:20

of consequences, can be called a
1:20 - 1:23

disaster.
1:23 - 1:26

The examples of disaster are weather,
1:26 - 1:29

terrorism, disruption in expected services,
1:29 - 1:33

human error, and so on.
1:34 - 1:37

Disaster can be short or may last for a
1:37 - 1:37

long time,
1:37 - 1:41

but when an organization is ready for
1:41 - 1:44

any adversity, it strives hard and survives.
1:44 - 1:47

Disruption can lead to lost revenue,
1:47 - 1:48

brain damage,
1:48 - 1:51

and dissatisfied customers. And the
1:51 - 1:53

longer the recovery time,
1:53 - 1:56

the greater the adverse business impact.
1:56 - 1:59

Therefore, a good disaster recovery plan
1:59 - 2:02

should enable rapid recovery from
2:02 - 2:03

disruptions,
2:03 - 2:05

regardless of the source of the
2:05 - 2:07

disruptions.
2:07 - 2:10

The business continuity plan includes,
2:10 - 2:13

first, the disaster recovery plan, that is
2:13 - 2:15

generally the plan to be followed
2:15 - 2:19

by the business units to recover a harmed
2:19 - 2:20

or demolished
2:20 - 2:23

facility, or business functionality,
2:23 - 2:26

or an operational facility. Then, the
2:26 - 2:27

operation
2:27 - 2:29

plan, that is to be followed by the
2:29 - 2:30

business units
2:30 - 2:35

to get by while recovery is taking place.
2:36 - 2:38

Everything is the same as in the case of
2:38 - 2:41

the business continuity planning
2:41 - 2:43

or disaster recovery plan, with the
2:43 - 2:44

exception
2:44 - 2:46

that the continuity of the information
2:46 - 2:49

system processing is threatened.
2:49 - 2:51

Information system processing is one
2:51 - 2:52

operation
2:52 - 2:55

of many that keeps the organization not
2:55 - 2:58

only alive but also successful,
2:58 - 3:01

thus it is of strategic importance.
3:01 - 3:04

Thus, the event to be controlled is such
3:04 - 3:06

a disruption, that the objective
3:06 - 3:09

of the control measure is to survive an
3:09 - 3:11

interruption of the information system
3:11 - 3:13

processing.
3:13 - 3:15

Throughout the planning process of
3:15 - 3:16

business continuity,
3:16 - 3:19

the overall plan of the organization
3:19 - 3:22

should be taken into consideration.
3:22 - 3:25

All its plans must be consistent with
3:25 - 3:27

and support the corporate business
3:27 - 3:28

continuity plan.
3:28 - 3:30

This means that, especially those
3:30 - 3:33

information processing systems,
3:33 - 3:35

must have them more elaborated and ready
3:35 - 3:38

to start reserve processing facilities
3:38 - 3:42

that support key operations.
3:43 - 3:47

Next, the purpose and main aspects of DRP.
3:47 - 3:50

The purpose of DRP is to enable a business
3:50 - 3:51

to continue
3:51 - 3:55

offering critical services in the event
3:55 - 3:56

of a disruption
3:56 - 3:58

and to survive even a disastrous
3:58 - 3:59

interruption of
3:59 - 4:03

its activities. Next is the main aspects
4:03 - 4:04

of BRP
4:04 - 4:07

that business continuity planning has to
4:07 - 4:09

take into consideration.
4:09 - 4:11

First, the market and strategic goals of
4:11 - 4:13

the corporation.
4:13 - 4:16

Second, the strategic business processes.
4:16 - 4:18

Third, those key operations that are most
4:18 - 4:20

necessary to the survival
4:20 - 4:23

of the organization and the human or
4:23 - 4:27

material resources supporting them.
4:27 - 4:29

In the business continuity plan, it
4:29 - 4:30

includes
4:30 - 4:33

the disaster recovery plan to recover a
4:33 - 4:34

facility rendered
4:34 - 4:37

inoperable, including relocating
4:37 - 4:38

operations
4:38 - 4:41

to a new location, and the restoration
4:41 - 4:44

plan that is used to return operations
4:44 - 4:47

to normal, whether in a restored or
4:47 - 4:50

new facility, which is only after
4:50 - 4:53

mitigating the effect of your disruption
4:53 - 4:55

by restarting the business applications
4:55 - 4:57

involved.
4:57 - 4:59

That's all for my part. I will pause for
4:59 - 5:00

the next presenter.
5:00 - 5:02

Thank you.
5:04 - 5:09

Assalamu Alaikum, my name is Nur Athirah Haziqah Binti Mohd Said
5:09 - 5:12

and my matric is number is 264828. And I will
5:12 - 5:14

continue to present the objective of
5:14 - 5:16

Disaster Recovery Planning.
5:16 - 5:19

So, the first objective is to minimize
5:19 - 5:21

interruptions to the normal operations.
5:21 - 5:23

Which means by having this disaster
5:23 - 5:24

recovery planning,
5:24 - 5:26

we can minimize any problems of
5:26 - 5:28

disruptions that might be happen
5:28 - 5:31

later on to the normal operations. The
5:31 - 5:33

second objective is to limit the extent
5:33 - 5:36

of disruptions and damage.
5:36 - 5:40

Why limit the extent of disruptions and
5:40 - 5:42

damage? Because by having this DRP,
5:42 - 5:44

we can ensure that the disruptions does
5:44 - 5:47

not spread to any unrelated things,
5:47 - 5:50

so we can limit it. The third objective
5:50 - 5:52

is to minimize the economic impact of
5:52 - 5:53

the interruption.
5:53 - 5:55

For example, as nowadays, during this
5:55 - 5:56

COVID-19 pandemic,
5:56 - 5:58

when a company has this disaster
5:58 - 6:00

recovery planning, so the company has a
6:00 - 6:02

backup plan on how the company will
6:02 - 6:04

operate normally as usual.
6:04 - 6:07

Maybe in terms of meeting, they can do an
6:07 - 6:08

online meeting
6:08 - 6:11

so it can minimize the
6:11 - 6:13

economic impact due to the interruptions.
6:13 - 6:15

This is because they can continue
6:15 - 6:17

operate the company as usual
6:17 - 6:18

and the economic growth will not be
6:18 - 6:21

affected. The fourth objective is to
6:21 - 6:23

establish alternative means of operation
6:23 - 6:24

in advance.
6:24 - 6:27

Which means by having this DRP, it can
6:27 - 6:29

provide a planning with effective medium
6:29 - 6:31

of solutions globally,
6:31 - 6:34

if anything happens later on. The fifth
6:34 - 6:34

one
6:34 - 6:36

is to train personnel with emergency
6:36 - 6:39

procedures. For example,
6:39 - 6:41

when cyberattacks suddenly happen. So
6:41 - 6:43

when a company is applying this DRP,
6:43 - 6:46

the personnel knows the action to be
6:46 - 6:48

taken after the cyberattacks happen.
6:48 - 6:51

It's something like early preparation.
6:51 - 6:52

The management also
6:52 - 6:54

should regularly train the employees
6:54 - 6:55

about how to prepare
6:55 - 6:57

for a data breach or to avoid a data
6:57 - 6:59

breach in the first place.
6:59 - 7:01

The last one is to provide for smooth
7:01 - 7:03

and rapid restoration of service.
7:03 - 7:05

So when having this disaster recovery
7:05 - 7:07

planning, it can provide a smooth and rapid
7:07 - 7:10

restoration because this DRP continues
7:10 - 7:13

offering critical services in the event
7:13 - 7:13

of the
7:13 - 7:16

disruptions and to survive
7:16 - 7:19

even early disastrous,
7:19 - 7:20

interruptions
7:20 - 7:23

to its activities. So the next one is
7:23 - 7:25

the components of disaster recovery
7:25 - 7:26

planning.
7:26 - 7:28

So the next one is the components of
7:28 - 7:31

disaster recovery planning. The first one
7:31 - 7:31

is to
7:31 - 7:34

create a disaster recovery team. This
7:34 - 7:36

team will be responsible for developing,
7:36 - 7:39

implementing, and maintaining the DRP. All
7:39 - 7:41

employees should be informed of and
7:41 - 7:42

understand the
7:42 - 7:44

Disaster Recovery Planning and their
7:44 - 7:46

responsibility
7:46 - 7:49

if any disaster occurs. When having
7:49 - 7:52

this DRP team, the management will refer
7:52 - 7:53

straight to this team
7:53 - 7:56

easily when any disaster occurs, as this
7:56 - 7:58

team will be responsible
7:58 - 8:01

to inform and give understanding to all
8:01 - 8:01

employees about
8:01 - 8:03

what action that should be taken when
8:03 - 8:04

any disasters
8:04 - 8:07

occurs. So the second one: identify and
8:07 - 8:09

access disaster risk.
8:09 - 8:11

The Disaster Recovery team should
8:11 - 8:12

identify and assess
8:12 - 8:16

the risks to organization. Also, assist the
8:16 - 8:17

team in identifying the recovery
8:17 - 8:19

strategies and resources
8:19 - 8:21

required to recover from disasters
8:21 - 8:24

within a predetermined and acceptable
8:24 - 8:25

timeframe.
8:25 - 8:27

Which means after the DRP team
8:27 - 8:29

identified a risk,
8:29 - 8:31

then they will provide a planning with
8:31 - 8:33

effective medium of solution
8:33 - 8:37

globally, if anything happen later on.
8:37 - 8:39

So the third one is determine critical
8:39 - 8:40

applications,
8:40 - 8:43

documents, and resources. The plan should
8:43 - 8:44

focus on
8:44 - 8:46

short-term survivability, such as
8:46 - 8:48

generating cash flows and revenues,
8:48 - 8:50

rather than on a long-term solution of
8:50 - 8:52

restoring the organization's
8:52 - 8:54

full functioning capacity. The
8:54 - 8:56

organization must recognize
8:56 - 8:58

some processes that should not be
8:58 - 9:00

delayed if possible, for example, like
9:00 - 9:01

processing of payroll.
9:01 - 9:03

In simple words, I can say that when they
9:03 - 9:05

want to build a DRP,
9:05 - 9:07

so it should focus on short-term
9:07 - 9:09

planning to ensure that the company
9:09 - 9:14

survive rather than planning a long-term,
9:14 - 9:17

long-term planning. All the
9:17 - 9:19

important documents must not be delayed,
9:19 - 9:21

such as the processing of payroll.
9:21 - 9:23

The fourth one is specify backup and
9:23 - 9:25

off-site storage procedures.
9:25 - 9:28

All critical equipment, applications, and
9:28 - 9:29

documents
9:29 - 9:31

should be backed up.
9:31 - 9:33

What needs to be backed up?
9:33 - 9:35

Such documents like the latest
9:35 - 9:36

financial statements,
9:36 - 9:39

tax returns, inventory records, customer
9:39 - 9:40

and vendor listings.
9:40 - 9:42

Critical supplies required for daily
9:42 - 9:44

operations like checks and also the
9:44 - 9:46

purchase orders.
9:46 - 9:48

All critical supplies and a copy of the
9:48 - 9:50

DRP should be stored at
9:50 - 9:53

an off-site location. Which means,
9:53 - 9:53

which
9:53 - 9:56

locate all the backup data away from the
9:56 - 10:00

client's main premises.
10:00 - 10:03

So the last one is to test and maintain the
10:03 - 10:04

DRP.
10:04 - 10:07

The organization routinely test the DRP
10:07 - 10:08

to evaluate
10:08 - 10:11

the procedures documented in the plan
10:11 - 10:14

for effectiveness and appropriateness.
10:14 - 10:15

The recovery team should regularly
10:15 - 10:17

update the DRP
10:17 - 10:19

to accommodate for changes in business,
10:19 - 10:20

processes,
10:20 - 10:23

technology, and evolving disaster risks. So
10:23 - 10:24

basically,
10:24 - 10:27

test of DRP is important to establish if
10:27 - 10:29

the recovery objectives are achievable.
10:29 - 10:33

Maybe to improve any recovery processes
10:33 - 10:34

and to familiarize,
10:34 - 10:37

start with the recovery processes. This
10:37 - 10:39

test will be explained more details by
10:39 - 10:41

the next presenter.
10:41 - 10:43

Assalamu Alaikum, and hi, everyone. My name
10:43 - 10:44

is Norzawana Binti Zaini,
10:44 - 10:47

matric number 259065. So, I will continue the
10:47 - 10:49

presentation regarding the disaster
10:49 - 10:52

recovery testing. Okay,
10:52 - 10:54

so the purpose of DRT, Disaster
10:54 - 10:56

Recovery Testing is to discover flaws in
10:56 - 10:58

your Disaster Recovery Plan,
10:58 - 10:59

so you can resolve them before they
10:59 - 11:01

impact your ability to restore
11:01 - 11:04

operations. In other words, Disaster
11:04 - 11:05

Recovery Testing
11:05 - 11:08

allows you to identify potential errors
11:08 - 11:09

and issues
11:09 - 11:12

and develop solutions, so that in a real
11:12 - 11:12

disaster
11:12 - 11:14

your business will be able to
11:14 - 11:18

reestablish critical operations.
11:18 - 11:21

Okay, there are about five types of
11:21 - 11:23

Disaster Recovery Testing,
11:23 - 11:25

including walkthrough test, cutover
11:25 - 11:26

test, paper test,
11:26 - 11:29

simulation, and parallel test. Let us
11:29 - 11:32

start with the first one: walkthrough
11:32 - 11:33

test.
11:33 - 11:36

In this test, several business and
11:36 - 11:37

technology experts
11:37 - 11:40

in the organization will gather to walkthrough
11:40 - 11:42

the DRP
11:42 - 11:45

to discuss each step in the DRP, so that
11:45 - 11:45

they can
11:45 - 11:48

identify issues and opportunities for
11:48 - 11:49

making the
11:49 - 11:52

DRP more accurate and complete.
11:52 - 11:55

Next, cutover test. A cutover test is
11:55 - 11:58

to test recovery systems built
11:58 - 12:00

to take over the full production
12:00 - 12:04

workload in case of disaster.
12:04 - 12:07

Primary systems are
12:07 - 12:11

disconnected during the test. Next, paper
12:11 - 12:12

test.
12:12 - 12:14

In a paper test, members of the DRT team
12:14 - 12:15

read
12:15 - 12:17

and testify recovery plan documents, such
12:17 - 12:18

as
12:18 - 12:21

DR policies, procedures, timelines,
12:21 - 12:24

benchmark, and checklist. A hard copy of
12:24 - 12:25

documents should
12:25 - 12:28

be stored in a secure offline
12:28 - 12:30

environment and a digital copy in the
12:30 - 12:31

cloud.
12:31 - 12:34

Simulation is a simulated disaster in
12:34 - 12:35

which teams
12:35 - 12:39

must go through their documented
12:39 - 12:41

recovery plans to identify whether
12:41 - 12:43

emergency response
12:43 - 12:46

plans adequate. Another idea is to
12:46 - 12:47

hold the simulation
12:47 - 12:50

on a day that is not
12:50 - 12:52

announced ahead of time, so that
12:52 - 12:53

respondents
12:53 - 12:57

possibly be less prepared to respond.
12:57 - 12:59

This is a very real simulation
12:59 - 13:00

because, in fact,
13:00 - 13:03

anyone do not know when the catastrophe
13:03 - 13:03

may
13:03 - 13:06

occur. This is very important actually
13:06 - 13:07

for the teams
13:07 - 13:10

to practice the DRP in real life to make
13:10 - 13:12

sure that it's sufficient for DRT,
13:12 - 13:14

disaster recovery like fire drill,
13:14 - 13:17

for example. Parallel test. In a parallel
13:17 - 13:19

test,
13:19 - 13:21

recovery systems are tested to
13:21 - 13:24

make sure that in case of disaster, they
13:24 - 13:25

can perform
13:25 - 13:28

real business transactions supporting
13:28 - 13:30

key processes and applications.
13:30 - 13:33

Meanwhile, primary systems continue to
13:33 - 13:34

run the
13:34 - 13:38

full production workload.
13:39 - 13:41

Okay, so next, why does a DRP require
13:41 - 13:42

testing?
13:42 - 13:45

The reason is because to exercise the
13:45 - 13:47

recovery processes and procedures.
13:47 - 13:50

Next, to familiarize staff with the
13:50 - 13:51

recovery process
13:51 - 13:54

and documentation. Verify the
13:54 - 13:56

effectiveness of the recovery
13:56 - 13:57

documentation.
13:57 - 14:00

Verify the effectiveness of the recovery
14:00 - 14:00

site.
14:00 - 14:02

Establish if the recovery objectives are
14:02 - 14:04

achievable.
14:04 - 14:06

Identify improvements required to the DR
14:06 - 14:07

strategy,
14:07 - 14:11

infrastructure, and recovery processes.
14:11 - 14:13

Hi, Assalamu Alaikum, my name is Nur Shahirah Binti
14:13 - 14:17

Mohd Shuhir. My matric number is 261056.
14:17 - 14:18

I will continue within its subtopics,
14:18 - 14:21

which are Recovery Time Objective,
14:21 - 14:24

RTO and Recovery Point Objective, RPO.
14:24 - 14:26

I will also explain the differences
14:26 - 14:28

between these two recovery objectives.
14:28 - 14:32

Now, let's start with RTO.
14:34 - 14:36

So, what is recovery time objective?
14:36 - 14:38

Recovery Time Objective,
14:38 - 14:40

RTO, is the duration of time and a
14:40 - 14:41

service level
14:41 - 14:44

within which a business process must be
14:44 - 14:44

restored
14:44 - 14:47

after a disaster in order to avoid any
14:47 - 14:49

unacceptable consequences
14:49 - 14:52

associated with a break in continuity. In
14:52 - 14:54

other words, the RTO is the answer to the
14:54 - 14:55

question:
14:55 - 14:57

How much time did it take to recover
14:57 - 15:00

after notification of business process
15:00 - 15:03

disruption? In addition, RTO designates
15:03 - 15:05

the variable amount of data that will be
15:05 - 15:06

lost
15:06 - 15:08

or will have to be re-entered during
15:08 - 15:09

network downtime.
15:09 - 15:12

RTO also designates the amount of "real time"
15:12 - 15:12

that
15:12 - 15:15

can pass before the disruption begins to
15:15 - 15:16

seriously and
15:16 - 15:19

unacceptably impede the flow of normal
15:19 - 15:20

business
15:20 - 15:22

operations.
15:24 - 15:27

For example, if RTO is 24 hours, it means
15:27 - 15:29

the organization determined that
15:29 - 15:31

the business can maintain operations for
15:31 - 15:33

that amount of time
15:33 - 15:35

without having its normal data and
15:35 - 15:37

infrastructure available.
15:37 - 15:39

So if the data and infrastructure are
15:39 - 15:41

not recovered within 24 hours,
15:41 - 15:43

the business could suffer irreparable
15:43 - 15:46

harm.
15:47 - 15:50

Now, let's move to the next recovery
15:50 - 15:50

objective.
15:50 - 15:53

The next recovery objective is Recovery
15:53 - 15:55

Point Objective
15:55 - 15:58

or RPO. I will discuss briefly about RPO
15:58 - 16:01

in the next slides.
16:03 - 16:06

What is RPO? RPO is a measurement of the
16:06 - 16:09

maximum tolerable amount of data to lose.
16:09 - 16:12

In other words, RPO measures how much
16:12 - 16:14

data you can afford to lose
16:14 - 16:17

as the result of a disaster. RPO can help
16:17 - 16:18

the organization to measure how much
16:18 - 16:19

time
16:19 - 16:21

can occur between last data backup and a
16:21 - 16:23

disaster without
16:23 - 16:25

causing serious damage to the business.
16:25 - 16:26

On top of that,
16:26 - 16:29

RPO is very useful for an organization
16:29 - 16:31

to determine how often to perform data
16:31 - 16:34

backups.
16:36 - 16:38

So most businesses back up data at fixed
16:38 - 16:40

intervals of time, such as
16:40 - 16:43

once every hour, once every day, or
16:43 - 16:44

infrequently as once every week.
16:44 - 16:48

Example of RPO is: If the last available
16:48 - 16:50

good copy of data upon an outage
16:50 - 16:54

is from 18 hours ago and the RPO for the
16:54 - 16:56

business is 20 hours
16:56 - 16:58

then the organization is still within
16:58 - 16:59

the parameters of the Business
16:59 - 17:01

Continuity Plan's
17:01 - 17:04

RPO. In other words, it answers the
17:04 - 17:04

question
17:04 - 17:06

of: Up to what point in time could a
17:06 - 17:07

business process
17:07 - 17:10

recovery proceed tolerably given the
17:10 - 17:11

volume
17:11 - 17:13

of data loss during the interval?
17:16 - 17:18

So Recovery Time Objective, RTO, and
17:18 - 17:20

Recovery Point Objective, RPO,
17:20 - 17:23

are two of the most important parameters
17:23 - 17:25

of a disaster recovery or data
17:25 - 17:26

protection plan.
17:26 - 17:29

These are objectives that can guide
17:29 - 17:31

enterprises to choose an optimal cloud
17:31 - 17:32

backup and disaster
17:32 - 17:35

recovery plan. The RPO or RTO along with
17:35 - 17:37

the business impact analysis
17:37 - 17:39

provides the basis for identifying and
17:39 - 17:41

analyzing viable strategies
17:41 - 17:43

for inclusion in the business continuity
17:43 - 17:46

plan. Viable strategy options include any
17:46 - 17:47

which
17:47 - 17:49

would enable resumption of a business
17:49 - 17:50

process
17:50 - 17:52

in a timeframe at or near the RPO or
17:52 - 17:53

RTO.
17:53 - 17:55

At first glance, these two terms appear
17:55 - 17:57

to be quite similar;
17:57 - 17:59

however, there are some differences
17:59 - 18:01

between these two recovery objectives.
18:01 - 18:03

Now, let's differentiate these two
18:03 - 18:06

recovery objectives in the next slide.
18:08 - 18:11

The first difference between RTO and RPO
18:11 - 18:11

is
18:11 - 18:14

RTO has a broader purpose, as it focuses
18:14 - 18:16

more on downtime
18:16 - 18:19

of services, applications, and processes.
18:19 - 18:22

This is because RTO sets the boundaries
18:22 - 18:23

for the whole business
18:23 - 18:26

continuity management while RPO focuses
18:26 - 18:27

solely on the issue of
18:27 - 18:30

backup frequency. Other than that RTO's
18:30 - 18:33

concerned with applications and systems.
18:33 - 18:35

The measurement includes data recovery
18:35 - 18:36

but primarily
18:36 - 18:38

describes time limitations on
18:38 - 18:40

application downtime.
18:40 - 18:42

On the other hand, RPO only is concerned
18:42 - 18:45

with the amount of data that is lost
18:45 - 18:48

following a failure event. Furthermore,
18:48 - 18:50

RTO looks forward in time where it
18:50 - 18:52

focuses on the amount of time the
18:52 - 18:53

organization need
18:53 - 18:56

in order to resume the operations while
18:56 - 18:57

RPO
18:57 - 19:00

looks back in time where it focuses on
19:00 - 19:02

the amount of time or data that the
19:02 - 19:05

organization are willing to lose. That's
19:05 - 19:07

all from me. I will pass to the next
19:07 - 19:09

presenter.
19:09 - 19:11

Okay, next I'm going to explain on the
19:11 - 19:13

types of disaster recovery plan.
19:13 - 19:15

There are a variety of disaster recovery
19:15 - 19:17

plans actually
19:17 - 19:19

but I'm going to focus on the two types
19:19 - 19:20

while the other types
19:20 - 19:22

will be covered by my other teammates
19:22 - 19:24

later and the DR recovery plan.
19:24 - 19:26

Okay, the first type that I'm going to
19:26 - 19:29

cover is called Virtualization Disaster
19:29 - 19:30

Recovery.
19:30 - 19:32

It is actually a way to decrease the
19:32 - 19:33

amount of time
19:33 - 19:36

or reduce the time needed to perform a
19:36 - 19:36

full
19:36 - 19:39

restoration after they have been hit by
19:39 - 19:41

a disaster.
19:41 - 19:44

So, what does it mean by virtualization?
19:44 - 19:47

Virtualization, by definition, it is the
19:47 - 19:48

process
19:48 - 19:50

of creating a virtual version of a
19:50 - 19:51

system,
19:51 - 19:53

or a software, or even an entire working
19:53 - 19:55

environment rather than creating a
19:55 - 19:57

physical
19:57 - 20:00

replica. It can eliminate the need to
20:00 - 20:01

recreate a physical server when
20:01 - 20:03

something goes wrong.
20:03 - 20:06

How? By creating a multiple simulated
20:06 - 20:07

environments
20:07 - 20:09

or dedicated resources using a single
20:09 - 20:11

hardware system.
20:11 - 20:14

It also helps you split a single system
20:14 - 20:16

into multiple distinct environments
20:16 - 20:18

called virtual machines.
20:18 - 20:22

The physical system on which the various
20:22 - 20:25

virtual machines are created is
20:25 - 20:26

called the host
20:26 - 20:30

and the virtual machines are called guest.
20:30 - 20:34

Okay, next is Network Disaster Recovery.
20:34 - 20:36

A Network Disaster Recovery plan is a
20:36 - 20:39

set of policies and procedures that
20:39 - 20:42

ensure a network is reinstated to
20:42 - 20:44

its normal working operations after it
20:44 - 20:45

goes offline
20:45 - 20:48

or is disrupted after a
20:48 - 20:50

disastrous event.
20:50 - 20:54

It is a type of disaster recovery plan
20:54 - 20:56

that is specifically designed for
20:56 - 20:57

Internet
20:57 - 20:59

and external network infrastructure of
20:59 - 21:01

an organization.
21:01 - 21:04

Network Disaster Recovery plan generally
21:04 - 21:05

requires
21:05 - 21:07

listing this tab which should be
21:07 - 21:09

undertaken in order to restock network
21:09 - 21:10

connectivity,
21:10 - 21:13

identifying people responsible for
21:13 - 21:16

conducting natural disaster recovery,
21:16 - 21:18

assessing possible consequences of a
21:18 - 21:19

natural failure,
21:19 - 21:21

last, but not least, determining the best
21:21 - 21:24

strategies to mitigate them.
21:24 - 21:26

The main purpose of Network Disaster
21:26 - 21:28

Recovery is to ensure that
21:28 - 21:30

business services can be delivered to
21:30 - 21:31

customers
21:31 - 21:33

despite a disruption in network
21:33 - 21:34

connectivity.
21:34 - 21:37

However, disasters come in different
21:37 - 21:38

forms and sizes
21:38 - 21:42

which makes it hard
21:42 - 21:44

to predict what their impact would be,
21:44 - 21:46

which network
21:46 - 21:49

components would be affected, and how
21:49 - 21:50

many resources
21:50 - 21:52

would be required to restore network
21:52 - 21:54

connectivity.
21:54 - 21:57

Therefore, the best strategy for ensuring
21:57 - 21:58

a successful
21:58 - 22:00

natural disaster recovery is by
22:00 - 22:03

preparing for the worst case scenarios
22:03 - 22:05

in advance and finding the ways to
22:05 - 22:08

mitigate their impact.
22:08 - 22:12

Possible causes of nature failures,
22:12 - 22:16

include human errors
22:16 - 22:19

and network attacks. Human errors, we can
22:19 - 22:19

say that
22:19 - 22:22

sometimes network connectivity problems
22:22 - 22:26

might be the result of mistakes made by
22:26 - 22:29

employees when working with network
22:29 - 22:30

equipment
22:30 - 22:32

or manually configuring network
22:32 - 22:35

components without an adequate grasp
22:35 - 22:38

of knowledge while natural attacks
22:38 - 22:40

is a network services that can get
22:40 - 22:41

disrupted
22:41 - 22:44

after a cyberattack whose aim is to
22:44 - 22:46

prevent the organization
22:46 - 22:48

to deliver its services by forcing it to
22:48 - 22:50

shut down.
22:50 - 22:52

The next one is IT Disaster Recovery
22:52 - 22:53

Plan.
22:53 - 22:56

So, the next one is IT Disaster Recovery
22:56 - 22:57

Plan.
22:57 - 22:58

An information technology disaster
22:58 - 23:00

recovery plan should be developed in
23:00 - 23:02

conjunction with the business continuity
23:02 - 23:03

plan.
23:03 - 23:06

Business continuity plan is a process a
23:06 - 23:09

company undergoes to create a prevention
23:09 - 23:11

and recovery system from potential
23:11 - 23:13

threats, such as natural disasters or
23:13 - 23:14

cyberattacks.
23:14 - 23:17

BCP is designed to protect personnel and
23:17 - 23:18

assets
23:18 - 23:22

and make sure that they function quickly
23:22 - 23:24

when disaster occurs. Priorities and
23:24 - 23:26

recovery time objectives
23:26 - 23:28

for information technology should be
23:28 - 23:30

developed during the business impact
23:30 - 23:31

analysis.
23:31 - 23:34

Which means the company must know the
23:34 - 23:35

reason
23:35 - 23:38

why they want to develop the disaster
23:38 - 23:39

recovery plan.
23:39 - 23:42

Technology recovery strategies should be
23:42 - 23:44

developed to restore hardware,
23:44 - 23:46

applications, and data in time to meet
23:46 - 23:47

the needs
23:47 - 23:49

of the business recovery. In simple
23:49 - 23:50

words,
23:50 - 23:52

the management must provide a planning
23:52 - 23:55

with effective strategies or solutions
23:55 - 23:58

globally, if anything happen later on to
23:58 - 23:59

ensure that the company can
23:59 - 24:03

run smoothly as normal.
24:03 - 24:05

So, the next part is the information
24:05 - 24:07

technology recovery strategies.
24:07 - 24:10

Basically, these strategies should be
24:10 - 24:12

developed for IT systems,
24:12 - 24:15

applications, and data. IT resources
24:15 - 24:17

required to support time-sensitive
24:17 - 24:19

business functions
24:19 - 24:23

and processes should also be identified.
24:23 - 24:25

The recovery time for an IT resource
24:25 - 24:27

should match the recovery time
24:27 - 24:30

objective for the business functions or
24:30 - 24:31

process
24:31 - 24:36

that depends on the IT resource.
24:36 - 24:38

The next one is components. What
24:38 - 24:40

components related to this IT of
24:40 - 24:42

disaster recovery planning?
24:42 - 24:44

The first one is computer room
24:44 - 24:45

environment, which is
24:45 - 24:47

secured computer room with climate
24:47 - 24:49

control. If I'm not mistaken,
24:49 - 24:52

climate control is a temperature control
24:52 - 24:54

which fitted the computer room
24:54 - 24:55

environment.
24:55 - 24:57

Maybe the temperature is not too low and
24:57 - 24:59

not too high.
24:59 - 25:01

The second one is hardware. For example,
25:01 - 25:02

like networks,
25:02 - 25:05

servers, desktops, laptop, computers, and
25:05 - 25:07

also the wireless devices.
25:07 - 25:09

The third one is connectivity to a
25:09 - 25:12

service provider for example like fiber,
25:12 - 25:15

cable, wireless, and etc. The first one is
25:15 - 25:17

software applications, for example, like
25:17 - 25:20

electronic data, interchange electronic
25:20 - 25:21

mail,
25:21 - 25:24

enterprise resource management, and also
25:24 - 25:26

office productivity.
25:26 - 25:28

The next one is data and restorations.
25:28 - 25:30

Data restore is the process of
25:30 - 25:33

copying backup data from secondary
25:33 - 25:34

storage
25:34 - 25:38

and restoring it to its original
25:38 - 25:41

locations or new locations. So, the next
25:41 - 25:43

part is developing an IT disaster
25:43 - 25:45

recovery plan.
25:45 - 25:47

The first one is compiling an inventory
25:47 - 25:48

of hardware,
25:48 - 25:51

software applications, and data which is
25:51 - 25:54

gathering the hardware like laptop or PC,
25:54 - 25:56

which comes with wifi connectivity and
25:56 - 25:57

also
25:57 - 26:00

software needed, like, maybe cloud or any
26:00 - 26:02

other important software needed.
26:02 - 26:04

The second one is ensure that all
26:04 - 26:06

critical information
26:06 - 26:09

is being backed up. Critical information is
26:09 - 26:10

something like
26:10 - 26:13

latest financial statements, tax returns,
26:13 - 26:14

inventory records,
26:14 - 26:16

customer and vendor listings, and also
26:16 - 26:18

critical supplies that required for
26:18 - 26:20

daily operations like
26:20 - 26:22

checks and purchase orders is being
26:22 - 26:24

made up by using this
26:24 - 26:26

IT disaster recovery plan.
26:28 - 26:30

The third one is identify critical
26:30 - 26:32

software applications and data
26:32 - 26:34

and the hardware required to run them.
26:34 - 26:37

Maybe in terms of software, like
26:37 - 26:39

maybe in terms of software needed like
26:39 - 26:40

electronic mail network,
26:40 - 26:43

servers, or maybe like wifi to ensure
26:43 - 26:45

that it has connectivity to a service
26:45 - 26:46

provider.
26:47 - 26:49

The fourth one is using standardized
26:49 - 26:52

hardware that will help to replicate and
26:52 - 26:52

reimage
26:52 - 26:56

new hardware. The next one is to ensure that
26:56 - 26:58

copies of program software are available
26:58 - 26:59

to enable
26:59 - 27:02

re-installation on replacement
27:02 - 27:04

equipment.
27:04 - 27:06

The next one is to document the IT disaster
27:06 - 27:07

recovery plan
27:07 - 27:10

as part of the business continuity plan.
27:10 - 27:11

Because
27:11 - 27:13

business continuity requires a
27:13 - 27:14

company
27:14 - 27:17

to keep operations functional during the
27:17 - 27:18

event
27:18 - 27:22

and immediately after and immediately
27:22 - 27:23

after.
27:23 - 27:25

While disaster recovery focuses on how
27:25 - 27:26

you respond
27:26 - 27:29

after the event has completed and how a
27:29 - 27:30

company
27:30 - 27:33

would return to normal operation.
27:33 - 27:35

The next one is to test the plan
27:35 - 27:38

periodically to make sure that it works.
27:38 - 27:41

This test is also to ensure that it works
27:41 - 27:44

and to identify improvements required
27:44 - 27:48

to the IT DRP strategy infrastructure and
27:48 - 27:51

recovery processes. Okay, last but not
27:51 - 27:53

least, we're going to talk about audit
27:53 - 27:54

program for the DRP.
27:54 - 27:57

The objective is to evaluate documented
27:57 - 27:59

processes and procedures
27:59 - 28:02

for IS' Disaster Preparedness
28:02 - 28:03

compliance
28:03 - 28:05

and to ensure the continuance of key
28:05 - 28:07

business functions in the event of a
28:07 - 28:09

disruption.
28:09 - 28:11

The scope of this audit included: To
28:11 - 28:13

ascertain the existence and
28:13 - 28:16

effectiveness of the current IS disaster
28:16 - 28:16

recovery
28:16 - 28:18

plan and its alignment with the
28:18 - 28:21

enterprise business continuity plan,
28:21 - 28:24

policies, and procedures. Next, to evaluate
28:24 - 28:26

IS function's preparedness in the event
28:26 - 28:28

of a process disruption.
28:28 - 28:29

Last, but not least, to determine
28:29 - 28:32

compliance with applicable federal laws
28:32 - 28:34

and regulations.
28:36 - 28:38

There are many audit programs for the DRP
28:38 - 28:39

actually but
28:39 - 28:42

I only listed about five audit programs,
28:42 - 28:43

including audit
28:43 - 28:45

and validate the adequacy of the back up
28:45 - 28:46

data.
28:46 - 28:47

Well, actually it does not matter how
28:47 - 28:51

good your disaster recovery plan
28:51 - 28:54

is if your data is out of date and is in a
28:54 - 28:55

location
28:55 - 28:57

also affected by the disaster or has
28:57 - 28:59

become corrupted.
28:59 - 29:01

Next, audit and validate the testing of
29:01 - 29:03

the Disaster Recovery Plan.
29:03 - 29:05

Companies need to make sure the recovery
29:05 - 29:06

plan actually works
29:06 - 29:10

in an emergency, regularly conduct data
29:10 - 29:11

fight drills to test
29:11 - 29:14

every possible scenario from basic power
29:14 - 29:14

failures
29:14 - 29:17

to catastrophic events that could result
29:17 - 29:20

in multiple months of devastation.
29:20 - 29:23

Next, audit and validate passwords are
29:23 - 29:24

available to the Disaster
29:24 - 29:28

Recovery Plan Team. Password protection
29:28 - 29:30

is a key goal for data security.
29:30 - 29:32

Companies need to store
29:32 - 29:34

system passwords in at least two
29:34 - 29:35

geographically separate
29:35 - 29:38

secure locations. Make sure that more
29:38 - 29:39

than IT
29:39 - 29:41

staff, more than one IT staff person
29:41 - 29:44

has access to all password code.
29:44 - 29:46

Change this password promptly if a key
29:46 - 29:48

person leaves the company.
29:48 - 29:51

Next, audit and validate the Disaster
29:51 - 29:53

Recovery Plan is up to date.
29:53 - 29:56

Once a plan is created, it
29:56 - 29:57

needs to be
29:57 - 30:01

revised at least
30:01 - 30:04

on a quarterly basis. Last, but not least,
30:04 - 30:06

audit and validate there is physical
30:06 - 30:08

documentation of the Disaster
30:08 - 30:11

Recovery Plan. After creating a plan,
30:11 - 30:13

ensure that every process is well
30:13 - 30:14

documented,
30:14 - 30:16

describe the location of all system
30:16 - 30:17

resources needed to accomplish the
30:17 - 30:18

recovery,
30:18 - 30:21

store the documentation at multiple
30:21 - 30:22

locations,
30:22 - 30:25

paper and electronic, and verify that all
30:25 - 30:27

key personnel have easy access to the
30:27 - 30:29

manuals.
30:29 - 30:34

So, that's all from us. Thank you.

Title:: 6.5 Disaster recovery and business continuity planning and auditing
Description:: more » « less
Video Language:: English
Duration:: 30:32

	OEVIDEOS edited English subtitles for 6.5 Disaster recovery and business continuity planning and auditing
	OEVIDEOS edited English subtitles for 6.5 Disaster recovery and business continuity planning and auditing
	OEVIDEOS edited English subtitles for 6.5 Disaster recovery and business continuity planning and auditing
	OEVIDEOS edited English subtitles for 6.5 Disaster recovery and business continuity planning and auditing

English subtitles

Revisions Compare revisions

Revision 4 Edited

OEVIDEOS
Revision 3 Edited

OEVIDEOS
Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	4	OEVIDEOS
	3	OEVIDEOS
	2	OEVIDEOS
	1	OEVIDEOS

6.5 Disaster recovery and business continuity planning and auditing

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)