System Availability
Availability: being able to perform a business function/objective that is critical to business success, including system availability (business data is accessible and IT systems are operating normally) and availability of an organization's human capital and personnel, who must be ready and able to perform normal operations.
Even a minor availability failure could result in loss.
System availability risk: a critical risk that could cause loss.
Risk and corresponding threats:
•failure of IT: caused by outdated technology or lack of maintenance, malware, physical, political or individual threats, or insufficient resources (technology or people).
Business Resiliency (the umbrella): integration of system availability controls, disaster recovery plans, business continuity plans, and crisis management plans into a central set of procedures to consider whether a business can continue to operate normally or return to operation.
Lack of resiliency:
•lost data, slower recovery or no recovery
Mitigation:
•mirroring: copying data to a different machine.
•replication: copy and transfer data onto different sites like the cloud.
•Metrics for system availability, which focus attention: metrics agreed with the hired party (e.g., a service provider) such as
"agreed service time"
"down time specified in service level agreement", which is how much time it should be up and how long it can be down.
"maximum tolerable downtime" (MTD), which is how long it can be down without long-term damage.
"recovery point objective" (RPO), which is the maximum threshold for data lost, dollars lost, or time inoperable
"recovery time objective" (RTO), the max amount of time it should take to restore business operations to a target state following the system failure
"mean time to repair" (MTTR), the average of how long it takes to fix it.
"recovery time actual" (RTA), how long the restore actually took
"recovery point actual" (RPA), how far back we actually got, i.e., getting back to where we were
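A worked example of these metrics, added here and not part of the original notes: given a constructed outage timeline (last good backup, failure time, restore time) it computes RPA and RTA, checks them against assumed RPO/RTO/MTD values, computes availability from agreed service time and downtime, and MTTR from a list of repair durations. All timestamps and thresholds are assumed values chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed outage timeline (assumed values, not from the notes).
LAST_GOOD_BACKUP = datetime(2024, 3, 10, 22, 0)   # last restorable copy of the data
FAILURE_TIME = datetime(2024, 3, 11, 9, 30)        # system goes down
RESTORED_TIME = datetime(2024, 3, 11, 14, 0)       # operations back to target state

# Objectives as they might be written into the SLA / BIA (assumed values).
RPO = timedelta(hours=4)    # maximum tolerable data loss window
RTO = timedelta(hours=6)    # maximum time to restore operations
MTD = timedelta(hours=24)   # beyond this, long-term damage


def recovery_point_actual(last_backup, failure):
    """RPA: the data actually lost, measured as the time between the last
    restorable copy and the failure."""
    return failure - last_backup


def recovery_time_actual(failure, restored):
    """RTA: how long operations were actually down."""
    return restored - failure


def availability_pct(agreed_service_time, downtime):
    """Availability as a percentage of the agreed service window.
    timedelta / timedelta yields a float in Python 3."""
    return 100.0 * ((agreed_service_time - downtime) / agreed_service_time)


def mean_time_to_repair(repair_durations):
    """MTTR: average of the individual repair durations."""
    total = sum(repair_durations, timedelta(0))
    return total / len(repair_durations)


def evaluate(last_backup, failure, restored, rpo=RPO, rto=RTO, mtd=MTD):
    """Compare the actual recovery against the objectives."""
    rpa = recovery_point_actual(last_backup, failure)
    rta = recovery_time_actual(failure, restored)
    return {
        "rpa_hours": rpa.total_seconds() / 3600,
        "rta_hours": rta.total_seconds() / 3600,
        "rpo_met": rpa <= rpo,      # data loss within the objective?
        "rto_met": rta <= rto,      # restored fast enough?
        "within_mtd": rta <= mtd,   # avoided long-term damage?
    }


if __name__ == "__main__":
    result = evaluate(LAST_GOOD_BACKUP, FAILURE_TIME, RESTORED_TIME)
    print(result)
    # Availability over a 30-day agreed service window with this one outage.
    print("availability %:", availability_pct(timedelta(days=30), timedelta(hours=4.5)))
    # Constructed repair history for MTTR.
    print("MTTR:", mean_time_to_repair([timedelta(hours=4.5), timedelta(hours=2), timedelta(hours=5.5)]))
```

In the constructed case the RTO is met (4.5 h down against a 6 h objective) but the RPO is missed (11.5 h of data lost against a 4 h objective), which is the kind of gap a BIA review would flag: backups were too infrequent even though the restore itself was fast.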
An org must identify necessary operations and existing threats in order to design business resiliency.
Identifying and assessing risk is a key component of business resiliency. It can be done by performing a Business Impact Analysis (BIA). The BIA will identify the business units, departments, and processes that are essential to the survival of an entity, as well as the organizational impact of a failure: high, medium, or low impact.
Helps identify: how quickly recovery must occur and the resources required.
Steps:
•Agree on the necessary approach to the BIA and outline it, along with the timeframe and definitions
•Identify critical processes and the IT resources required to perform them, which will show the most vulnerable places. Usually done by inquiry.
•Define the disruption impact, both quantitative and qualitative
•Estimate the losses
•Establish recovery priorities
•Create the BIA report
•Implement and evaluate
Terms:
Annualized Rate of Occurrence (ARO) is the expected frequency of occurrence in a year
Exposure Factor (EF) is the damage in terms of dollars, expressed as a percentage of an asset's value
Single loss expectancy (SLE) is the cost of an individual loss (SLE = damage likelihood * average cost of asset)
Annualized loss expectancy (ALE) is the cost of a specific loss in a given year (ALE = SLE * ARO)
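A worked example, added here and not part of the original notes, that carries the BIA steps above (estimate the losses, establish recovery priorities) through these terms: for a constructed list of business processes it computes SLE as asset value times exposure factor, ALE as SLE times ARO, assigns an impact tier and ranks recovery priority by ALE. The process names, dollar values, exposure factors, AROs and the tier thresholds are all assumed values.

```python
# Constructed inventory of business processes (assumed values, not from the notes):
# name, asset value in dollars, exposure factor (fraction of value lost per event),
# annualized rate of occurrence (events per year).
PROCESSES = [
    ("Order processing", 2_000_000, 0.40, 0.5),
    ("Payroll",            500_000, 0.25, 1.0),
    ("Internal wiki",       50_000, 0.10, 2.0),
]


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: dollar cost of one loss event = asset value * EF."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE: expected yearly cost = SLE * ARO."""
    return sle * aro


def impact_tier(ale, high=200_000, medium=50_000):
    """Map ALE to the BIA's high / medium / low impact labels.
    The dollar thresholds are assumed, not from the notes."""
    if ale >= high:
        return "high"
    if ale >= medium:
        return "medium"
    return "low"


def bia_report(processes):
    """Estimate losses for each process and establish recovery priorities
    (priority 1 = largest annualized loss)."""
    rows = []
    for name, value, ef, aro in processes:
        sle = single_loss_expectancy(value, ef)
        ale = annualized_loss_expectancy(sle, aro)
        rows.append({"process": name, "sle": sle, "ale": ale, "impact": impact_tier(ale)})
    rows.sort(key=lambda r: r["ale"], reverse=True)
    for priority, row in enumerate(rows, start=1):
        row["priority"] = priority
    return rows


if __name__ == "__main__":
    for row in bia_report(PROCESSES):
        print(f"{row['priority']}. {row['process']:<18} SLE=${row['sle']:>10,.0f} "
              f"ALE=${row['ale']:>10,.0f} impact={row['impact']}")
```

Note that a process with a high single-event cost but a low ARO can rank below a cheaper, more frequent loss; the ALE ranking is what the recovery-priority step in the BIA should be based on, not SLE alone.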
Disaster Recovery (the IT side): a component of business resiliency. Consists of an entity's plan for restoring and continuing its IT function in the event of the destruction of programs, data files, and computer processing capacity (dire circumstances that cannot be fixed quickly).
Steps to disaster recovery:
•Assess the risk.
•Identify mission-critical application and data.
•Develop a plan for handling the mission-critical application.
•Determine the responsibility of the personnel involved in disaster recovery plans.
•Test the disaster recovery plan.
Can move to an alternative processing facility:
•Cold site: off-site location that has all the electrical connections and physical requirements but no actual equipment. May take 3 days; the slowest and cheapest, with low-quality equipment.
•Hot site: has everything we need already. About an hour; fast, expensive.
•Warm site: middle ground. About one day.
Business continuity plan (non-IT): more comprehensive than a disaster recovery plan and contains contingency and mitigation procedures around all business processes.
Steps to a business continuity plan:
•Identify the org's key business processes
•Identify the risks that exist in key business processes
•Determine the acceptable downtime for key business processes
•Implement mitigation and contingency plans to address risks and downtimes.
SOC 2 service auditor may look at plan and judge if the business continuity plan is updated and reasonable or lacking.
Crisis Management Plan (large-scale events): for an unexpected, large-scale incident that can cause major negative effects on an organization and its stakeholders. Policies are vital in stressful situations to avoid adverse effects.
Goals:
•lessens the impact
•protect the people and the org's reputation
•return to normal operations as soon as possible
The draft should cover:
•a risk assessment of potential crises and how to respond
•how the steps are managed and how employees put the plan into operation
•a crisis response command center, where directions come from
•the roles and responsibilities that exist during the crisis
•how communication is maintained
•how employees are trained
Controls to address System availability
System availability controls: activities that prevent system disruptions and loss of information and provide continued operation or quick recovery.
Physical controls:
•physical access controls
•Fire alarms and sprinklers
•housing
IT infrastructure controls:
•anti-malware software and patch management to fix vulnerabilities
•periodic review of IT to ensure it is up to date
•Network security controls
•Access and authorization logical controls
Uninterruptible power supply (UPS)
Redundancy: allows an easy switch from a failed unit to one in operation; also backup data and data storage.
•Redundant array of independent disks (RAID) allows the org to record data on multiple disk drives at one time
System backup:
•Full: an exact copy; time-consuming to make but the fastest to restore
•Incremental: copies only what changed since the most recent backup of any kind. Fast to make, but restoration is more complicated (the full plus every incremental since it)
•Differential (hybrid): backs up all changes since the last full backup (restore = the full plus the latest differential).
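A worked example of the three backup strategies, added here and not part of the original notes: over a constructed week of file changes it shows what each strategy writes to the backup media on each day and which backup sets must be read back to restore to a given day. The file names and change schedule are assumed data, and the example generalizes the notes' single descriptions into a comparison of backup-time cost versus restore complexity.

```python
# Constructed week of file changes (assumed data, not from the notes).
# Day 0 is the full backup; each later day lists the files modified that day.
CHANGES = {
    0: {"a.db", "b.doc", "c.log", "d.cfg"},   # everything that exists at the full backup
    1: {"c.log"},
    2: {"a.db", "c.log"},
    3: {"b.doc"},
    4: {"c.log"},
}


def backup_contents(strategy, day, changes):
    """Files written to the backup media on `day` under the given strategy."""
    if day == 0 or strategy == "full":
        # Full: every file that exists as of that day (the full copy, time-consuming).
        return set().union(*(changes[d] for d in range(day + 1)))
    if strategy == "incremental":
        # Incremental: only what changed since the most recent backup (yesterday's).
        return set(changes[day])
    if strategy == "differential":
        # Differential: everything changed since the last full backup.
        return set().union(*(changes[d] for d in range(1, day + 1)))
    raise ValueError(f"unknown strategy: {strategy}")


def restore_chain(strategy, day):
    """Backup sets that must be read, in order, to restore to the end of `day`."""
    if strategy == "full":
        return [day]                          # one set: fastest restore
    if strategy == "incremental":
        return list(range(0, day + 1))        # full + every incremental after it
    if strategy == "differential":
        return [0, day] if day > 0 else [0]   # full + the latest differential only
    raise ValueError(f"unknown strategy: {strategy}")


def media_written(strategy, changes):
    """Total file copies written over the week: the backup-time cost."""
    return sum(len(backup_contents(strategy, d, changes)) for d in changes)


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        print(f"{strategy:<12} copies written={media_written(strategy, CHANGES):>2} "
              f"restore-to-day-4 reads sets {restore_chain(strategy, 4)}")
```

The trade-off the notes describe falls out of the numbers: the full strategy writes the most but restores from one set; incremental writes the least but a restore must replay every set back to the full; differential sits in between, with restore never needing more than two sets.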
Possible deficiencies in control design (SOC 2):
Consider:
•infrastructure capacity and monitoring: look at the monitoring metrics and how they monitor
•backups and recovery: look at the disaster recovery and business continuity plans and when they were last tested
a deficiency would be if a plan wasn't there or wasn't tested
•testing of recovery plans
