Center for Strategic Assessment and forecasts

Autonomous non-profit organization

Home / Defence and security / / Articles
If trouble came...
Material posted: -Publication date: 23-06-2003

The last few years have witnessed a dynamic restructuring of the perception of the world not only of specialists working in the field of information technology, but also thousands of ordinary users of these same information technologies.

Because emergencies of different nature have become almost the norm today, then, accordingly, there is a need to formalize the activities of the staff of information and telecommunication systems in terms of such situations. Complete regulatory documents there was a document – "a plan to restore the functioning of the system in emergency situations". What it represents? How to develop it? What information needs to be reflected in it? The answers to these and other questions we have tried to give the article.

General provisions

One of the most complete and logical of samples of a similar document was developed by the National Institute of standards (NIST) in 2001 (

A plan to restore the functioning of the system (the Plan) establishes a list and sequence of procedures required to restore normal functioning of the system after the occurrence of extraordinary circumstances that caused the failure in the availability of resources of the system as a result of failure of separate elements of system, physical destruction of the premises, fire, flood, terrorist attacks, etc.

The main objective of the implementation Plan is to ensure a quick and full recovery sustainable functioning information systems.

This goal is achieved by the following tasks:

determining the order of actions, procedures and resources necessary to restore functioning of the system or ensure its sustainable operation in the backup option of placing technical resources and personnel;

the definition of full-time staff and the main responsibilities of the staff of the operational staff and emergency groups from among employees of the Bank for the implementation of the recovery Plan, as well as to the organization of effective interaction between emergency and manage groups for the entire time of the activity recovery Plan;

determination of the order of interaction and coordination of actions of the operational headquarters for the implementation of the Plan with other organizations and agencies (firefighters, nurses, police, rescuers, etc.) that might be involved in elimination of consequences of emergency events that caused a disruption of the normal functioning of the system.

For example, the NIST experts all activities to implement the Plan are divided into three stages:

phase the notification/activation
Main tasks solved at this stage, the timely identification of the onset of emergency conditions, detection of deposited seven and a decision on whether or not to activate the recovery Plan of the system;

the recovery phase. Main objectives – the restoration of the functioning of the system on a temporary basis (with the use of reserve funds and facilities), execution of works for full system recovery in the amount of ordinary conditions;

the stage of reconstruction of system/deactivation of the Plan. Main tasks – the full restoration of normal operation of the system and the deactivation of the recovery Plan, a return to normal functioning.

According to the study of McKinseyQuarterly, over the past year in the United States significantly increased the number of computer attacks on corporate IT systems. The study McKinseyQuarterly reported that the number of computer attacks (hacking, viruses, worms, unscrupulous employees, etc.) increased by 150% in comparison with 2000, amounting to a total of 53,000 cases of hacking of information security systems of companies.

This increase occurred primarily because of the attitude to IT security as a purely technological field. This means that many organizational and strategic decisions in companies are simply neglected.


The principles of recovery planning

The feasibility of the Plan is based on two assumptions:

normal system operation is impaired by the occurrence of some extraordinary event, or chain of such events. As a result, the system is not able to exercise its functions to the extent required for quality customer service;

there is a prepared room, which serves as a reserve center host hardware system. The personnel system generates the necessary computing environment based on the technical means of the backup center to restore the functioning of the system backup option placement during the period of the recovery Plan. In addition, a fallback host is used for the duration of time required to restore functioning of the system is still (or new) location.

Assumptions in developing the Plan

When developing a recovery Plan, as a rule, apply the following main assumptions and assumptions:

the system is unusable, taking into account the specifics of implementation and of the technology of the system hardware can be restored at the previous place of posting no earlier than 12 hours;

pre-identified key staff who are aware of the emergency and their responsibilities in the process of recovery of the system;

control systems, emergency warning and elimination of consequences (fire protection systems, gas contamination monitoring, leakage monitoring of water supply and heating etc.) are in good condition and are healthy.

all items 30 minutes from the time of failure of the main power system. In the following all elements of the system connected to a diesel generator, secured a three-day supply of fuel;

hardware and software located at the Central office is not available in the emergency more than 12 hours;

current backups of the application software and data is not damaged and is available at the reserve office.

necessary recovery equipment available in the reserve office;

contracts for maintenance of hardware, updating of software and services to communication providers include provisions necessary for the implementation of the recovery plan of operation of the system.

The target of hacker attacks is usually the theft of commercial information and financial fraud, but in Moscow, according to polls of experts, these positions make up only 3% and 6% of the total number of hacker attacks. Experts Ernst & Young believe that the magnitude of problems is much more substantial, while a low percentage is explained by the fact that the modern hacker skillfully hide the traces. In Moscow alone, the damage from electronic fraud is estimated Metropolitan law enforcement agencies in the 12 - 15 million dollars a month.


Basic requirements for politics organizations

Effective implementation of the Plan requires consideration of major issues in planning policy development of the organization.

First of all, the organization needs to develop their ability to restore normal functioning of the information system in case of unavailability for a period of not more than 12 hours. When neither a hardware and software system located in the Central office of the organization, more than 6 hours shall be provided the back office with the appropriate infrastructure and resources to restore normal functioning of the system backup option.

All procedures necessary for the implementation of the Plan should be set out in the relevant guidelines in the structural units of the organization involved to implement the Plan. Documents should be reviewed at least once a year and modified as needed.

The personnel responsible for the system must be trained to perform the procedures the recovery Plan.
All provisions of the Plan and the practical ability of the staff to implement it in terms of restoration of functioning of the system should be tested during drills and exercises at least once a year.

The organization works to restore the functioning of the system

The main coordinating and managing body for the implementation of the recovery Plan operation of the system is the operational headquarters.

Directs the activities of staff of the coordinator for reconstruction. This position is appointed by the head of the organization or his Deputy.

The staff usually razmeshati members of staff with heads of departments, heads of emergency response organizations and agencies are involved for liquidation of consequences of emergency situations.

The composition of the operational headquarters, according to the NIST recommendations include:

- chiefs of structural divisions of the organization;
- head of Department of information security;
- operations duty officer (Secretary).

All members of staff supplied with means of mobile or pager. List of phone numbers of members of staff, executives, emergency response and rescue services, municipal emergency services is each member of staff. In the scheme alert personnel shall be provided options for their awareness of the working and non-working time.

The task of the headquarters is part of the assessment of damages required to restore the normal functioning of resources and time, as well as coordination of staff.

The staff communicates and coordinates its actions with the operational headquarters of the other organizations and services related to the liquidation of consequences of emergency situations.

During the implementation of the Plan measures are grouped in the following categories:

events for the damage analysis – damage assessment, preparation of forecast recovery and proposals for the revitalization of the recovery Plan;

preparations for hardware and software – preparation of premises and hardware and software to deploy the system backup option (preparing jobs for incoming personnel, telephone communication and computer networks, providing backup power for connected equipment, etc.);

measures for the deployment of the system backup option is to deploy hardware and software system using backup data stored in the backup center;

activities of the emergency support system – the maintenance operation of the technical equipment in the building organization, who are in the emergency zone, possibly longer, until the timing of the actuation of a fallback operation of the system;

restoration activities – carrying out necessary activities, in conjunction with representatives of other organizations (firefighters, police, rescuers, etc.) for localization and elimination of consequences of the events leading to the failure of the system;

measures for evacuation – evacuation media information of limited distribution, and system hardware from the buildings in the disaster area.

The procedures for the notification of emergency events. Activation of the recovery Plan system

This stage is the initial stage in the cycle of works on restoration of the functioning of the system. In the course of implementing the decision on whether or not to activate the recovery Plan.

The stage is divided into the following phases:

•Vvedenie solutions to all structures and units employed in the recovery Plan.

Experts note that information on emergency situations may be urgent (start a fire, the break of the water system, sudden power outage, terrorist attack, assault, etc.) and long-term (flooding, radiation or chemical clouds, storm warning, operational details about the impending terrorist attack, etc.).

In any case, the coordinator needs to clarify the source of information to verify its truth before taking a decision on the deployment of staff and activate Plan.

When receiving information coordinator (duty officer) must have a special journal to record the time of receipt of the information and its source (the name of the transferred information, telephone or other source of income).

When you receive urgent information immediately notifies the coordinator of its receipt of the guide, members of the operational headquarters and the heads of departments.

All the operational information about the emergency situation and its development needs to be drained, as a rule, in the operational headquarters.

Given the confidential nature in full, this information may be reviewed by the leadership of the organization and members of the operational headquarters. The results to anyone other information about the emergency situation without the permission of the coordinator is strictly prohibited.

Deployment of operational staff

Having made the decision to activate the Plan, the coordinator shall communicate the necessary information to the members of the operational headquarters. The notice shall indicate the time and place of collection of its members.

Must be provided for several variants of accommodation of operational staff: the main – in the office of the coordinator, substitute – outside the organization's premises, back in the minibus, camper, etc.

Every member of staff needs to know what documents and technical means, he is obliged to carry in case of emergency has been declared.

In convening members of staff during working hours they (or their residual face) arrive at the designated place immediately.

In convening members of staff outside office hours should take into account the time for their collection and move to the specified location.

In the scheme alert the members of the operational headquarters must be specified the exact address, telephone, availability of a personal vehicle. In case of impossibility of arrival of the member of staff's personal transport must be provided the option of delivery service or private vehicle.

On arrival members of staff are introduced in the course of the case provides access to all necessary information.

Each member of staff is defined by his workplace, which should be equipped with the necessary means of communication.

The decision to activate the Plan

The decision about necessity of strengthening of the recovery Plan adopts a systems coordinator in person, on the OS every member of staff gives a situation assessment that brings his vision of the problem (activate or not in the current environment the recovery Plan) and briefly it argues.

In the reports of the members of staff and group leader of failure analysis should reflect the following information:

• possible cause of the incident;
• the nature of the damage (affected physical area and status of physical infrastructure condition and functionality of the equipment and inventory, including the list of elements to be restored);
• the forecast for the development of the incident, the potential for a possible deepening of the extension of its consequences, which can lead to increased destruction or damage in the system;
• estimated time for system recovery;
• proposals aimed at strengthening a recovery Plan.

In the decision, there are some serious limitations. So, the decision by the coordinator on activation of the recovery Plan must be made within 30 minutes of receipt of the information about the incident. The decision is not discussed.

The recovery plan of the system must be enabled without fail, if failure analysis indicates that the recovery of her health should be more than 6 hours, there is the danger of physical destruction of infrastructure and hardware and software system or real threat to the life and health of personnel.

If caused the system damage can be fixed for no more than 6 hours, the coordinator has the right not to activate the Plan recovery, and charging Troubleshooting to the relevant specialist in working order.

The coordinator can also make the decision to involve the emergency services of the city for containment and elimination of consequences of emergency incidents.

As in the positive (activate the Plan) or negative (rebound) the decision is communicated to the leadership and all involved to implement the recovery Plan structures.

Measures for system recovery in the backup option of placing equipment and personnel

Preparedness reserve space in advance is equipping the backup center with the necessary amount of computer equipment that form an Autonomous subnet and have access to the backup server, as well as consumables and stationery.

Every means of computers
attached manual, which outlines the actions of the operator of the tool when receiving the signal of the emergency alert and command for transition to the backup mode of operation of the system.

To obtain backups of programs and data is organized the process of duplicating and updating databases necessary for the operation of the system clients.

Backup programs are stored in the Central room of organizatio.

The return to the normal operation of the system

Upon completion of the remediation works Manager at failure analysis prepares a report on the readiness of the system to return to its original state and the possibility of deactivation of the recovery Plan.

The decision to deactivate the recovery Plan is accepted by the coordinator based on the information obtained from the results of the analysis of the situation. The decision is reported to the management of the organization.

After receiving a signal for deactivation of the recovery Plan staff performs emergency response activities to bring the system to its original state.

For these purposes, is usually involved the same personnel, and to perform work according to activation of the recovery Plan.

According to the results of the work every employee shall report to his supervisor, and the coordinator.

After the restoration of normal functioning of the system on the initial version of the heads of departments carry out a detailed analysis of the actions of subordinates during the execution of works on recovery Plan. The results of the analysis are transmitted to the coordinator. Based on the materials he prepares a detailed report for the management of the organization about the event, the measures taken and their efficiency, the Bank incurred losses. If necessary, develop and give presentations of proposals for improving the infrastructure in case of recurrence of such situations.

The changed nature of threats makes you pay attention to those areas of the sustainable functioning of the systems, which several years ago were not relevant. Among the documents regulating the operation of the system in an emergency situation, the main place is a recovery Plan in operation. Today, the existence of such a document became mandatory for all enterprises and organizations.


Tags: threat

RELATED MATERIALS: Defence and security