Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011

Dr. Bhavani ThuraisinghamThe University of Texas at Dallas (UTD)

June 2011

Business Continuityand

Disaster Recovery Planning

Domain Agenda• Project Scope Development and Planning• Business Impact Analysis (BIA) and Functional Requirements• Business Continuity and Recovery Strategy• Plan Design and Development• Implementation• Restoration / Disaster Recovery• Feedback and Plan Management

Domain Objectives• Understand the planning process• Integrating BCP into the organization• Defining inputs and outputs of process• Understand the difference between BCP and DRP

Sources of Information• Disaster Recovery Institute International• Business Continuity Institute• ISO 25999• ISO 27001, Section 10• NIST SP 800-34

ISO 25999: Business Continuity Management

• Risk management• Disaster recovery• Facilities management• Supply chain management• Quality management

• Health and safety• Knowledge management• Emergency management• Security• Crisis communications and

PR

Overview of BCP• Direct benefits• Indirect benefits• Overlap with Risk Management• BCM vs. BCP vs. COOP

The Enterprise BCP• DRP

– Backup strategies– Emergency procedures– Contracts and provisioning

• BIA– Reciprocal agreements– Alternate sites

• Incident response planning– Succession Plan– Incidence Response Team

The Enterprise BCP (cont.)• Risk analysis

– Safeguards / countermeasures– Insurance plan

• Corporate communication plan– User awareness training– Media/stakeholder relations plan

The Business Continuity Life Cycle• Analyze the business• Assess the risks• Develop the BC strategy• Develop the BC plan• Rehearse the plan

BC Project Phases• Project Scope Development and Planning• Business Impact Analysis (BIA) and Functional Requirements• Business Continuity and Recovery Strategy• Plan Design and Development• Implementation• Restoration / Disaster Recovery• Feedback and Plan Management

Reflecting Organizational Context• Policy is the driver• Aligned with requirements• Provides direction and focus• Use Business Impact Analysis• Identify inputs• Outcomes and deliverables• Reviewed annually

Policy• Organizational authority• Policy document• Program scope• Resources• Outsourcing

Policy contents• Framework• Tools and techniques• Policy contents• Change is infrequent

Outsourced Activities• You are still responsible• Resilience in outsourcing• Supplier continuity

Scope and Choices• Limit scope• Ensure clarity of scope• Strategy, Return on Investment (ROI), and SWOT (Strengths,

Weaknesses, Opportunities, Threats)• Review yearly

Program Management• Assigning responsibilities• Initiating BCP in the organization• Project management• Ongoing management• Documentation• Incident readiness and response

Documentation• Review current BCP if available• Documentation may not equal capability• Staff must be trained to use any necessary software• Types of documentation• Review as directed by policy

Initiating BCP• Awareness, data, implementation• Staff and budget• Result must be a long-term, sustainable program• Review progress monthly

Incident Readiness & Response• Planners become leaders• Be prepared• Triage• Incident management• Success = Return to Operations• Immediate lessons learned

Key Indicators of Success• Senior management commitment• Policy content• BCP Resources• Project management• Documentation

BCP Project Phases• Project Scope Development and Planning• Business Impact Analysis (BIA) and Functional Requirements• Business Continuity and Recovery Strategy• Plan Design and Development• Implementation• Restoration / Disaster Recovery• Feedback and Plan Management

Understanding the Organization• Business Impact Analysis (BIA)

– Benefits– Objectives

• Evaluating Threats (Risk Assessment)• Emergency Assessment• Indicators of Critical Business Functions

Business Impact Analysis• Identifies, quantifies and qualifies loss• Scope and support required• Documents impact and dependencies• MTD, RPO• Business impact analysis process• Workshops, questionnaires, interviews• Business justifications for budget

Maximum Tolerable Period of DisruptionItem Required recovery time

following a disaster

Non-essential 30 days

Normal 7 days

Important 72 hours

Urgent 24 hours

Critical/Essential Minutes to hours

Estimating Continuity Requirements• Total budget for disaster recovery• Identification of necessary resources• Outcomes feed BCP strategy selection• Reviewed with BIA

Evaluating Threats (Risk Assessment)• Risk equation + time element• Risk = Threat impact * probability• Prioritize key processes and assets• Outcomes

Key Indicators or Success• Corporate governance• BIA practice• Risk assessment practice

BCP Project Phases• Project Scope Development and Planning• Business Impact Analysis (BIA) and Functional Requirements• Business Continuity and Recovery Strategy• Plan Design and Development• Implementation• Restoration / Disaster Recovery• Feedback and Plan Management

Determining Business Continuity Strategy

• High-level strategies• RTO < MTPD• Separation distance• Resilience• Address specific business types

Determining Strategy• Determining BC strategies• Strategy options• Activity continuity options• Resource-level consolidation

Activity Continuity Options• Selecting recovery tactics• Reliability• Extent of planning• Cost/benefit analysis• Outcome

Recovery AlternativesAlternative Description Readiness Cost

Multiple processing/ mirrored site

Fully redundant identical equipment

and data

Highest level of availability and readiness

Highest

Mobile site/trailer Designed, self-contained IT and communications

Variable drive time; load data and test systems

High

Hot site Fully provisioned IT and office, HVAC, infrastructure and communications

Short time to load data, test systems. May be yours or

vendor staff

High

Warm site Partially IT equipped, some office, data and voice, infrastructure

Days of weeks. Need equipment, data communications

Moderate

Cold site Minimal infrastructure, HVAC

Weeks or more. Need all IT, office equipment and

communications

Lowest

Processing AgreementsAgreement Description Consideration

Reciprocal or Mutual Aid Two or more organizations agree to recover critical operations for each other.

Technology upgrades/ obsolescence or business growth. Security and access by partner users

Contingency Alternate arrangements if primary provider is interrupted, i.e. voice or data communications

Providers may share paths or lease from each other. Question them.

Service Bureau Agreement with application service provider to process critical business functions.

Evaluate their loading geography and ask about backup mode.

BCP Project Phases• Project Scope Development and Planning• Business Impact Analysis (BIA) and Functional Requirements• Business Continuity and Recovery Strategy• Plan Design and Development• Implementation• Restoration / Disaster Recovery• Feedback and Plan Management

Resource Level Consolidation• Consolidation plan• Availability of solutions• Consolidate, approve, implement• Methods and techniques• Outcomes and deliverables

Business Continuity Plan• Master plan• Modular in design• Executive endorsement• Review quarterly

Business Continuity Plan Contents• When team will be activated• Means by which the team will be activated• Places to meet• Action plans/task list created

• Responsibilities of the team or of specific individuals– Liaising with Emergency Services (fire, police ambulance)– Receiving or seeking information from response teams– Reporting information to the Incident Management Team– Mobilizing third party suppliers of salvage and recovery services– Allocating available resources to recovery teams– Invocation / mobilization instructions

Business Continuity Plan Contents

Developing and Implementing Response

• Incident response structure• Emergency response procedures• Personnel notification• Communications• Restoration

BCP Project Phases• Project Scope Development and Planning• Business Impact Analysis (BIA) and Functional Requirements• Business Continuity and Recovery Strategy• Plan Design and Development• Implementation• Restoration / Disaster Recovery• Feedback and Plan Management

Implementing Incident Management Plan

• Rapid response is critical• Crisis management• Steps to develop an Incident Management Plan• Action plans

Incident Response Structure

• Strategic• Tactical• Operational

Key Indicators of Success• Development and acceptance of Recovery Strategies and

Business Continuity Plans

BCP Project Phases• Project Scope Development and Planning• Business Impact Analysis (BIA) and Functional Requirements• Business Continuity and Recovery Strategy• Plan Design and Development• Implementation• Restoration / Disaster Recovery• Feedback and Plan Management

Disaster Recovery• Salvage• Separate function and team• Facility restoration • System recovery

BCP Project Phases• Project Scope Development and Planning• Business Impact Analysis (BIA) and Functional Requirements• Business Continuity and Recovery Strategy• Plan Design and Development• Implementation• Restoration / Disaster Recovery• Feedback and Plan Management

Testing the Program• Find the flaws• Outsourcing• Timetable for tests• Test design process

Testing TypesTypes Process Participants Frequency Complexity

Desk Check Check the contents of the plan, aid in

maintenance.

AuthorOften LOW

Walk-through

Check interaction and roles of participants.

Author and main people

Simulation Includes: business plans, buildings, communications

Main people and auditors

Parallel testing

Moves work to another site. Recreates the

existing work from the displaced site.

Everyone at location

Full Shuts down and relocates all work

Everyone at both locations Rare HIGH

Embedding BCP• Assessing level of awareness and training• Developing BCP within the Culture• Monitoring cultural change

Test BCP Arrangements• Test, rehearsal, exercise• Combine all plan activities• Stringency, realism and minimal exposure• Contents of a test• Outcomes

Maintaining BCP Arrangements• Ready and embedded• Triggered by change management• Owners keep information current• Documented• Review as needed

Reviewing BCP Arrangements• Audit• Independent BCP audit opinion• As directed by audit policy

Factors for Success• Supported by senior management• Everyone is aware• Everyone is invested• Consensus

Assessing the Level of Awarenessand Training

• Where are we now• What does the policy state• Current vs. desired levels• Training framework in place

Developing a BCP Within the Organization’s Culture

• Training, education, awareness• Well-implemented policy• Design• Delivery planning• Delivery• Cost effective delivery• Higher awareness

Domain Summary• Project Scope Development and Planning• Business Impact Analysis (BIA) and Functional Requirements• Business Continuity and Recovery Strategy• Plan Design and Development• Implementation• Restoration / Disaster Recovery• Feedback and Plan Management