1 The Basics of Business Continuity Presented by Mary F. Sandy, CBCP Business Continuity/Disaster Recovery Class DePaul University ©Mary F. Sandy, 2006 Intro. ppt


The Basics of Business Continuity

Presented by Mary F. Sandy, CBCP

Business Continuity/Disaster Recovery Class

DePaul University

©Mary F. Sandy, 2006 Intro.ppt


Contents

• What is Business Continuity?

• Business Continuity Components

• Phase I: Risk Assessment

• Phase II: Business Impact Analysis

• Phase III: Select Recovery Strategies Based on RTOs & RPOs

• Phase IV: Implement Recovery Organization Structure

• Phase V: Conduct Education & Exercises for Employees

• Phase VI: Develop Recovery Plans

• Phase VII: Test, Test, Test!!!!!

• Phase VIII: Incorporate Changes to Keep Current


What is Business Continuity?

• Process of Ensuring Continuance of a Business if a Disruption Occurs and Includes:

• Analysis of Criticalities (Business Impact Analysis).

• Securing Accommodations to Restore People, Processes, and Information Systems.

• Documenting and Testing Processes, Procedures and Information Systems.


Business Continuity Components

Phase I: Risk Assessment

Phase II: Business Impact Analysis

Phase III: Select Recovery Strategies Based on RTOs & RPOs

Phase IV: Implement Recovery Organization Structure


Business Continuity Components (Cont’d.)

Phase V: Conduct Education & Exercises for Employees

Phase VI: Develop Recovery Plans

Phase VII: Test, Test, Test!!!!!

Phase VIII: Incorporate Changes to Keep Current


Phase I: Risk Assessment

• Identify and Evaluate Risks (such as single electrical feed, exposure to chemical spills, etc.) to an Organization:

• Those Required for a Company to Continue Operations

• Each Risk Evaluated for its Probability of Occurring

• Define Existing Controls to Mitigate Risks

• Recommend New/Enhanced Controls

• Evaluate Cost of Controls


Phase II: Business Impact Analysis

• The Process of Analyzing:

• A Business Function’s Tolerance for Loss of Its Daily Activities Resulting From Inaccessibility to Its:

• Computers

• Work Areas

• How This Affects the Viability of the Company.


Phase II: Business Impact Analysis (Cont’d.)

• Establish Recovery Time Objectives (RTOs) for:

• Work Areas (Departments)

• Software Applications and Associated Hardware


Phase II: Business Impact Analysis (Cont’d.)

Recovery Time Objective (RTO)

• The Amount of Time, Starting When the Disaster is Declared, by Which an Application Needs to be Restored and Ready for Use.

• Used as Basis for Recovery Strategy

• RTOs are Developed for:

• Departments (Work Area Recovery)
• Functions
• Software Applications/Hardware


Phase III: Select Recovery Strategies Based on RTOs & RPOs

[Chart: Dollars Spent*, starting at $0 and marked "COSTS INCREASE", plotted across recovery strategies. Strategies shown: Cold Site/Shell Site; Warm Site; Quick Ship--Purchase At Time of Disaster (ATOD); Electronic Vaulting; Remote Journaling; Data Shadowing/Mirroring; Standby Processing; Fault-Tolerant System; Hot Site; Redundant Data Center. Ranges shown: RPO 0 hrs-24 hrs, RTO 0-<3 days; RPO ≥24 hrs, RTO ≥3 days-1 month.]

*This chart shows that costs increase for strategies that meet lower RTOs and RPOs and decrease for strategies that accommodate higher RTOs and RPOs.


Phase III: Sample Recovery Strategies Based on RTOs & RPOs (Cont’d.)

Exhibit 2. High Availability Solutions for Hardware/Software with Recovery Time Objectives (RTOs) <3 Days

Alt #4—Electronic Vaulting
Definition: Electronically conduct data backups by transmitting data to equipment located in an offsite facility. This is disk to disk backup with critical equipment located at an alternate facility.
Is There Any Data Loss? No

Alt #5—Remote Journaling
Definition: Changes/updates logged to a database (DB) on a real-time basis since the last full backup. Note: Restore of current journal not immediate since these journal entries are archived & must be incorporated into current dataset prior to restore from backup media.
Is There Any Data Loss? No, but restore not immediate since current files are archived & used together with image copies to recover DB to point of failure.

Alt #6—Data Shadowing/Mirroring
Definition: Immediate duplication of data on separate disks that are located remotely which is considered a “shadow.” The remote facility can be an alternate location owned by the client or at a vendor’s location.
Is There Any Data Loss? No

Alt #7—Standby Processing
Definition: Secondary server in stand-by mode & takes over as primary server when primary server is interrupted. System either located in facility owned by company or by vendor.
Is There Any Data Loss? No

Alt #8—Fault-Tolerant Systems
Definition: System’s ability to respond “gracefully” to hardware or software failure & redirect traffic seamlessly to a device not affected by this failure.
Is There Any Data Loss? No. Hardware disks are usually mirrored in the equipment to eliminate any data loss.

Alt #9—Hot Site
Definition: Alternate processing site ready for immediate use since it is equipped with all hardware, software & environmental infrastructure. Hot Site is provided by a vendor.
Is There Any Data Loss? Depends upon whether one of these High Availability solutions is used to backup data at the hot site.

Alt #10—Redundant Data Center
Definition: A secondary Data Center in an alternate location with the same computer components as the first. May be located in a facility owned by the company or by another company.
Is There Any Data Loss? No


Phase IV: Implement Recovery Organization Structure

[Organization chart: box labels and names as they appear on the slide]

Administrative Support: DellaPella

Public Relations: Fuerst

LAN/WAN/Voice: Judi Farley

Applications Dev: Marshall Wandrei

Technical Support: Jeff Maitland

Information Systems: Wandrei/Rainey

Facilities/Site Restore: Turzak/Lindsey

Sue Blackburn

Staff Counsel: Taft/Calder

Karen Givens

Ops Support Credit: Taft/Calder

Glen Schulte

Underwriting: Taft/Calder

Karen Murdock

SCO: Kevin Henderson

Farm H Agency Ops: Yaverski/Roggenbaum

Field Offices

Pat Phillips

Sandy White

Executive Office

Dave Cherniawsky

Actuarial/Prod Sppt: Taft/Calder

Business Recovery Coordinator: Bacigal

Damage Assessment: Taft/Calder

Emergency Ops Committee


Phase V: Conduct Education & Exercises for Employees

• Conduct a Business Continuity Week
• Invite Vendors for Presentations
• Show Videos
• Present Company Recovery Plan
• Make it Fun and Enjoyable
• If Possible, Have “Take-Aways”

• Advertise
• Use Your Marketing Department to Create Posters
• Display Posters in Cafeteria, Elevators, etc.
• Email Reminders

• Reeducate As Required


Phase VI: Develop Recovery Plans

• Document Recovery Plans for:

• Work Areas (Processes)
• Software and Hardware

• Document Recovery Plans for the “Worst Case” Scenario; DO NOT Create Plans for Different Scenarios. (Some exceptions are: Pandemic Plan, Flood Plan, etc.)

• Reevaluate and Change Plans Two Times Per Year, if They Need Updating

• Make Copies of Plans and Keep Accessible


Phase VI: Develop Recovery Plans (Cont’d.)

• At a Minimum, Include the Following in Recovery Plans:

• Backup Strategy
• Organization Chart
• Calling Trees With Telephone Numbers
• For Technology Plans, DETAILED Instructions for Restoring Software and Hardware
• Evacuation
• Alternate Recovery Site
• Location of Command Center
• List of Vendors


Phase VII: Test, Test, Test!!!!

• Test all Plans:
• Work Area Plans
• Technical Plans

• Types of Tests
• Walkthroughs
• “Surprise” Tests*
• Scenario Tests*

*Note: These tests include restoration of required hardware and software.


Phase VIII: Incorporate Changes to Keep Current

• Continue to Reevaluate Organization and System Changes

• Change Strategy as Required

• Change Recovery Organization as Needed

• Change Recovery Plans

• IT IS BEST TO CONSIDER CONTINUITY BEFORE YOU DEVELOP AND/OR IMPLEMENT ANY INFORMATION SYSTEMS!!!!


Questions?