45
A Business Continuity Planning Toolkit Security 2008 – EDUCAUSE & Internet2 Security Professionals Conference Robert J. Block (B.J.), IT Security Analyst University of Rochester Beth Buse, Deputy Director of Internal Auditing Minnesota State Colleges and Universities Leslie Maltz, Deputy VP for IT Planning & Standards (retired) Columbia University

A Business Continuity Planning Toolkit

Embed Size (px)

DESCRIPTION

 

Citation preview

Page 1: A Business Continuity Planning Toolkit

A Business Continuity Planning Toolkit

Security 2008 – EDUCAUSE & Internet2 Security Professionals Conference

Robert J. Block (B.J.), IT Security AnalystUniversity of Rochester

Beth Buse, Deputy Director of Internal AuditingMinnesota State Colleges and Universities

Leslie Maltz, Deputy VP for IT Planning & Standards (retired) Columbia University

Page 2: A Business Continuity Planning Toolkit

Copyright Leslie Maltz, Beth Buse, Robert Block, 2008

This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.

Page 3: A Business Continuity Planning Toolkit

What would your college or university do if….

A fire destroyed your administration building?

A tornado destroyed a resident hall?

A water pipe burst and flooded your data center?

Half of your faculty and staff called in sick?

A bomb exploded in a classroom?

Page 4: A Business Continuity Planning Toolkit

Terminology and Definitions

All Hazards Planning – an integrated planning approach to all domestic terrorist attacks, major disasters, and other emergencies. Business Continuity Planning (also referred to as Continuity of Operations Planning and Service Continuation Planning) – process for determining an institution's ability to maintain or restore its business and academic services when some circumstance disrupts normal operations.Disaster Recovery Plan – refers to the technological portions of the business continuity plan. This plan contains the details to ensure systems and communications are restored within a predetermined timeframe.Business Impact Analysis - A management level analysis, which identifies the impacts of losing resources. This analysis measures the effect of resource loss and escalating losses over time, in order to provide senior management with reliable data upon which to base decisions on risk mitigation and continuity planning.Pandemic Planning – preparation in the event that the Avian Flu virus reaches pandemic stage. Emergency Response Plan – this plan includes details for responding to sudden states of danger that require immediate action.

Page 5: A Business Continuity Planning Toolkit

Importance of Preparing

Planning provides for backup If primary staff unavailable – who will do the

work? If primary system is gone – how do we

operate? If a specific building cannot be occupied –

where do we go?

Planning creates routines Routines create repetition and normalcy Normalcy generates calm instead of panic

Page 6: A Business Continuity Planning Toolkit

Homeland Security Presidential Directives

HSPD-5 Subject: Management of Domestic Incidents Established the National Incident Management

System (NIMS) and National Response Plan (NRP)

HSPD-8 Subject: National Preparedness Added definition to the National Response Plan

(NRP) and established the term "all-hazards preparedness".

Page 7: A Business Continuity Planning Toolkit

Homeland Security Vision Statement for Higher Education

“That all schools and universities are prepared to mitigate/prevent, respond to, and recover from all hazards, natural or man-made by having a comprehensive, all-hazards plan based on the key principles of emergency management to enhance school safety, to minimize disruption, and to ensure continuity of the learning environment.”

U.S. Department of Education Sector Specific Plan

Page 8: A Business Continuity Planning Toolkit

MnSCU - All Hazards Plan

MnSCU Board Policy 1A.10 Long Term Emergency Management

“Each college, and university and the Office of the Chancellor shall develop and maintain an All Hazards Plan that provides guidelines in the event of long term emergency. The plan shall be developed in accordance with guidelines developed and administered by the Office of the Chancellor in accordance with state and federal directions.  The All Hazards Plan will include sections that address crisis intervention, continuity of operations, and emergency preparedness.”  

Page 9: A Business Continuity Planning Toolkit

Minnesota State Colleges and Universities

All Hazards Planning Architecture

Emergency Preparedness

Continuity of Operations

Crisis Intervention

Minnesota State Colleges and UniversitiesAll Hazards Plan

Page 10: A Business Continuity Planning Toolkit

Minnesota State Colleges and Universities

All Hazards Planning Architecture

Continuity of Operations

Facilities Functions

Academic Functions

Essential Services

Communications Functions

Operations Functions

Pandemic Event

Wind Event

Healthcare/Student Services Functions

Fire Event

IT Services Event

Special functions:Library and Information Services Public Safety IT System SupportAthleticsOther

Water Event

Utilities Loss Event

Plan Elements

Page 11: A Business Continuity Planning Toolkit

Where to Start?

EDUCAUSE - Business Continuity Planning Toolkit: https://wiki.internet2.edu/confluence/display/secguide/Business+Continuity+Planning+Toolkit

Provides a resource of guides, examples and templates

Need to have executive level buy-in to succeed.Ideal: have dedicated resourcesNeed to have a cross-functional team.

Page 12: A Business Continuity Planning Toolkit

Business Impact Analysis

If one of the afore mentioned disasters were to occur, how would you know where to focus your recovery efforts first.

Page 13: A Business Continuity Planning Toolkit

Business Impact Analysis

Definition: A management level analysis, which

identifies the impacts of losing resources. This analysis measures the effect of resource loss and escalating losses over time. In order to provide senior management with reliable data upon which to base decisions on risk mitigation and continuity planning.

Page 14: A Business Continuity Planning Toolkit

Goals of theBusiness Impact Analysis

To establish the value of each organizational unit or resource as they relate to the function of the total organizationTo provide the basis for identifying the critical resources required to develop a business recovery strategyTo establish an order or priority to restoring the function of the organization in the event of a disastrous event

Page 15: A Business Continuity Planning Toolkit

Considerations

Enterprise (or University) wide

Goes beyond IT

Need to have executive level buy-in

Need to have a cross-functional team

Willing to make tough decisions

A time consuming effort

Page 16: A Business Continuity Planning Toolkit

Terminology

MTTR – Mean time to Recover

MTBF – Mean Time Before Failure

Criticality Level

Tangible Impact

Intangible Impact

RPO – Recovery Point Objective

RTO – Recovery Time Objective

Page 17: A Business Continuity Planning Toolkit

Business Impact Analysis

Phases Project Planning Data Collection Data Analysis Reporting Findings Approval for Next Phase

Page 18: A Business Continuity Planning Toolkit

Business Impact Analysis Project Planning

Identify Objectives

• Criticality of business functions• Critical dependencies• Impact of disruptions• Critical resources

Scope• Departmental• Facility• Complex• Region• Organization

Page 19: A Business Continuity Planning Toolkit

Business Impact Analysis Data Collection

How to collect information from the community Questionnaire Interview Hybrid

Page 20: A Business Continuity Planning Toolkit

Business Impact Analysis Data Collection

Questionnaire Approach Design questionnaire Develop data analysis

process Develop instructions Cover Letter Formal presentation Questionnaire distribution Questionnaire collection

Interview Approach Develop interview guide Train interviewers Formal Presentation Schedule interview Conduct interview Validate

Page 21: A Business Continuity Planning Toolkit

Business Impact Analysis Data Collection

Topics to address Mission Service Objectives Dependencies Impacts over time Critical time periods Financial impact Operational impact Legal, regulatory, contractual requirements

Page 22: A Business Continuity Planning Toolkit

Business Impact Analysis Data Collection

Additional items to reference Mission Statements Service Objectives Service Level Agreements Organizational Charts Policies and Procedures

Page 23: A Business Continuity Planning Toolkit

Business Impact Analysis Data Analysis

Quantitative Impact Losses identified in quantities or percentages

that can be described in monetary terms

Qualitative Impact Intangible losses that can impact operationally

but that can not be quantified in monetary terms

Page 24: A Business Continuity Planning Toolkit

Business Impact Analysis Data Analysis

List of business functions ordered by restoration time

Consolidation Simplify the process Create priority levels

Project lead confirms with management

Page 25: A Business Continuity Planning Toolkit

Business Impact Analysis Report Findings

Confirm findings with end users and functional departments

Present formal findings to executive management

Page 26: A Business Continuity Planning Toolkit

Business Impact Analysis Approval for Next Phase

Just when you thought it was done…

Begin moving on to the next phase

Page 27: A Business Continuity Planning Toolkit

Business Impact Analysis Resources

EDUCAUSE website (https://wiki.internet2.edu/confluence/display/secguide/Business+Continuity+Planning+Toolkit)

Disaster Recovery Journal website (http://www.drj.com)

Page 28: A Business Continuity Planning Toolkit

Disaster RecoveryNo Longer an Optional Activity

Page 29: A Business Continuity Planning Toolkit

Why Have a Disaster Recovery Plan?

Natural and Man-Made emergencies cannot be prevented

Preparedness means quick response

Part of an All Hazards response effort

Tough to function during an emergency

“It will never happen here is NOT TRUE”

Page 30: A Business Continuity Planning Toolkit

BUY-IN

Clear mandate (Senior Executives)

Facilities

Staffing (DR and Business Unit staff)

Coordination during emergencies

Authority to take actions

Funding

Testing

Page 31: A Business Continuity Planning Toolkit

Not Just for Central IT Units

Business Units must identity and prioritize key resources and define acceptable risks

This is NOT just a technology issue

Page 32: A Business Continuity Planning Toolkit

Critical Resources

Prioritization

Dependencies/Relationships

Alternate resources

Command Centers

Coordination/Management of Response

Funding

Page 33: A Business Continuity Planning Toolkit

Disaster Recovery Plan

Gives a blueprint for reestablishing critical business processes under extraordinary conditions

Page 34: A Business Continuity Planning Toolkit

Disaster Recovery Planning is NOT a One Time Activity

You Must Have Frequent:

Updates

Drills

Training

Reviews

Page 35: A Business Continuity Planning Toolkit

Identify Applications

Determine Criticality

Resources Needed

Priorities and Dependencies

Page 36: A Business Continuity Planning Toolkit

Identify Applications

Have Business Units Review and Revise Priorities

Page 37: A Business Continuity Planning Toolkit

Contact Information

Identify (and keep current) staff contacts and all means for communication: Office Home Mobile Email addresses

Page 38: A Business Continuity Planning Toolkit

Compile all Required Documentation

Operational Documentation

Emergency Recovery Action Templates (ERAT)

Contact Info

Command Center Inventory Checklist

Page 39: A Business Continuity Planning Toolkit

Command Centers

Identify Locations

Establish and stock resources

Inventory Checklists

Schedule for inventory assessment

Page 40: A Business Continuity Planning Toolkit

Duty Managersaka Team Leaders

Schedule and Coverage

Train

Assess Command Center Inventory

Substitution Procedure

Page 41: A Business Continuity Planning Toolkit

Drills and Testing

Table top exercises

Real tests and emergencies

Evaluate the response, procedures, and staff

Page 42: A Business Continuity Planning Toolkit

Repeat!

Page 43: A Business Continuity Planning Toolkit

Forms and Templates

ERAT Emergency Application Template

Log and Post Mortem Forms for use during and after emergencies and drills

Contact Information Office, home, mobile phones

Team Leader Training

Team Leader Responsibilities

Command Center Inventory Checklist

Page 44: A Business Continuity Planning Toolkit

Business Continuity Planning Toolkit

Page 45: A Business Continuity Planning Toolkit

Questions