April 16‐18, 2012 • Talking Stick Resort • Scottsdale, Arizona
Building a Standard for Business Continuity Planning
John Lugo
Sr. Business Continuity Analyst
April 17, 2012
Business Continuity @ Citrix
Statistics
• Over 36% of organizations reported incidents of workplace violence
Source ‐ Society for Human Resource Management (SHRM)
Agenda
• Business Continuity Goals
• Global Core Business Continuity Team Structure
• Regional Business Continuity Plans
• Disaster Recovery / Business Continuity Testing
• Crisis Communications
• Employee Safety and Awareness Programs
Business Continuity Goals
• Maintain business critical functions and services before, during and after a wide range of disaster events
• Limit the impact to operations and the magnitude of any financial loss
• Ensure rapid recovery and timely resumption of company operations to protect employees, customers, shareholders and company reputation
• The formal BC plans combine preventive and recovery measures; the plans are updated, tested and communicated regularly to ensure effectiveness in mitigating business disruption
Global Business Continuity Team Structure
• The Team's mission is to provide overall direction / preparation and recovery efforts
• Team members are a mixture of diverse departments including IT, HR, Legal, Facilities, Physical Security and Finance
• On‐Site Recovery Teams are the ‘boots on the ground’ team responsible for individual offices in EMEA and Pacific
• Business Unit contacts are part of the Non‐Core BC Team
Emergency Management Team (EMT)
• Provide overall recovery / preparation direction
• Provide strategic response and incident management
• Ensure Business Continuity Team communication
• Monitor event activity
• Escalate alert levels to all team members
• Facilitate communication with the Executive Management Committee
• Ensure the appropriate and adequate disaster response
Communications Team
• Provides communication to all parties including employees, vendors, public service agencies, customers
• Communication methods including emergency notification systems, email, vmail, external / internal web pages, press releases, media
• Team conveys a message on behalf of company
Campus Response Team
• Operational response and business direction
• Prepare property and equipment for the impending disaster event
• Provide HR related assistance for building items (people staying on site, building closures, parking garages, etc.)
• Damage assessment from a disaster and its impact on continuing operations; assistance with insurance claims
• Secure buildings and grounds; liaise with landlord
• Historian Function – Documenting all critical decisions once an event has occurred and keeping track of expenses
Business Readiness Team
• Make necessary arrangements to implement disaster business operations in accordance with business plan for each unit
• Provide a tactical response and business direction
• Act as a liaison with the Business Unit Teams
• Provide travel assistance for recovery team members
• Ensure critical business functions are operational at alternate processing centers
On Site Recovery Team
Drivers of decisions regarding:
• Recovery of office
• Well being of employees
• Alternate relocation plans
• Communications out to employees in affected location(s)
Business Continuity Planning Scenarios
Our Business Continuity plans are based on two incident types
1) Unexpected Disaster
• Fire, flood, earthquake, tornados, terrorist act, explosion, workplace violence, flu outbreak…
2) Expected Scenario
• Scheduled protests, scheduled power outages / rolling blackouts
• Hurricane / severe weather due to our South Florida exposure; lead time allows for storm preparedness
Business Impact Analysis (BIA)
• The BIA is the initial step for Business Continuity planning from which the whole BCP program is built
• Provides the data from which appropriate continuity strategies can be determined
• Ranks core business activities
– Grades activities by financial and non‐financial impact
– Determines interdependencies
– Defines Recovery Time Objectives (RTO)
– Defines process, people, equipment and IT systems needed to meet continuity objectives
Disaster Recovery Strategies
• What technology based solutions do you incorporate in your BC Program?
Cloud computing, data replication, clustering, failover circuits, redundant equipment, restore from tape, software as a service (SaaS)
• Bring Your Own Computer (BYOC) Program
• Desktop virtualization
• ‘Work Anywhere’ Initiative
Business Continuity Plans
• Structure your plans around the responses from your BIA
• Plans contain critical processes and procedures to recover business functions in the event of an emergency interruption
• Individual plans are regional, country and business unit specific and are updated annually
Emergency Response Plans
• Build your ERPs with the help of executive management – host a table top exercise
• ERPs are based on the worst‐case scenario; anything less severe becomes a subset of the plan
• Develop plans for specific incidents – hurricane, earthquake, active shooter scenario
IT Disaster Recovery Test
• Based on your requirements, do you have a Hot Site, Cold Site, Warm Site?
• Review the responses from your BIA to ensure that your critical applications and services reside in your DR environment
• Create a detailed site bring‐up script that is simple to follow
• Do you have plans in place to fail back to Production?
• Exercise your IT DR Plan at least once a year
Workplace Recovery Test
• In the event your office is inaccessible for a period of time, where are your employees going to relocate?
• Leverage offices in other cities / countries
• Work from home vs contracted office space
• Exercise your workplace recovery plan once a year
• Document your results and forward to senior management
Emergency Response Tests
• Develop realistic scenarios that your organization is likely to experience
• Establish a strong relationship with external agencies including local fire departments and emergency responders
• Work with senior management and HR to develop an emergency response plan around workplace violence
• Coordinate emergency evacuation drills with Facilities
• Exercise emergency response tests annually
Measurable Results
Crisis Communication Plan
• Establish a crisis communication program with the Core Business Continuity Team
• Plan should identify all stakeholders to be included in emergency communications – employees, clients, vendors, media, EMC…
• Draft sample communications around realistic scenarios that could affect your location
• Have HR and Public Relations review communications before distribution
Communicate!
• Emergency notification systems
• Communicate quickly
• Push/pull communications
• Pre‐script communications
• Wallet cards and badges
• Satellite phones
Crisis Communication Tools
• Use internal resources – Telecom Team, PBX, PA system, intranet SharePoint site, company website
• Toll free emergency notification numbers for employees
• Blast emergency alerts through vmail
• Emergency Notification Software – Sungard, Everbridge; sends messages via mobile, email, text, etc.
• Satellite phones – service is available even if infrastructure is down
Train the People in Charge
• Develop table top exercises with Core Business Continuity Teams
• Research emergency response training through local agencies – Red Cross, Fire Departments, SWAT Teams, C.E.R.T.
• Review the roles and responsibilities with the Core BC Team annually
• Ensure that the global teams buy into the Standards of Business Continuity
• Deliver a robust employee safety program, even if there isn’t a requirement by law in a particular country!!
Practice
• Emergency evacuation drills
• Bomb threat procedures
• Workplace violence process
• Emergency training
• Awareness newsletters
• Emergency information cards
New Employee Orientations
• Work with HR to include overview of Business Continuity Program
• Review emergency evacuation procedures
• Ensure that employees know where to find BC and DR documentation
• If possible, make training a mandate for compliance
Communications out to Employees
• Develop communications around specific incidents – hurricane season, earthquake scenario, emergency evacuations
• Work with Business Unit leads to ensure that teams understand recovery processes
• Work with HR to develop a newsletter
• Post Incident Response Action Items in break room or common areas – evacuation routes, assembly points, security hotlines
Plans Put into Practice
Scenario 2
Scenario 1
Hurricane Wilma at HQ
• When: October 24th 2005
• Damage: 3 out of our 4 buildings closed for over a week
• 6 million people without power
• Local infrastructure damaged
• Pre‐storm activities completed
– Campus prepared
– Key business teams and IT flown out of area
– Communication schedule established with employees
• Post storm
– Reserved hotel rooms out of the area
– Employee assistance program
– Employees helping employees intranet site
– Post mortem review
– Long term – office opened for customer facing teams out of the path of hurricanes
Pandemic Planning
Avian, H1N1, H3N2 and Influenza B Viruses
• Citrix Planning
– Creation of Pandemic Influenza Continuity Plan
– Phased alerts from the World Health Organization and the Center for Disease Control
– Updated internal policies; infected employees requested to stay home until symptoms subsided
• Employee awareness
– Communications sent to employees around best practices
– Travel recommendations posted on Intranet site
• Manager communication and training
– Distributed messages to managers around working with employees; options include working from alternate locations
Earthquake in Japan
• Damage:
– 10 employees overnight in office (elevator was on limited power)
– Office closed for 3 days ‐ most employees worked from home leveraging our own products
• Daily meetings held with on‐site recovery teams (IT, Facilities and HR)
• Alternate relocation plan for employees (150 hotel rooms in Hiroshima)
• Resources sent to Tokyo from CA office
• Lessons learned:
– Creation of on‐site recovery teams for other regions
– Upgrade emergency notification system in Tokyo
Wrap ‐ Up
• Make sure your plans are flexible
• Revisit your strategy around DC infrastructure – physical vs virtual
• Partner with key Business Units (IT, Facilities, HR) in other offices to help you build and test plans
• Include end users within your testing platform
• People come first!!