
Business Continuity & Disaster Recovery

All about business
Assumes the worst has happened

Domain Definition

Preparation, testing, & updating of actions required to protect critical business processes from the effects of major system & network failures

Business Continuity (BCP): Plan initiation; Business Impact Assessment (BIA); Plan development

Disaster Recovery (DRP): Planning; Testing; Specific procedures

BCP

Created to prevent interruptions to normal business activity

Minimize effects of disruptive event
Enhance org's capability to recover
Minimize cost
Mitigate risks

BCP: Areas Covered

LANs, WANs, DMZ, Servers
Telecomm & data comm links
Workstations & workspaces
Applications, software, & data
Media & records storage
Staff duties & production processes

BCP & DRP: Primary Concern

Life Safety
  Evacuation routes
  Assembly areas
  Accounting for personnel

Protection of people always comes first

Continuity Disruptive Events

All plans & processes are “After the Fact”
Examples:
  Fires, explosions, spills
  Earthquakes, storms, floods, etc.
  Power outages & other utility failures
  Bombings, sabotage
  Strikes & other job actions
  Employee unavailability
  Comm infrastructure failures

Asset Loss

Revenues lost during incident
Ongoing recovery costs
Fines & penalties
Competitive advantage, credibility or good will damaged by incident

Four Prime Elements of BCP

1. Scope & Plan Initiation
  a. Define scope & parameters of plan
2. Business Impact Assessment
  a. Help business units understand impact
3. BCP Development
  a. Implementation, testing, maintenance
4. Plan Approval & Implementation
  a. Senior mgt signoff & org. awareness

BCP: 1. Scope & Plan Initiation

Examine org. operations & support services
Distributed processing == special problems
All business units involved
BCP committee
Senior Management – total, highly visible support
Due diligence: Foreign Corrupt Practices Act of 1977

BCP: 2. Business Impact Assessment

What impact incident would have
Financial, Operational, Vulnerability
Primary Goals
  Criticality Prioritization
  Downtime Estimation
  Resource Requirements

BCP: 2. Business Impact Assessment Steps

1. Gathering info needed
  a. Critical business units & interdependencies
2. Vulnerability assessment (next slide)
3. Analyzing info compiled
  a. Clearly describe support required
4. Documenting results & presenting recommendations

BCP: 2. BIA – Vulnerability Assessment

Similar to but smaller than Risk Analysis
Quantitative loss criteria
  Revenue, capital, liability, operational expenses, contract agreements, regulatory requirements
Qualitative loss criteria
  Competitive advantage, mkt share, public confidence, etc.
Common Steps
  1. List potential emergencies
  2. Estimate likelihood
  3. Assess impact
  4. Resources required

Sample Vulnerability Table

A. Type of Emergency
B. Probability (High 5 – Low 1)
C. Human Impact (High Impact 5 …)
D. Property Impact
E. Business Impact
F. Internal Resources (Weak Resources 5 …)
G. External Resources
H. Total

A B C D E F G H

BCP: 3. BCP Development

Use BIA to create recovery strategy plan
Defining the continuity strategy
  Elements: computing, facilities, people, supplies & equipment
Short-term goals & objectives
  Vital personnel, systems, operations, equipment
  Priorities for restoration
  Acceptable downtime & minimum resources req.
Long-term goals & objectives
  Org’s strategic plan
  Funding, Management & coordination of events
  Funding & fiscal Management
IT department: backup & restore, physical security, logical security, system administration

BCP: 4. Approval & Implementation

Approval by Senior Management
Creating plan awareness
  Org’s ability to recover will most likely depend on many individuals
Maintenance of Plan
  Plans easily get out of date

Disaster Recovery Planning (DRP)

Procedures for:
  Responding to emergency
  Providing extended backup operations
  Managing recovery & salvage operations

“Primary objective is to implement critical processes at an alternate site & return to primary site & normal operations with time frame that minimizes loss to the organization.”

DRP: Planning Process

Development & creation of recovery plans
BIA has been made so now defining steps needed to protect business in actual disaster
Recovery Timeframe Requirements
  AAA – Immediate recovery needed, no downtime
  AA – Full functional recovery within 4 hours
  A – Same day business recovery needed
  B – Up to 24 hours downtime acceptable
  C – 24 – 72 hours downtime acceptable
  D – Greater than 72 hours downtime ok
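Added example (not part of the original slides): a process cannot recover faster than the systems it depends on, which is why the BIA gathers interdependencies before recovery tiers are fixed. The Python below goes one step beyond the slide by propagating the AAA–D tiers through a dependency map and listing every item whose assigned tier is too loose; the item names, tier assignments and function names are constructed for illustration.

```python
# Added example: item names, tiers and dependencies below are constructed.
from collections import deque

# Recovery timeframe tiers from the slide, strictest first.
TIERS = ["AAA", "AA", "A", "B", "C", "D"]
RANK = {t: i for i, t in enumerate(TIERS)}

def effective_tiers(assigned, depends_on):
    """Return the tier each item must actually meet.

    assigned:   {item: tier chosen in the BIA}
    depends_on: {item: [items it needs in order to run]}
    An item inherits the strictest tier of anything that depends on it,
    directly or through a chain of dependencies.
    """
    for item, tier in assigned.items():
        if tier not in RANK:
            raise ValueError(f"unknown tier {tier!r} for {item}")
    effective = dict(assigned)
    queue = deque(assigned)
    while queue:
        item = queue.popleft()
        for dep in depends_on.get(item, ()):
            if dep not in effective:
                raise ValueError(f"{item} depends on unlisted item {dep}")
            # Tighten the dependency if its dependant is stricter.
            if RANK[effective[item]] < RANK[effective[dep]]:
                effective[dep] = effective[item]
                queue.append(dep)  # re-propagate down the chain
    return effective

def gaps(assigned, depends_on):
    """Items whose BIA tier is looser than their dependants require."""
    eff = effective_tiers(assigned, depends_on)
    return {i: (assigned[i], eff[i]) for i in assigned if eff[i] != assigned[i]}

# Constructed sample BIA data.
ASSIGNED = {"order-entry": "AA", "payroll": "C", "database": "B",
            "wan-link": "C", "file-server": "D"}
DEPENDS_ON = {"order-entry": ["database", "wan-link"],
              "payroll": ["database", "file-server"],
              "database": ["file-server"]}

if __name__ == "__main__":
    for item, (was, need) in sorted(gaps(ASSIGNED, DEPENDS_ON).items()):
        print(f"{item}: assigned {was}, must meet {need}")
```

In the sample data the file server was rated D on its own, but it must meet AA because order entry reaches it through the database.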

DRP: Disaster Planning Process Steps

Data Processing Continuity Planning

Data Recovery Plan Maintenance

DRP: Data Processing Continuity Planning

Common alternate processing types
1. Mutual Aid Agreements
2. Subscription services
3. Multiple centers
4. Service bureaus
5. Other data center backup alternatives
  1. Automated Tools to create DRP (www.intiss.com/intisslinks)

DRP: Mutual Aid Agreements

Both parties agree to support each other
Advantages
  Very little or no cost
  Same NOS, data comm needs, & transaction processing procedures
Disadvantages
  Only use if no other option available
  Same infrastructure with unused capacity highly unlikely
  Limits responsiveness & support
  What about disaster that affects both orgs

DRP: Subscription Services

3rd party commercial services & alternate processing

Basic Forms of Subscription Svcs
  Hot Site
  Warm Site
  Cold Site

DRP: Multiple Centers

Spread processing around multiple sites and ensure excess capacity at each site

Adv: Financial
Dis: Mutual disaster could overtake both (or all) sites

DRP: Service Bureaus & Other

Service Bureaus: Contractual Agreement to provide backup
  Adv: Quick & available
  Dis: Expensive
Rolling/Mobile backup site
Vendor remote re-supply of hdw
Prefabricated buildings

DRP: Transaction Redundancy

Level of fault tolerance in transaction processing
Electronic Vaulting
  Transfer of backup offsite
Remote Journaling
  Offsite parallel processing
Database Shadowing
  Offsite parallel database(s)

DRP: Maintenance

DRP easily gets out-of-date
Regular audit procedures ensure currency
Review, evaluate, modify, update
  After training exercises
  After disaster response
  When personnel change
  When policies, procedures or infrastructure change

DRP: Testing

No plan really exists until tested
“Test plan must be created & carried out in orderly, standardized fashion & executed on a regular basis”
Reasons for Testing
  Verifies accuracy of DRP
  Prepares personnel
  Verifies processing capacity of alternate site
  To find weaknesses: if none found, was probably a bad test
Mistakes WILL BE MADE

DRP: Testing -- The Test Document

Documented Test scenario
Reasons for test, type of test, objectives
Granular details of what will happen
Scheduling of test
Duration of test
Specific test steps
Participants
Task assignments
Resources & services to be used

DRP: Testing – Test Levels

1. Checklist review
2. Structured walk-through
3. Simulation test
4. Parallel test
5. Full-scale exercise

DRP: Procedures

Details roles played & tasks assigned
External groups, financial considerations
Senior Management:
  Remain visible
  Directing, managing, monitoring recovery
  Rationally amending plans
  Clearly communicating roles & responsibilities
IT Management:
  Identify mission critical apps
  Reassess recovery site’s stability
  Recovering & constructing data
Human resources
Financial

DRP: Teams

Recovery Team
  Primary task to get critical apps functioning at alternate site
Salvage Team
  Isolate incident scene
  Secure & control access
  Return primary site to fully functional
  Authority to declare incident over
  Different personnel from Recovery Team

DRP: Other Issues

Not over till main site fully functional
Interfacing with External Groups
  Relations with external often overlooked
Employee Relations
  Major incident == stress, pay checks?
Fraud & Crime
  Alternate site much more easily exploited
Financial Disbursement
Media Relations