Slide 1

1

Continuity of Operations Planning Continuity of Operations Planning COOP 101COOP 101

Stephen X. MazzucaSr. Account Executive

Federal Sales

www.ParadigmSolutionsCorp.com

http://www.paradigmsolutionscorp.com/

2

As defined by the Disaster Recovery Institute:

The ability of an organization to ensure continuity of service The ability of an organization to ensure continuity of service and support for its customers and to maintain its viability and support for its customers and to maintain its viability before, after, and during an event.before, after, and during an event.

Simply Stated: Simply Stated:

The ability to stay in business after a disaster strikesThe ability to stay in business after a disaster strikes !!

Copyright © CER 2003

What is CONTINUITY OF OPERATIONS CONTINUITY OF OPERATIONS PLANNING?PLANNING?

3

BENEFITS OF A CONTINUITY OF BENEFITS OF A CONTINUITY OF OPERATIONS PLANNING PROGRAMOPERATIONS PLANNING PROGRAM

. . Reduce Disaster Impact on the

company.

. . Provide a Reliable Source of Information to be used at time of

Disaster.

. . Provide Ongoing Maintenance of all Plans

. . Provide Ongoing Testing of all Plans

. . Plan Timely response to loss of business and computing resources.

. . Provide Clear understanding of Roles and Responsibilities


4

NEED FOR CONTINUITY OF OPERATIONS NEED FOR CONTINUITY OF OPERATIONS PLANNINGPLANNING

Contractual &Contractual &Legal obligationsLegal obligationsContractual &Contractual &

Legal obligationsLegal obligations

Employees Health Employees Health & Safety& Safety

Employees Health Employees Health & Safety& Safety

Liability Liability ExposureExposure Liability Liability ExposureExposure

Cash flow andCash flow andFinancial PerformanceFinancial Performance

Cash flow andCash flow andFinancial PerformanceFinancial Performance

Market ShareMarket ShareMarket ShareMarket Share

CustomerCustomerServiceService

CustomerCustomerServiceService

Brand Image &Brand Image &

ReputationReputation

Brand Image &Brand Image &

ReputationReputationSalesSalesSalesSales

RegulatoryRegulatoryRequirementsRequirements

COMPLIANCE

RegulatoryRegulatoryRequirementsRequirements

COMPLIANCE

5

• It will happen only to the "other company." and / or• The odds of our business being struck by a disaster are extremely low, or at least the

damage will be minimal.• Continuity of Operations/Business Continuity Plans are not a government `` Continuity of Operations/Business Continuity Plans are not a government ``

requirement.``requirement.``• It is Human nature to put off something that “ we think ” we are not required to have.• Continuity of Operations Planning, testing, and proper data backup and archiving

activities cost money and offer no obvious return on investment.

Statistical InformationAverage Hourly Cost of Downtime:

Brokerage House (or large e-commerce site) $ 6.4 million Credit Card Sales and Authorization $ 2.6 million Catalog Sales $ 90 thousand Package Shipping and Transportation Industry $ 28 thousand UNIX Networks $ 75 thousand PC LANs $ 18 thousand

Average Hourly Cost to Re-create Data $ 50 thousand

Perfect Reasons Not to ProcrastinatePerfect Reasons Not to Procrastinate

Objections to COOP/BCPObjections to COOP/BCP

6

Federal Mandate“The head of each Federal department and agency shall ensure the continuity of essential functions in any national security emergency by providing for: succession to office and emergency delegation of authority in accordance with applicable law; safekeeping of essential resources, facilities and records; and establishment of emergency operating capabilities.”Executive Order 12656

Legal Statute - D&O Insurance Limitations"Directors and Officers of companies have a fiduciary responsibility to ensure that any and all reasonable efforts are made to protect their companies. D&O insurance only protects officers if they used good judgment and their decisions resulted in harm to their company and/or employees. "Courts will assess liability by determining the probability of loss, multiplied by the magnitude of the harm, balanced against the cost of prevention.

BURDEN of PROOFThe burden of proof would be on Company X to prove that all reasonable measures had been taken to mitigate the harm caused by the disaster.

FCPAThe FCPA (Foreign Corrupt Practices Act ) is unique in that it holds corporate managers personally liable for protecting corporate assets. Failure to comply with the FCPA exposes individuals and companies to the following: Personal fines up to $10,000, Corporate fines up to $1,000,000, and Prison terms up to five years.

FFEICFederal Financial Institutions Examination Council (FFIEC) issued an updated policy statement on "Corporate Business Resumption and Contingency Planning" (SP-5) for financial institutions, as of March 1997. It emphasizes that the directors and management of financial institutions must address the inherent risks associated with the loss or disruption of services to themselves and their customers.

LEGAL / REGULATORY REASONS FOR LEGAL / REGULATORY REASONS FOR COOP/BCPCOOP/BCP

7Copyright © CER 2003

The Primary Objectives of COOP/BCP:The Primary Objectives of COOP/BCP:

Ensure 'survival' of the organization under a number of postulated business interruption scenarios.

. . Define strategies for resumption of the critical business functions to specific performance targets within specified time periods (RTO, RPO, SLA) following the interruption scenario.

The assumption is that the organization's short-term survival will be assured if the resumption/recovery strategies are correctly implemented

The assumption is that the organization's short-term survival will be assured if the resumption/recovery strategies are correctly implemented

Objectives are delivered, via a set of contingency plan components better known collectively as the “Continuity of Operations Plan” or “Business Continuity Plan”. These contingency plans include: Emergency Management/Crisis Management, Agency/Business Recovery, and Disaster Recovery

OBJECTIVES OF CONTINUITY OF OBJECTIVES OF CONTINUITY OF OPERATIONS PROGRAMOPERATIONS PROGRAM

8

PLAN COMPONENTSPLAN COMPONENTS

9

Contingency Plan ComponentsContingency Plan Components


Continuity of Operations/Business Continuity Plan

ARP/BRPEnterprise-wide

Emergency/CrisisManagement

Response/Decision Making/Communications

Planning focused on resumption of critical processes

Planning focused on quickly restoring failed IT systems in line with acceptable IT budget impact

DRPSystem-oriented

Continuing the Operations of an enterprise –”continuity”

User CommunityIA and funding dictatethe level of recovery a

Business Unit/IT Applicationwill receive

(i.e.. hours, days, weeks)

Continuity of Operations/Business Continuity Plan






DRPSystem-oriented










DRPSystem-oriented






Contingency Plan Components - DefinedContingency Plan Components - Defined

Continuity of Operations Plan - COOP(GSA)

a,k,a, Business Continuity Plan -Commercial

Emergency Management/Crisis

Management

Agency/Business Recovery

Disaster Recovery(IT)

Methods for managing a crisis

Crisis decision-making tool for Executives

Methods of assessing the criticality of a crisis

Methods of communicating to employees, media, and emergency response entities

Methods for Disaster Declarations

Methods for recovering IT applications, systems, and networks, etc

Methods for establishing backup procedures

Methods for determining alternate processing sites.

May or may not include telecommunications or non-IT business systems

Methods of ensuring the resumption/ recovery of business processing.

Methods for identifying work-arounds/alternatives

Methods of recovering key business processing systems (telecommunications, shop equipment

Includes Team Work Area Recovery




Management



















Management
















11

STRATEGIC PLANNING – PHASE 1STRATEGIC PLANNING – PHASE 1

12

The goal of any mitigation strategy is to minimize negative impact. Planning strategies should be based on the outcome of the Impact Assessment and Risk Assessment.

Planning strategies must encompass the key planning initiatives:

1: Identification

To identify potential disaster scenarios

1: Identification

To identify potential disaster scenarios

3. Planning

To create recovery plans, strategies, and tactics.

3. Planning

To create recovery plans, strategies, and tactics.

6. Recovery:

To put the pieces back together, providing business resumption and

recovery

6. Recovery:

To put the pieces back together, providing business resumption and

recovery

5. Action:

To mobilize when disaster occurs.

5. Action:

To mobilize when disaster occurs.

4. Testing

To test recovery plans and related activities

4. Testing

To test recovery plans and related activities

2. Assessment

To quantify consequences and disaster impact

2. Assessment

To quantify consequences and disaster impact


Mitigation StrategiesMitigation Strategies

13

Recovery plans must be tested at least once a year to Recovery plans must be tested at least once a year to effectivelyeffectively support critical business requirements..support critical business requirements..

The most cost-effective COOP/BCP plans The most cost-effective COOP/BCP plans will be based on priorities determined by a will be based on priorities determined by a

comprehensive Impact Analysis - IA.comprehensive Impact Analysis - IA.

Financial

Regulatory

Legal Employees

Sales

Customer

Production

Other


Best Practices for COOP/BCPBest Practices for COOP/BCP

14

BCP/ COOP StrategyBCP/ COOP Strategy

It is much easier to react with a plan in hand! It is much easier to react with a plan in hand!

PreventionPrevention

To avoid and minimize To avoid and minimize disaster frequency and disaster frequency and

occurrence to the extent occurrence to the extent possible.possible.

AnticipationAnticipation

To identify likely disasterTo identify likely disaster scenarios and assess scenarios and assess related consequencesrelated consequences..

MitigationMitigation

To take the necessaryTo take the necessary steps to react, respond,steps to react, respond,

and and minimize any negativeminimize any negative

While it is essential to build strategies around a “worse-case” disaster, the strategy must also address three basic needs:

15

A Comprehensive contingency plan must address five major elements:

Impact Analysis

Risk Analysis

The Emergency Response/Crisis Management organization and procedures for reacting to and coordinating recovery efforts. – Crisis/Emergency Management

Plan

The Business Resumption procedures for the continuation of critical business processes – Business Agency Recovery Plan

The Recovery Support procedures for restoring key Information Technology resources – Disaster Recovery Plan.


Five Major COOP ElementsFive Major COOP Elements

16

PLAN DEVELOPMENT/PLAN DEVELOPMENT/

IMPLEMENTATION - PHASE 2IMPLEMENTATION - PHASE 2

17

Organize procedures to

effectively initiate and manage the

recovery activities.

Identify the critical

workload and where

it will process at time of disaster

Identify recovery

responsibilities and functions necessary to

resume computer

processing of critical

applications.

Identify the personnel

responsible for maintaining and exercising the

various parts of the plan


Develop and Implement – Phase 2Develop and Implement – Phase 2

18

COOP/BCP LifecycleAnalysis

Continuity Of OperationsContinuity Of Operations/Business Continuity/Business Continuity

AAnalysisnalysis

Plan Development

Plan DevelopmentImpl

emen

tatio

n

Impl

emen

tatio

n

COOP/BCP LifecycleCOOP/BCP Lifecycle


BUSINESS RECOVERY PLANNING – ARPBUSINESS RECOVERY PLANNING – ARP

The process of planning to ensure that the agencies can survive an event that causes interruption to normal processes.

It includes :• Resumption, recovery and restoration phases of all identified agency functions as dictated by SLA (service level agreement) and RTO (recovery time objectives).

• Resumption - Interim procedures to resume survival-critical agency functions

• Recovery - Interim procedures to continue processing survival-critical, mission critical, and essential agency functions prior to restoration of the stricken facility

• Restoration - Returning to reconstructed/permanent facility. All processing restored. Backlog cleaned-up.

• Identifying critical agency functions and workarounds.

• Instructions and information on what to do including essential details on procedures, directions, and schedules.

• Documenting plans to enable agency functions to be resumed /recovered/restored in the event of a disruption.

• In general, the agency recovery plan should expect the worst case.

BUSINESS RECOVERY PLANNING – ARPBUSINESS RECOVERY PLANNING – ARP

The process of planning to ensure that the agencies can survive an event that causes interruption to normal processes.

It includes :• Resumption, recovery and restoration phases of all identified agency functions as dictated by SLA (service level agreement) and RTO (recovery time objectives).

• Resumption - Interim procedures to resume survival-critical agency functions

• Recovery - Interim procedures to continue processing survival-critical, mission critical, and essential agency functions prior to restoration of the stricken facility

• Restoration - Returning to reconstructed/permanent facility. All processing restored. Backlog cleaned-up.

• Identifying critical agency functions and workarounds.

• Instructions and information on what to do including essential details on procedures, directions, and schedules.

• Documenting plans to enable agency functions to be resumed /recovered/restored in the event of a disruption.

• In general, the agency recovery plan should expect the worst case.

Develop and Implement – Phase 2Develop and Implement – Phase 2

20

CRISIS MANAGEMENT PLANNING – CMPCRISIS MANAGEMENT PLANNING – CMP

The process for facilitating communications, information gathering and decision-making immediately following the onset of a crisis. It includes and is dependent upon preparedness.

Specifically, crisis management focuses on:

• Identification of the crisis communications team (and others who might assist the team in certain situations)

• Predefined individual and team responsibilities for the crisis management team members

• Contact lists for all internal and external stakeholders

• Responsibilities and procedures for crisis/disaster declaration

• Establishment of Crisis Command Centers for directing the crisis event

• Coordination with effected constituents, such as the community, neighboring industries, and identified support entities (fire, police, hospitals, etc.)

• Links Agency Recovery and Disaster Recovery, via Emergency Management and Direction

CRISIS MANAGEMENT PLANNING – CMPCRISIS MANAGEMENT PLANNING – CMP

The process for facilitating communications, information gathering and decision-making immediately following the onset of a crisis. It includes and is dependent upon preparedness.

Specifically, crisis management focuses on:

• Identification of the crisis communications team (and others who might assist the team in certain situations)

• Predefined individual and team responsibilities for the crisis management team members

• Contact lists for all internal and external stakeholders

• Responsibilities and procedures for crisis/disaster declaration

• Establishment of Crisis Command Centers for directing the crisis event

• Coordination with effected constituents, such as the community, neighboring industries, and identified support entities (fire, police, hospitals, etc.)

• Links Agency Recovery and Disaster Recovery, via Emergency Management and Direction


Develop and Implement – Phase 2 – continuedDevelop and Implement – Phase 2 – continued

21

IT DISASTER RECOVERY PLANNINGIT DISASTER RECOVERY PLANNING Component – DRP

The process of planning to ensure disaster recovery support services for the resumption, recovery and restoration of all identified critical applications, associated systems, and infrastructure contained within corporate computer processing centers, in a timeframe dictated by business requirements (SLA, RPO, RTO).

Until recently, DRP was the only component addressed. Other BCP components did not become essential until after 9-11.

It includes:• Identifying critical IT applications, systems and their dependencies.• Preventing Failure when appropriate. • Providing instructions and information on what to do including essential details on procedures, directions, and schedules • Documenting plans to enable critical applications/systems and related infrastructure to be resumed in the event of a disruption as dictated by the Business. • In general, the disaster recovery plan should expect the worst case.

High Availability Perspective:

Plans should ensure that the inevitable, occasional interruption is transparent to the enterprise's key stakeholders, Plans should ensure that the inevitable, occasional interruption is transparent to the enterprise's key stakeholders, including customers, stockholders, and employeesincluding customers, stockholders, and employees ..

IT DISASTER RECOVERY PLANNINGIT DISASTER RECOVERY PLANNING Component – DRP

The process of planning to ensure disaster recovery support services for the resumption, recovery and restoration of all identified critical applications, associated systems, and infrastructure contained within corporate computer processing centers, in a timeframe dictated by business requirements (SLA, RPO, RTO).

Until recently, DRP was the only component addressed. Other BCP components did not become essential until after 9-11.

It includes:• Identifying critical IT applications, systems and their dependencies.• Preventing Failure when appropriate. • Providing instructions and information on what to do including essential details on procedures, directions, and schedules • Documenting plans to enable critical applications/systems and related infrastructure to be resumed in the event of a disruption as dictated by the Business. • In general, the disaster recovery plan should expect the worst case.

High Availability Perspective:

Plans should ensure that the inevitable, occasional interruption is transparent to the enterprise's key stakeholders, Plans should ensure that the inevitable, occasional interruption is transparent to the enterprise's key stakeholders, including customers, stockholders, and employeesincluding customers, stockholders, and employees ..

Develop and Implement – Phase 2 – continuedDevelop and Implement – Phase 2 – continued

22

TESTING and MAINTENANCETESTING and MAINTENANCE

PHASE 3PHASE 3

23

The method of training provided is dependent on the level and complexity of a disaster scenario.

Full-Scale Exercise

Full-Scale Exercise

Fully integrated exercise that pulls

together all functional areas.

Fully integrated exercise that pulls

together all functional areas.

Functional Exercise

Functional Exercise

Test individual functional areas

within the organization.

Test individual functional areas

within the organization.

Tabletop / Mini-Drill

Tabletop / Mini-Drill

Test parts of the plan and to

reinforce logic and decision-

making.

Test parts of the plan and to

reinforce logic and decision-

making.

Orientation / Walkthrough

Orientation / Walkthrough

Designed to familiarize

personnel with the plans and equipment.

Designed to familiarize

personnel with the plans and equipment. Awareness, commitment, and skills must be repeatedly practiced to maintain

the edge necessary for the greatest level of response.

LOW

HIGH

Copyright © CER 2003 30

Training Methods – Exercising the PlanTraining Methods – Exercising the Plan

24

Questions and AnswersQuestions and Answers

25

Continuity of Operations Planning Continuity of Operations Planning COOP 101COOP 101

www.ParadigmSolutionsCorp.com

Stephen X. MazzucaSr. Account Executive, Federal Sales

Tel (240) 283-3420Cell (410) 207-7969

[email protected]

http://www.paradigmsolutionscorp.com/

mailto:[email protected]

Documents

Slide 1