Business Continuity Disaster Recovery All about business Assumes
Business Continuity & Disaster Recovery All about business Assumes the worst has happened
Domain Definition Preparation, testing, & updating of actions required to protect critical business processes from the effects of major system & network failures
BCP Created to prevent interruptions to normal business activity Minimize effects of disruptive event Enhance orgs capability to recover Minimize cost Mitigate risks
BCP: Areas Covered LANs, WANs, DMZ, Servers Telecomm & data comm links Workstations & workspaces Applications, software, & data Media & records storage Staff duties & production processes
BCP & DRP: Primary Concern Life Safety Evacuation routes Assembly areas Accounting for personnel Protection of people always comes first
Continuity Disruptive Events All plans & processes are “After the Fact” Examples: Fires, explosions, spills Earthquakes, storms, floods, ex Power outages & other utility failures Bombings, sabotage Strikes & other job actions Employee unavailability Comm infrastructure failures
Asset Loss Revenues Lost during incident Ongoing recovery costs Fines & penalties Competitive advantage, credibility or good will damaged by incident
Four Prime Elements of BCP 1. Scope & Plan Initiation a. 2. Business Impact Assessment a. 3. Help buss units understand impact BCP Development a. 4. Define scope & parameters of plan Implementation, testing, maintenance Plan Approval & Implementation a. Senior mgt signoff & org. awareness
BCP 1. Scope & Plan Initiation Examine org. operations & support services All business units involved Distributed processing == special problems BCP committee Senior Management – total, highly visible support Due diligence: Foreign corrupt practices act of 1977
BCP: 2. Buss. Impact Assess. What impact incident would have Financial, Operational, Vulnerability Primary Goals Criticality Prioritization Downtime Estimation Resource Requirements
BCP: 2. Buss. Impact Assess. Steps 1. Gathering info needed a. Critical business units & interdependencies 2. 3. Vulnerability assessment Analyzing info compiled (next slide) a. Clearly describe support required 4. Documenting results & present recommendations
BCP: 2. BIA – Vulnerability Assess. Similar to but smaller than Risk Analysis Quantitative loss criteria Qualitative loss Criteria Revenue, capital, liability, operational expenses, contract agreements, regulatory requirements Competitive advantage, mkt share, public confidence, etc Common Steps List Potential Emergencies, 2. Estimate likelihood, 3. Assess impact, 4. Resources Required
Sample Vulnerability Table A. B. C. D. E. F. G. H. Type of Emergency Probability (High 5 – Low 1) Human Impact (High Impact 5 …) Property Impact Business Impact Internal Resources (Weak Resources 5 …) External Resources Total
BCP: 3. BCP Development Use BIA to create recovery strategy plan Defining the continuity strategy Elements: computing, facilities, people, supplies & equipment Short-term goals & objectives Vital personnel, systems, operations, equipment Priorities for restoration Acceptable downtime & minimum resources req. Long-term goals & objectives Org’s strategic plan Funding, Management & coordination of events Funding & fiscal Management IT department: backup & restore, physical security, logical security, system administration
BCP: 4. Approval & Implementation Approval by Senior Management Creating plan awareness Org’s ability to recover will most likely depend on many individuals Maintenance of Plans easily get out of date
Disaster Recovery Planning (DRP) Procedures for: Responding to emergency Providing extended backup operations Managing recovery & salvage operations “Primary objective is to implement critical processes at an alternate site & return to primary site & normal operations with time frame that minimizes loss to the organization. ”
DRP: Planning Process Development & creation of recovery plans BIA has been made so now defining steps needed to protect business in actual disaster Recovery Time frame Requirements AAA – Immediate recovery needed, no downtime AA – Full functional recovery within 4 hours A – Same day business recovery needed B – Up to 24 hours downtime acceptable C – 24 – 72 hours downtime acceptable D – Greater than 72 hours downtime ok
DRP: Disaster Planning Process Steps Data Processing Continuity Planning Data Recovery Plan Maintenance
DRP: Data Processing Continuity Planning Common alternate processing types 1. 2. 3. 4. 5. 1. Mutual Aid Agreements Subscription services Multiple centers Service bureaus Other data center backup alternatives Automated Tools to create DRP (www. intiss. com/intisslinks)
DRP: Mutual Aid Agreements Both parties agree to support each other Advantages Very little or no cost Same NOS, data comm needs, & transaction processing procedures Disadvantages Only use if no other option available Same infrastructure with unused capacity highly unlikely Limits responsiveness & support What about disaster that affects both orgs
DRP: Subscription Services 3 rd party commercial services & alternate processing Basic Forms of Subscription Svcs Hot Site Warm Site Cold Site
DRP: Multiple Centers Spread processing around multiple sites and insure excess capacity at each site Adv: Financial Dis: Mutual disaster could overtake both (or all) sites
DRP: Service Bureaus & Other Service Bureaus: Contractual Agreement to provide backup Adv: Quick & available Dis: Expensive Rolling/Mobile backup site Vendor remote re-supply of hdw Prefabricated buildings
DRP: Transaction Redundancy Level of fault tolerance in transaction processing Electronic Vaulting Remote Journaling Transfer of backup off site Off site Parallel processing Database Shadowing Off site parallel database(s)
DRP: Maintenance DRP easily get out-of-date Regular audit procedures ensure currency Review, evaluate, modify, update After training exercises After disaster response When personnel change When policies, procedures or infrastructure changes
DRP: Testing No plan really exists until tested “Test plan must be created & carried out in orderly, standardized fashion & executed on a regular basis” Reasons for Testing Verifies accuracy of DRP Prepares personnel Verifies processing capacity of alternate site To find weaknesses: if non found was probably a bad test. Mistakes WILL BE MADE
DRP: Testing -- The Test Documented Test scenario Reasons for test, type of test, objectives Granular details of what will happen Scheduling of test Duration of test Specific test steps Participants Task assignments Resources & services to be used
DRP: Testing – Test Levels 1. 2. 3. 4. 5. Checklist review Structured walk-through Simulation test Parallel test Full-scale exercise
DRP: Procedures Details roles played & tasks assigned External groups, financial considerations Senior Management: Remain visible Directing, managing, monitoring recovery Rationally amending plans Clearly communicating roles & responsibilites IT Management: Identify mission critical apps Reassess recovery site’s stability Recovering & constructing data Human resources Financial
DRP: Teams Recovery Team Primary task to get critical apps functioning at alternate site Salvage Team Isolate incident scene Secure & control access Return primary site to fully functional Authority to declare incident over Different personnel from Recovery Team
DRP: Other Issues Not over till main site fully functional Interfacing with External Groups Employee Relations Major incident == stress, pay checks? Fraud & Crime Relations with external often overlooked Alternate site much more easily exploited Financial Disbursement Media Relations
- Slides: 31