Business Continuity Planningand Disaster RecoverySession 5a - BambergMay 2008StatisticsνAccording to a recent NFIB NationalSmall Business Poll, man-madedisasters affect 10% of smallbusinesses, whereas natural disastershave impacted more than 30% of allsmall businesses in the USABCP and DRPνVery important for “due care” and “due diligence” inlawsuitνThe worst has happened, how do you recover?νBCP - Business Continuity PlanningνKeep vital operation running during emergencyνDRP - Disaster Recovery PlanningνReturn to normal operationsνPhysical security focuses on prevention, DRP andBCP looks at clean up afterνIncludes computers, but also goes beyondShould know the followingνThe difference between BCP and DRPνDifference between manmade and natural disastersνFive prime elements of BCPνReasons for and steps in BIAνSteps in creating DRPνDRP testingνTypes of backup servicesThe ImpactνThe U.S. Department of Laborestimatesν40% of businesses never reopen followinga disaster.νOf the remaining companies, at least 25%will close within 2 years.(http://sbinformation.about.com/od/disastermanagement/a/disasterrecover.htm)Business Continuity PlanningνPrevent interruptions to normalbusiness activityνMinimize the effect of disturbancesνReduce the risk of financial loss duringnegative eventνTop priority - protect human life1Critical Information ProcessingνLocal and wide area networksνTelecom and data com linksν Workstations and spaceνApplications, software and dataνMedia and records storageνStaff duties and production processνMore…..Elements to BCPνScope and Plan InitiationνDefine scope and parametersνBusiness Impact AssessmentνUnderstand the impact of disruptive eventνBusiness Continuity Plan DevelopmentνUse BIA to develop planνPlan Approval and ImplementationνSenior management sign off, create awarenessand keep updatedBusiness Impact Assessment(BIA)νMay be most critical stepνNeed to find out what the businessimpact of a disruption would beνFinancial (quantitative)νOperational (qualitative)νSkypeNatural vs Man Made EventsνNatural (or accidental)νFires, explosions, hazards spillsνEarthquakes, storms, floodsνPower outagesνMan Made (on purpose)νBombing, arson, sabotage or other intentionalattacksνStrikes or other job actionsνCommunication infrastructure failure (due toattack)νCyber terrorismScope and Plan InitiationνFirst step - assemble cross functional teamνExecutive management - Initiates project, givesfinal approval and supportνSenior business unit managers - identifies andprioritizes time critical systemsνBCP committee - directs the planning,implementation and test processνWho do you select?νFunctional business unites - participate inimplementation and testing2Three Primary Goals of BIAνCriticality PrioritizationνMust prioritize systems (Rank), may not be able to give allfull coverageνStudent grades presentationνDowntime EstimationνDetermine the Maximum Tolerable Downtime (MTD)νWhat is the longest period of time a critical process canremain interrupted before the company can never recover?νResource RequirementsνWhat resources do you need for the most criticalprocesses?Four Steps in BIAνGather needed assessment materialsνPerform vulnerability assessmentνAnalyzing the compiled informationνDocumenting results and presentingrecommendationsVulnerability AssessmentνSimilar to risk assessment performed earlierνQuantitative FactorsνFinancial loss, capital expense, personal liabilityνAdditional operations expenseνBreach of contract expense or regulatoryviolationsνQualitative FactorsνLoss of competitive advantageνLoss of public confidenceνCritical support areasνTelecom, IT, Physical infrastructureνAccounting, payroll (very important), TPS,It Exec and business Exec AtoddsMaterials to GatherνIdentify critical business unitsνOrg chart, interrelationshipsνRevenue and services requiredνLegal or regulatory requirementsAnalyzing InformationνPut in all togetherνClearly describe what support thedefined critical areas will need3Documentation andRecommendationsνLast step of BIAνDocument everythingνFormalize and justify recommendationνSummarize quantitative and qualitativeimpact statementsνProvide recommended recovery periodsPlan Approval andImplementationνPresent to senior managementνHave roadmap for implementationνStepsνSenior management approvalνPlan AwarenessνPlan MaintenanceThe DRPνA comprehensive statement ofconsistent actions to be taken before,during and after a disruptive eventνMust take before, after is often to lateνRun out of gasνBullet proof vestνCannot go back in timeBusiness Continuity PlanDevelopmentνDefine and document recovery strategy forνComputingνFacilitiesνPeopleνSupplies and EquipmentνDocumentation is importantνLegal reasonsνOther people to look at and followDisaster Recovery Planning(DRP)More StatisticsνOver 60% of businesses confronted bya major disaster close by two years,according to the Association of RecordsManagers and Administrators.4Two StepsνData Processing Continuity PlanningνData Recovery Plan MaintenanceSubscription ServicesνHot site - fully functional backup locationνCan be up in minutesνFully functional, expensive, administratively taxingνRisk of data breach - another spot to hack intoνOverbookingνWarm site - partially functional backup locationνTakes hours/days to get upνMuch less expensive and taxingνCould be ok if BIA does not identify extremely urgentprocessing - Joe’s lawn careνCold Site - an empty building, no equipmentνCould take weeks to get online, CheapνNot considered adequateTransaction RedundancyνElectronic VaultingνTransfer backup to offsite locationνBatch and dump to serverνRemote JournalingνParallel processingνAlternate site fully operational at all timesνVery high level of fault toleranceνDatabase ShadowingνEven more redundancyνDuplicates database sets to multiple serversAlternate ProcessingνMutual AidνLow cost, not enforceableνMay not be compatibleνFriend stay at placeνWhat if both are out?νMay work with parent companyOther Alternate ProcessingOptionsνMultiple centersνMany large companies have alreadyνGoogle, Fidelity etcνService Bureau (Outsource it all)νVery expensiveνRolling/Mobile backup sitesνVendor resupply agreementsνPrefabricated buildingsνVery cold siteDisaster Recovery TestingνReasons to testνVerifies the accuracy of the recoveryproceduresνPrepares and trains the personnelνFire drillνVerifies process capability at alternate site5Types of TestsνChecklist - go over listνFlight check, preliminary to real testνStructures Walk Through - meet and discussνActors reading scriptνSimulation - acts out, key personnelνGoes to the point of relocatingνParallel - Full test, all personalνUse backup facilities in syncνFull Interruption - The real dealνSwitch to backup, very scary, but tells you what you need toknowνRisky and expensive, but most like real thingOther Recovery IssuesνInterfacing with external groupsνHave policy and trainingνEmployee relationsνHow to contact, pay, what to do with familiesνFraud and crimeνVandalism, theft, violence - KatrinaνFinancial disbursementνPay the billsνMedia relationsνHave credible informed spokesperson, take controlνTell story quickly, openly and honestly6