Presentation on theme: "David M. Crosby Disaster Recovery Planning ……."— Presentation transcript:
1. David M. Crosby Disaster Recovery Planning ……. Business Contingency Planning
A Business Model For Continuity Planning
David M. Crosby
Information Assurance and Business Sustainability

2. Introductions
David M. Crosby
- Former VP of Information Security, Venture Bank
- 35 Years Experience in IT
- 15 Years Experience in Information Security and Business Sustainability
- Finance, Aerospace, Insurance and Energy Industry; and Technology and Services Company Principal

4. The Business Continuity Management Program
Diagram labels: Service To Our Customers; Institutional Best Practices; County Regs.; HIPAA; GLB Notice; Disaster Recovery and Contingency Operations Protect Information and Processes; Int. Audit; Federal Regs.; Ext Audit; SB 1386; State Regs.

5. The Business Continuity Management Program
The interruption of fundamental business processes for any extended period of time could have a debilitating effect on our basic infrastructure…….and our way of life
- E-Commerce
- Private and Business Online Trading
- Cash Advances At ATM Machines
- Personal and Commercial Online Banking
- Purchases By Credit Cards
- Just In Time Inventories
- Communications
- Student Services
- Grants and Endowments
- General Administration & Finance

6. The Business Continuity Management Program
Diagram labels: ERP; DRP; BCP; CMP
ERP – Emergency Response Plan: Steps Taken To Immediately Respond To An Event, Ensure Personnel Safety, Minimize Further Impact To Assets, And Make Proper Notifications.
DRP – Disaster Recovery Plan: Steps Taken To Restore Specified Infrastructure Requirements Such As Information Systems, Clinical Equipment Environments, Internal And External Network Connections, And Data Structures Utilizing Alternate Resources For Hardware, Software, Data, and Networks.
BCP – Business Contingency Plan: Steps Taken To Restore Alternate Business Processes In The Event That Automated Processes Or Business Infrastructures Are Unavailable, Employing Documented Workaround And/Or Manual Procedures And Alternate Resources.
CMP – Crisis Management Plan: Steps Taken To Manage The Event To Ensure That Order Is Maintained, Employee Assistance Is Being Provided, Proper Information Is Being Disseminated By Appropriate Representatives, Action Items Are Effectively Escalated, And Ongoing Internal And External Notifications Are Consistent.

7. The Business Continuity Management Program
Diagram labels: ERP; DRP; BCP; CMP
Working Components
- Response - Notifications, assessments, escalations, declarations, etc. (established procedures)
- Recovery/Relocation - Mobilization, Quick-ship, Infrastructure, Network and Data recovery, etc. Movement of staff, patients, and business units to alternate facilities (flexibility and adaptability)
- Resumption - of Business Operations and I.T. functionality (business units must synch up processes and resume operations at an alternate site)
- Re-assessment - of situation, strategies, planning, reactions (input from all involved parties)
- Restoration - Movement back to home site and/or normal operations (reconstituted at restored site by I.T. and/or Business Units)
In order to clarify roles and responsibilities, and better define the scope of various components, we have established our own internal set of definitions

8. Components Of The Emergency Response Plan
Diagram headings: First Response; Notification; Assessment and Status; Escalations; Declarations
Diagram items: Personnel Safety; Damage Mitigation; Local Authorities; Evacuations; Initial Notifications; Telephone Trees; Command Center Assembly; Damage Assessment; Initial Status Reporting; Secondary Notifications; Organizational Committees; Local Authorities; Vendors; Customers; Media; Checklists; Scripts; Procedures; Contact Lists; Vendors; Mobilization

9. Components Of The Disaster Recovery Plan
Disaster Recovery Planning
Steps taken to restore specified infrastructure requirements such as Information Systems, business equipment environments, internal and external network connections, and data structures utilizing alternate resources for hardware, software, data, and networks.
What To Do When The Computer Goes Down

10. Components Of The Disaster Recovery Plan
Disaster Recovery Is……
The successful recovery of mission-critical I.T. services to the customer community in response to a crisis
- Flexible Response To A Crisis
- Place to Recover (Location/Equipment/Network)
- Defined “Recovery Set” (Critical Components)
- Reliable Backups
- Test – Maintain – Test
- Service Continuation
Disaster Recovery is NOT…..
- Recovery of full environment
- A business continuity plan
- A replacement for conventional service plans
- A trivial decision

11. Components Of The Disaster Recovery Plan
Diagram headings: Infrastructure; Applications Analysis; Network Infrastructure; Open Systems; Documentation; Hardware
Diagram items: Systems; Databases; TSO/CICS; Test Criteria/Objectives; Questionnaires; Interviews; Analysis; Documented Profiles; Test Criteria/Objectives; Recovery Plans; LDAP; DNS; Intranet/Internet; Gateway Servers; Test Criteria/Objectives; Owned Equipment; DR Vendor Equipment; Connectivity Requirements; Test Criteria/Objectives; Remote Access Parameters; Define ‘rogue’ FTPs; Identified Network Services; Checklists; Scripts; Procedures; Contact Lists; Test Criteria/Objectives

12. Components Of The Disaster Recovery Plan
I.T. Requirements
RECOVERY TIME OBJECTIVE (RTO): The period of time in which systems, applications, or I.T. functions must be recovered after an outage. RTOs are often used as the basis for the development of recovery strategies, and as a determinant as to whether or not to implement the recovery strategies during a disaster situation.
RECOVERY POINT OBJECTIVE (RPO): The point in time to which systems and data must be restored after an outage. RPOs are often used as the basis for the development of backup strategies, and as a determinant of the amount of data that may need to be recreated after the systems or functions have been recovered.

13. Components Of The Business Contingency Plan
Diagram labels: DRP; BCP
DRP – Disaster Recovery Plan: Steps taken to restore specified infrastructure requirements such as Information Systems, business equipment environments, internal and external network connections, and data structures utilizing alternate resources for hardware, software, data, and networks.
- Hardware
- System Software
- Data and Data Structures
- Applications
- Networks
- Desktop Services
- Production Support
We established a set of working definitions for I.T. disaster recovery planning
BCP – Business Contingency Plan: Steps taken to restore alternate business processes in the event that automated processes or business infrastructures are unavailable, employing documented workaround and/or manual procedures and alternate resources.
- Relocation of Personnel
- Availability of remote support services and network connections
- Contingency office space

14. Components Of The Business Contingency Plan
Business Contingency Planning
Steps taken to restore alternate business processes in the event that automated processes or business infrastructures are unavailable, employing documented workaround and/or manual procedures and alternate resources.
What To Do While The Computer Is Down

15. Components Of The Business Contingency Plan
Business Contingency Planning Is……
The successful response to an interruption in normal operating procedures and thus services to the customer community
- Flexible Response To A Crisis
- Place to Initiate Contingency Operations (Systems/Network/Location/Personnel/Equipment)
- Documented Systems Workaround Procedures
- Alternate Resources
Business Continuity is NOT…..
- Disaster Recovery, Emergency Preparedness, or Crisis Management
- A Permanent Solution
- An I.T. Issue

16. Components Of The Business Contingency Plan
Diagram labels: Mobilization; Alternate Processes; Alternate Resources; Personnel & Skill Sets; Facilities; Vendors; Hardware/Software; Communications; Business Resumption; Logistics; Transition Back To I.T.; Validation/Audit; Normal Operations; Business Cycles; Documentation; Procedures; Logistical Support; Forms; Contact Lists; I.T. Workarounds; Manual Business Processes; Alternate Data Capture; Logistics; Location(s); Transportation; Personnel

17. Components Of The Business Contingency Plan
Business Continuity Planning Scenarios
- Loss of I.T. Services or Resources
- Loss of Functional Support Personnel
- Loss of Facility
- Loss of Network Connectivity
- Loss of Voice Communications
- Loss of 3rd Party Suppliers
- Loss of Business Partners

18. Components Of The Business Contingency Plan
Build Contingency Plans
- Identify key functional components to establish the business environment
- Define the alternate process requirements for each component
- Ensure interdependent business processes are identified and can be synched up
- Define minimal processing requirements for each component
TEST TEST TEST TEST

19. Components Of The Business Contingency Plan
Business Recovery Requirements
RECOVERY TIME OBJECTIVE (RTO): When do I have to have an alternate process in place to address loss of primary functions (I.T. and otherwise)?
RECOVERY POINT OBJECTIVE (RPO): How current does my information have to be when normal processes are resumed?

20. Components Of The Business Contingency Plan
Centralized Administration and Coordination
Decentralized Development, Maintenance and Execution
- Web-Enabled – 24 x 7 x 365 access from anywhere with VPN connection
- Automated progress reporting during Plans development, maintenance, and execution
- Define relationship between BCPs and DRPs (RTO and RPO)
- Capable of expanding to include ERP and CMP
- Real-time updating to a single database, not multiple Plans
- Version Control on all Plans
- Concurrent Plan development
Diagram labels: Issue Templates; Import Templates; Develop BCPs
Flexibility when producing BCPs…………..or executing BCPs
- “Show me all Plans by Department….”
- “Show me all Plans by Building…..”
- “Show me all Plans by Building, by Floor…..”
- “Show me all Plans by Building, by Floor, by Department”
For execution and “system” testing, different views of recovery and continuity plans can be established to allow flexibility and accurate reporting

21. Components Of The Business Contingency Plan
Negotiate The Service Level Agreement Between I.T. And Business Operations
- Use Both The I.T. And Business RTO & RPO As The Basis
- Disaster Recovery Plan Test Results Quantify Timelines
- Business Contingency Plan Exercises Qualify Impact
- I.T. Capabilities Improve Timelines – But At A Cost
- Business Contingencies Reduce Impact - But Require I.T. Capabilities
This will require managing to the expectations of the organization with clearly defined SLAs including RTOs, RPOs, priority sequences, etc.
- Criticality Rankings
- Systems Recovery Sequencing
- Business Process Prioritization
- I.T. and Business Process Timelines
- Negotiated RTO and RPO

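The comparison behind the SLA negotiation on slide 21, as an added example that is not part of the original presentation: it sequences systems by criticality ranking, accumulates DR-test recovery durations, and reports where I.T. capability misses the business RTO or RPO. The field names, the sample systems, the numbers, and the assumption that recovery runs as one serial effort are all constructed for illustration.

```python
# Added example: field names, systems and numbers are constructed for illustration.
from dataclasses import dataclass

@dataclass
class System:
    name: str
    criticality: int          # 1 = most critical (criticality ranking)
    business_rto_h: float     # business needs service back within this many hours
    business_rpo_h: float     # business can recreate at most this many hours of data
    tested_recovery_h: float  # restore duration measured in the last DR test
    backup_interval_h: float  # hours between backups = worst-case data loss

def recovery_sequence(systems):
    """Order systems by criticality ranking, then by tightest business RTO."""
    return sorted(systems, key=lambda s: (s.criticality, s.business_rto_h))

def sla_gaps(systems):
    """Walk the sequence as one serial recovery effort (assumption) and report
    every system whose business RTO or RPO the current I.T. capability misses."""
    gaps, elapsed = [], 0.0
    for s in recovery_sequence(systems):
        elapsed += s.tested_recovery_h  # completion time since the declaration
        if elapsed > s.business_rto_h:
            gaps.append((s.name, "RTO", elapsed, s.business_rto_h))
        if s.backup_interval_h > s.business_rpo_h:
            gaps.append((s.name, "RPO", s.backup_interval_h, s.business_rpo_h))
    return gaps

# Constructed sample inventory (not from the presentation).
SYSTEMS = [
    System("payroll", 3, 72, 24, 10, 24),
    System("online-banking", 1, 4, 1, 3, 0.25),
    System("email", 2, 8, 4, 6, 24),
]

if __name__ == "__main__":
    for name, kind, actual, target in sla_gaps(SYSTEMS):
        print(f"{name}: {kind} gap, capability {actual}h vs business target {target}h")
```

In the sample data, email restores in 6 hours on its own but finishes 9 hours after the declaration because it is sequenced behind online banking, so it misses its 8-hour RTO; that is the kind of finding the negotiated SLA has to resolve.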
22. Components Of The Business Contingency Plan
Results
I.T. Better Understands The Customers’ Issues and Requirements
I.T. Obtains A Clearly Documented Set Of Customer Expectations For DRPs
- Clarify and Justify Budget Forecasts
- Establishes Specific Test Objectives
- Ensure Active Customer Involvement In Testing & Recovery Processes
Business Units Better Understand The Role Of I.T. In The Contingency Process
Business Units Obtain A Set Of Parameters From Which To Develop their BCPs
- Workaround Procedures During Downtime
- Procedures For Capturing Lost Transactions From Downtime and During Recovery
- Restoration Of Normal Environments

23. Components Of The Crisis Management Plan
Diagram headings: Event Analysis; Reaction Planning; Communications; Documentation
Diagram items: Catastrophic Events; Criminal Events; Disease/Epidemics; Technological or Safety; Utility or Structural; Weather; Personal vs. Professional; Emotional Assistance; Addressing Traumatic Stress; Family Assistance Pgms; Professional Assistance; Provide Information & Counseling; Post Incident Follow-up; Local Media; Employees; Local Authorities; Openness; Accuracy; Balance; Designate a point person; Continuous Flow; Employee Checklists And Action Plans; Press Release Data; Employee Notification Mechanisms

24. Components Of The Crisis Management Plan
Crisis Management Preparedness Key Elements
- Identification of vulnerabilities
- Performance of regional threat assessment
- Assessment of system resources
- Communications infrastructure
- Standardization of plans
- Dissemination of information
- Analysis of system Surge Capacity
- Collaboration with federal, state, local agencies

25. Components Of The Crisis Management Plan
Regional Collaboration
Who does what?? Who calls whom??
Diagram labels: Local; Fire/EMS/OES; Law Enforcement; Health Dept./Hazmat; Hospitals; State; State Health Dept.; State OES/DHS; Federal; Federal Emergency Mgmt Agency; CDC; Military; Private Sector; Collaboration; Individual Plans Supplement/Complement Broader Plans; Clinical Care Response; Public Health Response

26. The Business Continuity Management Program
When the issues surrounding both I.T. Disaster Recovery Plans and Business Unit Business Contingency Plans come together, what is at stake becomes much clearer, and each can understand the other's objectives and expectations. Only then can a total Business Continuation Program be effective.
And if the organization has an effective Business Continuation Program, not only can it assure that its goals and objectives will be met…..but will also become a valued partner in the protection of the larger infrastructure.