1. Business Continuity & Disaster Recovery
All about business
Assumes the worst has happened

2. Domain Definition
Preparation, testing, & updating of actions required to protect critical business processes from the effects of major system & network failures
Buss Continuity (BCP)
Disaster Recovery (DRP)
Plan initiation
Planning
Bus. Impact Assess. (BIA)
Testing
Plan Development
Specific Procedures

3. BCP Created to prevent interruptions to normal business activity
Minimize effects of disruptive event
Enhance orgs capability to recover
Minimize cost
Mitigate risks

4. BCP: Areas Covered LANs, WANs, DMZ, Servers Telecomm & data comm links
Workstations & workspaces
Applications, software, & data
Media & records storage
Staff duties & production processes

5. BCP & DRP: Primary Concern
Life Safety
Evacuation routes
Assembly areas
Accounting for personnel
Protection of people always comes first

6. Continuity Disruptive Events
All plans & processes are “After the Fact”
Examples:
Fires, explosions, spills
Earthquakes, storms, floods, ex
Power outages & other utility failures
Bombings, sabotage
Strikes & other job actions
Employee unavailability
Comm infrastructure failures

7. Asset Loss Revenues Lost during incident Ongoing recovery costs
Fines & penalties
Competitive advantage, credibility or good will damaged by incident

8. Four Prime Elements of BCP
Scope & Plan Initiation
Define scope & parameters of plan
Business Impact Assessment
Help buss units understand impact
BCP Development
Implementation, testing, maintenance
Plan Approval & Implementation
Senior mgt signoff & org. awareness

9. BCP 1. Scope & Plan Initiation
Examine org. operations & support services
Distributed processing == special problems
All business units involved
BCP committee
Senior Management – total, highly visible support
Due diligence: Foreign corrupt practices act of 1977

10. BCP: 2. Buss. Impact Assess.
What impact incident would have
Financial, Operational, Vulnerability
Primary Goals
Criticality Prioritization
Downtime Estimation
Resource Requirements

11. BCP: 2. Buss. Impact Assess. Steps
Gathering info needed
a. Critical business units & interdependencies
Vulnerability assessment (next slide)
Analyzing info compiled
a. Clearly describe support required
Documenting results & present recommendations

12. BCP: 2. BIA – Vulnerability Assess.
Similar to but smaller than Risk Analysis
Quantitative loss criteria
Revenue, capital, liability, operational expenses, contract agreements, regulatory requirements
Qualitative loss Criteria
Competitive advantage, mkt share, public confidence, etc
Common Steps
List Potential Emergencies, 2. Estimate likelihood, 3. Assess impact, 4. Resources Required

13. Sample Vulnerability Table
Type of Emergency
Probability (High 5 – Low 1)
Human Impact (High Impact 5 …)
Property Impact
Business Impact
Internal Resources (Weak Resources 5 …)
External Resources
Total A B C D E F G H

14. BCP: 3. BCP Development Use BIA to create recovery strategy plan
Defining the continuity strategy
Elements: computing, facilities, people, supplies & equipment
Short-term goals & objectives
Vital personnel, systems, operations, equipment
Priorities for restoration
Acceptable downtime & minimum resources req.
Long-term goals & objectives
Org’s strategic plan
Funding, Management & coordination of events
Funding & fiscal Management
IT department: backup & restore, physical security, logical security, system administration

15. BCP: 4. Approval & Implementation
Approval by Senior Management
Creating plan awareness
Org’s ability to recover will most likely depend on many individuals
Maintenance of Plan
Plans easily get out of date

16. Disaster Recovery Planning (DRP)
Procedures for:
Responding to emergency
Providing extended backup operations
Managing recovery & salvage operations
“Primary objective is to implement critical processes at an alternate site & return to primary site & normal operations with time frame that minimizes loss to the organization.”

17. DRP: Planning Process Development & creation of recovery plans
BIA has been made so now defining steps needed to protect business in actual disaster
Recovery Timeframe Requiements
AAA – Immediate recovery needed, no downtime
AA – Full functional recovery within 4 hours
A – Same day business recovery needed
B – Up to 24 hours downtime acceptable
C – 24 – 72 hours downtime acceptable
D – Greater than 72 hours downtime ok

18. DRP: Disaster Planning Process Steps
Data Processing Continuity Planning
Data Recovery Plan Maintenance

19. DRP: Data Processing Continuity Planning
Common alternate processing types
Mutual Aid Agreements
Subscription services
Multiple centers
Service bureaus
Other data center backup alternatives
Automated Tools to create DRP (

20. DRP: Mutual Aid Agreements
Both parties agree to support each other
Advantages
Very little or no cost
Same NOS, data comm needs, & transaction processing procedures
Disadvantages
Only use if no other option available
Same infrastructure with unused capacity highly unlikely
Limits responsiveness & support
What about disaster that affects both orgs

21. DRP: Subscription Services
3rd party commercial services & alternate processing
Basic Forms of Subscription Svcs
Hot Site
Warm Site
Cold Site
Hot Site:
Fully functional remote site
Remote journaling (mirroring current transactions)
Adv: best alternative 24/7 availability, lowest downtime
DisAdv: COST, requires constant maintenance, adds administrative overhead, common for provider to oversell capacity, security at remote site
Warm Site:
Cross between Hot & Cold Site,
Facility available, Comm links usually online but applications & configuration not done till needed
Adv: Cost, Location, Admin resources
Dis: Amount of downtime that will be incurred
Cold Site:
Least ready but most common type
Room with electrical power, HVAC but no computers or comm
Not adequate resource for disaster recovery
Adv: COST
Dis: False sense of security

22. DRP: Multiple Centers
Spread processing around multiple sites and insure excess capacity at each site
Adv: Financial
Dis: Mutual disaster could overtake both (or all) sites

23. DRP: Service Bureaus & Other
Service Bureaus: Contractual Agreement to provide backup
Adv: Quick & available
Dis: Expensive
Rolling/Mobile backup site
Vendor remote re-supply of hdw
Prefabricated buildings

24. DRP: Transaction Redundancy
Level of fault tollerance in transaction processing
Electronic Vaulting
Transfer of backup offsite
Remote Journaling
Offsite Parallel processing
Database Shadowing
Offsite parallel database(s)

25. DRP: Maintenance DRP easily get out-of-date
Regular audit procedures ensure currency
Review, evaluate, modify, update
After training exercises
After disaster response
When personnel change
When policies, procedures or infrastructure changes

26. DRP: Testing No plan really exists until tested
“Test plan must be created & carried out in orderly, standardized fashion & executed on a regular basis”
Reasons for Testing
Verifies accuracy of DRP
Prepares personnel
Verifies processing capacity of alternate site
To find weaknesses: if non found was probably a bad test. Mistakes WILL BE MADE

27. DRP: Testing -- The Test Document
Documented Test scenario
Reasons for test, type of test, objectives
Granular details of what will happen
Scheduling of test
Duration of test
Specific test steps
Participants
Task assignments
Resources & services to be used

28. DRP: Testing – Test Levels
Checklist review
Structured walk-through
Simulation test
Parallel test
Full-scale exercise
1. Checklist review
Plan sent to all business units & reviewed, preliminary step only not sufficient
2. Structured walk-through
Attempt to ensure plan accuracy, identify glaring faults
3. Simulation test
Emergency Mgt Group performs response functions in practice session
Does not perform actual steps
4. Parallel test
Tests specific functions like medical response, emergency notifications, warning & comm functions
Full test of recovery plan using all personnel & all drills executed
5. Full-scale exercise
Real life simulation as close as possible to real thing

29. DRP: Procedures Details roles played & tasks assigned
External groups, financial considerations
Senior Management:
Remain visible
Directing, managing, monitoring recovery
Rationally amending plans
Clearly communicating roles & responsibilites
IT Management:
Identify mission critical apps
Reassess recovery site’s stability
Recovering & constructing data
Human resources
Financial
Human Resources
retraining, productivity, moral, counseling
Financial
Reestablish account processes
Reestablish transaction controls

30. DRP: Teams Recovery Team Salvage Team
Primary task to get critical apps functioning at alternate site
Salvage Team
Isolate incident scene
Secure & control access
Return primary site to fully functional
Authority to declare incident over
Different personnel from Recovery Team

31. DRP: Other Issues Not over till main site fully functional
Interfacing with External Groups
Relations with external often overlooked
Employee Relations
Major incident == stress, pay checks?
Fraud & Crime
Alternate site much more easily exploited
Financial Disbursement
Media Relations