Download presentation
1
Business Continuity & Disaster Recovery
All about business Assumes the worst has happened
2
Domain Definition Preparation, testing, & updating of actions required to protect critical business processes from the effects of major system & network failures Buss Continuity (BCP) Disaster Recovery (DRP) Plan initiation Planning Bus. Impact Assess. (BIA) Testing Plan Development Specific Procedures
3
BCP Created to prevent interruptions to normal business activity
Minimize effects of disruptive event Enhance orgs capability to recover Minimize cost Mitigate risks
4
BCP: Areas Covered LANs, WANs, DMZ, Servers Telecomm & data comm links
Workstations & workspaces Applications, software, & data Media & records storage Staff duties & production processes
5
BCP & DRP: Primary Concern
Life Safety Evacuation routes Assembly areas Accounting for personnel Protection of people always comes first
6
Continuity Disruptive Events
All plans & processes are “After the Fact” Examples: Fires, explosions, spills Earthquakes, storms, floods, ex Power outages & other utility failures Bombings, sabotage Strikes & other job actions Employee unavailability Comm infrastructure failures
7
Asset Loss Revenues Lost during incident Ongoing recovery costs
Fines & penalties Competitive advantage, credibility or good will damaged by incident
8
Four Prime Elements of BCP
Scope & Plan Initiation Define scope & parameters of plan Business Impact Assessment Help buss units understand impact BCP Development Implementation, testing, maintenance Plan Approval & Implementation Senior mgt signoff & org. awareness
9
BCP 1. Scope & Plan Initiation
Examine org. operations & support services Distributed processing == special problems All business units involved BCP committee Senior Management – total, highly visible support Due diligence: Foreign corrupt practices act of 1977
10
BCP: 2. Buss. Impact Assess.
What impact incident would have Financial, Operational, Vulnerability Primary Goals Criticality Prioritization Downtime Estimation Resource Requirements
11
BCP: 2. Buss. Impact Assess. Steps
Gathering info needed a. Critical business units & interdependencies Vulnerability assessment (next slide) Analyzing info compiled a. Clearly describe support required Documenting results & present recommendations
12
BCP: 2. BIA – Vulnerability Assess.
Similar to but smaller than Risk Analysis Quantitative loss criteria Revenue, capital, liability, operational expenses, contract agreements, regulatory requirements Qualitative loss Criteria Competitive advantage, mkt share, public confidence, etc Common Steps List Potential Emergencies, 2. Estimate likelihood, 3. Assess impact, 4. Resources Required
13
Sample Vulnerability Table
Type of Emergency Probability (High 5 – Low 1) Human Impact (High Impact 5 …) Property Impact Business Impact Internal Resources (Weak Resources 5 …) External Resources Total A B C D E F G H
14
BCP: 3. BCP Development Use BIA to create recovery strategy plan
Defining the continuity strategy Elements: computing, facilities, people, supplies & equipment Short-term goals & objectives Vital personnel, systems, operations, equipment Priorities for restoration Acceptable downtime & minimum resources req. Long-term goals & objectives Org’s strategic plan Funding, Management & coordination of events Funding & fiscal Management IT department: backup & restore, physical security, logical security, system administration
15
BCP: 4. Approval & Implementation
Approval by Senior Management Creating plan awareness Org’s ability to recover will most likely depend on many individuals Maintenance of Plan Plans easily get out of date
16
Disaster Recovery Planning (DRP)
Procedures for: Responding to emergency Providing extended backup operations Managing recovery & salvage operations “Primary objective is to implement critical processes at an alternate site & return to primary site & normal operations with time frame that minimizes loss to the organization.”
17
DRP: Planning Process Development & creation of recovery plans
BIA has been made so now defining steps needed to protect business in actual disaster Recovery Timeframe Requiements AAA – Immediate recovery needed, no downtime AA – Full functional recovery within 4 hours A – Same day business recovery needed B – Up to 24 hours downtime acceptable C – 24 – 72 hours downtime acceptable D – Greater than 72 hours downtime ok
18
DRP: Disaster Planning Process Steps
Data Processing Continuity Planning Data Recovery Plan Maintenance
19
DRP: Data Processing Continuity Planning
Common alternate processing types Mutual Aid Agreements Subscription services Multiple centers Service bureaus Other data center backup alternatives Automated Tools to create DRP (
20
DRP: Mutual Aid Agreements
Both parties agree to support each other Advantages Very little or no cost Same NOS, data comm needs, & transaction processing procedures Disadvantages Only use if no other option available Same infrastructure with unused capacity highly unlikely Limits responsiveness & support What about disaster that affects both orgs
21
DRP: Subscription Services
3rd party commercial services & alternate processing Basic Forms of Subscription Svcs Hot Site Warm Site Cold Site Hot Site: Fully functional remote site Remote journaling (mirroring current transactions) Adv: best alternative 24/7 availability, lowest downtime DisAdv: COST, requires constant maintenance, adds administrative overhead, common for provider to oversell capacity, security at remote site Warm Site: Cross between Hot & Cold Site, Facility available, Comm links usually online but applications & configuration not done till needed Adv: Cost, Location, Admin resources Dis: Amount of downtime that will be incurred Cold Site: Least ready but most common type Room with electrical power, HVAC but no computers or comm Not adequate resource for disaster recovery Adv: COST Dis: False sense of security
22
DRP: Multiple Centers Spread processing around multiple sites and insure excess capacity at each site Adv: Financial Dis: Mutual disaster could overtake both (or all) sites
23
DRP: Service Bureaus & Other
Service Bureaus: Contractual Agreement to provide backup Adv: Quick & available Dis: Expensive Rolling/Mobile backup site Vendor remote re-supply of hdw Prefabricated buildings
24
DRP: Transaction Redundancy
Level of fault tollerance in transaction processing Electronic Vaulting Transfer of backup offsite Remote Journaling Offsite Parallel processing Database Shadowing Offsite parallel database(s)
25
DRP: Maintenance DRP easily get out-of-date
Regular audit procedures ensure currency Review, evaluate, modify, update After training exercises After disaster response When personnel change When policies, procedures or infrastructure changes
26
DRP: Testing No plan really exists until tested
“Test plan must be created & carried out in orderly, standardized fashion & executed on a regular basis” Reasons for Testing Verifies accuracy of DRP Prepares personnel Verifies processing capacity of alternate site To find weaknesses: if non found was probably a bad test. Mistakes WILL BE MADE
27
DRP: Testing -- The Test Document
Documented Test scenario Reasons for test, type of test, objectives Granular details of what will happen Scheduling of test Duration of test Specific test steps Participants Task assignments Resources & services to be used
28
DRP: Testing – Test Levels
Checklist review Structured walk-through Simulation test Parallel test Full-scale exercise 1. Checklist review Plan sent to all business units & reviewed, preliminary step only not sufficient 2. Structured walk-through Attempt to ensure plan accuracy, identify glaring faults 3. Simulation test Emergency Mgt Group performs response functions in practice session Does not perform actual steps 4. Parallel test Tests specific functions like medical response, emergency notifications, warning & comm functions Full test of recovery plan using all personnel & all drills executed 5. Full-scale exercise Real life simulation as close as possible to real thing
29
DRP: Procedures Details roles played & tasks assigned
External groups, financial considerations Senior Management: Remain visible Directing, managing, monitoring recovery Rationally amending plans Clearly communicating roles & responsibilites IT Management: Identify mission critical apps Reassess recovery site’s stability Recovering & constructing data Human resources Financial Human Resources retraining, productivity, moral, counseling Financial Reestablish account processes Reestablish transaction controls
30
DRP: Teams Recovery Team Salvage Team
Primary task to get critical apps functioning at alternate site Salvage Team Isolate incident scene Secure & control access Return primary site to fully functional Authority to declare incident over Different personnel from Recovery Team
31
DRP: Other Issues Not over till main site fully functional
Interfacing with External Groups Relations with external often overlooked Employee Relations Major incident == stress, pay checks? Fraud & Crime Alternate site much more easily exploited Financial Disbursement Media Relations
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.