A Lightweight Business Continuity & Disaster Recovery Plan Motahareh Moravej Issuers’ Affairs Director at CSDI PHD. Student of Computer Engineering, UT
Agenda Why we need BCP and DR? The relation of IT, BCP and DR? The trade-offs between cost of downtime and cost of establishing BCP? Iterative based frameworks – Stateless Checkpoints 2
BCM in other words It is not just a paper based plan that requires – Planning – Analysis – Assessment – Training To... – Establish a secure and resilience environment – Minimize financial loss – Ensure resumption of operations in case of disaster 3
BC and DP Planning Tasks Process Management – Define BC/DR Management Objectives – BC/DR Management Steering Committee Risk Assessment – Formal Risk Assessment definition(Impact and Likelihood criteria definition) – Key legislation and Industry Codes of Practice Business Impact Assessment – Identify key Business Processes and critical dependencies – Impacts of potential business interruptions and recovery time objectives(RTO’s) 4
BC and DP Planning Tasks (2) Recovery Strategies definition – Vendor contracting procedures – Alternate site identification – Cost Benefit Analysis of recovery strategies BCM Procedures – Standards for recovery, restoration and communication plan – BC/DR crisis management organization 5
BC and DP Planning Tasks (3) Training and Awareness – Document training plans Plan Exercise – Roles and responsibilities definition for BCP testing – Types of testing Plan Maintenance – Timelines for plan updates – Onsite and offsite plan storage 6
BCP standards Control objective for information and related technology – (CoBIT) Federal Emergency Management Association – (FEMA) National Institute of Standards and Technology – (NIST) Disaster Recovery Institute International – (DRII) 7
Source of disasters Many domains that can be – Natural – Human – Technical The business should work properly – Accessibility – Timeliness – Reliability 8
Why Lightweight BCP? Because we have to...!! Resource limitations Ideal... – Less effort but better outcome Estimate what is required to provide an acceptable level of service 9
An example... Redundant facilities and Replication provide higher level of business continuity and higher availability But they can... – Be source of inconsistency – Need more testing – N* resources and higher cost Sometimes more than n-times 10
A live software solution It should work properly and continuously Maintenance Testing Metrics/Program Maintenance Program Change Management Program Audit Certification Program Development IT Disaster Recovery Plans Business Resumption Plans Testing and Certification Program 11
Iterative project management Milestones and iterative changes and confirmation Shorter duration of delivery It is not necessary to have incremental changes in each iteration – training or modifications Waterfall projects drawbacks – Delaying value delivery – Time sensitive – Underlying resources can change the target 12
Impact of proiritization Determining the minimum action needed in each iteration to – Deliver value – Reduce risk – Mitigate requirement – Prioritize Stakeholders Consider each successful iteration as a building block for future business 13
Milestones as checkpoints Each iteration can be a good starting point Try to keep it stateless Confirmed state of the business 14
Checkpointing Stateless check pointing Point in time to which systems and data must be recovered Amount of data loss that a business can tolerate 15
Step by step planning Easier assessment Resource reallocation – Probability of resource sharing Better understand the needs of stakeholders Planning based on new requirements 16
Why Iterative procedures? Lightweight Prioritized Flexible toward changes Short term objectives Step by step confirmation Higher resolution 17
Conclusion “The greatest danger in times of turbulence is not the turbulence; it is to act with yesterday’s logic.“ — Peter Drucker 18
THANK YOU FOR YOUR ATTENTION 19