2 Contents
- What is Business Continuity?
- Business Continuity Components
- Phase I: Risk Assessment
- Phase II: Business Impact Analysis
- Phase III: Select Recovery Strategies Based on RTOs & RPOs
- Phase IV: Implement Recovery Organization Structure
- Phase V: Conduct Education & Exercises for Employees
- Phase VI: Develop Recovery Plans
- Phase VII: Test, Test, Test!!!!!
- Phase VIII: Incorporate Changes to Keep Current
3 What is Business Continuity?
Process of Ensuring Continuance of a Business if a Disruption Occurs and Includes:
- Analysis of Criticalities (Business Impact Analysis).
- Securing Accommodations to Restore People, Processes, and Information Systems.
- Documenting and Testing Processes, Procedures and Information Systems.
4 Business Continuity Components
- Phase I: Risk Assessment
- Phase II: Business Impact Analysis
- Phase III: Select Recovery Strategies Based on RTOs & RPOs
- Phase IV: Implement Recovery Organization Structure
5 Business Continuity Components (Contd.)
- Phase V: Conduct Education & Exercises for Employees
- Phase VI: Develop Recovery Plans
- Phase VII: Test, Test, Test!!!!!
- Phase VIII: Incorporate Changes to Keep Current
6 Phase I: Risk Assessment
Identify and Evaluate Risks (such as single electrical feed, exposure to chemical spills, etc.) to an Organization:
- Those Required for a Company to Continue Operations
- Each Risk Evaluated for its Probability of Occurring
- Define Existing Controls to Mitigate Risks
- Recommend New/Enhanced Controls
- Evaluate Cost of Controls
7 Phase II: Business Impact Analysis
The Process of Analyzing:
- A Business Function's Tolerance for Loss of Its Daily Activities Resulting From Inaccessibility to Its:
  - Computers
  - Work Areas
- How This Affects the Viability of the Company.
8 Phase II: Business Impact Analysis (Contd.)
Establish Recovery Time Objectives (RTOs) for:
- Work Areas (Departments)
- Software Applications and Associated Hardware
9 Phase II: Business Impact Analysis (Contd.)
Recovery Time Objective (RTO)
- The Amount of Time, Starting When the Disaster is Declared, by Which an Application Needs to be Restored and Ready for Use.
- Used as Basis for Recovery Strategy
- RTOs are Developed for:
  - Departments (Work Area Recovery)
  - Functions
  - Software Applications/Hardware
10 Phase III: Select Recovery Strategies Based on RTOs & RPOs
[Chart: recovery strategies plotted against Dollars Spent*, starting at $0, with the axis label "COSTS INCREASE"]
Strategies shown, in order:
- Cold Site/Shell Site
- Warm Site
- Quick Ship--Purchase At Time of Disaster (ATOD)
- Electronic Vaulting
- Remote Journaling
- Data Shadowing/Mirroring
- Standby Processing
- Fault-Tolerant System
- Hot Site
- Redundant Data Center
Bands shown:
- RPO 0 hrs-24 hrs; RTO 0-<3 days
- RPO 24 hrs; RTO 3 days-1 month
*This chart shows that costs increase for strategies that meet lower RTOs and RPOs and decrease for strategies that accommodate higher RTOs and RPOs.
11 Phase III: Sample Recovery Strategies Based on RTOs & RPOs (Contd.)
Exhibit 2. High Availability Solutions for Hardware/Software with Recovery Time Objectives (RTOs) <3 Days

Definition
- Alt #4 Electronic Vaulting: Electronically conduct data backups by transmitting data to equipment located in an offsite facility. This is disk to disk backup with critical equipment located at an alternate facility.
- Alt #5 Remote Journaling: Changes/updates logged to a database (DB) on a real-time basis since the last full backup. Note: Restore of current journal not immediate since these journal entries are archived & must be incorporated into current dataset prior to restore from backup media.
- Alt #6 Data Shadowing/Mirroring: Immediate duplication of data on separate disks that are located remotely, which is considered a shadow. The remote facility can be an alternate location owned by the client or at a vendor's location.
- Alt #7 Standby Processing: Secondary server in standby mode & takes over as primary server when primary server is interrupted. System either located in facility owned by company or by vendor.
- Alt #8 Fault-Tolerant Systems: System's ability to respond gracefully to hardware or software failure & redirect traffic seamlessly to a device not affected by this failure.
- Alt #9 Hot Site: Alternate processing site ready for immediate use since it is equipped with all hardware, software & environmental infrastructure. Hot Site is provided by a vendor.
- Alt #10 Redundant Data Center: A secondary Data Center in an alternate location with the same computer components as the first. May be located in a facility owned by the company or by another company.

Is There Any Data Loss?
- Alt #4 Electronic Vaulting: No
- Alt #5 Remote Journaling: No, but restore not immediate since current files are archived & used together with image copies to recover DB to point of failure.
- Alt #6 Data Shadowing/Mirroring, Alt #7 Standby Processing, Alt #8 Fault-Tolerant Systems: No / No. Hardware disks are usually mirrored in the equipment to eliminate any data loss.
- Alt #9 Hot Site: Depends upon whether one of these High Availability solutions is used to backup data at the hot site.
- Alt #10 Redundant Data Center: No
13 Phase V: Conduct Education & Exercises for Employees
- Conduct a Business Continuity Week
  - Invite Vendors for Presentations
  - Show Videos
  - Present Company Recovery Plan
  - Make it Fun and Enjoyable
  - If Possible, Have Take-Aways
- Advertise
  - Use Your Marketing Department to Create Posters
  - Display Posters in Cafeteria, Elevators, etc.
  - Email Reminders
- Reeducate As Required
14 Phase VI: Develop Recovery Plans
- Document Recovery Plans for:
  - Work Areas (Processes)
  - Software and Hardware
- Document Recovery Plans for the Worst Case Scenario; DO NOT Create Plans for Different Scenarios. (Some exceptions are: Pandemic Plan, Flood Plan, etc.)
- Reevaluate and Change Plans Two Times Per Year, if They Need Updating
- Make Copies of Plans and Keep Accessible
15 Phase VI: Develop Recovery Plans (Contd.)
At a Minimum, Include the Following in Recovery Plans:
- Backup Strategy
- Organization Chart
- Calling Trees With Telephone Numbers
- For Technology Plans, DETAILED Instructions for Restoring Software and Hardware
- Evacuation
- Alternate Recovery Site
- Location of Command Center
- List of Vendors
16 Phase VII: Test, Test, Test!!!!
- Test all Plans:
  - Work Area Plans
  - Technical Plans
- Types of Tests
  - Walkthroughs
  - Surprise Tests*
  - Scenario Tests*
*Note: These tests include restoration of required hardware and software.
17 Phase VIII: Incorporate Changes to Keep Current
- Continue to Reevaluate Organization and System Changes
- Change Strategy as Required
- Change Recovery Organization as Needed
- Change Recovery Plans
IT IS BEST TO CONSIDER CONTINUITY BEFORE YOU DEVELOP AND/OR IMPLEMENT ANY INFORMATION SYSTEMS!!!!