Business Continuity Management

Sahana Conference 2009, March 24-25, 2009, Colombo, Sri Lanka
Brent H. Woodworth

Uploaded by talksahana, 18-Dec-2014

DESCRIPTION

Talk by Brent H. Woodworth at the Sahana Conference 2009, Colombo, Sri Lanka, March 24-25, 2009.

TRANSCRIPT

Page 1: BUSINESS CONTINUITY MANAGEMENT

SAHANA CONFERENCE 2009

MARCH 24-25, 2009, COLOMBO, SRI LANKA

Brent H. Woodworth


Page 3: Business Continuity Management: Steps to Preparedness

• 1. Gap analysis

• 2. COOP (Continuity of Operations Planning)

• 3. BIA (Business Impact Analysis)

• 4. Emergency Response Plan

• 5. Education

• 6. Testing

• 7. Update


Page 5: Contingency Planning Process

The seven steps of contingency planning

1. Develop the contingency planning policy statement

2. Conduct the business impact analysis (BIA)

3. Identify preventive controls

4. Develop recovery strategies

5. Define recovery roles and responsibilities

6. Plan testing, training, and exercises

7. Plan maintenance

Process diagram (each box with its activities):

Develop Contingency Planning Policy
• Identify statutory or regulatory requirements for contingency plans
• Develop IT contingency planning policy statement
• Obtain approval of policy
• Publish policy

Conduct Business Impact Analysis
• Identify critical IT resources
• Identify outage impacts and allowable outage times
• Develop recovery priorities

Identify Preventive Controls
• Implement controls
• Maintain controls

Develop Recovery Strategies
• Identify methods
• Integrate into system architecture

Develop Contingency Plan*
• Document recovery strategy

Plan Testing, Training, and Exercises
• Develop test objectives
• Develop success criteria
• Document lessons learned
• Incorporate into the plan
• Train personnel

Plan Maintenance
• Review and update plan
• Coordinate with internal/external organizations
• Control distribution
• Document changes

*Discussed in Section 4


Page 7: Step 1: Develop the Contingency Planning Policy Statement

• Policy must be supported by senior management

• Key policy elements include:

  • Roles and responsibilities

  • Scope

  • Resource requirements

  • Training requirements

  • Exercise and testing schedules

  • Plan maintenance schedule

  • Backup frequency and storage method (applies to IT)


Page 9: Step 2: Conduct a Business Impact Analysis

• The business impact analysis (BIA) characterizes system contingency requirements and priorities in the event of a disruption:

  Step 1: Identify critical IT resources

  Step 2: Identify disruption impacts and allowable outage times

  Step 3: Develop recovery priorities

• Results are key to development of the recovery strategy and should also be used for COOP, BCP, and BRP development

BIA diagram (input from users, business process owners, application owners, and other associated groups):

Identify Critical IT Resources

  Critical Business Process              Critical Resources
  1. Payroll Processing                  • LAN Server
  2. Time and Attendance Reporting       • WAN Access
  3. Time and Attendance Verification    • E-mail
  4. Time and Attendance Approval        • Mainframe Access
  ...                                    • E-mail Server ...

Identify Disruption Impacts and Allowable Outage Times

  PROCESS: 2. Time and Attendance Reporting
  Critical Resource: LAN Server, WAN Access, Mainframe Access, E-mail Server ...
  Max Allowable Outage: 8 hours
  Impact:
  • Delay in time sheet processing
  • Inability to perform routine payroll operations
  • Delay in payroll processing ...

Develop Recovery Priorities

  Resource               Recovery Priority
  • LAN Server           High
  • WAN Access           Medium
  • E-mail               Low
  • Mainframe Access     High
  • E-mail Server ...    High
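The three BIA steps above are a computation as much as a workshop exercise: a resource's allowable outage is bounded by the most time-critical process that depends on it, and the recovery priority follows from that bound. The script below is an added illustration written for this transcript, not code from the talk or from the Sahana project. Process and resource names follow the slide's payroll example and the 8-hour limit for Time and Attendance Reporting is the slide's value; the other outage limits, the resource dependencies, the planned recovery times and the priority thresholds are constructed assumptions. It also flags where a planned recovery time misses the derived limit, which is the residual-risk input that step 4 (recovery strategies) has to consume.

```python
"""Worked BIA example: derive resource recovery priorities from process outage limits.

Added illustration for this transcript, not code from the talk or the Sahana
project. Process and resource names follow the slide's payroll example; the
8-hour limit for Time and Attendance Reporting is from the slide, while the
other outage limits, the resource dependencies, the planned recovery times and
the priority thresholds are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    max_allowable_outage_h: float   # MAO stated by the business process owner
    resources: frozenset[str]       # IT resources the process cannot run without
    impacts: tuple[str, ...] = ()   # consequences of an outage, for the BIA record


# Assumed priority thresholds: the tightest MAO a resource must satisfy maps to a tier.
PRIORITY_THRESHOLDS_H = ((8.0, "High"), (24.0, "Medium"))  # anything looser is "Low"


def priority_for(mao_h: float) -> str:
    """Map a maximum allowable outage to a recovery priority tier."""
    for limit_h, label in PRIORITY_THRESHOLDS_H:
        if mao_h <= limit_h:
            return label
    return "Low"


def resource_outage_limits(processes: list[Process]) -> dict[str, dict]:
    """For each resource, find the tightest MAO among all processes that depend on it.

    A shared resource inherits the strictest limit of any process using it; the
    process imposing that limit is recorded as the driver so the priority is explainable.
    """
    limits: dict[str, dict] = {}
    for p in processes:
        for r in p.resources:
            entry = limits.setdefault(
                r, {"mao_h": float("inf"), "driver": None, "processes": set()}
            )
            entry["processes"].add(p.name)
            if p.max_allowable_outage_h < entry["mao_h"]:
                entry["mao_h"] = p.max_allowable_outage_h
                entry["driver"] = p.name
    return limits


def recovery_priorities(processes: list[Process]) -> list[tuple[str, float, str, str]]:
    """Return (resource, tightest MAO, priority, driving process) in recovery order."""
    limits = resource_outage_limits(processes)
    rows = [(r, v["mao_h"], priority_for(v["mao_h"]), v["driver"]) for r, v in limits.items()]
    # Tightest limit first; among equals, the resource more processes depend on, then by name.
    rows.sort(key=lambda row: (row[1], -len(limits[row[0]]["processes"]), row[0]))
    return rows


def recovery_gaps(processes: list[Process], planned_rto_h: dict[str, float]):
    """Resources whose planned recovery time misses (or lacks) the BIA-derived limit.

    These are the residual risks the recovery strategy (step 4) has to address.
    """
    gaps = []
    for r, mao_h, _, driver in recovery_priorities(processes):
        rto = planned_rto_h.get(r)
        if rto is None or rto > mao_h:
            gaps.append((r, mao_h, rto, driver))
    return gaps


# Constructed sample input (assumed dependencies and limits, except the slide's 8-hour MAO).
PROCESSES = [
    Process("Payroll Processing", 24.0, frozenset({"Mainframe Access", "WAN Access"})),
    Process("Time and Attendance Reporting", 8.0,
            frozenset({"LAN Server", "Mainframe Access", "E-mail Server"}),
            ("Delay in time sheet processing",
             "Inability to perform routine payroll operations",
             "Delay in payroll processing")),
    Process("Time and Attendance Verification", 48.0, frozenset({"E-mail", "LAN Server"})),
    Process("Time and Attendance Approval", 72.0, frozenset({"E-mail", "LAN Server"})),
]

# Assumed recovery times the current strategy can actually deliver; E-mail has none planned.
PLANNED_RTO_H = {"LAN Server": 4.0, "Mainframe Access": 12.0, "E-mail Server": 6.0, "WAN Access": 24.0}


if __name__ == "__main__":
    for resource, mao_h, priority, driver in recovery_priorities(PROCESSES):
        print(f"{resource:18} MAO {mao_h:>5.1f} h  {priority:6}  (driven by {driver})")
    for resource, mao_h, rto, driver in recovery_gaps(PROCESSES, PLANNED_RTO_H):
        planned = "no plan" if rto is None else f"{rto:.1f} h planned"
        print(f"GAP: {resource}: {planned} vs {mao_h:.1f} h allowed ({driver})")
```

With the assumed inputs the derived priorities match the slide's table (LAN Server, Mainframe Access and E-mail Server high, WAN Access medium, E-mail low), and two gaps surface: the mainframe's planned 12-hour recovery exceeds the 8 hours that Time and Attendance Reporting tolerates, and E-mail has no planned recovery at all. The point to take from the model is that the driver column makes each priority traceable to a business process owner's statement, which is what makes the BIA defensible when the recovery budget is challenged.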

Page 10: Step 3: Identify Preventive Controls

• Preventive controls should be selected and implemented to mitigate some of the impacts identified in the BIA

• Controls include, but are not limited to:

  • Uninterruptible Power Supplies (UPS) and power generators

  • Fire suppression systems and detectors

  • Offsite storage of backup media and system documentation

  • Technical security controls


Page 12: Step 4: Develop Recovery Strategies

• Recovery strategies are a means to restore IT operations quickly and effectively following a disruption

• The strategies should:

  • Address residual risks and impacts identified by the BIA

  • Use a combination of methods to cover the full spectrum of identified risks

  • Integrate with the design and implementation phases of the system development life cycle

• Strategy should consider:

  • Backup methods

  • Alternate sites

  • Cost considerations

  • Equipment replacement

  • Roles and responsibilities


Page 14: Step 5: Recovery Roles & Responsibilities

• Specific teams should be staffed based on their skills, knowledge, and normal operating responsibilities

• Team members should be trained to be ready to deploy and implement the plan when necessary

• Inter-team training will facilitate coordination and ease staff shortages during a response

• Teams should be defined by role, not by the names and titles of specific individuals, so the plan stays valid through staff changes

Page 15: Step 5 (continued): Recovery Roles & Responsibilities

• Senior management (e.g., CIO, CFO, CEO) should have authority over plan activation and execution; it may be supported by a management team

• A line of succession should define delegation of authority

• All teams are led by a team leader; each team leader should have a designated alternate


Page 17: Step 6: Plan Testing, Training, & Exercises

• Objectives, success criteria, schedule, scope, scenario, and logistics should be defined in the test plan

• Recovery staff should be trained on team procedures and responsibilities

• Plan deficiencies and the ability to implement the plan should be evaluated through testing

• Two basic types of tests:

  • Classroom (tabletop)

  • Functional (simulation)

Page 18: Step 7: Plan Maintenance

• Plan effectiveness relies on up-to-date system, organization, and procedural information

• Reviews, followed by updates, should be conducted:

  • At least annually for technical, operational, and system requirements

  • At least annually for alternate site/offsite requirements and vital records information

• All changes made to the plan should be communicated to the owners of associated plans and procedures

• All changes should be recorded in the Record of Changes (included in the plan)
