business continuity planning disaster recovery planning

Business Continuity PlanningBusiness Continuity PlanningDisaster Recovery PlanningDisaster Recovery Planning

A Business Continuity Plan (BCP) is an approved set of advanced arrangements and procedures that enable an organization to:

Facilitate the recovery of business operations to reduce the overall impact of an event, while at the same time resuming the critical business functions within a predetermined period of time.

Minimize the amount of loss. Repair or replace the damaged facilities as soon as

possible.Traditionally, recovery plans focused on the recovery of critical computer systems running at data centers (aka “disaster recovery”).Today, recovery plans must also focus on the critical computer systems operating in a distributed environment involving PCs, LANs, telecommunications, etc.Essentially, continuity plans address every critical function of an enterprise.

A disaster is something that interrupts normal business processing.

A disaster is defined as a sudden, unplanned calamitous event that brings about great damage or loss.

In the business environment, it is any event that creates an inability to support critical business functions for some predetermined period of time.

Reasons for BCPReasons for BCPIt is better to plan activities ahead of time

rather than to react when the time comes“Proactive” rather than “Reactive”

Take the correct actions when needed Allow for experienced personnel to be absent

Maintain business operations Saves time, mistakes, stress and $$ Keep the money coming in Short and long term loss of business Have necessary materials, equipment, information on

hand Planning can take up to 3 years

Effect on customers Public image Loss of life

BCP RequirementsBCP Requirements Provide an immediate, accurate and measured

response to emergency situations. Provide procedures and a listing of resources to

assist in the recovery process. Identify vendors that may be needed in the

recovery process and put agreements in place with selected vendors.

Avoid confusion experienced during a crisis by documenting, testing and training plan procedures.

Clear guidance for declaring a disaster.

BCP RequirementsBCP Requirements Provide the necessary direction to ensure the timely

resumption of critical services. Document storage, safeguarding and retrieval

procedures for critical systems and supporting functions.

Describe the actions, resources and materials required to restore critical operations at an alternate site in the event that the primary site(s) has suffered a serious outage.

Document recovery procedures so they can be executed by knowledgeable people.

Developing the BCPDeveloping the BCPProject Management and InitiationProject Management and Initiation

Determine the need for automated data collection tools, including plans to provide training on how to use the software.

Establish members of the BCP team, both technical and functional representatives.

Prepare and present an initial report to management on how the BCP will meet the objectives.

Developing the BCPDeveloping the BCPProject Management and InitiationProject Management and Initiation “Automated” plan development can help you:

Speed the processAvoid missing critical elementsOrganize teamsMaintain the plan

Developing the BCPDeveloping the BCPProject Management and InitiationProject Management and InitiationTeam Members

BCP Planner/Coordinator Senior management, CFO, etc. Legal, HR Business unit/functions Recovery team leaders InfoSec, Telecomm, etc.

The same people who would be responsible for executing the plan in the event of an outage must also be involved in preparing the BCP

Developing the BCPDeveloping the BCPBusiness Impact Analysis (BIA)Business Impact Analysis (BIA)The BIA is a functional analysis that identifies the impacts should an outage occur. Impact is measured by the following:

Allowable business interruption - the maximum tolerable downtime (MTD)

Financial and operational considerations Regulatory requirements Organizational reputation

The BIA sets the stage for determining a business-oriented judgment concerning the appropriation of resources for recovery planning efforts.

Developing the BCP - BIADeveloping the BCP - BIA

Impact AssessmentPurpose Identify risks Identify business requirements for continuity Quantify impact of potential threats Balance impact and countermeasure cost Establish recovery priorities


BenefitsRelates security objectives to organization missionQuantifies how much to spend on security measuresProvides long term planning guidance

Site selectionBuilding designHW configurationSW Internal controlsCriteria for contingency plansSecurity policy

Protection requirements Significant threats Responsibilities


Risk AssessmentPotential failure scenariosLikelihood of failureCost of failure (loss impact analysis)

Dollar losses Additional operational expenses Violation of contracts, regulatory requirements Loss of competitive advantage, public confidence

Assumed maximum downtime (recovery time frames) Rate of losses Periodic criticality Time-loss curve charts

Developing the BCP - BIADeveloping the BCP - BIARisk Assessment/Analysis

Potential failure scenarios (risks)Likelihood of failureCost of failure, quantify impact of threatAssumed maximum downtimeAnnual Loss ExpectancyWorst case assumptionsBased on business process model? Or IT model?Identify critical functions and supporting resourcesBalance impact and countermeasure cost

KeyPotential damageLikelihood


DefinitionsQuantitative Risk Analysis

quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability

Powerful aid to decision makingDifficult to do in time and cost

Qualitative Risk Analysisminimally quantified estimatesExposure scale ranking estimates Easier in time and moneyLess compelling

Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative


Goals Understand economic & operational impact Determine recovery time frame

(business/DP/Network) Identify most appropriate strategy Cost/justify recovery planning Include BCP in normal decision making process


Risk Analysis Steps1 - Identify essential business functions

Dollar losses or added expenseContract/legal/regulatory requirementsCompetitive advantage/market shareInterviews, questionnaires, workshops

2 - Establish recovery plan parametersPrioritize business functions


Risk Analysis Steps3 - Gather impact data/Threat analysis

Probability of occurrence, source of helpDocument business functionsDefine support requirementsDocument effects of disruptionDetermine maximum acceptable outage periodCreate outage scenarios

Developing the BCP - BIADeveloping the BCP - BIARisk Analysis Steps4 - Analyze and summarize

Estimate potential losses Destruction/theft of assets Loss of data Theft of information Indirect theft of assets Delayed processing Consider frequency

Combine potential loss & probabilityMagnitude of risk is the ALE (Annual Loss

Expectancy)Guide to security measures and how much to

spend


Maximum tolerable downtime (MTD)

ItemRequired recovery time

following a disasterNon-essential 30 days

Normal 7 daysImportant 72 hours

Urgent 24 hoursCritical/essential minutes to hours

Developing the BCPDeveloping the BCPRecovery StrategiesRecovery Strategies

Business Recovery Focus is on the critical resources and the maximum

tolerable downtime for each business/support unit system. This may included identification of:

Critical IT system hardware, software and data Critical equipment, supplies, furniture and office

space Key personnel for each business unit and support

unit, such as Operations, Facilities, InfoSec, etc.

Developing the BCPDeveloping the BCPRecovery StrategiesRecovery StrategiesFacility and Supply Recovery Focus is on restoration and recovery, such as:

Facility - main building, remote facilities Inventory - supplies, equipment, paper, forms Equipment - network environments, servers, mainframe,

PCs, etc. Telecomm - voice and data Documentation - application, technical materials Transportation - movement of equipment, personnel Supporting equipment - HVAC, safety, security

22

Developing the BCPDeveloping the BCPRecovery StrategiesRecovery StrategiesUser Recovery Focus is on personnel requirements, such as:

Manual procedures Vital record storage (i.e., medical, personnel) Employee transportation Critical documentation and forms User workspace and equipment Alternate site access procedures

User Recovery (continued) Procedures for the organization’s employees to follow during the outage include

items such as: Team responsibilities Distribution of information Manual processing techniques Disaster policies Notification procedures High priority tasks Emergency accounting Checklists


Operational Recovery Determine the necessary equipment

configurations such as: Mainframes, LANs, PCs, peripherals Explore opportunities for integration/consolidation Usage parameters

Data communications configurations include: Switching equipment, routers, bridges, gateways

24


Operational Recovery (continued) Outline alternative strategies for technical

capabilities, such as network infrastructure components. Options include:

Hot site, warm site, cold site, mobile site Reciprocal or mutual aid agreements Multiple processing centers Service bureaus

25

Developing the BCPDeveloping the BCPRecovery StrategiesRecovery StrategiesSoftware and Data Recovery Focus is on the recovery of information - the data. Options include:

Backing up and off-site storage Electronic vaulting Online tape vaulting Remote journaling Database shadowing Standby services Software escrow Manuals and documentation Backup frequency - criticality and rate of change

26

$ < P * V

$ = expense of backupP = probability of lossV = cost of recreating lost data


Software and Data Recovery (continued) Security and controls of backup data and materials

While being transported to the offsite facility While stored at the offsite facility Backup site may need even better protection than

primary site Data at backup facility is not accessed very often Problems could go undetected for a long time

Consider encryption of backup data Too much processing overhead? Bank of America lost backup tapes

27

Developing the BCPDeveloping the BCPPlan Design and DevelopmentPlan Design and Development In this phase the team prepares and

documents a detailed plan for recovery of critical business systems. End products include:

Business and service recovery plans Test method descriptions Restoration plans Plan maintenance programs Employee awareness and training programs

28

Developing the BCPDeveloping the BCPPlan Design and DevelopmentPlan Design and Development

1. Determine management concerns and priorities.2. Determine planning scope such as geographical concerns,

organizational issues, and the various recovery functions to be covered in the plan.

3. Establish outage assumptions.4. Identify response procedures, such as ensuring evacuation and

safety of personnel, notification of disaster, initial damage assessment, activating teams and relocating to alternate sites.

. Identify resumption strategies for mission-critical and non-mission-critical systems at alternate sites.

6. Identify the location for the emergency operations center/command center.

7. Identify restoration procedures for salvage, repair and return to the primary site. Also, the procedures to deactivate the recovery site

29


8. Plan and implement the gathering of data required for plan completion.

Personnel information Vendor services Equipment, software, forms, supplies Vital records Technical information Office space requirements

30


9. Review and outline who (and how) the organization will interface with external groups.

Customers Shareholders Civic officials Community, region, and state emergency services

groups Utility providers Industry group coalitions Media

31


10. Review and outline how the organization will cope with other complications beyond the actual disaster. Responsibility to families Coordination with human resource and legal

departments Fraud opportunities Exposure of sensitive data Looting and vandalism Ensuring primary site is protected during disaster Safety and legal problems Expenses exceeding emergency manager authority Insurance coverage and timing of claim payment

32


11. Develop support service plans, including human resources, public relations, transportation, facilities, IT, telecomm, etc.

12. Develop business function plans and procedures.13. Develop facility recovery (i.e., the building) plans.

33

Plan TestingPlan TestingProves feasibility of recovery processVerifies compatibility of backup facilitiesEnsures adequacy of team procedures

Identifies deficiencies in proceduresTrains team membersProvides mechanism for maintaining/updating

the planUpper management comfort

34

Plan TestingPlan TestingDesk checks/checklistStructured walkthroughsSimulationsParallel testsFull interruption tests

35

Plan MaintenancePlan MaintenanceDevelop processes that maintain the currency of

continuity capabilities and the BCP document in accordance with the organization’s strategic direction. This includes:Changing management proceduresResolving problems found during testingBuilding maintenance procedures into the processCentralizing responsibility for updatesReporting results regularly to team members

36

Plan MaintenancePlan MaintenancePlan maintenance functions are:

Receive and monitor input on needed revisions - maintain revision history

Plan maintenance reviews as neededMonitor changes within business units, such as

upgrades to systemsControl plan maintenance distribution - who

receives a copy of plan updatesEnsuring version control - obsolete editions of

the plan are collected and destroyed.

37

Awareness and TrainingAwareness and TrainingThe goal is to design and develop a program to

create corporate awareness and enhance the skills required to develop, implement, maintain and execute the plans.

The objectives should cover a range of outcomes from simple awareness of the major provisions to the ability to carry out specific procedures.

Train the teams used for recovery strategies.Train those employees who will have specific

roles in the recovery process, such as systems staff, team leaders, etc.

38

business continuity planning disaster recovery planning

Documents