Disaster Recovery Plan (DRP)

Presentation for Management

Arriva Serbia (Arriva Litas doo)

Venue – Location

Date

CONTENTS

1. The Necessity of DRP (Disaster Recovery Plan)

2. Current state od DRP

3. Business Impact Analyses (BIA)

4. High-Medium Level Design of DRP

5. CAPEX and OPEX for DRP

6. Discussion

7. Conclusion

2

The Necessity of DRP (Disaster Recovery Plan)

The Necessity of DRP (Disaster Recovery Plan)

• Disaster Recovery Plan (DRP) is documented process or set of procedures with

set of actions that must be executed in case of disaster

• It is "a comprehensive statement of consistent actions to be taken before, during

and after a disaster.“ *

* Wold, Geoffrey H. (1997). "Disaster Recovery Planning Process". Adapted from Volume 5 #1. Disaster Recovery

World. Retrieved 8 August 2012.

• DRP has to protect the business by protecting the IT infrastructure in case of

disaster.

4

The Necessity of DRP (Disaster Recovery Plan)

• The disaster can be catastrophe,

major incident or any other event

with permanent temporary effect

which seriously affect IT

infrastructure and services and, as

a consequence, services provided

to the customers fail and other

business activities also fail or has

very limited functionality.

• The disaster could be:

– be natural

– Environmental

– man-made.

5

The Necessity of DRP (Disaster Recovery Plan)

Relationship to the Business Continuity Plan… *

According to the SANS institute, the Business Continuity Plan (BCP) is a

comprehensive organizational plan that includes the disaster recovery plan. The

Institute further states that a Business Continuity Plan (BCP) consists of the five

component plans: *

• Business Resumption Plan

• Occupant Emergency Plan

• Continuity of Operations Plan

• Incident Management Plan

• Disaster Recovery Plan

* The Disaster Recovery Plan. Chad Bahan.

GSEC Practical Assignment version 1.4b. SANS InstituteInfoSec Reading Room. June 2003. Retrieved 24 August 2012.

Good, short and high level overview from business executive perspective you may read on

https://en.wikipedia.org/wiki/Disaster_recovery_plan

6

The Necessity of DRP (Disaster Recovery Plan)

Reasons why disaster recovery

plans fail: *

1. Fail to Take Disaster Recovery

Seriously

2. Fail to Set Priorities

3. Fail to Update the Disaster

Recovery Plan regularly

4. Fail to Understand Reliance on

3rd party Vendors

5. Fail to Test the Disaster

Recovery Plan

* http://www.burgesscomputer.com/burgess-

technology-blog/maine-technology-news/5-reasons-

disaster-recovery-plans-fail/

7

The Necessity of DRP (Disaster Recovery Plan)

IT disaster recovery plan should be a

top priority: *

1. Machines and hardware fail

2. Much like machines, humans are not

perfect. They make mistakes.

3. Customers expect perfection.

4. Customer retention is costly, but customer

re-acquisition is devastatingly expensive.

5. You’re only as strong as your weakest

link.

Conclusion: Save Money, Save Time, Save

Your Business. Develop a Solid IT Disaster

Recovery Plan.

* http://www.onlinetech.com/resources/references/top-5-

reasons-why-your-it-disaster-recovery-plan-should-be-a-top-

priority

8

The Necessity of DRP (Disaster Recovery Plan)

9

Current state od DRP in Arriva Serbia

Current state of DRP in Arriva Serbia

Out of technical perspective, some

of necessary DRP building blocks

are:

1. Backup&Restore system in place

2. Regular checks of backup/restore

system

3. Offsite store (out of main data

center)

4. Network (Internet and other

connections like VPN) connectivity

and reliability

5. Consolidated server infrastructure –

virtualized as much as possible

6. DR location as secondary

datacenter

11

Arriva Serbia has fulfilled,

comparing to the left side:

• Fully: items 1, 3, 4, 5

• Partially: items 2 and 6

Arriva Serbia is not ready in case of

disaster:

• Still Arriva Serbia does not have

DRP in place

• In case of disaster at least 1 week is

needed to recover some of base IT

services and 2-6 weeks for rest

• Business Impact (damage) would be

substantial.

Current state of DRP in Arriva Serbia

12

How it should look

like:

General graph of

data centres - main

and DR and their

relation

Arriva Serbia does

not have DR Data

Centre

Business Impact Analyses (BIA)

Business Impact Analyses (BIA)

BIA performed for Arriva Serbia:

1. Period June 2015 – January 2016

2. DB template is used (sent to us by Arriva group)

3. Performed by local management team: lead by IT manager, supported by MD

4. 68 applications and tools are covered *.

5. For every application or tool we have clearly stated:

– Responsible persons: Process owner, application owner, technical maintenance

– ICT Security Officer (same for all)

– Objectives: RTO (Recovery Time Objective), RPO (Recovery Point Objective)

6. Most critical applications and tools have RTOs and RPOs 1-2 days.

7. Internal audit (report from May 2016) requested BIA. In Feb 2016 we reported back that

BIA is completed and sent all BIA documentation back to the group

8. BIA is base for DRP development

* We used BEAM (Arriva application landscape tool) list for BIA; note that one application is stated as several separated

applications if it is categorized in different business domain. So we have less than 68 in reality.

14

Business Impact Analyses (BIA)

15

RPO and RTO

Business Impact Analyses (BIA)

16

RPO and RTO

Business Impact Analyses (BIA)

17

RPO and RTO

High-Medium Level Design of DRP

High-Medium Level Design of DRP

1. Considerations started in 2014 by IT manager

2. Considerations intensified since October 2015

3. Decision is made (Jan 2016) by MD is to implement DRP until 30 June 2016;

4. Internal Audit is informed about the decision;

5. Approval is given to IT manager to complete high-medium level design of DRP

6. IT system integrator (Coming Computer Engineering) is given to do the job (Jan

2016) as one of most serious system integrators in the country with excellent

references in DRP designs and DRP implementations.

7. The design is done by:

– Arriva IT employees (IT manager, system administrator)

– Coming CE (3 system engineers)

– MDS (Cisco partner for networking, maintain Arriva network for years)

8. The design is completed on 09 Mar 2016 and quote received on 11 Mar 2016

19

High-Medium Level Design of DRP

The solution designed provides following benefits:

1. Cloud based:

1. Significantly less CAPEX+OPEX needed in total, primarily less CAPEX

2. Much more flexibility possible (both in IT resources volumes and time)

2. Legislation conditions met:

1. Still not all data can be stored out of Serbia / legislation not clear enough

3. Improvements in server virtualization platform (technical from Hyper-V to

VMware)

4. Unified solution for disaster recovery, backup and restore

5. Improvements in regular restore tests

6. Improvements in backup&restore process and procedures since technical

platform will change (from SBE to VEAAM)

7. Disk-to-disk backup solution: first set of backup copies in main data center and

second set on DR site. We will not use data tapes anymore.

20

High-Medium Level Design of DRP

The solution designed is made having in mind the following assumptions:

1. Current state and desired state of Arriva Serbia IT infrastructure;

2. Arriva Serbia does not want to have some solution where Arriva would be the

first client of Coming;

3. Arriva Serbia want to use a solution like solution already proven as very good

ones with other Coming clients; we need proven processes, technologies and

vendors involved

4. Agreements to sign:

– SLA (Service Level Agreement) – 24x7 support, defined RTOs and RPOs

– NDA (Non Disclosure Agreement);

5. 2 disaster recovery test per year.

6. Minimal (as possible) disruption and downtime of IT services and of daily

operations – part of work will have to be done out of working hours

21

Implementation proposal – timeline, CAPEX, OPEX

Implementation proposal – timeline, CAPEX, OPEX

Timeline:

1. Preconditions to meet before start of DR solution implementation:

– Complete implementations during April 2016:

– new servers

– new Active Directory (2012 R2)

2. DRP implementation for 6 weeks:

– start on Monday 09 May 2016 and complete until Friday 17 June 2016.

– Work during working hours and out of working hours included.

– Post implementation work needs to be done until end od 2016 to optimize

other less critical processes for restore on client (users) side. That will be

also included in DRP plan

23

Implementation proposal – timeline, CAPEX, OPEX

24

CAPEX and OPEX needed:

1. CAPEX 22.748 EUR in 2016:

– software permanent licences virtualization (VMware) and backup&restore

system (VEEAM) and 1st year vendor support – all for main datacentre

– implementation costs (virtualization, backup&restore, network, etc.)

2. OPEX monthly – starting from June 2016:

– 2.250 EUR for current needs:

– Few near future pending needs included already;

– price is of renting infrastructure on the cloud side (DR data centre):

– virtual resources (servers, storage, processors, memory, network, etc.)

– support 24x7 with SLA

– 2 DR tests during the year

– Price for maintaining virtualization platform on main (Arriva’s) data centre

Discussion

Conclusion

Conclusion

27

Disaster Recovery Plan needs to be implemented in near future as planned to:

• protect our business from substantial damage or even closure;

• be able to keep good reputation as reliable company among:

– Our customers;

– Communities where we operate;

– Partners;

– Competitors;

– Authorities.

THANK YOU

Prepared by IT Manager

Pavle Knežević

pavle.knezevic@arriva.rs

+381 62 8800009