don’t wait for disaster to strike! be prepared with business continuity plans
TRANSCRIPT
DATA SERVICES DEPTARTMENT
SRIIA TECHNOLOGIES, INC. BUSINESS CONSULTING SERVICES
Developing and Supporting BCPs05/03/2023
DON’T WAIT FOR DISASTER TO STRIKE! BE PREPARED WITH BUSINESS CONTINUITY PLANS
Creating a Business Continuity Plan
Presenter: Kevin WilliamsPrincipal – SRIIA Technologies
Consulting ServicesAustin, TX
Learning Objectives After participating in this session, you will be able to:
Understand the goals of Business Continuity Planning
Understand the components of a Business Continuity plan
Begin your Business Continuity Planning project
05/03/2023
What is a Business Continuity Plan?
• Disaster recovery planning is a subset of a larger process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure.
• A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity
• Source: http://en.wikipedia.org/wiki/Disaster_recovery
05/03/2023
05/03/2023
Remember this Terrible Day?
• Hurricane Katrina• Hurricane Katrina was the deadliest and most
destructive Atlantic tropical cyclone of the 2005 Atlantic hurricane season. It was the costliest natural disaster, as well as one of the five deadliest hurricanes, in the history of the United States. Among recorded Atlantic hurricanes, it was the sixth strongest overall. Total property damage was estimated at $81 billion (2005 USD), nearly triple the damage brought by Hurricane Andrew in 1992.
05/03/2023
FEMA Grant Helps Restore New Orleans' Katrina-Damaged Archives
• Release date: FEBRUARY 3, 2012 - Release Number: 1603-963
• NEW ORLEANS, La. -- The Federal Emergency Management Agency announced today approximately $1.7 million in public assistance funding to restore New Orleans Notarial Archives’ book volumes and historical records damaged during Hurricane Katrina.
• “The Katrina-affected materials contain the original evidence of transactions involving land transfers, business agreements, mortgages, estates, agency rulings and other agreements relating to Orleans Parish properties. The volumes, which date from approximately 1965 to 2005, are critical for use in title examinations and serve as a rich supply of primary source materials for historical research on their period.
Dilbert on Disaster Recovery
Is this your current plan?
05/03/2023
05/03/2023
What is a BCP?
• It is a plan that gives a recovery team the information it needs to:• Recover from a disaster• Continue the business operations• Return to normal operations
05/03/2023
How is the BCP Used?
• As a ready reference for all information needed during the recovery phase following a disaster
• Lists strategies & priorities for recovery• Lists contact information for recovery assistance &
personnel• Outlines the stages and flow of the recovery
process
05/03/2023
General Overview
• General Overview of the Organization• Managers & contact information• Assembly sites—evacuation & alternate• BCP coordinators & contact information• Recovery site information• Critical dependencies• Important deadlines• Important agreements
05/03/2023
General Overview (cont’d)
• Recovery Strategies• Address the priority that you wish to use to recover
your information assets• Include the identification of the assets, their location,
and why important• Establish the strategy to follow for several days during
the recovery• Uses the Vital Records plan to establish those
priorities.
05/03/2023
Initial Response / Escalation Procedures
• Notification checklist• Who do you call? What are their numbers?• In what priority do you call?
• Security / 911• Building Management?• Department Manager?
• Declaration Procedures• Initiate Evacuation Procedures
• Account for all Personnel• Alert recovery site• Assess severity of situation
• Activate Recovery Team
05/03/2023
Declaration Procedures
• Determine procedures for when to declare a disaster
• Determine who can declare a disaster• Establish local, regional Authorities and contact
info• If you must activate a hotsite, make sure these
persons can also activate that site through the vendor
05/03/2023
Organizational Recovery Teams –Roles & Responsibilities
• Management Team - Planning• Appoints business recovery coordinator to oversee
plan development & maintenance• Confirms essential functions & acceptable downtime
for recovery efforts• Approves alternate site / relocation decisions• Sets test objectives—requirements to be met• Reviews test results, ensures corrective measures are
detailed and actions taken
05/03/2023
Alternate Site
• Notification • Personnel• Applications support / tech support• Administrative areas (mail, etc.)• Key customers• Critical vendors
• Periodically report status to management
05/03/2023
Alternate Site (cont’d)• First, consider the following issues risk managers commonly
address in developing alternate site strategies as part of overall business continuity planning programs:• Employee comfort. Risk managers are growing more concerned and
increasingly thoughtful about employees during crises. • Location, location, location. Alternate site solutions that require
significant travel can necessitate substantial expense in providing employee transportation and remote accommodations.
• Fast recovery time balanced with a reasonable budget. Customers are looking to restore their data and business functions promptly, but without placing undue strain on financial resources. Internal 'hot sites' are preferred by some corporations, but after staffing and accounting for space and technology upgrades, can wind up costing significantly more.
05/03/2023
Establish Requirements
• Requirements Matrix – lists of what you need• How much staffing required?• Equipment needed? Make, Model & Speed
• Computers, fax machines, data lines, printers• Desks, chairs, cabinets, etc.• Forms, office supplies
• Software needed? (This is where Cloud Computing, SaaS type services become very tactical in a compelling BCP.)• Any software critical to your function, not commonly found in
other departments• Help to bring it up and running – tech support people
05/03/2023
Business Critical Records
• Where are they located? • Best practices suggest CRM records management
• Can anyone find them– firemen, 1st responders, etc.?• Can you contact off-site storage?
• (Working with your hard-copy and digital storage providers is critical for successful BCP planning).
• Do you know what to order?• Keep a list of your business critical records, locations,
accessibility with your BCP• Keep it updated!
05/03/2023
Establish Recovery Procedures
• Procedures to Activate Teams• Establish new telecommunications
• Voice recovery• Data recovery• Vendor connectivity
• Platform restoration• Server applications• Desktop applications / WAN
• Retrieval of Business Critical Records
05/03/2023
Establish Recovery Procedures
• Reconstruction Procedures• Interim operating procedures• Validating restored applications• Identifying & re-entering lost transactions• Processing backlogged work• Alternate processing procedures• Logon procedures• Voice mail instructions• Printer selections, etc.
05/03/2023
Develop Calling Lists
• You will need help to recover—don’t be afraid to ask for help• Applications support – vendors, companies • Personnel – others at your company / office who
might be able to help• Customers need to be informed- (Public Service
Announcements for government offices) • Vendors – can supply needed materials, equipment
05/03/2023
Creating a Business Continuity Plan
Tactical Discussions
Deciding goals for operational continuity?
• What are your organizations key business processes?
• How long can your org survive without these operations business process?
• Do manual methods make time to restore less critical?
• Do you have any processes with very little tolerance for downtime?
05/03/2023
Decide Criteria for invoking the plan
• What is the maximum amount of time a process can be unavailable before action must be taken?
• At what point does the cost of executing the plan become secondary to the outage?
05/03/2023
Critical Business Process Recovery Section
• Critical Business Process Workflow • Physical Plant Related Recovery Plans• IT Related Recovery Plans• People Related Recovery Plans• Assignments and Execution• Preconditions / Preventative Plans
05/03/2023
Critical Business Process Workflows
• Use the process workflow that was developed through a “Discovery” methodology as outlined in the earlier sections
• Make sure the workflow shows enough detail that someone who isn’t you can understand!
• Be sure to identify critical systems and applications used in the transactions
Physical Location Recovery Related Plans
• Office space?• Lights?• Heat / AC?• Power?• Water?• Delivery Transportation?
05/03/2023
IT Related Recovery Plans
• Hardware?• Power?• Internet?• Email?• Phone Service?
• Applications (got media and a license key?)
• Data Recovery from Backup? (Do you have backups offsite?)
• Tech support contact information?
Technology Time out: Consider Hosting, ASP or SaaS
• Consider preventing server disasters by owning and maintaining as few as possible
• Consider a provider that will be contractually bound to 99%+ uptime for your critical services without your efforts
• Ideas to look into:• ASP or SaaS from your software vendor• Rackspace (Managed service provider)
05/03/2023
People Related Recovery Plans
• Who knows how to contact vendors?• Who knows how to cut payroll checks?• Who knows how to process credit card payments?• Is there more than one person who can perform
each critical business transaction?• Do you have cell phone numbers to reach
employees / volunteers / service providers?
Assignments and Execution
• What steps need to be taken to restore this process?
• Who has the authority with vendors to do so?• Who has the required knowledge or training?• Is there a backup operator to execute this plan if
the primary is unavailable or unreachable?• Who can make the decision to enact the plan?• Assign roles and communicate expectations to staff
05/03/2023
Required Preconditions / Preventative Plans
• What needs to be part of your regular operating plan to enable your disaster recovery plans?
• Set these actions in motion as part of your finished recovery plan
Example:• Its really hard to restore from backup tapes if they
are burned in an office fire or submerged under water.
05/03/2023
Technology Time out: Cloud Backup Solutions
Example of cost : Amazon S3 $0.15 / GB / month
• Don’t want to “Roll your own” try one of these:• www.crashplan.com• www.jungledisk.com• www.spideroak.com• www.barracuda.com
Testing The Plan
• Test each business process in your section when finished and at least annually after that!
• Make sure that your interactions with your vendors work as planned
• Streamline your plan based on your test results• It is unlikely your plan will work exactly as you have
planned it, do not be disappointed and focus on making corrections for the next test.
05/03/2023
Plan Maintenance
• Review your business processes at least annually• Update the processes for changes in how things
workExamples:• Did you add new software applications?• Add new vendors you rely on?• Are there new processes or services to constituents
you need to protect?
• Technical References –• PRISM• DR Reference• Disaster Planning: What Organizations Need to Know to Pro
tect Their Tech (Webinar)• Disaster Planning: FEMA Reference• ARMA Resources• ARMA Resources• http://en.wikipedia.org/wiki/Disaster_recovery
Resources
05/03/2023