1 / 32

Business Continuity & Disaster recovery

Business Continuity & Disaster recovery. SZABIST – Spring 2012. Business Continuity & Disaster Recovery. This chapter presents the following: Project initiation steps Recovery and continuity planning requirements Business impact analysis

gail-brooks
Download Presentation

Business Continuity & Disaster recovery

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Business Continuity & Disaster recovery SZABIST – Spring 2012

  2. Business Continuity & Disaster Recovery This chapter presents the following: • Project initiation steps • Recovery and continuity planning requirements • Business impact analysis • Selecting, developing, and implementing disaster and continuity plans • Backup and offsite facilities • Types of drills and tests

  3. Business Continuity & Disaster Recovery • Introduction • We can’t prepare for every possibility, as recent events have proved. • The catastrophic Indian Ocean tsunami in December 2004. • The terrorists attack on World Trade Center towers. • affected many businesses, people, the government, and the world. • Every year, thousands of businesses are affected by floods, fires, tornadoes, terrorist attacks, and vandalism. • The companies that survive are the ones that thought ahead, planned for the worst, estimated the possible damages that could occur, and put the necessary controls in place to protect themselves and staying in the market.

  4. Business Continuity & Disaster Recovery • Business Continuity and Disaster Recovery • Business continuity planning provides methods and procedures for dealing with longer-term outages and disasters. • How do we stay in and continue the business until the disaster is over and things get back to normal • Disaster recovery is to minimize the effects of a disaster and to take the necessary steps to ensure that the resources, personnel, and business processes are able to resume operation in a timely manner”. • Disaster recovery plan is usually very information technology (IT) focused.

  5. Business Continuity & Disaster Recovery

  6. Classification of Disruption • What is a ‘Disruption’? • Types of Disruption: • Non-disasters • Due to a device malfunction or failure • Disasters • Causes the entire facility to be unusable for a day or longer • Catastrophes • Major disruption that destroys the facility altogether

  7. Business Continuity Steps – An Overview • Although no specific scientific equation is followed to create continuity plans, certain best practices have proven themselves over time. • Accordingly following steps are outlined: • Develop the continuity planning policy statement. • Conduct the business impact analysis (BIA). • Identify critical functions and systems, prioritize them based on necessity. • Identify vulnerabilities, threats, and calculate risks. • Identify preventive controls. • Develop recovery strategies. • Develop the contingency plan. • Test the plan and conduct training and exercises. • Maintain the plan.

  8. Business Continuity Steps – An Overview

  9. Develop the Continuity Planning Policy • Business continuity should be a part of the security program and business decisions • establishing and maintaining a current continuity plan with management support. • justification of cost and benefit for the activity • formation of a BCP Team which includes individuals from: • Business units • Senior management • IT department • Security department • Communications department • Legal department; etc

  10. Business Impact Analysis (BIA) • A business impact analysis (BIA) is a functional analysis of an organization to develops a hierarchy of business functions; and applies a classification scheme to indicate each individual function’s criticality level. • How do we determine a classification scheme based on criticality levels?

  11. Business Impact Analysis (BIA)

  12. Business Impact Analysis (BIA) Perform the Risk Assessment • Calculate Asset Value and Perform Risk Assessment (BIA Step 6 – 7) • Same as discussed in Chapter 3 Various Disaster Scenarios • The analysis should consider the scenarios that could produce the following results: • Equipment malfunction or unavailable equipment • Unavailable utilities (HVAC, power, communications lines) • Facility becomes unavailable • Critical personnel become unavailable • Vendor and service providers become unavailable • Software and/or data corruption

  13. Business Impact Analysis (BIA) Estimation of Losses • Loss in reputation and public confidence • Loss of competitive advantages • Increase in operational expenses • Violations of contract agreements • Violations of legal and regulatory requirements • Delayed income costs • Loss in revenue • Loss in productivity • Identification of Maximum Tolerable Downtime (MTD)

  14. Business Impact Analysis (BIA) Maximum Tolerable Downtime (MTD) • The following are some MTD estimates that may be used within an organization: System Rating Duration • Nonessential 30 days • Normal Seven days • Important 72 hours • Urgent 24 hours • Critical Minutes to hours

  15. Business Impact Analysis (BIA)

  16. Preventive Measures • Based on BIA result and calculated MTD the preventive measures are implemented to reduce the impact of risk. They may include some of the following components: • Redundant servers and communications links • Power lines coming in through different locations • Purchasing of UPS and generators • Redundant vendor support • Purchasing of insurance • Data backup technologies • Backup media protection safeguards • Increased inventory of critical equipment • Fire detection and suppression systems

  17. Recovery Strategies • A recovery strategy is a combination of preventive, detective and corrective measures. • The selection of a recovery strategy would depend upon: • The criticality of the business process and the applications supporting the processes • Cost • Time required to recover • Security • It is the most cost-effective recovery mechanisms to address the threats identified in the BIA stage. • E.g. If the facility was unavailable for a day, it would cost the organization $200,000 a day, the company has to be up and running within MTD or the company could be financially crippled. • The company needs to obtain a hot site or redundant facility that would allow it to be up and running in this amount of time.

  18. Recovery Strategies • Recovery strategies might cover the following areas: • Business process recovery • Facility recovery • Supply and technology recovery • User environment recovery • Data recovery

  19. Recovery Strategies • Business Process Recovery • Considering the example of SZABIST: • Course registration through ZABDESK is not available then??? • What are the alternates to continue the process? Also • In the mean time, recover the processes to original state.

  20. Recovery Strategies • Facility Recovery • Companies can choose from three main types of leased or rented offsite facilities: • Hot Site • Fully configured and ready to operate immediately or within few hours • Warm Site • Leased or rented facility that is partially configured with some equipment, but not all the systems and equipments. • Cold Site • Leased or rented facility that supplies the basic environment, electrical wiring, air conditioning, but none of the equipment or additional services. • Reciprocal Agreements • Redundant Sites • Speed of availability • Subscribers per site and area • Note: Offsite location should be far enough away from the original site so one disaster does not take out both locations

  21. Recovery Strategies • Supply and Technology Recovery • Backup solutions for the following: • Network and computer equipment / Hardware • Voice and data communications resources • Redundancy • Alternative routing • Human resources • Business Applications, Software and Data • Environment issues (HVAC)

  22. Recovery Strategies • Data Backup Alternatives • Full Backup • Incremental Backup • Electronic Backup Solutions • Offsite backup vaults • Disk Mirroring • Real time data replication • Insurance

  23. Recovery Strategies • Real time data replication

  24. Recovery Strategies

  25. Recovery Strategies Which solution to go for??? Depends on: • Maximum Tolerable Downtime (MTD) • Recovery Point Objective (RPO) • Based on acceptable data loss • Indicates earliest point in time in which it is acceptable to recover the data • Recovery Time Objective (RTO) • Based on acceptable downtime • Indicates earliest point in time at which the business operations must resume after a disaster

  26. Recovery Strategies • Recovery Point Objective (RPO) and Recovery Time Objective (RTO)

  27. Recovery and Restoration • Coming back to Normal State (i.e. Reconstruction) • Disaster Recovery

  28. Documentation of Plans • Documentation of formal plans includes: • Business Continuity Plan (BCP) • Disaster Recovery Plan (DRP)

  29. Testing and Revising the Plans • BCP and DRP should be tested at least once a year. • The following type of tests can be conducted: • Checklist Test • Structured Walk-Through Test • Simulation Test • Full-Interruption Test

  30. Maintaining the Plan • The plan developed today might be obsolete in a year due to: • Infrastructure and environnent changes occur. • Reorganization of the company, layoffs, or mergers occur. • Changes in hardware, software, and applications occur. • Plans do not have a direct line to profitability. • Plans should be updated based on the test results

  31. Summary – BCP and DRP Cycle

  32. End of Chapter 5 • Thank You!

More Related