1 / 38

Business Continuity Planning Disaster Recovery Planning

Business Continuity Planning Disaster Recovery Planning. A Business Continuity Plan (BCP) is an approved set of advanced arrangements and procedures that enable an organization to:

cassie
Download Presentation

Business Continuity Planning Disaster Recovery Planning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Business Continuity PlanningDisaster Recovery Planning

  2. A Business Continuity Plan (BCP) is an approved set of advanced arrangements and procedures that enable an organization to: • Facilitate the recovery of business operations to reduce the overall impact of an event, while at the same time resuming the critical business functions within a predetermined period of time. • Minimize the amount of loss. • Repair or replace the damaged facilities as soon as possible. • Traditionally, recovery plans focused on the recovery of critical computer systems running at data centers (aka “disaster recovery”). • Today, recovery plans must also focus on the critical computer systems operating in a distributed environment involving PCs, LANs, telecommunications, etc. • Essentially, continuity plans address every critical function of an enterprise.

  3. A disaster is something that interrupts normal business processing. • A disaster is defined as a sudden, unplanned calamitous event that brings about great damage or loss. • In the business environment, it is any event that creates an inability to support critical business functions for some predetermined period of time.

  4. Reasons for BCP • It is better to plan activities ahead of time rather than to react when the time comes • “Proactive” rather than “Reactive” • Take the correct actions when needed • Allow for experienced personnel to be absent • Maintain business operations • Saves time, mistakes, stress and $$ • Keep the money coming in • Short and long term loss of business • Have necessary materials, equipment, information on hand • Planning can take up to 3 years • Effect on customers • Public image • Loss of life

  5. BCP Requirements • Provide an immediate, accurate and measured response to emergency situations. • Provide procedures and a listing of resources to assist in the recovery process. • Identify vendors that may be needed in the recovery process and put agreements in place with selected vendors. • Avoid confusion experienced during a crisis by documenting, testing and training plan procedures. • Clear guidance for declaring a disaster.

  6. BCP Requirements • Provide the necessary direction to ensure the timely resumption of critical services. • Document storage, safeguarding and retrieval procedures for critical systems and supporting functions. • Describe the actions, resources and materials required to restore critical operations at an alternate site in the event that the primary site(s) has suffered a serious outage. • Document recovery procedures so they can be executed by knowledgeable people.

  7. Developing the BCPProject Management and Initiation • Determine the need for automated data collection tools, including plans to provide training on how to use the software. • Establish members of the BCP team, both technical and functional representatives. • Prepare and present an initial report to management on how the BCP will meet the objectives.

  8. Developing the BCPProject Management and Initiation • “Automated” plan development can help you: • Speed the process • Avoid missing critical elements • Organize teams • Maintain the plan

  9. Developing the BCPProject Management and Initiation Team Members • BCP Planner/Coordinator • Senior management, CFO, etc. • Legal, HR • Business unit/functions • Recovery team leaders • InfoSec, Telecomm, etc. The same people who would be responsible for executing the plan in the event of an outage must also be involved in preparing the BCP

  10. Developing the BCPBusiness Impact Analysis (BIA) The BIA is a functional analysis that identifies the impacts should an outage occur. Impact is measured by the following: • Allowable business interruption - the maximum tolerable downtime (MTD) • Financial and operational considerations • Regulatory requirements • Organizational reputation The BIA sets the stage for determining a business-oriented judgment concerning the appropriation of resources for recovery planning efforts.

  11. Developing the BCP - BIA Impact Assessment Purpose • Identify risks • Identify business requirements for continuity • Quantify impact of potential threats • Balance impact and countermeasure cost • Establish recovery priorities

  12. Developing the BCP - BIA Benefits • Relates security objectives to organization mission • Quantifies how much to spend on security measures • Provides long term planning guidance • Site selection • Building design • HW configuration • SW • Internal controls • Criteria for contingency plans • Security policy • Protection requirements • Significant threats • Responsibilities

  13. Developing the BCP - BIA • Risk Assessment • Potential failure scenarios • Likelihood of failure • Cost of failure (loss impact analysis) • Dollar losses • Additional operational expenses • Violation of contracts, regulatory requirements • Loss of competitive advantage, public confidence • Assumed maximum downtime (recovery time frames) • Rate of losses • Periodic criticality • Time-loss curve charts

  14. Developing the BCP - BIA • Risk Assessment/Analysis • Potential failure scenarios (risks) • Likelihood of failure • Cost of failure, quantify impact of threat • Assumed maximum downtime • Annual Loss Expectancy • Worst case assumptions • Based on business process model? Or IT model? • Identify critical functions and supporting resources • Balance impact and countermeasure cost • Key • Potential damage • Likelihood

  15. Developing the BCP - BIA Definitions • Quantitative Risk Analysis • quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability • Powerful aid to decision making • Difficult to do in time and cost • Qualitative Risk Analysis • minimally quantified estimates • Exposure scale ranking estimates • Easier in time and money • Less compelling • Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative

  16. Developing the BCP - BIA Goals • Understand economic & operational impact • Determine recovery time frame (business/DP/Network) • Identify most appropriate strategy • Cost/justify recovery planning • Include BCP in normal decision making process

  17. Developing the BCP - BIA Risk Analysis Steps 1 - Identify essential business functions • Dollar losses or added expense • Contract/legal/regulatory requirements • Competitive advantage/market share • Interviews, questionnaires, workshops 2 - Establish recovery plan parameters • Prioritize business functions

  18. Developing the BCP - BIA Risk Analysis Steps 3 - Gather impact data/Threat analysis • Probability of occurrence, source of help • Document business functions • Define support requirements • Document effects of disruption • Determine maximum acceptable outage period • Create outage scenarios

  19. Developing the BCP - BIA Risk Analysis Steps 4 - Analyze and summarize • Estimate potential losses • Destruction/theft of assets • Loss of data • Theft of information • Indirect theft of assets • Delayed processing • Consider frequency • Combine potential loss & probability • Magnitude of risk is the ALE (Annual Loss Expectancy) • Guide to security measures and how much to spend

  20. Developing the BCP - BIA Maximum tolerable downtime (MTD)

  21. Developing the BCPRecovery Strategies Business Recovery • Focus is on the critical resources and the maximum tolerable downtime for each business/support unit system. This may included identification of: • Critical IT system hardware, software and data • Critical equipment, supplies, furniture and office space • Key personnel for each business unit and support unit, such as Operations, Facilities, InfoSec, etc.

  22. Developing the BCPRecovery Strategies Facility and Supply Recovery • Focus is on restoration and recovery, such as: • Facility - main building, remote facilities • Inventory - supplies, equipment, paper, forms • Equipment - network environments, servers, mainframe, PCs, etc. • Telecomm - voice and data • Documentation - application, technical materials • Transportation - movement of equipment, personnel • Supporting equipment - HVAC, safety, security

  23. Developing the BCPRecovery Strategies User Recovery • Focus is on personnel requirements, such as: • Manual procedures • Vital record storage (i.e., medical, personnel) • Employee transportation • Critical documentation and forms • User workspace and equipment • Alternate site access procedures User Recovery (continued) • Procedures for the organization’s employees to follow during the outage include items such as: • Team responsibilities • Distribution of information • Manual processing techniques • Disaster policies • Notification procedures • High priority tasks • Emergency accounting • Checklists

  24. Developing the BCPRecovery Strategies Operational Recovery • Determine the necessary equipment configurations such as: • Mainframes, LANs, PCs, peripherals • Explore opportunities for integration/consolidation • Usage parameters • Data communications configurations include: • Switching equipment, routers, bridges, gateways

  25. Developing the BCPRecovery Strategies Operational Recovery (continued) • Outline alternative strategies for technical capabilities, such as network infrastructure components. Options include: • Hot site, warm site, cold site, mobile site • Reciprocal or mutual aid agreements • Multiple processing centers • Service bureaus

  26. Developing the BCPRecovery Strategies Software and Data Recovery • Focus is on the recovery of information - the data. Options include: • Backing up and off-site storage • Electronic vaulting • Online tape vaulting • Remote journaling • Database shadowing • Standby services • Software escrow • Manuals and documentation • Backup frequency - criticality and rate of change $ < P * V $ = expense of backup P = probability of loss V = cost of recreating lost data

  27. Developing the BCPRecovery Strategies Software and Data Recovery (continued) • Security and controls of backup data and materials • While being transported to the offsite facility • While stored at the offsite facility • Backup site may need even better protection than primary site • Data at backup facility is not accessed very often • Problems could go undetected for a long time • Consider encryption of backup data • Too much processing overhead? • Bank of America lost backup tapes

  28. Developing the BCPPlan Design and Development • In this phase the team prepares and documents a detailed plan for recovery of critical business systems. End products include: • Business and service recovery plans • Test method descriptions • Restoration plans • Plan maintenance programs • Employee awareness and training programs

  29. Developing the BCPPlan Design and Development 1. Determine management concerns and priorities. 2. Determine planning scope such as geographical concerns, organizational issues, and the various recovery functions to be covered in the plan. • Establish outage assumptions. • Identify response procedures, such as ensuring evacuation and safety of personnel, notification of disaster, initial damage assessment, activating teams and relocating to alternate sites. . Identify resumption strategies for mission-critical and non-mission-critical systems at alternate sites. 6. Identify the location for the emergency operations center/command center. 7. Identify restoration procedures for salvage, repair and return to the primary site. Also, the procedures to deactivate the recovery site

  30. Developing the BCPPlan Design and Development 8. Plan and implement the gathering of data required for plan completion. • Personnel information • Vendor services • Equipment, software, forms, supplies • Vital records • Technical information • Office space requirements

  31. Developing the BCPPlan Design and Development 9. Review and outline who (and how) the organization will interface with external groups. • Customers • Shareholders • Civic officials • Community, region, and state emergency services groups • Utility providers • Industry group coalitions • Media

  32. Developing the BCPPlan Design and Development 10. Review and outline how the organization will cope with other complications beyond the actual disaster. • Responsibility to families • Coordination with human resource and legal departments • Fraud opportunities • Exposure of sensitive data • Looting and vandalism • Ensuring primary site is protected during disaster • Safety and legal problems • Expenses exceeding emergency manager authority • Insurance coverage and timing of claim payment

  33. Developing the BCPPlan Design and Development 11. Develop support service plans, including human resources, public relations, transportation, facilities, IT, telecomm, etc. 12. Develop business function plans and procedures. 13. Develop facility recovery (i.e., the building) plans.

  34. Plan Testing • Proves feasibility of recovery process • Verifies compatibility of backup facilities • Ensures adequacy of team procedures • Identifies deficiencies in procedures • Trains team members • Provides mechanism for maintaining/updating the plan • Upper management comfort

  35. Plan Testing • Desk checks/checklist • Structured walkthroughs • Simulations • Parallel tests • Full interruption tests

  36. Plan Maintenance • Develop processes that maintain the currency of continuity capabilities and the BCP document in accordance with the organization’s strategic direction. This includes: • Changing management procedures • Resolving problems found during testing • Building maintenance procedures into the process • Centralizing responsibility for updates • Reporting results regularly to team members

  37. Plan Maintenance • Plan maintenance functions are: • Receive and monitor input on needed revisions - maintain revision history • Plan maintenance reviews as needed • Monitor changes within business units, such as upgrades to systems • Control plan maintenance distribution - who receives a copy of plan updates • Ensuring version control - obsolete editions of the plan are collected and destroyed.

  38. Awareness and Training • The goal is to design and develop a program to create corporate awareness and enhance the skills required to develop, implement, maintain and execute the plans. • The objectives should cover a range of outcomes from simple awareness of the major provisions to the ability to carry out specific procedures. • Train the teams used for recovery strategies. • Train those employees who will have specific roles in the recovery process, such as systems staff, team leaders, etc.

More Related