BIA Executive Summary Recommended Roadmap For Program Design

2. Impetus For State of Oregon Action Unlike any private organization or entity, the State of Oregon MUST continue operations, regardless of the interruption cause, extent or expected impact duration. The State of Oregon not only has no such recourse, but in the event of a regional outage that would impact Oregonians, the State of Oregon employees and systems, the State must be able to provide continued support to the citizens for both emergency and normal day-to-day operations. Overall, the State�s objectives for conducting a Business Impact Analysis were to: Develop a more complete understanding of the true business impact from disruptions to critical processes and technology Improve Business Continuity planning based upon the quantified impact of disruptions Utilize this understanding in conjunction with the Enterprise Business Continuity Planning goal Identify the State�s most critical resources, including interdependencies Prioritize business process and applications availability requirements Develop a focused list of business continuity activities appropriate to State�s business requirements

3. Scope of Analysis

6. Catastrophic consequences can result with occurrence of a significant service interruption Inter-agency process reliance & infrastructure dependencies will impair ability to serve constituents Significant H&S, operational & financial business impacts were identified in recently completed analysis Evolution from non-restorable to recoverable, for essential agency infrastructure can be achieved quickly & cost effectively Today�s Capability is Inadequate�

8. Agency Criticality The BIA revealed numerous inter agency dependencies, from both the process and technology perspective. The dependence of infrastructure Agencies (within current scope) on DAS, compels the SOO to seriously consider the ramifications and capability constraints associated with the �piece meal� (each agency on their own) or iterative program design & implementation approach. The larger issue that SOO faces with their dependence on technology, is the need for an integrated and structured means to provide communications capabilities, information and requisite services, accessible through a demonstrated recoverability & restoration capability. BIA - KPMG BIA - KPMG

9. Constituency Impacts According to the personnel we interviewed, if State Agency Business functions are interrupted for a prolonged period, we obtained very clear and firm answers regarding whether State Agencies could:

11. In reviewing the information collected during the BIA analysis, SunGard observed areas of commonality across the agencies. As participants addressed questions and concerns raised by the survey, their responses revealed themes which center on their commitment to Oregonians. Participants emphasized the importance of providing service or support to citizens in three areas: Health and Safety of Oregonians � Participants placed the heath, safety and welfare of their clients above all other considerations. Cash Management Requirements - There was an understanding across all the agencies that state revenues and monies must be managed to provide the monies to fund State services. Economic Development � Participants understood that many of the functions provided or supported economic opportunity for individuals and economic development opportunities for business. Another area of commonality was the interdependencies between the various agencies and functions. That is, no agency and very few functions can operate independently. Although it is also true that many private companies have internal dependencies, these interdependencies do not rise to the level or to the degree that was found within the State. These service requirements and inter-agency dependencies should be considered in developing any recovery strategy. In addition, State management will face a Business Continuity challenge similar to the challenge presented to private business management � balancing the RTOs of the participating business functions against the cost associated with implementing a strategy to support those requirements. The State selected the most critical functions within each agency to participate in the BIA and these, by their critical selection, will have the smallest window for recovery or RTO. As the State begins to analyze recovery alternatives, it will have to weigh the relative priority of RTOs from a state-wide perspective against the associated costs and then provide recovery for those functions having the greatest impact over the greatest number of people. RTOs may need to be adjusted to reflect an overall state level prioritization. Finally, since the information collection and data analysis represents the status at a �point-in-time�, the State of Oregon must account for changes that occur naturally in its environment, whether it is environmental (legal/regulatory), organizational, technical or procedural. When such changes occur, the State should ensure that it has a process in place to: 1) identify such changes, 2) review and assess the impact of the changes and 3) update or design mitigation/recovery strategies that will address those changes. Today�s technology-driven business environment places a premium on the availability of systems and data. Every organization needs a complete Business Continuity Program that addresses business interruptions, including contingency plans, data protection and restoration capabilities, alternate facilities and equipment replacement plans and a formal, integrated testing program. The information collected from the BIA should be used as a baseline to address these concerns in the next phase � State Strategy Design.

12. How Much does a Robust Capability Really Cost�. When compared against the State�s consensus on existing risk�..

13. Minimal, Optimal Or HybridRoadmap Decisions Introduction Slide Introduction Slide

14. Recommended Roadmap to Address Enterprise Availability

15. Business Drivers For Oregon�s Program Business Continuity perspective is different today: Secure immediate, low cost, interim, protection Validate/action service interruption parameters that support constituency centric program options/costs Develop tiered recoverability for technology infrastructure/shared services Evaluate future consolidated DC impacts and constraints vs commercial (hybrid) recovery capabilities Address H&S and infrastructure exposures as repeatable processes Make immediate, demonstrable, measurable progress Optimize time, results and develop a lifecycle approach to tiered recoverability

16. Tiered Recoverability: Terms and Definitions STEVESTEVE

17.  STEVESTEVE

18. Solution Continuum

19. Tactical Recommendations

20. Tactical Execution (October � Dec 2005) Consensus on infrastructure agency designations & requisite budgetary allocations (Infrastructure, Essential & Ancillary) Concurrence on phased approach to catastrophic risk mitigation & subsequent program component design (Phase One � infrastructure / Phase Two � essential agencies / Phase Three � Ancillary agencies) Concurrence on integrated (interdependent) agency design to synergize efforts and secure optimum ROI (DAS, DHS, DOR, ODOT, OHCS, OSP, OST) Initial technology centric purview will force Business Continuity activities to enable utilization Concurrence on optimal delivery vehicle to expedite, cost effective results Reap benefits of Enterprise Coverage

21. Lifecycle Program Components

22. Develop A Continuity Program Management Focus

25. Enterprise Program Deliverables Scalable and Repeatable Processes Defined In The Program Framework & Program Office For Enterprise Use: Project Definition Governance Customized Tools & Approach (Integrated DR/BCP) Program Roll-Out Strategies Measurable Testing Program Defined Change Control processes Management Accountability Internal/External Auditability Outcome is a structured, program and demonstrable capability

26. STEVESTEVE

27. Consensus on Partnership Value Potential Program or Project: Define Program Scope, Approach, Timeline & Deliverables Establish Funding & Presentation Dates To Secure Commitment Next Steps