
EDUCAUSE 2008, Orlando, Florida

A Business Continuity Planning Toolkit. EDUCAUSE 2008, Orlando, Florida. Beth Buse, Deputy Director of Internal Auditing, Minnesota State Colleges and Universities; Leslie Maltz, Deputy VP for IT Planning & Standards (retired), Columbia University; Kim Milford, Special Assistant to the CIO


Presentation Transcript


  1. A Business Continuity Planning Toolkit. EDUCAUSE 2008, Orlando, Florida. Beth Buse, Deputy Director of Internal Auditing, Minnesota State Colleges and Universities; Leslie Maltz, Deputy VP for IT Planning & Standards (retired), Columbia University; Kim Milford, Special Assistant to the CIO, Indiana University

  2. Seminar Expectations • Why have a Business Continuity/Disaster Recovery Plan • What does a plan address • How to begin the process • Elements of a plan • Training • Drills • References

  3. Background: Minnesota State Colleges and Universities (MnSCU) • Includes 32 state universities and community and technical colleges on 53 campuses in 46 communities. • Sixth-largest system of two- and four-year colleges and universities in the country, based on student enrollment. • Serve 374,000 students each year in credit and noncredit courses. • Produce 33,500 graduates each year. • Employ more than 18,000 full-time and part-time faculty and staff.

  4. What would your college or university do if… • A fire is reported in your administration building? • A tornado warning is declared for your campus? • A water pipe bursts in your data center? • Half of your faculty and staff call in sick? • A bomb explodes in a classroom?

  5. • EDUCAUSE Current Issues Committee listed Business Continuity as one of the Top-Ten IT Issues in 2008 • March 29, 2007 – Research Study: Shelter from the Storm: IT and Business Continuity in Higher Education • ISACA listed Business Continuity and Disaster Recovery Planning as one of the top business issues in 2008 • The AICPA listed Business Continuity and Disaster Recovery Planning as one of the top Technology initiatives for 2008.

  6. How Does It Affect You? • Personal responsibilities • Making sure you know what to do to remain safe • Institution responsibilities • Providing a plan and training • Responsibilities for others • Making sure your students are safe • External Relationships

  7. Key Terminology (see separate handout) • Business Continuity Planning • Disaster Recovery Plan • Business Impact Analysis • Pandemic Planning • All Hazards Planning • National Incident Management Systems (NIMS) • Incident Command System (ICS) • Emergency Response Plan

  8. Importance of Preparing • Planning provides for backup • If primary staff unavailable – who will do the work? • If primary system is gone – how do we operate? • If a specific building cannot be occupied – where do we go? • Planning creates routines • Routines create repetition and normalcy • Normalcy generates calm instead of panic

  9. Homeland Security Presidential Directives (HSPD) • HSPD-5 – February 2003 • Subject: Management of Domestic Incidents • Established the National Incident Management System (NIMS) and National Response Plan (NRP) • HSPD-8 – December 2003 • Subject: National Preparedness • Added definition to the National Response Plan (NRP) and established the term "all-hazards preparedness".

  10. State of Minnesota • Based on the presidential directives, Governor Pawlenty issued two Executive Orders which direct planning activities for state agencies and entities: • Governor’s Executive Order 05-02: Establishes the National Incident Management System (NIMS) as the state’s only emergency management system; • Governor’s Executive Order 07-14: establishes the National Response Plan as the state’s planning template.

  11. NIMS Compliance • Government, including higher education, must: • Adopt the ICS through executive order, proclamation, or legislation as the jurisdiction's official incident management system. • Have incident managers and responders in their jurisdiction train, exercise, and use ICS. • Conduct ICS training for responders, supervisors, and command (decision) level managers. • Conduct ICS orientated training exercises that involve responders from multiple disciplines and jurisdictions.

  12. Homeland Security Vision Statement for Higher Education “That all schools and universities are prepared to mitigate/prevent, respond to, and recover from all hazards, natural or man-made by having a comprehensive, all-hazards plan based on the key principles of emergency management to enhance school safety, to minimize disruption, and to ensure continuity of the learning environment.” U.S. Department of Education Sector Specific Plan

  13. MnSCU - All Hazards Plan • MnSCU Board Policy 1A.10 Long Term Emergency Management “Each college, and university and the Office of the Chancellor shall develop and maintain an All Hazards Plan that provides guidelines in the event of long term emergency. The plan shall be developed in accordance with guidelines developed and administered by the Office of the Chancellor in accordance with state and federal directions.  The All Hazards Plan will include sections that address crisis intervention, continuity of operations, and emergency preparedness.”

  14. Minnesota State Colleges and Universities All Hazards Planning Architecture • All Hazards Plan • Emergency Preparedness Section: Human Safety, Protection of Assets; Managing, Decision-Making, Communication • Crisis Management Section: How to manage an emergency that involves a criminal act • Continuity of Operations Section: Identification and protection of operational processes in the event of sudden, unexpected, or not so unexpected, interruptions of these processes and their supporting resources.

  15. Minnesota State Colleges and Universities All Hazards Planning Architecture • Emergency Preparedness • Basic Plan • Annexes (annexes can be subdivided to address campus-unique situations, e.g. risk of flooding): • Evacuation/Traffic Control and Security • Warning and Notification • Mass Care/Housing & Human Services • Incident Management & EOC • Debris Management • Public Information • Public Works & Utilities Restoration • Accident/Damage Assessment • Environmental Hazard Response • Search and Rescue • Health Protection • Resource Management • Medical Services • Radiological Exposure • Fire Protection • Pandemic Influenza

  16. Minnesota State Colleges and Universities All Hazards Planning Architecture • Crisis Intervention • Basic Plan • Threat/Physical Security Assessment • Terrorism • Individual Acts of Violence

  17. Minnesota State Colleges and Universities All Hazards Planning Architecture • Continuity of Operations • Essential Services: • Academic Functions • Healthcare/Student Services Functions • Operations Functions • Facilities Functions • Communications Functions • Special functions: Library and Information Services, Public Safety, IT System Support, Athletics, Other • Plan Elements: • Wind Event • Water Event • Fire Event • Utilities Loss Event • IT Services Event • Pandemic Event

  18. Continuity of Operations After the fire is out, how do we resume operations?

  19. Discussion Question - Given the following scenarios, what would you do? • Scenario #1: Residence hall, including food service, destroyed by fire in October. • Scenario #2: Science building flooded by vandals in February. Most classrooms and labs will be unavailable for one month. • Scenario #3: Power outage for data center that houses ERP system during the first week of fall semester. Power company estimates time to fix will be two days.

  20. Continuity of Operations Plan Contents • Mission critical processes and systems • Roles and responsibilities • Employee, partner and vendor contact information • Disaster recovery plan • Recovery strategies • Communications plan • Resumption plan

  21. Continuity of Operations Plan Diagram • Recovery Strategies • Business Impact Analysis • Plan Development • Plan Testing

  22. What will your plan look like? • It Depends • Institution Complexity • Number of locations • Number of buildings • Types of programs (liberal arts vs. medical school) • Centralization vs. Decentralization • Multiple Plans within the Overall Plan • Enterprise • Campus • Department or Building • Plan Maturity

  23. Who should be involved? • President • Public Relations • Finance • Facilities • Public Safety • Academic Affairs • Student Affairs • External Partners

  24. Risk Management and Business Continuity • Risk Assessment – looks at the probability and impact of different types of vulnerabilities and threats that could cause an interruption. • Business Impact Analysis • Risk mitigation • Risk avoidance • Risk acceptance • Insurance

  25. Where to Begin? • Don’t get overwhelmed by the overall process. • Simple vs. Complex • Need Executive Level Support • Staffing • Development of initial plan – ideal to have dedicated resources • Maintenance • Establish Teams • Steering • Cross-Functional

  26. Where to Begin? (cont.) • Plan for worst case scenario. • Health and safety always the priority. • Mission should be decision driver in completing plans. • EDUCAUSE - Business Continuity Planning Toolkit: https://wiki.internet2.edu/confluence/display/secguide/Business+Continuity+Planning+Toolkit • Provides a resource of guides, examples and templates

  27. Financing Business Continuity

  28. Kim Milford • Indiana University, University of Rochester, University of Wisconsin • Security, policy and planning

  29. Business Impact Analysis • A management level analysis, which identifies the impacts of losing resources. This analysis measures the effect of resource loss and escalating losses over time, in order to provide senior management with reliable data upon which to base decisions on risk mitigation and continuity planning.

  30. Business Impact Analysis • Planning Context: Region, State

  31. Business Impact Analysis Goals: • Correlate specific system components with the critical services they provide • Characterize the consequences of a disruption • Inventory critical services and systems • Identify allowable outage times • Develop a prioritized restoration order

  32. Business Impact Analysis Phases:

  33. Business Impact Analysis Data Collection • Questionnaire Approach: • Design questionnaire • Develop data analysis process • Develop instructions • Cover Letter • Formal presentation • Questionnaire distribution • Questionnaire collection • Interview Approach: • Develop interview guide • Train interviewers • Formal Presentation • Schedule interview • Conduct interview • Validate

  34. Business Impact Analysis Data Collection • Mission • Service Objectives • Dependencies • Impacts over time • Critical time periods • Financial impact • Operational impact • Legal, regulatory, contractual requirements

  35. Business Impact Analysis Reference Materials: • Mission Statements • Service Objectives • Service Level Agreements • Organizational Charts • Policies and Procedures

  36. Business Impact Analysis Data Analysis Methodology • Quantitative Impact • Losses identified in quantities or percentages that can be described in monetary terms • Qualitative Impact • Intangible losses that can have an operational impact but that cannot be quantified in monetary terms

  37. Business Impact Analysis Data Analysis Deliverables: • Prioritized list of business functions ordered by MTD • Recovery strategies • Cost-benefit analysis

  38. Business Impact Analysis Identification of Critical Resources • What resources are needed to provide critical services? • Identify • Full range of support • Security • Managerial • Technical • Operational

  39. Business Impact Analysis Identify Critical Resources • Processes: Payroll, Time Reporting, Time Approval • Resources: LAN server, Network router, E-mail, E-mail server • Input from: • Users • Business process owners • Application owners • Business partners

  40. Business Impact Analysis • Process: Time Reporting • Critical Resources: LAN server, Network router, E-mail, E-mail server • Max Allow Outage: 8 hrs • Impact: Delayed time processing; Inability to perform routine payroll; Delayed checks

  41. Business Impact Analysis Priorities and Dependencies • Includes infrastructure: • Electric • Telecommunications • Environmental controls

  42. Business Impact Analysis Recovery Priorities • LAN server (Priority: High; Dependency: Network) • Network router (Priority: High) • E-mail (Priority: Low; Dependency: Network, LAN server, Email Server) • E-mail server (Priority: High; Dependency: Network, LAN)

  43. Business Impact Analysis Identify Impacts: • Tracking the effects over time • Across related resources and dependent systems

  44. Business Impact Analysis Recovery Cost Balancing • Cost of disruption • Cost to recover

  45. Business Impact Analysis Common BIA Terminology: • MTD – Maximum Tolerable Downtime • MAO – Maximum Allowable Outage • MTBF – Mean Time Before Failure • Criticality Level • Tangible Impact • Intangible Impact • RTO – Recovery Time Objective • RPO – Recovery Point Objective

  46. Business Impact Analysis Reporting and Approval • Confirm findings • Present to organizational management • Set scope for next cycle of BIA

  47. Business Impact Analysis Just when you thought it was done… • It could be the next department or the annual review • Don’t forget to analyze what worked and what didn’t • Try to work the BIA into ongoing BCP testing and training

  48. Business Impact Analysis Exercises – Business Impact Analysis templates

  49. Leslie Maltz • Deputy VP of IT Planning and Standards, Columbia University • Chief Information Technology Officer, Stevens Institute of Technology

  50. Disaster Recovery: No Longer an Optional Activity
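An added example, not part of the original presentation: the BIA goal on slide 31 ("develop a prioritized restoration order") worked through on the recovery-priorities table from slide 42. It assumes that "Network" in the dependency column refers to the "Network router" row and "LAN" to "LAN server"; the function names and the "Medium" rank are hypothetical.

```python
import heapq

# Slide 42 table, transcribed. Assumption: "Network" in the dependency
# column means the "Network router" row and "LAN" means "LAN server".
RESOURCES = {
    "Network router": ("High", []),
    "LAN server":     ("High", ["Network router"]),
    "E-mail server":  ("High", ["Network router", "LAN server"]),
    "E-mail":         ("Low",  ["Network router", "LAN server", "E-mail server"]),
}
RANK = {"High": 0, "Medium": 1, "Low": 2}  # "Medium" is not on the slide


def restoration_order(resources):
    """Dependency-safe restore order; priority breaks ties (Kahn's algorithm)."""
    for name, (_, deps) in resources.items():
        missing = [d for d in deps if d not in resources]
        if missing:
            raise ValueError(f"{name} depends on unlisted resource(s): {missing}")
    waiting = {name: set(deps) for name, (_, deps) in resources.items()}
    ready = [(RANK[resources[n][0]], n) for n, d in waiting.items() if not d]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for other, deps in waiting.items():
            if name in deps:
                deps.remove(name)
                if not deps:  # last prerequisite restored, now eligible
                    heapq.heappush(ready, (RANK[resources[other][0]], other))
    if len(order) != len(resources):
        stuck = sorted(set(resources) - set(order))
        raise ValueError(f"circular dependency among: {stuck}")
    return order


def priority_inversions(resources):
    """Pairs (resource, dependency) where the dependency is ranked lower."""
    return [(name, dep)
            for name, (prio, deps) in resources.items()
            for dep in deps
            if RANK[resources[dep][0]] > RANK[prio]]


if __name__ == "__main__":
    print(restoration_order(RESOURCES))
    print(priority_inversions(RESOURCES))
```

A non-empty result from `priority_inversions` means a high-priority resource rests on something the BIA rated lower, which is a finding to raise when confirming results with management (slide 46).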
