Disaster Biz Resumpt


Published on

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Disaster Biz Resumpt

    1. 1. Corp. AWS Overview Security & Business Continuity
    2. 2. Introduction <ul><li>To preserve of the business in the face of major disruptions to normal business operations. </li></ul><ul><li>Describe objectives of the domain </li></ul><ul><ul><li>Theoretical </li></ul></ul><ul><ul><li>Practical </li></ul></ul><ul><ul><li>Significance </li></ul></ul>
    3. 3. Domain Topics <ul><li>BCP vs. DRP </li></ul><ul><li>BIAs </li></ul><ul><li>Contingency Planning </li></ul><ul><li>End User Environment </li></ul><ul><li>Backup Alternatives </li></ul><ul><li>Recovery and Restoration </li></ul><ul><li>Choosing a Software Backup Facility </li></ul><ul><li>Testing and Drills </li></ul><ul><li>Emergency Response </li></ul>
    4. 4. Information Security Requirements <ul><li>BCP and DRP are part of the Security Policy and Program. </li></ul><ul><li>Policy statement set by executive staff. </li></ul><ul><li>Not optional. </li></ul><ul><li>Must include the business. </li></ul><ul><li>This is true at Corp. </li></ul>
    5. 5. BCP vs. DRP <ul><li>Business Continuity Planning is addresses the needs to maintain the business until the situation returns to normal (pre-disaster situation). </li></ul><ul><li>Disaster Recovery Planning is aimed at minimizing the effects of a impact and ensuring that resources, personnel, and business processes are able to resume in a timely manner. </li></ul><ul><li>BCP’s goal is to keep the business running … </li></ul><ul><li>DRP’s goal is to resume a lost part of the business. </li></ul><ul><li>Just because you lose a system, you may not implement BCP. </li></ul><ul><ul><li>E.g.. Server crash, 4 hour SLA, 2 hour rebuild </li></ul></ul><ul><ul><li>E.g.. System crash, 3 hour failover & expense, 5 hour recovery </li></ul></ul>
    6. 6. Cohesive Response Emergency Management Team Crisis Management Team Business Resumption Business Resumption Resource Support Team Vital Records Facilities Services Information Technology Communications Purchasing Maintenance Space Planning Security
    7. 7. Business Impact Analysis <ul><li>A BIA is performed before a plan is written to identify the areas that are at greatest financial or operation loss in the event of a disaster or disruption. </li></ul><ul><li>How? </li></ul><ul><ul><ul><li>develop materials </li></ul></ul></ul><ul><ul><ul><li>gather information (quantitative & qualitative) </li></ul></ul></ul><ul><ul><ul><li>analyze and interpret </li></ul></ul></ul><ul><ul><ul><li>prepare and recommend </li></ul></ul></ul>Corp. Practice: Corp. completed an initial BIA in December of 2001. It is red cover and was compiled from 200+ key business personnel. Managed at IT Staff and Audit Level.
    8. 8. BIA cont. <ul><li>Major deliverable </li></ul><ul><ul><li>Identify vulnerabilities </li></ul></ul>
    9. 9. Establishment of Priorities <ul><li>Organizing when to do what </li></ul><ul><li>Resource limitations </li></ul><ul><ul><li>facilities </li></ul></ul><ul><ul><li>people </li></ul></ul><ul><ul><li>hardware </li></ul></ul><ul><ul><li>backup </li></ul></ul>Corp. Practice: We have tiered priorities and people response. We are taking that down to a view per site and datacenter.
    10. 10. Critical Business Functions <ul><li>What is most important to a company. </li></ul><ul><li>Identified by senior management. </li></ul><ul><li>Supports or defines the mission of the company. </li></ul><ul><li>Almost always the money chain. </li></ul><ul><li>Measured in cost per hour of downtime. </li></ul>
    11. 11. Processes to Plans <ul><li>Identify Business Processes </li></ul><ul><li>Select Required Functions </li></ul><ul><li>Identify Macro Processes </li></ul><ul><li>Develop Plans </li></ul>Business Processes ORDER SHIP CLOSE PAY BUILD
    12. 12. Emergency Response <ul><li>Save lives, not a recovery exercise </li></ul><ul><li>Reduce further injuries </li></ul><ul><li>Secure the facilities </li></ul><ul><li>Contain the situation </li></ul>Corp. Practice:
    13. 13. Crisis Management <ul><li>Coordinated disaster response. </li></ul><ul><li>To mitigate further disruptions, containment, secure facilities, coordinate and control external communications and activities. </li></ul>Corp. Practice: CEOC - super event. EOC- Life and Limb IT-ERP is the team for IT.
    14. 14. Emergency Assessment <ul><li>Understand the impact </li></ul><ul><li>Determine the correct response </li></ul>Corp. Practice: Done at the site level..
    15. 15. External Communications <ul><li>Media Training </li></ul><ul><li>Impact Perception vs. Reality </li></ul>Corp. Practice: No one should talk to the press unless you have been approved and trained to do so.
    16. 16. Containment Priorities <ul><li>Life and Limb </li></ul><ul><li>Assets </li></ul><ul><li>Records </li></ul>
    17. 17. Training/Testing/Drilling <ul><li>Checklist Test (Contact and part of SWT) </li></ul><ul><li>Structured Walkthrough (Structured Walkthrough) </li></ul><ul><li>Simulation (Functional) </li></ul><ul><li>Parallel (Functional) </li></ul><ul><li>Full-Interruption (Integrated) </li></ul><ul><li>Prepare people to react, respond, and resume operations under stressful and time critical situations. Mature our skill levels. </li></ul>Corp. Practice: Contact done Quarterly, Structured Walkthroughs at least twice a year, Functional Test at least yearly, Integrated test performed once every two years.
    18. 18. Test Types – Contact Verification <ul><li>Validate Information for: </li></ul><ul><ul><li>Employees </li></ul></ul><ul><ul><li>Team members </li></ul></ul><ul><ul><li>Emergency Authorities </li></ul></ul><ul><ul><li>Vendor representatives </li></ul></ul><ul><ul><li>Customer representatives </li></ul></ul><ul><ul><li>Business partners </li></ul></ul><ul><ul><li>Media outlets / silos </li></ul></ul><ul><ul><li>Other stakeholders </li></ul></ul>Verify available contact elements Street Address Cellular Pager Work Home
    19. 19. Recovery Plan Development <ul><li>BIA, SPOF's, Mitigation, Strategy, Priority, Scope, Approvals </li></ul><ul><li>Written for the recovery team. </li></ul><ul><li>More generic. </li></ul>Corp. Practice: BIA, SPOF Analysis, Strategy, Priority, Approval, Scope, Plan Creation (Process, Team, Positions, Tasks, Resources), Peer Review (SWC), Contact Test
    20. 20. Documentation <ul><li>How to recover </li></ul><ul><li>Essential steps </li></ul><ul><li>Written for a specific audience </li></ul><ul><li>Aims to document critical decisions before the crisis </li></ul>Corp. Practice: The system of record for IT is XXXXX The business uses MS-word. When they automate further, it will be in XXXx system.
    21. 21. Logistics and Supplies <ul><li>Coordinated response for people to get the needed resources delivered to meet the recovery priorities and recovery objectives. </li></ul><ul><li>Why- </li></ul><ul><ul><li>predefined streamlined processes provide real time response instead of normal approval cycles which may have broken down when the disaster occurred </li></ul></ul>Corp. Practice: Driven by Priorities. Simplified to remove processes like procurement and approvals.
    22. 22. Data Recovery <ul><li>RPO- Recovery Point Objective </li></ul><ul><li>Recovery Priorities </li></ul>Corp. Practice: IT staff has stated that we want no data loss. Hasn’t funded. Recovery Priorities are being set per data center.
    23. 23. Backups and Offsite Storage <ul><li>Types </li></ul><ul><ul><li>Full –everything </li></ul></ul><ul><ul><li>Incremental –modified files since last any backup </li></ul></ul><ul><ul><li>Differential –everything since last full </li></ul></ul><ul><ul><li>Methods </li></ul></ul><ul><li>Backup Facility – </li></ul><ul><ul><li>accessible in your timeframes to recover </li></ul></ul><ul><ul><li>available on demand </li></ul></ul><ul><ul><li>fire “proof” </li></ul></ul>Corp. Practice: Strategy is undergoing major revisions. IT is your best source for program information.
    24. 24. Recovery Time Objective (RTO) No Longer Have to Wait For a Catastrophe minutes and hours are dollars in revenue Resume Business Lost Time Crisis Time Zero Emergency Response Relocate Backups Mobilize Resources Restore Operating System Reload Data Base Roll Forward & ReSync
    25. 25. Cold, Warm, Hot, Mobile Sites <ul><li>Subscription Services – for a fee. </li></ul><ul><li>Cold Site – basic environment, electrical wiring, air conditioning, plumbing, and flooring. (may take weeks to activate) </li></ul><ul><li>Warm Site – cold site basics plus some services (servers, backups, network) </li></ul><ul><li>Hot Site – everything for a quick failover. Usually less than 4 hours. Costly </li></ul><ul><li>Mobile Sites – e.g.. PBx in a flatbed, crash kits </li></ul>Corp. Practice: We have a mixture. Moving away from subscriptions and toward company owned internal hot sites.
    26. 26. A Successful Business Continuity Program Trained Personnel Testing Up-to-Date Plan Strategy Business Continuity!!!
    27. 27. BCP/DRP Events <ul><li>Links </li></ul><ul><ul><li>DRJ (Disaster Recovery Journal) </li></ul></ul><ul><ul><li>DRI (Disaster Recovery Institute) </li></ul></ul><ul><ul><li>BCI (Business Continuity International) </li></ul></ul><ul><ul><li>Contingency Planning </li></ul></ul>
    28. 28. Program Interdependency Biz Apps/Infrastructure SAP WOM Biz Functions Order Build Ship Close IT Core BCP Focus Business BCP Focus App/Service BCP Focus External Requirements Basic Infrastructure Facilities Power Enabling Apps/Services Messaging Voicemail Conferencing Security Basic Services Network Internet Intranet Telephony
    29. 29. Summary <ul><li>Key Topics </li></ul><ul><ul><ul><li>BCP vs. DRP </li></ul></ul></ul><ul><ul><ul><li>BIAs </li></ul></ul></ul><ul><ul><ul><li>Contingency Planning </li></ul></ul></ul><ul><ul><ul><li>End User Environment </li></ul></ul></ul><ul><ul><ul><li>Backup Alternatives </li></ul></ul></ul><ul><ul><ul><li>Recovery and Restoration </li></ul></ul></ul><ul><ul><ul><li>Choosing a Software Backup Facility </li></ul></ul></ul><ul><ul><ul><li>Testing and Drills </li></ul></ul></ul><ul><ul><ul><li>Emergency Response </li></ul></ul></ul>
    30. 30. Questions <ul><li>Why perform a risk analysis: </li></ul><ul><ul><li>inventory assets </li></ul></ul><ul><ul><li>identify single points of failure </li></ul></ul><ul><ul><li>identify all data in all systems </li></ul></ul><ul><ul><li>review all procedures in all places </li></ul></ul>
    31. 31. Questions <ul><li>Primary function of the DR committee: </li></ul><ul><ul><li>identify strategies </li></ul></ul><ul><ul><li>recover </li></ul></ul><ul><ul><li>identify weaknesses in systems </li></ul></ul><ul><ul><li>prepare for a disaster </li></ul></ul>
    32. 32. Questions <ul><li>Major purpose of a written plan: </li></ul><ul><ul><li>satisfy auditors </li></ul></ul><ul><ul><li>satisfy regulatory authorities </li></ul></ul><ul><ul><li>minimize the pressure to make decisions </li></ul></ul><ul><ul><li>coordinate all parties </li></ul></ul>
    33. 33. Questions <ul><li>The ultimate goal of a disaster recovery plan is: </li></ul><ul><ul><li>get operations up and running quickly </li></ul></ul><ul><ul><li>restore at least partial operations </li></ul></ul><ul><ul><li>get operations up and running efficiently </li></ul></ul><ul><ul><li>restore operations to a pre-disaster state </li></ul></ul>
    34. 34. Questions <ul><li>During a disaster, which procedures require coordinated efforts of a disaster recovery specialist and IS security specialists? </li></ul><ul><ul><li>notifying employees </li></ul></ul><ul><ul><li>retrieving supplies </li></ul></ul><ul><ul><li>returning to the original site </li></ul></ul><ul><ul><li>recovering lost data </li></ul></ul>
    35. 35. Questions <ul><li>A proactive disaster recovery plan includes all but </li></ul><ul><ul><li>UPS </li></ul></ul><ul><ul><li>emergency procedures </li></ul></ul><ul><ul><li>a provision for recovery after the disaster </li></ul></ul><ul><ul><li>a fire extinguisher </li></ul></ul>
    36. 36. Questions <ul><li>DRP and Security policies are: </li></ul><ul><ul><li>separate but complementary </li></ul></ul><ul><ul><li>separate without substitution </li></ul></ul><ul><ul><li>can be one document </li></ul></ul><ul><ul><li>separate and diverse </li></ul></ul>
    37. 37. Questions <ul><li>Major purpose of a written plan: </li></ul><ul><ul><li>minimize the pressure to make decisions </li></ul></ul><ul><li>The ultimate goal of a disaster recovery plan is: </li></ul><ul><ul><li>restore operations to a pre-disaster state </li></ul></ul>
    38. 38. Questions <ul><li>During a disaster, which procedures require coordinated efforts of a disaster recovery specialist and IS security specialists? </li></ul><ul><ul><li>recovering lost data </li></ul></ul><ul><li>Primary function of the DR committee: </li></ul><ul><ul><li>recover </li></ul></ul><ul><li>Why perform a risk analysis: </li></ul><ul><ul><li>identify single points of failure </li></ul></ul>
    39. 39. Questions <ul><li>A proactive disaster recovery plan includes all but </li></ul><ul><ul><li>a provision for recovery after the disaster </li></ul></ul><ul><li>DRP and Security policies are: </li></ul><ul><ul><li>separate but complementary </li></ul></ul>