Business Continuity Planning

1,525 views
1,404 views

Published on

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,525
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
107
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • Vulnerabilities? Improper access to data - controls not granular enough Invalid data - Update permitted to the wrong/too many people
  • Business Continuity Planning

    1. 1. Business Continuity Planning <ul><li>The Problem - Reasons for Business Continuity Planning - BCP </li></ul><ul><li>Principles of BCP </li></ul><ul><li>Doing BCP </li></ul><ul><ul><li>The steps </li></ul></ul><ul><ul><li>What is included </li></ul></ul><ul><ul><li>The stages of an incident </li></ul></ul>
    2. 2. Definitions <ul><li>A contingency plan is: </li></ul><ul><ul><li>“ A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation…” </li></ul></ul><ul><ul><li>(National Computer Security Center 1988) </li></ul></ul><ul><li>1997-98 survey >35% of companies have no plans </li></ul>
    3. 3. Definitions of BCP <ul><li>Disaster Recovery </li></ul><ul><li>Business Continuity Planning </li></ul><ul><li>End-user Recovery Planning </li></ul><ul><li>Contingency Planning </li></ul><ul><li>Emergency Response </li></ul><ul><li>Crisis Management </li></ul><ul><li>The goal is to assist the organization/business to continue functioning even though normal operations are disrupted </li></ul><ul><li>Includes steps to take </li></ul><ul><ul><li>Before a disruption </li></ul></ul><ul><ul><li>During a disruption </li></ul></ul><ul><ul><li>After a disruption </li></ul></ul>
    4. 4. Reasons for BCP <ul><li>It is better to plan activities ahead of time rather than to react when the time comes </li></ul><ul><ul><li>“Proactive” rather than “Reactive” </li></ul></ul><ul><ul><li>Take the correct actions when needed </li></ul></ul><ul><ul><li>Allow for experienced personnel to be absent </li></ul></ul>
    5. 5. Reasons for BCP <ul><li>It is better to plan activities ahead of time rather than to react when the time comes </li></ul><ul><ul><li>“ Proactive” rather than “Reactive” </li></ul></ul><ul><li>Maintain business operations </li></ul><ul><ul><li>Keep the money coming in </li></ul></ul><ul><ul><li>Short and long term loss of business </li></ul></ul><ul><ul><li>Have necessary materials, equipment, information on hand </li></ul></ul><ul><ul><li>Saves time, mistakes, stress and $$ </li></ul></ul><ul><ul><li>Planning can take up to 3 years </li></ul></ul>
    6. 6. Reasons for BCP <ul><li>It is better to plan activities ahead of time rather than to react when the time comes </li></ul><ul><ul><li>“ Proactive” rather than “Reactive” </li></ul></ul><ul><li>Maintain business operations </li></ul><ul><ul><li>Keep the money coming in </li></ul></ul><ul><ul><li>Short and long term loss of business </li></ul></ul><ul><li>Effect on customers </li></ul><ul><ul><li>Public image </li></ul></ul><ul><ul><li>Loss of life </li></ul></ul>
    7. 7. Reasons for BCP <ul><li>It is better to plan activities ahead of time rather than to react when the time comes </li></ul><ul><ul><li>“ Proactive” rather than “Reactive” </li></ul></ul><ul><li>Maintain business operations </li></ul><ul><ul><li>Keep the money coming in </li></ul></ul><ul><ul><li>Short and long term loss of business </li></ul></ul><ul><li>Effect on customers </li></ul><ul><li>Legal requirements </li></ul><ul><ul><li>‘ 77 Foreign Corrupt Practices Act/protection of stockholders </li></ul></ul><ul><ul><ul><li>Management criminally liable </li></ul></ul></ul>
    8. 8. Reasons for BCP <ul><li>It is better to plan activities ahead of time rather than to react when the time comes </li></ul><ul><ul><li>“ Proactive” rather than “Reactive” </li></ul></ul><ul><li>Maintain business operations </li></ul><ul><ul><li>Keep the money coming in </li></ul></ul><ul><ul><li>Short and long term loss of business </li></ul></ul><ul><li>Effect on customers </li></ul><ul><li>Legal requirements </li></ul><ul><ul><li>‘ 77 Foreign Corrupt Practices Act/protection of stockholders </li></ul></ul><ul><ul><li>Federal Financial Institutions Examination Council (FFIEC) </li></ul></ul><ul><ul><li>FCPA SAS30 Audit Standards </li></ul></ul><ul><ul><li>Defense Investigative Service </li></ul></ul><ul><ul><li>Legal and Regulatory sanctions, civil suits </li></ul></ul>
    9. 9. Definitions <ul><li>Due Care </li></ul><ul><ul><li>minimum and customary practice of responsible protection of assets that reflects a community or societal norm </li></ul></ul><ul><li>Due Diligence </li></ul><ul><ul><li>prudent management and execution of due care </li></ul></ul>
    10. 10. The Problem <ul><li>Utility failures </li></ul><ul><li>Intruders </li></ul><ul><li>Fire/Smoke </li></ul><ul><li>Water </li></ul><ul><li>Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes) </li></ul><ul><li>Heat/Humidity </li></ul><ul><li>Electromagnetic emanations </li></ul><ul><li>Hostile activity </li></ul><ul><li>Technology failure </li></ul>
    11. 11. Recent Disasters <ul><li>Bombings </li></ul><ul><ul><li>‘ 92 London financial district </li></ul></ul><ul><ul><li>‘ 93 World Trade Center, NY </li></ul></ul><ul><ul><li>‘ 93 London financial district </li></ul></ul><ul><ul><li>‘ 95 Oklahoma City </li></ul></ul><ul><ul><li>’ 01 World Trade Center, NY (9/11) </li></ul></ul><ul><li>Earthquakes </li></ul><ul><ul><li>‘ 89 San Francisco </li></ul></ul><ul><ul><li>‘ 94 Los Angeles </li></ul></ul><ul><ul><li>‘ 95 Kobe, JP </li></ul></ul><ul><li>Fires </li></ul><ul><ul><li>‘ 95 Malden Mills, Lawrence, MA </li></ul></ul><ul><ul><li>‘ 96 Credit Lyonnais, FR </li></ul></ul><ul><ul><li>‘ 97 Iron Mountain Record Center, Brunswick, NJ </li></ul></ul>
    12. 12. Recent Disasters <ul><li>Power </li></ul><ul><ul><li>‘ 92 AT&T </li></ul></ul><ul><ul><li>‘ 96 Orrville, OH </li></ul></ul><ul><ul><li>‘ 99 East coast heat/drought brownouts </li></ul></ul><ul><li>Floods </li></ul><ul><ul><li>‘ 97 Midwest floods </li></ul></ul><ul><li>Storms </li></ul><ul><ul><li>‘ 92 Hurricane Andrew </li></ul></ul><ul><ul><li>‘ 93 Northeast Blizzard </li></ul></ul><ul><ul><li>‘ 96 Hurricanes Bertha, Fran </li></ul></ul><ul><ul><li>‘ 98 Florida tornados </li></ul></ul><ul><li>Hardware/Software </li></ul><ul><ul><li>Year 2000 </li></ul></ul>
    13. 13. The Problem <ul><li>Utility failures </li></ul><ul><li>Intruders </li></ul><ul><li>Fire/Smoke </li></ul><ul><li>Water </li></ul><ul><li>Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes) </li></ul><ul><li>Heat/Humidity </li></ul><ul><li>Electromagnetic emanations </li></ul><ul><li>Hostile activity </li></ul><ul><li>Technology failure </li></ul><ul><li>Failure to keep operating </li></ul><ul><ul><li>Fortune 1000 study </li></ul></ul><ul><ul><li>Average loss $78K, up to $500K </li></ul></ul><ul><ul><li>65% failing over 1 week never reopen </li></ul></ul><ul><ul><li>Loss of market share common </li></ul></ul>
    14. 14. Threats <ul><li>From Data Pro reports </li></ul><ul><ul><li>Errors & omissions 50% </li></ul></ul><ul><ul><li>Fire, water, electrical 25% </li></ul></ul><ul><ul><li>Dishonest employees 10% </li></ul></ul><ul><ul><li>Disgruntled employees 10% </li></ul></ul><ul><ul><li>Outsider threats 5% </li></ul></ul>
    15. 15. The Controls <ul><li>Least Privilege </li></ul><ul><ul><li>Information security </li></ul></ul><ul><li>Redundancy </li></ul><ul><ul><li>Backed up data </li></ul></ul><ul><ul><li>Alternate equipment </li></ul></ul><ul><ul><li>Alternate communications </li></ul></ul><ul><ul><li>Alternate facilities </li></ul></ul><ul><ul><li>Alternate personnel </li></ul></ul><ul><ul><li>Alternate procedures </li></ul></ul>
    16. 16. The Steps in a BCP - Initiation <ul><li>Project initiation </li></ul><ul><ul><li>Business case to obtain support </li></ul></ul><ul><ul><li>Sell the need for DRP (price vs benefit) </li></ul></ul><ul><ul><li>Build and maintain awareness </li></ul></ul><ul><ul><li>On-going testing & maintenance </li></ul></ul><ul><ul><li>Top down approach </li></ul></ul><ul><ul><li>Executive commitment and support MOST CRITICAL </li></ul></ul><ul><ul><li>Project planning, staffing </li></ul></ul><ul><ul><ul><li>Local support/responsibility </li></ul></ul></ul>
    17. 17. The Steps in a BCP - 1 <ul><li>Impact Assessment (Impact Analysis/Vulnerability Assessment/Current State Assessment/Risk Assessment ) </li></ul><ul><ul><li>Purpose </li></ul></ul><ul><ul><li>Identify risks </li></ul></ul><ul><ul><li>Identify business requirements for continuity </li></ul></ul><ul><ul><li>Quantify impact of potential threats </li></ul></ul><ul><ul><li>Balance impact and countermeasure cost </li></ul></ul><ul><ul><li>Establish recovery priorities </li></ul></ul>
    18. 18. Benefits <ul><li>Relates security objectives to organization mission </li></ul><ul><li>Quantifies how much to spend on security measures </li></ul><ul><li>Provides long term planning guidance </li></ul><ul><ul><li>Building design </li></ul></ul><ul><ul><li>HW configuration </li></ul></ul><ul><ul><li>SW </li></ul></ul><ul><ul><li>Internal controls </li></ul></ul><ul><ul><li>Criteria for contingency plans </li></ul></ul><ul><ul><li>Security policy </li></ul></ul><ul><ul><li>Site selection </li></ul></ul><ul><ul><ul><li>Protection requirements </li></ul></ul></ul><ul><ul><ul><li>Significant threats </li></ul></ul></ul><ul><ul><ul><li>Responsibilities </li></ul></ul></ul>
    19. 19. The Steps in a BCP - 1 <ul><li>Risk Assessment </li></ul><ul><ul><li>Potential failure scenarios </li></ul></ul><ul><ul><li>Likelihood of failure </li></ul></ul><ul><ul><li>Cost of failure (loss impact analysis) </li></ul></ul><ul><ul><ul><li>Dollar losses </li></ul></ul></ul><ul><ul><ul><li>Additional operational expenses </li></ul></ul></ul><ul><ul><ul><li>Violation of contracts, regulatory requirements </li></ul></ul></ul><ul><ul><ul><li>Loss of competitive advantage, public confidence </li></ul></ul></ul><ul><ul><li>Assumed maximum downtime (recovery time frames) </li></ul></ul><ul><ul><ul><li>Rate of losses </li></ul></ul></ul><ul><ul><ul><li>Periodic criticality </li></ul></ul></ul><ul><ul><ul><li>Time-loss curve charts </li></ul></ul></ul>
    20. 20. The Steps in a BCP - 1 <ul><li>Risk Assessment/Analysis </li></ul><ul><ul><li>Potential failure scenarios (risks) </li></ul></ul><ul><ul><li>Likelihood of failure </li></ul></ul><ul><ul><li>Cost of failure, quantify impact of threat </li></ul></ul><ul><ul><li>Assumed maximum downtime </li></ul></ul><ul><ul><li>Annual Loss Expectancy </li></ul></ul><ul><ul><li>Worst case assumptions </li></ul></ul><ul><ul><li>Based on business process model? Or IT model? </li></ul></ul><ul><ul><li>Identify critical functions and supporting resources </li></ul></ul><ul><ul><li>Balance impact and countermeasure cost </li></ul></ul><ul><li>Key - </li></ul><ul><ul><li>Potential damage </li></ul></ul><ul><ul><li>Likelihood </li></ul></ul>
    21. 21. Definitions <ul><li>Threat </li></ul><ul><ul><li>any event which could have an undesirable impact </li></ul></ul><ul><li>Vulnerability </li></ul><ul><ul><li>absence or weakness of a risk-reducing safeguard, potential to allow a threat to occur with greater frequency, greater impact, or both </li></ul></ul><ul><ul><li>Exposure </li></ul></ul><ul><ul><li>a measure of the magnitude of loss or impact on the value of the asset </li></ul></ul><ul><li>Risk </li></ul><ul><ul><li>the potential for harm or loss, including the degree of confidence of the estimate </li></ul></ul>
    22. 22. Definitions <ul><li>Quantitative Risk Analysis </li></ul><ul><ul><li>quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability </li></ul></ul><ul><ul><li>Powerful aid to decision making </li></ul></ul><ul><ul><li>Difficult to do in time and cost </li></ul></ul><ul><li>Qualitative Risk Analysis </li></ul><ul><ul><li>minimally quantified estimates </li></ul></ul><ul><ul><li>Exposure scale ranking estimates </li></ul></ul><ul><ul><li>Easier in time and money </li></ul></ul><ul><ul><li>Less compelling </li></ul></ul><ul><li>Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative </li></ul>
    23. 23. Results <ul><li>Loss impact analysis </li></ul><ul><li>Recovery time frames </li></ul><ul><ul><li>Essential business functions </li></ul></ul><ul><ul><li>Information systems applications </li></ul></ul><ul><li>Recommended recovery priorities & strategies </li></ul><ul><li>Goals </li></ul><ul><ul><li>Understand economic & operational impact </li></ul></ul><ul><ul><li>Determine recovery time frame (business/DP/Network) </li></ul></ul><ul><ul><li>Identify most appropriate strategy </li></ul></ul><ul><ul><li>Cost/justify recovery planning </li></ul></ul><ul><ul><li>Include BCP in normal decision making process </li></ul></ul>
    24. 24. Risk Management Team <ul><li>Management - Support </li></ul><ul><li>DP Operations </li></ul><ul><li>Systems Programming </li></ul><ul><li>Internal Audit </li></ul><ul><li>Physical Security </li></ul><ul><li>Application owners </li></ul><ul><li>Application programmers </li></ul>
    25. 25. Preliminary Security Exam <ul><li>Asset costs </li></ul><ul><li>Threat survey </li></ul><ul><ul><li>Personnel </li></ul></ul><ul><ul><li>Physical environment </li></ul></ul><ul><ul><li>HW/SW </li></ul></ul><ul><ul><li>Communications </li></ul></ul><ul><ul><li>Applications </li></ul></ul><ul><ul><li>Operations </li></ul></ul><ul><ul><li>Natural disasters </li></ul></ul><ul><ul><li>Environment </li></ul></ul><ul><ul><li>Facility </li></ul></ul><ul><ul><li>Access </li></ul></ul><ul><ul><li>Data value </li></ul></ul>
    26. 26. Preliminary Security Exam <ul><li>Asset costs </li></ul><ul><li>Threat survey </li></ul><ul><li>Existing security measures </li></ul><ul><li>Management review </li></ul>
    27. 27. Threats <ul><li>Hardware failure </li></ul><ul><li>Utility failure </li></ul><ul><li>Natural disasters </li></ul><ul><li>Loss of key personnel </li></ul><ul><li>Human errors </li></ul><ul><li>Neighborhood hazards </li></ul><ul><li>Tampering </li></ul><ul><li>Disgruntled employees </li></ul><ul><li>Emanations </li></ul><ul><li>Unauthorized access </li></ul><ul><li>Safety </li></ul><ul><li>Improper use of technology </li></ul><ul><li>Repetition of errors </li></ul><ul><li>Cascading of errors </li></ul><ul><li>Illogical processing </li></ul><ul><li>Translation of user needs (technical requirements) </li></ul><ul><li>Inability to control technology </li></ul><ul><li>Equipment failure </li></ul><ul><li>Incorrect entry of data </li></ul><ul><li>Concentration of data </li></ul><ul><li>Inability to react quickly </li></ul><ul><li>Inability to substantiate processing </li></ul><ul><li>Concentration of responsibilities </li></ul><ul><li>Erroneous/falsified data </li></ul><ul><li>Misuse </li></ul>
    28. 28. Threats <ul><li>Uncontrolled system access </li></ul><ul><li>Ineffective application security </li></ul><ul><li>Operations procedural errors </li></ul><ul><li>Program errors </li></ul><ul><li>Operating system flaws </li></ul><ul><li>Communications system failure </li></ul><ul><li>Utility failure </li></ul>
    29. 29. Risk Analysis Steps <ul><li>1 - Identify essential business functions </li></ul><ul><ul><li>Dollar losses or added expense </li></ul></ul><ul><ul><li>Contract/legal/regulatory requirements </li></ul></ul><ul><ul><li>Competitive advantage/market share </li></ul></ul><ul><ul><li>Interviews, questionnaires, workshops </li></ul></ul><ul><li>2 - Establish recovery plan parameters </li></ul><ul><ul><li>Prioritize business functions </li></ul></ul><ul><li>3 - Gather impact data/Threat analysis </li></ul><ul><ul><li>Probability of occurrence, source of help </li></ul></ul><ul><ul><li>Document business functions </li></ul></ul><ul><ul><li>Define support requirements </li></ul></ul><ul><ul><li>Document effects of disruption </li></ul></ul><ul><ul><li>Determine maximum acceptable outage period </li></ul></ul><ul><ul><li>Create outage scenarios </li></ul></ul>
    30. 30. Risk Analysis Steps <ul><li>4 - Analyze and summarize </li></ul><ul><ul><li>Estimate potential losses </li></ul></ul><ul><ul><ul><li>Destruction/theft of assets </li></ul></ul></ul><ul><ul><ul><li>Loss of data </li></ul></ul></ul><ul><ul><ul><li>Theft of information </li></ul></ul></ul><ul><ul><ul><li>Indirect theft of assets </li></ul></ul></ul><ul><ul><ul><li>Delayed processing </li></ul></ul></ul><ul><ul><ul><li>Consider periodicity </li></ul></ul></ul><ul><ul><li>Combine potential loss & probability </li></ul></ul><ul><ul><li>Magnitude of risk is the ALE (Annual Loss Expectancy) </li></ul></ul><ul><ul><li>Guide to security measures and how much to spend </li></ul></ul>
    31. 31. Results <ul><li>Significant threats & probabilities </li></ul><ul><li>Critical tasks & loss potential by threat </li></ul><ul><li>Remedial measures </li></ul><ul><ul><li>Greatest net reduction in losses </li></ul></ul><ul><ul><li>Annual cost </li></ul></ul>
    32. 32. Information Valuation <ul><li>Information has cost/value </li></ul><ul><ul><li>Acquire/develop/maintain </li></ul></ul><ul><ul><li>Owner/Custodian/User/Adversary </li></ul></ul><ul><li>Do a cost/value estimate for </li></ul><ul><ul><li>Cost/benefit analysis </li></ul></ul><ul><ul><li>Integrate security in systems </li></ul></ul><ul><ul><li>Avoid penalties </li></ul></ul><ul><ul><li>Preserve proprietary information </li></ul></ul><ul><ul><li>Business continuity </li></ul></ul><ul><li>Circumstances effect valuation timing </li></ul><ul><li>Ethical obligation to use justifiable tools/techniques </li></ul>
    33. 33. Conditions of Value <ul><li>Exclusive possession </li></ul><ul><li>Utility </li></ul><ul><li>Cost of creation/recreation </li></ul><ul><li>Liability </li></ul><ul><li>Convertibility/negotiability </li></ul><ul><li>Operational impact </li></ul><ul><li>Market forces </li></ul><ul><li>Official value </li></ul><ul><li>Expert opinion/appraisal </li></ul><ul><li>Bilateral agreement/contract </li></ul>
    34. 34. Scenario <ul><li>A specific threat (potential event/act) in which assets are subject to loss </li></ul><ul><li>Write scenario for each major threat </li></ul><ul><li>Credibility/functionality review </li></ul><ul><li>Evaluate current safeguards </li></ul><ul><li>Finalize/Play out </li></ul><ul><li>Prepare findings </li></ul>
    35. 35. The Steps in a BCP - 2 <ul><li>Strategy Development (Alternative Selection) </li></ul><ul><ul><li>Management support </li></ul></ul><ul><ul><li>Team structure </li></ul></ul><ul><ul><li>Strategy selection </li></ul></ul><ul><ul><ul><li>Cost effective </li></ul></ul></ul><ul><ul><ul><li>Workable </li></ul></ul></ul>
    36. 36. The Steps in a BCP - 3 <ul><li>Implementation (Plan Development) </li></ul><ul><ul><li>Specify resources needed for recovery </li></ul></ul><ul><ul><li>Make necessary advance arrangements </li></ul></ul><ul><ul><li>Mitigate exposures </li></ul></ul>
    37. 37. The Steps in a BCP - 3 <ul><li>Risk Prevention/Mitigation </li></ul><ul><ul><li>Security - physical and information (access) </li></ul></ul><ul><ul><li>Environmental controls </li></ul></ul><ul><ul><li>Redundancy - Backups/Recoverability </li></ul></ul><ul><ul><ul><li>Journaling, Mirroring, Shadowing </li></ul></ul></ul><ul><ul><ul><li>On-line/near-line/off-line </li></ul></ul></ul><ul><ul><li>Insurance </li></ul></ul><ul><ul><li>Emergency response plans </li></ul></ul><ul><ul><li>Procedures </li></ul></ul><ul><ul><li>Training </li></ul></ul><ul><ul><li>Risk management program </li></ul></ul>
    38. 38. The Steps in a BCP - 3 <ul><li>Decision Making </li></ul><ul><ul><li>Cost effectiveness </li></ul></ul><ul><ul><ul><li>Total cost </li></ul></ul></ul><ul><ul><li>Human intervention requirements </li></ul></ul><ul><ul><ul><li>Manual functions are weakest </li></ul></ul></ul><ul><ul><li>Overrides and defaults </li></ul></ul><ul><ul><ul><li>Shutdown capability </li></ul></ul></ul><ul><ul><ul><li>Default to no access </li></ul></ul></ul><ul><ul><li>Design openness </li></ul></ul><ul><ul><li>Least Privilege </li></ul></ul><ul><ul><ul><li>Minimum information </li></ul></ul></ul><ul><ul><ul><li>Visible safeguards </li></ul></ul></ul><ul><ul><li>Entrapment </li></ul></ul><ul><ul><ul><li>Selected vulnerabilities made attractive </li></ul></ul></ul>
    39. 39. The Steps in a BCP - 3 <ul><li>Decision Making </li></ul><ul><ul><li>Universality </li></ul></ul><ul><ul><li>Compartmentalization, defense in depth </li></ul></ul><ul><ul><li>Isolation </li></ul></ul><ul><ul><li>Completeness </li></ul></ul><ul><ul><li>Instrumentation </li></ul></ul><ul><ul><li>Independence of controller and subject </li></ul></ul><ul><ul><li>Acceptance </li></ul></ul><ul><ul><li>Sustainability </li></ul></ul><ul><ul><li>Auditability </li></ul></ul><ul><ul><li>Accountability </li></ul></ul><ul><ul><li>Recovery </li></ul></ul>
    40. 40. Remedial Measures <ul><li>Alter environment </li></ul><ul><li>Erect barriers </li></ul><ul><li>Improve procedures </li></ul><ul><li>Early detection </li></ul><ul><li>Contingency plans </li></ul><ul><li>Risk assignment (insurance) </li></ul><ul><li>Agreements </li></ul><ul><li>Stockpiling </li></ul><ul><li>Risk acceptance </li></ul>
    41. 41. Remedial Measures <ul><li>Fire </li></ul><ul><ul><li>Detection, suppression </li></ul></ul><ul><li>Water </li></ul><ul><ul><li>Detection, equipment covers, positioning </li></ul></ul><ul><li>Electrical </li></ul><ul><ul><li>UPS, generators </li></ul></ul><ul><li>Environmental </li></ul><ul><ul><li>Backups </li></ul></ul><ul><li>Good housekeeping </li></ul><ul><li>Backup procedures </li></ul><ul><li>Emergency response procedures </li></ul>
    42. 42. The Steps in a BCP - 3 <ul><li>Plan Development </li></ul><ul><ul><li>Specify resources needed for recovery </li></ul></ul><ul><ul><li>Team-based </li></ul></ul><ul><ul><li>Recovery plans </li></ul></ul><ul><ul><li>Mitigation steps </li></ul></ul><ul><ul><li>Testing plans </li></ul></ul><ul><ul><li>Prepared by those who will carry them out </li></ul></ul>
    43. 43. Included in a BCP <ul><li>Off-site storage </li></ul><ul><ul><li>Trip there - secure? Timely? </li></ul></ul><ul><ul><li>Physical layout of site </li></ul></ul><ul><ul><li>Fire protection </li></ul></ul><ul><ul><li>Climate controls </li></ul></ul><ul><ul><li>Security access controls </li></ul></ul><ul><ul><li>Backup power </li></ul></ul>
    44. 44. Included in a BCP <ul><li>Off-site storage </li></ul><ul><li>Alternate site </li></ul><ul><ul><li>Reciprocal agreements/Multiple sites/Service bureaus </li></ul></ul><ul><ul><li>Hot/Warm/Cold(Shell) sites </li></ul></ul><ul><ul><li>Trip there - secure? Timely? </li></ul></ul><ul><ul><li>Physical layout of site </li></ul></ul><ul><ul><li>Fire protection </li></ul></ul><ul><ul><li>Climate controls </li></ul></ul><ul><ul><li>Security access controls </li></ul></ul><ul><ul><li>Backup power </li></ul></ul><ul><ul><li>Agreements </li></ul></ul>
    45. 45. Included in a BCP <ul><li>Off-site storage </li></ul><ul><li>Alternate site </li></ul><ul><li>Backup processing </li></ul><ul><ul><li>Compatibility </li></ul></ul><ul><ul><li>Capacity </li></ul></ul><ul><ul><li>Journaling - maintaining audit records </li></ul></ul><ul><ul><ul><li>Remote journaling - to off-site location </li></ul></ul></ul><ul><ul><li>Shadowing - remote journaling and delayed mirroring </li></ul></ul><ul><ul><li>Mirroring - maintaining realtime copy of data </li></ul></ul><ul><ul><li>Electronic vaulting - bulk transfer of backup files </li></ul></ul>
    46. 46. Included in a BCP <ul><li>Off-site storage </li></ul><ul><li>Alternate site </li></ul><ul><li>Backup processing </li></ul><ul><li>Communications </li></ul><ul><ul><li>Compatibility </li></ul></ul><ul><ul><li>Accessibility </li></ul></ul><ul><ul><li>Capacity </li></ul></ul><ul><ul><li>Alternatives </li></ul></ul>
    47. 47. Included in a BCP <ul><li>Off-site storage </li></ul><ul><li>Alternate site </li></ul><ul><li>Backup processing </li></ul><ul><li>Communications </li></ul><ul><li>Work space </li></ul><ul><ul><li>Accessibility </li></ul></ul><ul><ul><li>Capacity </li></ul></ul><ul><ul><li>Environment </li></ul></ul>
    48. 48. Included in a BCP <ul><li>Off-site storage </li></ul><ul><li>Alternate site </li></ul><ul><li>Backup processing </li></ul><ul><li>Communications </li></ul><ul><li>Work space </li></ul><ul><li>Office equipment/supplies/documentation </li></ul><ul><li>Security </li></ul><ul><li>Critical business processes/Management </li></ul><ul><li>Testing </li></ul><ul><li>Vendors - Contact info, agreements </li></ul><ul><li>Teams - Contact info, transportation </li></ul><ul><li>Return to normal operations </li></ul><ul><li>Resources needed </li></ul>
    49. 49. Complications <ul><li>Media/Police/Public </li></ul><ul><li>Families </li></ul><ul><li>Fraud </li></ul><ul><li>Looting/Vandalism </li></ul><ul><li>Safety/Legal issues </li></ul><ul><li>Expenses/Approval </li></ul>
    50. 50. The Steps in a BCP - Finally <ul><li>Plan Testing </li></ul><ul><ul><li>Proves feasibility of recovery process </li></ul></ul><ul><ul><li>Verifies compatibility of backup facilities </li></ul></ul><ul><ul><li>Ensures adequacy of team procedures </li></ul></ul><ul><ul><ul><li>Identifies deficiencies in procedures </li></ul></ul></ul><ul><ul><li>Trains team members </li></ul></ul><ul><ul><li>Provides mechanism for maintaining/updating the plan </li></ul></ul><ul><ul><li>Upper management comfort </li></ul></ul>
    51. 51. The Steps in a BCP - Finally <ul><li>Plan Testing </li></ul><ul><ul><li>Desk checks/Checklist </li></ul></ul><ul><ul><li>Structured Walkthroughs </li></ul></ul><ul><ul><li>Life exercises/Simulations </li></ul></ul><ul><ul><li>Periodic off-site recovery tests/Parallel </li></ul></ul><ul><ul><li>Full interruption drills </li></ul></ul>
    52. 52. The Steps in a BCP - Finally <ul><li>Test </li></ul><ul><ul><li>Software </li></ul></ul><ul><ul><li>Hardware </li></ul></ul><ul><ul><li>Personnel </li></ul></ul><ul><ul><li>Communications </li></ul></ul><ul><ul><li>Procurement </li></ul></ul><ul><ul><li>Procedures </li></ul></ul><ul><ul><li>Supplies/forms </li></ul></ul><ul><ul><li>Documentation </li></ul></ul><ul><ul><li>Transportation </li></ul></ul><ul><ul><li>Utilities </li></ul></ul><ul><ul><li>Alternate site processing </li></ul></ul><ul><ul><li>Security </li></ul></ul>
    53. 53. The Steps in a BCP - Finally <ul><li>Test </li></ul><ul><ul><li>Purpose (scenario) </li></ul></ul><ul><ul><li>Objectives/Assumptions </li></ul></ul><ul><ul><li>Type </li></ul></ul><ul><ul><li>Timing </li></ul></ul><ul><ul><li>Schedule </li></ul></ul><ul><ul><li>Duration </li></ul></ul><ul><ul><li>Participants </li></ul></ul><ul><ul><ul><li>Assignments </li></ul></ul></ul><ul><ul><li>Constraints </li></ul></ul><ul><ul><li>Steps </li></ul></ul>
    54. 54. The Steps in a BCP - Finally <ul><li>Alternate Site Test </li></ul><ul><li>Activate emergency control center </li></ul><ul><li>Notify & mobilize personnel </li></ul><ul><li>Notify vendors </li></ul><ul><li>Pickup and transport </li></ul><ul><ul><li>tapes </li></ul></ul><ul><ul><li>supplies </li></ul></ul><ul><ul><li>documentation </li></ul></ul><ul><li>Install (Cold and Warm sites) </li></ul><ul><li>IPL </li></ul><ul><li>Verify </li></ul><ul><li>Run </li></ul><ul><li>Shut down/Clean up </li></ul><ul><li>Document/Report </li></ul>
    55. 55. The Steps in a BCP - Finally <ul><li>Plan Update and Retest cycle (Plan Maintenance) </li></ul><ul><ul><li>Critical to maintain validity and usability of plan </li></ul></ul><ul><ul><ul><li>Environmental changes </li></ul></ul></ul><ul><ul><ul><li>HW/SW/FW changes </li></ul></ul></ul><ul><ul><ul><li>Personnel </li></ul></ul></ul><ul><ul><li>Needs to be included in organization plans </li></ul></ul><ul><ul><ul><li>Job description/expectations </li></ul></ul></ul><ul><ul><ul><li>Personnel evaluations </li></ul></ul></ul><ul><ul><ul><li>Audit work plans </li></ul></ul></ul>
    56. 56. BCP by Stages <ul><li>Initiation </li></ul><ul><li>Current state assessment </li></ul><ul><li>Develop support processes </li></ul><ul><li>Training </li></ul><ul><li>Impact Assessment </li></ul><ul><li>Alternative selection </li></ul><ul><li>Recovery Plan development </li></ul><ul><li>Support services continuity plan development </li></ul><ul><li>Master plan consolidation </li></ul><ul><li>Testing strategy development </li></ul><ul><li>Post transition plan development </li></ul>
    57. 57. BCP by Stages <ul><li>Implementation planning </li></ul><ul><li>Quick Hits </li></ul><ul><li>Implementation, testing, maintenance </li></ul>
    58. 58. End User Planning <ul><li>DP is critical to end users </li></ul><ul><li>Difficult to use manual procedures </li></ul><ul><li>Recovery is complex </li></ul><ul><li>Need to plan </li></ul><ul><ul><li>manual procedures </li></ul></ul><ul><ul><li>recovery of data/transactions </li></ul></ul><ul><ul><li>procedures for alternate site operation </li></ul></ul><ul><ul><li>procedures to return to normal </li></ul></ul>
    59. 59. The Real World <ul><li>DR plans normally involve </li></ul><ul><ul><li>Essential DP platforms/systems only </li></ul></ul><ul><ul><li>A manual on the shelf written 2-3 years ago </li></ul></ul><ul><ul><li>Little or no user involvement </li></ul></ul><ul><ul><li>No provision for business processes </li></ul></ul><ul><ul><li>No active testing </li></ul></ul><ul><ul><li>Resource lists and contact information that do not match current realities </li></ul></ul>
    60. 60. Stages in an Incident <ul><li>Disaster </li></ul><ul><ul><li>interruption affecting user operations significantly </li></ul></ul>
    61. 61. Stages in an Incident <ul><li>Disaster </li></ul><ul><li>Initial/Emergency response </li></ul><ul><ul><li>Purpose </li></ul></ul><ul><ul><ul><li>Ensure safety of people </li></ul></ul></ul><ul><ul><ul><li>Prevent further damage </li></ul></ul></ul><ul><ul><li>Activate emergency response team </li></ul></ul><ul><ul><li>Covers emergency procedures for expected hazards </li></ul></ul><ul><ul><li>Safety essential </li></ul></ul><ul><ul><li>Emergency supplies </li></ul></ul><ul><ul><li>Crisis Management plan - decision making </li></ul></ul>
    62. 62. Stages in an Incident <ul><li>Disaster </li></ul><ul><li>Initial response </li></ul><ul><li>Impact assessment </li></ul><ul><ul><li>Activate assessment team </li></ul></ul><ul><ul><li>Determine situation </li></ul></ul><ul><ul><ul><li>What is affected? </li></ul></ul></ul><ul><ul><li>Decide whether to activate plan </li></ul></ul>
    63. 63. Stages in an Incident <ul><li>Disaster </li></ul><ul><li>Initial response </li></ul><ul><li>Impact assessment </li></ul><ul><li>Initial recovery </li></ul><ul><ul><li>Initial recovery of key areas at alternate site </li></ul></ul><ul><ul><li>Detailed procedures </li></ul></ul><ul><ul><li>Salvage/repair - Clean up </li></ul></ul>
    64. 64. Stages in an Incident <ul><li>Disaster </li></ul><ul><li>Initial response </li></ul><ul><li>Impact assessment </li></ul><ul><li>Initial recovery </li></ul><ul><li>Return to normal/Business resumption </li></ul><ul><ul><li>Return to operation at normal site </li></ul></ul><ul><ul><li>“ Emergency” is not over until you are back to normal </li></ul></ul><ul><ul><li>Requires just as much planning - Parallel operations </li></ul></ul>
    65. 65. Special Cases <ul><li>Y2K </li></ul><ul><ul><li>Incidents will happen in a particular time frame </li></ul></ul><ul><ul><li>Alternate sites won’t help </li></ul></ul><ul><ul><li>Redundant equipment won’t help </li></ul></ul><ul><ul><li>Backups won’t help </li></ul></ul><ul><ul><li>Involves automated equipment and services </li></ul></ul>
    66. 66. Final Thoughts <ul><li>Do you really want to activate a DR/BCP plan? </li></ul><ul><ul><li>Prevention </li></ul></ul><ul><ul><li>Planning </li></ul></ul>

    ×