University of Wisconsin/Alliant Energy

  1. Preparing for the Unexpected
     ITSM Conference – April 21, 2008
     Steve Lipshetz – Senior Business Continuity Consultant
  2. Agenda
     - The Risk of a Disaster
     - Business Continuity and Disaster Recovery
     - 9/11 Changed Everything
     - Where Do We Start?
     - What is Business Resilience?
     - Building a Partnership
     - “Right-sizing” the Program
     - Auditing and “Testing” the Program
     - Looking Towards the Future
     - Key Takeaways
  3. The Risk of a Disaster
     - Business and systems operations face four categories of risks:
       - Natural Disaster or Weather Related
       - Terrorism
       - Company Facility / Building
       - People
     - Low probability / high impact
     - Certain risks more likely than others – Midwest / tornado
  4. Business Continuity vs. Disaster Recovery
     - Business Continuity (Led by business area)
       - Company’s game plan for keeping your critical business operations working if:
         - A company worksite is lost (permanent or temporary)
         - Access to computer systems and applications is lost or limited
         - The workforce is disrupted, such as in a pandemic
     - Disaster Recovery (Led by IT)
       - Company’s game plan for maintaining or restoring critical and non-critical infrastructure, systems and applications
     - Joint Efforts – Business and IT
       - Assure that the most critical business operations are “recovered” first
       - Assure that critical systems in support of the business are recovered first
  5. 9/11 Changed Everything
     - Many impacted businesses went out of business
       - Lost data
       - Lost business expertise
     - Difficulty for other companies to get back in business
       - Inadequate recovery plans
       - Lost business expertise
     - CEOs and Boards ask questions:
       - How would our Company fare?
       - Is our data safe?
       - Do we have adequate recovery plans?
       - Do people know what to do in a disaster situation?
       - Can we survive?
  6. Where Do We Start?
     - Risk Evaluation and Control
       - Identifying risks and potential risks
       - Identifying potential consequences if a risk becomes reality
     - Business Impact Analysis
       - Identifying critical business processes and recovery time objectives
       - Identifying dependencies
       - Identifying consequences of disruption
         - Financial
         - Legal
         - Regulatory
         - Reputation
         - Personnel
  7. Where Do We Start?
     Business Process / Functions: Assign Recovery Time Objectives (RTOs)
     - People: performing the process / function
     - Assets and Equipment: needed to perform the process / function
     - Software: needed to perform the process / function
     - Internal Dependencies: other departments that the department depends upon to perform the process / function
     - External Dependencies: third parties that the department relies upon to perform the process / function
     - Vital Records: required to perform the process / function
     - Recovery Locations: alternate location(s) for people / assets
     - External Customers: third parties that rely upon the department to perform the process / function
  8. Where Do We Start?
     - DRI (Disaster Recovery Institute) International
       - Ten professional practices for Business Continuity planners
     - NFPA 1600
     - Generally Accepted Practices for Business Continuity Practitioners
       - Draft collaboration – Disaster Recovery Journal and DRII
     - Business Continuity Institute Good Practice Guidelines
       - Six areas for developing an effective Business Continuity program
  9. Where Do We Start?
     - Coordination with External Agencies
       - NIMS – National Incident Management System
       - ICS – Incident Command System
       - Critical Incident Protocol Program
         - Joint Public / Private partnership
         - Michigan State University / DHS grant
           - Brown, Dane and Eau Claire Counties
           - Milwaukee and Racine
  10. Where Do We Start?
      - Key element in building, implementing and maintaining an effective program, and executing plans in a disaster is……
  11. Where Do We Start?
      - Effective and timely Communication!!!
  12. What is Business Resilience?
      - Newest preparedness and planning philosophy
        - The ability to avoid, minimize, withstand and recover from the effects of adversity
        - The ability of an organization to sustain the impact of a business interruption and recover and resume its business operations in order to continue to provide an acceptable level of services
        - All-encompassing planning methodology
          - Business Continuity
          - Disaster Recovery
          - Crisis Management
  13. What is Business Resilience?
      - Business Continuity
        - Company’s game plan for keeping your critical business operations working if:
          - A company worksite is lost (permanent or temporary)
          - Access to computer systems and applications is lost or limited
          - The workforce is disrupted, such as in a pandemic
      - Disaster Recovery
        - Company’s game plan for maintaining or restoring critical and non-critical infrastructure, systems and applications
      - Crisis Management
        - Intervention and coordination by individuals or teams before, during, and after an event to resolve the crisis, minimize loss, and otherwise protect the organization
  14. Building a Partnership
      - People + Systems and Data = Business Process execution
        - Business focal point and business department representatives
        - IT focal point and IT experts (infrastructure, systems, PCs, telephony)
      - Joint planning – all types of disruptions (worksite, system, people)
        - Criticality of business process drives system availability requirements
        - Business and IT plans must be in sync
        - Protection of all electronic data
        - Paper vital records management
      - Joint testing of plans
        - Business areas are dependent on IT for “business as usual”
        - Plans need to be reviewed and tested jointly to assure that business processes can be maintained and/or restored following a disruption
  15. Right-Sizing the Program
      - Generally accepted practices are the minimum of what should be done
        - Latitude within what is implemented
      - Development + Testing plans = $$$$$
        - Cost of establishing disaster recovery for infrastructure and systems
          - Network design
          - Alternate data center and equipment costs vs. vendor solution
        - Cost of establishing worksite recovery for people and business processes
          - Strategies
          - Other company facilities
        - Cost of establishing plans for loss of personnel
      - Regulation / audit sets the bar for what is expected in certain industries
        - Financial
        - Insurance
        - Health care
  16. Auditing and Testing the Program
      - Business Continuity and Disaster Recovery Plan requirements
        - Must be complete!
        - Must be executable!
      - Plan review process should be joint with Audit
        - Develop process including criteria for review
        - Develop review template
        - Pilot with Audit and other selected groups
        - Develop schedule
  17. Auditing and Testing the Program
      - Types of Drills and Exercises
        - Calling tree – actual
          - Tests process of contacting personnel
          - Assures that current contact information is correct
        - Tabletop exercise (structured walkthrough of plan) – simulation
          - Disaster scenario given to facilitator
          - Department personnel talk through what they would do and reference their plans
          - Could be designed to exercise any type of plan
          - Most knowledgeable people can be “sent on vacation”!
  18. Auditing and Testing the Program
      - Types of Drills and Exercises
        - Disaster recovery exercises – actual
          - Led by IT
          - Business area testing involvement
          - Joint follow-up meeting and “lessons learned” document
          - Tasks are assigned and completion is tracked
        - Crisis management drills – actual and simulation
          - Contact crisis management team members
          - Should ideally be a “surprise”
          - Use of the Emergency Operations Center
          - Walk through a scenario
          - Optional to involve others not in the room, but do not execute any plans
  19. Auditing and Testing the Program
      - Types of Drills and Exercises
        - Worksite recovery exercise – actual
          - Led by business area
          - Significant IT involvement
          - Selected business groups go to designated recovery site and work
          - Tests both business and IT processes in support of the business
          - Joint follow-up meeting and “lessons learned” document
          - Tasks are assigned and completion is tracked
  20. Auditing and Testing the Program
      - Types of Drills and Exercises
        - Scenario-based drills
          - Considerable planning needed
          - Core planning team
          - Involves many different business areas and processes
          - Could involve one or multiple simultaneous scenarios
          - People talk through what they would do and contact others as needed
          - Plans are not executed
          - Joint follow-up meeting of core team and “lessons learned” document
          - Tasks are assigned and completion is tracked
  21. Looking Towards the Future
      - Most recent threat – Avian Flu
        - Plans adequately covered loss of worksite or loss of systems
        - Major loss of personnel was never considered
        - Pandemic situations re-occur – if not this threat, what next?
      - Terrorist attacks – are they inevitable?
        - What will be targeted?
          - Population hub
          - Symbol of the United States
          - Transportation
          - Electric or natural gas infrastructure
          - Water supply
  22. Looking Towards the Future
      - H.R. 1 / Public Law 110-53: Implementing Recommendations of the 9/11 Commission Act of 2007
        - Signed into law August 3, 2007
        - Most sections of the law relate to government and public entities
        - Two sections relate to the private sector, but are not mandatory
          - Strengthening the use of the Incident Command System by coordinating with private industry to promote preparedness
          - Private sector preparedness, including certification guidelines and standards
        - Are we one terrorist attack away from mandatory requirements?
          - In critical industries?
          - In all industries?
  23. Key Takeaways
      - Protect your data!
      - Develop plans to re-build your technical environment
      - Business Continuity Planning
        - Something is better than nothing
        - Senior Executive buy-in
        - If in a regulated industry, meet all federal and state regulatory requirements
        - If not regulated:
          - How best can committed $$$$$ be spent?
          - Work with “critical” business processes and departments first
  24. Key Takeaways
      - Develop a Business / IT partnership approach to planning
        - Execution of any plans requires both areas
        - Coordination of planning and testing will help keep chaos manageable
      - Test, test, test, test, test………………………
        - You never know how good a plan is until you put it to a test
        - Problems in testing are good – you can remediate the problem!
        - If you have no problems, was the test designed properly?
      - Communicate
        - Clear and concise
        - To / from all levels of the organization
        - To / from all departments with which you have dependencies
        - To / from all critical 3rd parties
  25. Key Takeaways
      - “Above all else, we certainly know one thing from past such events: preparation makes all the difference. Although events never unfold exactly as we have planned, having no plan is simply a plan for failure.”
      - Kerry Killinger – Chairman and CEO of Washington Mutual Inc.
  26. Questions / Comments
      Steve Lipshetz
      [email_address]
      608-458-4892
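As an added worked example (not part of the presentation), the dependency mapping from the Business Impact Analysis on slides 6 and 7 and the rule on slide 14 that process criticality drives system availability requirements, carried out in code: each business process RTO is propagated down its internal dependencies so every system inherits the tightest RTO of anything relying on it, which gives the "critical systems first" recovery order from slide 4 and flags systems whose achievable recovery time (RTA) misses the derived RTO. The processes, systems and hour values are constructed sample data.

```python
# Added example: propagate BIA recovery time objectives (RTOs) down system
# dependencies. Processes, systems and hour values are constructed sample data.
# Business process -> RTO (hours) and the systems it depends on directly.
PROCESSES = {
    "Customer Billing": {"rto": 24, "depends_on": ["CIS", "Print Services"]},
    "Outage Dispatch": {"rto": 2, "depends_on": ["OMS", "Telephony"]},
    "Payroll": {"rto": 72, "depends_on": ["HRIS"]},
}

# Internal dependencies: system -> systems it needs in order to run.
SYSTEM_DEPS = {
    "CIS": ["Core Network", "Storage"],
    "OMS": ["Core Network", "GIS"],
    "GIS": ["Storage"],
    "Telephony": ["Core Network"],
    "HRIS": ["Storage"],
}

# Recovery time the current DR plan can actually achieve (RTA, hours).
SYSTEM_RTA = {"CIS": 12, "OMS": 4, "GIS": 1, "Telephony": 1, "HRIS": 48,
              "Print Services": 24, "Core Network": 1, "Storage": 1}

def derive_system_rtos(processes, system_deps):
    """Each system inherits the tightest RTO of any process that relies on it,
    directly or through other systems: process criticality sets system RTO."""
    rtos = {}

    def propagate(system, rto):
        # Already as tight or tighter: its dependencies were propagated with
        # that value, so stop (this also terminates on cyclic declarations).
        if rto >= rtos.get(system, float("inf")):
            return
        rtos[system] = rto
        for dep in system_deps.get(system, []):
            propagate(dep, rto)

    for proc in processes.values():
        for system in proc["depends_on"]:
            propagate(system, proc["rto"])
    return rtos

def recovery_order(rtos):
    """Order in which DR should restore systems: tightest RTO first."""
    return sorted(rtos, key=lambda s: (rtos[s], s))

def find_gaps(rtos, rta):
    """Systems whose achievable RTA misses the required RTO; a system with no
    RTA at all is also a gap, since the DR plan does not cover it."""
    return {s: (rtos[s], rta.get(s)) for s in rtos
            if rta.get(s) is None or rta[s] > rtos[s]}
```

With the sample data, the 2-hour Outage Dispatch RTO pulls Core Network and Storage down to 2 hours even though Customer Billing only needs them in 24, and OMS (RTA 4 h against a 2 h RTO) is the one gap the joint Business / IT review would need to remediate.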