Achieving Enterprise Resiliency and Corporate Certification

Enterprise Resiliency is the process of combining all recovery disciplines into a single department using the same tools and speaking the same language, while Corporate Certification shows how to achieve compliance in countries where you do business.

Transcript of "Achieving Enterprise Resiliency and Corporate Certification"

  1. Achieving Enterprise Resiliency And Corporate Certification By Combining Recovery Operations through a Common Recovery Language and Recovery Tools, While adhering to Domestic and International Compliance Standards. Created by: Thomas Bronack, CBCP. Bronackt@dcag.com. Phone: (718) 591-5553. Cell: (917) 673-6992. 1/23/2013.
  2. Abstract
     • Are you utilizing your recovery personnel to achieve maximum protection?
     • Have you implemented a common recovery language so that personnel speak the same language and can best communicate and respond to disaster events?
     • Is your company utilizing a common recovery management toolset?
     • Want to reduce disaster events, improve risk management, and ensure fewer business interruptions through automated tools and procedures?
     • Does your company adhere to regulatory requirements in the countries that you do business in?
     • Can you monitor and report on security violations, both physical and data, to best protect personnel, data access, eliminate data corruption, support failover / failback operations, and protect company locations against workplace violence?
     • Are you protecting data by using backup, vaulting, and recovery procedures?
     • Can you recover operations in accordance with SLA/SLR and RTO/RPO?
     • Is your supply chain able to continue to provide services and products if a disaster event occurs through SSAE 16 (Domestic), SSAE 3402 (World)?
     • Do you coordinate recovery operations with the community and government agencies like OEM, FEMA, Homeland Security, etc.?
     • Do you have appropriate insurance against disaster events?
     • Can you certify that applications can recover within High Availability (2 hours – 72 hours) or Continuous Availability (immediate) guidelines?
     • If not, this presentation will help you achieve the above goals.
  3. Topics included in this presentation
     1. Business Plan (Mission, Goals & Objectives, and Risk Management);
     2. IT Evolution (PC, Domains, Enterprise);
     3. Systems Development Life Cycle (SDLC);
     4. Data Management and Information Security Management System (ISMS);
     5. Enterprise Resiliency and Corporate Certification;
     6. Regulations (Domestic and International);
     7. Building Enterprise Resiliency on a solid foundation;
     8. Business Continuity and Disaster Recovery Planning for High Availability (HA) and Continuous Availability (CA) applications to achieve Zero Downtime;
     9. Emergency Management;
     10. Risk and Crisis Management;
     11. Laws and Regulations;
     12. Converting to an Enterprise Resiliency environment;
     13. Implementing Corporate Certification (Domestic and International); and,
     14. Fully Integrated Enterprise Resiliency and Corporate Certification environment.
  4. Layout of this presentation
     A. Business Plan
        • Mission Statement
        • Goals and Objectives
        • Risk Management
     B. Direction Plan
        • Building Business Recovery Plans
        • Certifying Application Recovery for High Availability and Continuous Availability
        • IT Evolution
        • SDLC
        • Support and Maintenance
        • Potential Risks and Threats
        • Enterprise Resilience and Corporate Certification
        • Risk Management Guidelines
        • Crisis Management
        • Workplace Violence Prevention
        • Emergency Management
        • Incident Management
        • Emergency Operations Center (EOC)
     C. Building Enterprise Resiliency
        • CobIT
        • ITIL
        • Fully integrated Enterprise Resiliency
        • Compliance Laws
        • Gramm-Leach Bliley (GLB)
        • Dodd-Frank
        • HIPAA, SOX
        • EPA Superfund
        • Patriot Act
        • Basel II / Basel III framework
        • Reporting on Compliance Adherence
        • Eliminating Audit Exceptions
        • Recovery Planning
        • BIA / BCP / EM
        • Converting to Automated Recovery Tools
        • Documentation, Awareness, and Training
        • How do we get started
  5. Mission Statement:
     1. Ensure Continuity of Business and Eliminate / Reduce Business Interruptions (Enterprise Resilience);
     2. Assure “Corporate Certification” by complying with Regulatory Requirements for countries that you do business in, through Risk Management and Crisis Management guidelines (CERT / COSO);
     3. Adhere to Service Level Agreements (SLA) through Service Level Reporting (SLR) and the use of Capacity and Performance Management procedures;
     4. Implement Enterprise-Wide Recovery Management by combining Business Continuity Management (BCM), Disaster Recovery Planning (DRP), and Emergency Management (EM);
     5. Utilize “Best Practices” to achieve “Enterprise Resiliency” (CobIT, ITIL, etc.);
     6. Protect personnel and achieve physical security through Workplace Violence Prevention principles, laws, and procedures;
     7. Guarantee data security through access controls and vital records management principles and procedures within an Information Security Management System (ISMS) based on ISO2700;
     8. Achieve Failover / Failback and data management procedures to ensure RTO, RPO, and Continuity of Business within acceptable time lines (Dedupe, VTL, Snapshots, CDP, NSS, RecoverTrak, etc.);
     9. Integrate recovery management procedures within the everyday functions performed by personnel as defined within their job descriptions and the Standards and Procedures Manual;
     10. Embed Recovery Management and ISMS requirements within the Systems Development Life Cycle (SDLC) used to Develop, Test, Quality Assure, Production Acceptance / Implement, Data Management, Support and Problem Management, Incident Management, Recovery Management, Maintenance, and Version and Release Management for components and supportive documentation;
     11. Develop and provide educational awareness and training programs to inform personnel on how best to achieve the corporate mission.
  6. Goals and Objectives:
     Protecting the Business
        • Eliminate / Reduce Business Interruption
        • Ensure Continuity of Business by certifying application recovery
        • Conduct Risk Management and Insurance Protection reviews
        • Personnel (HRM and Employee Assistance)
        • Vendors (Supply Chain Management)
        • Clients (Products / Services) and SLA / SLR
        • Locations / Infrastructure
        • Community / Business / Personnel
        • Lines of Business
        • Physical / Data Security
        • Compliance
        • Recovery Management
        • Optimized Operations
        • Insurance
        • Reputation
     Protecting Information Technology
        • Build IT Location (Safe Site, HVAC, Water, Electrical, Raised Floor, etc.)
        • Asset Management (Asset Acquisition, Redeployment, and Termination)
        • Configuration Management / Version and Release Management
        • Use Best Practices like CERT / COSO, CobIT, ITIL
        • Mainframe, Mid-Range, Client / Server, and PC safeguards
        • Communications (Local, LAN, WAN, Internet, cloud)
        • System Development Life Cycle (SDLC) optimization
        • Products and Service Support Development, Enhancement
        • Support and Maintenance for problems and enhancements
        • Data Management (Dedupe / VTL / Snapshots / CDP)
        • Information Security Management System via ISO2700
        • Data Sensitivity and Access Controls (Userid / Pswd)
        • Vaulting, Backup, and Recovery
        • Disk / File copy retrieve utilities
        • RTO, RPO, RTC
  7. Risk Management:
     • Define Risk Management Process in accordance with COSO / CERT guidelines, including:
        • Internal Environment Review;
        • Objective Setting;
        • Event Identification;
        • Risk Assessment and Response Definitions;
        • Control Activities;
        • Information and Communications; and
        • Monitoring and Reporting.
     • Define Legal and Regulatory Requirements (Domestic and International as needed);
     • Determine OCC, Tax, and Industry compliance requirements;
     • Perform an IT Audit / Risk Assessment to uncover Gaps and Exceptions;
     • Define Mitigations and their Costs, along with data gathering and reporting guidelines;
     • Calculate cost of Mitigation against cost of Gap / Exception to prioritize responses;
     • Review Vendor Agreements for primary and secondary sites to eliminate / minimize Supply Chain interruptions;
     • Obtain Insurance Quotes and select appropriate insurance protection;
     • Integrate with the everyday functions performed by personnel as outlined in their job descriptions and the Standards and Procedures Manual; and,
     • Develop documentation, awareness, and training materials.
  8. The Goal of Disaster Recovery with Continuous Availability (CA) and High Availability (HA) Local Short Primary Vault Term Users are Normally connected to Closed Primary System CA HA Data Continuous High Availability Availability Vault Normally Data Data Vault Open Synchronized Snapshots Management System Remote Long Secondary Term Users are switched to Secondary Vault System when disaster strikes
  9. Achieving Recovery Time Objective (RTO) / Recovery Point Objective (RPO) and Recovery Time Capability (RTC) Secondary Site must contain synchronized data and infrastructure Production Processing CA Instantaneous Flip of Production Processing to Secondary Site Interrupted Primary Site recovers data and infrastructure Reload Last Backup HA Recovery of Production Processing Planned Or Snapshot Recovery Time Extended Production Processing Loss Resumed Production Processing Data Lost Data Time Actual Time Loss equals Actual Time needed since Start Forward needed to needed to to Recover, costs for staff, loss of of Day Recovery Recover Recover client productivity, and damage to corporate reputation. Recovery Disaster Recovery Recovery Other Terms include: Point Event Time Time RTE – Recovery Time Expectation; Objective Objective Capability RPE – Recovery Point Expectation; and (RPO) (RTO) (RTC) RTC – Recovery Time Capability.
  10. Start Creating Business Recovery Plans Recognize the Initiate Recovery Define Goals Obtain Management Need for Recovery Executive And Objectives Funding Commitment Committee Risk Compliance & Audit Supply SLA’s Gaps & Management Regulatory Needs Controls Chain / SLR Exceptions Insurance Mediate / Cost to Mitigate Repair Business Location & Rate RTO, Rate Ability to Achieve Impact Analysis Applications Criticality RPO, RTC Recovery Goals BIA Mediate / Cost to Gaps & Impeding Mitigate Repair Exceptions Obstacles Select Automated BIA & Plan Train Create, Test, & BCM Tools BCM Tool? Creation Staff Implement BCM Plans A
  11. High Availability and Continuous Availability Certification A (This process should be performed periodically to ensure recoverability after changes) High Availability Identify Design Meeting Schedule & Define Critical And Continuous Stakeholders and Agenda and Conduct Applications Availability Contributors Deliverables Meetings OK Validate Use Artifacts to Architectural Any Gaps & Application support criticality Assessment to Exceptions Substantiation Criticality and RTO / RPO locate Obstacles found? OK Mediate / Mitigate Impeding Obstacles, Gaps & Exceptions until application is able to be Tested Recovery Test Applications Certify HA Recovery or Define Obstacles Testing & Secondary Site CA Gold Standard That Impede OK Re-Test Application until Mediate / Gaps & Certified, if possible Mitigate Exceptions? Mediation / Failed Obstacles & Define Mitigate / Mitigation Applications Impediments Repair Costs Mitigate OK Attestation Re-Test Application Letter Until Certified End
  12. Testing High Availability (HA) and Continuous Availability (CA) for Recovery Certification and ability to Flip / Flop between Primary and Secondary Sites The Road to Successful Recovery Certification Ready for Recovery Testing Success Testing Certification Testing Failure Loop, until Successful Recovery Certification Gaps & Exceptions Obstacles & Failure Impediments Mitigation Mediate Compliance to Recovery Plans and Infrastructure & Hardware capable of Software capable of Country Laws and Personnel Procedures Suppliers capable of supporting workload supporting workload Regulations need improvement supporting needs processing processing Ready for Problem Re-Testing Repaired
  13. OVERALL Implementation IMPLEMENTATION Understanding Your Emergency Response APPROACH Business Initiation Crisis Mgmt Escalation & Notification Continual Improvement Maturity Assessment Life & Safety Disaster Declaration Testing & Review Program Management Damage Data & Record Assessment Testing Project Statement Recovery Timeline Review Plan Development Requirements & Strategy Procedure Development Update Policies Business Impact Assurance Checklist Development Risk Assessment Preventive Measures Continuity Contact Information Strategies Building Your Team & Capabilities Organizational Roles Defining the Committees & Teams Defining Roles & Responsibilities Incorporate R&R into JD’s Staff / Management Awareness & Training Workshops / Awareness Sessions -confidential- Short Training Sessions Training Matrix & Master Plan
  14. Personnel Computer environment Client Personal Workstation External • CD/ROM • Memory Stick Memory • Data Storage Device • Programs, and Internal • Data Memory • Printer Connected • Fax Devices • Scanner • Instruction Fetch, • Instruction Execute Personal USB • Removable Disks Other PC’s Computer Devices • Camera Wireless • Keyboard and others Internal • System Network Software • Programs Router Modem • Products & Services Switch WAN Secondary Site: Privately owned client site or vendor owned, sometimes referred to as the “Cloud”.
      A Personal Computer is used by workers to fulfill their job functions and responsibilities. Presently these PC’s are used in a physical office, or privately at home, but the trend is toward virtual offices where people could work from home or at remote locations (like when traveling away from the office), so the PC Worker will become part of a virtual office, or virtual private network (VPN). This VPN is widely used in today’s business environment and can be housed at a company site or at a remote location sometimes called the “Cloud”, which is a physical site owned by an outside supplier (public) or the enterprise (private).
      Programs can be stored in the server or accessed through the server, which will result in reduced costs and greater security by limiting access to authorized personnel only. This will also reduce costs for data and equipment.
  15. Physical / Virtual Office Domains Work Office Domain, Internet either physical or virtual Cloud Server Switch Router Storage Device Printer, Fax, and Personal Scanner Computers Wide Area Network
      Each Domain has a name (Domain Named Server – DNS) and contains components like PC’s, printers, faxes, scanners, Storage Devices, etc. Domains support office environments and can be either physical or virtual. Today’s business model is moving from a physical to a virtual domain concept and access to the domain is migrating from the WAN to the Cloud. Clouds can be privately owned by the enterprise or owned by an outside vendor supplying services to the enterprise.
      This presentation will show how products and services are created, tested, quality assured, migrated to production, supported, maintained and accessed in compliance to domestic and regulatory requirements which must be adhered to before an enterprise can do business in a country.
  16. Intel Builds Dell x86 Target Environment Chips for their Dell x86 Servers IBM AIX P7 (“Watson”) Servers Systems using AIX VMware vSphere 5 and AIX Tivoli 1 million I/O per Sec. Remote Storage Double- Talk Local Storage Cisco Network Equipment for remote locations VMware vSphere 5 Software Supports : NetApp NAS to support • vShield for Cloud Computing - Remote and Cloud security, control, and compliance. EMC SAN, supporting 2 • vCenter Site Recovery Manager 5. Storage channels, AIX Storage Array, • vCloud Director 5 – model and up to 2 TeraBytes of Local activate recovery and failover. storage
  17. Optimized Protection / Recovery Data Services Data De-duplication eliminates duplicate data files and network traffic to a Virtual Tape Library (VTL) Forward Recovery Real backup tapes can be between Snapshots created directly from the VTL. Snapshots
  18. Data Protection, Maintenance, and Recovery
      Maintenance Server: Applications can be tested by loading a Snapshot from the SIR which loads like an active environment. This can support Quality Assurance and environment maintenance without interrupting normal operations. Personnel training can be achieved through this process, thereby ensuring fewer mistakes and a reduction in problem / disaster events.
      Recovery Server: Failover / Failback recovery operations can be tested by loading a Snapshot from the SIR and exercising recovery plans. Test results can be used to identify problems with recovery plans which can be used to update the recovery plan.
  19. Overview of the Enterprise Information Technology Environment Physically Transported Physical / Physical Using Tape Remote Cloud / Virtual Only Encryption Tape / Data Customers; Vault Remote Credit Bureaus; Feed-Files; and, Electronic Vaulting; Locations Other Locations. Incremental Vaulting; and, Encrypting Data-In- Electronic transmission to Disaster Movement will protect Disaster Recovery Site data being transmitted to Recovery Site remote sites Electronic Transmission Local Electronic Local Transmission Tape / Data Tape / Data Vault Open Network Vault With Multiple Access Points Local Local Encryption of “Data at Rest” Sites Sites to Provide Total Protection Production Production Site #2 Site #1 Cloud Company Computing Data IT Locations Systems Development Life Cycle (SDLC) Send Approved Applications To Production New Acceptance Problem Resolution End User Applications And “Work Order” Enhancements to create a new Product or Testing and Service Development Maintenance Quality Assurance Business Locations Development And Maintenance Environments
  20. Systems Development Life Cycle (SDLC), Components and flow Development Testing Quality Production Acceptance Assurance End-User Naming, Security, On-Line Request for Unit and Documents, Vital Records, Data Files New Product System and Back-up, Or Service Testing Recovery, Placement Audit. BKUP On-Line BKUP Data Files Enhance Release And And Security, Production Repair Version Vital Records, End-User Defines: Control Back-up, • Business Purpose, • Business Data, Recovery, BKUP • Ownership, Audit. • Sensitivity, Change Maintenance • Criticality, Management • Usage, On-Line • Restrictions, Update Data Files • Back-Up, and • Recovery. New Business Disaster Real-Time End-User Recovery Recovery Recovery Off-Site Location Facility Facility Periodic Vault Company or Client Site Vendor Site Vendor Site
  21. Migrating products / services to the Production Environment Quality Assurance and SDLC Checkpoints Interfaces between Applications, QA, and Production Groups Testing and QA Turnover Package Components Service Form and results from Assessment Change and Release Notes. Create Perform Perform Perform Application Application Group Testing Results Service Technical Business Requested Group Test Scenarios and Scripts Request Assessment Assessment Work Testing Messages, Codes, and Recoveries Data for Regression and Normal Testing, Documentation Error Loop CP #1 No Yes Return Successful Create QA to Turnover Submitter APPLICATIONS GROUP Package CP #2 Perform Perform QA QA Review Schedule Post- Requested Review And Request Mortem Work Meeting Accept CP Error Loop #3 Create PRODUCTION ACCEPTANCE Perform Production Submit to Turnover Package Components: No User Successful Acceptance Production Yes Acceptance Explanation and Narrative; Turnover Acceptance Testing Files to be released; Package Predecessor Scheduling; QUALITY ASSURANCE Group Special Instructions; Risk Analysis; Vital Records Management; and IT Security and Authorizations.
  22. Systems Management Controls and Workflow Service Level Reporting, Capacity Management, Performance Management, Problem Management, Inventory Management, Configuration Management. Production Production Development Testing Quality Batch and On-Line Assurance Acceptance Management Service Level Management, Walk Thru’s, Test Validation, Batch, Project Life Cycle, Unit Testing, On-Line, Components, System Testing, EDP Security, Naming, Scenarios, Operations, Placement, Scripts, Functionality, Recovery, Vital Recovery Tests, EDP Audit. Process. Records Regression, Benchmarks, Post Mortem. Maintenance Change Management Disaster Off-Site Recovery Service Level Management, Vault Project Life Cycle, Project Life Cycle, Component & Release Management, Standards & Procedures, User Guides & Vendor Manuals, Training (CBT & Classroom), etc. Disaster Recovery Facility A Forms Management & Control System, used to originate work requests and track work until completed, will facilitate optimum staff productivity and efficiency. Mainframe and Office Recovery
  23. Systems Management Organization Systems Management Data Processing and Controls (SMC) Environment Service Level Management Application Production Contingency Change Inventory Development Acceptance Management Management & Asset (PLC) Management Application EDP Security Problem Production Configuration Management Management Maintenance Operations Management Application Audit & Vital Records Emergency Capacity Testing Compliance Management Management Management Performance Quality Risk Business Disaster Management Assurance Management Recovery Management
  24. Job Documentation Requirements and Forms Automation New Product / Service Development Request Form Life Cycle Documents are Linked to from Date Field Development Request Form Development: Development Request Form Number Phase: Date Business Need Documentation Application Overview Audience (Functions and Job Descriptions) User Information _____________ Business / Technical Review Data Cost Justification Business Justification _____________ Build or Buy Decision Link to Interfaces (Predecessor / Successor) Technical Justification _____________ Documents Request Approval Build or Buy _____________ Testing: Development (Build / Modify) _____________ Data Sensitivity & Access Controls IT Security Management System Test: _____________ Documentation Encryption Vital Records Management Unit Testing _____________ Data Synchronization Backup and Recovery System Testing _____________ Vaulting (Local / Remote) Disaster Recovery Regression Testing _____________ Business Recovery Quality Assurance _____________ Quality Assurance: Application Owner Production Acceptance _____________ Documentation Documentation & Training Application Support Personnel Production _____________ End User Coordinators Vendors and Suppliers Support (Problem / Change) _____________ Recovery Coordinators Testing Results Maintenance (Fix, Enhancement) _____________ Documentation _____________ Production Acceptance Application Setup Documentation Input / Process / Output Recovery _____________ Messages and Codes Awareness and Training _____________ Circumventions and Recovery Recovery Site Information Travel Instructions Main Documentation Menu Sub-Documentation Menus
  25. Information Accounting and Charge-Back System Concept
      By utilizing Work Order (WO) and Purchase Order (PO) concepts, it is possible to track and bill clients for their use of Information Technology services associated with development and maintenance services. This concept is presented below:
      User Name: ____________________ User Division: ___________ User Identifier _______
      Work Order #: __________________ Date: ___________ For: _________________________
      PO for: Development Cost: $ _____________
      PO for: Testing Cost: $ _____________
      PO for: Quality Assurance Cost: $ _____________
      PO for: Production Acceptance Costs $ ____________
      PO for: Production (on-going) Cost: $ _____________
      PO for: Vital Records Management Cost: $ _____________
      PO for: Asset Management (Acquisition, Redeployment, Termination) Cost: $ _____________
      PO for: Inventory and Configuration Management Cost: $ _____________
      PO for: Information and Security Management Cost: $ _____________
      PO for: Workplace Violence Prevention Cost: $ _____________
      PO for: Recovery Management Cost: $ _____________
      PO for: Documentation and Training Cost: $ _____________
      PO for: Support and Problem Management Cost: $ _____________
      PO for: Change Management Cost: $ _____________
      PO for: Version and Release Management Cost: $ _____________
      Total Cost: $ _____________
      Bill can be generated via Forms Management, Time Accounting, or Flat Cost for Services. This system can be used to predict costs for future projects and help control expenses and personnel time management.
  27. Can be sorted by: Equipment Type, Disposition, Date, or Location Asset Management Disciplines Pick-Up List Equip. Type: Disp: Location: “Dispose of Surplus equipment after Migration to PC A Bldg 3, Rm 203 Start Target Data Center(s) to reap profit from sales, PC R Bldg 1, Rm 405 return of equipment storage space, and personnel.” PC T Bldg 2, Rm 501 Disposition = ‘A’ Acquire Purchase Install Add to Master Equipment Order Equipment Master Inventory Inventory Equipment is being Actively used Disposition = ‘R’ N, Exceptions List Generated Re-deploy Work Compare to Pick-Up Warehouse Equipment Master Inventory Y Order Inventory Inventory Equipment is moved to new location Perform Service Services Order Disposition = ‘T’ Terminate Work Service Ready-to-Sell Purchase Release Finance Equipment Order Order Inventory Order Form Form Equipment is Sold or Disposed of Marketing & Sales End Archive
  28. Problem Management and Circumvention Techniques
  29. Help Desk / Contingency Command Center Operations
      Problems are reported to the Help Desk, which compares critical problems to the Problem Matrix and selects a Recovery Plan, then calls the Situation Manager, who assembles the necessary Recovery Teams to respond to critical problems and disaster events. Lessons learned are used to update recovery procedures.
  30. The Potential Risks and Threats facing a Corporation
      Malicious Activity: Fraud, Theft, and Blackmail; Sabotage, Workplace Violence; and Terrorism.
      Natural Disasters: Fire; Floods and other Water Damage; Avian, Swine, or other Epidemic / Pandemic occurrence; Severe Weather; Air Contaminants; and Hazardous Chemical Spills.
      Technical Disasters: Communications; Power Failures; Data Failure; Backup and Storage System Failure; Equipment and Software Failure; and Transportation System Failure.
      External Threats: Suppliers Down; Business Partner Down; and Neighboring Business Down.
      Facilities: HVAC – Heating, Ventilation, and Air Conditioning; Emergency Power / Uninterrupted Power; and Recovery Site unavailable.
      Recovery Management plans for loss of a location, service, vendor, or personnel due to a disaster event.
      Disasters can render unusable / un-accessible specific resources (like a building) due to: flooding; water damage; inclement weather; transportation outage; power outage; or many other situations. Rather than write specific recovery plans for each event that could render a building un-accessible, a single plan for loss of a building can be written and incorporated into the crisis management plan associated with the specific disaster event causing the need to evacuate a building.
      Disasters result from problems and problems are the result of a deviation from standards. By making sure your standards and procedures are correct and maintained you will reduce disaster events. These procedures should be included in the SDLC, Maintenance, and Change Control process.
      Working with the community will allow recovery managers to become good neighbors, build relationships with other recovery managers, and keep aware of situations outside of their control.
      Working with governmental agencies like FEMA, OEM, and Homeland Security will help recovery managers to stay current with compliance needs and recovery planning trends.
  31. Laws and Regulations Justifying the Need for a Recovery Plan
      History and Goals: Enterprise-Wide Commitment; Emergency Management and Workplace Violence Prevention; Disaster and Business Recovery Planning and Implementation; Risk Management Implementation; Protecting Critical Information; Safeguarding Corporate Reputation.
      Laws and Regulators: Comptroller of the Currency (OCC): Foreign Corrupt Practices Act; OCC-177 Contingency Recovery Plan; OCC-187 Identifying Financial Records; OCC-229 Access Controls; and OCC-226 End-User Computing. Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, The Patriot Act, EPA Superfund, etc.
      Penalties: Three times the cost of the Outage, or more; and Jail Time is possible and becoming more probable.
      Insurance: Business Interruption Insurance; and Directors and Managers Insurance.
      “For Contingency Planning to be successful, a company-wide commitment, at all levels of personnel, must be established and funded. Its purpose is to protect personnel, customers, suppliers, stakeholders, and business operations.”
      “Define all Regulatory, Legal, Financial, and Industry rules and regulations that must be complied with and assign the duty of ensuring that these exposures are not violated to the Risk Manager.”
      “Have the Legal and Auditing Departments define the extent of Risk and Liabilities, in terms of potential and real Civil and Criminal damages that may be incurred.”
      “Once you have defined your exposures, construct an Insurance Portfolio that protects the business from sudden damages that could result from a Disaster Event.”
  33. Why Implement Enterprise Resiliency and Corporate Certification?
  34. The Goal of Combining Recovery Operations
      Desire to most rapidly and efficiently respond to encountered disaster events, or other emergencies by merging Emergency Management, Business Continuity, Disaster Recovery, and Workplace Violence Prevention:
      Best approach to protecting Employees, Customers, Suppliers, and Business Operations:
      Ensuring the Reputation and Integrity of the Organization;
      Combining many Lines of Business into a cohesive recovery structure with a common set of objectives, templates, tools, and a common language;
      Ensuring that your recovery environment meets and exceeds industry Best Practices;
      Utilization of Automated Tools;
      Integration of Best Practices like COSO, CobIT, ITIL, Six Sigma, ISO 27000, and FFIEC to optimize personnel performance, Standards and Procedures;
      Certify the business recovery environment and its components;
      Staffing, Training and Certifying Recovery Personnel;
      Integration with the Corporation, Customers, and Suppliers;
      Interfacing with First Responders, Government, and the Community;
      Working with Industry Leaders to continuously enhance recovery operations and mitigate gaps and exceptions to current practices;
      Achieve Compliance through Risk Management and Audit adherence;
      Testing and Quality Assurance; and
      Support and Maintenance going forward.
  35. What is Emergency Management and Corporate Certification?
      Emergency Management Preparedness: First Responders (Fire / Police / EMT, etc.); Emergency Operations Center (EOC); Department of Homeland Security (DHS); and Office of Emergency Management (OEM).
      Business Recovery Management: Business Recovery; Disaster Recovery; Risk Management; and Crisis Management.
      Workplace Violence Prevention: Security (Physical and Data) and Guards; Closed Circuit Cable TV; Access Controls and Card Key Systems; Response Plans and Crisis Management Procedures; and Employee Assistance Programs.
      Supportive Agencies: Disaster Recovery Institute International (DRII); Business Continuity Institute (BCI); Contingency Planning Exchange; and Association of Contingency Planners.
      Supportive Tools: Recovery Planner RPX; Living Disaster Recovery Planning System (LDRPS); Six Sigma or Workflow Management; Information Technology Infrastructure Library (ITIL); Company Standards and Procedures; and Training and Awareness services.
      Corporate Business Resiliency Certification: Private Sector Preparedness Act (PL 110-53 Title IX Section 524); National Fire Prevention Association Standard 1600; and BS25999 / ISO 22301 International Standard; FFIEC.
  36. Business Continuity Management Disciplines and Integration Charter: Contingency Eliminate Business Interruptions; Ensure Continuity of Business; Contingency Recovery Planning Minimize Financial Impact; and Disciplines Adhere to Legal / Regulatory “These four Contingency Planning Requirements Disciplines allow for logical work separation and better controls” Disaster Business Recovery Recovery Corporate Asset “Establishing interfaces with key Information Technology Protection departments will allow for the inclusion Protection of corporate-wide recovery procedures Critical Jobs; Risk Inventory Control (Security, Salvage, and Restoration, etc.) Management Asset Management Data Sensitivity and Access in department specific Recovery Plans” Controls; Configuration Vital Records Management; Risk Management Management Vaulting and Data Recovery; Business Continuity; and Recovery Time Objectives; Exposures (Gaps and Office Recovery. Recovery Point Objectives; and Exceptions); Mainframe, Mid-Range, and Insurance; Servers. Legal / Regulatory Requirements; Cost Justification; and Executive Information Vendor Agreements. Management Technology Facilities Company “Contingency Planning affects every part of the Operations organization and is separated into logical work Contingency areas along lines of responsibility”. Personnel Recovery Planning Auditing General Services Public Finance Relations
  37. Crisis Management, to Respond to / Control Disaster Events
      How Problems become Disasters and Controlling them through Crisis Management
      (Diagram labels: Problem; Problem Matrix; Situation; Problem Resolution; Crisis Management; Crisis Management Procedures document.)
      When a problem arises and there are no formal procedures to direct Operations personnel in the analysis and repair of the problem, then a situation can occur that may lead to a potential crisis.
      Compounding a problem by taking unnecessary actions can lead to a prolonged outage, which can affect the ability to meet deadlines. This additional scheduling problem may result in a situation which can lead to a crisis as well.
      An example of this would be when a Data Check on a Hard Disc Storage device occurs and there are no back-up copies of the information. This problem would create a prolonged outage, because the data contents on the volume would have to be recreated. Additionally, if multiple jobs are dependent upon the failed Volume the effect of the problem will be even greater.
      This type of crisis situation could very easily be avoided by ensuring that all Data Volumes have back-up copies stored in the local vault, so that restores can be provided. An additional copy of the Data Volume should also be stored in an off-site vault if the data is critical. In today’s IT environment, real-time and/or incremental data backups are commonplace.
      The goal of Crisis Management is to determine which problem types can occur and their impact. To then develop recovery plans and instruction that direct personnel to take appropriate actions when problems occur that would eliminate a crisis situation from arising. It is based on preparation and not response.
  38. NYS Workplace Violence Prevention Act June 7, 2006 – Article 27-6 of Labor Law
      Employers must perform a Workplace Evaluation or Risk Assessment at each worksite to develop and implement programs to prevent and minimize workplace violence.
      Commonly referred to as “Standard of Care” and the OSHA “General Duty Law” which must be in place to avoid, or limit, lawsuits. It consists of:
      1. Comprehensive policy for Workplace Violence;
      2. Train employees on Workplace Violence and its impact; and
      3. Use Best Practices for Physical Security and Access Controls.
      Why Workplace Violence occurs and most likely reason for offence:
      Number one cause is loss of job or perceived loss of job;
      Presently being addressed REACTIVELY, but should become PROACTIVE;
      Corporate culture must first accept importance of having a Workplace Violence policy that is embraced and backed by Executive Management;
      “Duty to Warn” - if a threat is made to a person, then they must be informed of the threat and a company must investigate any violent acts in a potential hire’s background.
      Average Jury award for Sexual Abuse is $78K, while average award for Workplace Violence is $2.1 million – with 2.1 million incidents a year, 5,500 events a day, and 17 homicides a week.
      Survey found that business dropped 15% for 250 days after event.
      Onsite security costs $25K with all costs totaling $250K / year.
      Offender Profile consisted of:
      1. Loner (age 26-40) who was made fun of, teased, and abused by workmates;
      2. Cultural change has promoted Gun usage;
      3. Their identity is made up of their job, so if you fire them they are losing their Identity / Lifestyle and will respond violently.
      4. Instead of Workplace Violence, perpetrator may use computer virus, arson, or other methods to damage / ruin business;
      5. Hiring tests can be used to identify potential Workplace Violence perpetrators;
      6. Does not take criticism well and does not like people in authority;
      7. Employee Assistance Programs can be developed to help cope with personal life crisis and avoid Workplace Violence situation – a range of these programs should be developed and made available to the staff and their family.
  39. The Costs of Workplace Violence
      The costs associated with a Workplace Violence Event increase dramatically over time. (Chart axes: Costs, Events.)
      Workplace Violence Prevention Response Plan; Employee Assistance Programs; Crisis Management Plan; Business Continuity Plan; Disaster Recovery Plan; Emergency Response Plan; Risk Management Plan.
      Identify and Document Employee Safety and Security Issues.
      Create Mechanisms to allow Employees to Report Problems and Seek Help, Known as Employee Assistance Programs.
      Create Employee Identification Badges and Implement an Access Control System.
      Contract Guard Service for Physical and Perimeter Protection. Use CCTV to scan environment and document evidence.
      Develop and Implement Employee Training and Awareness Programs.
      Exercise Crisis Management and Recovery Plans on a Regular basis and Update Plans as needed.
  40. Target Emergency Response Environment (Logical Overview) Emergency Response Plans and Planning Methods used to avoid Crisis Communications Threats Business Interruptions and Predator threats Crisis Security Communications Plans Crisis Management Predator Evacuation Plans Emergency Business Continuity Business Response Management* Interruptions Planning Salvage Plans Compliance Regulations Workplace Violence Restoration Prevention and Plans Response Planning * Business Continuity Management includes: OSHA Disaster Recovery; Recovery Supporting Plans Business Continuity; Annex Emergency Response Planning; and Risk Management. National Response Company Response Plan (NRP) Plans
  41. Emergency Management is established and procedures are generated through the following process:
      1. Define the EM Planning process, its Scope, and Team members;
      2. Release a Project Initiation Executive Memo defining EM Goals, its Priority, and that Executive Management is behind the development of EM and associated procedures;
      3. EM team will develop project plan containing EM Considerations and planned direction, with time line, costs, deliverables, and resource requirements;
      4. Management is provided with Executive Presentation and Written Report on EM Direction and Plan, so that Approval can be received and any concerns corrected before moving forward;
      5. EM develops procedures, trains personnel, and tests prototype action plans;
      6. Corrections and updates are created based on Lessons Learned;
      7. EM Trial Project(s) are performed and reviewed;
      8. EM procedures and documentation are finalized and approved; and
      9. EM is Rolled Out to entire company and people trained.
      4 STEPS IN THE PLANNING PROCESS
      STEP 1 - Establish a Planning Team
      STEP 2 - Analyze Capabilities and Hazards
      STEP 3 - Develop and Test the Plan
      STEP 4 - Implement the Plan
      EMERGENCY MANAGEMENT CONSIDERATIONS
      This section describes the core operational considerations of emergency management. They are:
      • Direction and Control
      • Communications
      • Life Safety
      • Property Protection
      • Community Outreach
      • Recovery and Restoration
      • Administration and Logistics
      HAZARD-SPECIFIC INFORMATION
      This section provides information about some of the most common hazards:
      • Fire
      • Hazardous Materials Incidents
      • Floods and Flash Floods
      • Hurricanes
      • Tornadoes
      • Severe Winter Storms
      • Earthquakes
      • Technological Emergencies
      INFORMATION SOURCES
      This section provides information sources:
      • Additional Readings from FEMA
      • Ready-to-Print Brochures
      • Emergency Management Offices