So What is COOP/BCP? COOP identifies the roles and responsibilities of all parties that will be involved in maintaining an appropriate level of preparedness and reacting to a disaster or Crisis situation. : In general, a Continuity of Operations Plan should expect the worst case. It should provide instructions and information on what to do including essential details on procedures, directions, and schedules. Keep in mind, a Crisis includes such events as a hostage situation, death of an executive, natural disasters, man-made disasters, etc. It doesn't take a Earth Quake, Hurricane, Tornado, or a Flood to wipe out critical functions or IT operations. It can take a lot less to force a business into bankruptcy. Yet, corporations often do not take the necessary steps to protect their valuable business and technical resources from disaster. .
“ If the billions of dollars spent on technology annually to maintain a competitive edge is an indication of how reliant our society is on technology, then failing to implement a disaster recovery plan is an indication of corporate negligence.” Did you know that : Computer Economics, a US research company, estimated that the cost of restoring and replacing the information technology and telecommunications infrastructure affected by the World Trade Center and Pentagon attacks would be $15.8bn. The company said that the immediate recovery cost would be $1.7bn and longer term redevelopment work would total a further $8.1bn The cost of caring for victims of Hurricane Katrina and rebuilding the areas it wiped out could cost the federal government up to $200 billion, much higher than previous estimates (CNN/Money)
What is Continuity of Operations and how does it relate to your company? COOP permits the organization to take a proactive approach in planning for crisis events. Interruptions can include many scenarios, such as a fire in any company office or data center, theft of valuable assets, CEO kidnapping, terrorist attack. So, how do we go about developing an effective Contingency Plan? Let’s review some of its critical components and procedures
Contingency planning includes three Plan Components : Emergency/Crisis Mgt, Business/Agency Recovery, and Disaster Recovery.
Picture COOP as an structure that relies on three components to form its firm foundation. These components are further defined here:
We first must develop an overall strategy for the planning effort. First, let’s look at some best practices in COOP/BCP
Identification Ask : What are some potential disasters? Assessment This is the risk assessment we spoke of a couple of slides back. Planning Take into consideration long-term and short-term strategies Testing (read) Actions Disaster declaration Mobilizing teams Recovery (read)
While we have mentioned the IA before, it is so critical until I have decided to bring it up once again. Without a comprehensive IA, the COOP effort will most likely be ineffective. The completion of the IA falls within the realm of COOP/BCP. Recovery plans are not considered valid until they have been tested. There are various levels of testing which we will review later in this presentation.
These have already been defined. Just review the slide as is .
The COOP Program (note; it is not a project because it is never- ending) has a lifecycle just like any other development process. These phases can fit into three main categories: 1 - Analysis – - Plan Audit - Audit and analyze any existing plans for effectiveness, and thoroughness. Are the plans current? Identify Opportunities for improvement - Risk Assessment - Identifies threats and vulnerabilities to the facility and IT- Identify opportunities for improvement and potential Mitigation Strategies Impact Analysis – Identifies the impact of a disaster on the business. Defines and quantifies reasons for producing a Business Continuity /Continuity of Operations Plan 2 - Plan Development – - First, develop a list of potential threat scenarios that may impact each facility by geographical area - Identify mitigation strategies to minimize the impact of a disaster relative to the threat scenarios, wit associated cos ts Once a strategy has been determined and approved, begin developing and documenting plans to support the chosen strategy 3 - Implementation - - Conduct Awareness and Training Sessions to ensure all personnel are aware of the BCP/COOP, as well as their pre and post-disaster responsibilities - Conduct Tests and Exercises to ensure Plan Validity - Revise plans, based on exercise (test) results for plan improvement
Page is pretty self-explanatory . Don’t give any more detail than what is documented in slide .
SLA – Service Level Agreement RTO – Recovery Time Objective- When critical process/applications must be restored RPO – Recovery Point Objective – To what point-in-time functions and applications must be recovered.
There are various methods to facilitate training and/or testing recovery plans. Orientation/Walkthrough – One such type is an orientation of the hotsite resources for recovery personnel, which includes: familiarization with equipment, facility access procedures, and meeting and conferring with recovery specialists Tabletop Team members sit around a table and review documented procedures to ascertain if plan appears to be complete and valid. Naturally, until we physically test the plan we have no way of assuring that it will work. However, these reviews help to minimize the possibility of missing documentation for these procedures. Peer reviews, which incorporate review of procedures by members not directly involved in the documentation effort, often serve to flush out missing pieces of the plan. Functional This is the physical recovery exercise. It can take place at the external hotsite or at an internal alternate facility. The recovery effort must include restoring critical processes to a vanilla system, such as you would receive from the external hotsite. Should the recovery process include redundant processing or failover, then the system does not or should not be vanilla. Full Scale – The ultimate testing of the facility. Integration includes various system platforms/systems communicating and passing data between them as in the standard production environment.
Continuity of Operations Planning COOP 101 Stephen X. Mazzuca Sr. Account Executive Federal Sales www.ParadigmSolutionsCorp.com
NEED FOR CONTINUITY OF OPERATIONS PLANNING Contractual & Legal obligations Employees Health & Safety Liability Exposure Cash flow and Financial Performance Market Share Customer Service Brand Image & Reputation Sales Regulatory Requirements COMPLIANCE
<ul><li>It will happen only to the "other company." </li></ul><ul><li>and / or </li></ul><ul><li>The odds of our business being struck by a disaster are extremely low, or at least the damage will be minimal. </li></ul><ul><li>Continuity of Operations/Business Continuity Plans are not a government `` requirement.`` </li></ul><ul><li>It is Human nature to put off something that “ we think ” we are not required to have. </li></ul><ul><li>Continuity of Operations Planning, testing, and proper data backup and archiving activities cost money and offer no obvious return on investment . </li></ul>Objections to COOP/BCP Statistical Information Average Hourly Cost of Downtime: Brokerage House (or large e-commerce site) $ 6.4 million Credit Card Sales and Authorization $ 2.6 million Catalog Sales $ 90 thousand Package Shipping and Transportation Industry $ 28 thousand UNIX Networks $ 75 thousand PC LANs $ 18 thousand Average Hourly Cost to Re-create Data $ 50 thousand Perfect Reasons Not to Procrastinate
LEGAL / REGULATORY REASONS FOR COOP/BCP Federal Mandate “ The head of each Federal department and agency shall ensure the continuity of essential functions in any national security emergency by providing for: succession to office and emergency delegation of authority in accordance with applicable law; safekeeping of essential resources, facilities and records; and establishment of emergency operating capabilities.” Executive Order 12656 Legal Statute - D&O Insurance Limitations "Directors and Officers of companies have a fiduciary responsibility to ensure that any and all reasonable efforts are made to protect their companies. D&O insurance only protects officers if they used good judgment and their decisions resulted in harm to their company and/or employees. "Courts will assess liability by determining the probability of loss, multiplied by the magnitude of the harm, balanced against the cost of prevention. BURDEN of PROOF The burden of proof would be on Company X to prove that all reasonable measures had been taken to mitigate the harm caused by the disaster. FCPA The FCPA (Foreign Corrupt Practices Act ) is unique in that it holds corporate managers personally liable for protecting corporate assets. Failure to comply with the FCPA exposes individuals and companies to the following: Personal fines up to $10,000, Corporate fines up to $1,000,000, and Prison terms up to five years. FFEIC Federal Financial Institutions Examination Council (FFIEC) issued an updated policy statement on "Corporate Business Resumption and Contingency Planning" (SP-5) for financial institutions, as of March 1997. It emphasizes that the directors and management of financial institutions must address the inherent risks associated with the loss or disruption of services to themselves and their customers.
BCP/ COOP Strategy It is much easier to react with a plan in hand! Prevention To avoid and minimize disaster frequency and occurrence to the extent possible. Anticipation To identify likely disaster scenarios and assess related consequences . Mitigation To take the necessary steps to react, respond, and minimize any negative While it is essential to build strategies around a “worse-case” disaster, the strategy must also address three basic needs:
Develop and Implement – Phase 2 – continued <ul><li>IT DISASTER RECOVERY PLANNING Component – DRP </li></ul><ul><li>The process of planning to ensure disaster recovery support services for the resumption, recovery and restoration of all identified critical applications, associated systems, and infrastructure contained within corporate computer processing centers, in a timeframe dictated by business requirements (SLA, RPO, RTO). </li></ul><ul><li>Until recently, DRP was the only component addressed. Other BCP components did not become essential until after 9-11. </li></ul><ul><li>It includes: </li></ul><ul><li>Identifying critical IT applications, systems and their dependencies. </li></ul><ul><li>Preventing Failure when appropriate. </li></ul><ul><li>Providing instructions and information on what to do including </li></ul><ul><li>essential details on procedures, directions, and schedules </li></ul><ul><li>Documenting plans to enable critical applications/systems and related infrastructure to be </li></ul><ul><li>resumed in the event of a disruption as dictated by the Business. </li></ul><ul><li>In general, the disaster recovery plan should expect the worst </li></ul><ul><li>case. </li></ul><ul><li>High Availability Perspective: </li></ul><ul><li>Plans should ensure that the inevitable, occasional interruption is transparent to the enterprise's key stakeholders, including customers, stockholders, and employees . </li></ul>