Slide 1


Published on

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • So What is COOP/BCP? COOP identifies the roles and responsibilities of all parties that will be involved in maintaining an appropriate level of preparedness and reacting to a disaster or Crisis situation. : In general, a Continuity of Operations Plan should expect the worst case. It should provide instructions and information on what to do including essential details on procedures, directions, and schedules. Keep in mind, a Crisis includes such events as a hostage situation, death of an executive, natural disasters, man-made disasters, etc. It doesn't take a Earth Quake, Hurricane, Tornado, or a Flood to wipe out critical functions or IT operations. It can take a lot less to force a business into bankruptcy. Yet, corporations often do not take the necessary steps to protect their valuable business and technical resources from disaster. .
  • “ If the billions of dollars spent on technology annually to maintain a competitive edge is an indication of how reliant our society is on technology, then failing to implement a disaster recovery plan is an indication of corporate negligence.” Did you know that : Computer Economics, a US research company, estimated that the cost of restoring and replacing the information technology and telecommunications infrastructure affected by the World Trade Center and Pentagon attacks would be $15.8bn. The company said that the immediate recovery cost would be $1.7bn and longer term redevelopment work would total a further $8.1bn The cost of caring for victims of Hurricane Katrina and rebuilding the areas it wiped out could cost the federal government up to $200 billion, much higher than previous estimates (CNN/Money)
  • What is Continuity of Operations and how does it relate to your company? COOP permits the organization to take a proactive approach in planning for crisis events. Interruptions can include many scenarios, such as a fire in any company office or data center, theft of valuable assets, CEO kidnapping, terrorist attack. So, how do we go about developing an effective Contingency Plan? Let’s review some of its critical components and procedures
  • Contingency planning includes three Plan Components : Emergency/Crisis Mgt, Business/Agency Recovery, and Disaster Recovery.
  • Picture COOP as an structure that relies on three components to form its firm foundation. These components are further defined here:
  • We first must develop an overall strategy for the planning effort. First, let’s look at some best practices in COOP/BCP
  • Identification Ask : What are some potential disasters? Assessment This is the risk assessment we spoke of a couple of slides back. Planning Take into consideration long-term and short-term strategies Testing (read) Actions Disaster declaration Mobilizing teams Recovery (read)
  • While we have mentioned the IA before, it is so critical until I have decided to bring it up once again. Without a comprehensive IA, the COOP effort will most likely be ineffective. The completion of the IA falls within the realm of COOP/BCP. Recovery plans are not considered valid until they have been tested. There are various levels of testing which we will review later in this presentation.
  • These have already been defined. Just review the slide as is .
  • Self-explanatory
  • The COOP Program (note; it is not a project because it is never- ending) has a lifecycle just like any other development process. These phases can fit into three main categories: 1 - Analysis – - Plan Audit - Audit and analyze any existing plans for effectiveness, and thoroughness. Are the plans current? Identify Opportunities for improvement - Risk Assessment - Identifies threats and vulnerabilities to the facility and IT- Identify opportunities for improvement and potential Mitigation Strategies Impact Analysis – Identifies the impact of a disaster on the business. Defines and quantifies reasons for producing a Business Continuity /Continuity of Operations Plan 2 - Plan Development – - First, develop a list of potential threat scenarios that may impact each facility by geographical area - Identify mitigation strategies to minimize the impact of a disaster relative to the threat scenarios, wit associated cos ts Once a strategy has been determined and approved, begin developing and documenting plans to support the chosen strategy 3 - Implementation - - Conduct Awareness and Training Sessions to ensure all personnel are aware of the BCP/COOP, as well as their pre and post-disaster responsibilities - Conduct Tests and Exercises to ensure Plan Validity - Revise plans, based on exercise (test) results for plan improvement
  • Page is pretty self-explanatory . Don’t give any more detail than what is documented in slide .
  • SLA – Service Level Agreement RTO – Recovery Time Objective- When critical process/applications must be restored RPO – Recovery Point Objective – To what point-in-time functions and applications must be recovered.
  • There are various methods to facilitate training and/or testing recovery plans. Orientation/Walkthrough – One such type is an orientation of the hotsite resources for recovery personnel, which includes: familiarization with equipment, facility access procedures, and meeting and conferring with recovery specialists Tabletop Team members sit around a table and review documented procedures to ascertain if plan appears to be complete and valid. Naturally, until we physically test the plan we have no way of assuring that it will work. However, these reviews help to minimize the possibility of missing documentation for these procedures. Peer reviews, which incorporate review of procedures by members not directly involved in the documentation effort, often serve to flush out missing pieces of the plan. Functional This is the physical recovery exercise. It can take place at the external hotsite or at an internal alternate facility. The recovery effort must include restoring critical processes to a vanilla system, such as you would receive from the external hotsite. Should the recovery process include redundant processing or failover, then the system does not or should not be vanilla. Full Scale – The ultimate testing of the facility. Integration includes various system platforms/systems communicating and passing data between them as in the standard production environment.
  • Slide 1

    1. 1. Continuity of Operations Planning COOP 101 Stephen X. Mazzuca Sr. Account Executive Federal Sales
    2. 2. What is CONTINUITY OF OPERATIONS PLANNING? As defined by the Disaster Recovery Institute: The ability of an organization to ensure continuity of service and support for its customers and to maintain its viability before, after, and during an event. Simply Stated: The ability to stay in business after a disaster strikes ! Copyright © CER 2003
    3. 3. BENEFITS OF A CONTINUITY OF OPERATIONS PLANNING PROGRAM . Reduce Disaster Impact on the company. . Provide a Reliabl e Source of Information to be used at time of Disaster. . Provide Ongoing Maintenance of all Plans . Provide Ongoing Testing of all Plans . Plan Timely response to loss of business and computing resources . . Provide Clear understanding of Roles and Responsibilities Copyright © CER 2003
    4. 4. NEED FOR CONTINUITY OF OPERATIONS PLANNING Contractual & Legal obligations Employees Health & Safety Liability Exposure Cash flow and Financial Performance Market Share Customer Service Brand Image & Reputation Sales Regulatory Requirements COMPLIANCE
    5. 5. <ul><li>It will happen only to the &quot;other company.&quot; </li></ul><ul><li>and / or </li></ul><ul><li>The odds of our business being struck by a disaster are extremely low, or at least the damage will be minimal. </li></ul><ul><li>Continuity of Operations/Business Continuity Plans are not a government `` requirement.`` </li></ul><ul><li>It is Human nature to put off something that “ we think ” we are not required to have. </li></ul><ul><li>Continuity of Operations Planning, testing, and proper data backup and archiving activities cost money and offer no obvious return on investment . </li></ul>Objections to COOP/BCP Statistical Information Average Hourly Cost of Downtime: Brokerage House (or large e-commerce site) $ 6.4 million Credit Card Sales and Authorization $ 2.6 million Catalog Sales $ 90 thousand Package Shipping and Transportation Industry $ 28 thousand UNIX Networks $ 75 thousand PC LANs $ 18 thousand Average Hourly Cost to Re-create Data $ 50 thousand Perfect Reasons Not to Procrastinate
    6. 6. LEGAL / REGULATORY REASONS FOR COOP/BCP Federal Mandate “ The head of each Federal department and agency shall ensure the continuity of essential functions in any national security emergency by providing for: succession to office and emergency delegation of authority in accordance with applicable law; safekeeping of essential resources, facilities and records; and establishment of emergency operating capabilities.” Executive Order 12656 Legal Statute - D&O Insurance Limitations &quot;Directors and Officers of companies have a fiduciary responsibility to ensure that any and all reasonable efforts are made to protect their companies. D&O insurance only protects officers if they used good judgment and their decisions resulted in harm to their company and/or employees. &quot;Courts will assess liability by determining the probability of loss, multiplied by the magnitude of the harm, balanced against the cost of prevention. BURDEN of PROOF The burden of proof would be on Company X to prove that all reasonable measures had been taken to mitigate the harm caused by the disaster. FCPA The FCPA (Foreign Corrupt Practices Act ) is unique in that it holds corporate managers personally liable for protecting corporate assets. Failure to comply with the FCPA exposes individuals and companies to the following: Personal fines up to $10,000, Corporate fines up to $1,000,000, and Prison terms up to five years. FFEIC Federal Financial Institutions Examination Council (FFIEC) issued an updated policy statement on &quot;Corporate Business Resumption and Contingency Planning&quot; (SP-5) for financial institutions, as of March 1997. It emphasizes that the directors and management of financial institutions must address the inherent risks associated with the loss or disruption of services to themselves and their customers.
    7. 7. OBJECTIVES OF CONTINUITY OF OPERATIONS PROGRAM Copyright © CER 2003 The Primary Objectives of COOP/BCP: Ensure 'survival' of the organization under a number of postulated business interruption scenarios. . Define strategies for resumption of the critical business functions to specific performance targets within specified time periods (RTO, RPO, SLA) following the interruption scenario. The assumption is that the organization's short-term survival will be assured if the resumption/recovery strategies are correctly implemented Objectives are delivered, via a set of contingency plan components better known collectively as the “ Continuity of Operations Plan” or “Business Continuity Plan”. These contingency plans include: Emergency Management/Crisis Management, Agency/Business Recovery, and Disaster Recovery
    9. 9. Contingency Plan Components Copyright © CER 2003
    10. 10. Contingency Plan Components - Defined Copyright © CER 2003
    12. 12. Mitigation Strategies The goal of any mitigation strategy is to minimize negative impact. Planning strategies should be based on the outcome of the Impact Assessment and Risk Assessment. Planning strategies must encompass the key planning initiatives: Copyright © CER 2003 1: Identification To identify potential disaster scenarios 3. Planning To create recovery plans, strategies, and tactics. 6. Recovery: To put the pieces back together, providing business resumption and recovery 5. Action: To mobilize when disaster occurs. 4. Testing To test recovery plans and related activities 2. Assessment To quantify consequences and disaster impact
    13. 13. Best Practices for COOP/BCP Copyright © CER 2003 Recovery plans must be tested at least once a year to effectively support critical business requirements.. The most cost-effective COOP/BCP plans will be based on priorities determined by a comprehensive Impact Analysis - IA. Financial Regulatory Legal Employees Sales Customer Production Other
    14. 14. BCP/ COOP Strategy It is much easier to react with a plan in hand! Prevention To avoid and minimize disaster frequency and occurrence to the extent possible. Anticipation To identify likely disaster scenarios and assess related consequences . Mitigation To take the necessary steps to react, respond, and minimize any negative While it is essential to build strategies around a “worse-case” disaster, the strategy must also address three basic needs:
    15. 15. Five Major COOP Elements <ul><li>A Comprehensive contingency plan must address five major elements: </li></ul><ul><li>Impact Analysis </li></ul><ul><li>Risk Analysis </li></ul><ul><li>The Emergency Response/Crisis Management organization and procedures for </li></ul><ul><li>reacting to and coordinating recovery efforts. – Crisis/Emergency Management Plan </li></ul><ul><li>The Business Resumption procedures for the continuation of critical business processes – Business Agency Recovery Plan </li></ul><ul><li>The Recovery Support procedures for restoring key Information Technology resources – Disaster Recovery Plan . </li></ul>Copyright © CER 2003
    17. 17. Develop and Implement – Phase 2 Identify recovery responsibilities and functions necessary to resume computer processing of critical applications. Copyright © CER 2003 Organize procedures to effectively initiate and manage the recovery activities . Identify the critical workload and where it will process at time of disaster Identify the personnel responsible for maintaining and exercising the various parts of the plan
    18. 18. COOP/BCP Lifecycle COOP/BCP Lifecycle Analysis Continuity Of Operations /Business Continuity A nalysis Plan Development Implementation
    19. 19. Develop and Implement – Phase 2 Copyright © CER 2003 <ul><li>BUSINESS RECOVERY PLANNING – ARP </li></ul><ul><li>The process of planning to ensure that the agencies can survive an event that causes interruption to normal processes. </li></ul><ul><li>It includes : </li></ul><ul><li>Resumption, recovery and restoration phases of all identified agency functions as dictated by SLA </li></ul><ul><li>(service level agreement) and RTO (recovery time objectives). </li></ul><ul><ul><li>Resumption - Interim procedures to resume survival-critical agency functions </li></ul></ul><ul><ul><li>Recovery - Interim procedures to continue processing survival-critical, mission critical, and essential agency functions prior to restoration of the stricken facility </li></ul></ul><ul><ul><li>Restoration - Returning to reconstructed/permanent facility. All processing restored. Backlog </li></ul></ul><ul><ul><li>cleaned-up. </li></ul></ul><ul><li>Identifying critical agency functions and workarounds. </li></ul><ul><li>Instructions and information on what to do including essential details on procedures, directions, and </li></ul><ul><li>schedules. </li></ul><ul><li>Documenting plans to enable agency functions to be resumed /recovered/restored in the event of a </li></ul><ul><li>disruption. </li></ul><ul><li>In general, the agency recovery plan should expect the worst </li></ul><ul><li>case. </li></ul>
    20. 20. Develop and Implement – Phase 2 – continued <ul><li>CRISIS MANAGEMENT PLANNING – CMP </li></ul><ul><li>The process for facilitating communications, information gathering and decision-making immediately following the onset of a crisis. It includes and is dependent upon preparedness. </li></ul><ul><li>Specifically, crisis management focuses on: </li></ul><ul><li>Identification of the crisis communications team (and others who might assist the team in certain </li></ul><ul><li>situations) </li></ul><ul><li>Predefined individual and team responsibilities for the crisis management team members </li></ul><ul><li>Contact lists for all internal and external stakeholders </li></ul><ul><li>Responsibilities and procedures for crisis/disaster declaration </li></ul><ul><li>Establishment of Crisis Command Centers for directing the crisis event </li></ul><ul><li>Coordination with effected constituents, such as the community, neighboring </li></ul><ul><li>industries, and identified support entities (fire, police, hospitals, etc.) </li></ul><ul><li>Links Agency Recovery and Disaster Recovery, via Emergency Management and Direction </li></ul>Copyright © CER 2003
    21. 21. Develop and Implement – Phase 2 – continued <ul><li>IT DISASTER RECOVERY PLANNING Component – DRP </li></ul><ul><li>The process of planning to ensure disaster recovery support services for the resumption, recovery and restoration of all identified critical applications, associated systems, and infrastructure contained within corporate computer processing centers, in a timeframe dictated by business requirements (SLA, RPO, RTO). </li></ul><ul><li>Until recently, DRP was the only component addressed. Other BCP components did not become essential until after 9-11. </li></ul><ul><li>It includes: </li></ul><ul><li>Identifying critical IT applications, systems and their dependencies. </li></ul><ul><li>Preventing Failure when appropriate. </li></ul><ul><li>Providing instructions and information on what to do including </li></ul><ul><li>essential details on procedures, directions, and schedules </li></ul><ul><li>Documenting plans to enable critical applications/systems and related infrastructure to be </li></ul><ul><li>resumed in the event of a disruption as dictated by the Business. </li></ul><ul><li>In general, the disaster recovery plan should expect the worst </li></ul><ul><li>case. </li></ul><ul><li>High Availability Perspective: </li></ul><ul><li>Plans should ensure that the inevitable, occasional interruption is transparent to the enterprise's key stakeholders, including customers, stockholders, and employees . </li></ul>
    23. 23. Training Methods – Exercising the Plan The method of training provided is dependent on the level and complexity of a disaster scenario. Full-Scale Exercise Fully integrated exercise that pulls together all functional areas. Functional Exercise Test individual functional areas within the organization. Tabletop / Mini-Drill Test parts of the plan and to reinforce logic and decision-making. Orientation / Walkthrough Designed to familiarize personnel with the plans and equipment. Awareness, commitment, and skills must be repeatedly practiced to maintain the edge necessary for the greatest level of response. LOW HIGH Copyright © CER 2003 30
    24. 24. Questions and Answers
    25. 25. Continuity of Operations Planning COOP 101 Stephen X. Mazzuca Sr. Account Executive, Federal Sales Tel (240) 283-3420 Cell (410) 207-7969 [email_address]