You will leave this webinar by understanding the: • Prerequisites for decision on which ICT DR strategies to implement or use • What major alternatives there are • Pros and Cons of them • What will happen after the strategies are implemented About Presenter Barbro Thöyrä, MBA, is certified implementer, auditor and trainer in several ISO standards including ISO 24762 ICT Disaster Recovery Manager. She has many years of experience in IT, Product Management and Business Continuity as a manager, senior consultant, project manager, finance and business continuity subject matter expert. She has worked in several IT and BCMS planning projects worldwide as an expert and project manager.

1. Barbro Thöyrä

2. 16-09-15 2
General information
- About me
- Content of this webinar
- Duration of the webinar
- Questions

3. 16-09-15 3
Disaster Recovery Problem Statement
• An internal or external event interrupts one or more of our
business processes
• Time -- the length of the interruption -- causes the
situation to become a disaster

4. 16-09-15 4
Disaster Recovery Assumptions
• Major catastrophes, Not Daily Operational Problems
• Will Not Produce a “Business as Usual” environment
• The organization will Still Lose time and money in a
disaster

5. 16-09-15 5
• Move an operational department, with NO WARNING!
and
• Recover Time-Sensitive business operations
– Without notice
– At another (remote?) location/facility
– With less capacity & capability
– Using only data stored Off-Site
– Within a designated recovery time frame
– Without some key personnel
The Disaster Recovery Challenge

6. 16-09-15 6
Disaster
Emergency response
- immediate recovery
Recovery - critical
functions
Return
Home
Business Relocation
long term recovery in
new or semi-
permanent location
Hours Days Weeks

7. 16-09-15 7
- Identify recovery strategies for the mission critical operations
using the BIA and Risk Evaluation
- Recommend strategies to meet the recovery objectives
identified in the BIA
- Perform a cost benefit analysis on the recommended strategies

8. Risk Assessment
Resources
vul. to risks
1. Identifying risks
2. Risk analysis
3. Risk judgement
List of critical
resources
16-09-15

9. Risk Category Asset/Element VulnerabilityReal Probability Controls Category
Power outage Critical applications H H M 1
Power outage Information prov. by computers H H M 1
Power outage Critical information/data H H M 1
Power outage Computer facilities H H M 1
Power outage Terminals H H M 1
Power outage Internal links (LAN,WAN) H H M 1
Power outage Documents/conf. information H H M 1
Power outage Operating systems H H M 1
Power outage Gateways H H M 1
Fire Information prov. by computers H H M 1
Fire Critical information/data H H M 1
Fire Computer facilities H H M 1
Fire Terminals H H M 1
Fire Internal links (LAN,WAN) H H M 1
Fire Documents/conf. information H H M 1
Fire Operating systems H H M 1
Fire Gateways H H M 1
Fire Maintenance activities H H M 1
Software failure Daily operations H M M 1
Software failure Customer care H M M 1
Hacker Information prov. by computers H M M 1
Fire Failure indicators H L S 2
Fire Air condition H L S 2
Cable cut to switch Daily operation H L S 2
Cable cut to switch Customer care H L S 2
Major accidents Critical applications H L S 2
Major accidents Information prov. by computers H L S 2
Major accidents Critical information/data H L S 2

10. 16-09-15 10
Operational Impacts of Outage
Customer Impacts of Outage
Financial Impacts of Outage
Legal/Regulatory Impacts of Outage
Other Impacts of Outage
Recovery Time Objectives
Business Unit Recovery Priorities
Recovery Requirements/Resources
Vital Records
Establish
Determine
Business Impact Analysis (BIA)

11. 16-09-15 11
0
5,000,000
10,000,000
15,000,000
20,000,000
25,000,000
30,000,000
35,000,000
< Day
1
Day 1 Day 2 Day 3 Day 4 Day 5 Week 1 Week 2 Week 3 Week 4 > Week
4
USD
Cumulative financial impacts, example
Lost Sales

12. 16-09-15 12
“.....is the time between the point of disruption and the
point at which most critical systems must be
operational AND updated to current status.”
time
Recovery
of
Operations
Critical
Systems
Operational
with Current &
Accurate Data
Recovery Time Frame
The time within which Business Processes must
be recovered at acceptable levels of operational
capability to minimize the impact of an outage
Point of
Disruption
Recovery Time Frame (RTO)

13. 16-09-15 13
Some parameters for estimation of RTO:
• Complexity of recovery
• Impacts on customers
• Financial impacts
• Impacts on operations, how long can a site/node be idle
• Any recovery strategies in place?
• Any work around procedures?
• The amount of back-logg in case of an outage (RPO)
Recovery Time Frame (RTO)

14. 16-09-15 14
Major points to consider :
• Recovery of critical business functions
• Business recovery requirement priorities
• Minimization of losses
• Time frame for the recovery – RTO
• Service level desired within the RTO (100% not realistic)
• Stepwise recovery
• Recovery resources
• Cost/Benefit of Recovery solution
• Requirements of the Recovery solution(s)

15. 16-09-15 15
Recovery
time
Recovery
investment
$
Recovery
cost
$
Continuous
process
Hot site
Mobile
site
Cold site
Manual
procedures
Do nothing
Disaster Recovery strategies
Redundant
Hot Site
Mobile Site
Cold Site
Withdraw service
Do nothing

16. 16-09-15 16
Recovery Strategies
Service degradation:
• No recovery strategy
• Manual procedures – work around
• Reduce service response
• Withdrawal of service
• Staff working from home

17. 16-09-15 17
Recovery strategies
Internal/extrenal strategies:
1. Internal back-up facilities
2. Hot site
3. Warm site
4. Mobil site
5. Cold/shell site
6. Reciprocal agreements
7. Third party service vendor
8. Cloud
9. Investigate usage of other internal facilities

18. 16-09-15 18
Develop vital record and work in
progress recovery strategies

19. 16-09-15 19
Considerations when choosing recovery location:
 Threats
 Access control
 Facility security
 Dedicated areas
 Environmental control
 CC (EOC)
 Restricted facilities
 Others

20. 16-09-15 20
 Natural hazards
 Weather changes
 Industrial and commercial hazards
 Accessibility
 Alternate routes
 Shared premises
 Public utilities
 Cabling infrastructure
 Risk mitigation
Threats

21. 16-09-15 21
Access control:
- Selective restriction of entry and exit of users into or out of the area
- Personal security categoies
- Security zones
Facility security :
- Physical building
- Exterior/interior
- Alarm system
Dedicated areas:
- Recovery room
- Assambly areas

22. 16-09-15 22
Environmental control:
- Temperature
- Ventilation
- Humidity
- Vibration and noise
EOC:
Restricted facilities:
- Authorized access for designated
purposes
Others:
• Telecommunication
• Power supply
• Fire protction
• Cabling
• Rest areas
• Parking areas
• Medical care
• Food and drink
• Testing
• Life Cycle
• Vendors
• Outsoursing

23. 16-09-15 23
Compare internal/external solutions
a. Advantages
b. Disadvantages
c. Costs (startup, maintenance
and execution)
e. Mitigation capability and control options
f. Ability to meet defined RTO and RPO

24. 16-09-15 24
Prerequisites for mobile sites:
• Transmission connection points at each site
• Possible parking places are at the IT center
• Power supply (generators)
• Off-site storage and suitable back-up regime

25. 16-09-15 25
100%
West
Middle
East
North
10 %
18 %
27 %
36 %
Transport
4 hours
West&East
Transport
10 hours
Mid&North
• Part 1,2,3,4 of transmission up
• SDH backbone
• Far end transmission up
• Start the switches
• RBS reloaded,
• Switches loaded, HLR loaded
• Test, 8hours
Activate teams
2 hours
12,12,12,12
hours
6 hours
32 44 50 62 Hours
‘Cold Site’
For 5 HLR and 5 SCPs
HLR-redundancy (0 hours)
or
‘Warm site’ HLR (3 hours)
or
Mobile HLR (6 hours at site)
Enough capacity in
other GMSCs in the network

26. 16-09-15 26
Activation and Deactivation
Response plan
Recovery plan
Restoration plan

27. 16-09-15 27
Exercise/test
If you do not exercise your plan you do not
have any…..
Only 30% of the companies exercise their
plans…...
Plan for the worst,
exercise for the rest!

28. 16-09-15 28
...in case of
a disaster?