Apdip disaster mgmt



Published in: Business, Technology

  1. Disaster Management (i.e. Business Continuity). Josef C. Mueller, Associate Partner
  2. Objective: To discuss information systems disaster management and the formation of backup and disaster recovery plans
  3. Agenda
     • Introduction
     • Disaster Recovery Approach
     • DR Team Organization
     • Case Study
     • Example Disaster Recovery Services
     • Open discussion
  4. Introduction: What is a Disaster?
     Any unplanned event that requires immediate redeployment of limited resources.
     Sample Disasters
     • Natural Forces: Fire; Environmental Hazards; Flood / Water Damage; Extreme Weather
     • Technical Failure: Power Outage; Equipment Failure; Network Failure; Software Failure
     • Human Interference: Criminal Act; Human Error; Loss of Users; Explosions
  5. Introduction: Some Examples of Disasters
     • The Chicago Flood: The underground flood of Chicago on Monday April 13, 1992 proved to be one of the worst business disasters ever. 230 buildings lost power because water threatened their underground power sources.
     • The World Trade Center Explosion: Businesses were forced to evacuate the World Trade Center on February 26, 1993, when a bomb exploded in the underground parking garage. Companies that were affected by the disruption were unable to remove critical equipment and documents.
     • The San Francisco Earthquake: The Oct 18, 1989 quake measured 7.0 on the Richter Scale. The Bay Bridge had collapsed. The city had lost the main business section due to the collapse of buildings and loss of electricity.
  6. Introduction: Some Examples of Disasters (Cont’d)
     • Hurricane Andrew: On August 22, 1992, Hurricane Andrew hit the South Florida area. Many businesses suffered physical and financial losses from the hurricane; the valuation of destroyed property was the largest in US history.
     • The Kobe Quake: The devastation on January 17, 1995 was the worst in the port city of Kobe, where the 7.2 magnitude quake toppled roadways, wrecked docks, severed communication lines and kept the city in flames into the next day.
     • Oklahoma City Bombing: On April 19, 1995, a terrorist bomb exploded in front of the nine-story Alfred P. Murrah Federal Building in downtown Oklahoma City. The blast destroyed one-third of the building from roof to ground, leaving a crater eight feet deep and 30 feet wide.
  7. Introduction: What is a Disaster Recovery Plan?
     A management document for how and when to utilize resources needed to maintain selected functions when disrupted by agreed upon incidents.
     Other names commonly used:
     • Business Continuity Plan
     • Contingency Plans
     • Continuity Plans
     • Emergency Response Plans
     • Business Recovery Plans
     • Recovery Plans
  8. Introduction: When an incident occurs, the Disaster Recovery response activities are likely to be the following (at a high level).
     [Flow diagram; box labels:]
     • Incident
     • Assess Damage
     • Confirm Response Strategy
     • Transfer to Alternate Location
     • Execute Required Functions
     • Prepare New Site
     • Transfer & Execute at New Site
     • Restore Primary Site
     • Transfer & Execute at Primary Site
     • Return to Normal Operations
     • Assess DRP Effectiveness
     • Generate Change Requests
  9. Introduction: What is the magnitude of an incident?
     • Regional Area
     • Local Area
     • Within Blocks
     • To The Building
     • Within Floors
     • On The Floor
     • Within The Room
     Depending upon the magnitude of an incident, possible alternative sites include:
     • Within The Room
     • Within the Building
     • Within the Region
     • Outside the Region
  10. Introduction: Types of Controls
     • Integrity Controls: Policy; Methodology; Staffing; Education; Division of Responsibility; Audit; Error and Change Control; Reporting and Resolution; Test; Quality Assurance
     • Confidentiality Controls: Proprietary Information Policy; Ethics Statement; “Need to Know”, “Need to Withhold”; Classification Scheme; Records Management; Handling Procedures; Physical & Electronic Security Measures
     • Availability Controls: Asset Identification; Interruption Analysis; Controls Review; Impact Analysis; Data Backup; Off-site Storage; Avoidance Strategies; Mitigation Strategies; Early Detection & Notification; Recovery Strategies; Alternate Locations; Plans and Procedures; Vendor Relationships; Training; Testing
  11. Introduction: Types of Strategies
     • Avoidance Strategy: Redundant configuration to avoid incidents; Site harden facilities to resist incidents; Redundant utilities and hardware; Automated operation recovery plan
     • Mitigation Strategy: Early warning detection; Contractual agreements with vendors; Mirrored data and documents; Detailed migration recovery plan
     • Recovery Strategy: High level recovery plan; Off-site data storage; Very responsive vendor relationships; Very knowledgeable employees
     Types of Strategy Options
     • Hot site
     • Cold site
     • Self Backup
     • Service Bureau
     • Reciprocal Agreement
  12. Introduction: What is a Critical Business Function?
     A specific entity management has decided is so significant to the business mission that, without it, the organization cannot successfully operate after an identified time period.
     Types of Impact
     • Financial Loss
       • Lost Revenue: Lost Sales; Lost Market Share; Lost Opportunity
       • Extra Expense
         - Labor Cost: Recreate Lost Business; Recreate Lost Data; Use Manual Process
         - Equipment Cost: Hardware / software; Telephones
         - Money Cost: Delayed Receivable; Delayed Orders; New Interest; New Investments
     • Human Interference: Management Control; Employee Relations; Stockholder Relations; Public Image; Legal Exposure; Contractual Liability; Competitive Advantage
  13. Introduction: Criteria for a Critical Business Function
     • Cost of Control vs. Impact [chart: curves "Cost of Impact $" and "Cost of Control $"; axes "Impact" and "Cost"]
     • Timing Requirements: Minutes; Hours; Days; Weeks; Quarters; Special Situations
     • Interdependencies: Inputs and Outputs
  14. Introduction: Implementing Recovery Plans is not an easy task!
     • Recovery prevention techniques are inadequate
     • Increase the level of user security awareness and education
     • No recovery plan at all
     • Plan is stored on the “ultimate” computer (in IT directors’ head)
     • Establish short-term alternate processing procedures
     • Removal of systems running on obsolete machines
     • Recovery plans are too theoretical and not geared to the organization’s needs
     • Plans are unwieldy
     • Recovery plans are in a written format and/or are not updated
     • Backup not tested
     • Plans not tested
     • Plans are located in the computer room or the building
     • Plans are too grandiose (EXPENSIVE)
     • Plan does not address PCs / workstations
     • “People Factors” are not taken into account
  15. Disaster Recovery Approach: The following Life Cycle model is useful when thinking about Disaster Recovery.
     [Life cycle diagram; labels: Planning Activities; Normal Operations; Maintenance Activities; Recovery Activities; Up-to-Date DRP; Changes; Changes from tests; Changes from event]
  16. Disaster Recovery Approach
     Phases: Planning; Implementation
     Steps: Scoping & Risk Assessment; Recovery Strategy Development; Disaster Recovery Plan; Training & Testing; Approval
     • Planning: The primary objective for the Planning Phase is to gain management consensus on the focus areas and scope of a Disaster Recovery Plan that will address major business risks.
     • Implementation: The primary objective for the Implementation Phase is to develop, test, and roll out a Disaster Recovery plan. The implementation phase could be longer or shorter, depending upon scope, approach, and staffing defined during the Scoping and Risk Assessment phase.
  17. Disaster Recovery Approach: Determine the focus areas and scope for the Disaster Recovery Plan implementation phase
     • Activities: Management Briefing; Questionnaires; Interviews; Focus Groups; Workshop
     • Key Deliverables: Scoping and Risk Assessment Report; Requirements Summary; Current Capability Summary; Critical Business Functions Matrix; Critical Systems Matrix
  18. Disaster Recovery Approach: Develop strategies for each of the most critical systems based upon the outcome of the Scoping and Risk Assessment phase
     • Activities: Develop Strategies; Select Spinoff Projects
     • Key Deliverables: The Recovery Strategy Report; Alternatives and recommendations
  19. Disaster Recovery Approach: Develop detailed plans for business continuity based upon the specific strategy identified for each critical system
     • Activities: Develop Recovery Plan
     • Key Deliverable: Recovery plan includes
       • Assessment Plan & Procedures
       • Notification Procedure
       • Recovery center Procedure
       • Migration Plan (facilities, data, people)
       • Team Organization (Roles & Responsibilities)
  20. Disaster Recovery Approach: Develop detailed plans for business continuity based upon the specific strategy identified for each critical system (continued)
     • Activity: Develop Maintenance Procedures
       Key Deliverable: Maintenance Procedures include
       • Responsibility matrix for maintenance
       • Testing strategy
       • How to update the Recovery Procedure
       • Ongoing Center recovery training schedule
     • Activity: Prepare facilities and Infrastructure
       Key Deliverable: Recovery Center Location, facilities and required component
  21. Disaster Recovery Approach: Provide training to the recovery team and conduct the testing based upon the testing approach documented in the Maintenance procedure
     • Activities: Prepare training materials; Conduct & Evaluate Training
     • Key Deliverables: Training material; Trained staff
  22. Disaster Recovery Approach: Get the Disaster Recovery Plan approved and roll it out to the organization
     • Activities: Revise plan (if necessary); Approve the Disaster Recovery Plan
     • Key Deliverable: Management Sign-off; Publication & Distribution of the disaster recovery
  23. DR Team Organization: An Example of Disaster Recovery Team
     [Organization chart; boxes:]
     • DRP Management Team
     • Disaster Recovery Director
     • Administrative Support
     • Customer Liaison
     • Production Application Support
     • Disaster Recovery Coordinator
     • Site Restoration
     • System Software and Database Administration
     • Security
     • Computer Operation and Off-site Storage
     • Network Delivery
     • Application Support
     • Services Delivery
  24. DR Team Organization: Examples of Data Center Roles & Responsibilities
     • Title: DR Management Team
       Role: Act as the steering committee of the DR Team
       Responsibilities:
       • Provide overall management support to DR team
       • Responsible for strategic decision and key requirements or changes on DRP
       • Make key decisions according to DRP
     • Title: Disaster Recovery Director
       Role: Act as an advisor to the DR management team
       Responsibilities:
       • Oversee the activities of the DR team
       • Budget for future DR requirements
       • Communicate with other management to deal with the business process and recovery procedures
     • Title: Administrative Support
       Role: Provide administration support to the DR team
       Responsibilities:
       • Provide the DR team with administrative resources and facilities
       • Co-ordinate with lawyers for court cases and handle legal documents
       • Responsible for accounting matters on DR’s expenses
       • Investigate the amount of damaged resources and insurance claims
  25. DR Team Organization: Examples of Data Center Roles & Responsibilities
     • Title: Customer Liaison
       Role: Coordinate with users and customers on any recovery issue
       Responsibilities:
       • Notify users and clients of the disaster
       • Issue updates of recovery progress and expected time of recovery
       • Help on data center migration issues and work re-allocation
     • Title: Disaster Recovery Coordinator
       Role: Centralized coordination for the entire DR team
       Responsibilities:
       • Declare a disaster for each critical system component or for an entire site
       • Inform the DR team of the decision
       • Execute DR procedures and recovery strategies
       • Ensure that the DRP is updated and tested on a regular basis
     • Title: Site Restoration
       Role: Co-ordinate the recovery operations should a site be destroyed
       Responsibilities:
       • Organize security control for the disaster site and alternate processing site as required
     • Title: System Software and Database Administration
       Role: Prepare recovery and restoration of software and databases
       Responsibilities:
       • Responsible for the restoration of Hosts, Servers, DB, synchronize data, etc.
  26. DR Team Organization: Examples of Data Center Roles & Responsibilities
     • Title: Computer Operations and Off-site Storage
       Role: Manage storage of the backups
       Responsibilities:
       • Provide ready access to the required backups
       • Ensure the backups are stored in a secure environment
     • Title: Application Support
       Role: Manage applications with regard to DRP
       Responsibilities:
       • Manage application changes to ensure they are compliant with the DRP and vice versa
     • Title: Security
       Role: Review and monitor DR procedures
       Responsibilities:
       • Ensure the DR procedures comply with the firm's security and audit policies
     • Title: Network Delivery
       Role: Manage and monitor voice and data network
       Responsibilities:
       • Oversee the recovery of the communication environment
       • Switch users to use the alternate network
       • Co-ordinate with the communication service providers for WAN service recovery
  27. DR Team Organization: Examples of Data Center Roles & Responsibilities
     • Title: Service Delivery
       Role: Manage IT service delivery
       Responsibilities:
       • Oversee the service management recovery
       • Provide helpdesk and end-user support as in DRP
       • Work closely with Customer Liaison and Disaster Recovery Coordinator to ensure synchronization of communication channel to the users and the DR team activities
  28. Case Study. The Chicago Flood: Impact
     • One of the worst business disasters
     • 230 buildings lost power for a couple of days
     • Valuable government records were in jeopardy
     • Extensive impact on electrical and computing systems
     • The greatest financial impact was on the CBOT, which lost 25 billion in trading of 36 products
  29. Case Study. The Chicago Flood: Disaster Recovery
     • Using Alternate Site Services approach
     • Providing the alternate site nearly identical to the customer’s damaged site
     • Implemented by Comdisco Continuity Service
     The Chicago Flood: Recovery Result
     • Helped 2 Chicago banks resume operation within hours of evacuation
     • 17 customers from the financial, brokerage, government and service/distribution industries were supported at their hot sites within half a day
  30. Case Study. The World Trade Center Explosion: Impact
     • Building-wide power outage
     • Structural damage and employee trauma; businesses were down
     • Water problems because pipes were severed
     • Injured and dead were reported; the building was considered a crime scene
     The World Trade Center Explosion: Recovery
     • The Recovery Plan of Fiduciary Trust, a banking and financial institute
     • The data center switched automatically to their secondary power system
     • Moved the operation to their alternate site in NJ, which was equipped with a computer network nearly identical to that of the bank
  31. Case Study. The World Trade Center Explosion: Recovery Result
     • System was down for Friday afternoon and was up and running by Monday morning as if nothing had happened
     • Employees retained their usual telephone numbers
     • Transactions went through the same as always
     • Customers couldn’t even detect that the bank was no longer operating from the World Trade Center
  32. Example Disaster Recovery Services: Examples of Disaster Recovery Services
     • Alternate Sites: Provide alternate site nearly identical to the customer’s damaged site
     • Business Impact Analysis: Provide services such as defining disaster plans and addressing exposures to business and recovery administrators
     • Certification: Provide services such as certifying qualified individuals in the discipline and promoting the credibility and professionalism of certified individuals
  33. Example Disaster Recovery Services: Examples of Disaster Recovery Services
     • Education Classes: Creating a base of common knowledge for the business continuity/disaster recovery planning industry through education, assistance, and the promotion of international standards
     • On-Site Recovery Facilities: Manage the mobilization of an on-call response team, prepare pre-designated site, erect temporary pre-engineered structures, install mechanical and electrical systems and coordinate move-in activities
     • Satellite Communication: Provide satellite telecommunications products and services
  34. Example Disaster Recovery Services. Service Providers: Consulting Services
     • Andersen Consulting: www.ac.com
     • Bell Atlantic Federal CommGuard: www.commguard.com
     • Comdisco: www.comdisco.com
     • Computer Security Consultants, Inc.: www.crciweb.com
     • GSA Disaster and Business Recovery: www.gsa-gsa.com
     • Intessera Technologies Group: www.intessera.com
  35. Example Disaster Recovery Services. Service Providers: Alternate Site Services
     • ARC Disaster Recovery Services: www.arcdrs.com
     • Comdisco: www.comdisco.com
     • HP Business Recovery Services: www.hp.com
     • IBM Business Recovery Services: www.brs.ibm.com
     • SunGard Recovery Services, Inc.: recovery.sungard.com
  36. Example Disaster Recovery Services. Providers: Computer Quick-ship, Hardware Replacement
     • El Camino: www.elcamino.com
  37. Disaster Management (i.e., Business Continuity): Open discussion, Q&A