Protect Critical Services with a Business Continuity Plan

Business Continuity
Plan
To Protect your
Critical Services

Yusuf Hadiwinata Sutandar
Linux Geek, Opensource Enthusiast, Security Hobbies
RHCT, RHCSAv5-v7, RHCEv5-v7, RHCVA, RHCI, RHCX, RHCSA-RHOS, RHCJA, CEI,
CEH, CHFI, CND, EDRP, CCNA, MCTCNA, Security+, Network+, VCA, vExpert 2017-
2018
Senior Operation Manager Technology

Key-Service For Your Business
Business is shifting in the digital age

The Role IT Play in Digital Transformation Initiatives
and Powers Business Growth
These four constituents are:
• IT Organization - Defines the scope of digital transformation and business continuity.
• Cloud service providers - Ensures service consistency in cloud-driven digital workplace.
• Systems integrators - Share expert perspective and guidance.
• Systems and software vendors - Ensure technology fits the need.

Digital Transformation not just solve lot of problem,
but also generate new problem
Now, Business rely on Information Technology

What would happen if…
• A hurricane hit?
• A fire occurred?
• Power was interrupted?
• What would you do?
• What would a business do?

An Example of Disaster

Not just an IT issue!

What is a Business Continuity?
"Is the capability of the organization to continue delivery
of products or services at acceptable predefined levels
following a disruptive incident.
(Source: ISO 22313/22301)"

Why Should we do Business Continuity Planning
(BCP)?
• To ensures compliance with our ever-increasing
regulatory requirements
• To enhances our ability to avoid:
Goal: To prevent disruptions in business operations
• Financial losses
• Regulatory fines
• Damage to equipment

BCP & DRP Triangle
Data Backup and Replication
Alternative Site
IT Recovery Process
Validation & Testing
Business Continuity Plans
Risk Management
Policy & Strategies
Business
Continuity
Business
Continuity
Plan
Disaster
Recovery
Plan
Policy Layer
Management Layer
Infrastructure Layer

BCP – Key Elements
• Analysis - Identification of risks/threats
• Response/recovery Design - Plan of action
• Implementation
• Testing
• Maintenance

Phases of BCP
Mitigation
After assessing your risk,
do what you can to avoid
the risk or reduce the
impact in case of an
emergency or incident
Preparedness
Be as prepraed as you
can to minimize the
impact in case of an
emergency or incident
Response
Take reasonable action
when emergency or
incident occurs.
Recovery
While still responding
start to think about how
to return to normal
operations as soon as
possible
Incident
Occurs
Phase 1 Phase 2 Phase 3 Phase 4

Achieving an Effective BCP
• Obtain Top Management Commitment
• Establish a Planning Committee
• Perform a Risk Assessment
• Establish Priorities for Processing Operations
• Determine Recovery Strategies
• Perform Data Collection
• Develop Testing Criteria and Procedures
• Test the Plan
• Approve the Plan

Business Impact
Analysis
Effective Business Continuity Plan
starts with identifying all functions
within and services delivered by
the organization.
A business impact analysis (BIA) is
the primary tool for gathering
this information and then
assigning each with a level of
criticality.

Understanding the Organization
• What does your organization do and
deliver?
• What are your most urgent activities?
• What do you need to deliver your
most critical activities?
• What would be the impact over time
if certain activities were disrupted or
interrupted?
• What are the risks to service delivery
e.g. do you rely on a single supplier?

Business Impact Analysis (BIA)
• Risk assessment and treatment
• Prioritisation of activities including Recovery Time Objectives (RTO) and
Maximum Tolerable Period of Disruption (MTPD)
• Identify resources required for maintenance of priority services
This systematic process to determine and evaluate the potential effects of an
interruption to critical business operations as a result of a disaster, accident or
emergency

Business Impact Analysis
Activities which can tolerate very short periods
of disruption
Activities that cannot tolerate any disruption
Activities which could be scaled down if necessary
for short periods of time
Activities which could be suspended if necessary

Business Continuity
Strategy
3 areas that should be considered
in the strategy design process,
including the design of continuity
and recovery strategies and
tactics, threat mitigation
measures, and an incident
response structure.

Key-Service For Your Business http://www.bcmpedia.org/wiki/Maximum_Tolerable_Period_of_Disruption_(MTPOD)
Case study: marketplace
• A = Main website online store
• B = Lapak / Seller center
• C = Internal reporting
Recovery Strategies and Tactics

Terms
RTO - Recovery Time Objective
Definition: period of time following an incident within which; product or service must be
resumed, or activity must be resumed, or resources must be recovered
NOTE: For products, services and activities, the recovery time objective must be less than the time it would take for
the adverse impacts that would arise as a result of not providing a product/ service or performing an activity to
become unacceptable.
MTPD- Maximum Tolerable Period of Disruption
Definition: time it would take for adverse impacts, which might arise as a result of not
providing a product/service or performing an activity, to become unacceptable
Source: ISO 22301

Thread Mitigation Measurement & Strategies
Measures Brief Description
Administrative Training, physical security
Networking These measures are easier to implement at a network hardware level
System
administration
The OS contains everything needed for implementation
Specialized security
solutions
Specialized security software is applicable
Goal: review of the risks and plans for addressing, or mitigating, each of those risks
to an acceptable level. In some cases, risks are accepted as is; in other cases, risks
are transferred, and in still other cases, risks are minimized to a level acceptable to
the organization

Thread Mitigation Measurement & Strategies
Risk References Mitigations
Risk mitigations generally relevant to Human Resources
Disputes over staff pay 1-General …..............
Staff strikes 2-General …..............
Risk mitigations generally relevant to Tenant Infrastructure
Tenant’s cloud service account
credentials compromised
3-General
Provide Identity and Access Management e.g. multi-
factor authentication and account roles with varying
privileges
Tenant’s data compromised in
transit
4-General
Support and use ASD-approved cryptographic controls
to protect data in transit between the tenant and the
BGN
Tenant’s data compromised by
malicious BGN staff
5-General
Restrict BGN staff privileged access to systems and data
based on their job tasks. Require re-approval every
three months for BGN staff requiring privileged access.
Revoke access upon termination of BGN staff
employment.

Incident Response Structure
https://response.pagerduty.com/before/different_roles/
Incident Commander acts as the
single source of truth of what is
currently happening and what is
going to happen during an major
incident
Subject Matter Expert (SME),
sometimes called a "Resolver",
is a domain expert or
designated owner of a
component or service

Elements of Business
Continuity
Management - 3
Introduction of the continuity
management process by education
and awareness of all stakeholders,
including employees, customers,
suppliers and shareholders.

Continuity Requirements
People Premises Technology Information
Suppliers and
Partners

Continuity Requirements Complete
People
• What number of
staff do you require
to carry out critical
activities?
• What is the
minimum staffing
level you will need
to deliver these
• What skills/level of
expertise are
required to
undertake these
activities?
Premises
• What locations do
your prioritised
activities operate
from?
• What alternative
premises do you
have?
• What machinery,
equipment and
other facilities are
essential?
Technology
• Is the service
dependant on
electrical
equipment?
• What IT is essential
to carry out your
prioritised
activities?
• What systems and
means of
communication are
required to carry
out your prioritised
activities
Information
• What Information is
essential to carry
out your prioritised
activities?
• How is this
information stored?
Suppliers and
Partners
• Who are your
priority suppliers?
• Are key services
contracted out?
• Do both you and
your suppliers/
partners have
mutual aid
arrangements in
please

Exercising and Testing
Exercises are there to test plans to give
an idea how our plans would stand up
in a disruption
Ensures that plans are fit for purpose
Identify gaps and learning actions
Continuous updating of core
information

Types of Business Continuity Exercises
It's important for those who are responsible for Business Continuity to know which
type of Business Continuity exercise is appropriate for what they wish to achieve
before planning it. This is because exercises vary in levels and resources required.
There are five main types of exercise and these are summarized below:
• Discussion based exercise
• Table top exercise
• Command post exercise
• Live exercise
• Test

Business Continuity Exercises Purpose
• Validation - to validate and identify improvement opportunities in existing
arrangements
• Training - to develop staff competencies and confidence by giving them
practice in carrying out their roles in a incident
• Testing - to test existing procedures, plans and systems to ensure they function
correctly and offer the degree of protection expected

HP YouTube Example Exercises
https://www.youtube.com/watch?v=ndpjNhd1MtE

Reviewing Business Continuity
Plans should be reviewed and updated when:
• Changes to key staff or partners take place
• The organization is restructured
• Prioritized activity is delivered differently
• Change to the external environment e.g. statutory change, company
requirement
• Following lessons identified from an incident or exercise

The most common problem

Multi-Region
BCP & DRP Triangle Solutions
Data Backup and Replication
Alternative Site
IT Recovery Process
Validation & Testing
Business Continuity Plans
Risk Management
Policy & Strategies
Business
Continuity
Business
Continuity
Plan
Disaster
Recovery
Plan
BaaS
DRaaS
NSS
GIO Backup

Multi Region Data Center
As Alternative Site to Provide High Availability

Multi Region Data Center Product
GIO Private
GIO BMaaS
NVC
NEO BMaaS
Jakarta
NSS
GIO Advanced
GIO OEM
NEO Flex
Storage
GIO Private
GIO BMaaS
NVC
NEO BMaaS
NSS
GIO Advanced
GIO OEM
NEO Flex
Storage
West-Java
InterDC
InterDC

Benefit Multi Region Data Center
Decentralization IT Infrastructure -
Deploy your Infra on Multi Avability-
zone and Region Data Center
Provide High Availability (Service
continuity) and Scalability for business-
critical IT Infrastructure
Align with regional regulatory
enforcement
Reduce latency for regional access
and Help to partition traffic among the
regions

Multi Region Data Center
Region Jakarta
Region West-Java
On-Premise Infrastructure
Region #3
Availability
Zone A
Availability
Zone B
Availability
Zone C
Availability
Zone A
Availability
Zone B
Availability
Zone C
Availability
Zone A
Availability
Zone B
Availability
Zone C
Availability
Zone A
Availability
Zone B
Availability
Zone C
3 avability zone
for each Region

Multi Region Data Center Use Case
Region Jakarta
Region West-Java
Availability
Zone A
Availability
Zone B Availability
Zone C
Availability Z
one A
Availability
Zone B
Availability
Zone C
Frontend Frontend
Backend Backend
Database Database
Free 10Gb InterDC
For Replication
User
High
Availability
and Scalability
Infrastructure

High Availability & Multi-Layer Clustering
Region Jakarta
Region West-Java
Geo Clustering Virtualization
Free 10Gb InterDC
For Replication
OS Clustering
App/DB Clustering
Layer 1 - Hardware
Layer 2 - OS
Layer 3 - App/DB
Global server load balancing (GSLB)

Business Model Multi-Region Infrastructure
Services
Gio Manage
Support
BGN Manage
Services
BGN Maintenance
Support
BGN Implementation &
Consulting
Assessment Current Requirement
Topology and Architecture Design
Propose Solution and Technology
Join Planning Session
Implementation & Documentation
Training and Sharing Knowledge

Disaster Recovery as a Services
Cost Effective Solution for Replication and High Availability

Disaster Recovery Benefit
Machines and Hardware Fail
While modern IT hardware is fairly
resistant to failures, most devices fall
far short of a perfect track record
Backup and disaster recovery solutions
help preserve a company’s reputation
with customers and partners
Helps prevent companies from losing
business to the competition when
disaster occurs
Backup and disaster recovery helps
ensure compliance with industry
regulations.
Extra Layer of Protection - Out of all the disaster
recovery benefits, having an extra layer of protection
is what strongly secures your business

Disaster Recovery as a Service (DRaaS) Solution
Replicate your VM
Infrastructure between
multiple BGN Region w/h
additional charge for
InterDC
Protect & Backup on-
premise Data Center into
our Region DC
Replicate your Cloud
VM Infrastrucutre into
your local Copy
Between BGN Region DC Into BGN Region DC To On-Premise DC
Technology
Help your business to keep doing business-even during major IT outages. DRaaS
offers ease of deployment, cost effectiveness, and dependability. Deploy
replication, failover, and recovery processes t to help keep your applications running
during planned and unplanned outages.

DRaaS Benefit
With a DRaaS solution in place, Customer do not have to worry if a disaster strikes,
Customer will be able to restore normal operations within minutes.
Rapid and Immediate Recovery
Virtualized DRaaS uses fast and scalable infrastructure, and allows virtual access of
assets, with little or no hardware and software expenditures
Resources Used
Compared to more traditional methods of backup, DRaaS is much more flexible.
Flexibility

DRaaS Benefit in term of Investment
Businesses that currently have a secondary site for disaster recovery purposes are surely
familiar with the high costs associated with it. Beyond the unavoidable investments in
replication software and the required software licenses for servers, storage, and security,
there are a number of significant additional costs. Most of these additional costs are
effectively eliminated by using DRaaS through a managed service provide, Our DRaaS
offering eliminates the need for the following expenses:
Reduce Disaster Recovery costs
Building and maintaining a secondary DR site can be both costly and complex, If all of that
infrastructure could be eliminated, then the administration, upgrade requirements, and
maintenance contracts could be eliminated as well
Reduce Complexity
Owning or leasing space for a secondary data center
Monthly costs associated with power, cooling, and internet bandwidth
Purchase or lease of servers, storage, and network equipment

DRaaS Scenario Offering
Region Jakarta
Region West-Java
Availability
Zone A
Availability
Zone B
Availability
Zone C
Availability
Zone A
Availability
Zone B
Availability
Zone C
Primary Data Center Disaster Recovery
On-Premise Infrastructure
Availability
Zone A
Availability
Zone B
Availability
Zone C
Continuous
Replicationto
achieve Lowest
RPOs
Primary Data Center
Disaster Recovery
Between BGN Region DC
Into BGN Region DC To On-Premise DC
Primary Data Center
Disaster Recovery

DRaaS RTO and RPO
3 HOURS 3 HOURS 3 HOURS
RPO RTO
Data Loss
Disaster
Strike
1:05 PM
Data
Restore
4:05 PM
Recovery Point Objective (RPO)
Limitshow far to roll back in time and
defines the maximum allowable amount
of lost data measured in time from a
failure occurrence to the last valid
backup.
Recovery Time Objective (RPO)
how long it takes to restore from the
incident until normal operationsare
available to users
• Tier-1: Mission-critical applicationsthat require an RTP ofless than 15 minutes
• Tier-2: Business-critical applications that require RTO of 2 hoursand RPO of4 hours
• Tier-3: Non-critical applicationsthat require RTO of 4 hoursand RPO of24 hours

Backup as a Service
Solution for Data Protection

Why Backup as a Service
Support's on Laptop and
Desktop enables you to
keep critical data safe
and workflows
uninterrupted
The patented backup
technology able to
capture everything on
your system disk in one
quick step.
You can trigger backup
without user action. You
can configure backup
start by using scheduler
or specific events (Login
Activity, Power off/on,
etc).
Keeping your Business Run
Best Choice for Disaster
Recovery
Less Manpower

Why Backup as a Service
Data compression capability of
BaaS enable you to reduce data
volume up to 90%. This will enable
you to maximize backup speed,
reduce storage requirements, and
minimize network loads.
Remote offices and multiple
work sites present unique
challenges to enterprise data
protection. With BaaS, you can
utilize centralized management
features to remotely manage
back up process in remote
branches.
Reduce Storage and Minimize
Network Loads
Best Solution for your Remote
Branches

Features & Benefit Backup as a Service
Centralized Management for All Operation
You can easily manage all backup operation for both
virtual and physical machine on one single console. You
can review status, assign new backup, monitorall
backup from one place.
Support for various Backup Resources
BaaS supportsvarious data and system for backup such
as files, disk images, application, configuration,as well
as physical system.GIO Backup supports backup from
enterprise server as well as laptop and desktop.
Data Compressionand Encryption
GIO Backup comes with a built-in block-level data
deduplicationand compression.All backups will be
encrypted by default and transmitted over.
Restore Anywhere
GIO Backup givesyou the convenient ability to instantly
restore backups to any machine, regardlessof platform.
The data can be restored either to same hardware,
different hardware, or virtual server.

Business Model BaaS
Services
Gio Manage
Support
BGN Manage
Services
BGN Maintenance
Support
BGN Implementation
& Consulting
Assessment Current Backup
Topology and Architecture Design
Propose Solution and Technology
Join Planning Session
Implementation & Documentation
Training and Sharing Knowledge
Solution
DRaaS BaaS
MSSP

Compliance and Certifications

Peace of Mind

Question and Answer

Key-Service
For Your Business
www.biznetgiocloud.com
PT. Biznet Gio Nusantara MidPlaza 1, 7th Floor Jl. Jend Sudirman Kav. 10-11 Jakarta 10220 – Indonesia

Protect Critical Services with a Business Continuity Plan

Recommended

Recommended

More Related Content

Similar to Protect Critical Services with a Business Continuity Plan

Similar to Protect Critical Services with a Business Continuity Plan (20)

More from Yusuf Hadiwinata Sutandar

More from Yusuf Hadiwinata Sutandar (20)

Recently uploaded

Recently uploaded (20)

Protect Critical Services with a Business Continuity Plan