Planning for the Inevitable: IT Disaster Preparedness - Linda Sharp


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Planning for the Inevitable: IT Disaster Preparedness - Linda Sharp

  1. 1. Planning for the Inevitable: IT Crisis Preparedness Linda Sharp CoSN Project Director IT Crisis Preparedness SchoolDude University 2009
  2. 2. <ul><li>Expect and prepare </li></ul><ul><li>for the unexpected! </li></ul>SchoolDude University 2009
  3. 3. Schools Run 24/7 <ul><li>Evening use of facilities </li></ul><ul><li>Backup reports running at off-instructional hours </li></ul><ul><li>Students and parents accessing the district website around the clock </li></ul><ul><li>Other activities and uses in your district? </li></ul>SchoolDude University 2009
  4. 4. Reliance on Technology <ul><li>Instructional activities </li></ul><ul><li>Business operations </li></ul><ul><li>Student data and recordkeeping </li></ul><ul><li>Assessment and accountability </li></ul><ul><li>Internal and external communication with stakeholders </li></ul><ul><li>Other areas of reliance in your district? </li></ul>SchoolDude University 2009
  5. 5. District Objectives in Any Disaster <ul><li>Safety and welfare of students </li></ul><ul><li>Safety and welfare of staff </li></ul><ul><li>Protection of property and facilities </li></ul>SchoolDude University 2009
  6. 6. District Objectives in Any Disaster <ul><li>Maintenance of essential services for as long as possible, shutting down least critical ones first </li></ul><ul><li>Restoration of services - critical ones first - in the shortest amount of time possible </li></ul>SchoolDude University 2009
  7. 7. Think About It? <ul><li>What are some predictable threats in your own community? </li></ul>SchoolDude University 2009
  8. 8. Potential Disasters <ul><li>Natural disasters </li></ul><ul><li>Violence, vandalism </li></ul><ul><li>Man-made threats </li></ul>SchoolDude University 2009
  9. 9. Potential Disasters <ul><li>Natural disasters, acts of God </li></ul><ul><li>Violence, vandalism </li></ul><ul><li>Man-made threats </li></ul><ul><li>Widespread medical emergencies and pandemics </li></ul>SchoolDude University 2009
  10. 10. Potential Disasters <ul><li>Natural disasters </li></ul><ul><li>Violence, vandalism </li></ul><ul><li>Man-made threats </li></ul><ul><li>Widespread medical emergencies and pandemics </li></ul><ul><li>Digital threats </li></ul>SchoolDude University 2009
  11. 11. Cyber Security for the Digital District <ul><li> </li></ul><ul><li>Tools and information to: </li></ul><ul><ul><li>Assess and improve security of technology systems </li></ul></ul><ul><ul><li>To protect safety of staff and students </li></ul></ul><ul><ul><li>Contribute to educational mission of their schools </li></ul></ul><ul><ul><li>Maintain community support </li></ul></ul>SchoolDude University 2009
  12. 12. Security Planning Process SchoolDude University 2009 Outcome: Security Project Description  goals  processes  resources  decision-making standards Phase 1: Create Leadership Team & Set Security Goals Outcome: Prioritized Risk Assessment A ranked list of vulnerabilities to guide the Risk Reduction Phase Phase 2: Risk Analysis Outcome: Implemented Security Plan Risk Analysis and Risk Reduction processes must be regularly repeated to ensure effectiveness Phase 3: Risk Reduction Outcome: Crisis Management Plan A blueprint for organizational continuity Phase 4: Crisis Management
  13. 13. Security Planning Grid SchoolDude University 2009 Security Area Basic Developing Adequate Advanced Management Leadership: Little participation in IT security Aware but little support provided Supports and funds security Aligns security with organizational mission Technology Network design and IT operations : broadly vulnerable security roll out is incomplete mostly secure seamless security Environmental & Physical: Infrastructure: not secure partially secure mostly secure secure End Users Stakeholders: unaware of role in security Limited awareness and training Improved awareness, Mostly trained Proactive participants in security
  14. 14. Security Planning Grid <ul><li>Provides benchmarks for assessing key security preparedness factors </li></ul><ul><li>Uses the same topic areas for consistency </li></ul><ul><li>Helps prioritize security improvement action steps </li></ul>SchoolDude University 2009
  15. 15. <ul><li>You never have time to plan for something you don’t think will ever happen. </li></ul>SchoolDude University 2009
  16. 16. Disaster Planning SchoolDude University 2009
  17. 17. Mitigation and Prevention <ul><li>Actions you take to identify preventable and unavoidable disasters and to address what can be done to eliminate or reduce the likelihood of a disaster and/or its accompanying risks </li></ul>SchoolDude University 2009 Cameron Parish School Board Office
  18. 18. Preparedness <ul><li>Consideration of worst-case scenarios and development of comprehensive plan for coordinated and effective response to any given disaster </li></ul>SchoolDude University 2009 South Cameron High
  19. 19. Response <ul><li>Execution of the preparedness plan and management of the disaster </li></ul>SchoolDude University 2009
  20. 20. Recovery <ul><li>Efficient and timely restoration of mission-critical operations and processes </li></ul>SchoolDude University 2009
  21. 21. Risk Assessment <ul><li>Analyze processes and functions deemed mission-critical. </li></ul><ul><li>Identify types of potential disasters and impact of each on mission-critical items. </li></ul>SchoolDude University 2009
  22. 22. Risk Assessment <ul><li>Prioritize based on acceptable period of unavailability. </li></ul><ul><li>Chart the workflow, considering hardware, software, people and other resource requirements for continued operations. </li></ul>SchoolDude University 2009
  23. 23. Risk Assessment <ul><li>Imagine worst-case scenarios for all types of potential disasters. </li></ul><ul><ul><li>What would be lost? </li></ul></ul><ul><ul><li>What data would be critical? </li></ul></ul><ul><ul><li>How would you communicate? </li></ul></ul><ul><ul><li>How would you restore mission-critical services? </li></ul></ul>SchoolDude University 2009
  24. 24. Consider Lack of Availability of Key Services and Operations <ul><li>What must be restored within 1 hour? </li></ul><ul><li>What must be restored within 4 hours? </li></ul><ul><li>What must be restored within 1 day? </li></ul><ul><li>What must be restored within 3 days? </li></ul><ul><li>What must be restored within 1 week? </li></ul><ul><li>What could wait for 30 days or longer? </li></ul>SchoolDude University 2009
  25. 25. Disaster Recovery Plan <ul><li>Easy to understand and follow </li></ul><ul><li>Organized into sections </li></ul><ul><li>Detailed steps of tasks to be accomplished </li></ul><ul><li>Multiple formats for different audiences </li></ul><ul><li>Print and electronic </li></ul>SchoolDude University 2009
  26. 26. The worst case scenario . . . SchoolDude University 2009 No Plan!
  27. 27. First Steps <ul><li>Identify Planning Team </li></ul>SchoolDude University 2009
  28. 28. First Steps <ul><li>Identify and Classify Services, Operations and Records </li></ul><ul><ul><li>Vital </li></ul></ul><ul><ul><li>Important </li></ul></ul><ul><ul><li>Non-essential </li></ul></ul>SchoolDude University 2009
  29. 29. Resources and Redundancies <ul><li>Hardware </li></ul><ul><li>Software </li></ul><ul><li>Communications </li></ul><ul><li>Facilities </li></ul><ul><li>People </li></ul>SchoolDude University 2009
  30. 30. Hardware <ul><li>Identify all required hardware. </li></ul><ul><li>Be sure to include resources required to run and maintain hardware. </li></ul><ul><li>Regularly update your list. </li></ul><ul><li>Maintain key documents offsite. </li></ul>SchoolDude University 2009
  31. 31. Software <ul><li>Identify all required software. </li></ul><ul><li>Regularly update the list. </li></ul><ul><li>Keep copies of key applications offsite. </li></ul><ul><li>Maintain key documents offsite. </li></ul><ul><li>Be certain your backup systems are reliable - and redundant. </li></ul>SchoolDude University 2009
  32. 32. Software <ul><li>Data </li></ul><ul><ul><li>Secure and Restore Data </li></ul></ul><ul><ul><li>Assess Capabilities of Providers </li></ul></ul>SchoolDude University 2009
  33. 33. Communications <ul><li>Establish a communications plan </li></ul><ul><li>Develop strategic partnerships </li></ul><ul><li>Employee communications </li></ul>SchoolDude University 2009
  34. 34. Communications <ul><li>Single point of contact </li></ul><ul><li>What is communicated </li></ul><ul><li>Technical staff support </li></ul><ul><li>Ensure redundancies </li></ul>SchoolDude University 2009
  35. 35. People <ul><li>Who is qualified to manage tasks? </li></ul><ul><li>Have they been trained? </li></ul><ul><li>What is their prior experience? </li></ul><ul><li>Ensure key people resources are backed up . </li></ul>SchoolDude University 2009
  36. 36. People <ul><li>Incident Response Team </li></ul><ul><li>Identify critical personnel </li></ul><ul><li>Communicate roles and responsibilities </li></ul><ul><li>Ensure personnel have authority needed </li></ul>SchoolDude University 2009
  37. 37. Facilities <ul><li>Have building blue prints available </li></ul><ul><li>Have all shut-off valves clearly labeled or color coded on blue prints </li></ul><ul><li>Identify evacuation sites </li></ul><ul><li>Identify potential known hazard areas </li></ul>SchoolDude University 2009
  38. 38. Emergency Operations Center (EOC) <ul><li>Determine overall strategy and priorities. </li></ul><ul><li>Allocate resources. </li></ul><ul><li>Manage the incident. </li></ul><ul><li>Ensure objectives are met. </li></ul><ul><li>Ensure strategies are followed. </li></ul>SchoolDude University 2009
  39. 39. Develop a Staged Shutdown <ul><li>Move from simple preparedness to ceasing operations. </li></ul><ul><li>Protect assets while staff is available to do the work. </li></ul><ul><li>Ensure that mission-critical operations are the last to be stopped. </li></ul><ul><li>Ensure shutdown can be reversed if needed. </li></ul>SchoolDude University 2009
  40. 40. Exemplary District Plans <ul><ul><li>Fairfax County (VA) Public Schools </li></ul></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><ul><li>Montgomery County (MD) Public Schools </li></ul></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><ul><li>North Carolina’s Critical Incident Response Kit Project </li></ul></ul><ul><ul><ul><li> </li></ul></ul></ul>SchoolDude University 2009
  41. 41. Those who have lived it! <ul><li>Dr. Sheryl Abshire, Ph.D </li></ul><ul><li>Chief Technology Officer </li></ul><ul><li>Calcasieu Parish Public Schools, Lake Charles, LA </li></ul><ul><li>Robert Gravina, </li></ul><ul><li>Chief Technology Officer </li></ul><ul><li>Poway Unified School District, CA </li></ul><ul><li>Wayne Howard </li></ul><ul><li>Technology Director </li></ul><ul><li>Platte Canyon School District </li></ul>SchoolDude University 2009
  42. 42. Calcasieu Parish School System (LA) <ul><li>Hurricane Rita struck the Louisiana / Texas border on September 24, 2005 as a category 3 storm with 120 mph sustained winds. Calcasieu Parish was hit by the hurricane eyewall and the east quadrant which has the strongest winds. </li></ul><ul><li>34,000 students and 5,000 staff displaced </li></ul><ul><li>2008 experienced Ike and Gustav </li></ul>SchoolDude University 2009
  43. 43. Calcasieu Parish School System <ul><li>Every school damaged. Many schools in Calcasieu Parish received extensive roof and water damage. The lack of power afterwards promoted mold and mildew growth. </li></ul><ul><li>24 hours after Rita hit, the CPSB web and email servers were back up and providing information to evacuees across the country. </li></ul><ul><li>34 days later, CPSB schools reopened. </li></ul>SchoolDude University 2009
  44. 44. Calcasieu Parish School System <ul><li>Many didn’t see IT as the recovery team – yet they took the initiative and were ready when disaster hit. Take the leadership if no one else is doing it. </li></ul>SchoolDude University 2009
  45. 45. Calcasieu Parish School System <ul><li>Document during response and </li></ul><ul><li>recovery </li></ul><ul><li>Pictures </li></ul><ul><li>Written records </li></ul><ul><li>Items destroyed or damaged </li></ul><ul><li>Items purchased </li></ul>SchoolDude University 2009
  46. 46. Calcasieu Parish School System <ul><li>Don’t just create a plan— </li></ul><ul><li>communicate and practice it </li></ul>SchoolDude University 2009
  47. 47. Calcasieu Parish School System <ul><li>Develop a culture of preparedness. </li></ul><ul><li>Revisit and actively practice the plan. </li></ul><ul><li>Conduct periodic audits of the plan. </li></ul>SchoolDude University 2009 Practice, Practice, Practice
  48. 48. Calcasieu Parish School System <ul><li>Staff </li></ul><ul><li>Power and capabilities </li></ul><ul><li>Computer and storage options </li></ul><ul><li>Facilities </li></ul><ul><li>Records and files </li></ul><ul><li>Communication methods </li></ul>SchoolDude University 2009 Redundancy, Redundancy, Redundancy
  49. 49. Calcasieu Parish School System <ul><li>You can’t over plan: </li></ul><ul><li>Identify mission critical operations </li></ul><ul><li>Think strategically </li></ul><ul><li>Pay attention to detail </li></ul>SchoolDude University 2009 “ A plan needs to exist before it is needed. Making one on the fly is too late.”
  50. 50. Poway Unified School District Poway, CA <ul><li>Poway is the third largest school district in San Diego County covering 100 square miles and serving approximately 33,000 students. </li></ul><ul><li>During the fires of 2007, the school district became the county’s communication center. </li></ul>SchoolDude University 2009
  51. 51. Poway Unified School District <ul><li>School Business Continuity </li></ul><ul><li>Work on creating a stable and reliable network for your organization </li></ul>SchoolDude University 2009
  52. 52. Poway Unified School District <ul><li>Servers that can handle capacity in an emergency </li></ul><ul><ul><li>You may be the best form of communication in your area </li></ul></ul><ul><li>Clean data </li></ul><ul><li>Online access </li></ul><ul><li>Bandwidth for learning </li></ul><ul><li>Opening up applications to your stakeholders </li></ul>SchoolDude University 2009
  53. 53. Poway Unified School District <ul><li>Secure dedicated equipment, software, </li></ul><ul><li>supplies </li></ul><ul><li>Capacity to Rebuild/Disaster Recovery </li></ul><ul><ul><li>Tape Drives and Juke Box (must be the same as what you are currently using) </li></ul></ul><ul><ul><li>Back up server (work with your vendor) </li></ul></ul><ul><ul><li>Estimated time to recover </li></ul></ul><ul><ul><li>Personnel availability (cross training) </li></ul></ul>SchoolDude University 2009
  54. 54. Poway Unified School District <ul><li>Moving your EOC </li></ul><ul><li>What would you do if you had to evacuate your EOC? </li></ul><ul><li>Could you set up a fully functional IT Department? </li></ul><ul><li>How long would it take? </li></ul><ul><li>Would you be able to have access to your network? </li></ul>SchoolDude University 2009
  55. 55. Poway Unified School District <ul><li>Remote Learning </li></ul><ul><li>The Bird Flu, “when, not if” </li></ul><ul><li>Applications that allow for anywhere, anytime learning </li></ul><ul><li>Content Management Systems </li></ul><ul><li>Online interactive tools </li></ul><ul><li>Online courses </li></ul>SchoolDude University 2009
  56. 56. Poway Unified School District <ul><li>What Worked….. </li></ul><ul><li>Multiple Communications Systems </li></ul><ul><ul><li>Auto dialers </li></ul></ul><ul><ul><li>Webpage </li></ul></ul><ul><ul><li>Content systems </li></ul></ul>SchoolDude University 2009
  57. 57. Platte Canyon School District, CO <ul><li>Mountain Community – 45 minutes from Denver </li></ul><ul><li>Approx 1300 students </li></ul><ul><li>Platte Canyon High School - 480 students </li></ul><ul><li>Preparations in place after Columbine shootings </li></ul><ul><li>Lone intruder shot student </li></ul>SchoolDude University 2009
  58. 58. Platte Canyon School District <ul><li>Communications and coordination with police was key </li></ul><ul><li>Separate communication channels </li></ul><ul><li>Cameras </li></ul><ul><li>Constant testing </li></ul><ul><li>and update </li></ul>SchoolDude University 2009
  59. 59. <ul><li>“ It’s not the plan that’s important—it’s the planning.” </li></ul><ul><li>Graeme Edwards </li></ul>SchoolDude University 2009
  60. 60. What are You Doing? <ul><li>Tips to share with colleagues </li></ul><ul><li>What will you do now? </li></ul>SchoolDude University 2009
  61. 61. Consortium for School Networking SchoolDude University 2009
  62. 62. Thank you Sponsors SchoolDude University 2009
  63. 63. <ul><li>Linda Sharp </li></ul><ul><li>CoSN Project Director </li></ul><ul><li>IT Crisis Preparedness </li></ul><ul><li>[email_address] </li></ul>SchoolDude University 2009 Hope is Not a Strategy!