PRESENTS
DISASTER RECOVERY & BUSINESS
 CONTINUITY IT BEST PRACTICES
       DECEMBER 8TH, 2009
House Keeping

•   Rest rooms
•   Food
•   NDA
Objectives For Today



•   Signature Technology Network Overview (10 Minutes)
•   The Business Aspects of IT Disaster Recovery & Business Continuity (75 Minutes)
•   Technical Best Practices (75 Minutes)
•   Toys for Tots, The U.S. Marine Corps (15 Minutes)
•   Lunch & Networking Opportunity (60 Minutes)
Who is The Signature Group?
Founded in 1997 as an IT Consulting, Strategy Management & Systems Integration Firm

Three Primary Practice Areas
•   Enterprise
•   Small & Mid-Market
•   Federal, State, Local Government

Business
•   Program and Project Management
•   Strategic Planning
•   Mergers and Acquisitions
•   Proof of Concept, R&D and Standards
•   Technology Process and Change Management
•   Regulatory Compliance
•   Disaster Recovery Planning

Design and Implementation
•   Server Consolidation and Virtualization
•   Consolidated/Shared Storage
•   Datacenter Design and Consolidation
•   Local and Wide Area Networks
•   Wireless Solutions & Networks
•   Network Security and Audits
•   Voice over IP solutions (VoIP)
•   Unified Messaging
•   Corporate Messaging (Exchange)
•   Global Directory Services (AD/NDS)

SignatureCare Managed Services
•   Turn Key Monitoring and Management
•   HelpDesk
•   Over-The-Wire Data Protection
•   Real Time Disaster Avoidance/Recovery
Select TSG Clients
What is STN?
   Signature Technology Network (STN) is a free membership based group* of Senior IT
   Executives in the DC Metro Area from a broad array of industries.

Purpose:
•   Social and Peer Networking
•   Sharing of Best Practices
•   Discuss Technology & Business Solutions
•   Access to Independent Industry Experts
•   Forum for Ongoing Education
    -   Dedicated Learning Sessions
    -   Panel Discussions
    -   Roundtable Events
    -   Manufacturer and Vendor Presentations
    -   Looking to the Future of IT

Benefits:
•   Learn from Success and Failures of Peers
•   Understand Do’s, Don’ts and Best Practices
•   Learn the Solutions that Your Peers are Using to Improve the Performance of Their Business
•   Hear What Independent Experts Say About Various Technologies and Business Solutions
•   Gain Direct Access to Manufacturers and Vendors to Understand their Long Term Road Maps and How These Will Help You Plan And Invest Wisely For The Future

* NDAs are required for all participating members
STN 2010 Events Calendar
•   Tuesday, January 12, 2010
       Windows 7/Server 2008/Active Directory
                 8:00 am – Noon
                 The Tower Club
•   February 10-12, 2010
      Collaboration Technologies & Managed Services Exhibition
      Virtualization Business and Technology Best Practices – Educational Track
                  ASAE Technology Conference
                  Walter E. Washington Convention Center
•   Tuesday, March 9, 2010
       Microsoft Exchange 2010 and Collaboration Solutions
                   8:00 am – Noon
                   The Tower Club
For Small and Medium Enterprises
Michael Perdue, Chief Executive Officer
      The Signature Group, Inc.
Important Thoughts

“A Failure to Plan is a Plan to Fail”
• Winston Churchill

“No Plan of Battle Ever Survives Contact With the Enemy”
• Credited to Field Marshal Helmuth von Moltke, General George C. Marshall and Napoleon Bonaparte

A Flexible and Fluid Plan is Required to Handle a Broad Range of Situations
Interesting Facts & Stats
60-90% of all companies that suffer from a disaster and do not
recover critical systems within 30 days are acquired or out of
business in 2 years – International Data Corp

Only 6% of companies suffering from a catastrophic data loss
survive, while 43 percent never reopen and 51 percent close
within two years – University of Texas Study

Only 35 percent of SMBs have a comprehensive disaster
recovery plan in place – Gartner

SMBs lose an average of $84,000 for every hour of system
wide downtime – International Data Corp

The survival rate for companies without a disaster recovery
plan is less than 10% – Touche Ross
So What Do We Really Mean By Disaster
The Disaster Spectrum

OUT OF SCOPE (Too Big)
•   Extinction Level Event
•   Global Thermonuclear War

IN SCOPE
•   9/11
•   Flood, Hurricane, Tornado, Blackout
•   Building Fire
•   Facilities Issues
•   Core Switch, Router or Carrier Failure
•   Critical Application Outage

OUT OF SCOPE (Normal Maintenance)
•   Non-critical Server Outage
•   Access layer switch down
•   CEO drops iPhone in toilet
•   User spills coffee in keyboard
The Typical Disaster
•   Fairly Localized
    -   Even 9/11 was an extremely geographically localized event
•   Lasts between 1-5 days
    -   Don’t build a plan based on the 100 year earthquake/hurricane unless
        the financial or risk impact is so great that the cost is justified

    Examples of the Most Common Disasters
    Extended Power Outage              Extended Carrier Outage
    Critical System Failure            Facilities Issues
    Hurricane                          Tornado
    Earthquake                         Fire
    Pandemic                           Flood
Define Objectives




RTO and RPO must be balanced against financial and risk requirements
The Solution Spectrum

[Figure: solutions plotted against Recovery Time and Point Objective (horizontal axis: Weeks, Days, Hours, Minutes, Seconds) and Data Availability Needs / Amount of Non-Reproducible Data (vertical axis). In order from Weeks toward Seconds: Off-Site Tapes, Data Vaulting, Asynchronous Replication, Synchronous Replication, Geographically Extended Clusters or Virtualized HA Platforms.]
The RPO Organizational Spectrum

Should be based on Financial and Risk Impact

[Figure: organization types plotted against Recovery Point Objective (horizontal axis: Days, Hours, Minutes, Seconds) and Non-Reproducible Data Transactions or Data Change per Second (vertical axis). In order from Days toward Seconds: Professional Services Firms, Associations & Non-Profits, Retail, Online Transaction based Vendors, Financial Institutions.]

Organization Size Matters
It’s an Issue of Balance



Disaster
•   Cost of Downtime and/or Lost Data
•   Risk

Solution
•   Cost to Implement
•   Cost to Maintain
Defining your “Objectives”
•   Inventory all Systems and Applications
    -   Include System Dependencies
•   Perform Financial and Risk Analysis for each System
•   Categorize
    -   Critical
    -   Sensitive
    -   Vital
    -   Nice to have
    -   Should be dead already
•   Define your RTO and RPO by Category/System
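
Added example (not part of the original presentation): one reason to record system dependencies in the inventory is that a system cannot be recovered before the systems it depends on, so a dependency needs an RTO at least as tight as its most demanding dependent. The category names come from the slide; the RTO hours, system names and function names are constructed for illustration.

```python
# Added example: dependency-aware RTO check for a DR system inventory.
# Category names follow the slide; the hour values below are assumptions.
CATEGORY_RTO_HOURS = {
    "critical": 4,
    "vital": 24,
    "sensitive": 72,
    "nice_to_have": 168,
}

# Constructed inventory: system -> (category, systems it depends on).
INVENTORY = {
    "order_portal": ("critical", ["app_db", "active_directory"]),
    "app_db": ("vital", ["san_storage"]),
    "san_storage": ("vital", []),
    "active_directory": ("critical", []),
    "intranet_wiki": ("nice_to_have", ["active_directory"]),
    "payroll": ("sensitive", ["app_db"]),
}


def required_rto(inventory, category_rto):
    """Return {system: tightest RTO in hours demanded by itself or any dependent}."""
    required = {name: category_rto[cat] for name, (cat, _) in inventory.items()}

    def push_down(name, budget, path):
        # A cycle means the inventory cannot be ordered for recovery at all.
        if name in path:
            raise ValueError("dependency cycle: " + " -> ".join(path + [name]))
        # A dependency missing from the inventory is a gap in the inventory itself.
        if name not in inventory:
            raise KeyError(f"{path[-1]} depends on uninventoried system {name!r}")
        required[name] = min(required[name], budget)
        for dep in inventory[name][1]:
            push_down(dep, required[name], path + [name])

    for name in inventory:
        push_down(name, required[name], [])
    return required


def rto_gaps(inventory, category_rto):
    """List (system, assigned_hours, required_hours) where the category is too loose."""
    required = required_rto(inventory, category_rto)
    gaps = []
    for name, (cat, _) in inventory.items():
        assigned = category_rto[cat]
        if required[name] < assigned:
            gaps.append((name, assigned, required[name]))
    return sorted(gaps)


if __name__ == "__main__":
    for name, assigned, needed in rto_gaps(INVENTORY, CATEGORY_RTO_HOURS):
        print(f"{name}: category allows {assigned}h, dependents need {needed}h")
```

In the constructed inventory the database and its storage are categorized as vital, but the critical order portal depends on them, so both are reported as needing the tighter target.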
DR Thoughts and Best Practices
•   Build a Plan Based on Automation, Systems, Processes, & Documentation
    -   John or Jane may have been affected by the disaster
•   Align your Plan with your RTO and RPO Requirements
    -   Per System, Service and Application
    -   RTO and RPO should not be globally defined
•   Every Organization is Different therefore Every Plan should be Different
•   Tape Backup and Restoration alone is not Traditionally Considered an Effective
    Disaster Recovery Option unless RTO and RPO is Extremely High
The Recovery Data Center/Facility
Initial Tendency is Typically too Aggressive
• If you are not NORAD then don’t plan like NORAD


Align Recovery Center Location and Facility with
Organizational Requirements
• If all of your employees and/or clients are located in the DC metro area
  don’t put your redundant data center in Utah/Denver/Kuala Lumpur
• Best Practice for SME is greater than 20 miles but less than 60 miles
  from your primary facility -- location dependent
• Align geographic location of recovery center with staff that is
  knowledgeable about your systems
• Use remote offices where practical (if systems, staff, connectivity and
  facilities can support)
• DON’T COUNT ON TRAINS and PLANES
The Recovery Data Center/Facility
In Major Disasters Long Haul Communications may be
Substantially Compromised

Understand the Specifics about Collocation Facilities:
•   Carrier
•   Power
•   Fire Suppression
•   Hardened Status
•   Physical Security
•   Placement on National Critical Infrastructure List
•   Green Initiatives/Programs
The Datacenter Facility
Traditional Models (arranged along an axis of Cost to Implement & Maintain)

•   Internal Datacenter Facility
    -   High Availability and Failover Between Systems
    -   Redundant Telco Connectivity
    -   Limited Power Redundancy
    -   Offsite Backups or Data Replication
•   Collocation Datacenter Facility
    -   High Availability and Failover Between Systems
    -   Redundant Telco Connectivity
    -   Multiple Levels of Power Redundancy
    -   Offsite Backups or Data Replication
•   Internal Datacenter w/ Hot or Standby Facility
    -   High Availability and Failover Between Systems and Locations
    -   Redundant Telco Connectivity
    -   Multiple Levels of Power Redundancy
    -   Replicated Data Between Locations and Offsite Data Protection
•   Internal Multi-location Datacenter Facilities
    -   High Availability and Failover Between Systems and Locations
    -   Redundant Telco Connectivity
    -   Multiple Levels of Power Redundancy
    -   Replicated Data Between Locations and Offsite Data Protection

Left-hand labels: Non-Carrier Neutral Facilities; Less focus on Protection
The 9 Step Planning Process
1. Services/System Inventory
2. Critical Vendor Inventory
3. Risk/Financial Analysis & Categorization
4. Identify Possible Solutions
5. Select Solutions
6. Implement Solutions
7. Create Recovery Manual & Documentation
8. Test Recovery (“Soft” and “Hard” testing)
9. Train, Maintain, and Continual Testing
Step 0. Selling Management
•   Define Legal, Audit, and Regulatory Requirements
    -   Sarbanes-Oxley
    -   HIPAA
    -   SEC
    -   Contract or Client Specific Requirements
•   Perform Financial Analysis
    -   Cost of Downtime or Lost Data
•   Perform Risk Analysis
    -   Risk Associated with Downtime or Lost Data

•   Avoid FUD Approach (Fear, Uncertainty, and Doubt)
    -   Less of an issue in the post 9/11 and SoX world
Questions & Answers
