SlideShare a Scribd company logo
protect / optimize /   connect / communicate / manage / protect / optimize / connec
optimize / connect / communicate / manage / protect / optimize / connect / communicat
 / communicate / manage / protect / optimize / connect /       communicate / mana
unicate / manage / protect / optimize / connect / communicate / manage / protect / optimi
ge / protect / optimize / connect / communicate / manage / protect / optimize / connec
optimize / connect / communicate / manage / protect / optimize / connect / communicat
                                                           Business Continuity
       White Paper
ct / communicate / manage / protect / optimize / connect / communicate / manage / prote
                                                                                        Planning Guide
manage / protect / optimize / connect / communicate / manage / protect / optimize / conne
 optimize / connect / communicate / manage / protect / optimize / Paper Authored by/Steve Shepard
                                                        An Informational connect     communicat
ct / communicate /   manage / protect / optimize / connect / communicate / manag
unicate / manage / protect / optimize / connect / communicate / manage / protect / optimi
protect / optimize / connect / communicate / manage /      protect / optimize / conne
 optimize / connect / communicate / manage / protect / optimize / connect / communicat
ct / communicate / manage / protect / optimize / connect / communicate / manage / prote
te / manage / protect /   optimize / connect / communicate / manage / protec
manage / protect / optimize / connect / communicate / manage / protect / optimize / conne
 optimize / connect / communicate / manage / protect / optimize / connect / communicat
ct / communicate / manage / protect / optimize / connect / communicate / manage / prote
manage / protect / optimize / connect / communicate / manage / protect / optimize / conne
 optimize / connect / communicate / manage / protect / optimize / connect / communicat




      www.xo.com                                            c onne c t / c ommunic ate / ma nage / p rote c t / optimize
Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont
Business Continuity Planning guide                                                              www.xo.com




Xo Communications




2                                                        Services: VoIP ▪ Voice ▪ Network ▪ Internet & Hosted IT
Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont
www.xo.com                                                                                           Xo Communications




BuSineSS Continuity
Planning guide
                                                               Table of Contents
                                                               Summary of Guide                                      4

                                                               Why Business Continuity Is Needed                     4

                                                                  Sobering Facts                                     5

                                                               Elements of Success:                                  5
                                                               Determining Resiliency Requirements

                                                                  Identification of Mission-Critical Systems         6

                                                                  Prioritizing Services into Risk Tolerance Tiers    6

                                                                  Conducting a Systematic Risk Assessment            7

                                                                  Elements of the Plan                               7

                                                                  Identifying Points of Failure                      7

                                                                  Assessing the Pros and Cons                        8
                                                                  of a Business Continuity Partner

                                                                  Selecting a Vendor Partner                         8

                                                                       #1: Breadth and Richness of Services          9

                                                                       #2: Solution Functionality                    9

                                                                       #3: Financial Viability                       9

                                                                       #4: Cost                                      9

                                                                  Project Assessment                                10

                                                               Summary of Recommendations                           10

                                                                  XO Communications as a                            11
                                                                  Business Continuity Partner

                                                               Conclusion                                           11



Copyright 2009. XO Communications, llC. all rights reserved.
XO, the XO design logo, and all related marks are registered trademarks of XO Communications, llC.                  3
Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont
Business Continuity Planning guide                                                                              www.xo.com




Summary of guide                                                   Why Business Continuity is needed
Business continuity, also referred to as disaster recovery,        It was a business-as-usual day in the switching center. The
is one of the most-talked about – and worrisome –                  building served well over 100,000 subscribers, six hospi-
topics in industry today. Whether you are a five-person            tals, 11 firehouses, three post offices, a police station, nine
                                                                   schools and three universities. Like most central offices, this
small business determined to protect the integrity of              one was completely invisible to the public. It was just a big,
the day’s receipts, or a multinational corporation con-            windowless structure.
cerned about Sarbanes-Oxley compliance, shareholder
comfort and revenue assurance, the issues are similar.             Just after midnight, a relatively inconsequential piece of
                                                                   power equipment in the cable vault shorted and spit a few
The factors that lead to the disruption of business activities     sparks into the air. One of the sparks fell on a piece of
– disasters, as they are often called – fall into two general      insulation and began to smolder. The insulation melted and
 categories: natural disasters, which include uncontrolled         began to burn, changing from a smoldering spot on the
flooding, fire, earthquakes, hurricanes, typhoons, mudslides,      surface of a cable to a full-blown fire.
 disease, lightning strikes, and biological infestations; and
 man-made disasters, which include disruptions brought on          The fire burned its way up the cables, spreading from floor
 as the result of human error, strikes, intentional sabotage,      to floor. Soon the building was engulfed, and the world was
 burglary, theft, IT-related faults stemming from viruses,         about to see the single worst disaster that any American
Trojan horses, worms, denial-of-service attacks, and other         telephone company had ever experienced.
 breaches of computer and network security; and increas-
                                                                   Emergency services vehicles converged on the now evacu-
 ingly, disruption brought about by terrorist acts.
                                                                   ated building. They flooded the lower floors with hundreds
For the most part, natural disasters are unavoidable; dealing      of thousands of gallons of water, severely damaging what-
with them tends to be a matter of preparedness and recovery        ever equipment remained functional.
as well as an avoidance strategy. Man-made disasters, on
                                                                   Two days later the fire was finally out and engineers were
the other hand, can for the most part be avoided (or their
                                                                   able to enter the building to assess the damage. On the first
impact minimized) through prudent IT management prac-
                                                                   floor, the 240-foot main distribution frame was reduced
tices and adherence to a well-designed Business Continuity
                                                                   to a puddle of iron. Water had ruined the power equipment
Plan. In aviation, the phrase that is drilled into every pilot’s
                                                                   in the basement. Four switching offices on the lower floors
head as their operating mantra is “Always plan your flight,
                                                                   were completely destroyed. Cable distribution ducts
and always fly your plan.” The same rules apply in business
                                                                   were deformed and useless. Carrier equipment on the
continuity: Build a plan, and stick to it. Your discipline will
                                                                   second floor was destroyed. And 170,000 telephones were
be well-rewarded.
                                                                   out of service.
This paper is a practical guide for businesses concerned
                                                                   Within an hour of discovering the fire the company mobi-
with ensuring their own continuity in the event that an
                                                                   lized its forces to restore service to the affected area, and
unavoidable disruption challenges their ability to operate in
                                                                   resources converged on the building to coordinate the
a business-as-usual fashion. We begin with a rather sobering
                                                                   effort that would last just under a month and cost more
discussion about the need for business continuity planning,
                                                                   than $90 million.
followed by an in-depth section about the steps involved in
creating a plan: identifying mission-critical systems; con-        Within 24 hours, service had been restored to all medical,
ducting risk assessments; creating “strata” of risk tolerance      police and fire facilities. The day after the fire, a new main
for business systems; locating single points of failure; select-   distribution frame had been located and was shipped to the
ing partners for business continuity resources; and finally,       building. Luckily, the third floor had been vacant and was
identifying the steps required to ensure effective business        therefore available as a staging area to assemble and install
process continuity and data recovery.                              the 240-foot-long iron frame. Under normal circumstances,




4                                                                   Services: VoIP ▪ Voice ▪ Network ▪ Internet & Hosted IT
Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont
www.xo.com                                                                                                Xo Communications




from the time a frame is ordered, shipped and installed           Consider these simple facts. The economic impact of a sin-
in an office, six months elapse. This frame was ordered,          gle intrusion, such as a denial-of-service attack, is roughly $1
shipped, installed, wired and tested - in four days.              million, an expense that could be prevented enterprise-wide
                                                                  through the deployment of a simple firewall. It gets worse:
It is almost impossible to understand the magnitude of the        in 2004, five years ago, the average large business spent $55
restoration effort, but this may help. 6,000 tons of debris       million per year to protect itself from viruses, Trojan horses,
were removed from the building and 3,000 tons of equip-           and worms, $26 million against denial of service attacks,
ment were installed including 1.2 billion feet of under-          and a comparatively paltry $12 million to guard against
ground wire, 8.6 million feet of frame wire, 525,000 linear       physical theft . And why are they willing to spend so much
feet of exchange cable, and 380 million conductor feet of         on cyber-protection? Because 93% of companies that lose
switchboard cable. 5 million underground splices hooked           access to the information in their data centers for 10 days or
it all together. And 30 trucking companies, 11 airlines,          more will file for bankruptcy protection within a year of the
and 4,000 people were pressed into service. And just after        loss. Can they afford not to spend the money?
midnight on March 21st, 22 days following the fire, service
from the building was restored.                                   Forrester Research has extensively studied Business Con-
                                                                  tinuity practices and there is much to be learned from
How was this possible? Two factors contributed to the suc-        them . Most companies recognize the need to improve their
cess of the restoral effort. First and foremost, the company      preparedness for disruptive events, and when asked why
had resources it could call on when needed, and the ability       they are doing so the list narrows to six primary drivers:
to deploy them.                                                   the increasing cost (and impact) of system downtime; the
                                                                  need to be online, available and therefore competitive in
Second, they understood the nature of their business: What
                                                                  an increasingly globalized (and therefore around-the-clock)
was critical and what wasn’t. The fact that they restored
                                                                  market; the need to satisfy financial responsibilities; the
emergency services first and consumer telephones second
                                                                  need to take steps to reduce increasing levels of enterprise
said a great deal about the degree to which they had though
                                                                  risk; the desire to increase the availability (and survivability)
the scenario through. They knew which services posed the
                                                                  of a critical business application; and finally, the require-
highest risk and dealt with them first.
                                                                  ment to ensure compliance with regulatory or legal man-
Business continuity imperatives haven’t changed much              dates such as Sarbanes-Oxley, HIPAA and CALEA.
since this disaster took place; technology has evolved, busi-
                                                                  So why is business continuity planning required? Besides
nesses have become more sophisticated, the global nature
                                                                  the obvious answer – the need to protect critical business
of the world’s economy now dictates that businesses operate
                                                                  resources in order to protect revenue-generating customer
around the clock, but one singular mandate remains the
                                                                  services – it is because “chance favors the prepared mind.”
same: be prepared.
                                                                  The better prepared an organization is for the possibility of a
                                                                  disruptive event, the more rapidly the event will be resolved.
SOBering FaCTS

Every day, 30 billion text messages, 40 billion e-mail            elements of Success:
messages, 19 billion mobile minutes, 30 billion PSTN min-
utes travel the world’s telecommunications networks.
                                                                  determining resiliency requirements
As if that weren’t enough, eight exabytes (that’s 18 zeroes)      One element of business continuity planning is disaster
of global IP traffic are generated every month, a number          recovery preparedness. And while disaster recovery is an
that’s expected to increase to a zettabyte (21 zeroes) by 2015.   important element of any prudent IT strategy, disaster
The problem with those numbers is not their magnitude:            avoidance – the process of taking steps to avoid the impact
It’s the nature of their intent. A large percentage of those      of a disastrous event when it occurs - is at least as important.
messages are destined for enterprise networks, and a small        Because these disruptions are largely unanticipated, a collec-
percentage of those aren’t friendly – they are intended to        tion of up-front efforts can reduce the downtime – and cost
disrupt business operations.


Copyright 2009. XO Communications, llC. all rights reserved.
XO, the XO design logo, and all related marks are registered trademarks of XO Communications, llC.                               5
Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont
Business Continuity Planning guide                                                                             www.xo.com



– associated with disastrous events. These efforts, which we      We’re talking about a single laptop here – not the far more
 will describe in the sections that follow, include:              complex processes and resources of an entire business – even
                                                                  a small one. It is fundamentally important, then, to build
•	   Identification of mission-critical systems                   an “aerial view” of the ebbs and flows of the business, so
•	   Prioritizing services into risk tolerance tiers              that all business processes can be identified, evaluated, and
•	   Conducting a systematic risk assessment                      ranked according to their perceived levels of criticality to
•	   Identifying points of failure                                business operations.
•	   Assessing the pros and cons of dependency on a single
     business continuity provider                                 Once the processes have been identified, then the underly-
•	   Determining the steps involved in selecting a provider       ing systems can be identified as well. This process must
                                                                  include a comprehensive hardware inventory across all data
idenTiFiCaTiOn OF MiSSiOn-CriTiCal SySTeMS                        centers, office environments, call centers, operations centers,
                                                                  and any other locations where a significant amount of
Mission-critical systems are those resources – hardware,          human-to-machine (and therefore system) interaction takes
software, operational processes, operating procedures – that      place. At the same time, an application inventory should be
are absolutely necessary for the business to operate. Funda-      conducted to identify all of the ways that people rely on the
mentally speaking, if these resources become unavailable or       hardware to do their jobs. Keep in mind that the hardware
severely impaired for any reason and for any length of time,      is nothing more than a very large heat engine and real estate
business operations are jeopardized. It is critical, therefore,   consumer without applications running on it; all data flows
to identify these systems and take steps to ensure that they      and all application-to-application flow-through should be
are appropriately protected.                                      identified at the same time as part of a comprehensive sys-
                                                                  tematic analysis of critical IT resources.
The first step in the process, therefore, is to identify these
systems. In reality, though, this is not the first step – it is
                                                                  PriOriTizing ServiCeS
the third step. The first step is to map out the day-to-day       inTO riSk TOleranCe TierS
operations of the business to ensure a clear understanding of
exactly how the business operates. This means taking inven-       Once the mission-critical systems have been identified,
tory of business processes, and then relating those business      including all hardware, software, processes and procedures,
processes to the critical systems that underlie them. Sounds      the next step in the business continuity planning process
silly? Take this simple test: If you were to lose your laptop     is to rank them according to their relative importance to
tomorrow, what would the actual impact on you be? Let’s           the business. This is an extraordinarily difficult part of the
assume that your data is backed up (a major assumption).          overall process for one simple reason: it tends to become
Do you have a list of the applications that reside on the lap-    emotionally charged as different organizations, if given the
top that you will have to reinstall to restore the machine to     chance, argue for the relative importance of their critical
full functionality? You probably have the CDs and DVDs            systems. For this reason alone, it is important that the rank-
of the applications you’ve purchased in a box somewhere,          ing of these processes be conducted by a team made up of
but what about the installers for the applications you’ve         representatives from two organizations: IT and corporate
purchased online? And once they’re installed, how long will       finance. IT must be involved because they understand the
it take you to download all of the updates required to bring      inner workings of the systems and can speak to the complex
the applications up-to-date? And what about all of the            interworking that often exists between seemingly unre-
serial numbers and product keys required to securely install      lated applications and hardware. Finance must be involved
the software? If you have to change operating systems             because in the final analysis, the ultimate “tie-breaker” is
because of an update that came out since you bought the           the degree to which one mission-critical process affects the
laptop, how long will it take you to be comfortable with it       ability of the corporation to generate revenue, relative to
to ensure functionality?                                          other systems. After all, how do you compare the relative
                                                                  importance of an order tracking application vs. a strategic
                                                                  data collection application used by marketing? Remember,




6                                                                  Services: VoIP ▪ Voice ▪ Network ▪ Internet & Hosted IT
Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont
 www.xo.com                                                                                              Xo Communications




we’re not talking about which one lives and which one dies:       elements of the Plan
We’re talking about a hierarchy of recovery to ensure that
the applications most necessary for revenue protection and        The plan, once completed, typically has five elements:
cost control are brought back to life first. As long as this is
                                                                  1.   An analysis of the business, as described earlier;
understood by all concerned, the emotional challenges tend
                                                                  2.   A description of the various solution elements that
to fade in favor of more rational arguments.
                                                                       have been put into place to deal with the potential for
                                                                       a significant disruption of business operations;
COnduCTing a SySTeMaTiC riSk aSSeSSMenT
                                                                  3.   A plan for the actual implementation of the identified
The “tiering” process is usually performed according to a              procedures, should they be needed;
set of standardized measures by which priorities can be           4.   A process for routinely testing the procedures to
assigned. These measures, the Recover Point Objective                  ensure their functionality and currency; and finally,
(RPO) and Recovery Time Objective (RTO), are used to              5.   A maintenance program to ensure that the plan is con-
determine the relative value of systems and applications               stantly updated according to changes in the business.
based on their importance to the business and based on a
                                                                  One of the main reasons that business continuity plans fail
set of agreed-upon performance objectives. The Recovery
                                                                  is that they are not routinely updated to model the chang-
Point Objective is the specific point in time to which you
                                                                  ing profile of the business, leaving some critical systems,
must recover data in order to resume effective business
                                                                  processes or infrastructure inadequately protected.
operations. It does not imply 100% recovery of all data. The
RPO is generally considered to be a measure of acceptable         There’s an old saying in business: “That which gets measured
data loss following a major disruptive event. RPO is serious      gets managed.” RPOs and RTOs are two of the important
business: If your RPO is determined to be four hours but a        success metrics of a business continuity plan. Once they are
full recovery will take seven, the last three hours are deemed    understood, put into place and socialized throughout the
to fall into the category of acceptable loss and business         business, they must be mapped to the systems and critical
operations will be resumed from the four-hour recovery            infrastructure that they are designed to protect. The next
point, with attempts to manually recover the lost activity        step in the process is to indentify failure points.
carried out later, as time permits. In the IT world, RPO is
the technical equivalent of medical triage – the steps neces-     idenTiFying POinTS OF Failure
sary to stabilize the patient.
                                                                  Every complex system has its weak links, and part of the
 Closely related to RPO is Recovery Time Objective (RTO).         business continuity planning process is to identify them
 RTO is the amount of time within which a critical business       so that they can either be fixed or appropriately protected.
 process must be restored following a systemic disruption to      Creating a map of critical process dependencies (described
 avoid unacceptable consequences in terms of the ability to       earlier) and then establishing metrics (RPOs and RTOs)
 satisfy customer needs and meet critical business objectives.    represents phase one of this process; phase two is the exami-
 Bear in mind that the RTO is associated with the recovery        nation procedure designed to identify areas where attention
 of critical business processes, not with the recovery of the     is required. Areas that tend to be at risk, and that should be
 underlying systems: that’s the domain of the RPO. Busi-          carefully examined, include:
 nesses must address both if they are to develop a holistic
 plan for assured operational continuity. When a company’s        •	   Power feeds to critical buildings: Is the power coming
 Web site is the victim of a denial-of-service attack, and the         into critical buildings (call centers, data centers, opera-
 company relies on their Web site for revenue generation, the          tions centers) fed redundantly and from different points
 recover priority (RTO) is much higher than it would be for            on the grid? Is there uninterruptible power (UPS) in
 a company whose Web site is used as nothing more than an              place? Is it tested routinely, and under load?
“online business card.”
                                                                  •	   High-bandwidth connections to critical buildings: Are
                                                                       the circuits redundant? Is that redundancy accom-



Copyright 2009. XO Communications, llC. all rights reserved.
XO, the XO design logo, and all related marks are registered trademarks of XO Communications, llC.                              7
Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont
Business Continuity Planning guide                                                                               www.xo.com



     plished over facilities that are physically separated from          that a primary application server should die, is there a
     one another? Is there a high-speed wireless connection              backup system in place and online to ensure that busi-
     that could be used in the event of an event that dis-               ness can continue as required?
     rupts the physical media?
                                                                  •	     System security: Are there procedures in place for
•	   Database hardware (disks, servers): Are the servers,                auditing security policies and practices? These proce-
     processors and disk arrays that host and make available             dures should include examination of physical security
     critical applications configured in such a way that they            that protects buildings, outside plant, and personnel, as
     have “hot spares” available should they be needed?                  well as logical security practices that protect software
     In the event of a major failure of the physical site, is            and data from worms, viruses, Trojan horses, denial-of-
     there access to a redundant site to ensure business                 service attacks, malware, spam, social engineering, and
     continuity? Is the actual access redundant, i.e., is there          other intentionally disruptive attacks.
     (for example) point-to-point wireless available to
     ensure connectivity in the event of a disruption of the      This is by no means intended to be a complete list, but it
     physical plant?                                              does represent a valid sample of the key issues that should
                                                                  be included in the development of a business continuity
•	   Backup processes: Is there a clearly-documented              protection strategy. It can also serve as the basis for identi-
     backup strategy that ensures that all critical applica-      fying weak points in the strategy: If questions arise as the
     tions (and the data they create) are archived on a           result of the process described above, there are weaknesses
     regularly-occurring schedule? Are multiple copies            in the overall plan that should be examined and rectified.
     created, and if so, are they stored in physically differ-
     ent locations? Is there a process in place to gain access    aSSeSSing The PrOS and COnS
     to backup copies in the event of a business disruption?      OF a BuSineSS COnTinuiTy ParTner
     For many corporations, backup practices rise to levels
     that appear to be one step removed from organiza-            Once the metrics have been decided upon, are accepted,
     tional paranoia. The need to backup customer data and        and have been logically linked to the critical elements of
     the applications that depend on that data cannot be          the corporate information infrastructure, a priority-based
     overstated, however. Some of the methodologies that          strategy for resource recovery can be created, based on the
     companies consider include:                                  steps described earlier. In large corporations it has been a
                                                                  standard practice to perform most recovery processes inter-
•	   Tape backups that are transported to offsite facilities      nally, using the knowledge resources of the IT or Informa-
     on a daily basis                                             tion Systems organization. Increasingly, however, companies
                                                                  are relying on outsourced business continuity providers to
•	   Disk backups that are performed locally but copied           handle this aspect of protecting the business. The primary
     to a remote backup facility                                  reasons for this are two-fold: expertise, and strategic diver-
                                                                  sity. Business continuity organizations have considerable
•	   Real-time data replication to an offsite archive
                                                                  expertise in their field and are therefore valuable partners.
•	   Support for remote workers: In the event that a signifi-     And because they offer service diversity in terms of diverse
     cant number of remote workers would be affected by a         network routing, distributed database backup and hardware
     catastrophic system failure, are there alternatives avail-   redundancy, their role as a value-added provider is a valid
     able that they can use to gain access to backup critical     one.
     systems? Is there adequate security in place to ensure
     that remote access to sensitive information assets can       SeleCTing a vendOr ParTner
     be granted without threatening those assets?
                                                                  The vendor selection criteria must be carefully crafted to
•	   Application availability: Are critical applications avail-   not only ensure that the vendor’s product is up to the task
     able from multiple servers? In other words, in the event     of addressing the needs of the business, but that the vendor




8                                                                      Services: VoIP ▪ Voice ▪ Network ▪ Internet & Hosted IT
Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont
www.xo.com                                                                                             Xo Communications




is in a position to provide ongoing, long-term support. This     back” in project discussions to raise concerns about poten-
is an important and often misunderstood part of the vendor       tial issues? Do they ask as many questions as they attempt
selection process, and companies have been known to select       to answer? Have they created and offered a technique for
a vendor based solely on the viability of their technology       assessing the overall effectiveness of the implementation and
when in fact the technology is perhaps the least important       distinct, well-defined intervals? Similarly, to what degree
of all criteria. Some companies, for example, have a policy      has the vendor identified management concerns?
that dictates that if their company’s purchases represent
more than 20% of a vendor’s annual revenues, they won’t          #3: Financial viability
buy from that vendor. It doesn’t seem to make logical sense
until you think about the decision strategically: If your        Mentioned earlier, this particular criterion is of utmost
company represents 20% of that company’s revenues and            importance, particularly in business continuity implemen-
you have a bad year and cut spending, you could put the          tations that are deemed “mission-critical.” If the vendor
vendor in financial jeopardy, which would make it impos-         does not strike you as being viable, don’t consider them
sible for them to provide the level of support you require.      in the final running. Keep in mind that the implementa-
It is important therefore to consider vendor selection from      tion of a complex system does not end the day it is turned
multiple, seemingly unrelated points-of-view.                    up: in essence, it never ends and requires various levels of
                                                                 vendor support throughout its life cycle. Critical questions
Vendors are typically evaluated in four key areas: (1) breadth   to ask, then, should revolve around the vendor’s business
and richness of services; (2) overall solution functionality;    model, survivability, cash position, vision, and commitment
(3) financial viability; and (4) overall cost.                   to product longevity. For example, to what degree is the
                                                                 vendor committed to building products around open stan-
#1: Breadth and richness of Services                             dards? What does the vendor’s future vision look like for
                                                                 themselves and their products? Can they tell a compelling
Services are represented not only by the capabilities of the     and logical story about where they see themselves in three-
vendor’s solution but also by the added value that the vendor    to-five years? What customer testimonials will the vendor
overlays on top of and after the sale. For example, a multi-     make available to you? Who are their customers, and what
stage, hosted backup and archival solution is a complex sale     sector do they hail from? Are they exclusively in one sector
and an even more complex implementation. Is your expecta-        or another, or do they span a broad range and therefore
tion that the vendor will work in lockstep with you before,      have the ability to draw from a broad experience base? Do
during and after the implementation? Will they rely entirely     they work with channels, and if so, what’s the nature of the
on their own resources for implementation or will they also      relationship? How long have they been in business? What is
rely on contracted capability? What are the qualifications       their cash position?
of the people who will be your primary implementation
resources? What kind of post sales support will you receive?     #4: Cost
Will there be resources on site for a period of time follow-
ing project completion or will you be dependent on remote         Overall cost is a measure of flexibility and operational
resources that must be dispatched if they are needed?             effectiveness, and the manner in which the vendor presents
                                                                  their solution is a measure of how well they understand your
#2: Solution Functionality                                       “pain points” and business drivers. For example, does the
                                                                  vendor go to significant lengths to understand your current
Related to these basic questions are questions around the         situation and take whatever steps are available to protect
 offered product, service or solution. How well does the ven-     any pre-existing investments that you would like to protect?
 dor understand your business, where you are, and where you       Does the vendor offer a variety of solutions or packages that
 want to go? How broad are the considerations it addresses        provide “silver, gold and platinum” options if you request
– does the proposal go beyond pure technology to include          them? Does the vendor offer anything in the way of model-
 economic, human capital, end user, application and com-          ing tools that will help you make a buy decision?
 petitive concerns? How effectively does the vendor “push



Copyright 2009. XO Communications, llC. all rights reserved.
XO, the XO design logo, and all related marks are registered trademarks of XO Communications, llC.                           9
Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont
Business Continuity Planning guide                                                                               www.xo.com




Project assessment                                                 of your systems – only the ones that provide services that
                                                                   matter. And since most businesses only run systems that
When filling out the paperwork for a work-related accident,        matter, those that they do run typically provide services to
regardless of how minor, one of the last questions asked on        employees or customers that are deemed mission-critical. If
the form is “How could this accident have been prevented?”         they fail to operate, the business fails to operate, often with
If a business continuity solution is to be put into place and it   disastrous results.
is to deliver on its promises of cost reduction, efficiency and
enhanced workplace effectiveness, project managers must            We began this paper talking about the variety of events,
create an assessment methodology that monitors project             some predictable, some not, some accidental, some not, that
progress, compares it to expectations, and performs quali-         can cause a serious disruption of your organization’s ability
tative analysis of the results relative to those expectations.     to get the job done. Natural disasters, such as flood, fire,
There is no such thing as a perfect, problem-free project,         earthquakes, hurricanes, mudslides, disease, and lightning
but there is such a thing as a well-managed project that           strikes cannot, for the most part, be prevented; they can
experiences minimal problems – typically because of a well-        only be recovered from, the degree to which an organization
designed assessment and intervention process.                      prepares for their occurrence is a measure of the degree to
                                                                   which the impact of these events can be minimized.
Elements of such a process should include, at a minimum,
cost, identified benchmarks, a clear list of anticipated           Other events, such as failures due to human error, labor
(desirable) outcomes, solid, extensive project documentation,      strikes, intentional sabotage, burglary, theft, IT-related
well-crafted flowcharts that identify the interactivity among      faults stemming from physical failures, viruses, Trojan
all logical and physical elements of the project, and a well-      horses, worms, and denial-of-service attacks, can largely be
designed training program to ensure that personnel respon-         prevented through the deployment of carefully thought-out,
sible for operating, maintaining and using the new system          prudently designed business continuity practices.
can do so with maximum levels of capability. There should
also be an audit process in place to track those things that       Preparation of these practices involves a logical set of steps
went well, those things that didn’t and discussions about          that include identifying mission-critical systems; conduct-
alternative paths that could/should have been taken.               ing a series of granular and highly-detailed risk assessments;
                                                                   creating “strata” of risk tolerance for business systems;
There is nothing wrong with reliance on a single vendor for        locating single points of failure; selecting partners for busi-
business continuity services, as long as the selected vendor       ness continuity resources; and finally, identifying the steps
satisfies the concerns listed in the prior section. If they do,    required to ensure effective business process continuity and
then they are behaving more as a business partner than             data recovery. These steps lead collectively to a metrics-
they are a vendor, and they take their relationship with you       driven business continuity strategy that provides guidance
seriously – your success is their success – but just as impor-     for the protection of both logical and physical resources in
tant, your failure is theirs, as well. A professional services     the corporation. That strategy is then shared throughout the
provider in this space understands the business criticality of     organization to ensure that all employees understand its role,
the services they deliver, and will do everything they can to      its importance and their responsibilities relative to protect-
make the customer comfortable with the degree to which             ing critical organizational assets.
they take that relationship seriously.
                                                                   The final section of the paper dealt with the process of
                                                                   selecting a business continuity service provider suited to the
Summary of recommendations                                         task of implementing the continuity strategy. Assessing and
                                                                   selecting a vendor-partner should be based on a number of
Dentists often have a poster in their examining rooms that         factors, and while cost is certainly a consideration, other
says, “You don’t have to floss all of your teeth – only those      factors are equally important – if not more so. They include
that you want to keep.” That same message applies to the           the depth and scope of their offered services, the financial
world of business continuity. You don’t have to protect all        viability of the company, the degree to which they truly




10                                                                  Services: VoIP ▪ Voice ▪ Network ▪ Internet & Hosted IT
Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont
www.xo.com                                                                                              Xo Communications




understand the nature of your situation, the appropriate-         Related to hardware availability is application availability.
ness of their solution for you, and a number of other factors.    XO offers a number of services that address this critical
Don’t rush through the process – take your time, assess well,     need. They include Applications Performance Management,
and select based on these factors. You’ll thank yourself later.   Collocation, Hosted Exchange Services, and Web Hosting.

XO COMMuniCaTiOnS aS a                                            To address the very real requirements of backup solutions,
BuSineSS COnTinuiTy ParTner                                       XO’s Managed Backup program ensures that enterprise data
                                                                  is safely archived in multiple locations to guarantee surviv-
 XO Communications is one of many companies helping its           ability in the event of a disruption of business operations.
customers with business continuity solutions. The company
stands out in the crowd for one reason: they understand the       XO offers Voice Re-Routing and Redundancy Services as
meaning of the word solution.                                     well as a collection of Teleworking solutions that ensure
                                                                  functionality for remote workers who could otherwise be
Like all service providers, XO has been in the telecom            isolated during a disruption of normal business operations.
business for a long time, and offers a complete array of
telecommunications services designed to handle the access         Finally, XO has developed a number of services that address
and transport requirements of the most demanding                  the important demands for system security. These include
customer applications.                                            our MPLS IP-VPN solution, which guarantees the avail-
                                                                  ability of a completely secure, high-bandwidth connection
Rather than create technology and then search out applica-        that is extremely flexible and cost-effective; a Managed
tions for it – typical of many players in the industry – XO       Security solution, which take care of system and network
studies the market, develops an understanding of your             security as an outsourced service; and Perimeter Email
business needs in terms of critical information infrastruc-       Protection, which dramatically reduces spam and improves
ture – and then crafts solutions around those needs               network efficiency.
based on the best technology available. We stand behind
our solutions because we use them internally to protect our
own business resources.                                           Conclusion

XO’s portfolio of business continuity solutions addresses the     Sad to say, disruptive events do happen – and in most cases,
spectrum of enterprise demands. To ensure high-bandwidth          they are a ‘when’ rather than an ‘if’ question. Businesses
connections to critical buildings, XO’s Broadband Wireless        that assume something will occur that will disrupt their
solution delivers on the promise of network resiliency. Dedi-     ability to do business, and then plan for that eventuality
cated Internet Access guarantees network path redundancy          before it happens, will be well ahead of the curve in terms
and the ability to re-route around network trouble spots          of their ability to survive the event and continue to service
on-demand. High-Bandwidth Network Transport ensures               customers. Developing a well-planned business continuity
the availability of adequate network bandwidth for the most       plan should be a matter of highest priority for all businesses,
demanding applications.                                           regardless of size, structure or function. Remember, chance
                                                                  favors the prepared business: Plan now, and breathe easy
To ensure peace-of-mind relative to the survivability and         later. You won’t regret it.
availability of database hardware (disks and servers) that
might be affected following a disruptive event, XO’s Man-
aged Server solution, in concert with our Collocation offer-
ing, guarantees access to redundant hardware to support
critical operational processes.




Copyright 2009. XO Communications, llC. all rights reserved.
XO, the XO design logo, and all related marks are registered trademarks of XO Communications, llC.                            11
Copyright 2009. XO Communications, llC. all rights reserved.
XO, the XO design logo, and all related marks are registered trademarks of XO Communications, llC.

More Related Content

Similar to Business Continuity Planning Guide

5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls
5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls
5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls
Continuity and Resilience
 
5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls
5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls
5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls
Sohan Masih
 
The Consultant
The ConsultantThe Consultant
The Consultant
Nuno Ferreira
 
AEB.Safeguarding Shareholder Value Role of Board in M&A Activity
AEB.Safeguarding Shareholder Value Role of Board in M&A ActivityAEB.Safeguarding Shareholder Value Role of Board in M&A Activity
AEB.Safeguarding Shareholder Value Role of Board in M&A Activity
PaulOstling
 
Building A CFO Ready Business Case For Contract Management
Building A CFO Ready Business Case For Contract ManagementBuilding A CFO Ready Business Case For Contract Management
Building A CFO Ready Business Case For Contract Management
Alison Clarke
 
Cobi T Top Down Bottom Up
Cobi T Top Down  Bottom UpCobi T Top Down  Bottom Up
Cobi T Top Down Bottom Up
Dave Kohrell
 
Hanu whitepaper
Hanu whitepaperHanu whitepaper
Hanu whitepaper
Hanu Software
 
Bk Performance Manager
Bk Performance ManagerBk Performance Manager
Bk Performance Manager
Friedel Jonker
 
Getting IT Right
Getting IT RightGetting IT Right
Getting IT Right
wjgay19
 
Unified Comms Exploring Attitudes Towards Risk
Unified  Comms   Exploring Attitudes Towards RiskUnified  Comms   Exploring Attitudes Towards Risk
Unified Comms Exploring Attitudes Towards Risk
rosiegregory
 
4239 Misys Bank Fusion Presentation
4239 Misys Bank Fusion Presentation4239 Misys Bank Fusion Presentation
4239 Misys Bank Fusion Presentation
sudha_20
 
Managing Threats in a Dangerous World
Managing Threats in a Dangerous WorldManaging Threats in a Dangerous World
Managing Threats in a Dangerous World
Chartered Management Institute
 
Whitepaper Cloud Financials Come Of Age Pdf
Whitepaper Cloud Financials Come Of Age PdfWhitepaper Cloud Financials Come Of Age Pdf
Whitepaper Cloud Financials Come Of Age Pdf
jingels72
 
Six Truths BtoB Marketers Must Accept
Six Truths BtoB Marketers Must AcceptSix Truths BtoB Marketers Must Accept
Six Truths BtoB Marketers Must Accept
Manticore Technology
 
Bulldog manticore final 6 truths
Bulldog   manticore final 6 truthsBulldog   manticore final 6 truths
Bulldog manticore final 6 truths
Manticore Technology
 
Doing Too Much PM Report
Doing Too Much PM ReportDoing Too Much PM Report
Doing Too Much PM Report
Ricky Smith CMRP, CMRT
 
Effective Virtual Projects
Effective Virtual ProjectsEffective Virtual Projects
Effective Virtual Projects
Zebra Management Consulting
 
Portfolio Decision Optimization
Portfolio Decision OptimizationPortfolio Decision Optimization
Portfolio Decision Optimization
Jeffrey Barnes
 
Business Continuity Management - Operational & Cyber Resilience Part 1 (whi...
Business Continuity Management  - Operational & Cyber Resilience  Part 1 (whi...Business Continuity Management  - Operational & Cyber Resilience  Part 1 (whi...
Business Continuity Management - Operational & Cyber Resilience Part 1 (whi...
Richard Brooks
 
Top 10 Pitfalls Of Am
Top 10 Pitfalls Of AmTop 10 Pitfalls Of Am
Top 10 Pitfalls Of Am
Application Management
 

Similar to Business Continuity Planning Guide (20)

5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls
5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls
5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls
 
5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls
5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls
5th ME Business & IT Resilience Summit 2016 - Business Resiliency Pitfalls
 
The Consultant
The ConsultantThe Consultant
The Consultant
 
AEB.Safeguarding Shareholder Value Role of Board in M&A Activity
AEB.Safeguarding Shareholder Value Role of Board in M&A ActivityAEB.Safeguarding Shareholder Value Role of Board in M&A Activity
AEB.Safeguarding Shareholder Value Role of Board in M&A Activity
 
Building A CFO Ready Business Case For Contract Management
Building A CFO Ready Business Case For Contract ManagementBuilding A CFO Ready Business Case For Contract Management
Building A CFO Ready Business Case For Contract Management
 
Cobi T Top Down Bottom Up
Cobi T Top Down  Bottom UpCobi T Top Down  Bottom Up
Cobi T Top Down Bottom Up
 
Hanu whitepaper
Hanu whitepaperHanu whitepaper
Hanu whitepaper
 
Bk Performance Manager
Bk Performance ManagerBk Performance Manager
Bk Performance Manager
 
Getting IT Right
Getting IT RightGetting IT Right
Getting IT Right
 
Unified Comms Exploring Attitudes Towards Risk
Unified  Comms   Exploring Attitudes Towards RiskUnified  Comms   Exploring Attitudes Towards Risk
Unified Comms Exploring Attitudes Towards Risk
 
4239 Misys Bank Fusion Presentation
4239 Misys Bank Fusion Presentation4239 Misys Bank Fusion Presentation
4239 Misys Bank Fusion Presentation
 
Managing Threats in a Dangerous World
Managing Threats in a Dangerous WorldManaging Threats in a Dangerous World
Managing Threats in a Dangerous World
 
Whitepaper Cloud Financials Come Of Age Pdf
Whitepaper Cloud Financials Come Of Age PdfWhitepaper Cloud Financials Come Of Age Pdf
Whitepaper Cloud Financials Come Of Age Pdf
 
Six Truths BtoB Marketers Must Accept
Six Truths BtoB Marketers Must AcceptSix Truths BtoB Marketers Must Accept
Six Truths BtoB Marketers Must Accept
 
Bulldog manticore final 6 truths
Bulldog   manticore final 6 truthsBulldog   manticore final 6 truths
Bulldog manticore final 6 truths
 
Doing Too Much PM Report
Doing Too Much PM ReportDoing Too Much PM Report
Doing Too Much PM Report
 
Effective Virtual Projects
Effective Virtual ProjectsEffective Virtual Projects
Effective Virtual Projects
 
Portfolio Decision Optimization
Portfolio Decision OptimizationPortfolio Decision Optimization
Portfolio Decision Optimization
 
Business Continuity Management - Operational & Cyber Resilience Part 1 (whi...
Business Continuity Management  - Operational & Cyber Resilience  Part 1 (whi...Business Continuity Management  - Operational & Cyber Resilience  Part 1 (whi...
Business Continuity Management - Operational & Cyber Resilience Part 1 (whi...
 
Top 10 Pitfalls Of Am
Top 10 Pitfalls Of AmTop 10 Pitfalls Of Am
Top 10 Pitfalls Of Am
 

More from XO Communications

Energize your Unified Communications with SIP
Energize your Unified Communications with SIPEnergize your Unified Communications with SIP
Energize your Unified Communications with SIP
XO Communications
 
Forrester Survey sponsored by Juniper: Building for the Next Billion - What t...
Forrester Survey sponsored by Juniper: Building for the Next Billion - What t...Forrester Survey sponsored by Juniper: Building for the Next Billion - What t...
Forrester Survey sponsored by Juniper: Building for the Next Billion - What t...
XO Communications
 
Data Center Interconnects: An Overview
Data Center Interconnects: An OverviewData Center Interconnects: An Overview
Data Center Interconnects: An Overview
XO Communications
 
Dynamic Performance Acceleration - Reducing the Browser Bottleneck
Dynamic Performance Acceleration -  Reducing the Browser BottleneckDynamic Performance Acceleration -  Reducing the Browser Bottleneck
Dynamic Performance Acceleration - Reducing the Browser Bottleneck
XO Communications
 
The Case for Hosted Exchange
The Case for Hosted ExchangeThe Case for Hosted Exchange
The Case for Hosted Exchange
XO Communications
 
2016 The Year of the Zettabyte
2016 The Year of the Zettabyte2016 The Year of the Zettabyte
2016 The Year of the Zettabyte
XO Communications
 
Forces Disrupting the Network
Forces Disrupting the Network Forces Disrupting the Network
Forces Disrupting the Network
XO Communications
 
From the Network to Multi-Cloud: How to Chart an Integrated Strategy
From the Network to Multi-Cloud: How to Chart an Integrated StrategyFrom the Network to Multi-Cloud: How to Chart an Integrated Strategy
From the Network to Multi-Cloud: How to Chart an Integrated Strategy
XO Communications
 
Application Performance Management: Intelligence for an Optimized WAN
Application Performance Management: Intelligence for an Optimized WANApplication Performance Management: Intelligence for an Optimized WAN
Application Performance Management: Intelligence for an Optimized WAN
XO Communications
 
Key Considerations for MPLS IP-VPN Success
Key Considerations for  MPLS IP-VPN SuccessKey Considerations for  MPLS IP-VPN Success
Key Considerations for MPLS IP-VPN Success
XO Communications
 
A Business Guide to MPLS IP VPN Migration: Five Critical Factors
A Business Guide  to MPLS IP VPN Migration: Five Critical FactorsA Business Guide  to MPLS IP VPN Migration: Five Critical Factors
A Business Guide to MPLS IP VPN Migration: Five Critical Factors
XO Communications
 
SIP for the Enterprise
SIP for the Enterprise SIP for the Enterprise
SIP for the Enterprise
XO Communications
 
Intro to Voice over Internet Protocol: What does VoIP Mean for My Business?
Intro to Voice over Internet Protocol: What does VoIP Mean for My Business?Intro to Voice over Internet Protocol: What does VoIP Mean for My Business?
Intro to Voice over Internet Protocol: What does VoIP Mean for My Business?
XO Communications
 
Avoid Three Common Pitfalls With VoIP Readiness Assessments
Avoid Three Common Pitfalls With VoIP Readiness AssessmentsAvoid Three Common Pitfalls With VoIP Readiness Assessments
Avoid Three Common Pitfalls With VoIP Readiness Assessments
XO Communications
 
MPLS IP VPNs: Are You Ready to Migrate?
MPLS IP VPNs: Are You Ready to Migrate?MPLS IP VPNs: Are You Ready to Migrate?
MPLS IP VPNs: Are You Ready to Migrate?
XO Communications
 
Wan and VPN Solutions
Wan and VPN SolutionsWan and VPN Solutions
Wan and VPN Solutions
XO Communications
 
WAN Services Planning Checklist
WAN Services Planning ChecklistWAN Services Planning Checklist
WAN Services Planning Checklist
XO Communications
 
Cloud Communications: Top 5 Advantages for Your Enterprise
Cloud Communications: Top 5 Advantages for Your EnterpriseCloud Communications: Top 5 Advantages for Your Enterprise
Cloud Communications: Top 5 Advantages for Your Enterprise
XO Communications
 
Implementing SIP Trunking: Keys to Ensuring Interoperability
Implementing SIP Trunking: Keys to Ensuring InteroperabilityImplementing SIP Trunking: Keys to Ensuring Interoperability
Implementing SIP Trunking: Keys to Ensuring Interoperability
XO Communications
 
Level 3 Global Crossing Merger Not in Public Interest
Level 3 Global Crossing Merger Not in Public InterestLevel 3 Global Crossing Merger Not in Public Interest
Level 3 Global Crossing Merger Not in Public Interest
XO Communications
 

More from XO Communications (20)

Energize your Unified Communications with SIP
Energize your Unified Communications with SIPEnergize your Unified Communications with SIP
Energize your Unified Communications with SIP
 
Forrester Survey sponsored by Juniper: Building for the Next Billion - What t...
Forrester Survey sponsored by Juniper: Building for the Next Billion - What t...Forrester Survey sponsored by Juniper: Building for the Next Billion - What t...
Forrester Survey sponsored by Juniper: Building for the Next Billion - What t...
 
Data Center Interconnects: An Overview
Data Center Interconnects: An OverviewData Center Interconnects: An Overview
Data Center Interconnects: An Overview
 
Dynamic Performance Acceleration - Reducing the Browser Bottleneck
Dynamic Performance Acceleration -  Reducing the Browser BottleneckDynamic Performance Acceleration -  Reducing the Browser Bottleneck
Dynamic Performance Acceleration - Reducing the Browser Bottleneck
 
The Case for Hosted Exchange
The Case for Hosted ExchangeThe Case for Hosted Exchange
The Case for Hosted Exchange
 
2016 The Year of the Zettabyte
2016 The Year of the Zettabyte2016 The Year of the Zettabyte
2016 The Year of the Zettabyte
 
Forces Disrupting the Network
Forces Disrupting the Network Forces Disrupting the Network
Forces Disrupting the Network
 
From the Network to Multi-Cloud: How to Chart an Integrated Strategy
From the Network to Multi-Cloud: How to Chart an Integrated StrategyFrom the Network to Multi-Cloud: How to Chart an Integrated Strategy
From the Network to Multi-Cloud: How to Chart an Integrated Strategy
 
Application Performance Management: Intelligence for an Optimized WAN
Application Performance Management: Intelligence for an Optimized WANApplication Performance Management: Intelligence for an Optimized WAN
Application Performance Management: Intelligence for an Optimized WAN
 
Key Considerations for MPLS IP-VPN Success
Key Considerations for  MPLS IP-VPN SuccessKey Considerations for  MPLS IP-VPN Success
Key Considerations for MPLS IP-VPN Success
 
A Business Guide to MPLS IP VPN Migration: Five Critical Factors
A Business Guide  to MPLS IP VPN Migration: Five Critical FactorsA Business Guide  to MPLS IP VPN Migration: Five Critical Factors
A Business Guide to MPLS IP VPN Migration: Five Critical Factors
 
SIP for the Enterprise
SIP for the Enterprise SIP for the Enterprise
SIP for the Enterprise
 
Intro to Voice over Internet Protocol: What does VoIP Mean for My Business?
Intro to Voice over Internet Protocol: What does VoIP Mean for My Business?Intro to Voice over Internet Protocol: What does VoIP Mean for My Business?
Intro to Voice over Internet Protocol: What does VoIP Mean for My Business?
 
Avoid Three Common Pitfalls With VoIP Readiness Assessments
Avoid Three Common Pitfalls With VoIP Readiness AssessmentsAvoid Three Common Pitfalls With VoIP Readiness Assessments
Avoid Three Common Pitfalls With VoIP Readiness Assessments
 
MPLS IP VPNs: Are You Ready to Migrate?
MPLS IP VPNs: Are You Ready to Migrate?MPLS IP VPNs: Are You Ready to Migrate?
MPLS IP VPNs: Are You Ready to Migrate?
 
Wan and VPN Solutions
Wan and VPN SolutionsWan and VPN Solutions
Wan and VPN Solutions
 
WAN Services Planning Checklist
WAN Services Planning ChecklistWAN Services Planning Checklist
WAN Services Planning Checklist
 
Cloud Communications: Top 5 Advantages for Your Enterprise
Cloud Communications: Top 5 Advantages for Your EnterpriseCloud Communications: Top 5 Advantages for Your Enterprise
Cloud Communications: Top 5 Advantages for Your Enterprise
 
Implementing SIP Trunking: Keys to Ensuring Interoperability
Implementing SIP Trunking: Keys to Ensuring InteroperabilityImplementing SIP Trunking: Keys to Ensuring Interoperability
Implementing SIP Trunking: Keys to Ensuring Interoperability
 
Level 3 Global Crossing Merger Not in Public Interest
Level 3 Global Crossing Merger Not in Public InterestLevel 3 Global Crossing Merger Not in Public Interest
Level 3 Global Crossing Merger Not in Public Interest
 

Recently uploaded

BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
Neo4j
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
Adam Dunkels
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
The importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT StandardizationThe importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT Standardization
Axel Rennoch
 
July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
Ivanti
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
Ivanti
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
Anant Gupta
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
Priyanka Aash
 

Recently uploaded (20)

BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
The importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT StandardizationThe importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT Standardization
 
July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
 

Business Continuity Planning Guide

  • 1. protect / optimize / connect / communicate / manage / protect / optimize / connec optimize / connect / communicate / manage / protect / optimize / connect / communicat / communicate / manage / protect / optimize / connect / communicate / mana unicate / manage / protect / optimize / connect / communicate / manage / protect / optimi ge / protect / optimize / connect / communicate / manage / protect / optimize / connec optimize / connect / communicate / manage / protect / optimize / connect / communicat Business Continuity White Paper ct / communicate / manage / protect / optimize / connect / communicate / manage / prote Planning Guide manage / protect / optimize / connect / communicate / manage / protect / optimize / conne optimize / connect / communicate / manage / protect / optimize / Paper Authored by/Steve Shepard An Informational connect communicat ct / communicate / manage / protect / optimize / connect / communicate / manag unicate / manage / protect / optimize / connect / communicate / manage / protect / optimi protect / optimize / connect / communicate / manage / protect / optimize / conne optimize / connect / communicate / manage / protect / optimize / connect / communicat ct / communicate / manage / protect / optimize / connect / communicate / manage / prote te / manage / protect / optimize / connect / communicate / manage / protec manage / protect / optimize / connect / communicate / manage / protect / optimize / conne optimize / connect / communicate / manage / protect / optimize / connect / communicat ct / communicate / manage / protect / optimize / connect / communicate / manage / prote manage / protect / optimize / connect / communicate / manage / protect / optimize / conne optimize / connect / communicate / manage / protect / optimize / connect / communicat www.xo.com c onne c t / c ommunic ate / ma nage / p rote c t / optimize
  • 2. Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont Business Continuity Planning guide www.xo.com Xo Communications 2 Services: VoIP ▪ Voice ▪ Network ▪ Internet & Hosted IT
  • 3. Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont www.xo.com Xo Communications BuSineSS Continuity Planning guide Table of Contents Summary of Guide 4 Why Business Continuity Is Needed 4 Sobering Facts 5 Elements of Success: 5 Determining Resiliency Requirements Identification of Mission-Critical Systems 6 Prioritizing Services into Risk Tolerance Tiers 6 Conducting a Systematic Risk Assessment 7 Elements of the Plan 7 Identifying Points of Failure 7 Assessing the Pros and Cons 8 of a Business Continuity Partner Selecting a Vendor Partner 8 #1: Breadth and Richness of Services 9 #2: Solution Functionality 9 #3: Financial Viability 9 #4: Cost 9 Project Assessment 10 Summary of Recommendations 10 XO Communications as a 11 Business Continuity Partner Conclusion 11 Copyright 2009. XO Communications, llC. all rights reserved. XO, the XO design logo, and all related marks are registered trademarks of XO Communications, llC. 3
  • 4. Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont Business Continuity Planning guide www.xo.com Summary of guide Why Business Continuity is needed Business continuity, also referred to as disaster recovery, It was a business-as-usual day in the switching center. The is one of the most-talked about – and worrisome – building served well over 100,000 subscribers, six hospi- topics in industry today. Whether you are a five-person tals, 11 firehouses, three post offices, a police station, nine schools and three universities. Like most central offices, this small business determined to protect the integrity of one was completely invisible to the public. It was just a big, the day’s receipts, or a multinational corporation con- windowless structure. cerned about Sarbanes-Oxley compliance, shareholder comfort and revenue assurance, the issues are similar. Just after midnight, a relatively inconsequential piece of power equipment in the cable vault shorted and spit a few The factors that lead to the disruption of business activities sparks into the air. One of the sparks fell on a piece of – disasters, as they are often called – fall into two general insulation and began to smolder. The insulation melted and categories: natural disasters, which include uncontrolled began to burn, changing from a smoldering spot on the flooding, fire, earthquakes, hurricanes, typhoons, mudslides, surface of a cable to a full-blown fire. disease, lightning strikes, and biological infestations; and man-made disasters, which include disruptions brought on The fire burned its way up the cables, spreading from floor as the result of human error, strikes, intentional sabotage, to floor. Soon the building was engulfed, and the world was burglary, theft, IT-related faults stemming from viruses, about to see the single worst disaster that any American Trojan horses, worms, denial-of-service attacks, and other telephone company had ever experienced. breaches of computer and network security; and increas- Emergency services vehicles converged on the now evacu- ingly, disruption brought about by terrorist acts. ated building. They flooded the lower floors with hundreds For the most part, natural disasters are unavoidable; dealing of thousands of gallons of water, severely damaging what- with them tends to be a matter of preparedness and recovery ever equipment remained functional. as well as an avoidance strategy. Man-made disasters, on Two days later the fire was finally out and engineers were the other hand, can for the most part be avoided (or their able to enter the building to assess the damage. On the first impact minimized) through prudent IT management prac- floor, the 240-foot main distribution frame was reduced tices and adherence to a well-designed Business Continuity to a puddle of iron. Water had ruined the power equipment Plan. In aviation, the phrase that is drilled into every pilot’s in the basement. Four switching offices on the lower floors head as their operating mantra is “Always plan your flight, were completely destroyed. Cable distribution ducts and always fly your plan.” The same rules apply in business were deformed and useless. Carrier equipment on the continuity: Build a plan, and stick to it. Your discipline will second floor was destroyed. And 170,000 telephones were be well-rewarded. out of service. This paper is a practical guide for businesses concerned Within an hour of discovering the fire the company mobi- with ensuring their own continuity in the event that an lized its forces to restore service to the affected area, and unavoidable disruption challenges their ability to operate in resources converged on the building to coordinate the a business-as-usual fashion. We begin with a rather sobering effort that would last just under a month and cost more discussion about the need for business continuity planning, than $90 million. followed by an in-depth section about the steps involved in creating a plan: identifying mission-critical systems; con- Within 24 hours, service had been restored to all medical, ducting risk assessments; creating “strata” of risk tolerance police and fire facilities. The day after the fire, a new main for business systems; locating single points of failure; select- distribution frame had been located and was shipped to the ing partners for business continuity resources; and finally, building. Luckily, the third floor had been vacant and was identifying the steps required to ensure effective business therefore available as a staging area to assemble and install process continuity and data recovery. the 240-foot-long iron frame. Under normal circumstances, 4 Services: VoIP ▪ Voice ▪ Network ▪ Internet & Hosted IT
  • 5. Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont www.xo.com Xo Communications from the time a frame is ordered, shipped and installed Consider these simple facts. The economic impact of a sin- in an office, six months elapse. This frame was ordered, gle intrusion, such as a denial-of-service attack, is roughly $1 shipped, installed, wired and tested - in four days. million, an expense that could be prevented enterprise-wide through the deployment of a simple firewall. It gets worse: It is almost impossible to understand the magnitude of the in 2004, five years ago, the average large business spent $55 restoration effort, but this may help. 6,000 tons of debris million per year to protect itself from viruses, Trojan horses, were removed from the building and 3,000 tons of equip- and worms, $26 million against denial of service attacks, ment were installed including 1.2 billion feet of under- and a comparatively paltry $12 million to guard against ground wire, 8.6 million feet of frame wire, 525,000 linear physical theft . And why are they willing to spend so much feet of exchange cable, and 380 million conductor feet of on cyber-protection? Because 93% of companies that lose switchboard cable. 5 million underground splices hooked access to the information in their data centers for 10 days or it all together. And 30 trucking companies, 11 airlines, more will file for bankruptcy protection within a year of the and 4,000 people were pressed into service. And just after loss. Can they afford not to spend the money? midnight on March 21st, 22 days following the fire, service from the building was restored. Forrester Research has extensively studied Business Con- tinuity practices and there is much to be learned from How was this possible? Two factors contributed to the suc- them . Most companies recognize the need to improve their cess of the restoral effort. First and foremost, the company preparedness for disruptive events, and when asked why had resources it could call on when needed, and the ability they are doing so the list narrows to six primary drivers: to deploy them. the increasing cost (and impact) of system downtime; the need to be online, available and therefore competitive in Second, they understood the nature of their business: What an increasingly globalized (and therefore around-the-clock) was critical and what wasn’t. The fact that they restored market; the need to satisfy financial responsibilities; the emergency services first and consumer telephones second need to take steps to reduce increasing levels of enterprise said a great deal about the degree to which they had though risk; the desire to increase the availability (and survivability) the scenario through. They knew which services posed the of a critical business application; and finally, the require- highest risk and dealt with them first. ment to ensure compliance with regulatory or legal man- Business continuity imperatives haven’t changed much dates such as Sarbanes-Oxley, HIPAA and CALEA. since this disaster took place; technology has evolved, busi- So why is business continuity planning required? Besides nesses have become more sophisticated, the global nature the obvious answer – the need to protect critical business of the world’s economy now dictates that businesses operate resources in order to protect revenue-generating customer around the clock, but one singular mandate remains the services – it is because “chance favors the prepared mind.” same: be prepared. The better prepared an organization is for the possibility of a disruptive event, the more rapidly the event will be resolved. SOBering FaCTS Every day, 30 billion text messages, 40 billion e-mail elements of Success: messages, 19 billion mobile minutes, 30 billion PSTN min- utes travel the world’s telecommunications networks. determining resiliency requirements As if that weren’t enough, eight exabytes (that’s 18 zeroes) One element of business continuity planning is disaster of global IP traffic are generated every month, a number recovery preparedness. And while disaster recovery is an that’s expected to increase to a zettabyte (21 zeroes) by 2015. important element of any prudent IT strategy, disaster The problem with those numbers is not their magnitude: avoidance – the process of taking steps to avoid the impact It’s the nature of their intent. A large percentage of those of a disastrous event when it occurs - is at least as important. messages are destined for enterprise networks, and a small Because these disruptions are largely unanticipated, a collec- percentage of those aren’t friendly – they are intended to tion of up-front efforts can reduce the downtime – and cost disrupt business operations. Copyright 2009. XO Communications, llC. all rights reserved. XO, the XO design logo, and all related marks are registered trademarks of XO Communications, llC. 5
  • 6. Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont Business Continuity Planning guide www.xo.com – associated with disastrous events. These efforts, which we We’re talking about a single laptop here – not the far more will describe in the sections that follow, include: complex processes and resources of an entire business – even a small one. It is fundamentally important, then, to build • Identification of mission-critical systems an “aerial view” of the ebbs and flows of the business, so • Prioritizing services into risk tolerance tiers that all business processes can be identified, evaluated, and • Conducting a systematic risk assessment ranked according to their perceived levels of criticality to • Identifying points of failure business operations. • Assessing the pros and cons of dependency on a single business continuity provider Once the processes have been identified, then the underly- • Determining the steps involved in selecting a provider ing systems can be identified as well. This process must include a comprehensive hardware inventory across all data idenTiFiCaTiOn OF MiSSiOn-CriTiCal SySTeMS centers, office environments, call centers, operations centers, and any other locations where a significant amount of Mission-critical systems are those resources – hardware, human-to-machine (and therefore system) interaction takes software, operational processes, operating procedures – that place. At the same time, an application inventory should be are absolutely necessary for the business to operate. Funda- conducted to identify all of the ways that people rely on the mentally speaking, if these resources become unavailable or hardware to do their jobs. Keep in mind that the hardware severely impaired for any reason and for any length of time, is nothing more than a very large heat engine and real estate business operations are jeopardized. It is critical, therefore, consumer without applications running on it; all data flows to identify these systems and take steps to ensure that they and all application-to-application flow-through should be are appropriately protected. identified at the same time as part of a comprehensive sys- tematic analysis of critical IT resources. The first step in the process, therefore, is to identify these systems. In reality, though, this is not the first step – it is PriOriTizing ServiCeS the third step. The first step is to map out the day-to-day inTO riSk TOleranCe TierS operations of the business to ensure a clear understanding of exactly how the business operates. This means taking inven- Once the mission-critical systems have been identified, tory of business processes, and then relating those business including all hardware, software, processes and procedures, processes to the critical systems that underlie them. Sounds the next step in the business continuity planning process silly? Take this simple test: If you were to lose your laptop is to rank them according to their relative importance to tomorrow, what would the actual impact on you be? Let’s the business. This is an extraordinarily difficult part of the assume that your data is backed up (a major assumption). overall process for one simple reason: it tends to become Do you have a list of the applications that reside on the lap- emotionally charged as different organizations, if given the top that you will have to reinstall to restore the machine to chance, argue for the relative importance of their critical full functionality? You probably have the CDs and DVDs systems. For this reason alone, it is important that the rank- of the applications you’ve purchased in a box somewhere, ing of these processes be conducted by a team made up of but what about the installers for the applications you’ve representatives from two organizations: IT and corporate purchased online? And once they’re installed, how long will finance. IT must be involved because they understand the it take you to download all of the updates required to bring inner workings of the systems and can speak to the complex the applications up-to-date? And what about all of the interworking that often exists between seemingly unre- serial numbers and product keys required to securely install lated applications and hardware. Finance must be involved the software? If you have to change operating systems because in the final analysis, the ultimate “tie-breaker” is because of an update that came out since you bought the the degree to which one mission-critical process affects the laptop, how long will it take you to be comfortable with it ability of the corporation to generate revenue, relative to to ensure functionality? other systems. After all, how do you compare the relative importance of an order tracking application vs. a strategic data collection application used by marketing? Remember, 6 Services: VoIP ▪ Voice ▪ Network ▪ Internet & Hosted IT
  • 7. Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont www.xo.com Xo Communications we’re not talking about which one lives and which one dies: elements of the Plan We’re talking about a hierarchy of recovery to ensure that the applications most necessary for revenue protection and The plan, once completed, typically has five elements: cost control are brought back to life first. As long as this is 1. An analysis of the business, as described earlier; understood by all concerned, the emotional challenges tend 2. A description of the various solution elements that to fade in favor of more rational arguments. have been put into place to deal with the potential for a significant disruption of business operations; COnduCTing a SySTeMaTiC riSk aSSeSSMenT 3. A plan for the actual implementation of the identified The “tiering” process is usually performed according to a procedures, should they be needed; set of standardized measures by which priorities can be 4. A process for routinely testing the procedures to assigned. These measures, the Recover Point Objective ensure their functionality and currency; and finally, (RPO) and Recovery Time Objective (RTO), are used to 5. A maintenance program to ensure that the plan is con- determine the relative value of systems and applications stantly updated according to changes in the business. based on their importance to the business and based on a One of the main reasons that business continuity plans fail set of agreed-upon performance objectives. The Recovery is that they are not routinely updated to model the chang- Point Objective is the specific point in time to which you ing profile of the business, leaving some critical systems, must recover data in order to resume effective business processes or infrastructure inadequately protected. operations. It does not imply 100% recovery of all data. The RPO is generally considered to be a measure of acceptable There’s an old saying in business: “That which gets measured data loss following a major disruptive event. RPO is serious gets managed.” RPOs and RTOs are two of the important business: If your RPO is determined to be four hours but a success metrics of a business continuity plan. Once they are full recovery will take seven, the last three hours are deemed understood, put into place and socialized throughout the to fall into the category of acceptable loss and business business, they must be mapped to the systems and critical operations will be resumed from the four-hour recovery infrastructure that they are designed to protect. The next point, with attempts to manually recover the lost activity step in the process is to indentify failure points. carried out later, as time permits. In the IT world, RPO is the technical equivalent of medical triage – the steps neces- idenTiFying POinTS OF Failure sary to stabilize the patient. Every complex system has its weak links, and part of the Closely related to RPO is Recovery Time Objective (RTO). business continuity planning process is to identify them RTO is the amount of time within which a critical business so that they can either be fixed or appropriately protected. process must be restored following a systemic disruption to Creating a map of critical process dependencies (described avoid unacceptable consequences in terms of the ability to earlier) and then establishing metrics (RPOs and RTOs) satisfy customer needs and meet critical business objectives. represents phase one of this process; phase two is the exami- Bear in mind that the RTO is associated with the recovery nation procedure designed to identify areas where attention of critical business processes, not with the recovery of the is required. Areas that tend to be at risk, and that should be underlying systems: that’s the domain of the RPO. Busi- carefully examined, include: nesses must address both if they are to develop a holistic plan for assured operational continuity. When a company’s • Power feeds to critical buildings: Is the power coming Web site is the victim of a denial-of-service attack, and the into critical buildings (call centers, data centers, opera- company relies on their Web site for revenue generation, the tions centers) fed redundantly and from different points recover priority (RTO) is much higher than it would be for on the grid? Is there uninterruptible power (UPS) in a company whose Web site is used as nothing more than an place? Is it tested routinely, and under load? “online business card.” • High-bandwidth connections to critical buildings: Are the circuits redundant? Is that redundancy accom- Copyright 2009. XO Communications, llC. all rights reserved. XO, the XO design logo, and all related marks are registered trademarks of XO Communications, llC. 7
  • 8. Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont Business Continuity Planning guide www.xo.com plished over facilities that are physically separated from that a primary application server should die, is there a one another? Is there a high-speed wireless connection backup system in place and online to ensure that busi- that could be used in the event of an event that dis- ness can continue as required? rupts the physical media? • System security: Are there procedures in place for • Database hardware (disks, servers): Are the servers, auditing security policies and practices? These proce- processors and disk arrays that host and make available dures should include examination of physical security critical applications configured in such a way that they that protects buildings, outside plant, and personnel, as have “hot spares” available should they be needed? well as logical security practices that protect software In the event of a major failure of the physical site, is and data from worms, viruses, Trojan horses, denial-of- there access to a redundant site to ensure business service attacks, malware, spam, social engineering, and continuity? Is the actual access redundant, i.e., is there other intentionally disruptive attacks. (for example) point-to-point wireless available to ensure connectivity in the event of a disruption of the This is by no means intended to be a complete list, but it physical plant? does represent a valid sample of the key issues that should be included in the development of a business continuity • Backup processes: Is there a clearly-documented protection strategy. It can also serve as the basis for identi- backup strategy that ensures that all critical applica- fying weak points in the strategy: If questions arise as the tions (and the data they create) are archived on a result of the process described above, there are weaknesses regularly-occurring schedule? Are multiple copies in the overall plan that should be examined and rectified. created, and if so, are they stored in physically differ- ent locations? Is there a process in place to gain access aSSeSSing The PrOS and COnS to backup copies in the event of a business disruption? OF a BuSineSS COnTinuiTy ParTner For many corporations, backup practices rise to levels that appear to be one step removed from organiza- Once the metrics have been decided upon, are accepted, tional paranoia. The need to backup customer data and and have been logically linked to the critical elements of the applications that depend on that data cannot be the corporate information infrastructure, a priority-based overstated, however. Some of the methodologies that strategy for resource recovery can be created, based on the companies consider include: steps described earlier. In large corporations it has been a standard practice to perform most recovery processes inter- • Tape backups that are transported to offsite facilities nally, using the knowledge resources of the IT or Informa- on a daily basis tion Systems organization. Increasingly, however, companies are relying on outsourced business continuity providers to • Disk backups that are performed locally but copied handle this aspect of protecting the business. The primary to a remote backup facility reasons for this are two-fold: expertise, and strategic diver- sity. Business continuity organizations have considerable • Real-time data replication to an offsite archive expertise in their field and are therefore valuable partners. • Support for remote workers: In the event that a signifi- And because they offer service diversity in terms of diverse cant number of remote workers would be affected by a network routing, distributed database backup and hardware catastrophic system failure, are there alternatives avail- redundancy, their role as a value-added provider is a valid able that they can use to gain access to backup critical one. systems? Is there adequate security in place to ensure that remote access to sensitive information assets can SeleCTing a vendOr ParTner be granted without threatening those assets? The vendor selection criteria must be carefully crafted to • Application availability: Are critical applications avail- not only ensure that the vendor’s product is up to the task able from multiple servers? In other words, in the event of addressing the needs of the business, but that the vendor 8 Services: VoIP ▪ Voice ▪ Network ▪ Internet & Hosted IT
  • 9. Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont www.xo.com Xo Communications is in a position to provide ongoing, long-term support. This back” in project discussions to raise concerns about poten- is an important and often misunderstood part of the vendor tial issues? Do they ask as many questions as they attempt selection process, and companies have been known to select to answer? Have they created and offered a technique for a vendor based solely on the viability of their technology assessing the overall effectiveness of the implementation and when in fact the technology is perhaps the least important distinct, well-defined intervals? Similarly, to what degree of all criteria. Some companies, for example, have a policy has the vendor identified management concerns? that dictates that if their company’s purchases represent more than 20% of a vendor’s annual revenues, they won’t #3: Financial viability buy from that vendor. It doesn’t seem to make logical sense until you think about the decision strategically: If your Mentioned earlier, this particular criterion is of utmost company represents 20% of that company’s revenues and importance, particularly in business continuity implemen- you have a bad year and cut spending, you could put the tations that are deemed “mission-critical.” If the vendor vendor in financial jeopardy, which would make it impos- does not strike you as being viable, don’t consider them sible for them to provide the level of support you require. in the final running. Keep in mind that the implementa- It is important therefore to consider vendor selection from tion of a complex system does not end the day it is turned multiple, seemingly unrelated points-of-view. up: in essence, it never ends and requires various levels of vendor support throughout its life cycle. Critical questions Vendors are typically evaluated in four key areas: (1) breadth to ask, then, should revolve around the vendor’s business and richness of services; (2) overall solution functionality; model, survivability, cash position, vision, and commitment (3) financial viability; and (4) overall cost. to product longevity. For example, to what degree is the vendor committed to building products around open stan- #1: Breadth and richness of Services dards? What does the vendor’s future vision look like for themselves and their products? Can they tell a compelling Services are represented not only by the capabilities of the and logical story about where they see themselves in three- vendor’s solution but also by the added value that the vendor to-five years? What customer testimonials will the vendor overlays on top of and after the sale. For example, a multi- make available to you? Who are their customers, and what stage, hosted backup and archival solution is a complex sale sector do they hail from? Are they exclusively in one sector and an even more complex implementation. Is your expecta- or another, or do they span a broad range and therefore tion that the vendor will work in lockstep with you before, have the ability to draw from a broad experience base? Do during and after the implementation? Will they rely entirely they work with channels, and if so, what’s the nature of the on their own resources for implementation or will they also relationship? How long have they been in business? What is rely on contracted capability? What are the qualifications their cash position? of the people who will be your primary implementation resources? What kind of post sales support will you receive? #4: Cost Will there be resources on site for a period of time follow- ing project completion or will you be dependent on remote Overall cost is a measure of flexibility and operational resources that must be dispatched if they are needed? effectiveness, and the manner in which the vendor presents their solution is a measure of how well they understand your #2: Solution Functionality “pain points” and business drivers. For example, does the vendor go to significant lengths to understand your current Related to these basic questions are questions around the situation and take whatever steps are available to protect offered product, service or solution. How well does the ven- any pre-existing investments that you would like to protect? dor understand your business, where you are, and where you Does the vendor offer a variety of solutions or packages that want to go? How broad are the considerations it addresses provide “silver, gold and platinum” options if you request – does the proposal go beyond pure technology to include them? Does the vendor offer anything in the way of model- economic, human capital, end user, application and com- ing tools that will help you make a buy decision? petitive concerns? How effectively does the vendor “push Copyright 2009. XO Communications, llC. all rights reserved. XO, the XO design logo, and all related marks are registered trademarks of XO Communications, llC. 9
  • 10. Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont Business Continuity Planning guide www.xo.com Project assessment of your systems – only the ones that provide services that matter. And since most businesses only run systems that When filling out the paperwork for a work-related accident, matter, those that they do run typically provide services to regardless of how minor, one of the last questions asked on employees or customers that are deemed mission-critical. If the form is “How could this accident have been prevented?” they fail to operate, the business fails to operate, often with If a business continuity solution is to be put into place and it disastrous results. is to deliver on its promises of cost reduction, efficiency and enhanced workplace effectiveness, project managers must We began this paper talking about the variety of events, create an assessment methodology that monitors project some predictable, some not, some accidental, some not, that progress, compares it to expectations, and performs quali- can cause a serious disruption of your organization’s ability tative analysis of the results relative to those expectations. to get the job done. Natural disasters, such as flood, fire, There is no such thing as a perfect, problem-free project, earthquakes, hurricanes, mudslides, disease, and lightning but there is such a thing as a well-managed project that strikes cannot, for the most part, be prevented; they can experiences minimal problems – typically because of a well- only be recovered from, the degree to which an organization designed assessment and intervention process. prepares for their occurrence is a measure of the degree to which the impact of these events can be minimized. Elements of such a process should include, at a minimum, cost, identified benchmarks, a clear list of anticipated Other events, such as failures due to human error, labor (desirable) outcomes, solid, extensive project documentation, strikes, intentional sabotage, burglary, theft, IT-related well-crafted flowcharts that identify the interactivity among faults stemming from physical failures, viruses, Trojan all logical and physical elements of the project, and a well- horses, worms, and denial-of-service attacks, can largely be designed training program to ensure that personnel respon- prevented through the deployment of carefully thought-out, sible for operating, maintaining and using the new system prudently designed business continuity practices. can do so with maximum levels of capability. There should also be an audit process in place to track those things that Preparation of these practices involves a logical set of steps went well, those things that didn’t and discussions about that include identifying mission-critical systems; conduct- alternative paths that could/should have been taken. ing a series of granular and highly-detailed risk assessments; creating “strata” of risk tolerance for business systems; There is nothing wrong with reliance on a single vendor for locating single points of failure; selecting partners for busi- business continuity services, as long as the selected vendor ness continuity resources; and finally, identifying the steps satisfies the concerns listed in the prior section. If they do, required to ensure effective business process continuity and then they are behaving more as a business partner than data recovery. These steps lead collectively to a metrics- they are a vendor, and they take their relationship with you driven business continuity strategy that provides guidance seriously – your success is their success – but just as impor- for the protection of both logical and physical resources in tant, your failure is theirs, as well. A professional services the corporation. That strategy is then shared throughout the provider in this space understands the business criticality of organization to ensure that all employees understand its role, the services they deliver, and will do everything they can to its importance and their responsibilities relative to protect- make the customer comfortable with the degree to which ing critical organizational assets. they take that relationship seriously. The final section of the paper dealt with the process of selecting a business continuity service provider suited to the Summary of recommendations task of implementing the continuity strategy. Assessing and selecting a vendor-partner should be based on a number of Dentists often have a poster in their examining rooms that factors, and while cost is certainly a consideration, other says, “You don’t have to floss all of your teeth – only those factors are equally important – if not more so. They include that you want to keep.” That same message applies to the the depth and scope of their offered services, the financial world of business continuity. You don’t have to protect all viability of the company, the degree to which they truly 10 Services: VoIP ▪ Voice ▪ Network ▪ Internet & Hosted IT
  • 11. Click here or copy and paste bit.ly link to download this white paper: http://bit.ly/BizCont www.xo.com Xo Communications understand the nature of your situation, the appropriate- Related to hardware availability is application availability. ness of their solution for you, and a number of other factors. XO offers a number of services that address this critical Don’t rush through the process – take your time, assess well, need. They include Applications Performance Management, and select based on these factors. You’ll thank yourself later. Collocation, Hosted Exchange Services, and Web Hosting. XO COMMuniCaTiOnS aS a To address the very real requirements of backup solutions, BuSineSS COnTinuiTy ParTner XO’s Managed Backup program ensures that enterprise data is safely archived in multiple locations to guarantee surviv- XO Communications is one of many companies helping its ability in the event of a disruption of business operations. customers with business continuity solutions. The company stands out in the crowd for one reason: they understand the XO offers Voice Re-Routing and Redundancy Services as meaning of the word solution. well as a collection of Teleworking solutions that ensure functionality for remote workers who could otherwise be Like all service providers, XO has been in the telecom isolated during a disruption of normal business operations. business for a long time, and offers a complete array of telecommunications services designed to handle the access Finally, XO has developed a number of services that address and transport requirements of the most demanding the important demands for system security. These include customer applications. our MPLS IP-VPN solution, which guarantees the avail- ability of a completely secure, high-bandwidth connection Rather than create technology and then search out applica- that is extremely flexible and cost-effective; a Managed tions for it – typical of many players in the industry – XO Security solution, which take care of system and network studies the market, develops an understanding of your security as an outsourced service; and Perimeter Email business needs in terms of critical information infrastruc- Protection, which dramatically reduces spam and improves ture – and then crafts solutions around those needs network efficiency. based on the best technology available. We stand behind our solutions because we use them internally to protect our own business resources. Conclusion XO’s portfolio of business continuity solutions addresses the Sad to say, disruptive events do happen – and in most cases, spectrum of enterprise demands. To ensure high-bandwidth they are a ‘when’ rather than an ‘if’ question. Businesses connections to critical buildings, XO’s Broadband Wireless that assume something will occur that will disrupt their solution delivers on the promise of network resiliency. Dedi- ability to do business, and then plan for that eventuality cated Internet Access guarantees network path redundancy before it happens, will be well ahead of the curve in terms and the ability to re-route around network trouble spots of their ability to survive the event and continue to service on-demand. High-Bandwidth Network Transport ensures customers. Developing a well-planned business continuity the availability of adequate network bandwidth for the most plan should be a matter of highest priority for all businesses, demanding applications. regardless of size, structure or function. Remember, chance favors the prepared business: Plan now, and breathe easy To ensure peace-of-mind relative to the survivability and later. You won’t regret it. availability of database hardware (disks and servers) that might be affected following a disruptive event, XO’s Man- aged Server solution, in concert with our Collocation offer- ing, guarantees access to redundant hardware to support critical operational processes. Copyright 2009. XO Communications, llC. all rights reserved. XO, the XO design logo, and all related marks are registered trademarks of XO Communications, llC. 11
  • 12. Copyright 2009. XO Communications, llC. all rights reserved. XO, the XO design logo, and all related marks are registered trademarks of XO Communications, llC.