Domain Definition
Preparation, testing, & updating of actions required to protect critical business processes from the effects of major system & network failures
Buss Continuity (BCP) Disaster Recovery (DRP)
Plan initiation Planning
Bus. Impact Assess. (BIA) Testing
Plan Development Specific Procedures
BCP
Created to prevent interruptions to normal business activity
Minimize effects of disruptive event Enhance orgs capability to recover Minimize cost Mitigate risks
BCP: Areas Covered
LANs, WANs, DMZ, Servers Telecomm & data comm links Workstations & workspaces Applications, software, & data Media & records storage Staff duties & production processes
BCP & DRP: Primary Concern
Life Safety Evacuation routes Assembly areas Accounting for personnel
Protection of people always comes first
Continuity Disruptive Events All plans & processes are
“After the Fact” Examples:
Fires, explosions, spills Earthquakes, storms, floods, ex Power outages & other utility failures Bombings, sabotage Strikes & other job actions Employee unavailability Comm infrastructure failures
Asset Loss
Revenues Lost during incident Ongoing recovery costs Fines & penalties Competitive advantage, credibility or
good will damaged by incident
Four Prime Elements of BCP
1. Scope & Plan Initiationa. Define scope & parameters of plan
2. Business Impact Assessmenta. Help buss units understand impact
3. BCP Developmenta. Implementation, testing, maintenance
4. Plan Approval & Implementationa. Senior mgt signoff & org. awareness
BCP 1. Scope & Plan Initiation Examine org. operations & support services
Distributed processing == special problems All business units involved
BCP committee Senior Management – total, highly visible
support Due diligence: Foreign corrupt practices act
of 1977
BCP: 2. Buss. Impact Assess.
What impact incident would have Financial, Operational, Vulnerability Primary Goals
Criticality Prioritization Downtime Estimation Resource Requirements
BCP: 2. Buss. Impact Assess.Steps
1. Gathering info neededa. Critical business units &
interdependencies
2. Vulnerability assessment (next slide)
3. Analyzing info compileda. Clearly describe support required
4. Documenting results & present recommendations
BCP: 2. BIA – Vulnerability Assess. Similar to but smaller than Risk Analysis Quantitative loss criteria
Revenue, capital, liability, operational expenses, contract agreements, regulatory requirements
Qualitative loss Criteria Competitive advantage, mkt share, public
confidence, etc Common Steps
List Potential Emergencies, 2. Estimate likelihood, 3. Assess impact, 4. Resources Required
Sample Vulnerability TableA. Type of EmergencyB. Probability (High 5 – Low 1)C. Human Impact (High Impact 5 …)D. Property Impact E. Business ImpactF. Internal Resources (Weak Resources 5 …)G. External ResourcesH. Total
A B C D E F G H
BCP: 3. BCP Development Use BIA to create recovery strategy plan Defining the continuity strategy
Elements: computing, facilities, people, supplies & equipment
Short-term goals & objectives Vital personnel, systems, operations, equipment Priorities for restoration Acceptable downtime & minimum resources req.
Long-term goals & objectives Org’s strategic plan Funding, Management & coordination of events Funding & fiscal Management
IT department: backup & restore, physical security, logical security, system administration
BCP: 4. Approval & Implementation
Approval by Senior Management Creating plan awareness
Org’s ability to recover will most likely depend on many individuals
Maintenance of Plan Plans easily get out of date
Disaster Recovery Planning (DRP)
Procedures for: Responding to emergency Providing extended backup operations Managing recovery & salvage operations
“Primary objective is to implement critical processes at an alternate site & return to primary site & normal operations with time frame that minimizes loss to the organization.”
DRP: Planning Process Development & creation of recovery plans BIA has been made so now defining steps
needed to protect business in actual disaster
Recovery Timeframe Requiements AAA – Immediate recovery needed, no downtime AA – Full functional recovery within 4 hours A – Same day business recovery needed B – Up to 24 hours downtime acceptable C – 24 – 72 hours downtime acceptable D – Greater than 72 hours downtime ok
DRP: Disaster Planning Process Steps
Data Processing Continuity Planning
Data Recovery Plan Maintenance
DRP: Data Processing Continuity Planning
Common alternate processing types1. Mutual Aid Agreements2. Subscription services3. Multiple centers4. Service bureaus5. Other data center backup alternatives
1. Automated Tools to create DRP (www.intiss.com/intisslinks)
DRP: Mutual Aid Agreements Both parties agree to support each other Advantages
Very little or no cost Same NOS, data comm needs, & transaction
processing procedures Disadvantages
Only use if no other option available Same infrastructure with unused capacity highly
unlikely Limits responsiveness & support What about disaster that affects both orgs
DRP: Subscription Services
3rd party commercial services & alternate processing
Basic Forms of Subscription Svcs Hot Site Warm Site Cold Site
DRP: Multiple Centers
Spread processing around multiple sites and insure excess capacity at each site
Adv: Financial Dis: Mutual disaster could overtake
both (or all) sites
DRP: Service Bureaus & Other
Service Bureaus: Contractual Agreement to provide backup Adv: Quick & available Dis: Expensive
Rolling/Mobile backup site Vendor remote re-supply of hdw Prefabricated buildings
DRP: Transaction Redundancy Level of fault tollerance in transaction
processing
Electronic Vaulting Transfer of backup offsite
Remote Journaling Offsite Parallel processing
Database Shadowing Offsite parallel database(s)
DRP: Maintenance DRP easily get out-of-date Regular audit procedures ensure
currency Review, evaluate, modify, update
After training exercises After disaster response When personnel change When policies, procedures or
infrastructure changes
DRP: Testing No plan really exists until tested “Test plan must be created & carried out in
orderly, standardized fashion & executed on a regular basis”
Reasons for Testing Verifies accuracy of DRP Prepares personnel Verifies processing capacity of alternate site To find weaknesses: if non found was probably a
bad test. Mistakes WILL BE MADE
DRP: Testing -- The Test Document
Documented Test scenario Reasons for test, type of test, objectives
Granular details of what will happen Scheduling of test Duration of test Specific test steps Participants Task assignments Resources & services to be used
DRP: Testing – Test Levels
1. Checklist review2. Structured walk-through3. Simulation test4. Parallel test5. Full-scale exercise
DRP: Procedures Details roles played & tasks assigned External groups, financial considerations Senior Management:
Remain visible Directing, managing, monitoring recovery Rationally amending plans Clearly communicating roles & responsibilites
IT Management: Identify mission critical apps Reassess recovery site’s stability Recovering & constructing data
Human resources Financial
DRP: Teams Recovery Team
Primary task to get critical apps functioning at alternate site
Salvage Team Isolate incident scene Secure & control access Return primary site to fully functional Authority to declare incident over Different personnel from Recovery Team