VTN Executive Forum Disaster Recovery - PowerPoint PPT Presentation

1 / 47
About This Presentation
Title:

VTN Executive Forum Disaster Recovery

Description:

Data Networks: FAS, SAN, NAS. Data Recovery. Tape Backup ... Data Recovery Tape Backup. Intrusion Prevention/Detection. Anti-Virus, Anti-Spam, Firewalls ... – PowerPoint PPT presentation

Number of Views:297
Avg rating:3.0/5.0
Slides: 48
Provided by: notf4
Category:

less

Transcript and Presenter's Notes

Title: VTN Executive Forum Disaster Recovery


1
VTN Executive ForumDisaster Recovery Business
Continuity
  • Terry Buchanan, VP Services, CONPUTE
  • November 2nd, 2006

Partner
Smart.
2
Purpose Expectations
  • How to get started in DR/BCP and keep it simple
  • How to evaluate risk for your company
  • Risk mitigation and planning techniques
  • Best practice processes to start planning
  • Plan structure and application

3
Definition
  • Business Continuance (or Continuity) Planning
    (BCP) involves the processes and procedures
    organizations put in place to ensure that mission
    critical functions can continue during and after
    a disaster.
  • BCP focuses on
  • People (Human Safety),
  • Procedures/Process (How to) and
  • Infrastructure (Facilities IT) continuance.

4
Getting Started
  • Considering the What if scenario
  • Keeping your business running
  • What does that mean for each of you?
  • What does that mean for your staff co-workers?
  • Do you have a plan to
  • Stay open?
  • Recover?
  • Rebuild?
  • Do nothing?

5
Best Practice BCP Process
6
Best Practice BCP Process
  • Project Definition
  • Risk Assessment
  • Business Impact Analysis
  • RTO, RPO, Time Critical, Mission Critical
  • BC Management Design
  • Emergency Response and Operations
  • Crisis Communications
  • Coordination with External Agencies
  • Detail and Implementation
  • Awareness and Education
  • Exercise and Adapt

7
Sponsorship
  • Sponsor has to own initiative.
  • Sponsor has to fund initiative.
  • Sponsor is accountable for initiative.
  • Different level of Sponsors.
  • Who are sponsors?
  • President, CEO (Primary)
  • CIO, CAO, CFO (Secondary)
  • Directors and Managers (Tertiary)

8
Best Practice BCP Process
9
Project Planning
  • Sponsor
  • Sets Goals and Charter
  • Project/Program Manager
  • Needs Project Management Experience
  • Manages process/administration/negotiation
  • Steering Committee
  • Senior Management
  • C level, VP, etc.
  • Approves and makes decisions
  • Manages budget
  • Project Team
  • Business Unit representatives
  • Managers, Senior staff, Subject Matter Experts
  • Primary knowledge base

10
Best Practice BCP Process
11
Risk Assessment
12
Risk Assessment
13
Risk Assessment
  • Threats are the cause
  • Nature Flood (Peterborough), Hurricane
    (Katrina/Louisiana), Ice Storm (Ottawa)
  • Political Terrorist Attacks (9-11-01), Unions
  • Engineered Viruses (Blaster)
  • Infrastructure Power Outage (Ontario)
  • Pandemics Virus (SARS)
  • Vulnerability
  • Probability
  • Severity

14
Risk Assessment
  • Risks relate to impact
  • Function disruption to one or many
  • Elapsed Time
  • Reach
  • Controls
  • Deterrent
  • Mitigates
  • Reduces

15
Risk Assessment Analysis
  • Develop worst case scenarios
  • Develop realistic scenarios
  • Controllable versus uncontrollable
  • Identify how risks necessary for conducting
    business operations and communication are
    impacted
  • Identify how threats and risks impact human
    safety and revenue generation
  • Preventive controls (security redundancy)
  • Reactive controls (failing to or restarting
    operations at a designated location)

16
Risk Template
17
Application Impact
18
Ten Worst Mistakes IT Staff Make
  • Connecting systems to the Internet before
    hardening them
  • Connecting systems to the Internet with default
    passwords (wireless issues)
  • Failing to update systems when vulnerabilities
    are found
  • Using telnet or other unencrypted protocols for
    network management
  • Giving network access over the phone/without
    authentication
  • Failing to maintain backups according to
    legislated archiving
  • Running misconfigured, unvalidated, security
    tools (hacker software, I/10)
  • Failing to implement or update antivirus software
  • Allowing untrained, uncertified users to take
    responsibility for securing important systems
    (accidental use of vendor bias / training)
  • Failing to train users on what constitutes a
    security problem
  • Source RCMP Technical Security Branch, 2002

19
Best Practice BCP Process
20
Business Impact Analysis
  • Exposure to loss over time
  • Direct versus Indirect
  • Cost to recover
  • Cost to avoid recovery
  • Business Process interdependencies
  • Workflow
  • Legal and Regulatory

21
Recovery Objectives
22
Business Impact Analysis
  • Recovery Point Objective (RPO)
  • The point in time your companys data is
    replicated or stored off-site
  • Doesnt mean data is not corrupt or synchronized
  • The frequency of initiating a RPO determines
    YOUR risk or data loss potential
  • Recovery Time Objective (RTO)
  • How long can you wait for certain functions to
    be restored?
  • Tie in RTO to manual process

23
DR SLA 101 for IT
24
Risk MitigationNo BCP
25
Risk MitigationWith BCP
26
Legal
  • Bill C-471, C-387
  • EI Wait period can be waived in Disaster Region
  • Bill C-6 PIPEDA
  • Personal Information Protection and Electronic
    Documents Act
  • Bill C-145 Westray
  • law to hold corporations, their directors and
    executives criminally accountable for the health
    and safety of workers

27
Vital Records Management
  • Legal
  • Audits, Financials, Intellectual Property,
    Privacy
  • Duplication
  • Electronic, Hard Copy
  • Off-Site Storage
  • Access, security, maintenance

28
Best Practice BCP Process
29
ITIL Definition
  • BCP is part of ITIL (IT Infrastructure Library)
    framework
  • Continuity management involves the following
    basic steps
  • Prioritizing the businesses to be recovered by
    conducting a Business Impact Analysis (BIA).
  • Performing a Risk Assessment (aka Risk Analysis)
    for each of the IT Services to identify the
    assets, threats, vulnerabilities and
    countermeasures for each service.
  • Evaluating the options for recovery.
  • Producing the Contingency Plan.
  • Testing, reviewing, and revising the plan on a
    regular basis.

30
BCM Design
  • How will you avoid recovery?
  • How will you recover?
  • How will you manage recovery?
  • Defined by RA and BIA
  • Interdependencies
  • Relates to RTO RPO

31
Planning Strategies
  • Perform a Business Impact Analysis (BIA).
  • Determine risk and cost of downtime by critical
    application or function.
  • Create a Business Continuity Plan (BCP).
  • Create a Disaster Recovery Plan (DRP).
  • Create a Business Recovery Plan.
  • Create a Business Resumption Plan.
  • Create a Contingency Plan.
  • Execute the Plans.
  • Test and adapt the plans regularly.

32
Technology
  • BC and DR Planning Software assist tools
  • iSCSI low cost network data transport
  • Vendor Support (Microsoft, Novell, HDS, EMC,
    SUN, STK, McData, CISCO, etc.)
  • Drivers Initiators, NICs, TOE
  • FAS data replication/compression
  • Protocols FC, FCIP, IFCP, iSCSI, TCP/IP, DWDM
  • Data Networks FAS, SAN, NAS
  • Data Recovery
  • Tape Backup
  • Archiving
  • Database log synchronization

33
Data Replication
34
Emergency Response
  • SC becomes Critical Management Team
  • Escalation Notification
  • Disaster declaration
  • Emergency Operations Centre (EOC)
  • Life Safety
  • Evacuation
  • Fire, Police, Medical
  • Security
  • Property and news media

35
Crisis Communication
  • Respond
  • Emergency Response Team
  • Contact lists (up to date)
  • Recover Operations
  • Departmental Recovery Teams
  • Damage Assessment Team
  • Restoration
  • Clean Up
  • Insurance, rebuild, fail back

36
Communicate with EXT Agencies
  • Plans to deal with local emergency services
  • Plans to deal with media
  • Plans to deal with volunteers
  • Contact Lists
  • Call them before they call you
  • Lists for internal response teams
  • Lists for restoration companies
  • Lists for short/long term staffing

37
Best Practice BCP Process
38
Detail Implement
  • Plan is now a program
  • BCP is part of business culture
  • Implement controls
  • Vital Records replication and storage
  • Information Technology
  • Physical Security
  • Clean Desk Policies
  • Test controls with scenarios

39
ControlsInformation Technology
  • Data Availability
  • Clustering Load Balancing
  • Data Replication Synch vs. Asynch
  • Data Compression
  • Off Site Storage Tapes, CD/DVD, WORM
  • Data Recovery Tape Backup
  • Intrusion Prevention/Detection
  • Anti-Virus, Anti-Spam, Firewalls
  • IP Surveillance

40
Strategy Focus
  • Embrace BCP as part of your culture
  • Be prepared
  • Educate and promote sponsorship
  • Human Safety
  • Security Physical, records, IT Network
  • Emergency Response
  • Maintain business infrastructure
  • Mission Critical Operations
  • Support Operations
  • Self Insurance as a strategy
  • Reactive effort is not protection, its wasteful
    and costly
  • Public Perception
  • Privacy Legislation
  • Compliance Legislation

41
Plan Structure
  • Cheat sheet with numbers on a business card sized
    doc.
  • Speed kills
  • Outside help to identify risks and costs saves
    time
  • One person owns editing on plan documents
  • Get a partner to review it and or test it with
    you
  • Keep main document short (no more than 4 pages)
  • Write the document yourself (youll understand it
    better)
  • Have backups to subject matter experts write
    content
  • Appendices for workflow functions owned by
    departments
  • Assume you will only have 50 of your staff to
    manage plan
  • Assume whomever uses plan knows something about
    your business and or applications
  • Assume you are on your own

42
Best Practice BCP Process
43
Application of the Plan
  • Exercise the Controls
  • Exercise different scenarios
  • Exercise by cross training
  • Communicate results
  • Update documentation
  • Audit requirements
  • Develop New Hire training
  • Develop general training

44
Resources
  • http//www.drii.org Disaster Recovery
    International
  • http//www.dri.ca DRI Canada
  • http//www.drj.com Disaster Recovery Journal
  • http//www.redcorss.ca Red Cross
  • http//www.fema.gov Federal Emergency Management
    Agency
  • http//www.overt.ca Ontario Volunteer Emergency
    Response Team
  • http//www.ocipep.gc.ca Public Safety and
    Emergency Preparedness Canada
  • http//www.drie.org Disaster Recovery
    Information Exchange
  • http//continuitycentral.com/itdr.htm Continuity
    Central

45
Are you prepared?
46
Questions?
Thank You!
47
Partner
Smart.
Write a Comment
User Comments (0)
About PowerShow.com