Business Continuity and Disaster Recovery

1
Business Continuity andDisaster Recovery

• The very least you should be doing
• By Mike Wade, GOUSER Member
• Adjunct Professor, Southern Polytechnic State
  University
• mwade2_at_spsu.edu

2
Business Continuity

• Business Continuity is the enterprise-wide
  proactive BUSINESS process by which we manage the
  risks we operate within.
• It addresses all aspects of the business People,
  Processes, Resources and Technology (PPRT)
• The goal is preventing or mitigating the risks
  we can and preparing for recovery from those we
  cannot, or choose not to prevent.
• Preparation is the key You fight like you train!

3
Business Continuity consists of

• Chartering of BC activity
• Establishment of Cross-Functional Team(s)
• Inventory of People, Processes, Resources and
  Technology (PPRT)
• Risk/Threat Identification and Categorization
• Impact Analysis and Loss Estimation
• Prevention, Mitigation and Recovery Strategizing
• Gap Analysis and Resolution Planning
• Resolution Preparation, and Implementation
• Documenting, Communicating and Training
• Testing and Revision Ad-nauseam

4
Disaster Recovery

• Disaster Recovery is but one component of
  Business Continuity
• It consists of the response steps we take in the
  face of an impending disaster or in the aftermath
  of an actual disaster.
• It too addresses all aspects of the business
  People, Processes, Resources and Technology
  (PPRT)
• The goal is Preparing for recovery from those
  risks we cannot prevent or mitigate.
• Drilling is the key You have to work your plan
  to know your plan works!

5
Disaster Recovery consists of

• Development of a plan to appropriately address
  each category of Risk/Threat
• Including
• Establishment of the Recovery Team(s)
• Development of Recovery Procedures
• Training of the Recovery Team(s)
• Change Management to keep plan current
• Provision of Necessary Resources (Beans, Bombs
  and Bubbas)
• Arrangement for alternate technology platform,
  and retrieval of backup data

6
Some Terminology

• Charter, Plan, Recovery Procedures
• PPRT People, Process, Resources, Technology
• Classification Type, Scope, Duration, Impact
• Declaration Legal and Financial Implications
• Likelihood, Frequency, MTBF
• RTO Recovery Time Objective
• Hot, Warm, and Cold Recovery
• On-Site versus Off-Site, (and Escrow)
• Failover versus Recovery

7
The Disaster Event Lifecycle

• Vigilance, and Advanced Event Prediction
• Event Detection, Identification and
  Categorization
• Declaration of Disaster and Invocation of DR Plan
• Implementation of Appropriate DR Response
  Activities
• Operation under DR Plan
• Recovery or Replacement of Impacted Assets
• Return to Normal Operations
• Stand-Down of DR Response
• Reset of DR Arrangements Restock Supplies, etc
• Review of Response, Revision of DR Plan

8
Sample DR Plan Organization

• Section 1 Introduction
• Section 2 Document Control
• Section 3 Recovery Phase 1 Vigilance,
  Identification, Categorization and Declaration
• Section 3 Recovery Phase 2 Initial Recovery
  Partial Capacity
• Section 3 Recovery Phase 3 Full Recovery Full
  or Required Capacity
• Section 3 Recovery Phase 4 Stand Down Return to
  Normal Operations, Deactivation of Recovery
• Section 3 Recovery Phase 5 After Action Review
  and Plan Revision
• Section 4 References and Resources
• Section 5 Directory of Appendices
• Section 5-1 Appendix 1 Staff Contact List and
  Kris-Cross Calling Tree
• Section 5-2 Appendix 2 Vendor Contacts
• Section 5-3 Appendix 3 Communication Plan
• Section 5-4 Appendix 4 Platform Specifications
  and Vendor Re-Order Forms
• Section 5-5a Appendix 5a Platform Description
  Install and Configuration
• Section 5-5b Appendix 5b 2K3 Server Install and
  Configuration
• Section 5-5c Appendix 5c DB Server Install and
  Configuration
• Section 5-5d Appendix 5d Web Server Install and
  Configuration
• Section 5-5e Appendix 5e Rpt Server Install and
  Configuration
• Section 5-5f Appendix 5f Application Install
  and Configuration

9
So, lets look at a sample DR Plan
10
A Few Grey Beard Items

• The person or asset you need most will become
  unavailable to you! Have a succession plan for
  every role, a plan Bs for every asset or
  resource, and default instructions for everyone
• What if Atlanta went away? Think
  extra-regionally!
• You may have to live with your recovery platform
  longer than you think!
• Have arrangements for everything youll need in
  the event of a real emergency, you will be in
  competition for the stuff you need with every
  other business and organization impacted

11
In Summary

• Real BC/DR is a methodical process for
  identifying and managing risks and threats to
  your organization
• It is primarily a business question, not a
  technical one
• Your BC/DR Plan must address People, Process,
  Resources, then Technology what good is it to
  have a system and no one to use it?
• Your Plan should be based on a rational
  assessment of risks and impacts and you may
  choose skip some risks
• Test, Drill, and then Test again it builds
  confidence that your plan might work and helps
  people learn their role
• Build your plan iteratively dont wait until
  you have boiled the ocean before you make that
  first cup of tea
• And last, but certainly not least Your business
  does not stand still so neither can your BC/DR
  Plan Review and Revise, and integrate with your
  Change Management organization if you have one.

12
Bibliography
13
Books I Own and Use

• Business Continuity Planning A Step-by-Step
  Guide with Planning Forms on CD-ROM, Third
  Edition by Kenneth L. Fulmer, Philip Jan
  Rothstein (Editor) (Paperback - October 2004)
• Excellent book with lots of practical examples
  
• Disaster Recovery Planning For Computers and
  Communication Resouces by Jon William Toigo
  (Paperback - December 21, 1995)
• Excellent book with example forms on disk
• Writing Disaster Recovery Plans for
  Telecommunications Networks and Lans (Artech
  House Telecommunications Library) by Leo A.
  Wrobel
• Computer Control and Audit Rev. ed., Mair,
  William C., Donald R. Wood and Keagle W. Davis,
  Altamonte Springs, FL The Institute of Internal
  Auditors, 1978.
• Donald A. A. Watne Peter B. B. Tunney Peter B.
  Turney Auditing Edp Systems (2nd ed) Prentice
  Hall Professional Technical Reference, 1990. 2nd
• Backup and Restore Practices for the Enterprise
  (Paperback) by Stan Stringfellow, Miroslav
  Klivansky, Michael Barto Publisher Prentice
  Hall PTR 1st edition (August, 2000)
• Good reference models for tape/volume rotation
  

14
Books on Backup and Recovery

• Implementing Backup and Recovery The Readiness
  Guide for the Enterprise (Paperback) by David B
  Little, David A. Chapa, David B Little, David A.
  Chapa Publisher Wiley 1st edition (May 16,
  2003)
• The Backup Book Disaster Recovery from Desktop
  to Data Center (Paperback)by Dorian Cougias
  Publisher Schaser-Vartan Books Third edition
  edition (July 1, 2003)
• UNIX Backup and Recovery (Paperback)by W. Curtis
  Preston Publisher O'Reilly 1 edition (December
  15, 1999)

15
Books on Computer SystemAudit and Control

• Computer Audit, Control, and Security (The
  Wiley/Institute of Internal Auditors professional
  book series) by Robert R. Moeller
• Computer control audit guide by J. Efrim Boritz
  
• Computer Control and Audit by John G. Burch,
  Joseph L. Sardinas
• Computer Control and Audit by William Mair
• Computer Audit and Control Handbook by I. J.
  Douglas, I.J. Douglas (Hardcover - May 1, 1995)
• Audit and Control of Computer Networks by I.J.
  Douglas, P.J. Olson
• Audit and control of computer systems by Elise G
  Jancura

16
Books on BC and DR pg 1 of 4

• Disaster Recovery Handbook, The A Step-by-Step
  Plan to Ensure Business Continuity and Protect
  Vital Operations, Facilities, and Assets by
  Michael Wallace, Lawrence Webber (Hardcover -
  July 2004)
• Disaster Recovery and Business Continuity
  (Version 2.1) by Steven Weil, et al (Paperback -
  April 2004)
• Business Continuity, Disaster Recovery, and
  Incident Management Planning A Resource for
  Ensuring Ongoing Enterprise Operations by Albert
  J. Marcella (Paperback - January 2004)
• Disaster Recovery and Business Continuity
  Step-by-Step by Mark T. Edmead (Editor)
  (Paperback)
• Contingency Planning and Disaster Recovery A
  Small Business Guide by Donna R. Childs, Stefan
  Dietrich (Hardcover)
• Business Continuity Planning Methodology by
  Akhtar Syed, Afsar Syed (Paperback - November
  2003)
• A Primer for Disaster Recovery Planning in an IT
  Environment by Charlotte J. Hiatt (Paperback)
• Business Continuity Best Practices--World-Class
  Business Continuity Management, Second Edition by
  Andrew Hiles (Paperback - December 2003)

17
Books on BC and DR pg 2 of 4

• Disaster Recovery Planning For Computers and
  Communication Resouces by Jon William Toigo
  (Paperback - December 21, 1995)
• A Guide to Business Continuity Planning by James
  C. Barnes (Hardcover - June 27, 2001)
• The Definitive Handbook of Business Continuity
  Management by Andrew Hiles (Editor), Peter Barnes
  (Editor) (Paperback - April 18, 2001)
• Business Continuity by Martin Wieczorek (Editor),
  et al (Paperback - June 15, 2002)
• PC Disaster and Recovery by Kate J. Chase
  (Paperback - December 30, 2002)
• Disaster Planning and Recovery A Guide for
  Facility Professionals by Alan M. Levitt
  (Hardcover - April 4, 1997)
• The Backup Book Disaster Recovery from Desktop
  to Data Center by Dorian Cougias (Foreword), et
  al (Paperback - July 1, 2003)
• Business Continuity Planning and HIPAA Business
  Continuity Management in the Health Care
  Environment by James C. Barnes, et al (Paperback
  - August 2004)
• Disaster Survival Guide for Business
  Communications Networks by Richard Grigonis
  (Paperback - April 2002)

18
Books on BC and DR pg 3 of 4

• Disaster Recovery Planning A Guide for
  Facility Managers by Joseph F. Gustin (Hardcover
  - July 1, 2004)
• Integrated Business Continuity Maintaining
  Resilience in Uncertain Times by Geary W. Sikich
  (Hardcover - January 1, 2003)
• Avoiding Disaster How to Keep Your Business
  Going When Catastrophe Strikes by John Laye
  (Hardcover - August 16, 2002)
• Building a Comprehensive Disaster Recovery Plan
  by Info-Tech Research Group (Spiral-bound -
  September 2003)
• Disaster recovery testing Exercising your
  contingency plan by Philip Jan Rothstein
  (Paperback - October 1, 1995)
• Business Continuity Planning Protecting Your
  Organization's Life by Ken Doughty (Editor)
  (Hardcover - September 11, 2000)
• Disaster Recovery (Networking) by Mathew Varghese
  (Paperback - October 7, 2002)
• Business Continuity Management by Dominic Elliott
  (Editor), et al (Paperback - December 15, 2001)

19
Books on BC and DR pg 4 of 4

• Practical Guide To Business Continuity Assurance
  (Artech House Technology Management Library) by
  Andrew McCrackan (Hardcover - October 31, 2004)
• Manager's Guide to Contingency Planning for
  Disasters Protecting Vital Facilities and
  Critical Operations by Kenneth N. Myers
  (Hardcover - August 27, 1999)
• Administrator's Guide to Disaster Planning and
  Recovery, Volume 2 (includes CD-ROM) by
  TechRepublic
• Surviving PC Disasters, Mishaps, and Blunders by
  Jesse Torres, Peter Sideris (Paperback - January
  24, 2005)
• Call Center Continuity Planning by Jim Rowan,
  Sharon Rowan (Paperback - December 8, 1998)
• Disaster Proofing Information Systems A
  Complete Methodology for Eliminating Single
  Points of Failure by Robert W. Buchanan
  (Paperback - November 26, 2002)
• Disaster Management and Preparedness by Thomas D.
  Schneid, Larry Collins (Hardcover - November 22,
  2000)