Business Continuity Planning

1
Business Continuity Planning
Presented By Ken Sherman, President/CEO
Continuity Solutions, Inc.
2
What is a Disaster?
Any Situation That Impedes On Day-to-Day
Operations

• Natural Disaster
• Tornadoes, severe winter storms, earthquakes,
  fires, dam failure, (floods and water leaks are
  statistically the number one threat), etc.
• Man-Made Disasters
• Disgruntled employees/spouses/significant others
• Disgruntled Students
• Hazardous material spills
• Terrorist (Foreign and Domestic)
• Construction workers cutting power communication
  lines
• Biological, chemical, nuclear devices
• Civil uprisings
• Technical Disasters
• Hackers, cyber-terrorism, power outages, voice
  and data communications line failure, software
  and hardware failures

3
All Kinds of Disasters
4
What is Disaster Recovery?
Business Continuity Program An ongoing process
supported by senior management and funded to
ensure that the necessary steps are taken to
identify the impact of potential losses, maintain
viable recovery strategies and recovery plans,
and ensure continuity of services through
personnel training, plan testing, and
maintenance. Business Continuity Planning (BCP)
Process of developing advance arrangements and
procedures that enable an organization to respond
to an event in such a manner that critical
business functions continue with planned levels
of interruption or essential change. MANY SIMILAR
TERMS Contingency Planning, Business
Resumption. IT Disaster Recovery Planning (DRP)
Process of developing advance arrangements and
procedures that enable an IT department respond
to an event in such a manner that critical
business functions continue with planned levels
of interruption or essential change.
5
Why Should You Develop A Business Continuity and
Disaster Recovery Plan?

• As a Leader in your College
• PROTECT YOUR REPUTATION

6
Why Should You Develop A Business Continuity and
Disaster Recovery Plan?

• Protect the Organizations Assets
• People, Equipment, Information (Data), Financial
• Minimize damage and loss
• Minimize confusion, indecision
• Instills confidence in staff and public
• Ensure employee and student welfare and safety
• Disaster Plan may be used for daily activities
• A Business Recovery Plan saves TIME and MONEY
  responding to disasters
• Deal with the media in an appropriate fashion
• Expedite the return to business as usual

7
Plan for Proper Decisions

• If You dont know where youre going, youre
  liable to end up someplace else -
• Yogi Berra

8
Business Continuity Planning Methodology
The Path To Successful Planning
Analyze Data
Interviews and Observations Data Collection
Project Planning, Schedule and Kickoff
Recovery Analysis Risk Assessments Business
Impact Analysis Recovery Strategy Options
Present Recovery Solutions Consider Viable
Options
Plan Development
Plan Testing Exercise Rehearsals
Plan Enhancement Plan Maintenance
9
RECOVERY ANALYSIS

• CONDUCT A BUSINESS IMPACT ANALYSIS
• A management level analysis that identifies the
  impacts of losing the entitys resources. The
  analysis measures the effect of resource loss and
  escalating losses over time in order to provide
  the entity with reliable data upon which to base
  decisions concerning hazard mitigation, recovery
  strategies, and continuity planning.

10
RECOVERY ANALYSIS

• UNDERSTANDING Business Impact Analysis(BIA)
• Describes the business functions at the process
  level
• Identifies critical equipment (all the equipment
  you need to operate in disaster mode)
• Frequency of operations/functions
• Continuously, annually, daily, weekly, etc.
• Identifies periods of high volume
• Financial, operational and service impacts
  identified
• Considers if job descriptions and operational
  procedures exist
• Sets business process priorities

11
RECOVERY ANALYSIS

• UNDERSTANDING Business Impact Analysis(BIA cont.)

• Recovery Time Objective (RTO) - The period of
  time within which systems, applications, or
  functions must be recovered after an outage (e.g.
  one business day). RTOs are often used as the
  basis for the development of recovery strategies,
  and as a determinant as to whether or not to
  implement the recovery strategies during a
  disaster situation.
• CLASSIFY Priorities
• Priority One, Two, Three, Four, Five
• Many organization use terms like Continuous
  Availability
• High Availability, Highly recoverable, Less
  Critical to classify
• priorities business and computing priorities.
• Consider classifying new systems and operations
  as they
• evolve, turn BIA into part of the
  organizations lifecycle.

Recovery Point Objective (RPO) - The maximum
amount of data loss an organization can sustain
during an event.
12
RECOVERY ANALYSIS

• UNDERSTANDING Business Impact Analysis(BIA cont.)
• Identifies Functions Interfaces and
  Interdependencies
• Identifies automated or manual transactions from
  other applications or systems
• Internal departmental external companies
  (input-output)
• Identifies if written manual procedures exist
• Are they tested? Are associates trained to use
  them?
• Is extra staff required for later data input or
  job function?
• Number of Employees in Department
• Number of shifts, which is most important?
• Does each shift perform the same function or
  task?
• Considers the minimum number of people needed to
  accomplish tasks in Disaster Mode?

13
Business Continuity Methods

• Backup and Restore of Information
• NO DATA NO RECOVERY

14
Business Continuity Methods

• Information Media Recovery
• Microfiche
• SHOULD be backed up and stored OFF-SITE
• Paper Records
• Use fire proof filing or fire resistant filing
  cabinets
• Use an imaging system
• Critical stand alone pcs are they backed up?
• Backup nightly - critical files to network
  storage, tape, or CD/DVDs be careful while
  conducting incremental backups.
• Severs and Storage Networks - Is the IT
  department doing their job right? Are nightly
  backups tested?, Offsite storage, NAS (network
  attached storage, SAN (storage area networks)
• Off-Site storage facility should be used for
  paper documents, CDs, Tapes, etc. (test your
  storage provider ask for a backup tape
  periodically)
• Fire proof vault for cash, checks, blank checks,
  contracts, insurance policies, etc.

15
RECOVERY ANALYSIS

• QUESTION
• What is the best way to recover from a Disaster?
  
•        

16
RECOVERY ANALYSIS

• ANSWER
• Never have one in the first place!
•        
• CONDUCT A RISK ASSESSMENT

17
RECOVERY ANALYSIS

• How to Prevent Disasters
• Identify Hazards That May Cause A Disaster
• Mitigate The Identified Hazards

18
RECOVERY ANALYSIS

• CONDUCT A RISK ASSESSMENT
• Identifies vulnerabilities and ranks
  hazards/threats
• Examines all possible risk sourcesphysical
  security, systems security, facility, location,
  surrounding area
• The report will prioritize findings and
  recommendations for mitigation consideration
• GFIs LanGuard and Microsofts Security
  Assessment Tools are recommended starting points
  for computer security risk assessments
• COLLEGE RISKS WORKSHOP
• When students submit an application, where does
  their personal data
• flow and is it protected?
• When people are hired, how is their personal data
  transmitted from human resources to payroll and
  other departments, and what is being done to
  protect their information?

19
RECOVERY ANALYSIS

• CONDUCT A RISK ASSESSMENT
• Some Items To Assess
•  
• Uninterrupted Power Supplies and Power Generators
• In a secured location,
• Is it tested regularly
• Fuel contract (refill after testing) and a major
  supplier of fuel and an alternate    
• Fire Suppression System
• Wet or dry pipes
• Fire extinguishers and usage training

20
RECOVERY ANALYSIS

• CONDUCT A RISK ASSESSMENT
• Items To Assess
• Physical facility security
• Electrical power grid feeds
• Telecommunication central offices used
• Multiple voice and data communication providers
  routing through same central office
• Evaluation of data center and network security
  vulnerabilities
• Virus protection,trojans, worms, adware/spyware
  detection, unnecessary open ports and services
  being used on servers and workstations and
  network equipment, identify opportunities hackers
  would use to attack your network
• Physical facility security, backup validation and
  off-site storage rotation schedules
• Evaluate the security of vital records and one of
  a kind documents
• Insurance (do you have enough and the right
  coverage)

21
RECOVERY ANALYSIS

• DETERMINE RECOVERY STRATEGIES
• Alternate site arrangements
• Communications and network equipment
• Unique and/or irreplaceable equipment
• Resources staff, operations support, office
  supplies, life support
• (food, water, shelter)
• Emergency relocation costs
• Unique and/or irreplaceable equipment
• Environmental and off-site requirements
• Identification and suspension of non-critical
  functions or tasks
• Implementing manual processing functions and
  tasks
• (is this realistic in the aftermath?)
• Recovery facilities should be at least 30-60
  miles away from the primary site
• Consider different power grids and telecom points
  of presence

22
RECOVERY ANALYSIS

• DETERMINE RECOVERY STRATEGIES
• Use internal methods when possible - use your own
  facilities first
• Alternate site arrangements
• Hot Site Vendor Hot Site, Shared Hot Site,
  Company Owned Hot Site, Mobile Facilities
• Service Bureau, Office or Warehouse Space,
  Reciprocal Agreement, Equipment Leasing, Drying
  Companies and Emergency Cleaning Companies
• Cold Site, Warm Site, Work Area Recovery (Call
  Centers, Mail Room, Specialized Equipment)
• Networking and Telephone Considerations
• Continuous and High-Availability
• Mirroring, Replication, Clustering
• E-Vaulting, Disk to Disk (SAN, IP SAN, NAS, ATA)
• Collocation Facilities
• Grid Technology - supports distributed processing
  
• connecting multiple organizational sites,
  devices and platforms transparently, Grid is
  designed to assist in recovery from system
  failures

23
Business Continuity Planning

• Plans Must be DOCUMENTED
• Invisible Plans don't work

24
Business Continuity Methods

• Developing the Business Continuity Plan
•  
• Bring the research, analysis, strategies,
  procedures and recovery team assignments together
• Tasks managed and controlled at the Command
  Center location
• Contains recovery team(s) information
• Detail the entire emergency response/crisis
  management process
• Contains contact information and notification
  procedures
• Detail tasks and responsibilities
• Further identification of critical operations,
  functions and/or computer applications and how
  they will be recovered
• Specify business process recovery and restore
  requirements
• Specify software recovery and hardware
  configuration requirements
• Specify off-site storage location for your data
  and vital documents
•    

25
Business Continuity Methods

• Developing the BCP (cont.)
•  
• Detail recovery task sequence and functional
  interdependencies
• Identify everything that might be needed to
  perform part of the process teams of people,
  equipment, transportation, support items, support
  providers, etc.
• Contain all procedures that might be used in the
  recovery process
• Contain a list of all vendors, service providers
  you will need to support your recovery strategies
• Contains a list of critical customers to contact
• Contain standard forms (POs, Blank Checks, Travel
  Advances etc.), supplies and documents
• Moving from Disaster Mode to Normal

26
Business Continuity Methods

• Developing the BCP (cont.)
• Scenario Based Planning
• Plan for worst case disasters first (smoking
  hole)
• Scenario Based Plans
• Manage day-to-day risks that may become disasters
• DETAILED recovery procedures developed to
  mitigate lacking recovery strategy
• Business Function examples
• Work at home/telecommute, trailers, office space,
  operating procedures,
• machinery and equipment.
• Information systems
• Wiring and networking closets, hubs, routers,
  software failures, switches,
• firewalls, disk drives, power outages, turnkey
  systems, data communications
• and network security breaches

27
Business Continuity Testing

• Plan Exercising The Plan is Alive
• Before any recovery plan can be considered
  complete, it must be validated. Plan testing is
  a practice recovery it allows you to validate
  the strategies, procedures and recovery team
  structures documented in your recovery plan.
  Plan testing normally consists of a mock disaster
  scenario or moving your critical applications to
  an alternate facility. We recommend that your
  recovery teams participate fully in the plan
  rehearsal, to validate team structures and
  responsibilities.

28
Business Continuity Planning Lifecycle and Plan
Maintenance
Component Testing
Plan Review
Integrated Standards Planning and Testing
Update Plan
Awareness Training
Exercise Plan
Perform Maintenance Schedule
29
HOW DO I GET FUNDING?

• Budget for it
• Ask Emergency Manager
• Federal Grants State Grants
• Homeland Security Money
• U.S. DEPARTMENT OF HOMELAND SECURITY ANNOUNCES
  EIGHT PERCENT INCREASE IN FISCAL YEAR 2008 BUDGET
  REQUEST
• State Colleges should apply for grants to
  accomplish Business Continuity Planning for
  Equipment and Plans.
• Many grants give Colleges money to educate on
  topics concerning Homeland Security however do
  not allocate money for actual Business Continuity
  Planning.

30
Business Continuity Planning Federal
Guidelines

• Continuity of Operations (COOP)
• COOP provides guidance on the system restoration
  for emergencies, disasters, mobilization, and for
  maintaining a state of readiness to provide the
  necessary level of information processing support
  commensurate with the mission requirements/priorit
  ies identified by the respective functional
  proponent. This term is traditionally used by the
  Government and its supporting agencies to
  describe activities otherwise known as Disaster
  Recovery, Business Continuity, Business
  Resumption, or Contingency Planning.
• Continuity of Government (COG)
• COG ensures the command and control of response
  and recovery operations as well as continuance of
  basic governmental functions. Key governance
  functions include legislative activities and the
  capability for elected officials to convene and
  operate in a safe location in accordance with
  local requirements.

31
Business Continuity Planning Federal Guidelines

• NFPA 1600
• Standard on
• Disaster/Emergency Management
• and
• Business Continuity Programs
• 2007 Current Edition
• Published by FEMA, NEMA, IAEM,
• Establishes a common set of criteria for disaster
  management
• emergency management, and business continuity
  programs.

32
Business Continuity Planning Guidelines

• National Incident Management System
• (NIMS)
• System recommended by Local, State, Federal
  Government Officials for managing many types of
  disasters.
• Incorporate NIMS into the Command Center Guide
  portion of Business Continuity Plan so the
  College Disaster Manager can speak the language
  of Emergency officials like Fire Department,
  Emergency Medical Technicians, Police and Bomb
  Squad.

33
Business Continuity Planning Guidelines

• WHEN PRIVATE PLANS GO PUBLIC
• Many College,Universities and Government agencies
  have parts of their disaster plans available for
  ANYONE to see via the internet.
• Templates and ideas are available
• Security Breach (keep plans, status of plans and
  ideas for plans off the internet)

34
Business Continuity FAMILY FIRST

• PEOPLE RECOVER
• FROM DISASTERS
• NOT COMPUTERS!

35
Discussion Thank You
Thank YOU for attending this presentation
Continuity Solutions, Inc. 6649 North
High Street Worthington Ohio 43085
(614)-885-5001 www.csigroup.cc