Contingency Planning for Your Business

1
Contingency Planning for Your Business
August 12th 2009
Presented to
Government Procurement Conference 2009
Presented by
Alton Smith Director of Technology
2
About Me

• Director of Technology (Crystal Connections)
• Sr. Systems Engineer Global Systems Integration
  (Cisco Systems)
• Practice Consultant (Unisys Corporation)
• Sr. Systems Engineer (Hypercom Communications)
• Sr. Network Engineer (American Airlines
  SabreNet)
• Manager Voice Data Networks (Overhead Door
  Corporation)

3
Agenda

• Business Contingency Planning
• Disaster Recovery Planning
• Vital Statistics
• Data backup scenarios
• QA

4
Planning is critical

• Business Contingency
• Business Contingency describes the processes and
  procedures an organization puts in place to
  ensure that essential functions can continue
  during and after a disaster. Business Contingency
  planning seeks to prevent interruption of
  mission-critical services, and to reestablish
  full functioning as swiftly and smoothly as
  possible.

5
Things to consider in your plan

• Business Contingency Process
• Risk Management
• Business Impact Analysis
• BC Strategy Development
• BC Plan Development
• BC Plan Testing
• BC Plan Implementation/Maintenance

6
Statistics
The survey found that 36 percent of IT
departments changed their backup and restore
procedures and disaster recovery planning efforts
post 9/11. The most common changes include
establishing regular testing procedures (56) and
moving data backup offsite (43). However, at
least 30 percent of companies surveyed still
operate without a formal disaster recovery
plan.11
7
Are You Prepared?
8
Where do you start?
9
Where do you start?

• We have to take a couple of steps back to get an
  adequate idea of where to start
• A backup strategy is part of your Disaster
  Recovery (DR) plan.
• Disaster Recovery is concerned with the recovery
  of computer assets that include servers,
  computers, data, networks infrastructure, and
  other computer related assets.
• A DR plan is part of your Business Contingency
  (BC) plan.

10
Where do you start?

• Business Contingency
• Business Contingency describes the processes and
  procedures an organization puts in place to
  ensure that essential functions can continue
  during and after a disaster. Business Contingency
  planning seeks to prevent interruption of
  mission-critical services, and to reestablish
  full functioning as swiftly and smoothly as
  possible.

11
 Where do you start?

• Business Contingency Process
• Risk Management
• Business Impact Analysis
• BC Strategy Development
• BC Plan Development
• BC Plan Testing
• BC Plan Implementation/Maintenance

12
Where do you start?

• Risk Management
• Risk management is a preventative approach or
  method to proactively assess and selectively
  control risk factors that can otherwise lead to
  injuries, loss of life, business interruptions,
  legal consequences, or financial losses. The goal
  is to assess the risk to Business Contingency in
  terms of a possibility of a disaster, potential
  disaster impacts and then to assess the risk and
  then to ultimately control the risk.

13
 Where do you start?

• Business Impact Analysis (BIA)
• This involves the analysis of the potential
  operational and financial impact to business from
  an unexpected disaster or a disruptive event in
  order to identify mission-critical business
  functions and processes (facilities, personnel,
  IT, product/service operations, and financial
  administration). The goal is to not only analyze
  the critical business process, but to identify
  recovery requirements.

14
 Where do you start?

• BC Strategy Development
• During this stage, a set of alternative recovery
  options are generated that satisfy requirements
  for maintaining Business Contingency in the event
  of disruption to critical systems, services and
  resources. The goal here is to identify options
  in order to select the most cost effective method
  to achieve recovery.

15
 Where do you start?

• BC Plan Development
• The Plan Development brings together the previous
  three stages. It documents those steps needed to
  keep the business up and running. It is going to
  do the following
• Outline the Disaster Recovery (DR) plan for IT
  assets
• Give procedures to recover disrupted processes
  and resources in a safe and timely manner
• Develop/identify recovery strategies, objectives
  and resources (with contact information) and
  responsibilities
• Develop evacuation and shelter-in-place plans,
  including procedures for support after the
  disaster
• Document a crisis communications plan
• Develop and document emergency procedures for
  employees and stock emergency supplies

16
Where do you start?

• BC Plan Testing
• Plan Testing can be elaborate or simple. Testing
  can include checklist walk-throughs to make sure
  all aspects are covered to disaster drills and
  simulations.

17
 Where do you start?

• BC Plan Implementation/Maintenance
• New equipment will be incorporated into the
  business. Personnel changes occur. New
  regulations are implemented. All of these are
  reasons to re-evaluate the plan and make changes
  as needed. The plan should be a living document.

18
Where do you start?

• Benefits of BC
• Prevent damage to critical resources before a
  disaster happens
• Minimize damage to critical resources during and
  after disaster
• Protect Your Reputation
• Comply with Rules and Regulations
• Protect Your Patients
• Protect Your Revenue Flows
• Provide Safety of Employees
• Minimize legal liability 

19
 Where do you start?

• A piece of advice
• Start small
• Pick two or three key business principles
• Go through as many of the steps as possible
• The goal is to preparesomething is better than
  nothing. If you do not start, you will never get
  anywhere.

20
DRs role in BC

• DR is just one component to BC
• Backup is just one part of DR
• However, your BC is incomplete without a a
  successfully implemented DR plan with a well
  thought out backup strategy.

21
WARNING
The information you are about to see and hear is
very graphic in nature and may not be suitable
for most small business owners.
22
(No Transcript)
23
Business Contingency is Key
\\\ 93 of companies that lost their data for
10 days or more due to a disaster filed for
bankruptcy within one year of the disaster.
(National Archives Records Administration in
Washington) \\\ 34 of companies fail to test
their tape backups, and of those that do, 77
have found tape back-up failures. (The Gartner
Group) \\\ In 2006, IT executives list the top
three priorities on their to-do list as
technological fixes including data backup
(PricewaterhouseCoopers)

• CD-based backups
• Leave them in server
• Take them home
• Quality issues

• Backup tapes
• Many failure points
• Continually backing up to same physical
  tape
• Fail to verify recoverability

• Backup process
• None
• Inconsistent
• Not verified
• Access is limited

24
Are You Really Prepared?
6 of all PCs will suffer an episode of data loss
in any given year. Given the number of PCs used
in US businesses in 1998, that translates to
approximately 4.6 million data loss episodes.1
25
(No Transcript)
26
Statistics

• According to Gartner, the average business has 87
  hours of downtime a year.
• Average Cost of Downtime per Hour
• Overall average - 42,000
• Brokerage Operation 6.5M
• Credit Card/Sales Authorization 2.6M
• Pay per View Television 1.1M
• Airline Reservations 89,500
• Small to medium business 1,100 

27
Statistics
Lost data has an impact. The Computer Security
Institute estimates that it costs an average of
32,000 to replace data and proprietary
information on stolen computers. Typically, that
is three times the cost to recreate the data than
it did to create it originally.
28
Revenue costs
The bottom line lies in the bottom dollar.
When you lose your data, you lose your ability
to maintain your profitability in the face of the
inevitable disaster. If you can not invoice
your customers, they will not pay.
29
Are You Really Ready?

• Reasons
• Environmental Disaster
• The Human Factor
• Hardware Failure
• Compliance
• Data is Growing
• Breeches

30
(No Transcript)
31
Statistics
Nearly 44 of all data losses that occur are
attributed to a faulty hard drive or a head
crashThe hard drive has an estimated lifespan of
3 years.2
32
(No Transcript)
33
Statistics

• 93 of companies that lost their data center for
  10 days or more due to a disaster filed for
  bankruptcy within one year of the disaster.
• 50 of businesses that found themselves without
  data management for this same time period filed
  for bankruptcy immediately.3

34
Are You Really Prepared?

• Key causes of data loss
• 78 Hardware or System Malfunction
• 11 Human Error
• 7 Software Corruption or Program Malfunction
• 2 Computer Viruses
• 1 Natural Disasters
• 1 Other4

35
(No Transcript)
36
Statistics

• Natural disasters have quadrupled over the last
  two decades from an average of 120 a year in the
  early 1980s to as many as 500 today.5

37
(No Transcript)
38
Disasters Happen

• The number of people affected by all disasters
  has risen from an average of 174 million a year
  between 1985 and 1994 and to 254 million a year
  between 1995 and 2004. 5

39
(No Transcript)
40
Are You Really Prepared?

• Six fold increase in floods since 19805

41
Are You Really Prepared?

• Wind-storms have risen from 60 to 1980 to 240
  last year. 5

42
(No Transcript)
43
Are You Really Prepared?

• Unprecedented rise in geothermal events.
• Earthquakes
• Landslides
• Sinkholes
• Tsunami

44
Are You Really Prepared?
According to a 2004 Wall Street Journal
report, more than 83 of all critical data loss
is due to some form of human error.
45
The Human Factors

• Unhappy employees can
• Steal data
• Bring systems down
• Damage hardware
• Load malicious software
• Think about this, work place violence is on the
  rise. That is active aggression. What keeps
  those that are unhappy from acting out passive
  aggression by taking it out on your computer
  networkand your data?

46
Causes of Data Loss

• Hard Drive Failures
• Storage array errors
• Power Issues (Surge and Sag)

47
Database Data
Forrester Research estimates that enterprises
have doubled the number of mission-critical
databases applications in the past five years.
48
Know your Data
49
How much when it happens

• Data recovery starts at around 250 for a
  non-damaged hard drive with deleted data.
• When we start looking at a damaged drive, the
  price increases exponentially into the range of
  250 an hour. A recovery of a large drive could
  be 50 hours of work. Do the math

50
Fully understanding your technology choices

• Tape
• External Hard Disk
• SAN/NAS device
• Other External Devices
• Optical Media
• Televaulting

51
Tape

• Pros
• Most widely used and supported
• Scalable solution
• Many options for hardware/software applications
• Mid Level cost (High entry cost and low
  maintenance cost until hardware replacement is
  needed)
• Decent reliability
• Constantly increasing capacity

52
Tape

• Cons
• No real way to verify backups worked without
  actually doing data restores
• Tapes are very susceptible to environmental
  hazards such heat, dust, and moisture.
• Tapes must be replaced often because they wear
  poorly.
• Human error. The biggest issue around tape is
  that they have to be manually touched and rotated
  and must be moved offsite in order to have
  separation from main equipment in case of
  disaster. Reliable tape storage can be expensive.
• No data encryption by default which can put data
  from lost tapes in the wrong hands
• While there are ways of automating tape backup,
  with automation comes added hardware and
  software even then there must be some type of
  human contact.
• Linear read can have relatively long write and
  read times
• Technology changes very quickly, making upgrades
  a necessity

53
External Hard Disk

• Pros
• Includes backup software 
• Range of storage options 
• Portable
• Increased speed when compared to tape because of
  non-linear read and write
• Capacities of 1 TB and beyond

54
External Hard Disk

• Cons
• You must invest in the hardware, and in some
  cases, disks as well
•  Moving data offsite may mean carrying an
  unencrypted drive full of our data
• Moving the data offsite also relies on a high
  level of human interaction

55
SAN/NAS (Network Storage Array)

• Pros
• High Speed
• Highly Scalable
• Site replication is possible
• Degree of fault tolerance by using RAID 5 in the
  disk arrays

56
SAN/NAS (Network Storage Array)

• Cons
• Potentially extremely high front investment
• Requires dedicated IT personnel to support it
• Requires rack and server space
• Ideally, deserves a data room with redundant power

57
Optical Media

• CDs and DVDs
• Pros
• Cheap Media
• Potential storage of multiple GB on a single
  BluRay Disk
• Fast read/write
• Hard ware can be relatively inexpensive

58
Optical Media

• CDs and DVDs
• Cons
• Media holds up to heat very poorly
• Limited space on CDs
• High reliance on the human factor to move data
  offsite.
• Large amounts of media created after time due to
  rewritable cost more
• Media must be labeled
• Encryption is not the standard for creating the
  backup
• Drives can be costly
• 10 year shelf life
• Must purchase backup software for automation

59
Other External Devices

• USB Flash Drives, ZIP Drives
• Pros
• Inexpensive
• Easy to use
• Very reliable data integrity
• Quick backup and restore

60
Other External Devices

• USB Flash Drives, ZIP Drives
• Cons
• Relies heavily on manual backups, making
  automation hard to attain without the purchase of
  additional software
• The human factor is high relying on workers to
  not lose media and to take it offsite
• With capacity comes price
•  Small drives can be lost or stolen easily

61
Televaulting
62
Televaulting

• Pros
• An automated process
• Offsite instantly
• Offsite backup providers have powerful servers
  with fault tolerant storage and facilities with
  power back up
• No software or hardware acquisition or
  maintenance
• Potentially high level of security through strong
  encryption
• Quick and easy restores of single files or
  multiple directories
• Reduces the burden on the IT staff
• Virtually no capital expenditures

63
Televaulting

• Cons
• Contracts
• Reliance on Internet connection
• Initial Backup will be lengthy

64
5 Things to Take Back with You

• Know your data
• Have a plan
• Automate your backups
• Store your backups offsite
• Dont put your all eggs in one basket Vary your
  backups depending on its critical nature

65
References Used

• The Cost Of Lost Data, David M. Smith
• Top Causes of Data Loss, by James Walsh
  http//www.articlegold.com/Article/Top-Causes-of-D
  ata-Loss/38322
• National Archives and Records Administration in
  Washington
• http//www.ontrack.co.uk/datarecovery/dataloss.asp
  
• Disasters Escalating, Says Oxfam Contingency
  Insights November/December 2007Volume 5, Number
  6
• HIPAA Compliance and Disaster Recovery -
  TechRepublic, February 13, 2006
• Sepaton launches Enterprice VTL InfoStor
  December 2007 Volume 11No. 12
•  Numbers Sheet, CRN November 12, 07 Issue
  1253
• http//www.privacyrights.org/ar/DataBreaches2006-A
  nalysis.htm
• http//etiolated.org/
• http//www.imation.com/en_US/main.jhtml?Id71_01_0
  2
• http//www.engadget.com/2005/02/24/tell-us-your-wo
  rst-data-disaster-and-win-meminas-2gb-pocket/
• The Data Dilemma Best Practices Contingency
  Insights November/December 2007Volume 5 Number
  6
• Why users opt for online backup? InfoStor
  November 2007 Volume 11 No. 11
• ITs new dirty little secret InfoStor
  October 2007Volume 11No. 10
• Its Not Business as Usual Business Contingency
  April 2002

66
Resources

• U.S. Dept. of Homeland Security Business
  Contingency Planning www.ready.gov
• National Emergency Management Association
  www.nemaweb.org
• www.contingencyplanning.com
• Disaster Recovery Journal www.drj.com
• Disaster Recovery Institute www.drii.org
• www.availability.com
• Information System Security www.infosyssec.org

67
Thank You for Your Participation
Questions Answers