Business Continuity Planning Disaster Recovery Planning

1
Business Continuity PlanningDisaster Recovery
Planning
2

• A Business Continuity Plan (BCP) is an approved
  set of advanced arrangements and procedures that
  enable an organization to
• Facilitate the recovery of business operations to
  reduce the overall impact of an event, while at
  the same time resuming the critical business
  functions within a predetermined period of time.
• Minimize the amount of loss.
• Repair or replace the damaged facilities as soon
  as possible.
• Traditionally, recovery plans focused on the
  recovery of critical computer systems running at
  data centers (aka disaster recovery).
• Today, recovery plans must also focus on the
  critical computer systems operating in a
  distributed environment involving PCs, LANs,
  telecommunications, etc.
• Essentially, continuity plans address every
  critical function of an enterprise.

3

• A disaster is something that interrupts normal
  business processing.
• A disaster is defined as a sudden, unplanned
  calamitous event that brings about great damage
  or loss.
• In the business environment, it is any event that
  creates an inability to support critical business
  functions for some predetermined period of time.

4
Reasons for BCP

• It is better to plan activities ahead of time
  rather than to react when the time comes
• Proactive rather than Reactive
• Take the correct actions when needed
• Allow for experienced personnel to be absent
• Maintain business operations
• Saves time, mistakes, stress and
• Keep the money coming in
• Short and long term loss of business
• Have necessary materials, equipment, information
  on hand
• Planning can take up to 3 years
• Effect on customers
• Public image
• Loss of life

5
BCP Requirements

• Provide an immediate, accurate and measured
  response to emergency situations.
• Provide procedures and a listing of resources to
  assist in the recovery process.
• Identify vendors that may be needed in the
  recovery process and put agreements in place with
  selected vendors.
• Avoid confusion experienced during a crisis by
  documenting, testing and training plan
  procedures.
• Clear guidance for declaring a disaster.

6
BCP Requirements

• Provide the necessary direction to ensure the
  timely resumption of critical services.
• Document storage, safeguarding and retrieval
  procedures for critical systems and supporting
  functions.
• Describe the actions, resources and materials
  required to restore critical operations at an
  alternate site in the event that the primary
  site(s) has suffered a serious outage.
• Document recovery procedures so they can be
  executed by knowledgeable people.

7
Developing the BCPProject Management and
Initiation

• Determine the need for automated data collection
  tools, including plans to provide training on how
  to use the software.
• Establish members of the BCP team, both technical
  and functional representatives.
• Prepare and present an initial report to
  management on how the BCP will meet the
  objectives.

8
Developing the BCPProject Management and
Initiation

• Automated plan development can help you
• Speed the process
• Avoid missing critical elements
• Organize teams
• Maintain the plan

9
Developing the BCPProject Management and
Initiation

• Team Members
• BCP Planner/Coordinator
• Senior management, CFO, etc.
• Legal, HR
• Business unit/functions
• Recovery team leaders
• InfoSec, Telecomm, etc.
• The same people who would be responsible for
  executing the plan in the event of an outage must
  also be involved in preparing the BCP

10
Developing the BCPBusiness Impact Analysis (BIA)

• The BIA is a functional analysis that identifies
  the impacts should an outage occur. Impact is
  measured by the following
• Allowable business interruption - the maximum
  tolerable downtime (MTD)
• Financial and operational considerations
• Regulatory requirements
• Organizational reputation
• The BIA sets the stage for determining a
  business-oriented judgment concerning the
  appropriation of resources for recovery planning
  efforts.

11
Developing the BCP - BIA

• Impact Assessment
• Purpose
• Identify risks
• Identify business requirements for continuity
• Quantify impact of potential threats
• Balance impact and countermeasure cost
• Establish recovery priorities

12
Developing the BCP - BIA

• Benefits
• Relates security objectives to organization
  mission
• Quantifies how much to spend on security measures
• Provides long term planning guidance
• Site selection
• Building design
• HW configuration
• SW
• Internal controls
• Criteria for contingency plans
• Security policy
• Protection requirements
• Significant threats
• Responsibilities

13
Developing the BCP - BIA

• Risk Assessment
• Potential failure scenarios
• Likelihood of failure
• Cost of failure (loss impact analysis)
• Dollar losses
• Additional operational expenses
• Violation of contracts, regulatory requirements
• Loss of competitive advantage, public confidence
• Assumed maximum downtime (recovery time frames)
• Rate of losses
• Periodic criticality
• Time-loss curve charts

14
Developing the BCP - BIA

• Risk Assessment/Analysis
• Potential failure scenarios (risks)
• Likelihood of failure
• Cost of failure, quantify impact of threat
• Assumed maximum downtime
• Annual Loss Expectancy
• Worst case assumptions
• Based on business process model? Or IT model?
• Identify critical functions and supporting
  resources
• Balance impact and countermeasure cost
• Key
• Potential damage
• Likelihood

15
Developing the BCP - BIA

• Definitions
• Quantitative Risk Analysis
• quantified estimates of impact, threat frequency,
  safeguard effectiveness and cost, and probability
• Powerful aid to decision making
• Difficult to do in time and cost
• Qualitative Risk Analysis
• minimally quantified estimates
• Exposure scale ranking estimates
• Easier in time and money
• Less compelling
• Risk Analysis is performed as a continuum from
  fully qualitative to less than fully quantitative

16
Developing the BCP - BIA

• Goals
• Understand economic operational impact
• Determine recovery time frame (business/DP/Network
  )
• Identify most appropriate strategy
• Cost/justify recovery planning
• Include BCP in normal decision making process

17
Developing the BCP - BIA

• Risk Analysis Steps
• 1 - Identify essential business functions
• Dollar losses or added expense
• Contract/legal/regulatory requirements
• Competitive advantage/market share
• Interviews, questionnaires, workshops
• 2 - Establish recovery plan parameters
• Prioritize business functions

18
Developing the BCP - BIA

• Risk Analysis Steps
• 3 - Gather impact data/Threat analysis
• Probability of occurrence, source of help
• Document business functions
• Define support requirements
• Document effects of disruption
• Determine maximum acceptable outage period
• Create outage scenarios

19
Developing the BCP - BIA

• Risk Analysis Steps
• 4 - Analyze and summarize
• Estimate potential losses
• Destruction/theft of assets
• Loss of data
• Theft of information
• Indirect theft of assets
• Delayed processing
• Consider frequency
• Combine potential loss probability
• Magnitude of risk is the ALE (Annual Loss
  Expectancy)
• Guide to security measures and how much to spend

20
Developing the BCP - BIA

• Maximum tolerable downtime (MTD)

21
Developing the BCPRecovery Strategies

• Business Recovery
• Focus is on the critical resources and the
  maximum tolerable downtime for each
  business/support unit system. This may included
  identification of
• Critical IT system hardware, software and data
• Critical equipment, supplies, furniture and
  office space
• Key personnel for each business unit and support
  unit, such as Operations, Facilities, InfoSec,
  etc.

22
Developing the BCPRecovery Strategies

• Facility and Supply Recovery
• Focus is on restoration and recovery, such as
• Facility - main building, remote facilities
• Inventory - supplies, equipment, paper, forms
• Equipment - network environments, servers,
  mainframe, PCs, etc.
• Telecomm - voice and data
• Documentation - application, technical materials
• Transportation - movement of equipment, personnel
• Supporting equipment - HVAC, safety, security

23
Developing the BCPRecovery Strategies

• User Recovery
• Focus is on personnel requirements, such as
• Manual procedures
• Vital record storage (i.e., medical, personnel)
• Employee transportation
• Critical documentation and forms
• User workspace and equipment
• Alternate site access procedures
• User Recovery (continued)
• Procedures for the organizations employees to
  follow during the outage include items such as
• Team responsibilities
• Distribution of information
• Manual processing techniques
• Disaster policies
• Notification procedures
• High priority tasks
• Emergency accounting
• Checklists

24
Developing the BCPRecovery Strategies

• Operational Recovery
• Determine the necessary equipment configurations
  such as
• Mainframes, LANs, PCs, peripherals
• Explore opportunities for integration/consolidatio
  n
• Usage parameters
• Data communications configurations include
• Switching equipment, routers, bridges, gateways

25
Developing the BCPRecovery Strategies

• Operational Recovery (continued)
• Outline alternative strategies for technical
  capabilities, such as network infrastructure
  components. Options include
• Hot site, warm site, cold site, mobile site
• Reciprocal or mutual aid agreements
• Multiple processing centers
• Service bureaus

26
Developing the BCPRecovery Strategies

• Software and Data Recovery
• Focus is on the recovery of information - the
  data. Options include
• Backing up and off-site storage
• Electronic vaulting
• Online tape vaulting
• Remote journaling
• Database shadowing
• Standby services
• Software escrow
• Manuals and documentation
• Backup frequency - criticality and rate of change

lt P V expense of backup P probability
of loss V cost of recreating lost data
27
Developing the BCPRecovery Strategies

• Software and Data Recovery (continued)
• Security and controls of backup data and
  materials
• While being transported to the offsite facility
• While stored at the offsite facility
• Backup site may need even better protection than
  primary site
• Data at backup facility is not accessed very
  often
• Problems could go undetected for a long time
• Consider encryption of backup data
• Too much processing overhead?
• Bank of America lost backup tapes

28
Developing the BCPPlan Design and Development

• In this phase the team prepares and documents a
  detailed plan for recovery of critical business
  systems.
• End products include
• Business and service recovery plans
• Test method descriptions
• Restoration plans
• Plan maintenance programs
• Employee awareness and training programs

29
Developing the BCPPlan Design and Development

• 1. Determine management concerns and priorities.
• 2. Determine planning scope such as geographical
  concerns, organizational issues, and the various
  recovery functions to be covered in the plan.
• Establish outage assumptions.
• Identify response procedures, such as ensuring
  evacuation and safety of personnel, notification
  of disaster, initial damage assessment,
  activating teams and relocating to alternate
  sites.
• . Identify resumption strategies for
  mission-critical and non-mission-critical systems
  at alternate sites.
• 6. Identify the location for the emergency
  operations center/command center.
• 7. Identify restoration procedures for salvage,
  repair and return to the primary site. Also, the
  procedures to deactivate the recovery site

30
Developing the BCPPlan Design and Development

• 8. Plan and implement the gathering of data
  required for plan completion.
• Personnel information
• Vendor services
• Equipment, software, forms, supplies
• Vital records
• Technical information
• Office space requirements

31
Developing the BCPPlan Design and Development

• 9. Review and outline who (and how) the
  organization will interface with external groups.
• Customers
• Shareholders
• Civic officials
• Community, region, and state emergency services
  groups
• Utility providers
• Industry group coalitions
• Media

32
Developing the BCPPlan Design and Development

• 10. Review and outline how the organization will
  cope with other complications beyond the actual
  disaster.
• Responsibility to families
• Coordination with human resource and legal
  departments
• Fraud opportunities
• Exposure of sensitive data
• Looting and vandalism
• Ensuring primary site is protected during
  disaster
• Safety and legal problems
• Expenses exceeding emergency manager authority
• Insurance coverage and timing of claim payment

33
Developing the BCPPlan Design and Development

• 11. Develop support service plans, including
  human resources, public relations,
  transportation, facilities, IT, telecomm, etc.
• 12. Develop business function plans and
  procedures.
• 13. Develop facility recovery (i.e., the
  building) plans.

34
Plan Testing

• Proves feasibility of recovery process
• Verifies compatibility of backup facilities
• Ensures adequacy of team procedures
• Identifies deficiencies in procedures
• Trains team members
• Provides mechanism for maintaining/updating the
  plan
• Upper management comfort

35
Plan Testing

• Desk checks/checklist
• Structured walkthroughs
• Simulations
• Parallel tests
• Full interruption tests

36
Plan Maintenance

• Develop processes that maintain the currency of
  continuity capabilities and the BCP document in
  accordance with the organizations strategic
  direction. This includes
• Changing management procedures
• Resolving problems found during testing
• Building maintenance procedures into the process
• Centralizing responsibility for updates
• Reporting results regularly to team members

37
Plan Maintenance

• Plan maintenance functions are
• Receive and monitor input on needed revisions -
  maintain revision history
• Plan maintenance reviews as needed
• Monitor changes within business units, such as
  upgrades to systems
• Control plan maintenance distribution - who
  receives a copy of plan updates
• Ensuring version control - obsolete editions of
  the plan are collected and destroyed.

38
Awareness and Training

• The goal is to design and develop a program to
  create corporate awareness and enhance the skills
  required to develop, implement, maintain and
  execute the plans.
• The objectives should cover a range of outcomes
  from simple awareness of the major provisions to
  the ability to carry out specific procedures.
• Train the teams used for recovery strategies.
• Train those employees who will have specific
  roles in the recovery process, such as systems
  staff, team leaders, etc.