Business Continuity and Disaster Recovery Planning

Business Continuity
and
Disaster Recovery Planning
Dr. Bhavani Thuraisingham

The University of Texas at Dallas (UTD)
June 2015
Domain Agenda
• Project Scope Development and Planning
• Business Impact Analysis (BIA) and Functional Requirements
• Business Continuity and Recovery Strategy
• Plan Design and Development
• Implementation
• Restoration / Disaster Recovery
• Feedback and Plan Management
Domain Objectives
• Understand the planning process
• Integrating BCP into the organization
• Defining inputs and outputs of process
• Understand the difference between BCP and DRP
Sources of Information
• Disaster Recovery Institute International
• Business Continuity Institute
• ISO 25999
• ISO 27001, Section 10
• NIST SP 800-34
ISO 25999:
Business Continuity Management
• Risk management • Health and safety
• Disaster recovery • Knowledge management
• Facilities management • Emergency management
• Supply chain management • Security
• Quality management • Crisis communications and
PR
Overview of BCP
• Direct benefits
• Indirect benefits
• Overlap with Risk Management
• BCM vs. BCP vs. COOP
The Enterprise BCP
• DRP
– Backup strategies
– Emergency procedures
– Contracts and provisioning
• BIA
– Reciprocal agreements
– Alternate sites
• Incident response planning
– Succession Plan
– Incidence Response Team
The Enterprise BCP (cont.)
• Risk analysis
– Safeguards / countermeasures
– Insurance plan
• Corporate communication plan
– User awareness training
– Media/stakeholder relations plan
The Business Continuity Life Cycle
• Analyze the business
• Assess the risks
• Develop the BC strategy
• Develop the BC plan
• Rehearse the plan
BC Project Phases
• Implementation
Reflecting Organizational Context
• Policy is the driver
• Aligned with requirements
• Provides direction and focus
• Use Business Impact Analysis
• Identify inputs
• Outcomes and deliverables
• Reviewed annually
Policy
• Organizational authority
• Policy document
• Program scope
• Resources
• Outsourcing
Policy contents
• Framework
• Tools and techniques
• Policy contents
• Change is infrequent
Outsourced Activities
• You are still responsible
• Resilience in outsourcing
• Supplier continuity
Scope and Choices
• Limit scope
• Ensure clarity of scope
• Strategy, Return on Investment (ROI), and SWOT (Strengths,
Weaknesses, Opportunities, Threats)
• Review yearly
Program Management
• Assigning responsibilities
• Initiating BCP in the organization
• Project management
• Ongoing management
• Documentation
• Incident readiness and response
Documentation
• Review current BCP if available
• Documentation may not equal capability
• Staff must be trained to use any necessary software
• Types of documentation
• Review as directed by policy
Initiating BCP
• Awareness, data, implementation
• Staff and budget
• Result must be a long-term, sustainable program
• Review progress monthly
Incident Readiness & Response
• Planners become leaders
• Be prepared
• Triage
• Incident management
• Success = Return to Operations
• Immediate lessons learned
Key Indicators of Success
• Senior management commitment
• Policy content
• BCP Resources
• Project management
• Documentation
BCP Project Phases
• Implementation
Understanding the Organization
• Business Impact Analysis (BIA)
– Benefits
– Objectives
• Evaluating Threats (Risk Assessment)
• Emergency Assessment
• Indicators of Critical Business Functions
Business Impact Analysis
• Identifies, quantifies and qualifies loss
• Scope and support required
• Documents impact and dependencies
• MTD, RPO
• Business impact analysis process
• Workshops, questionnaires, interviews
• Business justifications for budget
Maximum Tolerable Period of Disruption
Item Required recovery time
following a disaster
Non-essential 30 days
Normal 7 days
Important 72 hours
Urgent 24 hours
Critical/Essential Minutes to hours
Estimating Continuity Requirements
• Total budget for disaster recovery
• Identification of necessary resources
• Outcomes feed BCP strategy selection
• Reviewed with BIA
Evaluating Threats (Risk Assessment)
• Risk equation + time element
• Risk = Threat impact * probability
• Prioritize key processes and assets
• Outcomes
Key Indicators or Success
• Corporate governance
• BIA practice
• Risk assessment practice
BCP Project Phases
• Implementation
Determining Business Continuity
Strategy
• High-level strategies
• RTO < MTPD
• Separation distance
• Resilience
• Address specific business types
Determining Strategy
• Determining BC strategies
• Strategy options
• Activity continuity options
• Resource-level consolidation
Activity Continuity Options
• Selecting recovery tactics
• Reliability
• Extent of planning
• Cost/benefit analysis
• Outcome
Recovery Alternatives
Alternative Description Readiness Cost
Multiple processing/ Fully redundant Highest level of availability Highest
mirrored site identical equipment and readiness
and data
Mobile site/trailer Designed, self- Variable drive time; load data High
contained IT and and test systems
communications
Hot site Fully provisioned IT Short time to load data, test High
and office, HVAC, systems. May be yours or
infrastructure and vendor staff
communications
Warm site Partially IT equipped, Days of weeks. Need Moderate

some office, data and equipment, data
voice, infrastructure communications
Cold site Minimal Weeks or more. Need all IT, Lowest

infrastructure, HVAC office equipment and
communications
Processing Agreements
Agreement Description Consideration
Reciprocal or Mutual Aid Two or more organizations Technology upgrades/
agree to recover critical obsolescence or business
operations for each other. growth. Security and access
by partner users
Contingency Alternate arrangements if Providers may share paths or
primary provider is lease from each other.
interrupted, i.e. voice or data Question them.
communications
Service Bureau Agreement with application Evaluate their loading
service provider to process geography and ask about
critical business functions. backup mode.
BCP Project Phases
• Implementation
Resource Level Consolidation
• Consolidation plan
• Availability of solutions
• Consolidate, approve, implement
• Methods and techniques
• Outcomes and deliverables
Business Continuity Plan
• Master plan
• Modular in design
• Executive endorsement
• Review quarterly
Business Continuity Plan Contents
• When team will be activated
• Means by which the team will be activated
• Places to meet
• Action plans/task list created
Business Continuity Plan Contents
• Responsibilities of the team or of specific individuals
– Liaising with Emergency Services (fire, police ambulance)
– Receiving or seeking information from response teams
– Reporting information to the Incident Management Team
– Mobilizing third party suppliers of salvage and recovery services
– Allocating available resources to recovery teams
– Invocation / mobilization instructions
Developing and Implementing Response
• Incident response structure
• Emergency response procedures
• Personnel notification
• Communications
• Restoration
BCP Project Phases
• Implementation
Implementing Incident Management Plan
• Rapid response is critical
• Crisis management
• Steps to develop an Incident Management Plan
• Action plans
Incident Response Structure
• Strategic
• Tactical
• Operational
Key Indicators of Success
• Development and acceptance of Recovery Strategies and
Business Continuity Plans
BCP Project Phases
• Implementation
Disaster Recovery
• Salvage
• Separate function and team
• Facility restoration
• System recovery
BCP Project Phases
• Implementation
Testing the Program
• Find the flaws
• Outsourcing
• Timetable for tests
• Test design process
Testing Types
Types Process Participants Frequency Complexity
Desk Check Check the contents Author
of the plan, aid in Often LOW
maintenance.
Walk- Check interaction Author and
through and roles of main people
participants.
Simulation Includes: business Main people
plans, buildings, and auditors
communications
Parallel Moves work to Everyone at
testing another site. location
Recreates the
existing work from
the displaced site.
Full Shuts down and Everyone at
relocates all work both locations Rare HIGH
Embedding BCP
• Assessing level of awareness and training
• Developing BCP within the Culture
• Monitoring cultural change
Test BCP Arrangements
• Test, rehearsal, exercise
• Combine all plan activities
• Stringency, realism and minimal exposure
• Contents of a test
• Outcomes
Maintaining BCP Arrangements
• Ready and embedded
• Triggered by change management
• Owners keep information current
• Documented
• Review as needed
Reviewing BCP Arrangements
• Audit
• Independent BCP audit opinion
• As directed by audit policy
Factors for Success
• Supported by senior management
• Everyone is aware
• Everyone is invested
• Consensus
Assessing the Level of Awareness
and Training
• Where are we now
• What does the policy state
• Current vs. desired levels
• Training framework in place
Developing a BCP Within the
Organization’s Culture
• Training, education, awareness
• Well-implemented policy
• Design
• Delivery planning
• Delivery
• Cost effective delivery
• Higher awareness
Domain Summary
• Implementation

Business Continuity and Disaster Recovery Planning

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Business Continuity and Disaster Recovery Planning

Hochgeladen von

Copyright:

Business Continuity

Dr. Bhavani Thuraisingham

Warm site Partially IT equipped, Days of weeks. Need Moderate

Cold site Minimal Weeks or more. Need all IT, Lowest

Das könnte Ihnen auch gefallen