BUSINESS CONTINUITY PLANNING IN EDUCATION (IT Role in

1
BUSINESS CONTINUITYPLANNING IN EDUCATION(IT
Role in Emergency Planning)

• Dr. Jim Kennedy
• MRP, MBCI, CBRM, CHS-IV
• Business Continuity Practice Lead
• Alcatel-Lucent

2
Presentation Agenda

• What does BC have to do with Schools?
• Risk Management Threats Vulnerabilities
• Why Business Continuity Planning is Crucial
• What is Needed to Fully Plan For Emergency
  Preparedness
• Process For Developing BCP
• What makes a Successful BCP/DR Plan
• Lessons Learned From Experience
• Case Study

3
Interesting Question

• What does business continuity have to do with
  Schools?
• In education as in personal life, it is tempting
  to assume that catastrophes are things that
  happen elsewhere and to other people.
• Recent events have shown us that planning is
  essential in the protection of the safety of
  children, teachers, staff, and the public.
• Technology infrastructure and IT is increasingly
  central to education. However, the increase of
  educations dependence on technology has left
  many institutions unaware of their reliance upon
  it.
• As solutions such as the student information
  system (SIS) or learning management system (LMS)
  become increasingly central to the day-to-day
  operation of schools and school districts,
  ensuring that these solutions keep working
  regardless of whatever disaster may have befallen
  the institution becomes a core objective of the
  Administration and the IT department.

4
Further

• As a result, it is easy to underestimate the
  effect that a catastrophic event might have on a
  school district and its community.
• These potential problems range from the seemingly
  trivial such as a leaking pipe to the
  completely catastrophic.
• Damaging events might be natural or man-made.
• A massive range of eventualities might either
  cause damage to the school or require technology
  to aid during an adverse event.
• In all these situations, school districts need to
  have a clear plan of action that will enable them
  to make sure that their technical infrastructures
  are capable of doing what is necessary in time of
  crisis

5
Threats Natural Man-made Disasters
Hurricane/Tornado
Earthquake
Bio Hazards
Bombing
Fires
6
Threats Terrorist Attacks
Business Continuity Disruptive Events
7
Invisible Threat Cyber-Terrorism

• Cyber-terrorism
• Is a serious threat to critical infrastructure
• Impacts computer systems that support
• business operations
• Can cause data corruption prevent access
• to business critical data
• Cyberspace attacks coupled with a physical
  attack can devastate business continuity
• Were the attacks on Estonia this Spring
  state-sponsored cyber-terrorism?

8
Major Ramifications For Continuity

• Utility Outages
• Communications Outages
• Transportation Outages
• Evacuations / Unavailability of Key Personnel

9
Impact of an Incident

• Being able to cope should adverse event occur is
  increasingly recognized as vital for individual
  schools and school districts.
• Alcatel-Lucent believes that a number of factors
  are driving increasing interest in business
  continuity by education institutions, including

10
Education and Adverse Events

• The range of possible disasters Extreme weather
  events across the world help to focus the minds
  of education decision-makers on how they would
  cope if some part of their infrastructure were
  hit by a disaster beyond their control.
• Increasing dependence on Technology As
  discussed in the introduction, all schools and
  their districts now depend on the technology
  infrastructure for a significant part of their
  day-to-day operations. Education decision-makers
  are waking up to the fact that if central IT
  functions fail, then their institutions would
  find it difficult to continue their operations,
  even in a minimal fashion.
• Broader community role Schools are not merely
  businesses providing an ordinary service, they
  are often seen as providing a central service to
  the community as a whole. In the event of a major
  crisis, schools and school buildings often find
  themselves at the center of efforts to deal with
  the situation. Schools often act as co-ordination
  points for both the victims of a disaster or the
  emergency workers trying to help them.
  Institutions who see themselves as fulfilling
  this broader role need to keep themselves going
  in a crisis not just for their own sake but in
  order to take its place at the center of the
  community it serves.
• NOTE In a recent survey 51 of education IT
  decision makers indicated that they did not feel
  ready for a disaster.

11
Common Failure Areas
12
Applicable Standards and Regulations

• FEDERAL
• STATE
• COUNTY
• LOCAL
• NFPA 1600

13
Different Types of Plans

• Business Continuity (BC)
• Disaster Recovery (DR)
• Continuity of Operations (COOP)
• Emergency Operations (EOP)
• Crisis Management (CM)
• Incident Response (IR)

Resume
Respond
4 Rs of Contingency Planning
Recover
Restore
14
Business Continuity a Beginning without an End

• Business Continuity Management means
  ensuring the continuity or uninterrupted
  provision of operations and services.  Business
  Continuity Management is an on-going process with
  several different but complementary elements.
  Planning for business continuity is a
  comprehensive process that includes disaster
  recovery, business recovery, business resumption,
  and contingency planning as shown below.

15
BUSINESS CONTINUITY MANAGEMENT
Security Policy
BUSINESS CONTINUITY MANAGEMENT
Risk Management
BUSINESS CONTINUITY PLAN

Emergency Operations Plan
Crisis Management Plan
Data Recovery Plan
IT Recovery Plan
Business Unit Recovery Plans

• Security
• Insurance
• Vital Records
• Business
• Impact
• Analysis

• Takeover
• Product
• Contamination
• Kidnap
• Strike

Testing
Dr. Jim Kennedy July 2006
16
Business Continuity Planning So Where Do We
Begin?

• Formalize BC processes Organization to set
  Policy, Governance Reporting
• Senior Official and executive management
  commitment support as most critical elements
• Identify recovery needs
• What is the difference Business Continuity (BCP)
  vs. Disaster Recovery (DR)
• BCP is forethought to prevent loss of operational
  capability
• DR is process of recovery/resumption of
  technology functions

17
Did You Know?

• If you cant describe what you are doing as a
  process, you dont know what you are doing.
• -W. Edwards Deming

18
Business Continuity Planning
19
Methodology
20
Typical BCP Process
1
2
4
BCP Project Initiation
Conduct Business Impact Analysis (BIA)
Develop BCP Policy Scope
5
Identify Risks and their Mitigation
Develop Recovery Strategies
3
Develop Test Plan

• Organization
• Resources

6
Management Awareness Training
BCP Maintenance Change Management
BCP Review, Testing Verification
7A
7
7B
21
Which Plan to Develop?

• DISASTER RECOVERY PLAN  The management approved
  document that defines the resources, actions,
  tasks and data required to manage the technology
  recovery effort.  Usually refers to the
  technology recovery effort.  This is a component
  of the Business Continuity Management Program.
• BUSINESS CONTINUITY PLAN  (BCP)  Process of
  developing and documenting arrangements and
  procedures that enable an organization to respond
  to an event that lasts for an unacceptable period
  of time and return to performing its critical
  functions after an interruption. Similar terms 
  business resumption plan, continuity plan, and
  contingency plan.

22
More Plans?

• CONTINUITY OF OPERATIONS PLAN (COOP)  A COOP
  provides guidance on the system restoration for
  emergencies, disasters, mobilization, and for
  maintaining a state of readiness to provide the
  necessary level of information processing support
  commensurate with the mission requirements/priorit
  ies identified by the respective functional
  proponent.  Federal, State and local government
  and supporting agencies traditionally use this
  term to describe activities otherwise known as
  Disaster Recovery, Business Continuity, Business
  Resumption, or Contingency Planning.
• Emergency Operations Plan (EOP) A clear and
  concise document describing the actions to be
  taken, or instructions to all individual and
  local government services concerned, stating what
  will be done in the event of an emergency. The
  plan will state the method or scheme for taking
  coordinated action to meet the needs of the
  situation. It will state the action to be taken
  by whom, what, when and where based on
  predetermined assumptions, objectives and
  capabilities.

23
BCP Plan Composition Contents

• Supporting Information
• Introduction
• Scope of BCP
• Concept of Operations

• Notification/Activation
• Notification Procedures
• Damage Assessment
• Plan Activation

• Plan Appendices
• Points of Contact
• System Requirements
• Procedures Checklists

• Recovery Phase
• Sequence of Recovery Activities
• Recovery Procedures

• Restoration Phase
• Restore Original Site
• Test Systems
• Terminate Operations

24
Major Shortcomings in BCP

• Not considering critical processes or functions
• Forgetting about critical records
• Protection of distributed and mostly unstructured
  data
• Lack of emphasis on people side of recovery
• Lack of planning for crisis management
• Not involving outside agencies and first
  responders

25
Personnel Considerations in BCP

• Single most common failure is the lack of
  planning for the people
• Personal Safety Evacuation
• Personnel Welfare
• Relationship with Response Organization (Local
  Fire, Police, Rescue, etc.)
• Internal External Communication

26
Did you Know?

• Plans are only good intentions,
• unless they immediately degenerate
• into hard work.
• -Peter F. Drucker

27
Critical Success Factors

• Build smaller teams of Subject Matter Experts
• Seek team cooperation and sharing w. each other
  and outside resources
• Be brutally honest
• Do it in-house if you have time and expertise,
  otherwise bring a BCP consultant
• Simplify large/complex critical
• functions
• People
• Facilities
• Technology
• Miscellaneous

28

• Expect the Worst and Dont be Disappointed
  Planning for Business Continuity Disaster
  Recovery

29
CASE STUDY
30
Atlanta Public Schools Partners with its Local
Service Provider and Lucent to Implement Disaster
Planning

• I was extremely pleased with our engagement with
  our Service Provider and Lucent. They provided us
  with competent industry experts who not only
  identified our vulnerabilities, but also
  suggested solutions for mitigation. Their
  expertise was critical in the overall project and
  they ensured that our team was positioned for
  ongoing support by the end of the engagement.
• Gail Waldo, Director of IT Operations, Atlanta
  Public Schools

Challenge
Previous audits had shown that Atlanta
Public Schools (APS) lacked adequate security and
disaster recovery processes to protect its IT
operations. It needed to assess and develop
business continuity management/disaster recovery
plans for its critical IT platforms.
Solution
APS partnered with its local service provider and
Lucent Worldwide Services to develop a business
continuity/disaster recovery strategy. Lucent
worked with APS to assess its IT risks, their
business impact, and potential disaster recovery
strategies. Lucent also helped APS develop and
test comprehensive response and restoration plans
and to train its staff on those new procedures.
Benefits

• Initial Risk Assessment helped APS identify and
  determine how to mitigate all natural, man-made,
  and technical risks to their IT infrastructure
• IT Business Impact Assessment enabled APS to
  focus their efforts on the risks that would have
  the greatest impact on their IT operations
• Incident Command Structure, Response Plans, and
  Restoration Addendums ensure that APS will be
  able to restore critical IT operations rapidly in
  the event of a disaster

31
QUESTIONS ???

• Dr. Jim Kennedy
• Principal Consultant BCDR/Security Practice
  Lead
• NCE, MRP, MBCI, CBRM, CHS-IV, Security
• jtkennedy_at_alcatel-lucent.com