BIA Executive Summary

1
BIA Executive Summary Recommended Roadmap For
Program Design
2
Impetus For State of Oregon Action

• Unlike any private organization or entity, the
  State of Oregon MUST continue operations,
  regardless of the interruption cause, extent or
  expected impact duration.
• The State of Oregon not only has no such
  recourse, but in the event of a regional outage
  that would impact Oregonians, the State of Oregon
  employees and systems, the State must be able to
  provide continued support to the citizens for
  both emergency and normal day-to-day operations.
• Overall, the States objectives for conducting a
  Business Impact Analysis were to
• Develop a more complete understanding of the true
  business impact from disruptions to critical
  processes and technology
• Improve Business Continuity planning based upon
  the quantified impact of disruptions
• Utilize this understanding in conjunction with
  the Enterprise Business Continuity Planning goal
• Identify the States most critical resources,
  including interdependencies
• Prioritize business process and applications
  availability requirements
• Develop a focused list of business continuity
  activities appropriate to States business
  requirements

3
Scope of Analysis
Red denotes State Constituency Infrastructure
agencies
4
Proactive Calling Map
5
SunGard Disaster Declarations by Event Type
SunGard Disaster Declarations by Event Type and
of Customers Declared

• Event type Number/Percentage 09/30/2005
• (support since 1999)

6
Todays Capability is Inadequate

• Catastrophic consequences can result with
  occurrence of a significant service interruption
• Inter-agency process reliance infrastructure
  dependencies will impair ability to serve
  constituents
• Significant HS, operational financial business
  impacts were identified in recently completed
  analysis
• Evolution from non-restorable to recoverable, for
  essential agency infrastructure can be achieved
  quickly cost effectively

7
State of Oregon 2005 Score Card


Process Lifecycle
Process Lifecycle
Analysis
Develop
Develop
Develop
Implement
Analysis
Develop
Develop
Develop
Implement
Implement
Conduct
Implement
Conduct
Business
Technology
Requirem'ts
Maintain
Continuous
Business
Technology
Requirem'ts
Maintain
Continuous
Recovery Strategy Elements
Recovery Strategy Elements
Strategy
Testing
Strategy
Testing
Needs
Profile
Strategy
Plans
Improvement
Needs
Profile
Strategy
Plans
Improvement
DAS
DAS


DCBS
DCBS
DHS
DHS
DOC
DOC
DOR
DOR
ODOF
ODOF
ODOT
ODOT
ODVA
ODVA
OED
OED
OHCS
OHCS
OSP
OSP
OST
OST
8
Agency Criticality

• The BIA revealed numerous inter agency
  dependencies, from both the process and
  technology perspective. The dependence of
  infrastructure Agencies (within current scope) on
  DAS, compels the SOO to seriously consider the
  ramifications and capability constraints
  associated with the piece meal (each agency on
  their own) or iterative program design
  implementation approach.
• The larger issue that SOO faces with their
  dependence on technology, is the need for an
  integrated and structured means to provide
  communications capabilities, information and
  requisite services, accessible through a
  demonstrated recoverability restoration
  capability.

9
Constituency Impacts

• According to the personnel we interviewed, if
  State Agency Business functions are interrupted
  for a prolonged period, we obtained very clear
  and firm answers regarding whether State Agencies
  could

10
Initial Program Scope
DCBS
OST
OSP
DHS
OHCS
DOC
DAS
DOR
OED
ODVA
ODOF
ODOT
11
Conclusions

• In reviewing the information collected during the
  BIA analysis, SunGard observed areas of
  commonality across the agencies. As participants
  addressed questions and concerns raised by the
  survey, their responses revealed themes which
  center on their commitment to Oregonians.
  Participants emphasized the importance of
  providing service or support to citizens in three
  areas
• Health and Safety of Oregonians Participants
  placed the heath, safety and welfare of their
  clients above all other considerations.
• Cash Management Requirements - There was an
  understanding across all the agencies that state
  revenues and monies must be managed to provide
  the monies to fund State services.
• Economic Development Participants understood
  that many of the functions provided or supported
  economic opportunity for individuals and economic
  development opportunities for business.
• Another area of commonality was the
  interdependencies between the various agencies
  and functions. That is, no agency and very few
  functions can operate independently. Although it
  is also true that many private companies have
  internal dependencies, these interdependencies do
  not rise to the level or to the degree that was
  found within the State. These service
  requirements and inter-agency dependencies should
  be considered in developing any recovery
  strategy.
• In addition, State management will face a
  Business Continuity challenge similar to the
  challenge presented to private business
  management balancing the RTOs of the
  participating business functions against the cost
  associated with implementing a strategy to
  support those requirements. The State selected
  the most critical functions within each agency to
  participate in the BIA and these, by their
  critical selection, will have the smallest window
  for recovery or RTO. As the State begins to
  analyze recovery alternatives, it will have to
  weigh the relative priority of RTOs from a
  state-wide perspective against the associated
  costs and then provide recovery for those
  functions having the greatest impact over the
  greatest number of people. RTOs may need to be
  adjusted to reflect an overall state level
  prioritization.
• Finally, since the information collection and
  data analysis represents the status at a
  point-in-time, the State of Oregon must
  account for changes that occur naturally in its
  environment, whether it is environmental
  (legal/regulatory), organizational, technical or
  procedural. When such changes occur, the State
  should ensure that it has a process in place to
  1) identify such changes, 2) review and assess
  the impact of the changes and 3) update or design
  mitigation/recovery strategies that will address
  those changes.
• Todays technology-driven business environment
  places a premium on the availability of systems
  and data. Every organization needs a complete
  Business Continuity Program that addresses
  business interruptions, including contingency
  plans, data protection and restoration
  capabilities, alternate facilities and equipment
  replacement plans and a formal, integrated
  testing program. The information collected from
  the BIA should be used as a baseline to address
  these concerns in the next phase State Strategy
  Design.

12
How Much does a Robust Capability Really Cost.

• When compared against the States consensus on
  existing risk..

Recovery Window
High Availability Recovery Window
Think about the risk you bear when Health
Safety processes are reliant on information
technology
and infrastructure is not available
13
Minimal, Optimal Or HybridRoadmap Decisions
Enablers For Success
14
Recommended Roadmap to Address Enterprise
Availability
15
Business Drivers For Oregons Program

• Business Continuity perspective is different
  today
• Secure immediate, low cost, interim, protection
• Validate/action service interruption parameters
  that support constituency centric program
  options/costs
• Develop tiered recoverability for technology
  infrastructure/shared services
• Evaluate future consolidated DC impacts and
  constraints vs commercial (hybrid) recovery
  capabilities
• Address HS and infrastructure exposures as
  repeatable processes
• Make immediate, demonstrable, measurable progress
• Optimize time, results and develop a lifecycle
  approach to tiered recoverability

16
Tiered Recoverability Terms and Definitions

• Restorable an environment that is re-built in
  its entirety (synchronized systems,
  applications, databases) to the point in time of
  the last complete set of offsite backups
• Recoverable applying roll forward
  logs/transactions for online systems to a
  restored environment and identifying,
  re-acquiring, synchronizing and reconciling lost
  (in-process and backlogged) and/or paper based
  transactions
• Available an always on environment that does
  not incur a service interruption regardless of
  service impacts to the (critical) production
  technology components
• Recovery Time Objective (RTO) target timeframe
  for recovery of technology and business processes
• Recovery Point Objective (RPO) how current is
  your data for recovery?

17

Availability Options (Business IT)
Traditional Recovery - Compute Utility
Protection Data Staging - Ability to Commence
Restoration Immediately Standby Op. Sys.
- Ability to Commence IPL Immediately Electronic
Vaulting - Simplified Logistics Transact.
Protection - Automated Remote Journaling (includes
limited Electronic Vaulting) Data Shadowing
- Eliminates Data Recovery Exposures (includes
Transaction Protection) Hot Standby - Rapid
Recovery Capability (includes Data Shadowing)
-24
-12
0
12
24
36
48
60
72
84
18
Solution Continuum
R I S K
PREMIUM RTO lt24 HRS RPO lt24 HRS
C O S T
STANDARD RTO 48 HRS RPO 48 HRS

R E C O V E R Y T I M E
19
Tactical Recommendations
20
Tactical Execution (October Dec 2005)

• Consensus on infrastructure agency designations
  requisite budgetary allocations (Infrastructure,
  Essential Ancillary)
• Concurrence on phased approach to catastrophic
  risk mitigation subsequent program component
  design
• (Phase One infrastructure / Phase Two
  essential agencies / Phase Three Ancillary
  agencies)
• Concurrence on integrated (interdependent) agency
  design to synergize efforts and secure optimum
  ROI
• (DAS, DHS, DOR, ODOT, OHCS, OSP, OST)
• Initial technology centric purview will force
  Business Continuity activities to enable
  utilization
• Concurrence on optimal delivery vehicle to
  expedite, cost effective results
• Reap benefits of Enterprise Coverage

21
Lifecycle Program Components
Business/ Technology Profile
Analyze Impacts
Assessment
Design Detail Strategy
Design General Strategy
Define Requirements
Configuration Change Management
Implement Strategy
Develop Plans
Maintain Continuous Improvement
Validate Capability
22
Develop A Continuity Program Management Focus
23
Enterprise Program Year 1

• Strategy
• Funding Approvals
• Project Management
• Project Planning
• Project Implementation
• Staffing (ongoing project)

• Management Reporting
• Management Briefings
• Training Awareness
• Process Improvement
• Continuous Improvement

Cost First Year TBD
6 12 Months
Detailed Design Implementation
Program Concept
Program Design Criteria
Validation (POC)

• Immediate interim coverage
• for infrastructure agencies,
• including End User work area
• (200 seats and mobile)

• Establish Oversight Committee
• Program Office

• Conduct mandatory
• Orientation, Education
• Awareness sessions

• Engineer HA solution for Tier
• 1 infrastructure technologies

• Commence with Business /
• Technology Profile

• Engineer tape based solution
• for Tier 2 3 technologies

• Conduct Table Top
• exercises

• Commence with Backup/Restore
• Analysis (HA traditional)

• Data replication for HS and
• revenue infrastructure
• processes

• Hot Site Orientation

• Engineer Work Area
• occupation strategies

• Integrate compliance security
• criteria to tiered design

• Work Area Orientation

• Traditional tape based for
• essential ancillary agencies

• Concurrently, develop Action
• Oriented Recovery Plans with
• Step-by-Step Actions and Tasks
• For Technology Platforms

• Commence with vital records
• protection enhancements

• Recovery Team Training

• Recovery Team Plan
• Walkthroughs

• Include Radio Wireless
• communications backup

• Refine agency centric recovery
• documentation (concurrently)

• Concurrently, develop Action
• Oriented Recovery Plans with
• Step-by-Step Tasks for Critical
• Business Units (by Agency)

• Integrate change configuration management
  with design operational processes

• Conduct POC for HA,
• Traditional Work Area

• Concurrent Production
• availability design (network,
• applications architecture)

• Enterprise Coverage
• evolves to subscription of
• services

• Establish baseline Work Area
• strategy based on tiered
• Technologies (based on
• accepted RPO/RTOs

• POC testing allocated
• staffing by agency Year One

• Refine operation procedures
• For production support

• Refine Crisis Management
• Strategies based on tiered
• Strategy execution

• Establish tiered design criteria
• for committee approval (with
• costs)

• Approve Design Implementation

24
Enterprise Program Year 2 - 3

• Strategy
• Funding Approvals
• Project Management
• Project Planning
• Project Implementation
• Staffing (ongoing project)

• Management Reporting
• Management Briefings
• Training Awareness
• Process Improvement
• Continuous Improvement

Cost Per Year TBD
Ongoing
Enterprise Strategy
Technology Profile / Strategy Refinement
Business Impact Analysis Update
Validation

• Integrate HA/Tier 23
• processes/capabilities

• Identify Test Strategy

• Collect Hardware Inventory

• Data Gathering
• (Workshops, Surveys, Questionnaires, Interviews)

• Define Test Objectives

• Refine Change/Configuration
• management processes

• Collect Software Inventory

• Define Schedules /
• Timelines

• Update Critical Business Functions

• Document or obtain Network
• Diagram

• Integrate ongoing security
• and compliance criteria /
• capabilities

• Update Critical Business
• Applications

• Identify Test Team

• Document Infrastructure
• Diagram

• Define Roles and
• Responsibilities

• Identify Organizational Risks

• Sustain backup restore
• capabilities

• Document Business Unit X
• Reference

• Develop Test Plan

• Identify Tangible/Intangible Impacts

• Identify Alternate Site

• Document Application X
• Reference

• Facilitate ongoing awareness
• education

• Identify Long Range Business Plans

• Select Test Data

• Identify Financial/Operational
• Impacts

• Identify Application System
• Interdependencies

• Conduct/Observe
• Alternative Site Test

• Integrate IT BCP with First
• Responders

• Create Central Repository /
• Database

• Identify/Update Vital Records
• Critical Office Equipment, Voice,
• Physical Space Requirements

• Assess and Document
• Testing

• Conduct Recovery Gap
• Analysis

• Develop Post Test Report

• Update Recovery Time Objectives

• Document Improvements/
• Recommendations

• Document/Identify Recovery
• Strategy

• Update Recovery Point Objectives

• Conduct Post Team
• Meeting

• Document Recovery Requirements-
• Business/Technology

• Develop Recommendations

25
Enterprise Program Deliverables

• Scalable and Repeatable Processes Defined In The
  Program Framework Program Office For Enterprise
  Use
• Project Definition
• Governance
• Customized Tools Approach
• (Integrated DR/BCP) Program Roll-Out Strategies
• Measurable Testing Program
• Defined Change Control processes
• Management Accountability
• Internal/External Auditability
• Outcome is a structured, program and demonstrable
  capability

26
Business Technology Availability Options
Comparison
Current Data Replication Data
Replication MRT
13 Days
5 Days
1 Days
27
Next Steps

• Consensus on Partnership Value Potential
• Program or Project Define Program Scope,
  Approach, Timeline Deliverables
• Establish Funding Presentation Dates To Secure
  Commitment