Business Continuity Planning

1
Business Continuity PlanningDisaster Recovery

• Lauren Farese Oracle CorporationPaul Christman
  Quest Software

2
What happened August 14, 2003?
3
Disasters happen every day...its a fact! 

• Disasters are inevitable and costly so why are so
  many unprepared?
• Effective organizations have
• management foresight
• tested procedures
• processes
• back-up facilities
• Business ContinuityPlanning (BCP)

4
Downtime Costs Money
Numbers assume 5B yearly revenue run rate.
Oracle calculated costs and is not associated
with the Standish Group Report
5
Business Continuity Planning vs.Disaster
Recovery Planning

• Both are directed at recovery of operations
• Business Continuity Planning is directed at the
  recovery and resumption of business activities
  across the entire enterprise
• Disaster Recovery Planning is usually directed at
  the recovery of information technology systems
  and business applications, including corporate
  data
• BCP addresses Processes, People and Property

6
Cost Components Of IT
Labor - 58
Hardware - 29
Software - 13
Source IDC 2001
7
Cost Components ofBusiness Continuity Planning
TOTAL 118.8B
WORLDWIDE SECURITY AND BUSINESS
CONTINUITYSPENDING SHARE BY PRODUCT SEGMENT -
2007
Source IDC report, September 2003
8
Business Continuity is Different

• Glass is half empty
• We are throwing technology at the problem
• Glass is half full
• We are properly automating in a systematic way
• Technology cannot be the complete answer

9
Business Continuity Themes

• Disaster recovery
• Plan for site or component outage that affects
  mission-critical applications
• Business recovery resumption
• Address mission-critical business processing in
  case of site outage
• Plan workarounds in case of application outage
• Contingency planning
• External event forces change to the internal
  business process
• Crisis management
• Address the overall management of the event
• Build plans to protect employees
• Maintain confidence in government

10
Techniques Tips for Business Continuity Planning
11
BCP Process
Phase 1 Establish the foundation
Business Continuity Planning
Phase 3 Maintain the plan
Phase 2 Develop and implement the plan
12
BCP Process
Phase 1 Establish the foundation
Obtain executive sponsorship

• Identify what the enterprise has at risk
• Which business processes are most critical
• Prioritize risk management and recovery
  investments
• Identify the enterprises vulnerability to risks
  so they can be mitigated in the project design
  phase

Business Impact Risk Analysis
Source Gartner, March 2004
13
BCP Process
Phase 2 Develop and implement the plan
Is this plan worth implementing?

• Develop recovery strategies and processes
• Create team responsible for the daily operation
  of the processes create detailed plans and
  procedures.

Recovery Strategy
Create Planning Team
Source Gartner, March 2004
14
BCP Process
Phase 3 Maintain the plan
Plan MUST be tested and kept up to date

• Test the recovery process before implementation
  to ensure that requirements can be met.
• Keep the plan current by initiating a review of
  every change to business processes or systems.

Test Process
Review Process
Source Gartner, March 2004
15
Implement YourBusiness Continuity Plan

• Determine what is relevant to your business
• Know what assets you have
• Data
• Where is it?
• How often is it used?
• Is it still relevant to the business?
• Systems, Networks and Storage
• What is running?
• Know asset exposures for Security
• Determine what threats affect each individual
  asset and know the risks of these threats
• Who has access?
• How is it being accessed?
• When is it being accessed? 

16
Implement YourBusiness Continuity Plan

• Know what action to take and implement
• Utilize validated remediation and automatically
  deliver fixes to vulnerable assets
• Measure status, progress and compliance
• Provide enterprise reporting to measure progress,
  summarize risks and determine regulatory
  compliance

Implement all of these steps while performing
your everyday business tasks
17
What about the technology?
18
Match the Tools to the Business Needs
Recovery Point
Recovery Time
19
Only as Good as the Weakest Link
Clients
Load Balancers
Application Servers
Web Cache
Database Servers
Java Clusters
Storage
20
BC/DR Must Address Every Component

• Network Infrastructure
• Data Storage online, near-line and off-line
• Application servers and their offspring
• Any component down the entire system is
  un-usable

21
Network Infrastructure

• Wide Area Traffic Manager to direct client
  traffic to proper site
• Network load balancer to distribute incoming
  requests
• Dedicated, fast link between sites
• Influences production database performance
• Redundant components and paths
• Network paths to the site and within the site

22
BC/DR Techniques for Data Storage

• Snapshots frequent, within an array, FC,
  temporary
• Mirrors frequent, in a different array, FC,
  temporary
• Replicas synchronous or async, remote or local,
  FC or IP, temporary or semi-permanent
• Near-Line Disk infrequent, x-platform, FC or
  IP, BI copy, DLM, or staging for backup
• Tape Backup infrequent, FC or IP, required best
  practice for DR

23
Application Availability with Local Clustering
Server 2 Instance B
Server 1 Instance A
Database
Protects from local server failures Depends on
shared available storage
24
Wide Area Clustering

• Extends local clustering model to several sites
• Requires data mirroring or replication

25
Wide Area Clustering
Site Migration
Failover
Replication
26
Key Steps to Success

• Conduct a Business Impact Analysis
• Identify which processes are truly critical and
  cost of BC
• Prioritize investments in people and technology
• Plan and Implement
• Test, test, test!!!
• Review the business continuity plan when the
  business process changes

27
Best Practices

• Configuration
• Detailed recommendations from your vendor
• Features to use, parameters to set
• Guidelines for hardware and other software
• Operational
• Technical e.g. Switchover and failover
  procedures
• Logistical e.g. Change management
  considerations
• Emphasis on outages
• Outages to monitor
• Detailed steps to resolve outages
• How to restore fault tolerance

28
Information Sources

• Peter G. Neumann PhD.
• Architectural Frameworks for Composable
  Survivability and Security
• http//www.csl.sri.com/neumann
• Comp.risks
• Presidents Commission on Critical Infrastructure
  Protection (PCCIP)
• http//www.pccip.gov
• Robert Buchmann. Disaster Proofing information
  Systems. McGraw-Hill Networking Professional, 2003

29
Information Sources

• Manhoi Choy, Hong Va Leong, and Man Hon Wong.
  Disaster Recovery Techniques for Database
  Systems. In Communications of the ACM 2000
• Renate Rohde, Jim Haskett. Disaster Recovery
  Planning For Academic Computing Centers. In
  Communications of the ACM. June 1990
• Bridget Eklund. Business Unusual. In
  Communications of the ACM, December 2001
• Martin Nemzow. Business Continuity Planning. In
  International Journal for Network Management, vol
  7, 127-136 (1997)

30
The pessimist sees difficulty in every
opportunity.The optimist sees opportunity in
every difficulty

• - Winston Churchill