Michael Singletary, Enterprise IT Manager

1
Strategic Initiatives OfficeOctober 25, 2005
Information Technology Advisory Board

• Michael Singletary, Enterprise IT Manager

2
Agenda

• In a post-911 world, and after the experience of
  Louisiana in Hurricane Katrina, are North
  Carolinas state agencies and their IT systems
  ready for a disaster?
• What steps have been taken to ensure our
  preparedness?
• What steps still need to be taken?
• How can the ITAB help?
• Questions

3
Are We Ready?

• The short answer is that it depends on the
  disasters level of severity.
• Hurricane Floyd
• IT
• Business (records)
• Progress has been made in a just a few years.
• Cornerstones of Progress
• Legislation requiring that agencies prepare
  Business Continuity Plans
• Business Impact Analysis tool was purchased and
  agencies trained in its use.
• Hot Site and routine tests of it.

4
Governing Statute GS 147-33.89

• Each state agency shall develop and continually
  review and update as necessary a business and
  disaster recovery plan with respect to
  information technology
• Consider the organizational, managerial, and
  technical environments.
• Assess the types and likely parameters of
  disasters most likely to occur and the resultant
  impacts.
• List protective measures to be implemented in
  anticipation of a natural or man-made disaster.
• Each agency shall submit its disaster recovery
  (business continuity) plan on an annual basis to
  the State CIO (June).

5
Business Impact Assessment
Per the Governing Statute Each state agency
shall assess the types and likely parameters of
disasters most likely to occur and the resultant
impacts. Based on a recommendation from the
statewide security assessment ITS was advised
to leverage the Business Impact Assessment tool
to help each agency understand its risks and what
assets need to be protected.
6
BIA Process

• Starting in January/February 2005 workshops were
  held for agencies.
• Each agencys Business Continuity planner
  completed a self-administered Business Impact
  assessment using a nationally recognized tool.
  Strohl Systems provided consultation.
• The surveys were submitted to Strohl Systems for
  consolidation, review and report generation.

7
BIA Report Results

• Alternate Business Site (s) needed
• Employees will need equipment and secure network
  for work-from-home strategy to be considered
  viable
• Test system and data recoverability
• Strategy for on-site paper records recovery
  needed

8
BIA Report Results - Graphs
9
BIA Report Results - Graphs
What Percentage of Business Units Are Difficult
to Recover?
10
BIA Report Results - Graphs
11
BIA Report Results - Graphs
Types of Disruptions Fire
Website Hacking Flooding Severe
Weather Loss of Data Communications
Power Loss Loss/Corrupted Data
Business Disruption/Physical move Loss of Tape
Drives Loss of Local LAN Severs Loss of Water
12
BIA Report Results - Graphs
13
BCP ResultsPlans submitted to SCIO
14
BCP Results
15 agencies are ITS customers eligible for hot
site services
15
BCP ResultsAgencies w/ Critical Apps/Processes
Listed
16
How can the ITAB Help?

• Raise the importance of the issues with agencies
  and the General Assembly.
• Promote testing of critical business processes
  located on hardware in agency facilities
• Establish agency policy
• Review your own agencys plan. Could you recover
  your mission critical processes with just the
  material in your plan?

17
Next Steps

• Strohl Systems will provide statewide training on
  new versions of the tools (October/November 2005)
• Agencies encouraged to use BIA information to
  prepare their BCPs
• SIO works closely with agencies on process
  improvements pertaining to BIA, Risk Management
  and BCP
• BCPs will be submitted to SIO by June 30, 2006

18
Questions?