Business Continuity and Disaster Recovery Planning - PowerPoint PPT Presentation

Slides: 57
Provided by: ced121

Transcript and Presenter's Notes

Title: Business Continuity and Disaster Recovery Planning


1
Business Continuity and Disaster Recovery
Planning
2
Domain Objectives
  • Business Continuity Planning (BCP) and Disaster
    Recovery Planning (DRP) prepare for Adverse
    Events through
  • Response Programs focused on preserving life and
    business
  • Recovery Plans to resume interrupted critical
    business operations
  • Restoration Activities to return to normal
    operations

3
Information Security TRIAD
4
Domain Agenda
  • Project Scope Development and Planning
  • Business Impact Analysis (BIA) and Functional
    Requirements
  • Business Continuity and Recovery Strategy
  • Plan Design and Development
  • Implementation
  • Restoration
  • Feedback and Plan Management

5
Important Elements in this Step (Agenda)
  • Management's Commitment to the Project
  • Agree upon resources and produce a project plan
  • Analyze business and link BCP to organization's
    mission

6
Business Organization Analysis
  • BC Steering Committee
  • Policy scope and authorization
  • Mandates
  • Current and future organization
  • Inter-operational dependencies
  • External dependencies

7
Resource Requirements
  • Appraise budget
  • Coordinate Personnel Availability
  • Identify Key Personnel and Alternates

8
Resource Requirements
  • Select BC Tools
  • Evaluate Project Management Tools
  • Consider Vendor Resources

9
Domain Agenda
  • Project scope development and planning
  • Business Impact Analysis (BIA) and Functional
    Requirements
  • Business Continuity and Recovery Strategy
  • Plan Design and Development
  • Implementation
  • Restoration
  • Feedback and Plan Management

10
Business Impact Analysis
  • Business Impact Analysis (BIA)
  • Develop BIA Format
  • Evaluate Potential Impact if interrupted
  • Prioritize Business Functions

11
Important Elements in this Step (Agenda)
  • Analysis of the Business
  • Identification of Critical Business Processes
  • Topics
  • Threat Analysis
  • Emergency Assessment
  • Critical Business Functions
  • 3rd party and Networked Relationships

12
Threat Analysis
  • Potential Risk Factors
  • Man-made
  • IT
  • Natural
  • Supply Chain
  • Utility Failures
  • Loss of Key Personnel

13
Emergency Assessment
  • Affected Areas
  • Triage and Escalation Procedures
  • Notification and Alerting Procedures
  • Safety and Security Provisions

14
Critical Business Functions
  • Critical Function Characteristics
  • Time Sensitivity
  • Data Integrity
  • Classification

15
Critical Business Functions
  • Identification of Critical Business Functions
  • Operational Impact
  • Financial Impact
  • Reputation or Public Image Impact
  • Dependencies

16
Third Party and Networked Relationships
  • Downstream Liabilities
  • Identify Potentially Impacted Organizations
  • Establish Compliance Requirements

17
Third Party and Networked Relationships
  • Upstream Impacts
  • Identify 3rd Party Relationships with Impact
    Potential
  • Enforce Service Level Agreements (SLAs)

18
Domain Agenda
  • Project scope development and planning
  • Business Impact Analysis (BIA) and Functional
    Requirements
  • Business Continuity and Recovery Strategy
  • Plan Design and Development
  • Implementation
  • Restoration
  • Feedback and Plan Management

19
Business Unit Priorities
  • Meet identified business unit priorities
  • Critical Processes
  • Infrastructure
  • Communications

20
Business Unit Priorities
  • Recovery Time Objective
  • Recovery Point Objective
  • Cost/Benefit Analysis

21
Recovery Alternatives
| Alternative | Description | Readiness | Cost |
|---|---|---|---|
| Multiple processing / mirrored site | Fully redundant identical equipment and data | Highest level of availability and readiness | Highest |
| Mobile site / Trailer | Designed, self-contained IT and communications | Variable drive time; load data, test systems | High |
| Hot site | Fully provisioned IT and office, HVAC, infrastructure, communications | Short time to load data, test systems. May be yours or vendor staff | High |
| Warm site | Partially IT equipped, some office, data and voice, infrastructure | Days or weeks. Need equipment, data, communications | Moderate |
| Cold site | Minimal infrastructure, HVAC | Weeks or more. Need all IT, office equipment, communications | Lowest |
22
Processing Agreements
| Agreement | Description | Considerations |
|---|---|---|
| Reciprocal or Mutual Aid | Two or more organizations agree to recover critical operations for each other. | Technology upgrades/obsolescence or business growth. Security and access by partner users. |
| Contingency | Alternate arrangements if primary provider is interrupted, i.e., voice or data communications. | Providers may share paths or lease from each other. Question them. |
| Service Bureau | Agreement with application service provider to process critical business function. | Evaluate their loading, geography and ask about backup mode. |
23
Backup Strategies
  • Replication
  • Distributed Processing
  • Electronic Vaulting

24
Backup Strategies
  • Remote Journaling
  • Media Archives
  • Storage Area Network

25
Backup Locations and Storage Criteria
  • On-Site
  • Near-Site
  • Off-Site
  • Storage for additional documentation and supplies

26
Resilience Strategies
  • Site resilience
  • IT resilience
  • Organizational Resilience

27
Domain Agenda
  • Project scope development and planning
  • Business Impact Analysis (BIA) and Functional
    Requirements
  • Business Continuity and Recovery Strategy
  • Plan Design and Development
  • Implementation
  • Restoration
  • Feedback and Plan Management

28
Emergency Response Procedures
  • Topics
  • Event Reporting
  • Life, Health, Safety
  • Damage Assessment
  • Triage and Escalation
  • Disaster Declaration
  • Alerting, Activation and Notification
  • Reporting, Communication

29
Personnel Notification
  • Executive Succession Planning
  • Executive Crisis Management Role
  • BC Coordinator and Teams
  • Notification Lists
  • Public Relations

30
Backups and Offsite Storage
  • Backup and offsite storage
  • Inventory
  • Facility Accessibility
  • Facility Resilience

31
Communications
  • Emergency Communication Systems
  • Business Communication Systems
  • Networks

32
Alternate Site Considerations
  • Utilities
  • Communications
  • Environmental Protections
  • Space
  • Critical IT and Communications

33
Logistics and Supplies
  • Personnel and Materials Transportation
  • Alternate Site Workspace
  • Personnel Support and Welfare
  • Remote Worker Environment Activation
  • Emergency Funds Access

34
Logistics and Supplies
  • Additional Contingencies
  • Family Responsibilities
  • Fraud and Looting
  • Safety and Legal Issues
  • Escalated Management Authority

35
Documentation
  • BC/DR Plans
  • Activity and Status Reports
  • Issue Identification and Resolution Reports
  • Checklists
  • Recovery Deactivation Plans

Business Continuity Plan
36
Business Continuity and Resumption Planning
  • Risk Avoidance and Mitigation Planning
  • Emergency Business Recovery Procedures
  • Contracts for Emergency Vendor Services

37
Domain Agenda
  • Project scope development and planning
  • Business Impact Analysis (BIA) and Functional
    Requirements
  • Business Continuity and Recovery Strategy
  • Plan Design and Development
  • Implementation
  • Restoration
  • Feedback and Plan Management

38
Training
| Audience | Key education expectation | Example Methods |
|---|---|---|
| All personnel | Awareness of select emergency response | Signage, videos or computer based training, drills |
| Operations | Backup procedures and transmittal/recall from offsite storage; emergency response procedures | Drills, simulations, exercises |
| Recovery Team | Recovery procedures | Drills, simulations, exercises, parallel tests |
| EOC Teams | Training on EOC procedures criteria | Workshops, simulations, exercises, parallel tests |
39
Testing Purpose
  • Measure Plan Effectiveness
  • Assess Personnel Readiness and increase their
    Familiarity

40
Test Plans
  • Explicit test objectives and success criteria
  • Test Details
  • Schedule
  • Post-test Review

41
Types of Tests
| Type | Purpose | Participants |
|---|---|---|
| Checklist or Desk Check | Review contents | BC Coordinator, authors and independent parties |
| Structured Walk-through | Reviewed more thoroughly with interaction | BC Coordinator, authors and team leaders |
| Simulations | Check plan integration | Personnel have mock event roles and observers |
| Parallel Testing | Measure recovery against non-interrupted operations | All recovery teams and recovery site staff and observers |
| Full Interruption | Most complete metric. Rely on plan | All recovery teams and recovery site staff and observers |
42
Testing Follow-up
  • Deficiencies
  • Plan Assessment
  • Scheduled Test Program

43
Recovery Procedures
  • Local Recovery Procedures
  • Alternate Site Migration
  • Prioritization Validation
  • Transfer and Recovery
  • Certification and Accreditation

44
Audit
  • Assurance of effective BC and DR capability
  • Measures compliance
  • Ensure audit findings are addressed

45
Domain Agenda
  • Project scope development and planning
  • Business Impact Analysis (BIA) and Functional
    Requirements
  • Business Continuity and Recovery Strategy
  • Plan Design and Development
  • Implementation
  • Restoration
  • Feedback and Plan Management

46
Restoration
  • Restoration of Primary Location

47
Procurement
  • Support of Recovery Activities
  • Consolidation of Acquisitions and Disposition
  • Reporting of Restoration Costs

48
Data Recovery
  • Reversal Procedures
  • Business Process Recovery Point
  • Journal and Process Synchronization

49
Relocation to Primary Site
  • Restoration Order and Prioritization
  • End of Disaster Declaration

50
Domain Agenda
  • Project scope development and planning
  • Business Impact Analysis (BIA) and Functional
    Requirements
  • Business Continuity and Recovery Strategy
  • Plan Design and Development
  • Implementation
  • Restoration
  • Feedback and Plan Management

51
Post-recovery Reporting
  • Identification or Remediation of Plan Gaps
  • Lessons Learned
  • Performance Metric Review

52
Plan Review and Evolution
  • Plan Review and Adjustment
  • Training of Key Personnel

53
Communication
  • Plan Distribution
  • Communication of Plan to Stakeholders

54
Domain Summary
  • A Business Continuity and Disaster Recovery
    Planning Project is an ongoing, continuous effort
    to ensure that the business is prepared to handle
    any type of disaster

55
Domain Summary
56
Security Transcends Technology