Business Resumption Planning with Case Studies by PRITI


PRITI SIKDAR (F.C.A., D.I.S.A., C.I.S.A., C.I.S.M., I.S.O. 27001 L.A.), Manager-Business Risk Services, 29th November 2007.

Business Resumption is…

• When we think of Disaster Recovery we often think of occurrences such as a server crashing, a router going down, or a virus or worm damaging our data. More often than not we are ready for these situations with backups, a replacement drive, or the ability to divert traffic to another machine.

• But implicit in the Disaster Recovery Plan is a critical, although often discounted, component: business resumption!

• It is the process of recovering all systems and related processes after a disaster in order to return to business as usual. It involves re-opening each of the institution's components, then testing and revising the process based on the results.

Prepare the Business Resumption Plan according to the type and impact of the disaster:

- Floods
- Fire
- Earthquakes
- Storms
- Lightning
- Tornadoes
- High Winds
- Power Failures
- Hardware Failures

How Do Businesses Survive Disaster?

Businesses that survive disaster are those with a cohesive business resumption plan. What are we planning for?

1) Crisis
– Localized to a system or resource. "Half of U.S. corporations rate their internet downtime costs at more than $1,000 per hour." Communication failure and link failure lead to loss of data.
– Minor interruption to business due to virus infestation, computer crime and the like.

2) Disaster
– Contained within an area; caused by economic sanctions or human error.
– Damage to or loss of property due to terrorism and sabotage.

3) Catastrophe
– Regional or larger.
– Infrastructure disrupted.

Characteristics of a good BRP

A good Business Resumption Plan:

• Identifies the pre-set arrangements you need to have on "stand-by" in order to get vital functions operating again with as little delay as possible
• Ensures the availability of necessary resources including personnel, information, equipment, financial arrangements, services and accommodations
• Helps an operation to survive an unplanned interruption by making sure essential client needs can be met until normal operations are resumed.

Two major factors to consider while implementing a BRP

• Business Factors:

1. Insurance of:
- Equipment and Facility insurance
- Business interruption insurance
- Extra Expense
- Professional Liability
- Extra Equipment Coverage
- Data Reconstruction
- Specialized Equipment Coverage
- Valuable Papers and Records
2. Business Risk (dependency on Information Technology)

• Driving Factor:

Legal/Regulatory Compliance (SOX 404, MI 52-109)

Components of a Business Resumption Plan

• People
• Process
• Technology

Baseline Requirements

Before you can begin to design a Business Resumption Plan there are some primary Disaster Recovery activities that must be implemented. Without these procedures in place, no plan will ever be successful.

• Management buy-in for disaster recovery and resumption must exist from the very beginning.

• Your mission-critical data must be backed up on a defined schedule and fully documented. This includes which server is backed up onto which tape, where key data is located, the type of backup device, and even the backup type (differential, incremental, etc.).

• At least one set of backups must be in secured offsite storage. This set should be rotated back onsite, with a more recent backup sent offsite.

• Rotation should occur at a minimum of once per week. You should also maintain a full month-end backup and a set of current emergency repair disks offsite.
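The backup baseline above is something an auditor can check mechanically against the backup documentation. The following is an added example, not part of the presentation: it walks a constructed backup catalogue (hypothetical server and tape names) and reports, per mission-critical server, whether a backup is documented at all, whether an offsite copy exists, whether that copy has been rotated within the one-week limit, and whether a full month-end backup is held offsite. The check date is assumed to be the presentation date.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample catalogue: hypothetical server and tape names, not the
# presentation's data. Each record documents which server went to which tape,
# the backup type, when it was taken and where the tape now sits.
@dataclass(frozen=True)
class BackupRecord:
    server: str      # server that was backed up
    tape: str        # tape it was written to
    kind: str        # "full", "differential" or "incremental"
    taken: date      # date the backup was taken
    location: str    # "onsite" or "offsite"

MISSION_CRITICAL = ("db01", "mail01", "fileserver")   # hypothetical names
ROTATION_MAX_DAYS = 7       # rotation at a minimum of once per week
AS_OF = date(2007, 11, 29)  # "today" for the check (the presentation date)

SAMPLE_CATALOGUE = [
    BackupRecord("db01", "T-100", "full", date(2007, 10, 31), "offsite"),        # month-end set
    BackupRecord("db01", "T-101", "full", date(2007, 11, 23), "offsite"),
    BackupRecord("db01", "T-102", "incremental", date(2007, 11, 28), "onsite"),
    BackupRecord("mail01", "T-201", "full", date(2007, 11, 10), "offsite"),      # stale offsite copy
    BackupRecord("mail01", "T-202", "differential", date(2007, 11, 27), "onsite"),
    BackupRecord("fileserver", "T-301", "full", date(2007, 11, 26), "onsite"),   # never sent offsite
]

def check_baseline(catalogue, as_of=AS_OF, critical=MISSION_CRITICAL):
    """Map each mission-critical server to its list of baseline violations.
    An empty list means that server meets the backup baseline."""
    findings = {}
    for server in critical:
        records = [r for r in catalogue if r.server == server]
        problems = []
        if not records:
            problems.append("no backup documented")
        else:
            offsite = [r for r in records if r.location == "offsite"]
            if not offsite:
                problems.append("no offsite copy")
            else:
                newest = max(offsite, key=lambda r: r.taken)
                age = (as_of - newest.taken).days
                if age > ROTATION_MAX_DAYS:
                    problems.append(
                        f"offsite copy is {age} days old (max {ROTATION_MAX_DAYS})")
        findings[server] = problems
    return findings

def month_end_full_offsite(catalogue, as_of=AS_OF):
    """True if a full backup taken on the last day of the previous month is offsite."""
    prev_month_end = as_of.replace(day=1) - timedelta(days=1)
    return any(r.kind == "full" and r.location == "offsite" and r.taken == prev_month_end
               for r in catalogue)

if __name__ == "__main__":
    for server, problems in check_baseline(SAMPLE_CATALOGUE).items():
        print(server, "OK" if not problems else "; ".join(problems))
    print("month-end full backup offsite:", month_end_full_offsite(SAMPLE_CATALOGUE))
```

Run against the sample catalogue, db01 passes, mail01 is flagged because its newest offsite tape is 19 days old, and fileserver is flagged because nothing has ever left the building. The same functions can be pointed at a real catalogue export once it is loaded into BackupRecord objects.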

Steps involved in building an effective Business Resumption Plan

1) Establish a Business Resumption Planning Committee

• Project Leader
• Project Plan/Control
• Committee Selection
• Assign Responsibilities
• Regular Committee Meetings
• Periodic Management Briefings

2) Perform a Business Resumption Capability Assessment

• Assess how quickly and fully you need to resume if a disruption were to occur today. What are your critical business needs?

• Security Check List
• Recovery Analysis
• Task Assignments

3) Perform a Risk Analysis

• Risk Assessment
• Risk Management
• Evaluate Threats
• Establish Controls
• Review Security Measures

Study the business impact factors

[Figure: business impact matrix, plotting each threat on an impact scale of 10 to 100 against a probability factor scale of 1 to 10]
- High Impact / Low Probability: Terrorist Attack, Earthquake, Hurricane, Computer Failure
- Low Impact / Low Probability: Workplace Violence, Staffing Issues
- Tornado, Virus Attack and Snow Storm appear alongside the High Impact / High Probability quadrant
- Low Impact / High Probability: (quadrant label only)
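The matrix on this slide can be reproduced as a small scoring routine. This is an added example, not the presentation's own material: the threat names are the ones plotted on the slide, but the impact and probability numbers, the axis mid-points used as thresholds, and the quadrant ordering are assumptions for illustration. It shows why a matrix is used rather than a single number: a plain impact-times-probability score can rank a Low Impact / Low Probability item above a High Impact / Low Probability one, while the quadrant-first ordering keeps every high-impact threat ahead of the low-impact ones.

```python
# Constructed threat register with hypothetical scores; the names are the ones
# plotted on the slide's matrix, the numbers are assumed for illustration.
# Scales follow the slide's axes: impact factor 10..100, probability factor 1..10.
THREATS = {
    "Terrorist Attack":   (100, 1),
    "Earthquake":         (90, 2),
    "Hurricane":          (80, 3),
    "Computer Failure":   (70, 4),
    "Tornado":            (60, 6),
    "Virus Attack":       (80, 9),
    "Snow Storm":         (60, 8),
    "Workplace Violence": (40, 3),
    "Staffing Issues":    (20, 3),
}

IMPACT_THRESHOLD = 50   # assumed mid-point of the 10..100 impact axis
PROB_THRESHOLD = 5      # assumed mid-point of the 1..10 probability axis

QUADRANT_ORDER = {      # assumed order in which the quadrants get planning attention
    "High Impact / High Probability": 0,
    "High Impact / Low Probability": 1,
    "Low Impact / High Probability": 2,
    "Low Impact / Low Probability": 3,
}

def quadrant(impact, probability):
    """Place a threat in one of the four cells of the impact/probability matrix."""
    hi = "High Impact" if impact > IMPACT_THRESHOLD else "Low Impact"
    hp = "High Probability" if probability > PROB_THRESHOLD else "Low Probability"
    return f"{hi} / {hp}"

def risk_score(impact, probability):
    """Single-number risk rating: impact factor times probability factor."""
    return impact * probability

def rank_by_score(threats):
    """(name, score, quadrant) tuples, highest score first; ties broken by name."""
    rows = [(n, risk_score(i, p), quadrant(i, p)) for n, (i, p) in threats.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def planning_order(threats):
    """Quadrant-first ordering: every High/High threat before any High/Low one,
    and so on, with the score as the tie-breaker inside each quadrant."""
    return sorted(rank_by_score(threats), key=lambda r: (QUADRANT_ORDER[r[2]], -r[1]))

if __name__ == "__main__":
    for name, score, cell in planning_order(THREATS):
        print(f"{name:<20} {score:>4}  {cell}")
```

With these numbers, Workplace Violence (score 120) outranks Terrorist Attack (score 100) on the single score, but the quadrant-first order still places Terrorist Attack, a high-impact threat, ahead of it; the risk analysis step should record which ordering the committee intends to use.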

4) Analyze and Define Requirements for Recovery

• Hardware
• Software - system and application software
• Communications
• Back-up Data
• Physical Facility
• Vendor Support
• Inter-Campus Support
• Office Equipment
• Personnel
• Security
• Forms/Paper Supplies
• Logistics
• Storage
• Funding/Purchase Orders

5) Design and Document the BRP for Recovery Operations

• Damage Assessment Team
• User Liaison Team (if needed)
• Communications Team
• Operations Team
• Security/Back-up Team
• System Software Team
• Procurement Team
• Facilities Team
• Identify Processes Required
• Develop Procedures (by team)
• Risk Manager, or initiate an Audit Review and Approval team

6) Training for business resumption

• Select Training Topics - emergency procedures, use of fire extinguishers, backup retrieval, etc.
• Select Instructors
• Develop Training Material
• Risk Management
• Procedures
• Select Personnel for Training
• Train Personnel

7) Test the BRP

• Frequency - at least annually
• Develop a Test Plan/Script
• Test Scenario
• Evaluation and Reporting
• Follow-up

8) Maintain and Update the BRP

• Follow-up BRP Test
• Report Test Results to Risk Manager
• Institute Controls/Changes - environmental, procedural, personnel, training, etc.

Goals Of The Disaster Recovery & Business Resumption Plan

• Eliminate or reduce the potential for injuries or the loss of human life, damage to facilities, and loss of assets and records:

This requires a comprehensive assessment of each department within the institution, to ensure that appropriate steps have been taken to:
- Minimize disruptions of services to the institution and its customers;
- Minimize financial loss;
- Provide for a timely resumption of operations in case of a disaster; and
- Reduce or limit exposure to potential liability claims filed against the institution and its directors, officers and other personnel.

• Immediately invoke the emergency provisions of the Disaster Recovery & Business Resumption Plan:

This stabilizes the effects of the disaster and allows for appropriate assessment and the beginning of recovery efforts. We then minimize the effects of the disaster and provide for the fastest possible recovery.

• Implement the procedures contained in the Disaster Recovery & Business Resumption Plan:

Take care to gauge the disaster and measure its likely impact.

Recovery Time Objectives (RTO) & Recovery Point Objectives (RPO)

RTO (recovery-time objective) indicates the allowable downtime: the point in time by which business operations must have resumed after a disaster.

RPO (recovery-point objective) signifies the amount of data that it is acceptable to have lost, and that must subsequently be recovered, once the service is restored.

Determining Recovery Objectives

[Figure: two axes. Vertical axis, Recovery Point Objective ("Freshness"): months, weeks, days, hours, minutes, seconds, Zero. Horizontal axis, Recovery Time Objective ("Downtime"): Zero, seconds, minutes, hours, days, weeks, months. Centre question: What are my disaster recovery needs?]

• "I'm up and running in seconds, but I've lost a day's data" (short RTO, long RPO)
• "I lost no data but it took me a week to get back up and running" (zero RPO, long RTO)

Develop Recovery Time Objective

Once you have completed the identification and prioritization of the business functions it is time to outline your planning objective: basically what gets fixed, how quickly, and to what level of service. It may help to structure this in the form of a table such as that shown below.

Essential Function     Resumption Objective (priority)   Resumption Alternative
Telephone Service      0 - Immediately                   Cellular Telephones
Email Connectivity     0 - Immediately                   Free service – temporary solution
Firewall Protection    1 - First Day                     Co-Location
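The RTO and RPO definitions and the resumption table above can be turned into a check that a backup and restore arrangement actually meets the objectives set for each essential function. This is an added example, not from the presentation: the function names and alternatives follow the table, but the hour figures (backup interval, offsite lag, restore time) are assumed for illustration. The worst-case data loss is taken as one full backup interval plus the time a copy spends in transit to offsite storage, which is the figure that must be compared against the RPO; the restore time is compared against the RTO.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EssentialFunction:
    name: str
    rto_hours: float               # allowable downtime (Recovery Time Objective)
    rpo_hours: float               # acceptable data loss (Recovery Point Objective)
    backup_interval_hours: float   # how often a restorable copy is taken
    offsite_lag_hours: float       # delay before that copy is offsite and usable
    restore_hours: float           # time to rebuild, restore and verify the function
    alternative: str               # interim workaround from the resumption table

# Constructed sample functions: names and alternatives follow the table above,
# the hour figures are assumed for illustration.
SAMPLE_FUNCTIONS = [
    EssentialFunction("Telephone Service", 0, 24, 0, 0, 0.25, "Cellular Telephones"),
    EssentialFunction("Email Connectivity", 0, 24, 24, 24, 4, "Free service – temporary solution"),
    EssentialFunction("Firewall Protection", 24, 24, 24, 0, 8, "Co-Location"),
]

def worst_case_data_loss(f):
    """Worst-case data loss: a disaster just before the next copy is taken loses
    a whole backup interval, plus anything still in transit to offsite storage."""
    return f.backup_interval_hours + f.offsite_lag_hours

def assess(functions):
    """Map each function to its list of objective gaps; an empty list means met."""
    report = {}
    for f in functions:
        gaps = []
        loss = worst_case_data_loss(f)
        if loss > f.rpo_hours:
            gaps.append(f"RPO gap: may lose {loss:g}h of data, objective {f.rpo_hours:g}h")
        if f.restore_hours > f.rto_hours:
            gaps.append(f"RTO gap: restore takes {f.restore_hours:g}h, objective {f.rto_hours:g}h "
                        f"(interim: {f.alternative})")
        report[f.name] = gaps
    return report

def resumption_priority(functions):
    """Resumption order: tightest RTO first, then tightest RPO (stable for ties)."""
    return [f.name for f in sorted(functions, key=lambda f: (f.rto_hours, f.rpo_hours))]

if __name__ == "__main__":
    for name in resumption_priority(SAMPLE_FUNCTIONS):
        gaps = assess(SAMPLE_FUNCTIONS)[name]
        print(name, "-", "objectives met" if not gaps else "; ".join(gaps))
```

For the sample data, Email Connectivity fails both objectives: a daily tape that takes a further day to reach offsite storage exposes up to 48 hours of mail against a 24-hour RPO, and a four-hour rebuild cannot satisfy an "immediately" RTO without the interim free service named in the table. Firewall Protection, with a first-day objective, is met.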

Set your priorities

When we implement these procedures, we must prioritize all recovery efforts as follows:

– Employees: Not only must we help to ensure their survival as a basic human concern, but also because of their anticipated role in helping other persons on the institution's premises when the disaster strikes;

– Customers: As we do with employees, we must help to ensure the survival of, or care for, customers affected by the disaster: physically, mentally, emotionally and financially;

– Facilities: After ensuring the safety of employees and customers, we then secure each facility as shelter for both people and assets;

– Assets: Conducting a damage assessment will determine which assets have been destroyed, which ones are at risk and what resources we have left; and

– Records: Documenting the disaster and the actions taken by the institution's personnel -- when combined with comprehensive videotapes of facilities obtained during routine facility inspections -- reduces the likelihood of legal actions while helping to assess the responsibility for losses.

Put the emphasis on training and on updating the resumption plan

• A comprehensive training program for all personnel at all facilities, conducted at specified intervals -- at least annually -- which may also include:
• Identification and operation of utility shut-off devices;
• Location of emergency staging areas;
• Basic first aid and survival techniques;
• Emergency responsibilities and re-assignment plans for all positions; and
• Written copies of the final Disaster Recovery & Business Resumption Plan distributed to branch and department leaders -- including a complete list of appropriate emergency response agencies and facilities.

Prioritizing resumption requirements

• Prioritization is the process of understanding what will be needed, when, and how long you have to get things rolling again.

• The one consistent activity is the establishment of basic telephone communication, which should always be first on your list.

• List the major functions or activities of your business or organization. (In a large organization, list the "time-critical" functions or activities of each unit, division, department, branch, etc.)

Recovery of Documents

• Have you developed, maintained and implemented an effective storage and recovery plan for the institution's original documents and vital records?

• Recovering business operations after a disaster often requires the use of original documents and vital records not stored as electronic data. The contingency plan should include plans for the consolidation and storage of appropriate original documents and vital records in a central fireproofed location, including:
- Contracts;
- Insurance policies;
- Corporate papers;
- An inventory list of stored items, stored in two (2) locations; and
- Annual review for applicability, currency and legality.

Case Study 1 - The Katrina Disaster

• Hurricane Katrina left behind nearly a million displaced people and destroyed paper medical records, underscoring the critical need for a digital health system. Hurricane Katrina pounded the Gulf Coast as a Category 4 storm at 7 a.m. Monday, August 29, 2005. Raging winds sustained at 140 mph and nearly 13 inches of torrential rain inundated the city for 48 straight hours.

• While the rest of the city went dark, redundant generator power kept St. Tammany alive with light, ensuring that computer operations, internal communication, and critical equipment including air conditioning and elevators never faltered.

Model instance of coping with a disaster

Overview:

Merrill Lynch's Director of Global Contingency Planning was in the company's world-wide headquarters in the World Financial Center, across the street from the World Trade Center, when the 9/11 attacks occurred. Within three to five minutes Merrill Lynch had its command center up and running. In the hour following the attacks, obtaining accurate information was a challenge. With the condition of the surrounding buildings becoming increasingly uncertain, they relied on media reports to keep them up to date. Within a few hours, they were able to go from an employee evacuation and accounting mode to a standard business recovery mode, prioritizing resumption as dictated by the continuity plan. Merrill Lynch mandated the use of LDRPS for all business units worldwide after Y2K.

Building the Foundation for BCP & DC Business Strategy

To unravel the complexity associated with Business Continuity, while maintaining an operational business, we advocate a comprehensive structural approach utilizing building blocks...

Best Results Come From Alignment & Optimization

[Figure: building blocks arranged in three layers]
- Organization: Resource Management, Process Optimization
- Processes: Landscape Architecture, Local Planning, Activity Deployment, Prioritization Planning
- Technology: …

Enabling your company to ensure organizational, business process and technological readiness, while limiting the overall business impact on its Information Technology, Business Processes, the Supply Chain and its client base.

Agility Recovery

A cohesive business resumption plan can prepare your business for nearly any contingency. An integral part of any business resumption plan is a fully functional mobile command center.

Thank You for your time…