Disaster Recovery - Indiana University of Pennsylvania


Disaster Recovery versus Continuity of Operations




"Disaster recovery" is the process by which you resume business in the short term after a disruptive event.
"Business continuity planning" is a more comprehensive approach to making sure the organization continues to keep operating and making money.
Disaster recovery could be considered a sub-part of continuity of operations.
Both apply across a range from an earthquake to a computer virus attack.
Business continuity actions



Mitigation: Something done to
reduce the likelihood of occurrence
and the severity of the loss
Avoidance: Actions taken to
eliminate the event from occurring
Transference: Shift the risk to a
third party
Federal Government Continuity of Operations Plan (COOP)


FPC-65 describes the planning considerations and
requirements for COOP plans.
FPC-65 requires that all Federal Executive Branch agencies:







Be capable of implementing their COOP plans with and without
warning.
Be operational not later than 12 hours after activation.
Be capable of maintaining sustained operations for up to 30 days.
Include regularly scheduled testing, training, and exercising of
personnel, equipment, systems, processes, and procedures used
to support the agency during a COOP event.
Provide for a regular risk analysis of current alternate operating
facilities.
Locate alternate facilities in areas where the ability to initiate,
maintain, and terminate COOP is optimal.
Take advantage of existing agency field infrastructures and give
consideration to other options, such as telecommuting, work-at-home, and shared facilities.
Business Continuity Plans

Plans that enable your company to
operate at possibly reduced levels
during and immediately following a
disaster.
Steps in Planning

To build a disaster recovery plan,
the following steps should be taken:





Identify critical assets
Identify risks to the assets
Determine the likelihood of the threat
and reduce it
Steps to minimize damage
Response actions
Contingency Plan Coordination



Designated person to coordinate the
contingency plan
Adequate knowledge to
implement the plan
Select a team to develop and implement
the plan





Finance
Legal
Safety
Production
Administration
Business Impact Analysis




A business impact analysis (BIA) is the first step
in developing a BCP. It should include:
Identification of the potential impact of
uncontrolled, non-specific events on the
institution's business processes and its
customers;
Consideration of all departments and business
functions, not just data processing; and
Estimation of maximum allowable downtime and
acceptable levels of data, operations, and
financial losses.
Business Impact Analysis



As part of a disaster recovery plan, BIA is likely to
identify costs linked to failures, such as loss of
cash flow, replacement of equipment, salaries
paid to catch up with a backlog of work, loss of
profits, and so on.
A BIA report quantifies the importance of
business components and suggests appropriate
fund allocation for measures to protect them.
The possibilities of failures are likely to be
assessed in terms of their impacts on safety,
finances, marketing, legal compliance, and quality
assurance.
Risk Assessment


Combined likelihood and severity of the
event
Tangible losses
Costs that can be readily quantified
- Lost productivity
- Lost income
- Extra expenses
- Property damage
Intangible losses
Costs related to the event but hard to quantify
- Lost business opportunities
- Damaged reputation
Examples of Risk Assessments







Tornadoes
Earthquakes
Thunderstorms
Snows
Extreme thunderstorms
Hurricanes
Floods
Potential Manmade Risks






Maps of hazardous materials routes
Locations of hazardous facilities
Pipelines
Railroads
Dams
Rivers
Facility Risks






Electricity
Telephones
Water
Climate control
Data networks
Structural
Security Risks





Workplace violence
Bomb threats
Physical security of property
Sabotage
Intellectual property thefts
Medical Threats



Illness
Deaths
Serious accidents
Factors that can Affect Risks



Time of day
Day of the week
Location
COOP Elements

Elements that make a COOP plan viable
include:









Essential functions.
Delegations of authority.
Succession planning.
Alternate facilities.
Interoperable communications.
Vital records and databases.
Human capital.
Testing, training, and exercise program.
Plans for devolution and reconstitution.
COOP Plans

COOP planning objectives include:







Ensuring continued performance of essential
functions.
Reducing loss of life and minimizing damage.
Ensuring succession to office of key leaders.
Reducing or mitigating disruptions to
operations.
Protecting essential assets.
Achieving a timely recovery and reconstitution.
Maintaining a test, training, and exercise
program for program validation.
FEMA’s COOP Elements

Elements that make a COOP plan
viable include:







Essential functions
Delegations of authority
Succession planning
Alternate facilities, communication
systems
Vital records and databases
A test, training, and exercise program
Plans for devolution and reconstitution
Essential Functions


Essential functions are those
functions that allow the organization
to provide vital services
Essential functions are those
functions which must continue to be
provided without interruption
Delegations of Authority

Delegations should be
predetermined and documented
in writing. They should state
explicitly:




What authorities are delegated.
To whom.
Exceptions to the successor’s authority
to redelegate.
Limitations on the delegated authority.
Succession Planning


An order of succession provides an orderly transition of power in the event of an emergency.
Orders of succession should be established for management, supervisors, etc. who are responsible for performing essential functions.
Alternate Facilities, Communications


In the event of a disaster,
arrangements for alternate facilities
should be identified beforehand
Arrangements should be made
ahead of time to ensure
communication systems can be
brought back up and operational
with limited interruptions
Vital Records



In the event of a disaster, loss of
data and loss of records may occur
Provisions and procedures should
be made in advance to ensure back
up copies are made and available
Examples of these records include
legal records, financial records, etc.
Tests

From a COOP perspective, tests are an excellent
way to evaluate functions such as:
- Communications connectivity.
- Alert and notification procedures.
- Deployment procedures.
Training



Training is instruction in core competencies
and skills and is the principal means by
which individuals achieve a level of
proficiency
Provides the tools needed to accomplish a
goal, meet program requirements, or
acquire a specified capability.
Training encompasses a range of activities,
each intended to provide information and
refine skills.
Exercises


Exercises are events that allow
participants to apply their skills and
knowledge to improve operational
readiness.
Exercises also allow planners to
evaluate the effectiveness of
previously conducted tests and
training activities.
Devolution

Devolution is the capability to
transfer statutory authority and
responsibility for essential functions
from an agency’s primary operating
staff and facilities to other
employees and facilities.
Reconstitution

Reconstitution is the process by
which agency personnel resume
normal agency operations from the
original or a replacement primary
operating facility.