
Covered Topics

Disaster Recovery / Business Continuity Planning to reduce your organization’s IT Risk Profile: “prepare, organize, execute”. Best Practices, presented by Tim Woodcock. Covered topics: Statistics, Definitions and Dangerous Excuses.




Presentation Transcript


  1. Disaster Recovery / Business Continuity Planning to reduce your organization’s IT Risk Profile. “prepare, organize, execute”. Best Practices. Presented by Tim Woodcock

  2. Covered Topics
  • Statistics, Definitions and Dangerous Excuses
  • 5 Phases of Business Continuity Planning “BCP” (also referred to as Disaster Recovery Planning “DRP”)
  • IT Risks & Countermeasures (follow the BCP) (group participation)
  • Key Considerations in Disaster Planning & Management
  • Tips for Preventative Maintenance
  • Q&A

  3. Areas of Risk: hackers – hurricanes – fires – flooding – power outages – denial of service attacks – telecommunication outages – loss of internet access – hardware failures – application failures – employee error – virus attacks – sabotage – terrorism. Can you think of other areas of risk?

  4. Statistics
  • 75% of all incidents are caused by system & hardware malfunctions (MTBF)… and human error. “Did I just format my hard drive?”
  • 78% of businesses have data backup systems, but very few have a plan to access that data if and when a disaster occurs… “what do you mean, there is nothing on the tape?”

  5. Statistics
  • 80% of all businesses do not have a Disaster Recovery Plan (Business Continuity Plan) in place.
  • 50% of companies that experience a computer outage lasting more than 10 days go out of business within five years, and most never fully recover financially. (Gartner Group)

  6. Since 9/11, Disaster Recovery Planning (DRP) is now referred to as Business Continuity Planning (BCP).

  7. DRII Certification Changes (www.drii.org): Certified Business Continuity Professional (CBCP), formerly Certified Disaster Recovery Planner (CDRP).

  8. What is Business Continuity Planning (BCP)? Planning ahead to avoid problems (plan for the worst; hope for the best) and being prepared in the event of a problem. Some everyday examples:
  • Spare tire in the trunk of the car
  • Yearly flu shot
  • Emergency exit signs
  • 911 Emergency support services
  • Business Continuance Insurance

  9. BCP Focuses on:
  • Realizing what processes are needed to keep the organization running.
  • Realizing and prioritizing the risks, if the processes are disrupted.
  • Implementing solutions designed to minimize the risks and keep the organization functioning…

  10. BCP Goals
  • Protect your:
    • People
    • Data
    • vital communications
    • Assets
    • brand and reputation.
  • Minimize threats, impacts and downtime.
  • Mitigate any losses.
  • Ensure your organization continues to operate, and does so in a cost-effective way.

  11. Dangerous Excuses for not implementing a BCP
  • It costs too much money to implement.
  • Not enough time or resources.
  • It will never happen to our company.
  • Why bother? We have good data backups.
  • We “plan” on implementing one next year.
  • Fill in your lousy excuse here ___________

  12. The BCP is a catalog of countermeasures for your business, in order of occurrence probability. Most important processes addressed FIRST; least important processes addressed LAST.

  13. The Starting Point: everyone must participate for BCP to succeed
  • Executive management must be onboard.
  • Assign a “Business Continuity Planner” to head up discovery & implementation.
  • Assemble an Emergency Management Team (a cross-functional team that must represent all departments):
    • Management
    • IT / telecommunications
    • facilities and power
    • accounting
    • customer service
    • human resources
    • public relations
    • membership

  14. The 5 Phases of the Business Continuity Planning Process (flowchart; each phase feeds the next and the cycle returns to the start)
  • Risk Evaluation
  • Business Impact Analysis (BIA)
  • Alternative Strategies & Recommendations
  • Develop, Document, Implement BCP
  • Monitor, Test and Adjust

  15. Risk Evaluation (utilizing the BCP)

  16. Risk Evaluation [Flowchart of the 5 BCP phases; Risk Evaluation sub-steps: Identify Key Risks, Vulnerability Analysis, Prioritize Probable Threats]

  17. Identify Key IT Risks (Risk Evaluation)
  • Data Loss / Corrupt
  • Security Breach
  • Loss of Key personnel
  • Virus – SPAM – Spyware Attacks
  • File Server / Network Down
  • Power Outage
  • Loss of Phones / Fax
  • Loss of Internet
  Other IT Risks?

  18. Risk Evaluation [Flowchart of the 5 BCP phases; Risk Evaluation sub-steps: Identify Key Risks, Vulnerability Analysis, Prioritize Probable Threats]

  19. Vulnerability Analysis (Risk Evaluation): “inventory & review everything” (hardware, software, policies, procedures, responsibilities, etc.)
  • Data Loss / Corrupt – (backup procedures)
  • Security Breach – (internal / external security risk analysis)
  • Virus Attack – (software updates, verification)
  • SPAM Attack – (filter process, updates)
  • File Server / Network Down – (PM, MTBF)
  • Power Outage – (UPS, power generator, location, seasonal)
  • Loss of Phones / Fax – (Telco, spares, SLA)
  • Loss of Internet – (ISP, data line, equipment)

  20. Risk Evaluation: always ask ‘what if?’ [Flowchart of the 5 BCP phases; Risk Evaluation sub-steps: Identify Key Risks, Vulnerability Analysis, Prioritize Probable Threats] There are various ways to prioritize. One of the most effective is the 1-2-3 (tic-tac-toe) method.

  21. Prioritize Probable Threats (Risk Evaluation): probability of occurrence, 1=low, 2=medium, 3=high
  • Data Loss / Corrupt – 3
  • Security Breach – 3
  • Virus Attack – 1
  • Loss of key personnel – 2
  • File Server / Network Down – 3
  • Power Outage – 2
  • Loss of Phones / Fax – 2
  • Loss of Internet – 3

  22. Business Impact Analysis (BIA) (utilizing the BCP)

  23. Business Impact Analysis (BIA) [Flowchart of the 5 BCP phases; BIA sub-steps: Prioritize Critical Business Functions, Establish Recovery Times, Determine Dollar Value Exposure, Profitability Analysis, Evaluate Security & Controls, Cost Benefit Analysis, Prioritize Risk X Impact] Prioritize Critical Business Functions: Personnel, Workplace, Customer Service, Billing, IT infrastructure, etc.

  24. Business Impact Analysis (BIA) [BIA flowchart, as on slide 23] Establish Recovery Times: Immediate, up to 4 hours, Same day, 24-48-72 hours, or greater.

  25. Business Impact Analysis (BIA) [BIA flowchart, as on slide 23] Determine Dollar Value Exposure: play the ‘what if’ game. Explore the cost of downtime/hr for each area of concern: $28 to >$350 per man-hour.

  26. Cost of Exposure: a monetary value must be placed on all key processes. This will help determine the importance of restoring that process.

  27. Business Impact Analysis (BIA) [BIA flowchart, as on slide 23] Profitability Analysis:
  • Each dept. is a business unit
  • Analyze all aspects of the unit
  • Determine its profitability
  • Determine necessities for operational status

  28. Business Impact Analysis (BIA) [BIA flowchart, as on slide 23] Evaluate Security & Controls: a very important phase in Risk Reduction. Perform a security risk analysis.

  29. Evaluate Security and Controls
  • Perform a Security Risk Analysis
  • Performed by:
    • Experienced internal IT staff
    • Outside professional firm
  • Review all potential risk exposures:
    • Network vulnerabilities
    • Router & firewall vulnerabilities
    • Current password and data access policies
    • Remote access to network
    • Virus / SPAM protection & E-mail policies
    • Operating system security patches and updates
    • Other security Risks? _________________

  30. The Benefits
  • Expose existing system and policy vulnerabilities.
  • Strengthen existing security policies & procedures.
  • Create the policies & procedures that do not yet exist.
  • Thereby mitigating your risk.

  31. Business Impact Analysis (BIA) [BIA flowchart, as on slide 23] Cost Benefit Analysis: helps justify the need for implementing solutions to lower exposed risks, e.g. tape backup hardware/software or a secondary archiving/HA solution.

  32. Business Impact Analysis (BIA) [BIA flowchart, as on slide 23] Prioritize Risk X Impact: values are assigned to each risk & process and prioritized according to importance; this helps determine the order of restoration.

  33. Prioritize Risk X Impact (BIA): impact on business (cost and impact on business), 1=low, 2=medium, 3=high
  • Data Loss / Corrupt
  • Security Breach
  • Absent Producers
  • SPAM Attack
  • File Server / Network Down
  • Power Outage
  • Loss of Phones / Fax
  • Loss of Internet
  Impact ratings as they appear on the slide, in order: 3, 3, 1, 1, 3, 3, 3, 3, 3

  34. Determine the order of Risk Avoidance & Mitigation. Risk evaluation: Server down = 3. BIA impact on business: Server down = 3. Smart planners keep a coin handy to resolve equal-number risks…
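The Risk × Impact ordering of slides 21, 33 and 34, combined with the dollar-exposure ‘what if’ of slide 25, as an added worked example that is not part of the presentation; the risk names, 1-2-3 scores, downtime hours and hourly costs are constructed sample values in the style of the slides, not figures from the deck.

```python
# Added example (not the presenter's material): Risk x Impact ordering in the
# style of slides 21, 33 and 34, plus the dollar exposure idea of slide 25.
# All names, scores and costs below are constructed sample values.
from dataclasses import dataclass
from itertools import groupby

VALID = (1, 2, 3)  # 1=low, 2=medium, 3=high, as on slides 21 and 33

@dataclass(frozen=True)
class Risk:
    name: str
    probability: int       # Risk Evaluation score (slide 21 scale)
    impact: int            # BIA impact score (slide 33 scale)
    downtime_hours: float  # expected outage length for the 'what if' game
    hourly_cost: float     # cost of downtime per hour for the affected area

    def __post_init__(self):
        if self.probability not in VALID or self.impact not in VALID:
            raise ValueError(f"{self.name}: scores must be 1, 2 or 3")

    def score(self) -> int:            # Risk x Impact, ordering key of slide 34
        return self.probability * self.impact

    def exposure(self) -> float:       # dollar exposure of one occurrence (slide 25)
        return self.downtime_hours * self.hourly_cost

def prioritise(risks):
    """Tiers of (score, names), highest Risk x Impact first. Equal scores
    share a tier: the case slide 34 leaves to the planner's coin."""
    ordered = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(score, [r.name for r in group])
            for score, group in groupby(ordered, key=lambda r: r.score())]

def exposure_report(risks):
    """(name, dollars) pairs, largest single-occurrence exposure first."""
    return sorted(((r.name, r.exposure()) for r in risks),
                  key=lambda pair: pair[1], reverse=True)

SAMPLE = [  # constructed catalogue in the style of slides 21 and 33
    Risk("Data Loss / Corrupt", 3, 3, 8, 350.0),
    Risk("Security Breach", 3, 3, 24, 350.0),
    Risk("File Server / Network Down", 3, 3, 4, 280.0),
    Risk("Loss of Internet", 3, 3, 4, 150.0),
    Risk("Power Outage", 2, 3, 2, 100.0),
    Risk("Loss of Phones / Fax", 2, 3, 4, 28.0),
    Risk("Loss of key personnel", 2, 1, 40, 60.0),
    Risk("Virus Attack", 1, 1, 6, 90.0),
]
```

Four risks tie at a score of 9, which is exactly the situation slide 34 describes; the exposure report gives the planner a second, dollar-based view for breaking such ties before reaching for the coin.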

  35. Alternative Strategies & Recommendations(utilizing the BCP)

  36. Develop Alternative Strategies [Flowchart of the 5 BCP phases; Alternative Strategies sub-steps: Identify Strategy Needs, Reduce Risk Profile, Focus on Quick Recovery, Focus on Mitigating Damages, Alternate Sites & Storage, Business Interruption Insurance] Identify Strategy Needs: BIA info is used to determine necessary changes. Example: tape archive takes too long, needs multiple tapes, dips into production time… a new solution needs to be implemented.

  37. Develop Alternative Strategies [Alternative Strategies flowchart, as on slide 36] Reduce Risk Profile:
  • New vs. upgrade equipment (MTBF)
  • Employee training program
  • Increased security & awareness
  • Think ‘out of the box’, minimum down-time

  38. Develop Alternative Strategies [Alternative Strategies flowchart, as on slide 36] Focus on Quick Recovery:
  • Cross training of employees
  • Software, hardware, vendor services availability
  • All possible scenarios should be considered and prepared for

  39. Develop Alternative Strategies [Alternative Strategies flowchart, as on slide 36] Focus on Mitigating Damages:
  • Preventative maintenance
  • Cross training personnel
  • Test data restore & system fail-over programs regularly
  • Continued awareness meetings

  40. Develop Alternative Strategies [Alternative Strategies flowchart, as on slide 36] Alternate Sites & Storage: multiple storage & HA technologies (replicated server, multiple site utilization, SAN, online, etc.)

  41. Develop Alternative Strategies [Alternative Strategies flowchart, as on slide 36] Business Interruption Insurance: business continuance insurance, based on the total risk discovered during the BIA phase. Helps mitigate the costs incurred to rebuild and continue business immediately following a disaster.

  42. Develop, Document & Implement BCP(utilizing the BCP)

  43. Develop, Document & Implement BCP [Flowchart of the 5 BCP phases; Develop, Document & Implement sub-steps: People, Processes, Data] People:
  • Create your BCP with confidence, protecting your people first
  • Establish responsibilities & emergency workflows for each risk scenario
  • Ensure communication & availability of key personnel (and cross-train)
  • List & hand out cell phone, home phone, contact info, hot site location, etc.

  44. Develop, Document & Implement BCP [Develop, Document & Implement flowchart, as on slide 43] Processes: document the who-where-how for all possible scenarios. Examples: Who is responsible for ensuring the tape backups are working & available? Who is the ‘alternate person’, and how will they have access to the tapes? Who is in charge of a replacement server & correct backup device?

  45. Develop, Document & Implement BCP [Develop, Document & Implement flowchart, as on slide 43] Data: both preventative & emergency procedures must be documented and agreed to by all parties responsible for ensuring the security & expedient restoration of company data. ‘PM’ is less expensive than the aftermath of an unnecessary disaster (i.e. test restores, off-site backup, SAN, High Availability solutions).

  46. Monitor, Test & Adjust [Flowchart of the 5 BCP phases; Monitor, Test & Adjust sub-steps: Train, Implement Testing Program, Audit & Adjust] Train:
  • Initial training
  • Annual training
  • Cross-training

  47. Monitor, Test & Adjust [Monitor, Test & Adjust flowchart, as on slide 46] Implement Testing Program:
  • Initial testing
  • Annual testing
  • Find weaknesses
  Also listed: software/hardware changes, vendor & utility changes, external changes, new personnel, policy changes

  48. Monitor, Test & Adjust [Monitor, Test & Adjust flowchart, as on slide 46] Audit & Adjust:
  • Find weaknesses
  • Formulate solutions
  • Regularly reviewed
  • Continued positive effect

  49. Key Considerations in Disaster Planning & Management for Independent Agencies & Brokerage Firms. An Agents Council for Technology Report, March 15, 2005
