
Business Resumption Planning with Case Studies by PRITI SIKDAR (F.C.A., D.I.S.A., C.I.S.A., C.I.S.M., I.S.O. 27001 L.A.), Manager-Business Risk Services, 29th November, 2007.


Presentation Transcript


  1. Business Resumption Planning with Case Studies by PRITI SIKDAR (F.C.A., D.I.S.A., C.I.S.A., C.I.S.M., I.S.O. 27001 L.A.), Manager-Business Risk Services, 29th November, 2007.

  2. Business Resumption is…
  • When we think of Disaster Recovery we often think of occurrences such as a server crashing, a router going down, or a virus or worm damaging our data. More often than not we are ready for these situations with backups, a replacement drive, or the ability to divert traffic to another machine.
  • But implicit in the Disaster Recovery Plan is a critical, although often discounted, component: business resumption! It is the process of recovering all systems and related processes after a disaster in order to return to Business-as-Usual.
  • It involves re-opening each of the institution's components, then testing and revising the process based upon the results.

  3.
  • Floods
  • Fire
  • Earthquakes
  • Storms
  • Lightning
  • Tornadoes
  • High Winds
  • Power Failures
  • Hardware Failures
  Prepare the Business Resumption Plan according to the type and impact of the disaster.

  4. How Do Businesses Survive Disaster?
  Businesses that survive disaster are those with a cohesive business resumption plan. What are we planning for?
  1) Crisis
  • Localized to a system or resource. "Half of U.S. corporations rate their internet downtime costs at more than $1,000 per hour." Communication failure and link failure lead to loss of data.
  • Minor interruption to business due to virus infestation, computer crime and the like.
  2) Disaster
  • Contained within an area; due to economic sanctions, human error
  • Damage to property due to terrorism and sabotage
  3) Catastrophe
  • Regional or larger
  • Infrastructure disrupted or lost

  5. Characteristics of a good BRP
  A good Business Resumption Plan:
  • Identifies the pre-set arrangements you need to have on "stand-by" in order to get vital functions operating again with as little delay as possible
  • Ensures the availability of necessary resources including personnel, information, equipment, financial arrangements, services and accommodations
  • Helps an operation to survive an unplanned interruption by making sure essential clients' needs can be met until normal operations are resumed.

  6. Two major factors to consider while implementing a BRP
  • Business Factors:
  1. Insurance covering:
  - Equipment and Facility insurance
  - Business interruption insurance
  - Extra Expense
  - Professional Liability
  - Extra Equipment Coverage
  - Data Reconstruction
  - Specialized Equipment Coverage
  - Valuable Papers and Records
  2. Business Risk (dependency on Information Technology)
  • Driving Factor: Legal/Regulatory Compliance (SOX 404, MI 52-109)

  7. Components of a Business Resumption Plan: People, Process, Technology

  8. Baseline Requirements
  Before you can begin to design a Business Resumption Plan there are some primary Disaster Recovery activities that must be implemented. Without these procedures in place, no plan will ever be successful.
  • Management buy-in for disaster recovery and resumption should exist right from the beginning.
  • Your mission-critical data must be backed up, on a defined schedule, and fully documented. This includes which server is backed up onto which tape, where key data is located, the type of backup device, and even the backup type (differential, incremental etc.).
  • At least one set of backups must be in secured offsite storage. This set should be rotated back onsite, with a more recent backup sent offsite.
  • Rotation should occur at a minimum of once per week. You should also maintain a full month-end backup and a set of current emergency repair disks offsite.
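The baseline above (server-to-tape mapping, backup type, an offsite set rotated at least weekly, a full month-end backup held offsite) can be audited mechanically against the backup catalog the slide says must be documented. The following Python is an added example written for this page, not code from the presentation: the catalog entries are constructed sample data, and the month-end rule is interpreted here as "an offsite full backup dated on the last day of the previous month". The second function shows why the backup type must be recorded: it works out which tapes a restore needs, treating a differential as capturing everything since the last full and an incremental as capturing only changes since the previous set.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupSet:
    server: str
    tape: str
    backup_type: str   # "full", "differential" or "incremental"
    taken: date
    location: str      # "onsite" or "offsite"


# Constructed sample catalog (not from the presentation). Dates are chosen
# around the presentation date, 29 November 2007.
PRESENTATION_DATE = date(2007, 11, 29)
CATALOG = [
    BackupSet("db01",   "T-1001", "full",         date(2007, 10, 31), "offsite"),  # month-end full
    BackupSet("db01",   "T-1007", "full",         date(2007, 11, 18), "offsite"),
    BackupSet("db01",   "T-1009", "incremental",  date(2007, 11, 24), "onsite"),
    BackupSet("fs01",   "T-2003", "full",         date(2007, 11, 10), "offsite"),
    BackupSet("fs01",   "T-2004", "differential", date(2007, 11, 25), "onsite"),
    BackupSet("mail01", "T-3001", "full",         date(2007, 11, 26), "onsite"),   # never sent offsite
    BackupSet("web01",  "T-4001", "full",         date(2007, 10, 31), "offsite"),  # month-end full
    BackupSet("web01",  "T-4005", "full",         date(2007, 11, 26), "offsite"),
]


def audit_catalog(catalog, today, max_offsite_age_days=7):
    """Return {server: [issue, ...]} for every server that breaks the baseline.

    Two checks per server: the newest offsite set must be no older than the
    rotation interval, and a full backup dated on the previous month's last
    day must be held offsite (assumed reading of 'full month-end backup').
    """
    issues = {}
    prev_month_end = today.replace(day=1) - timedelta(days=1)
    for server in sorted({b.server for b in catalog}):
        found = []
        offsite = [b for b in catalog if b.server == server and b.location == "offsite"]
        if offsite:
            newest = max(offsite, key=lambda b: b.taken)
            age = (today - newest.taken).days
            if age > max_offsite_age_days:
                found.append(f"offsite set {newest.tape} is {age} days old (limit {max_offsite_age_days})")
        else:
            found.append("no backup set held offsite")
        if not any(b.backup_type == "full" and b.taken == prev_month_end for b in offsite):
            found.append(f"no month-end full backup ({prev_month_end}) held offsite")
        if found:
            issues[server] = found
    return issues


def restore_chain(catalog, server, as_of):
    """Tapes needed, in apply order, to restore `server` to its newest state on or before `as_of`.

    Start from the most recent full. If differentials exist after it, only the
    latest differential is needed (each one captures every change since the full),
    plus any incrementals taken after that differential. Otherwise apply every
    incremental since the full, in date order.
    """
    sets = sorted((b for b in catalog if b.server == server and b.taken <= as_of),
                  key=lambda b: b.taken)
    fulls = [b for b in sets if b.backup_type == "full"]
    if not fulls:
        return []
    base = fulls[-1]
    after = [b for b in sets if b.taken > base.taken]
    incrementals = [b for b in after if b.backup_type == "incremental"]
    differentials = [b for b in after if b.backup_type == "differential"]
    chain = [base]
    if differentials:
        latest_diff = differentials[-1]
        chain.append(latest_diff)
        chain.extend(i for i in incrementals if i.taken > latest_diff.taken)
    else:
        chain.extend(incrementals)
    return [b.tape for b in chain]


if __name__ == "__main__":
    for server, problems in audit_catalog(CATALOG, PRESENTATION_DATE).items():
        for problem in problems:
            print(f"{server}: {problem}")
    for server in ("db01", "fs01"):
        print(f"{server} restore chain:", restore_chain(CATALOG, server, PRESENTATION_DATE))
```

Run as-is, the audit flags db01 and fs01 for stale offsite sets, fs01 and mail01 for a missing month-end full, and mail01 for having nothing offsite at all, while web01 passes; the restore chains show that db01 needs its 18 November full plus the later incremental, and fs01 needs its full plus the single differential.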

  9. Steps involved in building an effective Business Resumption Plan
  1) Establish a Business Resumption Planning Committee
  • Project Leader
  • Project Plan/Control
  • Committee Selection
  • Assign Responsibilities
  • Regular Committee Meetings
  • Periodic Management Briefings

  10. Steps involved in building an effective Business Resumption Plan
  2) Perform a Business Resumption Capability Assessment
  • Assess how quickly and fully you need to resume if a disruption were to occur today. What are your critical business needs?
  • Security Check List
  • Recovery Analysis
  • Task Assignments
  3) Perform a Risk Analysis
  • Risk Assessment
  • Risk Management
  • Evaluate Threats
  • Establish Controls
  • Review Security Measures

  11. Study the business impact factors
  [Chart: impact versus probability matrix. One axis is the Probability Factor Scale; the quadrants are High Impact / Low Probability, High Impact / High Probability, Low Impact / Low Probability and Low Impact / High Probability. Events plotted: Terrorist Attack, Earthquake, Tornado, Hurricane, Computer Failure, Workplace Violence, Virus Attack, Staffing Issues, Snow Storm. Axis tick values omitted.]

  12. Steps involved in building an effective Business Resumption Plan
  4) Analyze and Define Requirements for Recovery
  • Hardware
  • Software - system and application software
  • Communications
  • Back-up Data
  • Physical Facility
  • Vendor Support
  • Inter-Campus Support
  • Office Equipment
  • Personnel
  • Security
  • Forms/Paper Supplies
  • Logistics
  • Storage
  • Funding/Purchase Orders

  13. Steps involved in building an effective Business Resumption Plan
  5) Design and Document the BRP for Recovery Operations
  • Damage Assessment Team
  • User Liaison Team (if needed)
  • Communications Team
  • Operations Team
  • Security/Back-up Team
  • System Software Team
  • Procurement Team
  • Facilities Team
  • Identify Processes Required
  • Develop Procedures (by team)
  • Review and approval by the Risk Manager, or initiate an Audit Review and Approval team.

  14. Steps involved in building an effective Business Resumption Plan
  6) Training for business resumption
  • Select Training Topics - emergency procedures, use of fire extinguishers, backup retrieval, etc.
  • Select Instructors
  • Develop Training Material
  • Risk Management
  • Procedures
  • Select Personnel for Training
  • Train Personnel

  15. Steps involved in building an effective Business Resumption Plan
  7) Test the BRP
  • Frequency - at least annually
  • Develop a Test Plan/Script
  • Test Scenario
  • Evaluation and Reporting
  • Follow-up
  8) Maintain and Update the BRP
  • Follow up the BRP Test
  • Report Test Results to Risk Manager
  • Institute Controls/Changes - environmental, procedural, personnel, training, etc.

  16. Goals Of The Disaster Recovery & Business Resumption Plan
  • Eliminate or reduce the potential for injuries or the loss of human life, damage to facilities, and loss of assets and records: This requires a comprehensive assessment of each department within the institution, to ensure that appropriate steps have been taken to:
  - Minimize disruptions of services to the institution and its customers;
  - Minimize financial loss;
  - Provide for a timely resumption of operations in case of a disaster; and
  - Reduce or limit exposure to potential liability claims filed against the institution, and its directors, officers and other personnel.
  • Immediately invoke the emergency provisions of the Disaster Recovery & Business Resumption Plan: to stabilize the effects of the disaster, allowing for appropriate assessment and the beginning of recovery efforts. We then minimize the effects of the disaster and provide for the fastest possible recovery.
  • Implement the procedures contained in the Disaster Recovery & Business Resumption Plan: Care is to be taken to gauge the disaster and measure its likely impact.

  17. Recovery Time Objectives (RTO) & Recovery Point Objectives (RPO)
  RTO (recovery-time objective) indicates the allowable downtime, or the point in time by which business operations must resume after a disaster.
  RPO (recovery-point objective) signifies the amount of data that it is acceptable to have lost, and to subsequently recover, once the service is restored.

  18. Determining Recovery Objectives
  [Chart: "What are my disaster recovery needs?" Horizontal axis: Recovery Point Objective ("Freshness"), from Zero through secs, mins, hrs, days, wks, mths. Vertical axis: Recovery Time Objective ("Downtime"), same scale. Two annotated extremes: "I'm up and running in seconds, but I've lost a day's data" (low RTO, high RPO) and "I lost no data but it took me a week to get back up and running" (zero RPO, high RTO).]

  19. Develop Recovery Time Objective
  Once you have completed the identification and prioritization of the business functions it is time to outline your planning objective, or basically what gets fixed, how quickly and to what level of service. It may help to structure this in the form of a table such as that shown below.

  Essential Function   | Resumption Objective (priority) | Alternative
  Telephone Service    | 0 - Immediately                 | Cellular Telephones
  Email Connectivity   | 0 - Immediately                 | Free service - temporary solution
  Firewall Protection  | 1 - First Day                   | Co-Location
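Slides 17 and 19 define RTO and RPO and then record per-function objectives in a table; after an actual interruption the same table is what the test results (step 8 above) are measured against. The following Python is an added example written for this page, not code from the presentation. It models the three rows of the slide's table, adds an RPO column that the slide does not give (an assumption made here so that both objectives can be checked), and evaluates a constructed incident timeline against them: achieved RTO is restoration time minus failure time, achieved RPO is failure time minus the newest restorable point.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryObjective:
    function: str
    rto: timedelta        # maximum tolerable downtime
    rpo: timedelta        # maximum tolerable data loss (age of the restore point)
    alternative: str      # interim workaround while the primary is down


@dataclass(frozen=True)
class Incident:
    function: str
    failed_at: datetime
    last_restorable_point: datetime   # newest state that can actually be recovered
    restored_at: datetime             # service back, on the primary or the alternative


# Objectives modelled on the table on the slide. The RPO column is an assumption
# added here; the slide gives only the resumption time and the alternative.
OBJECTIVES = [
    RecoveryObjective("Telephone Service",   timedelta(0),      timedelta(0),       "Cellular Telephones"),
    RecoveryObjective("Email Connectivity",  timedelta(0),      timedelta(hours=4), "Free service - temporary solution"),
    RecoveryObjective("Firewall Protection", timedelta(days=1), timedelta(days=1),  "Co-Location"),
]

# Constructed incident timeline for a single outage starting 09:00 on 29 Nov 2007.
T0 = datetime(2007, 11, 29, 9, 0)
INCIDENTS = [
    # cellular fallback used at once, nothing lost
    Incident("Telephone Service",   T0, T0,                             T0),
    # mail restored from the 04:00 nightly backup, back at 15:30
    Incident("Email Connectivity",  T0, datetime(2007, 11, 29, 4, 0),   datetime(2007, 11, 29, 15, 30)),
    # firewall rebuilt at the co-location site from the previous evening's config
    Incident("Firewall Protection", T0, datetime(2007, 11, 28, 23, 0),  datetime(2007, 11, 30, 7, 0)),
]


def evaluate(objective, incident):
    """Compare what actually happened with the objective for one function."""
    achieved_rto = incident.restored_at - incident.failed_at
    achieved_rpo = incident.failed_at - incident.last_restorable_point
    return {
        "function": objective.function,
        "achieved_rto": achieved_rto,
        "achieved_rpo": achieved_rpo,
        "rto_met": achieved_rto <= objective.rto,
        "rpo_met": achieved_rpo <= objective.rpo,
    }


def evaluate_all(objectives, incidents):
    """Results keyed by function name, in incident order."""
    by_name = {o.function: o for o in objectives}
    return {i.function: evaluate(by_name[i.function], i) for i in incidents}


def unmet(results):
    """Functions that missed either objective; these go into the test report for the Risk Manager."""
    return [name for name, r in results.items() if not (r["rto_met"] and r["rpo_met"])]


def resumption_order(objectives):
    """Order in which functions must be brought back: tightest RTO first, ties keep table order."""
    return [o.function for o in sorted(objectives, key=lambda o: o.rto)]


if __name__ == "__main__":
    print("Resumption order:", resumption_order(OBJECTIVES))
    results = evaluate_all(OBJECTIVES, INCIDENTS)
    for name, r in results.items():
        print(f"{name}: downtime {r['achieved_rto']} (RTO met: {r['rto_met']}), "
              f"data loss {r['achieved_rpo']} (RPO met: {r['rpo_met']})")
    print("Objectives missed:", unmet(results))
```

With the constructed timeline, telephone service meets both objectives because the alternative took over immediately, the firewall meets its one-day objectives, and email misses both: 6.5 hours of downtime against an "immediately" objective and five hours of lost mail against the assumed four-hour RPO, which is exactly the kind of gap the test follow-up in step 8 is meant to surface.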

  20. Set your priorities
  When we implement these procedures, we must prioritize all recovery efforts as follows:
  • Employees: Not only must we help to ensure their survival as a basic human concern, but also because of their anticipated performance in helping other persons on the institution's premises when the disaster strikes;
  • Customers: As we do with employees, we must help to ensure the survival of, or care for, customers affected by the disaster: physically, mentally, emotionally and financially;
  • Facilities: After ensuring the safety of employees and customers, we then secure each facility as shelter for both people and assets;
  • Assets: Conducting a damage assessment will determine which assets have been destroyed, which ones are at risk and what resources we have left; and
  • Records: Documenting the disaster and the actions taken by the institution's personnel, combined with comprehensive videotapes of facilities obtained during routine facility inspections, reduces the likelihood of legal actions while helping to assess the responsibility for losses.

  21. Put thrust on training and updating of the resumption plan
  • A comprehensive training program for all personnel at all facilities, conducted at specified intervals (at least annually), that may also include the:
  • Identification and operation of utility shut-off devices;
  • Location of emergency staging areas;
  • Basic first aid and survival techniques; and
  • Emergency responsibilities and re-assignment plans for all positions; and
  • Written copies of the final Disaster Recovery & Business Resumption Plan distributed to branch and department leaders, including a complete list of appropriate emergency response agencies and facilities.

  22. Prioritizing resumption requirements
  • Prioritization is the process of understanding what will be needed, when, and how long you have to get things rolling again.
  • The one consistent activity is the establishment of basic telephone communication, and it should always be first on your list.
  • List the major functions or activities of your business or organization (in a large organization, list the "time-critical" functions or activities of each unit, division, department, branch etc.).

  23. Recovery of Documents
  • Have you developed, maintained and implemented an effective storage and recovery plan for the institution's original documents and vital records?
  • Recovering business operations after a disaster often requires the use of original documents and vital records not stored as electronic data. The contingency plan should include plans for the consolidation and storage of appropriate original documents and vital records in a central fireproofed location, including:
  • Contracts;
  • Insurance policies;
  • Corporate papers;
  • An inventory list of stored items, stored in two (2) locations; and
  • Annual review for applicability, currency and legality

  24. Case Study 1 - The Katrina Disaster
  • Hurricane Katrina left behind nearly a million displaced people and destroyed paper medical records, underscoring the critical need for a digital health system. Hurricane Katrina pounded the Gulf Coast as a Category 4 storm at 7 a.m. Monday, August 29, 2005. Raging winds sustained at 140 mph and nearly 13 inches of torrential rain inundated the city for 48 straight hours.
  • While the rest of the city went dark, redundant generator power kept St. Tammany alive with light, ensuring that computer operations, internal communication, and critical equipment including air conditioning and elevators never faltered.

  25. Model instance of coping with a disaster
  Overview: Merrill Lynch's Director of Global Contingency Planning was in the company's world-wide headquarters in the World Financial Center, across the street from the World Trade Center, when the 9/11 attacks occurred. Within three to five minutes Merrill Lynch had its command center up and running. In the hour following the attacks, obtaining accurate information was a challenge. With the condition of the surrounding buildings becoming increasingly uncertain, they relied on media reports to keep them up to date. Within a few hours, they were able to go from an employee evacuation and accounting mode to a standard business recovery mode, prioritizing resumption as dictated by the continuity plan. Merrill Lynch mandated the use of LDRPS for all business units worldwide after Y2K.

  26. Building the Foundation for BCP & DC
  To unravel the complexity associated with Business Continuity, while maintaining an operational business, we advocate a comprehensive structural approach utilizing building blocks, enabling your company to ensure organizational, business process and technological readiness, while limiting the overall business impact to its Information Technology, Business Processes, the Supply Chain and its client base.
  [Diagram: building blocks labelled Business Strategy, Organization, Processes and Technology, with Process Optimization, Resource Management, Landscape Architecture, Local Planning, Activity Prioritization and Deployment Planning; caption "Best Results Come From Alignment & Optimization".]

  27. Agility Recovery
  A cohesive business resumption plan can prepare your business for nearly any contingency. An integral part of any business resumption plan is a fully-functional mobile command center.

  28. Thank You for your time…
