Recovering IT in a Disaster & Classic Mistakes
CS 577b Software Engineering II
Supannika Koolmanojwong
http://en.wikipedia.org/wiki/Hurricane_Katrina http://napoleonlive.info/see-the-evidence/never-forget-9-11-essay/ http://news.nationalgeographic.com
Avian influenza Cyber attack http://www.itrportal.com/absolutenm/templates/article-channelnews.aspx?articleid=7115&zoneid=45 http://bepast.org/dataman.pl?c=lib&frame_nav=1&dir=docs/photos/avian%20flu/
California Natural Disasters http://www.americanforests.org/magazine/article/regrowing-a-forest/ http://www.exponent.com/earthquake_engineering/
Recovering IT in a Disaster: Lessons from Hurricane Katrina
Iris Junglas, Blake Ives, MIS Quarterly Executive Vol. 6 No. 1 / Mar 2007
• August 29, 2005 - Hurricane Katrina destroyed a data center and communications infrastructure at the Pascagoula and Gulfport, Mississippi, operations of the Ship Systems sector of Northrop Grumman Corporation
• It also put a second data center out of commission in a shipyard near New Orleans
http://www.scholastic.com/browse/article.jsp?id=3754772
NGC’s Shipyard
• 20,000 employees in Ship Construction
• Caused over US$1 billion in damage for the company
• Brought two of the nation’s largest shipyards to a standstill
Recovering IT in a Disaster
• How to adapt when the business continuity plan; inadequate public infrastructure
• Reexamine our processes for preparing disaster plans
• Processes for assessing preparedness and response after a disaster or a near-disaster.
Northrop Grumman Corporation
• Products: electronics, aerospace, and shipbuilding
• Customers: government and commercial customers worldwide
• Major business:
  • Ship construction - large military vessels
  • Revenue: US$5.7 billion in 2005
  • Customers: DoD and Navy
  • 12,900 employees in Mississippi
  • 7,100 employees in New Orleans
Preparation for Hurricane
• Hurricanes are nothing new to the ship industry
  • September 04 – Hurricane Ivan
  • July 05 – Hurricane Dennis
• A bigger one is heading in
  • August 05
  • 11 people dead, over US$1 billion in damage in Florida
http://www.fema.gov/hazard/flood/recoverydata/katrina/katrina_about.shtm
Preparation for Hurricane
• Data
  • Data backups were sent to Iron Mountain (information management services)
  • Double backup in Dallas
• Servers
  • Powered off
  • Wrapped in plastic
  • New backup generator – in a secure location
  • Only one extranet kept alive (crucial to the Navy and DoD)
• Human
  • Left the area
The storm smashed
• NGC facilities were in the storm’s path
• Communication failed
• Extensive damage to the shipyard and nearby communities
• Emergency command center – at the Dallas office – a newly assembled emergency team was formed
• Began to pull together the first stages of NGC's disaster recovery response
Damages
• Collected digital images of the damage
• At Mississippi, lost
  • 1,500 PCs, 200 servers, 300 printers, 600 data input devices, and hundreds of two-way radios
  • Communications closets, routers, switches, fiber and copper cables and wires
  • LAN / WAN / MAN – no longer worked
• At New Orleans
  • Infrastructure was still there
  • AC systems were not working, so servers shut down automatically
• A week after the storm, communication lines went down again because cars were driving over them
First things first
• Not about restoring computer systems, but restoring human resources
• But most of the 20,000 employees were out of contact
• Tools
  • Press releases
  • Corporate web site (67,000 hits in the weeks after the storm)
  • Toll-free call-in number
  • Payroll through Wal-Mart and Western Union
Restoring IT infrastructure
• Electronic communication – nonexistent due to the state of the public communication infrastructure
• Communication through BlackBerry could be used intermittently
• Two-way radios, walkie-talkies
• Key members used satellite phones
  • Required line-of-sight access to satellites
• Later on, used wireless communication
Building new data center
• Hardware acquisition
  • 1,500 desktops, 200 servers, etc.
  • Contact supplier, reorder the latest orders
• Incompatibilities between software and the new hardware environment
• Inaccessible or difficult-to-find system documentation, e.g. license keys, server names, addressing schemes, login IDs
Restoring data and applications
• Some firms found that their backup data was partially unreadable
• For NGC, 2 backups: Iron Mountain and Dallas
• Lost some data on desktops or local machines
• Two weeks after Katrina – had a new data center; essential systems were up and running
Disaster preparedness
• Common mistake: organizations prepare only for disasters specific to their domain
  • financial institutions prepare for IT failures
  • hospitals for pandemics
  • airliners for technical failures and sabotage
• An alternative approach: consider a broader spectrum of disaster types, such as the generic disaster
  • economic, information, physical, human resource, reputation, psychopathic, and natural disasters
• Identify common characteristics of each disaster category, then construct the plan
IT disaster preparedness framework
• provide generic objectives and measurements, guidelines for establishing IT disaster preparedness
• emphasize developing an IT continuity plan, identifying and allocating critical resources, executing a business impact analysis, and maintaining, testing and training of the plan
• COBIT (Control Objectives for Information and Related Technology)
  • For operational IT and business managers
  • Focus on three core elements of IT governance: IT as an asset, IT-related risks, and IT control structures
• ITIL (IT Infrastructure Library)
  • focus is to improve the efficiency and effectiveness of IT services delivered to customers within the enterprise
  • de facto standard for IT service management
Lessons Learned
• Keep Data and Data Centers Out of Harm’s Way
• Don’t Assume the Public Infrastructure Will Be Available
• Plan for Civil Unrest
• Assume Some People Will Not Be Available
• Leverage Your Suppliers as Critical Team Members
Lessons Learned
• Expect the Unexpected
• Get Prepared – Crisis portfolio
• Establish a Strong Leadership Position
• Empower Decision Makers on the Team
• Exploit Fresh-Start Opportunities
IT disaster recovery (DR) plan
National Institute for Standards and Technology (NIST)
• Goal
  • minimize any negative impacts to company operations
• By
  • identifying critical IT systems and networks;
  • prioritizing their recovery time objective;
  • delineating the steps needed to restart, reconfigure, and recover them.
http://searchdisasterrecovery.techtarget.com/feature/IT-disaster-recovery-DR-plan-template-A-free-download-and-guide
Structure for an IT disaster recovery plan (1)
• Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
• Conduct the business impact analysis (BIA). The business impact analysis helps to identify and prioritize critical IT systems and components.
• Identify preventive controls. These are measures that reduce the effects of system disruptions and can increase system availability and reduce contingency life cycle costs.
• Develop recovery strategies. Thorough recovery strategies ensure that the system can be recovered quickly and effectively following a disruption.
National Institute for Standards and Technology (NIST)
Structure for an IT disaster recovery plan (2)
• Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
• Plan testing, training and exercising. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
• Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.
National Institute for Standards and Technology (NIST)
Important IT disaster recovery planning considerations
• Senior management support.
• Take the IT DR planning process seriously. You need the right information, and that information should be current and accurate.
• Availability of standards. Standards relevant to IT DR plans include NIST SP 800-34, ISO/IEC 24762, and BS 25777.
• Keep it simple.
• Review results with business units.
• Be flexible.
Reviewing the IT disaster recovery plan template (1)
• Information Technology Statement of Intent -- This sets the stage and direction for the plan.
• Policy Statement -- Very important to include an approved statement of policy regarding the provision of disaster recovery services.
• Objectives -- Main goals of the plan.
• Key Personnel Contact Information -- Very important to have key contact data near the front of the plan. It's the information most likely to be used right away, and should be easy to locate.
Reviewing the IT disaster recovery plan template (2)
• Plan Overview -- such as updating.
• Emergency Response -- Describes what needs to be done immediately following the onset of an incident.
• Disaster Recovery Team -- Members and contact information of the DR team.
• Emergency Alert, Escalation and DRP Activation -- Steps to take through the early phase of the incident, leading to activation of the DR plan.
• Media, Insurance, Financial and Legal Issues
Classic Mistakes
IT Project Management: Infamous Failures, Classic Mistakes, and Best Practices
MIS Quarterly 2007, R. Ryan Nelson
Classic Mistakes
• People
• Process
• Product
• Technology
Classic Mistakes: People
• Undermined motivation
• Individual capabilities of the team members
• Failure to take action to deal with a problem employee
• Adding people to a late project
Classic Mistakes: Process
• Waste time on fuzzy front end, approval and budgeting, aggressive schedule later
  • human tendency to underestimate and produce overly optimistic schedules
• Insufficient risk management
  • lack of sponsorship, changes in stakeholder commitment, scope creep, and contractor failure
• Risks from outsourcing and offshoring
  • QA, interfaces, unstable requirements
Classic Mistakes: Product
• Requirements gold-plating
  • unnecessary product size and/or characteristics
• Developer gold-plating
  • Developers try out new technology / features
• Feature creep
  • +/- 25% change in requirements over lifetime
Classic Mistakes: Technology
• Silver-bullet syndrome
  • Expect new technology to solve all problems
  • 4GL, CASE tools, OOD
• Overestimated savings from new tools or methods
  • Did not account for learning curve and unknown unknowns
• Switching tools in the middle of a project
  • Version upgrade
Findings from Empirical Study – 99 projects
• Finding 1
  • People (43%), Process (45%), Product (8%), Technology (4%)
• Scope creep
  • Not a top 10, although ¼ of the projects faced scope creep and managers should watch out for it
• Top 3 mistakes found in ½ of the projects
  • Should have focused more on estimation, scheduling, stakeholder management, risk management
References
• IT Project Management: Infamous Failures, Classic Mistakes, and Best Practices
• Recovering IT in a Disaster: Lessons from Hurricane Katrina