1 / 22

General Membership Meeting April 15, 2004 St. Louis County Emergency Operations Center

Learn why testing recovery plans is crucial for business resilience, the impact of downtime, types of exercises, planning, executing, and follow-up strategies to improve recovery processes.

connellr
Download Presentation

General Membership Meeting April 15, 2004 St. Louis County Emergency Operations Center

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. General Membership Meeting April 15, 2004 St. Louis County Emergency Operations Center

  2. PLANNING AND EXECUTING CONTINGENCY EXERCISES WORKAREA, SYSTEMS, AREA-WIDE, REGIONAL Anna M. Bathon, CBCP Bank of America 1

  3. Agenda • Why test recovery plans? • Recovery Strategy Considerations • Types of Exercises • Establish A Testing Strategy • Exercise Phases • Planning the Exercise • Preparing for the Exercise • Executing/Conducting the Exercise • Follow-up / Issues Resolution • Closure / Next Exercise Date • Questions 2

  4. Why Test Recovery Plans? • The confluence of five major trends are driving acceptance and adoption of more aggressive recovery solutions: • Businesses’ increased reliance on IT and data • Availability of solutions • Economics – impact of downtime and declining cost of solutions • IT data management challenge • Gartner Group comments: “… Enterprises that today tolerate two-day recovery time objectives will see that horizon diminish to one day or less.” • Key disaster-related statistics: • 43% of companies having a disaster never reopen. An additional 29% close within two years. • 68% of businesses that lose their computers for more than 7 days never reopen. • Within 2 weeks of the loss of computer support, 75% of those organizations affected reach critical or total loss of business functions. • Average hourly revenue lost from downtime is $78,000. • Businesses’ availability requirements being measured in hours. 3

  5. Why Test Recovery Plans? • Demonstrates to Management ability of critical business processes to continue functionality within required timeframes following a disruption. • Recognizing a workable plan and making a plan work are two different things. • Regular testing and maintaining the plan accordingly will ensure optimum performance. • Exercising a plan is not a PASS or FAIL situation, but an opportunity to identify plan deficiencies and improve the recovery processes. • Testing is a dynamic process. • Provides an opportunity to stress test plans already reviewed as good; exercise strenuously to identify flaws. • Environments – workarea, systems – change and should be monitored continuously to assess the impact of changes to recovery strategies. • Major revisions to recovery plans require testing and appropriate documentation updated. 4

  6. Recovery Strategy Considerations • Workarea – physical workspace of business units, including critical components, to ensure functionality can be resumed appropriately: • Equipment / hardware • Software • Telecom • Vital records • Compliance • Associate support / Intellectual Capital – What if most or all associates or lost in a disaster situation? • Support partners • Regional impacts • Applications – systems, infrastructure: • File-and-print servers • Application components / locations: • Simple configurations • Complex configurations • Infrastructure dependencies (firewalls, shared components) • External dependencies 5

  7. Recovery Strategy Considerations • Third-Party Service Providers – Dependencies on vendors increasing, thus creating a greater impact when vendors encounter disruptions. • Who are the major strategic suppliers? • What is the product flow throughout your company? • Contingency plan options if vendor suffers a disruption? • Specialized equipment or processes? • Maximum potential for lost income if disruption encountered? • Does an interdependency chart exist? • Regional scenarios: • Natural • Weather (hurricane, earthquake, tornado, ice/snow) • Man-made • Fire • Terrorism • Disgruntled associate reactions • Accidental construction disruptions 6

  8. Recovery Strategy Considerations • Crisis Management: • Call tree notification processes • Associate impacts • Decision-making process to diminish roadblocks in recovery process 7

  9. Types of Exercises • Talk-Through / Table Top • Simulation / Connectivity • Integrated • Live 8

  10. Types of Exercises • Talk-Through / Table Top • Generally considered first test of a plan • Cost-effective method of exercising plans • Minimal disruption to business • Raise level of awareness of the actual state of readiness • Identify major weaknesses or steps requiring further documentation 9

  11. Types of Exercises • Simulation / Connectivity • Validates the facility, supplies, and equipment at the alternate site. • Should include connectivity testing, including voice and/or data connectivity. • Alternate site testing must include network connectivity testing, as appropriate. • Technical support participation dependent on extent of testing as defined by exercise objectives. 10

  12. Types of Exercises • Integrated • Exercises multiple components of a plan, in conjunction with each other, typically under simulated operating conditions. • Workarea involves recovery of multiple critical business functions and related onsite systems that would be lost in the event of a site disaster. • Systems involves testing of recovery of multiple applications running on a single component or within a single site, i.e., data center environment. • Where appropriate, upstream/downstream interfaces should be exercised. 11

  13. Types of Exercises • Live • Senior Management approval should be required for this type of exercise. • Perform production work at alternate recovery site. • High level of risk involved. • Selected associates, clients, vendors, technical support personnel, business continuity support personnel, and other dependent business units should participate. 12

  14. Establish A Testing Strategy • Identify critical components of the recovery plan. • Identify frequency of testing based on risk rating determined through completion of BIA, i.e. quarterly, annually, bi-annually. • Select test type to most adequately validate all critical components. • Several different test types may need to be conducted to address all critical components to remain compliant. • When possible, conduct fully integrated exercises, requiring testing of all critical components. 13

  15. Exercise Phases • Planning • Preparing • Executing / Conducting • Follow-up / Resolution • Closure / Next Exercise Date 14

  16. Planning the Exercise • Identify resources • Select a test coordinator • Select the type of test • Define the test scope • Develop test goals and objectives • Define the disaster scenario • Document test assumptions • Set test date and duration • Define test team and participants • Schedule meetings 15

  17. Preparing for the Exercise • Conduct preparatory meetings with participants • Develop tasks and issues lists • Identify equipment and site requirements • Document high-level test scripts • Develop exercise packet • Obtain approvals 16

  18. Executing / Conducting the Exercise • Facilitate communication among test teams/participants. • Ensure activities occur in order published in exercise packet / scripts. Document deviations. • Ensure appropriate participants in the command center or appropriate alternate sites. • Work with sequence of events to log timeframes, issues, and any pertinent notations regarding activities. • Ensure issues documented and turned into test coordinator. • Compile issues into Issues List Report for tracking/resolution purposes. • Issues resolved during the test should be noted so. • Unresolved issues documented, assigned and tracked to resolution following the exercise. • Conduct periodic executive and test team status meetings and issue status updates throughout the exercise. • Document all costs associated with conducting the exercise. • Update appropriate telephone status resources. 17

  19. Follow-up / Resolution • Schedule and conduct post-test review meeting shortly after concluding exercise. • Assign appropriate associates to work on resolving outstanding issues. • Follow up on resolution status. • Distribute test results and outstanding issues list report to Management, appropriate personnel. • Obtain validation sign-off forms from participant groups. • Retain exercise packets and test results for audit and regulatory reviews. • Follow up with participant groups to ensure recovery plans are updated based on test results / observations. 18

  20. Closure / Next Exercise Date • Draft Final Summary Report and review with team in preparation for submission to Management: • Final Report is a summary of actual date, time, and results of the exercise. • Include recent upgrades or changes to the workarea/units, systems, or equipment. • List exercise objectives • Briefly note outstanding issues with resolution status and target final resolution date. • Finalize Final Summary Report. • Submit Summary Report to Management. • Ensure all issues are resolved prior to next test. • Determine and communicate next exercise date. 19

  21. Future Testing Considerations • End-to-end process testing. • Integration of different types of plans: • Regional with workarea implications • Regional impacting numerous systems, workareas, vendors • Inclusion of new associates in process. • Participation in vendor contingency testing. • New regulatory concerns impacting recovery strategies. • Cyber-threat scenarios. • Others??? 20

  22. ??????? Questions ??????? 21

More Related