280 likes | 352 Views
Disaster Recovery versus Continuity of Operations. “Disaster recovery” is the process by which you resume business in the short term after a disruptive event.
E N D
Disaster Recovery versus Continuity of Operations • “Disaster recovery” is the process by which you resume business in the short term after a disruptive event. • "Business continuity planning" is a more comprehensive approach to making sure the organization continues to keep operating and making money. • Disaster recovery could be considered a sub-part of continuity of operations. • Both apply across a range from an earthquake to a computer virus attack.
Business continuity actions • Mitigation: Something done to reduce the likelihood of occurrence and the severity of the loss • Avoidance: Actions taken to eliminate the event from occurring • Transference: Shift the risk to a third party
Federal Government Continuity of Operations Plan (COOP) • FPC-65 describes the planning considerations and requirements for COOP plans. • FPC-65 requires that all Federal Executive Branch agencies must: • Be capable of implementing their COOP plans with and without warning. • Be operational not later than 12 hours after activation. • Be capable of maintaining sustained operations for up to 30 days. • Include regularly scheduled testing, training, and exercising of personnel, equipment, systems, processes, and procedures used to support the agency during a COOP event. • Provide for a regular risk analysis of current alternate operating facilities. • Locate alternate facilities in areas where the ability to initiate, maintain, and terminate COOP is optimal. • Take advantage of existing agency field infrastructures and give consideration to other options, such as telecommuting, work-at-home, and shared facilities.
Business Continuity Plans • Plans that enable your company to operate at possibly reduced levels during and immediately following a disaster.
Steps in Planning • To build a disaster recovery plan, the following steps should be taken: • Identify critical assets • Identify risks to the assets • Determine the likelihood of the threat and reduce it • Steps to minimize damage • Response actions
Contingency Plan Coordination • Designated person to coordinate the contingency plan • Adequate knowledge and knowledge to implement the plan • Select a team to develop and implement the plan • Finance • Legal • Safety • Production • Administration
Business Impact Analysis • A business impact analysis (BIA) is the first step in developing a BCP. It should include: • Identification of the potential impact of uncontrolled, non-specific events on the institution's business processes and its customers; • Consideration of all departments and business functions, not just data processing; and • Estimation of maximum allowable downtime and acceptable levels of data, operations, and financial losses.
Business Impact Analysis • As part of a disaster recovery plan, BIA is likely to identify costs linked to failures, such as loss of cash flow, replacement of equipment, salaries paid to catch up with a backlog of work, loss of profits, and so on. • A BIA report quantifies the importance of business components and suggests appropriate fund allocation for measures to protect them. • The possibilities of failures are likely to be assessed in terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance.
Risk Assessment • Combined likelihood and severity of the event • Tangible losses • Costs that can be readily quantified • Lost productivity • Lost income • Extra expenses • Property damage • Intangible losses • Costs related to the event but hard to quantify • Lost business opportunities • Damaged reputation
Examples of Risk Assessments • Tornadoes • Earthquakes • Thunderstorms • Snows • Extreme thunderstorms • Hurricanes • Floods
Potential Manmade Risks • Maps of hazardous materials routes • Locations of hazardous facilities • Pipelines • Railroads • Dams • Rivers
Facility Risks • Electricity • Telephones • Water • Climate control • Data networks • Structural
Security Risks • Workplace violence • Bomb threats • Physical security of property • Sabotage • Intellectual property thefts
Medical Threats • Illness • Deaths • Serious accidents
Factors that can Affect Risks • Time of day • Day of the week • Location
COOP Elements • Elements that make a COOP plan viable, include: • Essential functions. • Delegations of authority. • Succession planning. • Alternate facilities. • Interoperable communications. • Vital records and databases. • Human capital. • Testing, training, and exercise program. • Plans for devolution and reconstitution.
COOP Plans • COOP planning objectives include: • Ensuring continued performance of essential functions. • Reducing loss of life and minimizing damage. • Ensuring succession to office of key leaders. • Reducing or mitigating disruptions to operations. • Protecting essential assets. • Achieving a timely recovery and reconstitution. • Maintaining a test, training, and exercise program for program validation.
FEMA’s COOP Elements • Elements that make a COOP plan viable, include: • Essential functions • Delegations of authority • Succession planning • Alternate facilities, communication systems • Vital records and databases • A test, training, and exercise program • Plans for devolution and reconstitution
Essential Functions • Essential functions are those functions that allow the organization to provide vital services • Essential functions are those functions which must continue to be provided without interruption
Delegations of Authority • Delegations should be predetermined and documented in writing. They should state explicitly: • What authorities are delegated. • To whom. • Exceptions to the successor’s authority to redelegate. • Limitations on the delegated authority.
Succession Planning • Order of Succession provides an orderly transition of power in the event of an emergency • Orders of succession should be established management, supervisors, etc. who are responsible for performing essential functions
Alternate Facilities, Communications • In the event of a disaster, arrangements for alternate facilities should be identified beforehand • Arrangements should be made ahead of time to ensure communication systems can be brought back up and operational with limited interruptions
Vital Records • In the event of a disaster, loss of data and loss of records may occur • Provisions and procedures should be made in advance to ensure back up copies are made and available • Examples of these records include legal records, financial records, etc.
Tests • From a COOP perspective, tests are an excellent way to evaluate functions such as: • Communications connectivities. • Alert and notification procedures. • Deployment procedures.
Training • Training is instruction in core competencies and skills and is the principal means by which individuals achieve a level of proficiency • Provides the tools needed to accomplish a goal, meet program requirements, or acquire a specified capability. • Training encompasses a range of activities, each intended to provide information and refine skills.
Exercises • Exercises are events that allow participants to apply their skills and knowledge to improve operational readiness. • Exercises also allow planners to evaluate the effectiveness of previously conducted tests andtraining activities.
Devolution • Devolution is the capability to transfer statutory authority and responsibility for essential functions from an agency’s primary operating staff and facilities to other employees and facilities.
Reconstitution • Reconstitution is the process by which agency personnel resume normal agency operations from the original or a replacement primary operating facility.