1 / 46

VTN Executive Forum Disaster Recovery Business Continuity

crescent
Download Presentation

VTN Executive Forum Disaster Recovery Business Continuity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


    1. VTN Executive Forum Disaster Recovery & Business Continuity Terry Buchanan, VP Services, CONPUTE November 2nd, 2006

    2. Purpose & Expectations How to get started in DR/BCP and keep it simple How to evaluate risk for your company Risk mitigation and planning techniques Best practice processes to start planning Plan structure and application

    3. Definition Business Continuance (or Continuity) Planning (BCP) involves the processes and procedures organizations put in place to ensure that mission critical functions can continue during and after a disaster. BCP focuses on People (Human Safety), Procedures/Process (How to) and Infrastructure (Facilities & IT) continuance.

    4. Getting Started Considering the “What if scenario” Keeping your business running What does that mean for each of you? What does that mean for your staff + co-workers? Do you have a plan to: Stay open? Recover? Rebuild? Do nothing?

    5. Best Practice BCP Process

    6. Best Practice BCP Process Project Definition Risk Assessment Business Impact Analysis RTO, RPO, Time Critical, Mission Critical BC Management Design Emergency Response and Operations Crisis Communications Coordination with External Agencies Detail and Implementation Awareness and Education Exercise and Adapt

    7. Sponsorship Sponsor has to own initiative. Sponsor has to fund initiative. Sponsor is accountable for initiative. Different level of Sponsors. Who are sponsors? President, CEO (Primary) CIO, CAO, CFO (Secondary) Directors and Managers (Tertiary)

    8. Best Practice BCP Process

    9. Project Planning Sponsor Sets Goals and Charter Project/Program Manager Needs Project Management Experience Manages process/administration/negotiation Steering Committee Senior Management C level, VP, etc. Approves and makes decisions Manages budget Project Team Business Unit representatives Managers, Senior staff, Subject Matter Experts Primary knowledge base

    10. Best Practice BCP Process

    11. Risk Assessment

    12. Risk Assessment

    13. Risk Assessment Threats are the cause Nature – Flood (Peterborough), Hurricane (Katrina/Louisiana), Ice Storm (Ottawa) Political – Terrorist Attacks (9-11-01), Unions Engineered – Viruses (Blaster) Infrastructure – Power Outage (Ontario) Pandemics – Virus (SARS) Vulnerability Probability Severity

    14. Risk Assessment Risks relate to impact Function disruption to one or many Elapsed Time Reach Controls Deterrent Mitigates Reduces

    15. Risk Assessment Analysis Develop worst case scenarios Develop realistic scenarios Controllable versus uncontrollable Identify how risks necessary for conducting business operations and communication are impacted Identify how threats and risks impact human safety and revenue generation Preventive controls (security & redundancy) Reactive controls (failing to or restarting operations at a designated location)

    16. Risk Template

    17. Application Impact

    18. Ten Worst Mistakes IT Staff Make Connecting systems to the Internet before hardening them Connecting systems to the Internet with default passwords (wireless issues) Failing to update systems when vulnerabilities are found Using telnet or other unencrypted protocols for network management Giving network access over the phone/without authentication Failing to maintain backups according to legislated archiving Running misconfigured, unvalidated, security tools (hacker software, I/10) Failing to implement or update antivirus software Allowing untrained, uncertified users to take responsibility for securing important systems (accidental use of vendor bias / training) Failing to train users on what constitutes a security problem Source: RCMP Technical Security Branch, 2002

    19. Best Practice BCP Process

    20. Business Impact Analysis Exposure to loss over time Direct versus Indirect Cost to recover Cost to avoid recovery Business Process interdependencies Workflow Legal and Regulatory

    21. Recovery Objectives

    22. Business Impact Analysis Recovery Point Objective (RPO) The point in time your company’s data is replicated or stored off-site Doesn’t mean data is not corrupt or synchronized The frequency of initiating a RPO determines YOUR risk or data loss potential Recovery Time Objective (RTO) How long can you wait for certain functions to be restored? Tie in RTO to manual process

    23. DR SLA 101 for IT

    24. Risk Mitigation No BCP

    25. Risk Mitigation With BCP

    26. Legal Bill C-471, C-387 EI Wait period can be waived in Disaster Region Bill C-6 “PIPEDA” Personal Information Protection and Electronic Documents Act Bill C-145 “Westray” law to hold corporations, their directors and executives criminally accountable for the health and safety of workers

    27. Vital Records Management Legal Audits, Financials, Intellectual Property, Privacy Duplication Electronic, Hard Copy Off-Site Storage Access, security, maintenance

    28. Best Practice BCP Process

    29. ITIL Definition BCP is part of ITIL (IT Infrastructure Library) framework Continuity management involves the following basic steps: Prioritizing the businesses to be recovered by conducting a Business Impact Analysis (BIA). Performing a Risk Assessment (aka Risk Analysis) for each of the IT Services to identify the assets, threats, vulnerabilities and countermeasures for each service. Evaluating the options for recovery. Producing the Contingency Plan. Testing, reviewing, and revising the plan on a regular basis.

    30. BCM Design How will you avoid recovery? How will you recover? How will you manage recovery? Defined by RA and BIA Interdependencies Relates to RTO & RPO

    31. Planning Strategies Perform a Business Impact Analysis (BIA). Determine risk and cost of downtime by critical application or function. Create a Business Continuity Plan (BCP). Create a Disaster Recovery Plan (DRP). Create a Business Recovery Plan. Create a Business Resumption Plan. Create a Contingency Plan. Execute the Plans. Test and adapt the plans regularly.

    32. Technology BC and DR Planning Software assist tools iSCSI – low cost network data transport Vendor Support (Microsoft, Novell, HDS, EMC, SUN, STK, McData, CISCO, etc.) Drivers + Initiators, NICs, TOE FAS – data replication/compression Protocols: FC, FCIP, IFCP, iSCSI, TCP/IP, DWDM Data Networks: FAS, SAN, NAS Data Recovery Tape Backup Archiving Database log synchronization

    33. Data Replication

    34. Emergency Response SC becomes Critical Management Team Escalation & Notification Disaster declaration Emergency Operations Centre (EOC) Life Safety Evacuation Fire, Police, Medical Security Property and news media

    35. Crisis Communication Respond Emergency Response Team Contact lists (up to date) Recover Operations Departmental Recovery Teams Damage Assessment Team Restoration Clean Up Insurance, rebuild, fail back

    36. Communicate with EXT Agencies Plans to deal with local emergency services Plans to deal with media Plans to deal with volunteers Contact Lists Call them before they call you Lists for internal response teams Lists for restoration companies Lists for short/long term staffing

    37. Best Practice BCP Process

    38. Detail & Implement Plan is now a program BCP is part of business culture Implement controls Vital Records replication and storage Information Technology Physical Security Clean Desk Policies Test controls with scenarios

    39. Controls Information Technology Data Availability Clustering & Load Balancing Data Replication – Synch vs. Asynch Data Compression Off Site Storage – Tapes, CD/DVD, WORM Data Recovery – Tape Backup Intrusion Prevention/Detection Anti-Virus, Anti-Spam, Firewalls IP Surveillance

    40. Strategy Focus Embrace BCP as part of your culture Be prepared Educate and promote sponsorship Human Safety Security: Physical, records, IT Network Emergency Response Maintain business infrastructure Mission Critical Operations Support Operations Self Insurance as a strategy Reactive effort is not protection, it’s wasteful and costly Public Perception Privacy & Legislation Compliance Legislation

    41. Plan Structure Cheat sheet with numbers on a business card sized doc. Speed kills Outside help to identify risks and costs saves time One person owns editing on plan documents Get a partner to review it and or test it with you Keep main document short (no more than 4 pages) Write the document yourself (you’ll understand it better) Have backups to subject matter experts write content Appendices for workflow functions owned by departments Assume you will only have 50% of your staff to manage plan Assume whomever uses plan knows something about your business and or applications Assume you are on your own

    42. Best Practice BCP Process

    43. Application of the Plan Exercise the Controls Exercise different scenarios Exercise by cross training Communicate results Update documentation Audit requirements Develop New Hire training Develop general training

    44. Resources http://www.drii.org Disaster Recovery International http://www.dri.ca DRI Canada http://www.drj.com Disaster Recovery Journal http://www.redcorss.ca Red Cross http://www.fema.gov Federal Emergency Management Agency http://www.overt.ca Ontario Volunteer Emergency Response Team http://www.ocipep.gc.ca Public Safety and Emergency Preparedness Canada http://www.drie.org Disaster Recovery Information Exchange http://continuitycentral.com/itdr.htm Continuity Central

    45. Are you prepared?

    46. Questions?

More Related