Business Continuity Planning - PowerPoint PPT Presentation

Slides: 36
Provided by: vincec5

Transcript and Presenter's Notes

1
Business Continuity Planning
Presented By Ken Sherman, President/CEO
Continuity Solutions, Inc.
2
What is a Disaster?
Any Situation That Impedes On Day-to-Day
Operations
  • Natural Disaster
  • Tornadoes, severe winter storms, earthquakes,
    fires, dam failure, (floods and water leaks are
    statistically the number one threat), etc.
  • Man-Made Disasters
  • Disgruntled employees/spouses/significant others
  • Disgruntled Students
  • Hazardous material spills
  • Terrorist (Foreign and Domestic)
  • Construction workers cutting power and communication
    lines
  • Biological, chemical, nuclear devices
  • Civil uprisings
  • Technical Disasters
  • Hackers, cyber-terrorism, power outages, voice
    and data communications line failure, software
    and hardware failures

3
All Kinds of Disasters
4
What is Disaster Recovery?
Business Continuity Program: An ongoing process
supported by senior management and funded to
ensure that the necessary steps are taken to
identify the impact of potential losses, maintain
viable recovery strategies and recovery plans,
and ensure continuity of services through
personnel training, plan testing, and
maintenance.
Business Continuity Planning (BCP): Process of
developing advance arrangements and procedures
that enable an organization to respond to an
event in such a manner that critical business
functions continue with planned levels of
interruption or essential change.
MANY SIMILAR TERMS: Contingency Planning, Business
Resumption.
IT Disaster Recovery Planning (DRP): Process of
developing advance arrangements and procedures
that enable an IT department to respond to an
event in such a manner that critical business
functions continue with planned levels of
interruption or essential change.
5
Why Should You Develop A Business Continuity and
Disaster Recovery Plan?
  • As a Leader in your College
  • PROTECT YOUR REPUTATION

6
Why Should You Develop A Business Continuity and
Disaster Recovery Plan?
  • Protect the Organization's Assets
  • People, Equipment, Information (Data), Financial
  • Minimize damage and loss
  • Minimize confusion, indecision
  • Instills confidence in staff and public
  • Ensure employee and student welfare and safety
  • Disaster Plan may be used for daily activities
  • A Business Recovery Plan saves TIME and MONEY
    responding to disasters
  • Deal with the media in an appropriate fashion
  • Expedite the return to business as usual

7
Plan for Proper Decisions
  • If you don't know where you're going, you're
    liable to end up someplace else -
  • Yogi Berra

8
Business Continuity Planning Methodology
The Path To Successful Planning
Analyze Data
Interviews and Observations Data Collection
Project Planning, Schedule and Kickoff
Recovery Analysis Risk Assessments Business
Impact Analysis Recovery Strategy Options
Present Recovery Solutions Consider Viable
Options
Plan Development
Plan Testing Exercise Rehearsals
Plan Enhancement Plan Maintenance
9
RECOVERY ANALYSIS
  • CONDUCT A BUSINESS IMPACT ANALYSIS
  • A management level analysis that identifies the
    impacts of losing the entity's resources. The
    analysis measures the effect of resource loss and
    escalating losses over time in order to provide
    the entity with reliable data upon which to base
    decisions concerning hazard mitigation, recovery
    strategies, and continuity planning.

10
RECOVERY ANALYSIS
  • UNDERSTANDING Business Impact Analysis (BIA)
  • Describes the business functions at the process
    level
  • Identifies critical equipment (all the equipment
    you need to operate in disaster mode)
  • Frequency of operations/functions
  • Continuously, annually, daily, weekly, etc.
  • Identifies periods of high volume
  • Financial, operational and service impacts
    identified
  • Considers if job descriptions and operational
    procedures exist
  • Sets business process priorities

11
RECOVERY ANALYSIS
  • UNDERSTANDING Business Impact Analysis (BIA cont.)
  • Recovery Time Objective (RTO) - The period of
    time within which systems, applications, or
    functions must be recovered after an outage (e.g.
    one business day). RTOs are often used as the
    basis for the development of recovery strategies,
    and as a determinant as to whether or not to
    implement the recovery strategies during a
    disaster situation.
  • CLASSIFY Priorities
  • Priority One, Two, Three, Four, Five
  • Many organizations use terms like Continuous
    Availability, High Availability, Highly
    Recoverable, Less Critical to classify
    business and computing priorities.
  • Consider classifying new systems and operations
    as they evolve; turn BIA into part of the
    organization's lifecycle.

Recovery Point Objective (RPO) - The maximum
amount of data loss an organization can sustain
during an event.
12
RECOVERY ANALYSIS
  • UNDERSTANDING Business Impact Analysis (BIA cont.)
  • Identifies Functions Interfaces and
    Interdependencies
  • Identifies automated or manual transactions from
    other applications or systems
  • Internal departmental and external companies
    (input-output)
  • Identifies if written manual procedures exist
  • Are they tested? Are associates trained to use
    them?
  • Is extra staff required for later data input or
    job function?
  • Number of Employees in Department
  • Number of shifts, which is most important?
  • Does each shift perform the same function or
    task?
  • Considers the minimum number of people needed to
    accomplish tasks in Disaster Mode?

13
Business Continuity Methods
  • Backup and Restore of Information
  • NO DATA NO RECOVERY

14
Business Continuity Methods
  • Information Media Recovery
  • Microfiche
  • SHOULD be backed up and stored OFF-SITE
  • Paper Records
  • Use fire proof filing or fire resistant filing
    cabinets
  • Use an imaging system
  • Critical stand-alone PCs: are they backed up?
  • Backup nightly - critical files to network
    storage, tape, or CD/DVDs; be careful while
    conducting incremental backups.
  • Servers and Storage Networks - Is the IT
    department doing their job right? Are nightly
    backups tested? Offsite storage, NAS (network
    attached storage), SAN (storage area networks)
  • Off-Site storage facility should be used for
    paper documents, CDs, Tapes, etc. (test your
    storage provider: ask for a backup tape
    periodically)
  • Fire proof vault for cash, checks, blank checks,
    contracts, insurance policies, etc.

15
RECOVERY ANALYSIS
  • QUESTION
  • What is the best way to recover from a Disaster?

16
RECOVERY ANALYSIS
  • ANSWER
  • Never have one in the first place!
  • CONDUCT A RISK ASSESSMENT

17
RECOVERY ANALYSIS
  • How to Prevent Disasters
  • Identify Hazards That May Cause A Disaster
  • Mitigate The Identified Hazards

18
RECOVERY ANALYSIS
  • CONDUCT A RISK ASSESSMENT
  • Identifies vulnerabilities and ranks
    hazards/threats
  • Examines all possible risk sources: physical
    security, systems security, facility, location,
    surrounding area
  • The report will prioritize findings and
    recommendations for mitigation consideration
  • GFI's LanGuard and Microsoft's Security
    Assessment Tools are recommended starting points
    for computer security risk assessments
  • COLLEGE RISKS WORKSHOP
  • When students submit an application, where does
    their personal data flow and is it protected?
  • When people are hired, how is their personal data
    transmitted from human resources to payroll and
    other departments, and what is being done to
    protect their information?

19
RECOVERY ANALYSIS
  • CONDUCT A RISK ASSESSMENT
  • Some Items To Assess
  • Uninterrupted Power Supplies and Power Generators
  • In a secured location,
  • Is it tested regularly
  • Fuel contract (refill after testing) and a major
    supplier of fuel and an alternate    
  • Fire Suppression System
  • Wet or dry pipes
  • Fire extinguishers and usage training

20
RECOVERY ANALYSIS
  • CONDUCT A RISK ASSESSMENT
  • Items To Assess
  • Physical facility security
  • Electrical power grid feeds
  • Telecommunication central offices used
  • Multiple voice and data communication providers
    routing through same central office
  • Evaluation of data center and network security
    vulnerabilities
  • Virus protection, trojans, worms, adware/spyware
    detection, unnecessary open ports and services
    being used on servers and workstations and
    network equipment, identify opportunities hackers
    would use to attack your network
  • Physical facility security, backup validation and
    off-site storage rotation schedules
  • Evaluate the security of vital records and one of
    a kind documents
  • Insurance (do you have enough and the right
    coverage)

21
RECOVERY ANALYSIS
  • DETERMINE RECOVERY STRATEGIES
  • Alternate site arrangements
  • Communications and network equipment
  • Unique and/or irreplaceable equipment
  • Resources: staff, operations support, office
    supplies, life support (food, water, shelter)
  • Emergency relocation costs
  • Unique and/or irreplaceable equipment
  • Environmental and off-site requirements
  • Identification and suspension of non-critical
    functions or tasks
  • Implementing manual processing functions and
    tasks (is this realistic in the aftermath?)
  • Recovery facilities should be at least 30-60
    miles away from the primary site
  • Consider different power grids and telecom points
    of presence

22
RECOVERY ANALYSIS
  • DETERMINE RECOVERY STRATEGIES
  • Use internal methods when possible - use your own
    facilities first
  • Alternate site arrangements
  • Hot Site: Vendor Hot Site, Shared Hot Site,
    Company Owned Hot Site, Mobile Facilities
  • Service Bureau, Office or Warehouse Space,
    Reciprocal Agreement, Equipment Leasing, Drying
    Companies and Emergency Cleaning Companies
  • Cold Site, Warm Site, Work Area Recovery (Call
    Centers, Mail Room, Specialized Equipment)
  • Networking and Telephone Considerations
  • Continuous and High-Availability
  • Mirroring, Replication, Clustering
  • E-Vaulting, Disk to Disk (SAN, IP SAN, NAS, ATA)
  • Collocation Facilities
  • Grid Technology - supports distributed processing
    connecting multiple organizational sites,
    devices and platforms transparently. Grid is
    designed to assist in recovery from system
    failures

23
Business Continuity Planning
  • Plans Must be DOCUMENTED
  • Invisible Plans don't work

24
Business Continuity Methods
  • Developing the Business Continuity Plan
  • Bring the research, analysis, strategies,
    procedures and recovery team assignments together
  • Tasks managed and controlled at the Command
    Center location
  • Contains recovery team(s) information
  • Detail the entire emergency response/crisis
    management process
  • Contains contact information and notification
    procedures
  • Detail tasks and responsibilities
  • Further identification of critical operations,
    functions and/or computer applications and how
    they will be recovered
  • Specify business process recovery and restore
    requirements
  • Specify software recovery and hardware
    configuration requirements
  • Specify off-site storage location for your data
    and vital documents

25
Business Continuity Methods
  • Developing the BCP (cont.)
  • Detail recovery task sequence and functional
    interdependencies
  • Identify everything that might be needed to
    perform part of the process: teams of people,
    equipment, transportation, support items, support
    providers, etc.
  • Contain all procedures that might be used in the
    recovery process
  • Contain a list of all vendors, service providers
    you will need to support your recovery strategies
  • Contains a list of critical customers to contact
  • Contain standard forms (POs, Blank Checks, Travel
    Advances etc.), supplies and documents
  • Moving from Disaster Mode to Normal

26
Business Continuity Methods
  • Developing the BCP (cont.)
  • Scenario Based Planning
  • Plan for worst case disasters first (smoking
    hole)
  • Scenario Based Plans
  • Manage day-to-day risks that may become disasters
  • DETAILED recovery procedures developed to
    mitigate lacking recovery strategy
  • Business Function examples
  • Work at home/telecommute, trailers, office space,
    operating procedures, machinery and equipment.
  • Information systems
  • Wiring and networking closets, hubs, routers,
    software failures, switches, firewalls, disk
    drives, power outages, turnkey systems, data
    communications and network security breaches

27
Business Continuity Testing
  • Plan Exercising: The Plan is Alive
  • Before any recovery plan can be considered
    complete, it must be validated. Plan testing is
    a practice recovery; it allows you to validate
    the strategies, procedures and recovery team
    structures documented in your recovery plan.
    Plan testing normally consists of a mock disaster
    scenario or moving your critical applications to
    an alternate facility. We recommend that your
    recovery teams participate fully in the plan
    rehearsal, to validate team structures and
    responsibilities.

28
Business Continuity Planning Lifecycle and Plan
Maintenance
Component Testing
Plan Review
Integrated Standards Planning and Testing
Update Plan
Awareness Training
Exercise Plan
Perform Maintenance Schedule
29
HOW DO I GET FUNDING?
  • Budget for it
  • Ask Emergency Manager
  • Federal Grants, State Grants
  • Homeland Security Money
  • U.S. DEPARTMENT OF HOMELAND SECURITY ANNOUNCES
    EIGHT PERCENT INCREASE IN FISCAL YEAR 2008 BUDGET
    REQUEST
  • State Colleges should apply for grants to
    accomplish Business Continuity Planning for
    Equipment and Plans.
  • Many grants give Colleges money to educate on
    topics concerning Homeland Security; however, they
    do not allocate money for actual Business
    Continuity Planning.

30
Business Continuity Planning Federal
Guidelines
  • Continuity of Operations (COOP)
  • COOP provides guidance on the system restoration
    for emergencies, disasters, mobilization, and for
    maintaining a state of readiness to provide the
    necessary level of information processing support
    commensurate with the mission
    requirements/priorities identified by the
    respective functional
    proponent. This term is traditionally used by the
    Government and its supporting agencies to
    describe activities otherwise known as Disaster
    Recovery, Business Continuity, Business
    Resumption, or Contingency Planning.
  • Continuity of Government (COG)
  • COG ensures the command and control of response
    and recovery operations as well as continuance of
    basic governmental functions. Key governance
    functions include legislative activities and the
    capability for elected officials to convene and
    operate in a safe location in accordance with
    local requirements.

31
Business Continuity Planning Federal Guidelines
  • NFPA 1600
  • Standard on Disaster/Emergency Management and
    Business Continuity Programs
  • 2007 Current Edition
  • Published by FEMA, NEMA, IAEM
  • Establishes a common set of criteria for disaster
    management, emergency management, and business
    continuity programs.

32
Business Continuity Planning Guidelines
  • National Incident Management System (NIMS)
  • System recommended by Local, State, Federal
    Government Officials for managing many types of
    disasters.
  • Incorporate NIMS into the Command Center Guide
    portion of Business Continuity Plan so the
    College Disaster Manager can speak the language
    of Emergency officials like Fire Department,
    Emergency Medical Technicians, Police and Bomb
    Squad.

33
Business Continuity Planning Guidelines
  • WHEN PRIVATE PLANS GO PUBLIC
  • Many Colleges, Universities and Government agencies
    have parts of their disaster plans available for
    ANYONE to see via the internet.
  • Templates and ideas are available
  • Security Breach (keep plans, status of plans and
    ideas for plans off the internet)

34
Business Continuity FAMILY FIRST
  • PEOPLE RECOVER
  • FROM DISASTERS
  • NOT COMPUTERS!

35
Discussion Thank You
Thank YOU for attending this presentation
Continuity Solutions, Inc. 6649 North
High Street Worthington Ohio 43085
(614)-885-5001 www.csigroup.cc