Business Resumption Planning with Case Studies by PRITI SIKDAR (F.C.A., D.I.S.A., C.I.S.A., C.I.S.M.,I.S.O. 27001 L.A.) Manager-Business Risk Services 29 th November, 2007.
Transcript
Page 1: Business Resumption is…

Business Resumption Planning with Case Studies

by

PRITI SIKDAR (F.C.A., D.I.S.A., C.I.S.A., C.I.S.M., I.S.O. 27001 L.A.)

Manager-Business Risk Services

29th November, 2007.

Page 2: Business Resumption is…

Business Resumption is…

• When we think of Disaster Recovery we often think of occurrences such as a server crashing, a router going down, or a virus or worm damaging our data. More often than not we are ready for these situations with backups, a replacement drive, or the ability to divert traffic to another machine.

• But implicit in the Disaster Recovery Plan is a critical, although often discounted, component: business resumption! It is the process of recovering all systems and related processes after a disaster in order to return to Business-as-Usual.

• It involves re-opening each of the institution's components -- and testing and revising the process based upon the results.

Page 3: Business Resumption is…

Prepare the Business Resumption Plan according to the type and impact of the disaster:

- Floods
- Fire
- Earthquakes
- Storms
- Lightning
- Tornadoes
- High Winds
- Power Failures
- Hardware Failures

Page 4: Business Resumption is…

How Do Businesses Survive Disaster?

Businesses that survive disaster are those with a cohesive business resumption plan. What are we planning for?

1) Crisis – Localized to a system or resource
– "Half of U.S. corporations rate their internet downtime costs at more than $1,000 per hour." Communication failure and link failure lead to loss of data.
– Minor interruption to business due to virus infestation, computer crime and the like.

2) Disaster – Contained within an area
– Due to economic sanctions, human error
– Damage of property due to terrorism and sabotage

3) Catastrophe – Regional or larger
– Infrastructure disrupted or lost

Page 5: Business Resumption is…

Characteristics of a good BRP

A good Business Resumption Plan:

• Identifies the pre-set arrangements you need to have on "stand-by" in order to get vital functions operating again with as little delay as possible
• Ensures the availability of necessary resources including personnel, information, equipment, financial arrangements, services and accommodations
• Helps an operation to survive an unplanned interruption by making sure essential clients' needs can be met until normal operations are resumed.

Page 6: Business Resumption is…

Two major factors to consider while implementing a BRP

• Business Factors:

1. Insurance of
- Equipment and Facility insurance
- Business interruption insurance
- Extra Expense
- Professional Liability
- Extra Equipment Coverage
- Data Reconstruction
- Specialized Equipment Coverage
- Valuable Papers and Records

2. Business Risk (dependency on Information Technology)

• Driving Factor: Legal/Regulatory Compliance (SOX 404, MI 52-109)

Page 7: Business Resumption is…

Components of Business Resumption Plan

Process

People

Technology

Page 8: Business Resumption is…

Baseline Requirements

Before you can begin to design a Business Resumption Plan there are some primary Disaster Recovery activities that must be implemented. Without these procedures in place, no plan will ever be successful.

• Management buy-in for disaster recovery and resumption must exist right from the beginning.
• Your mission-critical data must be backed up, on a defined schedule, and fully documented. This includes which server is backed up onto which tape, where key data is located, the type of backup device, and even the backup type (differential, incremental etc.).
• At least one set of backups must be in secured offsite storage. This set should be rotated back onsite, with a more recent backup sent offsite.
• Rotation should occur at a minimum of once per week. You should also maintain a full month-end backup and a set of current emergency repair disks offsite.

Page 9: Business Resumption is…

Steps involved in building an effective Business Resumption Plan

1) Establish a Business Resumption Planning Committee

• Project Leader
• Project Plan/Control
• Committee Selection
• Assign Responsibilities
• Regular Committee Meetings
• Periodic Management Briefings

Page 10: Business Resumption is…

Steps involved in building an effective Business Resumption Plan

2) Perform a Business Resumption Capability Assessment
• Assess how quickly and fully you need to resume if a disruption were to occur today. What are your critical business needs?
• Security Check List
• Recovery Analysis
• Task Assignments

3) Perform a Risk Analysis
• Risk Assessment
• Risk Management
• Evaluate Threats
• Establish Controls
• Review Security Measures

Page 11: Business Resumption is…

Study the business impact factors

[Chart: impact-versus-probability matrix. Axes: Probability (1 to 10) and Factor Scale (10 to 100). Quadrants: High Impact / High Probability, High Impact / Low Probability, Low Impact / High Probability, Low Impact / Low Probability. Plotted events: Hurricane, Tornado, Workplace Violence, Snow Storm, Terrorist Attack, Earthquake, Virus Attack, Computer Failure, Staffing Issues.]

Page 12: Business Resumption is…

Steps involved in building an effective Business Resumption Plan

4) Analyze and Define Requirements for Recovery
• Hardware
• Software - system and application software
• Communications
• Back-up Data
• Physical Facility
• Vendor Support
• Inter-Campus Support
• Office Equipment
• Personnel
• Security
• Forms/Paper Supplies
• Logistics
• Storage
• Funding/Purchase Orders

Page 13: Business Resumption is…

Steps involved in building an effective Business Resumption Plan

5) Design and Document the BRP for Recovery Operations
• Damage Assessment Team
• User Liaison Team (if needed)
• Communications Team
• Operations Team
• Security/Back-up Team
• System Software Team
• Procurement Team
• Facilities Team
• Identify Processes Required
• Develop Procedures (by team)
• Risk Manager, or initiate an Audit Review and Approval team.

Page 14: Business Resumption is…

Steps involved in building an effective Business Resumption Plan

6) Training for business resumption
• Select Training Topics - emergency procedures, use of fire extinguishers, backup retrieval, etc.
• Select Instructors
• Develop Training Material
• Risk Management
• Procedures
• Select Personnel for Training
• Train Personnel

Page 15: Business Resumption is…

Steps involved in building an effective Business Resumption Plan

7) Test the BRP
• Frequency - at least annually
• Develop a Test Plan/Script
• Test Scenario
• Evaluation and Reporting
• Follow-up

8) Maintain and Update the BRP
• Follow-up BRP Test
• Report Test Results to Risk Manager
• Institute Controls/Changes - environmental, procedural, personnel, training, etc.

Page 16: Business Resumption is…

Goals Of The Disaster Recovery & Business Resumption Plan

• Eliminate or reduce the potential for injuries or the loss of human life, damage to facilities, and loss of assets and records: This requires a comprehensive assessment of each department within the institution, to ensure that appropriate steps have been taken to:

- Minimize disruptions of services to the institution and its customers;
- Minimize financial loss;
- Provide for a timely resumption of operations in case of a disaster; and
- Reduce or limit exposure to potential liability claims filed against the institution, and its directors, officers and other personnel.

• Immediately invoke the emergency provisions of the Disaster Recovery & Business Resumption Plan: to stabilize the effects of the disaster, allowing for appropriate assessment and the beginning of recovery efforts. We then minimize the effects of the disaster and provide for the fastest possible recovery.

• Implement the procedures contained in the Disaster Recovery & Business Resumption Plan: take care to gauge the disaster and measure its likely impact.

Page 17: Business Resumption is…

Recovery Time Objectives (RTO) & Recovery Point Objectives (RPO)

RTO (recovery-time objective) indicates the allowable downtime, i.e. the latest point in time by which business operations must resume after the disaster.

RPO (recovery-point objective) signifies the amount of data, measured as the period of time before the disaster, that is acceptable to have been lost and subsequently recovered once the service is restored.

Page 18: Business Resumption is…

Determining Recovery Objectives

[Diagram: two scales, "Freshness" (Recovery Point Objective) and "Downtime" (Recovery Time Objective), each running Zero, secs, mins, hrs, days, wks, mths. Two extremes are labelled: "I'm up and running in seconds, but I've lost a day's data" and "I lost no data but it took me a week to get back up and running". Caption: What are my disaster recovery needs?]

Page 19: Business Resumption is…

Develop Recovery Time Objective

Once you have completed the identification and prioritization of the business functions it is time to outline your planning objective, or basically what gets fixed, how quickly and to what level of service. It may help to structure this in the form of a table such as that shown below.

Essential Function     Resumption Objective (priority)    Resumption Alternative
Telephone Service      0 - Immediately                    Cellular Telephones
Email Connectivity     0 - Immediately                    Free service – temporary solution
Firewall Protection    1 - First Day                      Co-Location
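As an added worked example (not from the presentation), the following Python script takes the RTO and RPO definitions above, computes the downtime and data loss actually achieved for each essential function in a constructed outage timeline, and checks them against the objectives in the table. The translation of "Immediately" to one hour and "First Day" to 24 hours, and the timeline itself, are assumptions of the example.

```python
from datetime import datetime, timedelta

# Objectives from the slide's table. The hour values are this example's
# assumption: priority 0 "Immediately" = 1 h, priority 1 "First Day" = 24 h.
OBJECTIVES = {
    "Telephone Service":   {"rto_hours": 1.0,  "rpo_hours": 1.0},
    "Email Connectivity":  {"rto_hours": 1.0,  "rpo_hours": 24.0},
    "Firewall Protection": {"rto_hours": 24.0, "rpo_hours": 24.0},
}

def achieved_rpo_hours(disaster, backups):
    # Data lost: newest backup completed before the disaster up to the disaster; None = no usable copy.
    usable = [b for b in backups if b <= disaster]
    return (disaster - max(usable)) / timedelta(hours=1) if usable else None

def achieved_rto_hours(disaster, restored):
    # Downtime actually suffered: from the disaster to service restoration.
    return (restored - disaster) / timedelta(hours=1)

def evaluate(disaster, backups, restored, objectives=OBJECTIVES):
    # Compare the achieved RPO/RTO of each essential function with its objective.
    report = {}
    for name, obj in objectives.items():
        rpo = achieved_rpo_hours(disaster, backups.get(name, []))
        rto = achieved_rto_hours(disaster, restored[name])
        report[name] = {"rpo_hours": rpo, "rto_hours": rto,
                        "rpo_met": rpo is not None and rpo <= obj["rpo_hours"],
                        "rto_met": rto <= obj["rto_hours"]}
    return report

# Constructed timeline (not from the slides): a 07:00 outage, nightly email
# backups, and a firewall rebuild that slips past the first day.
DISASTER = datetime(2007, 11, 29, 7, 0)
BACKUPS = {
    "Telephone Service":   [datetime(2007, 11, 29, 6, 30)],
    "Email Connectivity":  [datetime(2007, 11, 27, 6, 0), datetime(2007, 11, 28, 6, 0)],
    "Firewall Protection": [datetime(2007, 11, 28, 20, 0)],
}
RESTORED = {
    "Telephone Service":   datetime(2007, 11, 29, 7, 30),
    "Email Connectivity":  datetime(2007, 11, 29, 7, 5),
    "Firewall Protection": datetime(2007, 11, 30, 9, 0),
}

def run_scenario():
    return evaluate(DISASTER, BACKUPS, RESTORED)

if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

In this timeline email is back within minutes but misses its RPO by an hour (the "lost a day's data" case), while the firewall keeps its data but overruns its first-day RTO.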

Page 20: Business Resumption is…

Set your priorities

When we implement these procedures, we must prioritize all recovery efforts as follows:

– Employees: Not only must we help to ensure their survival as a basic human concern, but because of their anticipated performance in helping other persons on the institution's premises when the disaster strikes;

– Customers: As we do with employees, we must help to ensure the survival of or care for customers affected by the disaster: physically, mentally, emotionally and financially;

– Facilities: After ensuring the safety of employees and customers, we then secure each facility as shelter for both people and assets;

– Assets: Conducting a damage assessment will determine which assets have been destroyed, which ones are at risk and what resources we have left; and

– Records: Documenting the disaster and the actions taken by the institution's personnel -- when combined with comprehensive videotapes of facilities that are obtained during routine facility inspections -- reduces the likelihood of legal actions while helping to assess the responsibility for losses.

Page 21: Business Resumption is…

Put emphasis on training and on updating the resumption plan

• A comprehensive training program for all personnel at all facilities, conducted at specified intervals -- at least annually -- that may also include the:
• Identification and operation of utility shut-off devices;
• Location of emergency staging areas;
• Basic first aid and survival techniques; and
• Emergency responsibilities and re-assignment plans for all positions; and
• Written copies of the final Disaster Recovery & Business Resumption Plan distributed to branch and department leaders -- including a complete list of appropriate emergency response agencies and facilities.

Page 22: Business Resumption is…

Prioritizing resumption requirements

• Prioritization is the process of understanding what will be needed, when, and how long you have to get things rolling again.
• The one consistent activity is the establishment of basic telephone communication, and it should always be first on your list.
• List the major functions or activities of your business or organization. (In a large organization, list the "time-critical" functions or activities of each unit, division, department, branch etc.)

Page 23: Business Resumption is…

Recovery of Documents

• Have you developed, maintained and implemented an effective storage and recovery plan for the institution's original documents and vital records?
• Recovering business operations after a disaster often requires the use of original documents and vital records not stored as electronic data. The contingency plan should:
• Include plans for the consolidation and storage of appropriate original documents and vital records in a central fireproofed location, including:
- Contracts;
- Insurance policies;
- Corporate papers;
- An inventory list of stored items, stored in two (2) locations; and
- Annual review for applicability, currency and legality

Page 24: Business Resumption is…

Case Study 1-The Katrina Disaster

• Hurricane Katrina left behind nearly a million displaced people and destroyed paper medical records, underscoring the critical need for a digital health system. Hurricane Katrina pounded the Gulf Coast as a Category 4 storm at 7 a.m. Monday, August 29, 2005. Raging winds sustained at 140 mph and nearly 13 inches of torrential rain inundated the city for 48 straight hours.

• While the rest of the city went dark, redundant generator power kept St. Tammany alive with light, ensuring that computer operations, internal communication, and critical equipment including air conditioning and elevators never faltered.

Page 25: Business Resumption is…

Model instance of coping with a disaster

Overview: Merrill Lynch's Director of Global Contingency Planning was in the company's world-wide headquarters in the World Financial Center, across the street from the World Trade Center, when the 9/11 attacks occurred. Within three to five minutes Merrill Lynch had its command center up and running. In the hour following the attacks, obtaining accurate information was a challenge. With the condition of the surrounding buildings becoming increasingly uncertain, they relied on media reports to keep them up to date. Within a few hours, they were able to go from an employee evacuation and accounting mode to a standard business recovery mode, prioritizing resumption as dictated by the continuity plan. Merrill Lynch had mandated the use of LDRPS for all business units worldwide after Y2K.

Page 26: Business Resumption is…

…..Enabling your company to ensure organizational, business process and technological readiness, while limiting overall business impact to its Information Technology, Business Processes, the Supply Chain and its client base

To unravel the complexity associated with Business Continuity, while maintaining an operational business, we advocate a comprehensive structural approach utilizing building blocks...

[Diagram: building blocks Landscape Architecture, Process Optimization, Local Planning, Activity Prioritization, Deployment Planning and Resource Management, layered over Technology, Processes, Organization and Business Strategy. Caption: Best Results Come From Alignment & Optimization.]

Building the Foundation for BCP & DC

Page 27: Business Resumption is…

Agility Recovery

A cohesive business resumption plan can prepare your business for nearly any contingency. An integral part of any business resumption plan is a fully functional mobile command center.

Page 28: Business Resumption is…

Thank You for your time…