view presentation

000000_1Confidential and proprietary information of Ingram Micro Inc. — Do not distribute or duplicate without Ingram Micro's express written permission.

VTN Executive ForumVTN Executive ForumDisaster Recovery & Disaster Recovery & Business Continuity Business Continuity

Terry Buchanan, VP Services, CONPUTETerry Buchanan, VP Services, CONPUTENovember 2November 2ndnd, 2006, 2006

Partner Smart.™


Purpose & ExpectationsPurpose & Expectations

How to get started in DR/BCP and keep it How to get started in DR/BCP and keep it simplesimple

How to evaluate risk for your companyHow to evaluate risk for your company

Risk mitigation and planning techniquesRisk mitigation and planning techniques

Best practice processes to start planningBest practice processes to start planning

Plan structure and applicationPlan structure and application


DefinitionDefinition

Business Continuance (or Continuity) Planning Business Continuance (or Continuity) Planning (BCP) involves the processes and procedures (BCP) involves the processes and procedures organizations put in place to ensure that organizations put in place to ensure that mission mission critical functions can continue during and after a critical functions can continue during and after a disaster. disaster.

BCP focuses on BCP focuses on – People (Human Safety), People (Human Safety),

– Procedures/Process (How to) and Procedures/Process (How to) and

– Infrastructure (Facilities & IT) continuance.Infrastructure (Facilities & IT) continuance.


Getting StartedGetting Started

Considering the “What if scenario” Considering the “What if scenario”

Keeping your business runningKeeping your business running– What does that mean for each of you?What does that mean for each of you?

– What does that mean for your staff + co-workers?What does that mean for your staff + co-workers?

Do you have a plan to:Do you have a plan to:– Stay open?Stay open?

– Recover?Recover?

– Rebuild?Rebuild?

– Do nothing?Do nothing?


Best Practice Best Practice BCP ProcessBCP Process

Project Definition

Risk Assessment

Business Impact

Analysis

BCM DesignDetail &

Implement

EducationExercise &

Adapt



Project Definition Project Definition

Risk Assessment Risk Assessment

Business Impact Analysis Business Impact Analysis – RTO, RPO, Time Critical, Mission CriticalRTO, RPO, Time Critical, Mission Critical

BC Management DesignBC Management Design– Emergency Response and Operations Emergency Response and Operations – Crisis CommunicationsCrisis Communications– Coordination with External AgenciesCoordination with External Agencies

Detail and Implementation Detail and Implementation

Awareness and EducationAwareness and Education

Exercise and Adapt Exercise and Adapt


SponsorshipSponsorship

Sponsor has to own initiative.Sponsor has to own initiative.

Sponsor has to fund initiative.Sponsor has to fund initiative.

Sponsor is accountable for initiative.Sponsor is accountable for initiative.

Different level of Sponsors. Different level of Sponsors.

Who are sponsors?Who are sponsors?– President, CEO (Primary)President, CEO (Primary)

– CIO, CAO, CFO (Secondary)CIO, CAO, CFO (Secondary) Directors and Managers (Tertiary)Directors and Managers (Tertiary)



Project Definition


Project PlanningProject Planning

SponsorSponsor– Sets Goals and CharterSets Goals and Charter

Project/Program ManagerProject/Program Manager– Needs Project Management ExperienceNeeds Project Management Experience– Manages process/administration/negotiationManages process/administration/negotiation

Steering CommitteeSteering Committee– Senior ManagementSenior Management

C level, VP, etc.C level, VP, etc.– Approves and makes decisionsApproves and makes decisions– Manages budgetManages budget

Project TeamProject Team– Business Unit representativesBusiness Unit representatives

Managers, Senior staff, Subject Matter ExpertsManagers, Senior staff, Subject Matter Experts– Primary knowledge basePrimary knowledge base



Risk Assessment


Risk AssessmentRisk Assessment

ASSETS

RISK

RISK

THREAT



RISK

RISK

PROACTIVE

THREAT

REACTIVE

CONTROL

ASSETS



Threats are the causeThreats are the cause– Nature – Flood (Peterborough), Hurricane Nature – Flood (Peterborough), Hurricane

(Katrina/Louisiana), Ice Storm (Ottawa)(Katrina/Louisiana), Ice Storm (Ottawa)

– Political – Terrorist Attacks (9-11-01), UnionsPolitical – Terrorist Attacks (9-11-01), Unions

– Engineered – Viruses (Blaster)Engineered – Viruses (Blaster)

– Infrastructure – Power Outage (Ontario)Infrastructure – Power Outage (Ontario)

– Pandemics – Virus (SARS)Pandemics – Virus (SARS)

VulnerabilityVulnerability– ProbabilityProbability

– SeveritySeverity



Risks relate to impactRisks relate to impact– Function disruption to one or many Function disruption to one or many

– Elapsed TimeElapsed Time

– ReachReach

ControlsControls– DeterrentDeterrent

– MitigatesMitigates

– ReducesReduces


Risk Assessment AnalysisRisk Assessment Analysis

– Develop worst case scenariosDevelop worst case scenarios Develop realistic scenariosDevelop realistic scenarios

– Controllable versus uncontrollableControllable versus uncontrollable– Identify how risks necessary for conducting business Identify how risks necessary for conducting business

operations and communication are impactedoperations and communication are impacted– Identify how threats and risks impact human safety Identify how threats and risks impact human safety

and revenue generationand revenue generation– Preventive controls (security & redundancy)Preventive controls (security & redundancy)– Reactive controls (failing to or restarting operations at Reactive controls (failing to or restarting operations at

a designated location)a designated location)


Risk TemplateRisk Template

Threat Severity Probability Risk

Flood Medium MediumWater DamageLoss of Access

Mold/Fire

Terrorism High LowLife

Media

Security Hacker High HighIntellectual

Property LossData theft or loss

Power Outage Low Medium

Loss of Data Consistency

Loss of Controls (like Security)

Controllable?

No

Some

Yes

No


Application ImpactApplication Impact

WAN


Ten Worst Mistakes IT Staff MakeTen Worst Mistakes IT Staff Make

Connecting systems to the Internet before hardening themConnecting systems to the Internet before hardening them

Connecting systems to the Internet with default passwords (wireless issues)Connecting systems to the Internet with default passwords (wireless issues)

Failing to update systems when vulnerabilities are foundFailing to update systems when vulnerabilities are found

Using telnet or other unencrypted protocols for network management Using telnet or other unencrypted protocols for network management

Giving network access over the phone/without authenticationGiving network access over the phone/without authentication

Failing to maintain backups according to legislated archivingFailing to maintain backups according to legislated archiving

Running misconfigured, unvalidated, security tools (hacker software, I/10)Running misconfigured, unvalidated, security tools (hacker software, I/10)

Failing to implement or update antivirus software Failing to implement or update antivirus software

Allowing untrained, uncertified users to take responsibility for securing important Allowing untrained, uncertified users to take responsibility for securing important systems (accidental use of vendor bias / training)systems (accidental use of vendor bias / training)

Failing to train users on what constitutes a security problemFailing to train users on what constitutes a security problem

Source: RCMP Technical Security Branch, 2002Source: RCMP Technical Security Branch, 2002



Business Impact

Analysis


Business Impact AnalysisBusiness Impact Analysis

Exposure to loss over timeExposure to loss over time– Direct versus IndirectDirect versus Indirect

– Cost to recoverCost to recover

– Cost to avoid recoveryCost to avoid recovery

Business Process Business Process interdependenciesinterdependencies– WorkflowWorkflow

Legal and RegulatoryLegal and Regulatory


Recovery ObjectivesRecovery Objectives


Business Impact AnalysisBusiness Impact Analysis

Recovery Point Objective (RPO)Recovery Point Objective (RPO)– The point in time your company’s data is replicated The point in time your company’s data is replicated

or stored off-siteor stored off-site– Doesn’t mean data is not corrupt or synchronizedDoesn’t mean data is not corrupt or synchronized– The frequency of initiating a RPO determines YOUR The frequency of initiating a RPO determines YOUR

risk or data loss potentialrisk or data loss potential

Recovery Time Objective (RTO) Recovery Time Objective (RTO) – How long can you wait for certain functions to be How long can you wait for certain functions to be

restored?restored?– Tie in RTO to manual processTie in RTO to manual process


$$ to Recover

DR SLA 101 for ITDR SLA 101 for IT

Time to Recover (RTO)

Ex

po

su

re t

o L

os

s (

$$

)

$$ of Impact

Ideal Recovery Point(Risk + Cost)

SLA


$$ to Recover

Risk MitigationRisk MitigationNo BCPNo BCP


Ex

po

su

re t

o L

os

s (

$$

)

$$ of Impact


$$ of Impact

$$ to Recover

Risk MitigationRisk MitigationWith BCPWith BCP


Ex

po

su

re t

o L

os

s (

$$

)


LegalLegal

Bill C-471, C-387Bill C-471, C-387– EI Wait period can be waived in Disaster RegionEI Wait period can be waived in Disaster Region

Bill C-6 “PIPEDA”Bill C-6 “PIPEDA”– Personal Information Protection and Electronic Personal Information Protection and Electronic

Documents ActDocuments Act

Bill C-145 “Westray”Bill C-145 “Westray”– law to hold corporations, their directors and executives law to hold corporations, their directors and executives

criminally accountable for the health and safety of criminally accountable for the health and safety of workers workers


Vital Records ManagementVital Records Management

LegalLegal– Audits, Financials, Intellectual Property, PrivacyAudits, Financials, Intellectual Property, Privacy

DuplicationDuplication– Electronic, Hard CopyElectronic, Hard Copy

Off-Site StorageOff-Site Storage– Access, security, maintenanceAccess, security, maintenance



BCM Design


ITIL DefinitionITIL Definition

BCP is part of ITIL (IT Infrastructure Library) BCP is part of ITIL (IT Infrastructure Library) framework framework

Continuity management involves the following Continuity management involves the following basic steps:basic steps:– Prioritizing the businesses to be recovered by conducting a Prioritizing the businesses to be recovered by conducting a

Business Impact Analysis (BIA).Business Impact Analysis (BIA).– Performing a Risk Assessment (aka Risk Analysis) for each of Performing a Risk Assessment (aka Risk Analysis) for each of

the IT Services to identify the assets, threats, vulnerabilities the IT Services to identify the assets, threats, vulnerabilities and countermeasures for each service.and countermeasures for each service.

– Evaluating the options for recovery.Evaluating the options for recovery.– Producing the Contingency Plan.Producing the Contingency Plan.– Testing, reviewing, and revising the plan on a regular basis.Testing, reviewing, and revising the plan on a regular basis.


BCM DesignBCM Design

How will you avoid recovery? How will you avoid recovery?

How will you recover?How will you recover?

How will you manage recovery? How will you manage recovery?

Defined by RA and BIADefined by RA and BIA– Interdependencies Interdependencies

Relates to RTO & RPORelates to RTO & RPO


Planning StrategiesPlanning Strategies

Perform a Business Impact Analysis (BIA).Perform a Business Impact Analysis (BIA).– Determine risk and cost of downtime by critical Determine risk and cost of downtime by critical

application or function.application or function.

Create a Business Continuity Plan (BCP).Create a Business Continuity Plan (BCP).– Create a Disaster Recovery Plan (DRP).Create a Disaster Recovery Plan (DRP).– Create a Business Recovery Plan.Create a Business Recovery Plan.– Create a Business Resumption Plan.Create a Business Resumption Plan.– Create a Contingency Plan.Create a Contingency Plan.

Execute the Plans.Execute the Plans.

Test and adapt the plans regularly.Test and adapt the plans regularly.


TechnologyTechnology

BC and DR Planning Software assist tools BC and DR Planning Software assist tools

iSCSI – low cost network data transportiSCSI – low cost network data transport– Vendor Support (Microsoft, Novell, HDS, EMC, SUN, STK, Vendor Support (Microsoft, Novell, HDS, EMC, SUN, STK,

McData, CISCO, etc.)McData, CISCO, etc.)– Drivers + Initiators, NICs, TOEDrivers + Initiators, NICs, TOE

FAS – data replication/compressionFAS – data replication/compression– Protocols: FC, FCIP, IFCP, iSCSI, TCP/IP, DWDMProtocols: FC, FCIP, IFCP, iSCSI, TCP/IP, DWDM– Data Networks: FAS, SAN, NASData Networks: FAS, SAN, NAS

Data RecoveryData Recovery– Tape BackupTape Backup– ArchivingArchiving– Database log synchronizationDatabase log synchronization


Data ReplicationData Replication


Emergency ResponseEmergency Response

SC becomes Critical Management TeamSC becomes Critical Management Team– Escalation & NotificationEscalation & Notification– Disaster declarationDisaster declaration– Emergency Operations Centre (EOC)Emergency Operations Centre (EOC)

Life SafetyLife Safety– EvacuationEvacuation– Fire, Police, MedicalFire, Police, Medical

SecuritySecurity– Property and news mediaProperty and news media


Crisis CommunicationCrisis Communication

RespondRespond– Emergency Response TeamEmergency Response Team– Contact lists (up to date)Contact lists (up to date)

Recover OperationsRecover Operations– Departmental Recovery Teams Departmental Recovery Teams – Damage Assessment TeamDamage Assessment Team

RestorationRestoration– Clean UpClean Up– Insurance, rebuild, fail backInsurance, rebuild, fail back


Communicate with EXT AgenciesCommunicate with EXT Agencies

Plans to deal with local emergency services Plans to deal with local emergency services

Plans to deal with mediaPlans to deal with media

Plans to deal with volunteersPlans to deal with volunteers

Contact ListsContact Lists– Call them before they call youCall them before they call you

– Lists for internal response teamsLists for internal response teams

– Lists for restoration companiesLists for restoration companies

– Lists for short/long term staffingLists for short/long term staffing



Detail & Implement


Detail & ImplementDetail & Implement

Plan is now a programPlan is now a program– BCP is part of business cultureBCP is part of business culture

Implement controlsImplement controls– Vital Records replication and storageVital Records replication and storage

– Information TechnologyInformation Technology

– Physical SecurityPhysical Security

– Clean Desk PoliciesClean Desk Policies

Test controls with scenariosTest controls with scenarios


ControlsControlsInformation TechnologyInformation Technology

Data Availability Data Availability

Clustering & Load BalancingClustering & Load Balancing

Data Replication – Synch vs. AsynchData Replication – Synch vs. Asynch

Data CompressionData Compression

Off Site Storage – Tapes, CD/DVD, WORMOff Site Storage – Tapes, CD/DVD, WORM

Data Recovery – Tape BackupData Recovery – Tape Backup

Intrusion Prevention/DetectionIntrusion Prevention/Detection

Anti-Virus, Anti-Spam, FirewallsAnti-Virus, Anti-Spam, Firewalls

IP SurveillanceIP Surveillance


Strategy FocusStrategy Focus

Embrace BCP as part of your cultureEmbrace BCP as part of your culture– Be preparedBe prepared– Educate and promote sponsorshipEducate and promote sponsorship

Human SafetyHuman Safety– Security: Physical, records, IT NetworkSecurity: Physical, records, IT Network– Emergency ResponseEmergency Response

Maintain business infrastructureMaintain business infrastructure– Mission Critical OperationsMission Critical Operations– Support OperationsSupport Operations

Self Insurance as a strategySelf Insurance as a strategy– Reactive effort is not protection, it’s wasteful and costlyReactive effort is not protection, it’s wasteful and costly

Public PerceptionPublic Perception

Privacy & LegislationPrivacy & Legislation

Compliance LegislationCompliance Legislation


Plan StructurePlan Structure

Cheat sheet with numbers on a business card sized doc.Cheat sheet with numbers on a business card sized doc.

Speed killsSpeed kills– Outside help to identify risks and costs saves timeOutside help to identify risks and costs saves time

One person owns editing on plan documentsOne person owns editing on plan documents

Get a partner to review it and or test it with youGet a partner to review it and or test it with you

Keep main document short (no more than 4 pages)Keep main document short (no more than 4 pages)– Write the document yourself (you’ll understand it better)Write the document yourself (you’ll understand it better)– Have backups to subject matter experts write contentHave backups to subject matter experts write content– Appendices for workflow functions owned by departmentsAppendices for workflow functions owned by departments– Assume you will only have 50% of your staff to manage planAssume you will only have 50% of your staff to manage plan– Assume whomever uses plan knows something about your business Assume whomever uses plan knows something about your business

and or applicationsand or applications– Assume you are on your ownAssume you are on your own



EducationExercise &

Adapt


Application of the PlanApplication of the Plan

Exercise the ControlsExercise the Controls

Exercise different scenariosExercise different scenarios

Exercise by cross trainingExercise by cross training

Communicate resultsCommunicate results

Update documentationUpdate documentation

Audit requirementsAudit requirements

Develop New Hire trainingDevelop New Hire training

Develop general trainingDevelop general training


ResourcesResources

http://http://www.drii.orgwww.drii.org Disaster Recovery International Disaster Recovery International

http://http://www.dri.cawww.dri.ca DRI Canada DRI Canada

http://http://www.drj.comwww.drj.com Disaster Recovery Journal Disaster Recovery Journal

http://http://www.redcorss.cawww.redcorss.ca Red Cross Red Cross

http://http://www.fema.govwww.fema.gov Federal Emergency Management Agency Federal Emergency Management Agency

http://http://www.overt.cawww.overt.ca Ontario Volunteer Emergency Response Team Ontario Volunteer Emergency Response Team

http://http://www.ocipep.gc.cawww.ocipep.gc.ca Public Safety and Emergency Preparedness Public Safety and Emergency Preparedness CanadaCanada

http://http://www.drie.orgwww.drie.org Disaster Recovery Information Exchange Disaster Recovery Information Exchange

http://http://continuitycentral.com/itdr.htmcontinuitycentral.com/itdr.htm Continuity Central Continuity Central


Are you prepared?Are you prepared?


Questions?Questions?

Thank You!Thank You!


Partner Smart.™

view presentation

Business

risk assessment analysis

risk assessment risks

risk assessment threats

risk template

business operations

business impact analysis

company risk mitigation

application impact