Business Continuity Planning
Disaster Recovery Planning

A Business Continuity Plan (BCP) is an approved set of advanced arrangements and procedures that enable an organization to:
- Facilitate the recovery of business operations to reduce the overall impact of an event, while at the same time resuming the critical business functions within a predetermined period of time.
- Minimize the amount of loss.
- Repair or replace the damaged facilities as soon as possible.

Traditionally, recovery plans focused on the recovery of critical computer systems running at data centers (aka “disaster recovery”). Today, recovery plans must also focus on the critical computer systems operating in a distributed environment involving PCs, LANs, telecommunications, etc. Essentially, continuity plans address every critical function of an enterprise.

A disaster is something that interrupts normal business processing. A disaster is defined as a sudden, unplanned calamitous event that brings about great damage or loss. In the business environment, it is any event that creates an inability to support critical business functions for some predetermined period of time.

Reasons for BCP
- It is better to plan activities ahead of time rather than to react when the time comes
- “Proactive” rather than “Reactive”
- Take the correct actions when needed
- Allow for experienced personnel to be absent
- Maintain business operations
- Saves time, mistakes, stress and $$
- Keep the money coming in
- Short and long term loss of business
- Have necessary materials, equipment, information on hand
- Planning can take up to 3 years
- Effect on customers
- Public image
- Loss of life

BCP Requirements
- Provide an immediate, accurate and measured response to emergency situations.
- Provide procedures and a listing of resources to assist in the recovery process.
- Identify vendors that may be needed in the recovery process and put agreements in place with selected vendors.
- Avoid confusion experienced during a crisis by documenting, testing and training plan procedures.
- Clear guidance for declaring a disaster.
- Provide the necessary direction to ensure the timely resumption of critical services.
- Document storage, safeguarding and retrieval procedures for critical systems and supporting functions.
- Describe the actions, resources and materials required to restore critical operations at an alternate site in the event that the primary site(s) has suffered a serious outage.
- Document recovery procedures so they can be executed by knowledgeable people.

Developing the BCP: Project Management and Initiation
- Determine the need for automated data collection tools, including plans to provide training on how to use the software.
- Establish members of the BCP team, both technical and functional representatives.
- Prepare and present an initial report to management on how the BCP will meet the objectives.

“Automated” plan development can help you:
- Speed the process
- Avoid missing critical elements
- Organize teams
- Maintain the plan

Team Members
- BCP Planner/Coordinator
- Senior management, CFO, etc.
- Legal, HR
- Business unit/functions
- Recovery team leaders
- InfoSec, Telecomm, etc.

The same people who would be responsible for executing the plan in the event of an outage must also be involved in preparing the BCP.

Developing the BCP: Business Impact Analysis (BIA)

The BIA is a functional analysis that identifies the impacts should an outage occur. Impact is measured by the following:
- Allowable business interruption - the maximum tolerable downtime (MTD)
- Financial and operational considerations
- Regulatory requirements
- Organizational reputation

The BIA sets the stage for determining a business-oriented judgment concerning the appropriation of resources for recovery planning efforts.

Developing the BCP - BIA: Impact Assessment Purpose
- Identify risks
- Identify business requirements for continuity
- Quantify impact of potential threats
- Balance impact and countermeasure cost
- Establish recovery priorities

Developing the BCP - BIA: Benefits
- Relates security objectives to organization mission
- Quantifies how much to spend on security measures
- Provides long term planning guidance
- Site selection
- Building design
- HW configuration
- SW
- Internal controls
- Criteria for contingency plans
- Security policy
- Protection requirements
- Significant threats
- Responsibilities

Developing the BCP - BIA: Risk Assessment
- Potential failure scenarios
- Likelihood of failure
- Cost of failure (loss impact analysis)
- Dollar losses
- Additional operational expenses
- Violation of contracts, regulatory requirements
- Loss of competitive advantage, public confidence
- Assumed maximum downtime (recovery time frames)
- Rate of losses
- Periodic criticality
- Time-loss curve charts

Developing the BCP - BIA: Risk Assessment/Analysis Key
- Potential failure scenarios (risks)
- Likelihood of failure
- Cost of failure, quantify impact of threat
- Assumed maximum downtime
- Annual Loss Expectancy
- Worst case assumptions
- Based on business process model? Or IT model?
- Identify critical functions and supporting resources
- Balance impact and countermeasure cost
- Potential damage
- Likelihood

Developing the BCP - BIA: Definitions

Quantitative Risk Analysis
- Quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability
- Powerful aid to decision making
- Difficult to do in time and cost

Qualitative Risk Analysis
- Minimally quantified estimates
- Exposure scale ranking estimates
- Easier in time and money
- Less compelling

Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative.

Developing the BCP - BIA: Goals
- Understand economic & operational impact
- Determine recovery time frame (business/DP/Network)
- Identify most appropriate strategy
- Cost/justify recovery planning
- Include BCP in normal decision making process

Developing the BCP - BIA: Risk Analysis Steps

1 - Identify essential business functions
  - Dollar losses or added expense
  - Contract/legal/regulatory requirements
  - Competitive advantage/market share
  - Interviews, questionnaires, workshops

2 - Establish recovery plan parameters
  - Prioritize business functions

3 - Gather impact data/Threat analysis
  - Probability of occurrence, source of help
  - Document business functions
  - Define support requirements
  - Document effects of disruption
  - Determine maximum acceptable outage period
  - Create outage scenarios

4 - Analyze and summarize
  - Estimate potential losses
  - Destruction/theft of assets
  - Loss of data
  - Theft of information
  - Indirect theft of assets
  - Delayed processing
  - Consider frequency
  - Combine potential loss & probability
  - Magnitude of risk is the ALE (Annual Loss Expectancy)
  - Guide to security measures and how much to spend

Developing the BCP - BIA: Maximum tolerable downtime (MTD)

Item                  Required recovery time following a disaster
Non-essential         30 days
Normal                7 days
Important             72 hours
Urgent                24 hours
Critical/essential    minutes to hours

Developing the BCP: Recovery Strategies - Business Recovery

Focus is on the critical resources and the maximum tolerable downtime for each business/support unit system. This may include identification of:
- Critical IT system hardware, software and data
- Critical equipment, supplies, furniture and office space
- Key personnel for each business unit and support unit, such as Operations, Facilities, InfoSec, etc.

Developing the BCP: Recovery Strategies - Facility and Supply Recovery

Focus is on restoration and recovery, such as:
- Facility - main building, remote facilities
- Inventory - supplies, equipment, paper, forms
- Equipment - network environments, servers, mainframe, PCs, etc.
- Telecomm - voice and data
- Documentation - application, technical materials
- Transportation - movement of equipment, personnel
- Supporting equipment - HVAC, safety, security

Developing the BCP: Recovery Strategies - User Recovery

Focus is on personnel requirements, such as:
- Manual procedures
- Vital record storage (i.e., medical, personnel)
- Employee transportation
- Critical documentation and forms
- User workspace and equipment
- Alternate site access procedures

User Recovery (continued)

Procedures for the organization’s employees to follow during the outage include items such as:
- Team responsibilities
- Distribution of information
- Manual processing techniques
- Disaster policies
- Notification procedures
- High priority tasks
- Emergency accounting
- Checklists

Developing the BCP: Recovery Strategies - Operational Recovery

Determine the necessary equipment configurations such as:
- Mainframes, LANs, PCs, peripherals
- Explore opportunities for integration/consolidation
- Usage parameters

Data communications configurations include:
- Switching equipment, routers, bridges, gateways

Operational Recovery (continued)

Outline alternative strategies for technical capabilities, such as network infrastructure components.
Options include:
- Hot site, warm site, cold site, mobile site
- Reciprocal or mutual aid agreements
- Multiple processing centers
- Service bureaus

Developing the BCP: Recovery Strategies - Software and Data Recovery

Focus is on the recovery of information - the data. Options include:
- Backing up and off-site storage
- Electronic vaulting
- Online tape vaulting
- Remote journaling
- Database shadowing
- Standby services
- Software escrow
- Manuals and documentation

$ < P*V
  $ = expense of backup
  P = probability of loss
  V = cost of recreating lost data

Backup frequency - criticality and rate of change

Software and Data Recovery (continued)

Security and controls of backup data and materials
- While being transported to the offsite facility
- While stored at the offsite facility
- Backup site may need even better protection than primary site
- Data at backup facility is not accessed very often
- Problems could go undetected for a long time
- Consider encryption of backup data
- Too much processing overhead?
- Bank of America lost backup tapes

Developing the BCP: Plan Design and Development

In this phase the team prepares and documents a detailed plan for recovery of critical business systems. End products include:
- Business and service recovery plans
- Test method descriptions
- Restoration plans
- Plan maintenance programs
- Employee awareness and training programs

1. Determine management concerns and priorities.
2. Determine planning scope such as geographical concerns, organizational issues, and the various recovery functions to be covered in the plan.
3. Establish outage assumptions.
4. Identify response procedures, such as ensuring evacuation and safety of personnel, notification of disaster, initial damage assessment, activating teams and relocating to alternate sites.
5. Identify resumption strategies for mission-critical and non-mission-critical systems at alternate sites.
6. Identify the location for the emergency operations center/command center.
7. Identify restoration procedures for salvage, repair and return to the primary site. Also, the procedures to deactivate the recovery site.
8. Plan and implement the gathering of data required for plan completion.
  - Personnel information
  - Vendor services
  - Equipment, software, forms, supplies
  - Vital records
  - Technical information
  - Office space requirements
9. Review and outline who (and how) the organization will interface with external groups.
  - Customers
  - Shareholders
  - Civic officials
  - Community, region, and state emergency services groups
  - Utility providers
  - Industry group coalitions
  - Media
10. Review and outline how the organization will cope with other complications beyond the actual disaster.
  - Responsibility to families
  - Coordination with human resource and legal departments
  - Fraud opportunities
  - Exposure of sensitive data
  - Looting and vandalism
  - Ensuring primary site is protected during disaster
  - Safety and legal problems
  - Expenses exceeding emergency manager authority
  - Insurance coverage and timing of claim payment
11. Develop support service plans, including human resources, public relations, transportation, facilities, IT, telecomm, etc.
12. Develop business function plans and procedures.
13. Develop facility recovery (i.e., the building) plans.

Plan Testing
- Proves feasibility of recovery process
- Verifies compatibility of backup facilities
- Ensures adequacy of team procedures
- Identifies deficiencies in procedures
- Trains team members
- Provides mechanism for maintaining/updating the plan
- Upper management comfort

Plan Testing (continued)
- Desk checks/checklist
- Structured walkthroughs
- Simulations
- Parallel tests
- Full interruption tests

Plan Maintenance

Develop processes that maintain the currency of continuity capabilities and the BCP document in accordance with the organization’s strategic direction. This includes:
- Changing management procedures
- Resolving problems found during testing
- Building maintenance procedures into the process
- Centralizing responsibility for updates
- Reporting results regularly to team members

Plan maintenance functions are:
- Receive and monitor input on needed revisions - maintain revision history
- Plan maintenance reviews as needed
- Monitor changes within business units, such as upgrades to systems
- Control plan maintenance distribution - who receives a copy of plan updates
- Ensuring version control - obsolete editions of the plan are collected and destroyed.

Awareness and Training

The goal is to design and develop a program to create corporate awareness and enhance the skills required to develop, implement, maintain and execute the plans. The objectives should cover a range of outcomes from simple awareness of the major provisions to the ability to carry out specific procedures.
- Train the teams used for recovery strategies.
- Train those employees who will have specific roles in the recovery process, such as systems staff, team leaders, etc.