Presentation Slides
advertisement
Slide Heading Business Continuity Management Why DR is not enough! Christopher LaVesser GE HealthCare February 15th 2012 Welcome Welcome ISACA members and friends! Before we start • Please silence cell phones and mute remote phones For local attendees • WIFI • Rest facilities • Food and beverage Announcements • February newsletter • Membership Renewal Deadline • International Volunteer Opportunities – Deadline, Feb 29 • Exam Prep Review Course Nominations for elections Upcoming ISACA KM Events BMIS - Business Model for Information Security - Mar 14 • 3 CPE, 1.30P start time Ethical Hacking - Security Processes and Procedures Apr 11 2nd Annual GRC Symposium - May 16 • 8:00AM - 5:00PM • 8 CPE • Ken Vander Wal, ISACA International President • Robert Stroud, ISACA Strategic Advisory Council, itSMF International Board Slide Heading Business Continuity Management Why DR is not enough! Christopher LaVesser GE HealthCare February 15th 2012 About GE • 4 businesses operating in more than 160 countries … 125+ years • Over 300,000 employees worldwide • 2010 revenue $150B Energy Infrastructure • Power & Water • Energy Services • Oil & Gas Technology Infrastructure • Aviation • Healthcare • Transportation GE Capital Home & Business Solutions • Appliances • Intelligent Platforms • Lighting About Chris LaVesser IT Service Continuity Manager – GE Healthcare Responsible for: • • • • • • • ITSCM Strategy, BCM Alignment, Awareness and Communication ITSCM Critical Business Process Alignment Data Center Failover and Recovery Plans ITSCM Vitality – Architecture, Strategic Platforms, Solutions and Automation Hosted Solutions DR Service Catalog DR Council IT Recovery Plan Approvals Prior to GE … 2004—2011: 2003—2004: 1996—2003: Education: ProHealth Care, Aurora Healthcare, information systems strategy Application delivery and recovery strategy Department of Defense (consultant to) Healthcare IT strategy and EMR deployment Hospital Corpsman, United States Navy Pre-hospital emergency care, Preventive medicine, Clinic operations Women’s health, Information systems development and strategy Bachelor of Science—Business Administration, MBA Agenda Business Continuity and Disaster Recovery – SWWC (So What, Who Cares)? Business Continuity Methodology Slide ITSCM atHeading GE Healthcare Assurance and Audit Framework DR Technologies and Virtualization: Saving Time & Money Justifying and selling ITSCM to your executives Agenda Business Continuity and Disaster Recovery - SWWC (So What Who Cares)? • Why are we taking about DR … AGAIN? • Probability ≠ Consequence: What is your cost of downtime? Slide Heading • Terminology • Implementing BCP Projects: Issues, Risks and Challenges So What, Who Cares? Why are we talking about Disaster Recovery … AGAIN? Why are we talking about DR? DR/BC Drivers • More data than ever before, big data • More tech-supported workflows • Strict data/availability requirements, regulatory issues • Interconnectedness, customer/user disruption and consequence • Corporate reputation and image Increasing reliance on availability DR Competition in the Cloud Reality Check Probability ≠ Consequence • 93% of companies that lost the use of their data center for 10 days or more filed for bankruptcy within one year of the disaster (Source: National Archives & Records Administration, Washington D.C.). • Of the companies experiencing disasters, 43% never reopen, and 29% close within two years (Source: McGladrey & Pullen, LLP). • The average cost of downtime as a function of labor (for large organizations) is $1,010,536 per hour (Source: Meta Group Study). • “Post” Katrina, over 100 healthcare agencies – which served over 21,000 patients combined – in the New Orleans area were flooded or permanently destroyed. (Source: TMC Healthcare Technology) Lessons Learned “Never confuse the PROBABILITY of failure with the CONSEQUENCE of failure.” ~ Rear Admiral Stephen Turcotte, Space Shuttle Columbia Disaster Interagency Investigation Board ~ The Big Guys Fall…Harder What is your cost of downtime? Productivity Lost shifts Lost days Wasted supplies Missed shipments Service failures Expense Temporary employees Temporary facilities Extra equipment Non-productive overhead Revenue Compensatory payments Missed sales Contract failures Billing losses Reputation Customers Creditors Suppliers Employees Distributors Trade groups Markets Competitors Performance Revenue recognition Cash flow Missed discounts Reporting failures Know Your Downtime Cost Per: • • • • Hour Day Week Month So What, Who Cares? Why are we talking about Disaster Recovery … AGAIN? We rely HEAVILY on system availability. BCP ≠ DR ≠ ITSCM Business Continuity Plans (BCP) • Define the minimum critical requirements for service delivery and acceptable operating conditions during times of unexpected outage. • Designed to mitigate potential loss and serve to minimize disruptions and financial impact during even minor events. Disaster Recovery (DR) /Disaster Recovery Plans (DRP) • Are IT focused plans designed to restore operability of the target system, applications, or computer facility at an alternate site after a major and usually catastrophic event. • Concentrates on deploying technology, writing scripts, and doing annual drills to practice recovery of IT systems after a disaster. DR is necessary but not sufficient. IT Service Continuity Management (itSCM) • The ‘technical' subcomponent of BCP; • Takes the IT-related business threats and addresses them through risk reduction, response, recovery, or avoidance actions. • Governs the execution of Business Continuity Management requirements. Business Continuity Management Is not just another name for Disaster Recovery, it includes… • Disaster Recovery – IT systems • • Hardware Restoration – Devices, Network, Communications Software Recovery – OS, Applications, Data • System Reliability and Availability • • • • Security Updates / Patches Interoperability Redundancy • Business Recovery and Resumption • • • Corporate escalation procedures Total site recovery plans Partial site recovery plans • Contingency Planning • Crisis Management BCM goes beyond BCP and also covers management aspects such as policy, training and awareness, maintenance and exercise, and continuous improvement, as well as understanding the organization and embedding BCM into its culture. Evolution of Business Continuity 1980s 1990s 2000s Business Focus Traditional Dot.com eBusiness Requirements Restore Recover High Availability 24x7 Scalable Driven By Regulation E-Commerce Competition Magnified by Disaster Absence of Brick E-Commerce and Mortar Recovery Hardware Hardware and Data Hardware, Data, Applications Expectation Days / Hours Minutes / Seconds Minutes / Seconds Decision Optional Recommended Mandatory Why are we talking about DR? • Trends and changes in Business Continuity Management • • • • • • • Consistency across acquired and outsourced teams Shifting Environments and Responsibility – new media, new threats (social media, cloud, wireless/mobile devices) Integration between incident management and corporate communications Regulatory and contractual obligations can be met Catastrophic event scenarios - protests and extreme weather Cyberspace attacks (zero-day virus) that impact customer-facing sites, partners and service providers on a much broader scale Testing: • Multi-day tests to ease burden on normal business operations • Multi-scenario, involves partners/providers • Continuity and communications plans (including social media) Issues, Challenges and Risks • Senior management commitment and involvement • Lack of thorough understanding of the data dynamics and dependencies involved in data recovery by BCM practitioners • Inappropriate approach in executing BCM processes • Incorrect and/or inappropriate assumptions in formulating business continuity and disaster recovery plans • Perception that DR is an IT problem Source: Key Issues, Challenges and Resolutions in Implementing Business Continuity Projects Issues, Challenges and Risks • Senior management commitment and involvement • Delegation by Senior Management • • • BCM Implementation for the Wrong Reasons • • People, processes and resources must be part of the equation Absence of a Single BCM Framework Across Multiple Offices • • Failure to align system capability with business needs and growth projections results in solution gaps and performance issues Technology-only Approach Toward Resilience • • Compliance driven not business-risk driven Business/IT Disconnect • • Reduces visibility Leads to lack of serious attention and cross-departmental cooperation For consistency, start with enterprise-wide standard/framework Lack of Consensus Between Senior Management and Operations Management – RPO/RTO Issues, Challenges and Risks • Lack of thorough understanding of the data dynamics and dependencies involved in data recovery by BCM practitioners • Incomplete Understanding of Data Recovery Requirements • • • • • Upstream and downstream systems End user computing systems (spreadsheets, batch processes) Synchronized recovery of transactional data Permissions, profiles, configurations, license keys Failure to Consider Full Recovery • Return to normal can be as painful as the failover itself Issues, Challenges and Risks • Inappropriate approach in executing BCM processes • • Location-based Risk Assessments • Building or Site-based not as effective as service/processbased risk assessment • Co-location arrangements share HVAC, physical security, etc. Inappropriate BIA Approach • • Analysis of individual business applications conducted in silos; business owners tend to overstate the importance of its function Equal Weight (Risk Priority Number) Assigned to All Risk Attributes • Failure Modes and Effects Analysis (FMEA) used alone may result in unnecessary investments for low-severity risks Risk 3 is more critical than the other two risks. When risks are prioritized for treatment, the effective way to establish risk acceptance criteria is to use both RPN and criticality. Issues, Challenges and Risks • Incorrect and/or inappropriate assumptions in formulating business continuity and disaster recovery plans • Failure to Consider All Relevant Assumptions and Limiting Factors • Disasters do not occur in isolation -- multiple systems and processes are impacted by disasters • Multiple businesses and service providers can be impacted by disasters • Competition for scarce resources in disasters can negatively impact recovery times • Local/regional disasters impact availability of key human resources – people first. Agenda Business Continuity Methodology • Awareness / Operation and Planning / Site Evaluation • Risk Assessment Slide Heading • Business Impact Analysis • Strategy Development • Recovery Plan Development • Validation/Testing • Recovery Plan Implementation, Maintenance Business Continuity Methodology Validation and Testing Procedures Awareness Organization & Planning Recovery Plan Development Site Evaluation Strategy Development Risk Assessment Business Impact Analysis Recovery Plan Training Recovery Plan Approval Recovery Plan Implentation Maintenance Program Most BCM activity is limited to just DR testing and if you are lucky, DR training. Business Continuity Methodology Awareness • • • • Over 90% of BCP projects fail at the onset beginning because of a lack of awareness & support by upper-management. First goal is to help develop awareness to confirm commitment. Trending towards board level initiation of BCP – risk, image Integrate into Operating Mechanisms: • • • • • C-Level Accountability Reviews Architecture Review Boards and Coaching Sessions Project Steering/Tollgate Reviews, Project Manager Training Programs Shouldn’t always be driven by IT. Business Continuity Methodology Organization & Planning • Similar to other large projects • • • Obtain management approval for funding, personnel, etc Develop overall program plans: implementation plan, communications plan, change control, maintenance and continuous improvement plans For BC/DR Programs - Develop standards and guidelines • Scope (of the system portfolio Must, Should, Could) Roles and Responsibilities Document creation, review, approvals, storage, maintenance Initiating, Aligning and Engaging Resources Create templates • Crisis Management • Business Impact Analysis / Business Continuity Plans • Disaster Recovery Plans and Disaster Recovery Test Plans • Test Summary Reports • Determine test cycles: what to test, when and how often • • • • Business Continuity Methodology Organization & Planning, continued • For discrete BC/DR projects • • Develop project plan Initiate/align/engage resources • • • • • • • • Create/update documents Obtain approval of documents Test Business Continuity Plans Test Recovery Plans Conduct After Action Review – What went wrong and what went right. • • • • Business Owners IT Owners Technology Owners Close issues / mitigate gaps Update documents Action plan for improvement (issues and scope) Schedule next test – Retest, regular test cycle, change/release cycle Business Continuity Methodology Site Evaluation(s) • Identify and document your business locations? • What business functions are performed there? • • • • • • • • Manufacturing / Industrial Sales / Retail Administration / Finance Customer Service / Call Center Data Center What vital records (paper, electronic) are stored there? Identify and document Business Systems – systems needed (i.e. accounting – are manual processes defined, existing procedures documented) Identify and document IT Systems - hardware, software, recovery plans, telecommunication, people, process, procedures, etc. Business Continuity Methodology Risk Assessment Should be performed/reviewed annually • What are the business vulnerabilities? • • • • • • • • • • • • Hardware Information / Data Systems and Processes Buildings People Partnerships / Suppliers Other Determine if there have been past interruptions What is the potential for future disruptions? What is the cost of that disruption if it is known? Need to consider factors unique to local environment/community. Evaluate and rate the probability of business interruptions…. Risk Assessment Evaluate and Rate Probability of Business Interruptions • • Physical • Human Error • Hardware Failure • Fire, Smoke, Water • Loss of Power • Malicious Attack Natural • Flood / Tsunami • Tornado / Hurricane • Volcano • Earthquake • Sink Holes • • Electronic • Bugs • Viruses • Hacking • Sabotage • Denial of Service Other • Strike • Material Shortage • Supplier Loss • Geo-Political Events • Endemic/Pandemics • More… Risk Assessment Considerations in analyzing risk will include the following: • • • • • Investigating the history and frequency of particular types of disasters (often versus seldom). Determining the degree of predictability of the disaster. Analyzing the speed of onset of the disaster (sudden versus gradual). Determining the amount of forewarning associated with the disaster. Estimating the duration of the disaster. Risk Assessment, Example Natural Threats Description Internal flooding Dry pipe: Probability of inadvertent activation is 10 raised to -6. Raised floor has all cooling fluids below surface. Drainage tiles are in place and have proven to work in the 2010 flood that surrounded building. External flooding One flood has occurred in last 5 years. Cars were floating in parking lot. Water did seep into conduit; however, drain design prevented any damage. There has not been any internal fires and data center has dry pipe. Building has gas suppression and water to save building. Based on historical accident data, in combination with site-specific data, such as the mass and arrangement of the cabling, the probability of a fire occurring in the data center area is usually estimated to be Internal fire “somewhat likely” (0.0001 - 0.01/yr). A fire in such a data center, particularly under the raised floor, could result in significant downtime - in excess of a week or more. This would typically be attributed to the mass of cabling in many areas and the toxic and corrosive combustion products resulting from a PVC fire. According to NFPA, the probability of an external commercial fire that could potentially spread to other buildings External fire is .452% The 1947 Wisconsin earthquake took place on May 6, 1947 immediately south of Milwaukee at 4:25 a.m. It was Seismic the largest tremor to be historically documented in Wisconsin, though it was not recorded by seismographs. No activity serious property damage resulted here or elsewhere, and the Milwaukee Gas Light Co. reported no breaks or trouble in the gas system. There are redundant telecom entrance lines that are below ground. However, they are below ground on company High winds property but are above at carrier. Snow and ice There are redundant telecom entrance lines. However, they are below ground on GE property but are above at storms carrier. Since 1950, 14 tornadoes have been reported in Milwaukee County . The earliest tornado in the City of Milwaukee was March 8, 2000. The F1 tornado with winds up to 110mph started near the airport and then went Tornado through Cudahy and St Francis. The strongest ever recorded tornado in Milwaukee was an F2 on August 4, 1980. The Tower building can withstand an F2. Hurricane N/A In the last 30 years, there has been the Avian Influenza and 1993 Milwaukee Cryptosporidium outbreak was a Epidemic significant distribution of the Cryptosporidium protozoan in Milwaukee, Wisconsin, and the largest waterborne disease outbreak in documented United States history. Tidal Wave Tower is sufficiently inland. Typhoon No recorded typhoon in Midwest Probability of annual Impact Risk occurrence (0-3) Value (0-10) 0 2 0 3 1 3 0.1 1 0.1 0.0452 3 0.1356 0 2 0 10 1 10 9 1 9 0.2 3 0.6 0 3 0 1 1 1 0 0 0 0.002 0 0 Risk Map Milwaukee Site Natural Threats 12 10 P r o b a b i l i t y 8 Internal fire 6 Tornado External fire High winds Snow and ice storms 4 External flooding Epidemic 2 0 0 0.5 1 1.5 2 Impact 2.5 3 3.5 Business Impact Assessment Purpose This BIA documents the critical business processes of system to be used in disaster recovery planning. • • • • Identify all the mission critical applications and functions in the environment. Priority Planning – Identify core biz apps & systems. Rate them. Mission critical if it must be restored in less than 2 hours because the financial impact is so great. Classifying the core function. Quantifying the impact. Determine recovery priority. Business Function – more in depth. Core functions. (quantify the impact on manufacturing plant lines) Through this analysis, the following are documented: • • • The potential impact on the business if the system or parts of the system were unavailable, as it applies to disaster recovery planning. The business continuity plan to develop workarounds for business users to operate during the system disruption time. Recovery objectives will state the length of time the business can tolerate an outage and how much data the business can risk losing. Results will drive development of strategy and scope Business Impact Assessment Scope of the BIA • Description of the system • What is in scope – Applications, Modules, Interfaces, Peripherals • What is not in scope – Upstream/downstream systems • Assumptions – Some systems your plan(s) depend are available The results of this analysis can be used for the following: • To identify the business requirements for the user acceptance segment of DR testing • To create the disaster recovery (DR) test plan • To develop strategic site-based IT Service Continuity planning; application information can be used to compare applications located at a site and an appropriate and objective recovery priority level assigned Business Impact Assessment • • • • What business functions use this system? At what point during the year is the system used most frequently? Is this system in scope for any compliance regulations? Did any unplanned service disruptions occur in the past 2 years associated with the system that caused an impact to the business and/or users of the system? • What was the impact of the disruption? • Should be reviewed/updated annually, and after any major change/event. Business Impact Assessment Critical business process: […] Describe the process within the Process identifier number: [SYSID-0#] application. Example: Create purchase order. This sub process aligns to the following Business Process(es): Go To Market (GTM), New Product Intro (NPI) Inquiry to Order (ITO), Order to Remittance (OTR) Close the Books (CTB) Service, Post Market , Customer Loyalty Other ____________________ Critical business process owner: Should be listed in the Communications Plan. System dependencies for this process: List any interfaces, applications, and/or other data inputs needed for this process. This information will help trace applications and their respective DR plans to each other. What is the input of this process? What is the output of this process? […]Describe inputs required for this process to work. This […]Describe outputs required for this process may be an input from a dependency listed above. to work. This may be an output from a dependency listed above. How frequently does this process occur? […] If this process were unavailable, what would be the operational impact? […] What else is affected if this process were unavailable? […] If this process were unavailable, what are the compliance risks? […] In the event of a disaster, does this process need to be Is there a workaround that can be used available? [Yes/No] If yes, this business process shall trace to a until the application is fully restored? test script within the application’s DR test plan. [Yes/No] If yes, explain that workaround in Section 7 of this document. These processes will be tested during the DR test, after the recovery steps, to ensure the critical processes are available in a DR environment Business Continuance Plan What process does this workaround replace? Is this workaround for the entire application? There may be one workaround for the entire application, or different workarounds documented for specific processes. Process identifier number: This workaround aligns to business process [#] Workaround steps: Describe the business continuity plan in the boxes below for short-, medium-, and longterm. Provide details for an appropriate sequence of actions to be executed in the event that the application is not available for the determined period of time. With agreement from the system owner, it is acceptable that the plan may be to take no action, and wait until the application is recovered. The boxes below state the length of time that is considered short, medium and long term, respectively. If the length of time is different during a period in which the application is used more frequently, also document that length of time. Short-term: Describe the steps that would be used in the short-term. Is there a Work Instruction for this business continuance process? Y/N Has this process been tested? Y/N After x hours/days Medium-term: Describe the steps that would be used in the medium-term. Is there a Work Instruction for this business continuance process? Y/N Has this process been tested? Y/N After x hours/days Long-term: Describe the steps that would be used in the long-term. Is there a Work Instruction for this business continuance process? Y/N Has this process been tested? Y/N After x hours/days Business Continuance Plan Return to Normal How will this critical business process return to normal? • Is this a return-to-normal process for the entire application? There may be one for the entire application, or different processes and quality checks documented for specific business processes. • If no workaround exists, or is not possible, complete one of these tables for the critical business process and state briefly how the lack of a workaround influences the Recovery Point Objective (RPO) or Recovery Time Objective (RTO) listed below. Return-to-normal steps: • Describe the process to be followed to ensure data created/captured during downtime are properly entered into the system for each critical business process, such that normal workflows and reporting with the system can be restored. • How will these data be verified after the return-to-normal process is complete? • Who is responsible for verifying the data? Recovery data source: e.g. Spreadsheet name, journal location, responsible party? Prerequisites: • • Is there a pre-requisite to resuming normal user activity?: Y/N If yes, does this process have to be completed before allowing normal users back on system? Dependencies: Which return-to-normal processes must be completed before this process is executed? List in order, and indicate “none” for those with no dependencies. Communication: How will completion be communicated? Recovery Objectives RPO: The maximum amount of data that may be lost when service is restored after an interruption. Measured by the point in the past to which you could restore data from a backup. RTO: The speed with which systems and processes must be in operation following an incident. This is measured by the maximum time allowed for recovery of an IT service following an interruption. BCP Communications Plan Internal Contacts Contact (or Contact (or How to notify? group) role distribution list) name External (Vendor) Contacts Contact (or Contact (or How to notify? group) role distribution list) name Communication plan: (How to remain in contact? Is there a physical meeting place? If a teleconference will be used, what is the number?) Communication plan. Primary point of contact. Who invokes the plan and who needs to know? BCP Risk Risk Workarounds are not available for some/all of the critical business processes. There is a risk that resources that should be notified that alternate processing is in effect will not receive timely notification if contact and distribution lists are not current. Unable to contact or engage sufficient resources required for business continuity plan. While the continuity plan is in effect, there is the risk of non-communication or delayed communication of critical issues and detail on them to all parties involved in resolution. Business Continuance Plans and work around processes have not been tested. There is a risk that some end users may continue using alternate methods once the system is available again. There is a risk of manually captured data being incorrectly entered into the system or missed being entered, once the system is available. There is a risk that applications and systems that the application depends on do not have detailed out their business-specific continuity plan and do not have alternate tools and processes in place to deal with an unplanned outage situation. There is a regulatory / compliance risk of …. Describe if applicable Mitigation Business Continuity Methodology Strategy Development • • • Identify systems or critical needs that will financially justify the strategy moving forward. Based on Risk Probability and Business impact, level of disaster, risk appetite, solution will be defined. Balance the cost of risk reduction measures and recovery actions • • • • • • • • • • Backup and recovery strategy Off-Site Storage Eliminate single points of failure Multiple outsourcing providers – SLAs, Disaster SLAs, Resilient IT systems and networks Hot site / High Availability Site, Warm/Cold Site Change controls Greater security control Better service disruption detection Continual improvement Strategy Development Strategy Development – Recovery Options • Do nothing • Manual Workarounds - Administrative actions take a lot of resources • Reciprocal Arrangements - Agree to use the infrastructure of another organization • Gradual Recovery – Cold Standby • An empty room available (in house or outsourced), mobile or fixed, where IT infrastructure can be rebuilt • Takes longer than 72 hours • Intermediate Recovery - Warm Standby • Contract with 3rd party recovery organization to use their infrastructure in a contingency situation (Sungard) • 24-72 hours to recover • Fast Recovery – Hot Standby • Recovery site with infrastructure only • Immediate Recovery – Hot Standby / High Availability • Recovery site – full redundancy infrastructure, mirrored data Business Continuity Methodology Recovery Plan Development • • • Identify resources that enable the business functions and their outputs to be generated • Business resources (e.g. fax, photocopiers, staff, application software etc) • Support resources (e.g. network drives, servers, PABX etc) • Infrastructure resources (e.g. computer rooms, storage facilities, etc) Develop the recovery plan based on the Strategy and approved budget. • i.e. Data center costs, business (interruption) insurance, etc. could be justified in the losses. Validation of BCM method(s) maintain service and compliance levels Recovery Plan • Overview • Document Purpose • Assumptions • Dependencies/Prerequisites • Inclusions • Exclusions • Limitations • Roles And Responsibilities • Test Items • Test Setup – Prerequisites, How conducted, Who engaged/how • Components And Functions To Be Tested • Infrastructure Recovery Segment • User Acceptance Segment – Traceability to BIA • Components And Functions Not To Be Tested Recovery Plan • Disaster Recovery Physical And Technical Requirements • Disaster Recovery Requirements • Backup Requirements • Other Disaster Recovery Requirements • Physical And Technical Environmental Needs • Physical Environment • Physical Application Architecture • Technical Environment • Risk Strategy • Training Requirements • Test Scripts • Execution Of Test Scripts • Incident Management • Retest Procedure • Acceptance Criteria For Test Scripts Recovery Plan • Acceptance Criteria – Test scripts passed, RPO/RTO met • Return To Normal Operations – Back out changes, restore/revert connections, take down test DBs, Business As Usual (BAU) mode • Exit Criteria – Test scripts approved, issues closed, BAU mode • Qualified Infrastructure • At Time Of Disaster – How is test plan different from the recovery plan? • References • Internal Quality References • Project Documentation References and Work Instructions • Glossary: Acronyms/Definitions Used Test Scripts DR Rehearsal Tasks Owner Disaster Occurs Disaster Activate Command Center CCT Team ComputeFacilities CTO Damage Assessment Disaster Declaration Actual Start Time (CST) Actual End Time (CST) Elapse d time Disaster Mobilization Initiate Tcon / WebEx DR Leader Notification to Business CCT Escalation Command Center CCT Invoke Business Communication Plan DR Leader CCT / SP DR Lead CCT & Compute CCT ComputeFacilities ComputeFacilities Mobilize Recovery Teams Review and Verify Customer Specific Info Initiate Recovery Process Identify alternate location and target h/w Engage the Facilities team to rack, power and network the equipment Rebuild the Catalogue for NetBackup to get list of tapes to recall from Iron Mountain. Request Iron Mountain rep to deliver tapes Re-import the tapes to appropriate data center tape library. Storage Admin Storage Admin Storage Admin - Test Scripts DR Rehearsal Tasks Server restore Root – Operating System SAN / NAS configuration Application Directories Application Data Engage networking to make DNS changes if necessary, reconfigure F5 Reboot after all configurations NAS/SAN Recovery Export file systems Open SRA for the exports and quotas Mount NAS Points to Directories on Servers Database restore Engage DBA Team Restore PRODdb to DRdb DR instance Startup the recovered DRdb Web Server & App Server restore Configure Application on DR target Configure Connection Pools Where applicable Citrix Check published application is available Validation H/W validation Database validation - Status check Owner Compute - Server Compute – SAN Compute - Server Compute - Server Compute - Server Compute - Server NAS Admin NAS Admin Unix Admin DBA Data Protection Team DBA Web Services Web Services Citrix Team Compute Compute Actual Start Time (CST) Actual End Time (CST) Elapse d time Test Scripts DR Rehearsal Tasks Test Application Test Script 1 Test Script 2 Test Script 3 Test Script 4 Test Script 5 Calculate RPO / RTO Return to Normal Operations Revert connections NAS Request to release temporary storage Take down dr database Disable access to DR environment Resume functions Return home Close the TCON Document findings Owner Actual Start Time (CST) Actual End Time (CST) Elapsed time Recovery Objective Recovery Results 1:00 0:00 24:00 0:00 Functional Team Functional Team Functional Team Functional Team Functional Team DR Leader NetworkingTeam Storage Team DBA Team Networking Team Business ALL CCT ALL RPO (Hours) RTO (Hours) Business Continuity Methodology Validation and Testing Procedures • The plan must be tested to: • • • • Ensure completeness and accuracy of recovery steps Uncover any problems or overlooked issues Verify recovery objectives can be met Testing Approaches: • • • Table Top - Roundtable review (virtual dry run) of plan to check completeness and begin training; also used when physical test is too risky (full failover), cost prohibitive (total loss of datacenter) or impossible to simulate (pandemic) Partial Test – Segments can be tested separately – backup / recovery Full Test • Either on weekends or planned outage: Business functions, IT systems, communication methods are interrupted and the plan is tested. • An alternative is to go off site and restore without access to the main facility. Business Continuity Methodology Recovery Plan Implementation • • • Once the plan has been tested and “approved”, it is then implemented Plan must be stored in secure common location and that location is communicated with business departments. Procedures on when it should be accessed is communicated. Maintenance Program • • • • Very important to keep it updated and review regularly Very important to have risk-based approach to frequency and scope of testing (criticality, availability, vulnerability) Define the change control Recommend a centralized department that encompassed security, asset management, Business Continuity Planning Agenda ITSCM at GE Healthcare • Current State of DR • Goals, Objectives and Strategic Imperatives Slide Heading • Why not just DR? • ITSCM – A new philosophy and new imperative • Virtualizing DR What IF….. … we lost one of our key data centers? • • • • Multiple businesses impacted Thousands of systems not available Recovery time 60-90 days (estimate) 1 M transactions/day don't happen! Recovery Goals • Tier 1 recovery < 24 hours • Tier 2 recovery < 72 hours HISTORICAL SHIFT Consolidation to key locations for cost out STRATEGIC Strengthen key locations + Leverage virtualization technology + Test and audit, address obsolescence Current State of DR • Fragmented and Imbalanced • Every application for itself • Compliance focus • Strong facilities and tools Fragmented and Imbalanced • Too much focus on the application • Too much focus on the smoking hole scenario • Too little focus on the smoking hole scenario • Wildly different approaches, understandings, motivations, etc. Every Application For Itself • • • • • Don’t we have an “easy” button? App-specific DR plans, tech, tests Poorly-understood requirements No standard approach—historically It’s based on “metal” classification… …no it isn’t. Compliance focus… SOX Enterprise GE Corporate: ITCF HIPPA HITECH JCAHO Contract Hosted Technology Solutions Strong facilities and tools Strategic Data Centers Recovery Tools / Knowledge Milwaukee Data Domain Waukesha Oracle RAC & SQL Polyserve Buc, France Virtualization Grove, UK H/A Clusters Beijing, China Redundancy Chicago Log Shipping How can we leverage these? Goals and Objectives Strategic Imperatives IT Service Continuity Mgmt. Disaster Recovery & Testing Critical Business Process Alignment Meet Compliance Requirements Proactive measures reducing risk of disruption to IT services • • • • Ensure business continuity by reducing the impact of disruptive events Reduce IT vulnerabilities/risk to the business through analysis and risk mgmt. Prevent loss of reputational value & customer and user confidence Create tight integration between ITSCM and BCM Automate the compliance process…eliminate complexity • • • Define and understand DR architecture options (SRM, HA, Bare Metal, etc.) Implement technology to simplify DR Testing and Recovery Define DR architecture standards … enforce through Enterprise Architecture Understand business impact of disruption to IT services • • • Establish applications mappings to servers and datacenters (2011-2012) Map applications to critical business processes (2012-2014) Institutionalize mechanisms to establish and maintain control of relationships Win at compliance 100% of the time • Define, align with, and meet GEHC enterprise, Managed Solutions, and Corporate Enterprise Risk Management compliance requirements for Disaster Recovery Why not just DR? • • • • • • 1900+ applications Complex architecture Large, cumbersome, outdated plans Constantly cycling technology Constantly adding/retiring systems Knowledge too-far removed from process • DR alone is never enough… Why not just DR? 1900+ Applications Inefficient & Expensive Technology & Process Separation Compliance Scope: 2011: ~ 50 Apps 2012: ~ 150 Apps Constant Application Change Constantly +/Applications DR alone won’t get us there… A new philosophy—Not just DR • Leverage what we’re doing well Improve Recoverability • Balance focus on smoking hole • Standardize Compliance Remove / Reduce Risk • DR-ready platforms/technologies • Proactive risk management • BC plans span residual risks Tightly-Bound BCP Planning RecoveryReady Infrastructure The ITSCM Imperative Competitors NPI CTB Ensure Continuous Service Service ITO OTR Enterprise Hosted Technologies ITSCM: TSO Focus Areas Guided by DR Council Reduce Risk IT Service Continuity Management IT Disaster Recovery & Crisis Management Improve Recoverability Reduce Cost Ensure Compliance Platform Risk Remediation Recovery Tools • SRM • Data Domain Recovery Tools • SRM • Data Domain SOX-DR Data Center Risk Remediation Virtualization Virtualization ITCF-DR HTS Contract Review Balanced Replication Strategy Balanced Replication Strategy HTS-DR Data Center Core Services Restoration Plans Standardization Continuous & iterative: Drive ITSCM maturity 2012 2014 ITSCM Continuous Improvement New New Products/Services Markets/Suppliers Capabilities App/Data Classification Business Continuity Planning New Regulations Risk Appetite Targets Process Improvement Test Results Obsolete Technology Budget Disaster Recovery Planning Resource Availability Priorities New Technology Agenda Assurance and Audit Framework • GE Compliance Framework – Mapping DR to regulations • ITSCMHeading Framework - COBIT Slide • ITSCM Assessment Checklist GEHC Compliance Framework Healthcare Industry Standards Area HIPAA FDA CFR IT Continuity Plans 164.308(a)(7)(ii)(B) 164.308(a)(7)(ii)(E) 164.310(a)(2)(i) Critical IT Resources 164.308(a)(7)(ii)(C) Maintenance of the IT Continuity Plan 164.308(a)(7)(ii)(D) Testing of the IT Continuity Plan 164.308(a)(7)(ii)(D) SD 4.5.5.2 SD 4.5.5.3 SD App K SD 4.4.5.2 SD 4.5.5.4 XI. B SD 4.5.5.4 IT Continuity Plan Training Distribution of the IT Continuity Plan IT Services Recovery and Resumption Post-resumption Review ITIL SD 4.5 SD 4.5.5.1 CSI 5.6.3 IT Continuity Framework Offsite Backup Storage Industry best practices 21CFR11 164.308(a)(7)(ii)(A) 164.310(d)(2)(iv) XI. C 21CFR11 SD 4.5.5.3 SD 4.5.5.4 SD 4.5.5.3 SD 4.5.5.4 SD 4.5.5.3 SD 4.5.5.4 SD 4.4.5.2 SD 4.5.5.4 SD 4.5.5.2 SO 5.2.3 SD 4.5.5.3 SD 4.5.5.4 Internal ISO/IEC 27002:2005 InfoSec 6.1.6 6.1.7 14.1.1 12.1.4 14.1.2 14.1.4 6.1.6 12.1.2 6.1.7 12.1.3 14.1.3 14.1.1 12.1.1 14.1.2 14.1.5 12.1.6 14.1.5 12.1.5 14.1.5 12.1.5 14.1.5 12.1.1 14.1.1 14.1.3 12.1.5 10.5.1 12.1.1 14.1.5 12.1.5 ITSCM Framework - COBIT COBIT Area Section Details (abbreviated) DS 4.1 IT Continuity Framework Develop a framework for IT continuity to support enterprise wide business continuity management using a consistent process DS 4.2 IT Continuity Plans Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes DS 4.3 Critical IT Resources Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery situations DS 4.4 Maintenance of the IT Encourage IT management to define and execute change control procedures to ensure that the Continuity Plan IT continuity plan is kept up to date and continually reflects actual business requirements. DS 4.5 Testing of the IT Continuity Plan Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster Determine that a defined and managed distribution strategy exists to ensure that plans are Distribution of the IT DS 4.7 properly and securely distributed and available to appropriately authorized interested parties Continuity Plan when and where needed Plan the actions to be taken for the period when IT is recovering and resuming services. IT Services Recovery DS 4.8 Ensure that the business understands IT recovery times and the necessary technology and Resumption investments to support business recovery and resumption needs. Store offsite all critical backup media, documentation and other IT resources necessary for IT DS 4.9 Offsite Backup Storage recovery and business continuity plans Determine whether IT management has established procedures for assessing the adequacy of Post-resumption DS 4.10 the plan in regard to the successful resumption of the IT function after a disaster, and update Review the plan accordingly. DS 4.6 IT Continuity Plan Training Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant ITSCM Assessment Checklist Item Category 1 2 3 4 Business impact analysis Critical process Communication 5 COBIT Control Objective section Has a Business Impact Analysis (BIA) been conducted? If yes, when was the last DS 4.1 update? DS 4.1 DS 4.2 DS 4.2 6 Workaround DS 4.1 7 Backup site DS 4.9 8 Level of service DS 4.8 DS 4.2 Role and responsibility 10 DS 4.3 11 Operational procedure 12 Critical software and hardware 13 Support equipment BIA DS 4.2 9 Assessment Reference Are critical processes documented and included in the Disaster Recovery Plan (DRP)? Is a communication plan included? Are several communication channels included? Are call trees and lists, staff names, and recovery procedures documented automated and/or manual? Are there layers of contingencies such as IT and/or manual workarounds documented? Does the DRP provide an alternate site for recovery? Does the DRP specify the level of service (which the business owner has agreed to be acceptable) to be provided while in recovery mode? Does the DRP have distinct management and staff assignment of responsibilities immediately following a disaster and continuing through the period of reestablishment of normal operations? Does the facilities section have predetermined contracts to recover facilities and/or rebuild plans for critical computing equipment and business area workstations? N/A BIA BIA BIA BIA BIA DRER BIA BIA - DS 4.1 Are the operational procedures documented in a systematic fashion that will allow recovery to be achieved in a timely and orderly way? DREP DS 4.3 Does the DRP identify hardware and software critical to recover the mission critical business and/or functions? DREP DS 4.3 Does the DRP identify necessary support equipment (forms, spare parts, office equipment, etc.) to recover the mission critical business and/or functions? BIA ITSCM Assessment Checklist Item Category COBIT section Control Objective Assessment Reference DS 4.3 Is there a back-up generator to support critical systems, technical staff and business area workstations? 15 DS 4.7 Is a current copy of the DRP maintained off-site? NA 16 DRP availability DS 4.7 Is the off-site DRP copy up-to-date? NA 17 DS 4.4 Do all users of the DRP have ready access to a current copy and/or copies at all times? NA DS 4.1 Are all critical or important data required to support the business being backed-up? How often is the backup? DREP DS 4.6 Does the training, testing/exercise plan list exercise type, sequence, and frequency of occurrence? - DS 4.6 Do all employees responsible for the execution of the DRP receive training? - Do the business conduct exercise(s) of the DRP at least annually? - Does the document cover method(s) used to test the DRP? DRER / BIA Has the DRP corrective action plan been completed and closed? DRER Are there DRP maintenance procedures and schedules? DRPlanning Is the summary of changes made to plan since last submission been documented? DREP 14 18 19 Infra backup Critical data backup Training 20 21 DS 4.5 Testing 22 DS 4.5 23 Corrective actions DS 4.10 24 Review and approval DS 4.1 25 Change management DS 4.4 Agenda Disaster Recovery Technologies and Virtualization • VMWare – Site Recovery Manager • Data Domain Slide Heading • DR in the Cloud Virtualizing Disaster Recovery • Site Recovery Manager • What is it? • • • Allows VM’s to be moved across sites Digitizes DR Testing Process Who can use it? • • Any virtualized infrastructure could be a potential candidate How does it work? • Leverages Data Replication and VMotion Site Recovery Manager Automate the recovery process…eliminate complexity • Rapid DR for critical applications and systems • Hardware agnostic, flexible DR design • Eliminate human error through DR automation • Lower DR costs through virtualization Virtualizing Disaster Recovery • Benefits of Site Recovery Manager • • • • • • • • • Simplifies recovery process Reduces complexity and stress Reduces recovery time Backup Agents and missed open files are not an issue with an image backup of a virtual server guest Most SANs have a built-in replication option Virtual server disk images can be replicated to a remote DR site • Allows you to pre-stage servers at remote DR site • Consolidating servers reduces hardware (and possibly colocation) costs of remote DR site Ability to test and fine tune DR procedures with significantly smaller investment Ideally suited to Vmware cluster environment running SAN Supports many-to-one failover using shared recovery sites Site Recovery Manager Estimated Recovery Time Recovery Method Bare Metal Recovery with Physical Servers 23 Hours Bare Metal Recovery with Virtual Servers 11.7 Hours Bare Metal Recovery with Pre-Staged Images 1.2 Hours Which do you prefer? Virtualizing Disaster Recovery • DR in the Cloud • What is it? • • • Who can use it? • • • Just starting to emerge Connectivity to compute and storage resources hosted on remote, scalable, elastic, multi-tenancy clouds Based on an OPEX model Suited to all organizations, ranging from small and medium businesses to large enterprises How does it work? • VMs are hosted in a third-party facility and are essentially operating from the cloud DR Competition in the Cloud Data Domain • Data Domain • What is it? • • • Who can use it? • • • • Disk-based backups with built-in intelligence Centralized Backup, Management and Reporting Organizations with large/growing data stores (and budgets) Companies offering cloud services Multi-site / Multi-data center organizations How does it work? • • Deduplication reduces data to smallest size to optimize transfer and storage Disk devices replacing linear tape Data Domain Benefits • Benefits of Data Domain • Centralized Backup, Management and Reporting • • Automate Backup and Recovery Process • • • 10% of images on tape are unrecoverable (this is optimistic) Lower cost of operation • • • • • 229% increase ability to run concurrent backups 16 staff hours/week saved by not changing tapes Increased reliability • • Provides off-site replication for BCP/DR Reduction in hardware footprint Eliminates tapes and trucks Reduced storage costs (30:1) data compression Reduced WAN bandwidth: 40:1 reduction for WAN transfer Improved recovery (restore) time • • Data restores minutes vs. hours/days Backups available despite community disruption Legacy Technology …Tape • Challenges at GEHC • • • • • • • • Massive data growth (store multiple copies) Mechanical failures Reliant on local personnel Longer recovery times DR via trucks Accidental loss Regulatory compliance challenges GEHC is replacing all tape backups with 88 DataDomain Deduplication • Opportunity • Offsite backups 365 days per year • Data securely encrypted at rest and on transition • Devices highly redundant • Improved backup success rates • Not reliant on local personnel • Simplifies Compliance and auditing • Leveraged heavily for application migrations and centralisation GEHC Enterprise Architecture Remote site A Site Deployment Status Data Protection Hubs Buc/Beijing/Milwaukee Backup Server Application Servers n AP - 75% Data Domain Device Backup Servers 100% US remote sites (45+ sites) Replicate Remote Office Data Remote Site B Backup Server WAN Data Domain Device EU - 90% Outstanding Milwaukee Q2 ‘12 Waukesha Q2 ‘12 Buc Q2 ’12 Cardiff Q2 ’12 Beijing Q2 ’12 Bangalore Q3 ‘12 Satellite sites DataDomain Dedupe Device 90 Agenda Justifying and Selling ITSCM to your executives • Audience • Drivers Slide Heading • Facts • Methods Justifying – The audience • Who is the audience(s) • • • • • • Board of Directors Executive leadership (“C monsters”) Technical leadership Line of Business/Unit (LOB) leadership Clients / partners / regulators Others • May be selling to multiple audiences Justifying – The drivers • What are the drivers (designed to the audience) • What is a driver? • Some of your work is already done • BIA – quality, depth, accuracy, completeness • Validate the drivers – make sure aimed at right target • Big, long term project requires long term vision • What’s now, what’s next • “Skating to where puck will be” • “Hard” and “soft” drivers Justifying – The facts • Current benchmarks – where are you now? • Gap analysis • Use specific, hard metrics wherever possible • SLA, contractual, implicit/explicit requirements • “STROLE” model (risk and reward for each) • • • • • • Strategic – soft, but meaningful Technical Reputational – image Operational Legal – risks, requirements and regulations Economic – money Justifying – The methods • The story – the Business Case, which explains: • What is our situation? (Exec overview) • Is there a problem? How big? Worth solving? • How do we know? (facts) • What if we don’t do it, or delay it? (drivers) • What are eligible options? Tradeoffs? • What will it cost? (Cost/benefit and friends) • What are your recommendations? (the plan) • What will we get/gain/avoid? (benefits) Lessons Learned • Do • Engage the right SMEs early in the process • System Owners, Architecture, Technology Owners • Communicate to Stakeholders • Form a Business Continuity Steering / DR Council • Leverage “Table Top” or Dry Run when appropriate • Conduct After Action Reviews (AAR) • Formalize, document and approve results • Link ITSM to Change Management to keep plans, scope and recovery options up to date Lessons Learned • Don’t… • Expect it to work the first time • Try to boil the ocean • Build the IT solution before you define the critical business solution • Rely on plans alone, “planning” is everything • Confuse probability with consequence So What, Who Cares? Why are we talking about Disaster Recovery … AGAIN? Ensuring continuous service determines not just recoverability, but survival. References ISACA • • • Business Continuity and Assurance Program http://www.isaca.org/KnowledgeCenter/ITAF-IT-Assurance-Audit-/Audit-Programs/Documents/WAPBC-Mgmt1Sept2011.doc BC / DR Planning Community - http://www.isaca.org/Groups/ProfessionalEnglish/business-continuity-disaster-recovery-planning/Pages/Overview.aspx Business Model for Information Security (BMIS) http://www.isaca.org/Knowledge-Center/BMIS/Pages/Business-Model-forInformation-Security.aspx Disaster Recovery International - https://www.drii.org/ Disaster Recovery Journal - http://www.drj.com/ Questions? Closing comments (if any)
