Gulf Coast Energy International
Business Continuity / Disaster Recovery Planning and Design Proposal
Prepared by Andrew Rolf, Felipe Torres, Pranay Jaiswal

BCP/DR & Emergency Preparedness Plan
– Disaster Recovery Plan
– IT systems
– Corporate processes and procedures
Business continuity, emergency management and disaster recovery are interconnected to protect, recover and resume business operations.

© 2006. IT Consulting LLC. All Rights Reserved.

How to initiate a BCP?
– Perform in-depth review of existing DRP and perform immediate improvements as appropriate.
– Establish a GCE Project Sponsor and Steering Committee.
– Establish Business Continuity Definitions, Terms and Assumptions.

Business Continuity Lifecycle
Stage 1: Initiation
– Initiate Business Continuity Management
Stage 2: Requirements and Strategy
– Risk Assessment
– Business Impact Analysis
– Strategy Evaluation and Selection
Stage 3: Implementation
– BR Organization and Responsibilities
– Implement stand-by arrangements
– Develop IT Recovery Plans
– Implement Risk Reduction Measures
– Develop Standard Operating Procedures
Stage 4: Operational Management
– Review and Audit
– Testing
– Education and Awareness
– Training
– Quality Assurance
– Change Management

Schedule for BCP/DR (SOW)
[Timeline chart covering 2006 and 2007, with a "Hurricane Season Starts" marker and phases labelled STABILIZE, OPTIMIZE and TRANSFORM]
CURRENT STATE
• DR not a priority
• DR plans not updated to meet new business req.
• Plans not tested
• DR HW out-dated
Activities and deliverables shown on the timeline
– Project Initiation (Scope / Assumptions, Schedule, Team, Contract)
– Review / Validate Existing BCP/DR processes & procedures for ability to meet SLAs
– Recommend immediate updates to current procedures as appropriate
– Project Planning
– Project Execution
– Initiate Risk Assessment (RA); Deliverable (RA)
– Initiate Business Impact Analysis (BIA); Deliverable (BIA)
– Initiate Strategy Evaluation And Selection; Deliverable (SES)
– Develop Recovery Plans
– Develop Procedures
– Implementation; Implement Critical Functions
– Plan Annual Exercise; Conduct Annual Exercise; Deliverable (Exercise Result)
– Periodic Review / Validate BIAs And DRPs
– Coordinate Regular DR Tests per SLAs
TARGET STATE
• New BCP/DR Plan
• Annual Testing
• Constant Update
• Periodic BIAs validations
• Updated HW
• Management commitment

Risk and Business Impact Analysis
Analysis Team Members
– Individuals from each functional business unit
– DR consultants from IT Consulting
Analysis Team Responsibility
– Plan & conduct Risk & Business Impact Analysis
– Report findings to management
Data Gathering
– Cross-functional analysis
– Interviews, Meetings, Questionnaires, Polls
– On-site and electronic conferences
Data Storage and Distribution
– Stored on LAN
– Software: Microsoft Office
– Distributed by mail, email, LAN, face to face

Risk Analysis
Risk Evaluation Areas
– Geographical Locations
– Building Composition
– Upstream, Downstream, Corporate, & IT
  • Physical access controls and security
  • Computing environments
  • Personal practices
  • Operating practices
  • Backup practices
Items Included in Risk Analysis
– List of potential disasters/crisis
– Impact to people, assets, environment, reputation
– Likelihood of occurrence
– Severity rating based on impact and likelihood
– Others…
People and Disasters
Disaster Awareness and Training
– Detailed Evacuation Plans
– Evacuation Drills
Emergency Communication Processes
– Contact Information for All Employees
Laptops for Critical Functions

Business Impact Analysis
Critical Functions Questionnaire
– Is function time critical?
– Can function be performed at reduced efficiency?
– Max time function can be unavailable?
– Loss of revenue?
– Fines or penalties?
– Legal liabilities?
– Loss of public image?
– Others…
Steps in Analysis
– Compare to risk analysis
– Develop matrix of critical functions, risks, impacts
– Review with stakeholders/management

Steps for a Disaster Recovery Plan
– Identify staffing requirements
– Identifying recovery strategies
– Selecting recovery strategies
– Draft Creation of disaster recovery plan
– Testing the disaster recovery plan

Staffing Resources
[Organization chart for IT Consulting and Gulf Coast Energy]
Roles shown in the chart
– BCP/DR Manager
– DR Coordinator / Project Manager
– DR Transition Manager
– Disaster Recovery Specialist (three positions)
– Mainframe DR Technicians
– Distributed Computing Specialists
– Network DR Specialists
– Project Sponsor
– Steering Committee
– Mainframe Business SME
– Distributed Computing Business
– Network Business SME
– Other Business SMEs
Legend
• DR: Disaster Recovery
• SME: Subject Matter Expert
Time Dedication: Not more than 30% of their total work time should be needed to provide guidance to the IT Consulting Project Team.

Relationship between RTO, RPO & Cost
[Figure: time axis marked Weeks, Days, Hrs, Secs on both sides of DISASTER, showing RPO and RTO; cost axis (Money) showing maximum cost of plan against time to recover]
Recovery Point Objective (RPO): Refers to the point in time to which data must be recovered.
Recovery Time Objective (RTO): Refers to the acceptable time period within which the business functions should be restored and made available to ensure normal functioning of the organization.

Identifying Recovery Strategies
Computer facilities recovery strategy
– Hot sites, Cold sites, Mirror sites, etc.
Data and documentation recovery strategies
– RPO, RTO
Department recovery strategies
– Business Functions
Telecommunication recovery strategies
– Voice and Data
Selecting Recovery Strategies
Cost Benefit Analysis

Site            Cost         Hardware Equipment   Telecom          Setup Time   Location
HOT Site        Med / High   Full                 Full             Short        Fixed
WARM Site       Med          Partial              Partial / Full   Med          Fixed
COLD Site       Low          None                 None             Long         Fixed
MIRRORED Site   High         Full                 Full             None         Fixed
Mobile Site     High         Dependent            Dependent        Dependent    Variable

GCE Global Operations
– Corporate Headquarters, Houston: Corporate, Upstream, Downstream, Real Estate, IT; ~4K employees
– Division Headquarters, Lockport, LA: Upstream, Real Estate, IT; ~1K employees
– European Headquarters, Brussels: Upstream, IT; ~200 employees
– Asia Pacific Headquarters, Kuala Lumpur: Upstream, IT; ~150 employees

GCE Gulf Coast Operations
As Is

GCE Corporate IT Group (as-is)
[Network diagram. Locations: Support/Op. Personnel Office, Developers & PM Office, Remote Office, Developer Datacenter, Operations/Support Datacenter, Oil Platforms. Components: LANs, Router, Firewalls, FRAD, Fax, Phone, File, Database Server, Application Server, E-Comm., Email, DB]

GCE Gulf Coast Operations
Redundancy
– On-Shore
– Off-Shore

GCE Gulf Coast Operations
Critical Data
[Network diagram: the as-is Corporate IT Group layout with a Satellite link added and recovery-site labels HOTSITE, COLDSITE and MIRRORED (on the Developer Datacenter and the Operations/Support Datacenter)]

Selecting Recovery Strategies
Data, Time, and Criticality
– Huge Data Quantity, Low Business Criticality: RTO → Delayed
– Small Data Quantity, High Business Criticality: RTO → Immediate

Steps for a Disaster Recovery Plan
Identifying recovery strategies
Selecting recovery strategies
Draft Creation of disaster recovery plan
– Reviews and discussion sessions
– Finalize and Sign-off
Testing the disaster recovery plan
– Initial Test
– Subsequent annual tests

Project Cost Estimates
GCE losses estimated to be $1 Million a day without a comprehensive disaster recovery plan.
Total Project Cost: $3.1 Million
– .51% of GCE 2005 Income of $600M
– .03% of GCE 2005 Revenue of $10B
– Costs based on work completed through DR implementation for Critical systems (June 1, 2007)