Add to collection(s) Add to saved
  1. Business
  2. Management
  3. Project Management

Lecture14 - The University of Texas at Dallas

advertisement 
Business Continuity
and
Disaster Recovery Planning
Dr. Bhavani Thuraisingham
The University of Texas at Dallas (UTD)
June 2011
Domain Agenda
•
•
•
•
•
•
•
Project Scope Development and Planning
Business Impact Analysis (BIA) and Functional Requirements
Business Continuity and Recovery Strategy
Plan Design and Development
Implementation
Restoration / Disaster Recovery
Feedback and Plan Management
Domain Objectives
•
•
•
•
Understand the planning process
Integrating BCP into the organization
Defining inputs and outputs of process
Understand the difference between BCP and DRP
Sources of Information
•
•
•
•
•
Disaster Recovery Institute International
Business Continuity Institute
ISO 25999
ISO 27001, Section 10
NIST SP 800-34
ISO 25999:
Business Continuity Management
•
•
•
•
•
Risk management
Disaster recovery
Facilities management
Supply chain management
Quality management
•
•
•
•
•
Health and safety
Knowledge management
Emergency management
Security
Crisis communications and
PR
Overview of BCP
•
•
•
•
Direct benefits
Indirect benefits
Overlap with Risk Management
BCM vs. BCP vs. COOP
The Enterprise BCP
• DRP
– Backup strategies
– Emergency procedures
– Contracts and provisioning
• BIA
– Reciprocal agreements
– Alternate sites
• Incident response planning
– Succession Plan
– Incidence Response Team
The Enterprise BCP (cont.)
• Risk analysis
– Safeguards / countermeasures
– Insurance plan
• Corporate communication plan
– User awareness training
– Media/stakeholder relations plan
The Business Continuity Life Cycle
•
•
•
•
•
Analyze the business
Assess the risks
Develop the BC strategy
Develop the BC plan
Rehearse the plan
BC Project Phases
•
•
•
•
•
•
•
Project Scope Development and Planning
Business Impact Analysis (BIA) and Functional Requirements
Business Continuity and Recovery Strategy
Plan Design and Development
Implementation
Restoration / Disaster Recovery
Feedback and Plan Management
Reflecting Organizational Context
•
•
•
•
•
•
•
Policy is the driver
Aligned with requirements
Provides direction and focus
Use Business Impact Analysis
Identify inputs
Outcomes and deliverables
Reviewed annually
Policy
•
•
•
•
•
Organizational authority
Policy document
Program scope
Resources
Outsourcing
Policy contents
•
•
•
•
Framework
Tools and techniques
Policy contents
Change is infrequent
Outsourced Activities
• You are still responsible
• Resilience in outsourcing
• Supplier continuity
Scope and Choices
• Limit scope
• Ensure clarity of scope
• Strategy, Return on Investment (ROI), and SWOT (Strengths,
Weaknesses, Opportunities, Threats)
• Review yearly
Program Management
•
•
•
•
•
•
Assigning responsibilities
Initiating BCP in the organization
Project management
Ongoing management
Documentation
Incident readiness and response
Documentation
•
•
•
•
•
Review current BCP if available
Documentation may not equal capability
Staff must be trained to use any necessary software
Types of documentation
Review as directed by policy
Initiating BCP
•
•
•
•
Awareness, data, implementation
Staff and budget
Result must be a long-term, sustainable program
Review progress monthly
Incident Readiness & Response
•
•
•
•
•
•
Planners become leaders
Be prepared
Triage
Incident management
Success = Return to Operations
Immediate lessons learned
Key Indicators of Success
•
•
•
•
•
Senior management commitment
Policy content
BCP Resources
Project management
Documentation
BCP Project Phases
•
•
•
•
•
•
•
Project Scope Development and Planning
Business Impact Analysis (BIA) and Functional Requirements
Business Continuity and Recovery Strategy
Plan Design and Development
Implementation
Restoration / Disaster Recovery
Feedback and Plan Management
Understanding the Organization
• Business Impact Analysis (BIA)
– Benefits
– Objectives
• Evaluating Threats (Risk Assessment)
• Emergency Assessment
• Indicators of Critical Business Functions
Business Impact Analysis
•
•
•
•
•
•
•
Identifies, quantifies and qualifies loss
Scope and support required
Documents impact and dependencies
MTD, RPO
Business impact analysis process
Workshops, questionnaires, interviews
Business justifications for budget
Maximum Tolerable Period of Disruption
Item
Required recovery time
following a disaster
Non-essential
30 days
Normal
7 days
Important
72 hours
Urgent
24 hours
Critical/Essential
Minutes to hours
Estimating Continuity Requirements
•
•
•
•
Total budget for disaster recovery
Identification of necessary resources
Outcomes feed BCP strategy selection
Reviewed with BIA
Evaluating Threats (Risk Assessment)
•
•
•
•
Risk equation + time element
Risk = Threat impact * probability
Prioritize key processes and assets
Outcomes
Key Indicators or Success
• Corporate governance
• BIA practice
• Risk assessment practice
BCP Project Phases
•
•
•
•
•
•
•
Project Scope Development and Planning
Business Impact Analysis (BIA) and Functional Requirements
Business Continuity and Recovery Strategy
Plan Design and Development
Implementation
Restoration / Disaster Recovery
Feedback and Plan Management
Determining Business Continuity
Strategy
•
•
•
•
•
High-level strategies
RTO < MTPD
Separation distance
Resilience
Address specific business types
Determining Strategy
•
•
•
•
Determining BC strategies
Strategy options
Activity continuity options
Resource-level consolidation
Activity Continuity Options
•
•
•
•
•
Selecting recovery tactics
Reliability
Extent of planning
Cost/benefit analysis
Outcome
Recovery Alternatives
Alternative
Description
Readiness
Cost
Multiple processing/
mirrored site
Fully redundant
identical equipment
and data
Highest level of availability
and readiness
Highest
Mobile site/trailer
Designed, selfcontained IT and
communications
Variable drive time; load data
and test systems
High
Hot site
Fully provisioned IT
and office, HVAC,
infrastructure and
communications
Short time to load data, test
systems. May be yours or
vendor staff
High
Warm site
Partially IT equipped,
some office, data and
voice, infrastructure
Days of weeks. Need
equipment, data
communications
Moderate
Cold site
Minimal
infrastructure, HVAC
Weeks or more. Need all IT,
office equipment and
communications
Lowest
Processing Agreements
Agreement
Description
Consideration
Reciprocal or Mutual Aid
Two or more organizations
agree to recover critical
operations for each other.
Technology upgrades/
obsolescence or business
growth. Security and access
by partner users
Contingency
Alternate arrangements if
primary provider is
interrupted, i.e. voice or data
communications
Providers may share paths or
lease from each other.
Question them.
Service Bureau
Agreement with application
service provider to process
critical business functions.
Evaluate their loading
geography and ask about
backup mode.
BCP Project Phases
•
•
•
•
•
•
•
Project Scope Development and Planning
Business Impact Analysis (BIA) and Functional Requirements
Business Continuity and Recovery Strategy
Plan Design and Development
Implementation
Restoration / Disaster Recovery
Feedback and Plan Management
Resource Level Consolidation
•
•
•
•
•
Consolidation plan
Availability of solutions
Consolidate, approve, implement
Methods and techniques
Outcomes and deliverables
Business Continuity Plan
•
•
•
•
Master plan
Modular in design
Executive endorsement
Review quarterly
Business Continuity Plan Contents
•
•
•
•
When team will be activated
Means by which the team will be activated
Places to meet
Action plans/task list created
Business Continuity Plan Contents
• Responsibilities of the team or of specific individuals
–
–
–
–
–
–
Liaising with Emergency Services (fire, police ambulance)
Receiving or seeking information from response teams
Reporting information to the Incident Management Team
Mobilizing third party suppliers of salvage and recovery services
Allocating available resources to recovery teams
Invocation / mobilization instructions
Developing and Implementing Response
•
•
•
•
•
Incident response structure
Emergency response procedures
Personnel notification
Communications
Restoration
BCP Project Phases
•
•
•
•
•
•
•
Project Scope Development and Planning
Business Impact Analysis (BIA) and Functional Requirements
Business Continuity and Recovery Strategy
Plan Design and Development
Implementation
Restoration / Disaster Recovery
Feedback and Plan Management
Implementing Incident Management Plan
•
•
•
•
Rapid response is critical
Crisis management
Steps to develop an Incident Management Plan
Action plans
Incident Response Structure
• Strategic
• Tactical
• Operational
Key Indicators of Success
• Development and acceptance of Recovery Strategies and
Business Continuity Plans
BCP Project Phases
•
•
•
•
•
•
•
Project Scope Development and Planning
Business Impact Analysis (BIA) and Functional Requirements
Business Continuity and Recovery Strategy
Plan Design and Development
Implementation
Restoration / Disaster Recovery
Feedback and Plan Management
Disaster Recovery
•
•
•
•
Salvage
Separate function and team
Facility restoration
System recovery
BCP Project Phases
•
•
•
•
•
•
•
Project Scope Development and Planning
Business Impact Analysis (BIA) and Functional Requirements
Business Continuity and Recovery Strategy
Plan Design and Development
Implementation
Restoration / Disaster Recovery
Feedback and Plan Management
Testing the Program
•
•
•
•
Find the flaws
Outsourcing
Timetable for tests
Test design process
Testing Types
Types
Desk Check
Walkthrough
Simulation
Parallel
testing
Full
Process
Check the contents
of the plan, aid in
maintenance.
Check interaction
and roles of
participants.
Includes: business
plans, buildings,
communications
Moves work to
another site.
Recreates the
existing work from
the displaced site.
Shuts down and
relocates all work
Participants
Author
Frequency
Complexity
Often
LOW
Rare
HIGH
Author and
main people
Main people
and auditors
Everyone at
location
Everyone at
both locations
Embedding BCP
• Assessing level of awareness and training
• Developing BCP within the Culture
• Monitoring cultural change
Test BCP Arrangements
•
•
•
•
•
Test, rehearsal, exercise
Combine all plan activities
Stringency, realism and minimal exposure
Contents of a test
Outcomes
Maintaining BCP Arrangements
•
•
•
•
•
Ready and embedded
Triggered by change management
Owners keep information current
Documented
Review as needed
Reviewing BCP Arrangements
• Audit
• Independent BCP audit opinion
• As directed by audit policy
Factors for Success
•
•
•
•
Supported by senior management
Everyone is aware
Everyone is invested
Consensus
Assessing the Level of Awareness
and Training
•
•
•
•
Where are we now
What does the policy state
Current vs. desired levels
Training framework in place
Developing a BCP Within the
Organization’s Culture
•
•
•
•
•
•
•
Training, education, awareness
Well-implemented policy
Design
Delivery planning
Delivery
Cost effective delivery
Higher awareness
Domain Summary
•
•
•
•
•
•
•
Project Scope Development and Planning
Business Impact Analysis (BIA) and Functional Requirements
Business Continuity and Recovery Strategy
Plan Design and Development
Implementation
Restoration / Disaster Recovery
Feedback and Plan Management
Related documents
Business Continuity Plan and Disaster Recovery Plan
Business Continuity Plan and Disaster Recovery Plan
BCP Assumptions - Government of Alberta
BCP Assumptions - Government of Alberta
Business Continuity Plan
Business Continuity Plan
Class Capture powerpoint presentation auditory version
Class Capture powerpoint presentation auditory version
BCP for Auditors
BCP for Auditors
Crisis Management/ Business Continuity
Crisis Management/ Business Continuity
Business Continuity Management
Business Continuity Management
Key Elements to an Effective Business Continuity Plan
Key Elements to an Effective Business Continuity Plan
Business Continuity Planning in the Mountain Parks
Business Continuity Planning in the Mountain Parks
Business Continuity Basics
Business Continuity Basics
Download
advertisement