Mid-Missouri AGA
Membership Development Conference
Business Continuity & Disaster Recovery
December 2, 2014
6 CityPlace Drive, Suite 900 | St. Louis, Missouri 63141 | 314.983.1200
1520 S. Fifth Street, Suite 309 | St. Charles, Missouri 63303 | 636.255.3000
2220 S. State Route 157, Ste. 300 | Glen Carbon, IL 62034 | 618.654.3100
888.279.2792 | www.bswllc.com
Presenter
Alan DeVaughan, CISA, MCSE, MCSA
Advisory Services
314-824-5278
adevaughan@bswllc.com
• Senior Auditor in the IT Audit practice
• Background in both IT audit and network administration
• Prior experience includes 3 years with CliftonLarsonAllen
• Specialist in general information systems control, network architecture assessment, and technical compliance with regulations reviews of financial institutions
© 2014 Brown Smith Wallace All Rights Reserved
Agenda
• Changing Strategies for Disaster Recovery
• DR/BC Plan Structure
• Templates and Approaches
• Business Impact Analysis
• Contents of a Good Plan
• Business Continuity Planning
• What Can I Do?
• Consequences for Lack of a Plan
• Questions
Acronyms
• BIA – Business Impact Analysis
• TRA – Threat and Risk Analysis
• RTO – Recovery Time Objective
• RPO – Recovery Point Objective
• DRP – Disaster Recovery Plan
• BCP – Business Continuity Plan
Changing Strategies for Disaster Recovery
• External Factors
– 9/11 Gave Us a Boost to Planning Activities
– Hurricane Sandy
– Tornados
• However:
– “It couldn’t happen again” syndrome sets in
– Realities of economy stalling efforts
– Confusion over emerging regulations occurring
• Organizations Outsourcing More Disaster Recovery Efforts
– Use of commercial hot-site contracts, moving to multiple datacenters, colocation.
– Complexity of task overwhelming for many organizations
• Higher Emphasis Placed on Cyber Security – perceived as the bigger risk
• Confusing Standards and Lack of Common Criteria
Then and Now
THEN | NOW
Few key applications | Many applications
Standalone systems | Highly integrated systems
Single platform | Multiple platforms
Local connection | LAN, WAN, remote connection
Tape backups | Data replication
Office based | Remote workers
Slow communications | Instant connection
Bricks & mortar | e-commerce
In-house systems | Remote & outsourced systems
Big company need | Every company’s need
Components of Planned Recovery
• Executive Sponsorship
• Business Impact Analysis
• Disaster Recovery Planning
• Business Continuity Planning
BCP/DRP Plan Structure
• Conduct a Business Impact Analysis and Risk Assessment
– identifies mission critical business functions and processes
– assesses the probability and impact to the business if critical business processes are disrupted
– identifies recovery requirements
• Disaster Recovery Plans
– usually developed using business process data flow diagrams
– identifies the priorities for infrastructure, systems and applications that need to be recovered based upon a hierarchy of dependencies or business needs
• Crisis Management and Communication Plan
– provides guidance to management and outlines the necessary steps to execute during a significant business disruption (e.g. definition of a disaster, engaging crisis management team, communication plan, public relations, etc.)
• Business Continuity Plans
– identifies alternate procedures to execute when primary business or work location and resources are unavailable
• Pandemic Plan Consideration
– It is necessary to prepare a plan to protect a business’s #1 resource (employees) in the event of a widespread communicable disease outbreak, such as avian flu, or chemical contamination
• Annual testing
– Encourages continuous process improvement and plan maintenance
– Continuous Update!
Templates and Approaches
• DRII - DRI International
• ISO – International Organization for Standardization
– ISO 27031:2011 – “Guidelines for information and communications technology readiness for business continuity”
• ITIL – Information Technology Infrastructure Library
• NIST – National Institute of Standards and Technology
– Special Publication 800-34 “Contingency Planning Guide for IT Systems”
– 800-84 “Test, Training & Exercise Programs”
• FEMA – Federal Emergency Management Agency
• GFOA – Government Finance Officers Association
– Planning for Recovery from a Technology Disaster
– Business Preparedness and Continuity Guidelines
– Disaster Preparedness
Business Impact Analysis
Step 1 – Risk Assessment
Perform a Business Impact Analysis (BIA) Risk Assessment to identify threats and risks, control options,
and their costs.
Approach:
– Identify and prioritize risk associated with each business unit/area within the company
– Develop a high level matrix providing management a summary view of the BIAs across the
enterprise
– Identify gaps and provide recommendations to mitigate the identified risks.
Deliverable:
An executive summary accompanied by a high level matrix identifying business processes and the threats
and risks that could cause a significant business disruption.
In addition, the matrix should contain a Threat and Risk Analysis (TRA) which includes risk control options,
cost of risk control options, effectiveness of risk control options, and comparison of risk control options cost
and effectiveness.
Business Impact Analysis
Step 2 – Identify Recovery Requirements
For mission critical business functions and processes, interview business owners and document desired
recovery time and point objectives.
Approach:
– Identify and prioritize critical business functions and processes associated with each business
unit/area within the company – including all back office systems
– For various RTOs and RPOs develop a cost analysis of the architecture required for the desired
recovery
– Identify any potential architectural or process improvements that would facilitate a more cost
effective approach to recovery
Deliverable:
An executive summary accompanied by a high level matrix identifying business processes desired recovery
requirements, and the costs associated with each approach.
In addition, recommendations should be presented for architecture and process improvements that will
mitigate the cost associated with the desired recovery objectives.
Business Impact Analysis
Step 3:
Based upon the results of the BIA, identify action steps necessary to develop the
Disaster Recovery Plan.
This may include Crisis Management, Continuity, and Disaster Recovery Plan
development.
Deliverable:
Provide management a gap analysis and action plan identifying the necessary steps for
completing the Disaster Recovery Planning and Business Continuity process.
Contents of a Good Plan
Definition
• The IT Disaster Recovery Plan is a written strategy
created to facilitate an organization’s quick and successful
response to severe disasters.
• Through the division and allocation of pre-defined
responsibilities and duties, response times are minimized.
• With the creation of an IT DR plan, effort is made to
provide a dependable and efficient restoration of services
in the event of a disaster.
Contents of a Good Plan
Objectives – know what they are, and limitations
• Document specific definitions and guidelines for declaring disaster
scenarios and corresponding emergency responses.
• Provide for the continuation of critical IT and related business functions
and recovery in the event of a disaster.
• Maximize the expediency and effectiveness of recovery operations
through an established set of strategic plans.
• Identify the necessary policies, procedures, and resources required to
maintain critical Information Technology support services during
prolonged interruptions to routine operations.
• Assign responsibilities and duties to designated personnel for the
implementation of disaster recovery procedures.
• Ensure coordination between appropriate staff concerning disaster
contingency planning strategies.
• Ensure appropriate plans have been created to coordinate external
vendors, clients, and contacts in the event of a disaster.
• Provide standards for testing components of the Disaster Recovery Plan.
Contents of a Good Plan
Assumptions – Document & Validate Them
• Key personnel have been identified and trained in their emergency response and recovery roles. It is also assumed that each person is available to activate and carry out their assigned responsibilities and duties.
• Current backup media, containing relevant data for applicable critical IT services and components, are available through designated data library relocation providers.
• All required IT related hardware is either available, or can be obtained in a timely fashion.
• All required software is available and current along with appropriate licensing.
• All required hardware and software vendor support contracts are maintained and are current.
• Contracted temporary disaster recovery sites will be available at the time of need.
• Designated management staff will communicate appropriate status information to those applicable personnel, vendors, and agents affected by a declared disaster.
• All required disaster recovery related documentation is available and current.
• Most importantly, it is assumed that this Disaster Recovery Plan is reviewed and updated on an annual basis, at a minimum.
Contents of a Good Plan
• Overview
• Introduction
• Scope
• Objective
• Assumptions
• Disaster definitions
• Disaster likelihood ratings
• Threat levels
• Declaration of disaster
• Preparing for disaster
• Disaster response budget
• Disaster response team defined
• Disaster recovery escalation process defined
• Quick reference guide
• DR temporary recovery site
• Updated IT related documentation
• Dependencies
• Contact listings
• Vendor failures
• Avoiding & minimizing disasters
• IT recovery details
• Plan monitoring, review, and testing
Contents of a Good Plan
Make sure you include:
– Wide Area Network Documentation
– Local Area Network Documentation
– Server Documentation
– Password Documentation
– Network/Software Application Documentation
– Vendor Contract Documentation
– Critical System Log Documentation
– Telecommunications and Voice Infrastructure Documentation
Business Continuity Planning
Business Continuity Planning is the next step after Disaster
Recovery Planning.
DRP provides the technology infrastructure for the company
to continue to function
BCP provides procedures for operation of the organization and
business units during a disaster
What is Business Continuity Planning?
Business Continuity Planning is a planning process that identifies
an organization’s exposure to internal and external threats and
identifies key processes that need to be protected to sustain
business operations and maintain a competitive advantage in the
event of a significant business disruption.
Key Objectives:
– Minimize the possibility of interruptions to business
operations
– Maintain a competitive advantage
– Prevent the company from becoming a business closure statistic due to lack of planning
Business Continuity Planning
• Address all business functional areas (HR, Sales, Accounting, etc.)
• Address non-IT related items
– Office supplies
– Desks/workspaces
– Business forms (check stock, purchase orders, sales orders, etc.)
– Supply chain management
• Communications
– Employees and stakeholders
– Media
– Legal and regulatory
– Customers
• Incident response planning and handling
Plan Contents
Program Administration
– Define the scope, objectives, and assumptions of the
business continuity plan.
Business Continuity Organization
– Define the roles and responsibilities for team members.
– Identify the lines of authority, succession of
management, and delegation of authority.
– Address interaction with external organizations including
contractors and vendors.
Plan Contents
Business Impact Analysis
– Insert results of Business Impact Analysis
– Identify Recovery Time Objectives for business processes and
information technology
– Identify Recovery Point Objective for data restoration
Business Continuity Strategies & Requirements
– Insert detailed procedures, resource requirements, and
logistics for execution of all recovery strategies
– Insert detailed procedures, resource requirements, and
logistics for relocation to alternate worksites
– Insert detailed procedures, resource requirements, and data
restoration plan for the recovery of information technology
(networks and required connectivity, servers, desktop/laptops,
wireless devices, applications, and data)
Plan Contents
Manual Workarounds
– Document all forms and resource requirements for all
manual workarounds
Incident Management
– Define procedures:
• Incident detection and reporting
• Alerting and notifications
• Business continuity plan activation
• Emergency operations center activation
• Damage assessment (coordination with emergency
response plan) and situation analysis
• Development and approval of an incident action plan
Plan Contents
Training, Testing & Exercising
– Training curriculum for business continuity team
members
– Testing schedule, procedures, and forms for business
recovery strategies and information technology
recovery strategies
– Orientation, tabletop, and full-scale exercises
Program Maintenance and Improvement
– Schedule, triggers, and assignments for the periodic
review of the business continuity plan
– Details of corrective action program to address
deficiencies
Plan Contents
Also include references to related Policies & Procedures
– Emergency Response Plan
– Information Technology Disaster Recovery Plan (if not
included in the business continuity plan)
– Vendors, Suppliers and Partners Contact Information
– Crisis Communications Plan
– Employee Assistance Plan
What Can I Do?
• Incorporate resiliency into capital planning process
– Consider resiliency during prioritization process for new construction, maintenance, or replacement of infrastructure and assets
– Promote financial literacy regarding resiliency towards your clients/constituents
– Provide financial cost/benefit analyses
– Participate in Business Impact Analysis discussions
• Vendor Management
– Incorporate emergency clauses into contracts for goods and services needed in the event of a disaster
– Ensure your vendors have plans to deliver goods/services in the event of a disaster
• Cost Tracking
– Establish policies and procedures for appropriate tracking of costs related to disaster events (ex. reimbursements, supplies, staff overtime, etc.)
Consequences Due to Lack of DRP/BCP
• Lost data
• Longer data recovery time
• No contingency procedures during
recovery process
• Damage to organizational reputation
• Employee downtime
• Dependence on a few key people who
have required system/organizational
knowledge
Questions