LECTURE SERIES. 2 Business Continuity Planning April 2005 Inland Empire CIO Roundtable Claremont...


Business Continuity Planning

April 2005

Inland Empire CIO Roundtable

Claremont University

Architectures & Strategies

Copyright ULTIGON 2005

Overview

• The Premise

• Business Continuity Components

• Planning & management commitment

• Detection and response

• Project Life cycle

• Process integration & problem management

• Testing and reporting

• Cost of downtime

• Availability cost curve

• Market Dynamics

• Resourcing


New risks

• Human Error/ Operations Risk

• Performance/Capacity

• Outsourced Service Providers

• Planned/Unplanned Downtime

• Security Incidents

• Content/Application Links to Third Parties

• Regulatory Compliance


New rules / New realities

• IT and business process management are integrated — no longer separate views

• Production costs increase — no separate budget for BCP

• Risk identification and management take on a matrix management focus, e.g., technology, financial, trading, operations

• Problems are public — IT and business problem management must be integrated; root cause analysis

• Only as strong as your weakest link — good application/bad operations

• Contingency plans become critical when automation isn’t there — every component of the business process now must have a plan

• Sarbanes-Oxley: implies BCP plans are in place


Business Continuity Components

| | Disaster Recovery | Business Recovery | Business Resumption | Contingency Planning |
|---|---|---|---|---|
| Objective | Mission-critical applications | Mission-critical business processing (workspace) | Business process workarounds | External event |
| Focus | Site or component outage (external) | Site outage (external) | Application outage (internal) | External behavior forcing change to internal |
| Deliverable | Disaster recovery plan | Business recovery plan | Alternate processing plan | Business contingency plan |
| Sample Event(s) | Fire at the data center; critical server failure | Electrical outage in the building | Credit authorization system down | Main supplier cannot ship due to its own problem |
| Sample Solution | Recovery site in a different location | Recovery site in a different power grid | Manual procedure | 25% backup of vital products; backup supplier |

Crisis Management


Creating BC Plans

[Diagram: the BC planning PROCESS, shown as a Project and an Ongoing Process. Box labels: Business Impact Analysis; Risk Analysis; Recovery Strategy; Group Plans and Procedures; Business Continuity Planning Initiation; Risk Reduction; Implement Standby Facilities; Create Planning Organization; Testing. Further labels: Change Management, Education, Testing, Review; Policy, Scope, Resources, Organization.]


Getting Management Commitment

• Catalysts like disasters, fires and outside audits

• Costs identified from business interruption and risk assessments

• Awareness programs and publicized information

• Fiduciary responsibilities and regulatory compliance


Detection and Response

Identified and established procedures in place and tested for:

• Prevention/Planning

• Detection

• Incident Response

• Investigation

• Evidence

• Legal actions


Project Life Cycle

Phases: Business Req., System Architecture, System Design, Construct, Test, Implement, Post-Implement

• Identify technology and business continuity risks from a business perspective – BIA/risk analysis, RTO/RPO

• Ensure complete cost estimate

• Ensure appropriately protected end product

• Assess risks of new technology products

• Identify secure infrastructure requirements

• Identify secure administrative requirements

• Establish security responsibilities and service-level regulations

• Identify BC/DR strategies

• Establish security test strategy

• Translate security architecture to detailed security infrastructure design

• Develop security baselines for new technologies/products

• Develop detailed security admin. design

• Develop detailed BCP/DR design/strategy

• Develop draft SLAs

• Develop security test plan

• Build/code security infrastructure environment and processes

• Build/code security admin. environment, roles/profiles and processes

• Build BCP/DR environment, plans and processes

• Build/code security test plan, processes, scripts and test environment

• Train secure administrative, operations, business unit, staff...

• Identify security noncompliance issues

• Identify new security exposures

• Test BCP/DR plans to ensure that RTO/RPO is attainable

• Turn over secure application infrastructure to production

• Implement secure administrative roles/profiles

• Implement business continuity/DR environment

• Identify changes to tested env.

• Finalize secure admin. env. and processes

• Finalize security infrastructure environment and processes

• Finalize BCP/DR env., plans and processes

• Assess SLA accuracy

• Finalize risk acceptance with business

• Ensure that info. security policies are current


BC Integrated Processes

[Diagram labels:]

Business Process Owner

Architecture and Standards

Application and Tech Design

Business Continuity Operations

Architecture and Design

IT Operations: Problem, Change, Performance, DR

Risk Management (Financial, Technology, Operations)

Information Security

Recovery/continuity strategy/design

IT Recovery management

BC Project Manager

Business Manager

Risk Manager

Business Continuity Mgr.

Audit

IT

Information Security

Business Operations

Legal/Compliance

HR / Public Relations

BC Recovery Team

Business continuity strategy/design

Audit: Financial and EDP

OSPs/Business Partners

Rules and tools

Security Incident identification/response design

Regulatory Compliance: Sarbanes-Oxley, etc.


Problem Management

Problem Identification and Impact Assessment

Problem Status/ Communication

Problem Prevention and Planning

Problem Resolution

Root Cause Analysis

Problem Mgmt Team

Business Process Owner

Customer/Partner Relationship Owner

Risk Management

Business Continuity

Information Security

IT Technical Support

IT Applications Support

Vendors/OSPs/Third Parties

Legal/Compliance

Public Relations


Testing and Reporting

Management Reporting is Critical

[Status matrix: each BCP phase reported per location, business process or department]

Columns (Location, Business Process or Department): Accounts Payable, Accounts Receivable, Cash Mgmt., R&D, Prod. Eng., Order Fulfillment

Rows (BCP Phase): Impact Analysis, Risk Analysis, Strategy, Resources Committed, Last Tested, Change Mgmt., Last Major Review, Workable Solution, Audit


Cost of Downtime

Know your downtime costs per hour, day, two days...

Revenue

• Direct loss

• Compensatory payments

• Lost future revenue

• Billing losses

• Investment losses

Productivity

• Number of employees impacted × hours out × burdened hourly rate

Damaged Reputation

• Customers

• Suppliers

• Financial markets

• Banks

• Business partners

Financial Performance

• Revenue recognition

• Cash flow

• Lost discounts (A/P)

• Payment guarantees

• Credit rating

• Stock price

Other Expenses

Temporary employees, equipment rental, overtime costs, travel expenses...

Regulatory

Sarbanes-Oxley, HIPAA, SB1386

Cost Of Operation


Availability-Cost Curve

[Figure: cost plotted against disaster recovery time]

Axes: Cost; Disaster Recovery Times (24 hrs, 48 hrs, 72 hrs, Minutes, 12 hrs)

Recovery options shown: Standard Recovery; Elec. Vaulting; Electronic Journaling; Shadowing; Mirroring; Hot Standby or Load-Balanced

Annotations:

• Database and/or file and/or object backup

• Log/journal transfer (continuous or periodic)

• Database and/or file and/or object replication

• Assumes mirroring or shadowing plus a complete application environment

Relative cost labels:

• net $, host $, disk $, tape $

• net $, tape $

• net $-$$+, host $$+, disk $$$$+

• net $$$+, host $$+, disk $$$$+

• net $$$+, host $$$+, disk $$$$+, appl. $+


Market Dynamics

[Figure comparing 2002 and 2005. Labels: High-Availability-Based Service; Warm Site and Mobile Recovery; Quick Ship; Load-Balanced (2+ Sites)]


Resourcing

External (dedicated)

External (shared)

Internal

• You have an alternative facility (50 km distant)

• BC vendors have insufficient capacity

• BC is a recognized and respected discipline

• You cannot economically benefit from syndication

• You do not have an alternate facility

• You desire multisite continuous availability or hot standby support

• RTOs/RPOs are very short

• You want to focus on core competencies

• Getting management sign-off for dedicated capital is difficult

• Experience of supporting an invocation is important

• Your planning scenarios include loss of technical staff


Laws - Regulation & Technology


• Sarbanes–Oxley (802, 302, 404, 409)

• HIPAA

• Gramm-Leach-Bliley Act

• SEC Rules 6835 & 17-a

• 21 CFR Part 11 (FDA-regulated companies)

• IRS Revenue Procedure Ruling 97-22

• Patriot Act

• California Security Breach Notice Law

• Government Paperwork Elimination Act (GPEA)
