LECTURE SERIES. 2 Business Continuity Planning April 2005 Inland Empire CIO Roundtable Claremont...
-
Upload
kerry-stuart-rodgers -
Category
Documents
-
view
213 -
download
0
Transcript of LECTURE SERIES. 2 Business Continuity Planning April 2005 Inland Empire CIO Roundtable Claremont...
2
Business Continuity Planning
April 2005
Inland Empire CIO RoundtableClaremont University
Architectures & Strategies
3Copyright ULTIGON 2005
• The Premise
• Business Continuity Components
• Planning & management commitment
• Detection and response
• Project Life cycle
• Process integration & problem management
• Testing and reporting
• Cost of downtime
• Availability cost curve
• Market Dynamics
• Resourcing
Overview
4Copyright ULTIGON 2005
New risks
• Human Error/ Operations Risk
• Performance/Capacity
• Outsourced Service Providers
• Planned/Unplanned Downtime
• Security Incidents
• Content/Application Links to Third Parties
• Regulatory Compliance
5Copyright ULTIGON 2005
New rules/ New realties
• IT and business process management are integrated — no longer separate views
• Production costs increase — no separate budget for BCP
• Risk identification and management take on a matrix management focus, e.g., technology, financial, trading, operations
• Problems are public — IT and business problem management must be integrated; root cause analysis
• Only as strong as your weakest link — good application/bad operations
• Contingency plans become critical when automation isn’t there — every component of the business process now must have a plan
• Sarbanes-Oxley- implies BCP plans are in place
6Copyright ULTIGON 2005
Business Continuity Components
Disaster Recovery
Business Recovery
Business Resumption
Contingency Planning
Objective Mission-critical applications
Mission- critical business processing (workspace)
Business process workarounds
External event
Focus Site or component outage (external)
Site outage (external)
Application outage (internal)
External behavior forcing change to internal
Deliverable Disaster recovery plan
Business recovery plan
Alternate processing plan
Business contingency plan
Sample Event(s)
Fire at the data center; critical server failure
Electrical outage in the building
Credit authorization system down
Main supplier cannot ship due to its own problem
Sample Solution
Recovery site in a different location
Recovery site in a different power grid
Manual procedure 25% backup of vital products; backup supplier
Crisis Management
7Copyright ULTIGON 2005
Creating BC Plans
Business Impact Analysis
Risk Analysis
Recovery Strategy
Group Plans and Procedures
Business Continuity Planning Initiation
Risk Reduction
ImplementStandby Facilities
Create Planning Organization
Testing
PROCESS
Change Management Education Testing Review
Policy ScopeResourcesOrganization
Ongoing Process
Project
8Copyright ULTIGON 2005
Getting Management Commitment
• Catalysts like disasters, fires and outside audits
• Costs identified from business interruption and risk assessments
• Awareness programs and publicized information
• Fiduciary responsibilities and regulatory compliance
9Copyright ULTIGON 2005
Detection and Response
• Prevention/Planning
• Detection
• Incident Response
• Investigation
• Evidence
• Legal actions
Identified and established procedures in place and tested for:
10Copyright ULTIGON 2005
Business Req.
SystemArchitecture
SystemDesign Construct Test Implement
PostImple-ment
• Identify technology and business continuity risks from a business perspective – BIA/ risk analysis RTO/RPO
• Ensure complete cost estimate
• Ensure appropriately protected end product
• Assess risks of new technology products
• Identify secure infrastructure requirements
• Identify secure administrative requirements
• Establish security responsibilities and service- level regulations
• Identify BC/DR strategies
• Establish security test strategy
• Translate security architecture to detailed security infrastructure design
• Develop security baselines for new technologies/ products
• Develop detailed security admin. design
• Develop detailed BCP/DR design/ strategy
• Develop draft SLAs
• Develop security test plan
• Build/code security infrastructure environment and processes
• Build/code security admin. environment, roles/profiles and processes
• Build BCP/DR environment, plans and processes
• Build/code security test plan, processes, scripts and test environment
• Train secure administrative, operations, business unit, staff...
• Identify security noncompliance issues
• Identify new security exposures
• Test BCP/DR plans to ensure that RTO/RPO is attainable
• Turn over secure application infrastructure to production
• Implement secure administrative roles/profiles
• Implement business/ continuity DR environment
Project Life Cycle
• Identify changes to tested env.
• Finalize secure admin. env. and processes
• Finalize security infrastructure environment and processes
• Finalize BCP/DR env., plans and processes
• Assess SLA accuracy
• Finalize risk acceptance with business
• Ensure that info. security policies are current
11Copyright ULTIGON 2005
BC Integrated Processes
Business Process Owner
Architecture and
Standards Application andTech Design
BusinessContinuity Operations
Architecture and Design
IT OperationsProblem, Change, Performance, DR
Risk Management (Financial, Technology, Operations)
InformationSecurity
Recovery/continuity strategy/ design
IT Recovery management
BC Project Manager
Business Manager
Risk Manager
Business Continuity Mgr.
Audit
IT
Information Security
Business Operations
Legal/Compliance
HR / Public Relations
BC Recovery Team
Business continuity strategy/design
Audit — Financial and EDP
OSPs/Business Partners
Rules and tools
Security Incident identification/response design
Regulatory Compliance - Sarbanes-Oxley, etc.
12Copyright ULTIGON 2005
Problem Management
Problem Identification and Impact Assessment
Problem Status/ Communication
Problem Prevention and Planning
Problem Resolution
Root Cause Analysis
Problem Mgmt Team
Business Process Owner
Customer/Partner Relationship Owner
Risk Management
Business Continuity
Information Security
IT Technical Support
IT Applications Support
Vendors/OSPs/Third Parties
Legal/Compliance
Public Relations
13Copyright ULTIGON 2005
Testing and Reporting
BCP PhaseAccounts Payable
Accounts Receivable
Cash Mmgt.
R&D Prod. Eng.Order
Fulfillment
Impact Analysis
Risk Analysis
Strategy
Resources Committed
Last Tested
Change Mgmt.
Last Major Review
Workable Solution
Audit
Location, Business Process or Department
Management Reporting is Critical
14Copyright ULTIGON 2005
Cost of DowntimeRevenue
Know your downtime costs per hour, day, two
days...
Productivity• Number of
employees impacted X hours out X burdened hourly rate
Damaged Reputation
• Customers• Suppliers• Financial markets• Banks• Business partners
Financial Performance
• Revenue recognition• Cash flow• Lost discounts (A/P)• Payment guarantees• Credit rating• Stock price
Other ExpensesTemporary employees, equipment rental, overtime costs, travel expenses...
• Direct loss• Compensatory payments• Lost future revenue• Billing losses• Investment losses
RegulatorySarbanes-Oxley, HIPAA, SB1386
Cost Of
Operation
15Copyright ULTIGON 2005
Availability-Cost Curve
Cost
Disaster Recovery Times
24hrs48hrs72hrs Minutes12 hrs.
StandardRecovery
Elec.Vaulting
ElectronicJournaling
Shadowing
Mirroring
Database and/or fileand/or object backup
Log/journal transfer(continuous or periodic)
Database and/or file and/or object replication
Assumes mirroring or shadowing plusa complete application environment
net $host $disk $tape $
net $tape $
net $-$$+host $$+disk $$$$+
net $$$+host $$+disk $$$$+
net $$$+host $$$+disk $$$$+appl. $+
Hot Standby orLoad-Balanced
16Copyright ULTIGON 2005
Market Dynamics
High-Availability-
Based Service
2002 2005
Warm Site andMobile Recovery
Quick Ship
Warm Site and Mobile Recovery
Quick Ship
Load-Balanced (2+Sites)
17Copyright ULTIGON 2005
Resourcing
External (dedicated)
External (shared)Internal
• You have an alternative facility (50 km distant)
• BC vendors have insufficient capacity
• BC is a recognized and respected discipline
• You cannot economically benefit from syndication
• You do not have an alternate facility
• You desire multisite continuous availability or hot standby support
• RTOs/RPOs are very short
• You want to focus on core competencies
• Getting management sign-off for dedicated capital is difficult
• Experience of supporting an invocation is important
• Your planning scenarios include loss of technical staff
18Copyright ULTIGON 2005
Laws - Regulation & Technology
Warm Site andMobile Recovery
• Sarbanes–Oxley
802, 302, 404, 409
• HIPAA
• Gramm Leach Bliley Act
• SEC Rules 6835 & 17-a
• 21 CFR Part 11 (FDA regulated Companies
• IRS Revenue Procedure Ruling 97-22
• Patriot Act
• California Security Breach Notice Law
• Government Paper Work Elimination Act (GPEA)
19
References
• www.TechRepublic.com
• Gartner References (www.gartner.com/1_researchanalysis/focus/aftermath.html)
– Integrating BCP into IT Project Life Cycles
– BCP and Management
– BCP Tools
– BCP Checklist
– Key Elements of BCP
• Thinking Outside the SOX – Strohl Systems, 2004
• Regulatory Compliance and BCP – InQuest Corp, 2004