
TASSCC Annual Conference 2010

TASSCC Annual Conference 2010. Business Resiliency Planning -Business Continuity Management- William Tompkins , CISSP, CBCP Teacher Retirement System of Texas August 2, 2010. William Tompkins.





Presentation Transcript


  1. TASSCC Annual Conference 2010 Business Resiliency Planning-Business Continuity Management- William Tompkins, CISSP, CBCP Teacher Retirement System of Texas August 2, 2010

  2. William Tompkins William Tompkins is Business Continuity/Disaster Recovery Coordinator and Information Security Officer at Teacher Retirement System of Texas. He has more than 26 years of technical, managerial and consulting experience in information technology and more than 18 years in business continuity and information security planning. He is a Certified Business Continuity Professional and a Certified Information Systems Security Professional. He is the current President of the Association of Contingency Planners chapter in Austin. William was elected to the ISSA (Information Systems Security Association) Hall of Fame in 2006 by the ISSA International Board of Directors. Mr. Tompkins holds two Bachelor of Science degrees, in Psychology and Computer Information Science, from Troy State University in Alabama and a Certification in Risk Management from the University of Texas at Austin Division of Continuing Education.

  3. In this session we’ll overview business resiliency practices at Teacher Retirement System of Texas, including our planning & maintenance practices, coordination with other agencies, business partners, and our contracted recovery service provider.

  4. Agenda • Why ? • How ? • What ? • Q & A

  5. Presumptions versus Reality: Are we ready? *from Managing Managers: A Case Study by Philip Jan Rothstein; Copyright 1995, Rothstein Associates Inc.

  6. Are we ready? Presumption: The “wizards” (in IT Div.) could handle any crisis and business would be operational within a few hours. Reality: At best, recovery from a MAJOR disruption could take 30-36 hours. *from Managing Managers: A Case Study by Philip Jan Rothstein; Copyright 1995, Rothstein Associates Inc.

  7. Are we ready? Presumption: IT Div. “automatically” integrates all diverse technology and platforms into the Disaster Recovery Program. Reality: IT Div. did not implement -OR- operate many of these platforms. *from Managing Managers: A Case Study by Philip Jan Rothstein; Copyright 1995, Rothstein Associates Inc.

  8. Are we ready? Presumption: No matter what the cause or scope of disruption ... IT Div. would recover all data accurately AND to the point of failure. Reality: At best, recovery would be to the prior night's backup and, most probably, to a point at least 3 to 4 nights prior. *from Managing Managers: A Case Study by Philip Jan Rothstein; Copyright 1995, Rothstein Associates Inc.

  9. Are we ready? Presumption: Data entry sections have manually filed source documents, so the data entered since the last backup is clearly identified. Reality: ??

  10. Are we ready? Presumption: A well-respected practitioner had a very good program. Reality: Senior management was dissatisfied with the program…because the organization’s professionals were not familiar with the real business processes.

  11. Timeline (chart): Disaster (7 pm Tues) → Evaluate & Decision → Begin Response: mobilize people & notify recovery contractors → Restore (most data & some infrastructure) → Recovery (weeks to months?) → Return to Normal Operations. Durations shown on the chart: min. 4 hrs, max. 12 hrs; 12 – 24 hours; 48 hours; 72 hrs. Staff begins re-entering Tuesday's work no earlier than Saturday morning.

  12. By the end of this session . . . better understanding of business resiliency • Administrative activities • Planning activities • Technical activities • User education

  13. Administrative activities Policy (Business Continuity Management Policy) • Definitions • Business Impact Assessment (BIA) • Mission critical • Roles • Business Continuity/Disaster Recovery Coordinator -vs- Business Continuity Planner

  14. Roles Management support: • Executive management • Project initiation, scope, final approval, ongoing support • Senior business unit management • Identifies and prioritizes time-critical systems • Functional business units (departments) • Participate in implementing and testing

  15. Administrative activities Reporting • Annual BCP – a summary report includes copy of up-to-date BIA and dates of IMT Plan, Incident Response Plan, business unit continuity plans & IT’s DR & Telecommunications plans • After-action of Hot Site Exercise • Results of “primary” & “secondary” objectives • Annual Risk Assessment

  16. Program Goal (from “Policy”) …to prepare to counteract interruptions to TRS’ business activities and to protect critical business processes from the effects of disasters or major failures of information systems and to ensure their timely resumption

  17. Planning

  18. What is a BIA? • A Business Impact Analysis (‘BIA’) identifies and prioritizes the critical business processes supported by the technology infrastructure. • BIA Key Components: • Identifies the impact of potential resource loss • Identifies the minimum resources needed to recover • Prioritizes the recovery of processes and supporting systems • Establishes the escalation of that loss over time

  19. Impact priority considerations {not in priority sequence} • Required by law • Critical or essential business need • Inaction (or incorrect action) violates fiduciary duty • Inaction causes harm • Impacts large number of people • Severe adverse impact on TRS’ mission, functions, or reputation

  20. BIA Questions • What are the critical functions? • Why are they critical? • How quickly does it need to be recovered? Why? • Does it need to be recovered in the event of a disruption/disaster? • If it is not recovered as quickly as it needs to be, what will happen? So what? Who else would be affected?

  21. Chart legend for following pages

  22. Contingency Planning • Risk Management identifies risks that require contingency plans • Risk decisions are based on BIA details • Contingency plans - business decisions based on real numbers and facts.

  23. Contingency Plans Are: • Interim recovery measures that ensure survival of the organization during a disaster event by providing for continuity of its critical business functions. • Long term outage provisions • Critical system relocation procedures • Personnel issues – get the right people to right place • (Internal) Temporary business operation modes • (External) How to deal with customers, partners, and shareholders through different channels

  24. Planning activities Business Continuity Plan? • Not exactly . . . Business Resiliency Program? Yes

  25. Plans • Incident Management Team Plan • Single reference for Exec & Sr. Mgmt • Crisis Management Plan* • After initial ‘triage’ …helps clarify the event • What happened • How serious • What to do next • Incident Response Plan* • Addresses initial stages of any event *Note: in some organizations, crisis management & incident response are the same

  26. Plans • Disaster Recovery Plans • Enable quickly resuming operations for most critical units • Network infrastructure • IBM Mainframe (business class enterprise server) & a midrange system • Telecommunications

  27. Plans • Business Continuity Plans • Covers all critical and major business units (17), provides detail for staff involved in early recovery efforts

  28. Plans • Site Restoration Plan • Plan for restoration efforts by facilities • Vital Records Retention / Recovery Plan • Change Management Plan • Include plan updates when technology or business process changes

  29. Technical Activities

  30. Data Back Up • Routine Backups • Retention • Daily – 14 days • Weekly – 6 months • Monthly – 2 months • Archive [EOY] (annual: Member data, based on annuitant)
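The retention schedule on the slide above (daily 14 days, weekly 6 months, monthly 2 months, end-of-year archive) as a grandfather-father-son style pruning check. This is example code added for this transcript, not TRS's own tooling; it assumes 30-day months, that the weekly and monthly copies are the last backup of their week and month, and a constructed catalog of one backup per night.

```python
from datetime import date, timedelta

# Retention tiers from the "Data Back Up" slide; month lengths are assumed as 30 days.
DAILY_DAYS = 14          # Daily - 14 days
WEEKLY_DAYS = 6 * 30     # Weekly - 6 months
MONTHLY_DAYS = 2 * 30    # Monthly - 2 months
# Archive [EOY]: the last backup of each completed calendar year is kept indefinitely.

def retention_reasons(backups, today):
    """Map each kept backup date to the set of tiers protecting it: 'weekly' is the
    last backup in its Mon-Sun week, 'monthly' the last in its month, and 'archive'
    the last backup in a completed calendar year."""
    last_in_week, last_in_month, last_in_year = {}, {}, {}
    for d in sorted(backups):
        last_in_week[d - timedelta(days=d.weekday())] = d   # keyed by the week's Monday
        last_in_month[(d.year, d.month)] = d
        last_in_year[d.year] = d
    keep = {}
    for d in backups:
        age = (today - d).days
        if age < 0:
            continue  # future-dated catalog entry (clock skew): never a restore point
        reasons = set()
        if age <= DAILY_DAYS:
            reasons.add("daily")
        if age <= WEEKLY_DAYS and last_in_week[d - timedelta(days=d.weekday())] == d:
            reasons.add("weekly")
        if age <= MONTHLY_DAYS and last_in_month[(d.year, d.month)] == d:
            reasons.add("monthly")
        if d.year < today.year and last_in_year[d.year] == d:
            reasons.add("archive")
        if reasons:
            keep[d] = reasons
    return keep

def prune_list(backups, today):
    """Backups no tier protects: the ones a rotation job may expire."""
    keep = retention_reasons(backups, today)
    return sorted(d for d in backups if d not in keep)

# Constructed sample catalog: one backup per night from 2009-01-01 to the conference date.
TODAY = date(2010, 8, 2)
SAMPLE_BACKUPS = [date(2009, 1, 1) + timedelta(days=i)
                  for i in range((TODAY - date(2009, 1, 1)).days + 1)]

def reasons_on(iso_day, backups=SAMPLE_BACKUPS, today=TODAY):
    """Tiers keeping one day's backup, or an empty set if it would be pruned."""
    return retention_reasons(backups, today).get(date.fromisoformat(iso_day), set())
```

With the slide's numbers the monthly window (2 months) is shorter than the weekly one (6 months), so the monthly tier only adds a restore point when a month's last backup is not also its week's last backup.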

  31. Testing & Validation • Actual “Hot-site” exercise • Investment Div. has been actively involved in at least 6 exercises • Emergency Call Tree Exercise • Tabletop exercise • a sit down desk-check with the team leaders and team members

  32. User Education

  33. User Awareness Providing awareness leads to… understanding → change in attitude → change in behavior!

  34. User Awareness • Executives and Senior Managers/Directors • ongoing familiarization sessions w/ Sr. Mgmt. • Business Unit Managers & Team Leaders • considerations as business processes and business partners change • Regular Staff, Temp Hires & Contractors • introductory classes given to new employees

  35. External “Partners”

  36. External Contracts & MOUs • Private • “Hot-site” contract • Business Continuity & Resiliency Services • Off site storage • Tape backups & hardcopies • Other State Agencies • TCEQ – Backup Command Center • TPASS (Tx Procurement & Support Svcs) – Mail • TxDOT – Web site

  37. Self-assessment

  38. www.theiia.org/technology

  39. QUESTIONS? Thank You William A. Tompkins (512) 542-6787 William.Tompkins@trs.state.tx.us
