1 / 31

Business Continuity & Disaster Recovery

Business Continuity & Disaster Recovery. All about business Assumes the worst has happened. Domain Definition. Preparation, testing, & updating of actions required to protect critical business processes from the effects of major system & network failures. BCP.

ros
Télécharger la présentation

Business Continuity & Disaster Recovery

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Business Continuity & Disaster Recovery All about business Assumes the worst has happened

  2. Domain Definition • Preparation, testing, & updating of actions required to protect critical business processes from the effects of major system & network failures

  3. BCP • Created to prevent interruptions to normal business activity • Minimize effects of disruptive event • Enhance orgs capability to recover • Minimize cost • Mitigate risks

  4. BCP: Areas Covered • LANs, WANs, DMZ, Servers • Telecomm & data comm links • Workstations & workspaces • Applications, software, & data • Media & records storage • Staff duties & production processes

  5. BCP & DRP: Primary Concern • Life Safety • Evacuation routes • Assembly areas • Accounting for personnel • Protection of people always comes first

  6. Continuity Disruptive Events • All plans & processes are “After the Fact” • Examples: • Fires, explosions, spills • Earthquakes, storms, floods, ex • Power outages & other utility failures • Bombings, sabotage • Strikes & other job actions • Employee unavailability • Comm infrastructure failures

  7. Asset Loss • Revenues Lost during incident • Ongoing recovery costs • Fines & penalties • Competitive advantage, credibility or good will damaged by incident

  8. Four Prime Elements of BCP • Scope & Plan Initiation • Define scope & parameters of plan • Business Impact Assessment • Help buss units understand impact • BCP Development • Implementation, testing, maintenance • Plan Approval & Implementation • Senior mgt signoff & org. awareness

  9. BCP 1. Scope & Plan Initiation • Examine org. operations & support services • Distributed processing == special problems • All business units involved • BCP committee • Senior Management – total, highly visible support • Due diligence: Foreign corrupt practices act of 1977

  10. BCP: 2. Buss. Impact Assess. • What impact incident would have • Financial, Operational, Vulnerability • Primary Goals • Criticality Prioritization • Downtime Estimation • Resource Requirements

  11. BCP: 2. Buss. Impact Assess.Steps • Gathering info needed a. Critical business units & interdependencies • Vulnerability assessment (next slide) • Analyzing info compiled a. Clearly describe support required • Documenting results & present recommendations

  12. BCP: 2. BIA – Vulnerability Assess. • Similar to but smaller than Risk Analysis • Quantitative loss criteria • Revenue, capital, liability, operational expenses, contract agreements, regulatory requirements • Qualitative loss Criteria • Competitive advantage, mkt share, public confidence, etc • Common Steps • List Potential Emergencies, 2. Estimate likelihood, 3. Assess impact, 4. Resources Required

  13. Sample Vulnerability Table • Type of Emergency • Probability (High 5 – Low 1) • Human Impact (High Impact 5 …) • Property Impact • Business Impact • Internal Resources (Weak Resources 5 …) • External Resources • Total

  14. BCP: 3. BCP Development • Use BIA to create recovery strategy plan • Defining the continuity strategy • Elements: computing, facilities, people, supplies & equipment • Short-term goals & objectives • Vital personnel, systems, operations, equipment • Priorities for restoration • Acceptable downtime & minimum resources req. • Long-term goals & objectives • Org’s strategic plan • Funding, Management & coordination of events • Funding & fiscal Management • IT department: backup & restore, physical security, logical security, system administration

  15. BCP: 4. Approval & Implementation • Approval by Senior Management • Creating plan awareness • Org’s ability to recover will most likely depend on many individuals • Maintenance of Plan • Plans easily get out of date

  16. Disaster Recovery Planning (DRP) • Procedures for: • Responding to emergency • Providing extended backup operations • Managing recovery & salvage operations • “Primary objective is to implement critical processes at an alternate site & return to primary site & normal operations with time frame that minimizes loss to the organization.”

  17. DRP: Planning Process • Development & creation of recovery plans • BIA has been made so now defining steps needed to protect business in actual disaster • Recovery Timeframe Requiements • AAA – Immediate recovery needed, no downtime • AA – Full functional recovery within 4 hours • A – Same day business recovery needed • B – Up to 24 hours downtime acceptable • C – 24 – 72 hours downtime acceptable • D – Greater than 72 hours downtime ok

  18. DRP: Disaster Planning Process Steps • Data Processing Continuity Planning • Data Recovery Plan Maintenance

  19. DRP: Data Processing Continuity Planning • Common alternate processing types • Mutual Aid Agreements • Subscription services • Multiple centers • Service bureaus • Other data center backup alternatives • Automated Tools to create DRP (www.intiss.com/intisslinks)

  20. DRP: Mutual Aid Agreements • Both parties agree to support each other • Advantages • Very little or no cost • Same NOS, data comm needs, & transaction processing procedures • Disadvantages • Only use if no other option available • Same infrastructure with unused capacity highly unlikely • Limits responsiveness & support • What about disaster that affects both orgs

  21. DRP: Subscription Services • 3rd party commercial services & alternate processing • Basic Forms of Subscription Svcs • Hot Site • Warm Site • Cold Site

  22. DRP: Multiple Centers • Spread processing around multiple sites and insure excess capacity at each site • Adv: Financial • Dis: Mutual disaster could overtake both (or all) sites

  23. DRP: Service Bureaus & Other • Service Bureaus: Contractual Agreement to provide backup • Adv: Quick & available • Dis: Expensive • Rolling/Mobile backup site • Vendor remote re-supply of hdw • Prefabricated buildings

  24. DRP: Transaction Redundancy • Level of fault tollerance in transaction processing • Electronic Vaulting • Transfer of backup offsite • Remote Journaling • Offsite Parallel processing • Database Shadowing • Offsite parallel database(s)

  25. DRP: Maintenance • DRP easily get out-of-date • Regular audit procedures ensure currency • Review, evaluate, modify, update • After training exercises • After disaster response • When personnel change • When policies, procedures or infrastructure changes

  26. DRP: Testing • No plan really exists until tested • “Test plan must be created & carried out in orderly, standardized fashion & executed on a regular basis” • Reasons for Testing • Verifies accuracy of DRP • Prepares personnel • Verifies processing capacity of alternate site • To find weaknesses: if non found was probably a bad test. Mistakes WILL BE MADE

  27. DRP: Testing -- The Test Document • Documented Test scenario • Reasons for test, type of test, objectives • Granular details of what will happen • Scheduling of test • Duration of test • Specific test steps • Participants • Task assignments • Resources & services to be used

  28. DRP: Testing – Test Levels • Checklist review • Structured walk-through • Simulation test • Parallel test • Full-scale exercise

  29. DRP: Procedures • Details roles played & tasks assigned • External groups, financial considerations • Senior Management: • Remain visible • Directing, managing, monitoring recovery • Rationally amending plans • Clearly communicating roles & responsibilites • IT Management: • Identify mission critical apps • Reassess recovery site’s stability • Recovering & constructing data • Human resources • Financial

  30. DRP: Teams • Recovery Team • Primary task to get critical apps functioning at alternate site • Salvage Team • Isolate incident scene • Secure & control access • Return primary site to fully functional • Authority to declare incident over • Different personnel from Recovery Team

  31. DRP: Other Issues • Not over till main site fully functional • Interfacing with External Groups • Relations with external often overlooked • Employee Relations • Major incident == stress, pay checks? • Fraud & Crime • Alternate site much more easily exploited • Financial Disbursement • Media Relations

More Related