Upload
thomas-bronack
View
132
Download
0
Embed Size (px)
DESCRIPTION
Short White Paper on achieving Enterprise Resiliency and Corporate Certification via Virtualization
Citation preview
DCAG – Data Center Assistance Group © Thomas Bronack White Paper
Achieving Enterprise Resiliency and Corporate Certification through the use of industry “Best Practices”
Any computer related downtime, whether it is from a natural or man-made event, will impact your company’s bottom line and damage your company’s reputation. In the past only very rich and large companies could afford to implement business recovery, information security, compliance, and recovery management, but now it is possible for any company to achieve these goals by utilizing the latest technologies and automated tools.
You can reduce current costs and improve efficiency by moving your real environment to a virtual environment that takes advantage of replicated production at recovery sites for rapid recovery of production operations by switching from the failing site to the recovery site, restoring data up to the point of failure, and resuming production as normal. This process can be used for Small to Medium Sized Companies as well as for Large Enterprises. We have the
Implementing Enterprise Resiliency and Corporate Certification Page: 1
DCAG – Data Center Assistance Group © Thomas Bronack White Paper
experience and knowledge to help you achieve a safeguarded, efficient, and compliant environment that utilizes industry “Best Practices” and recovers from disaster events within contracted time and service requirements.
What do we want to achieve
The achievements shown above will allow you to convert your firm from a real server based environment, where each server is dedicated to a specific application(s), to a virtual server environment where each server can support multiple real servers and their workloads in a single physical server.
Included in a virtual environment are tools like VMware, vSphere, Cisco Network devices, SAN / NAS storage devises, Virtual Tape Libraries, Data Domains, and Recovery Point Applications (RPA) that synchronize data between production and recovery sites through snapshots and continuous data protection. These tools, and more, can support business operations by supporting maintenance and recovery operation that reduce / eliminate business operations and support client contractual uptime requirements. An example of their operation would be in support of a disaster event, where the recovery site would utilize a vSphere Site Recovery Manager (SRM) replication to restore the failing operation environment, and then synchronize data through RPA snapshots and data synchronization to the point of failure. At that time the users would be switched from accessing the production to accessing the recovery site where current applications and data can support uninterrupted processing. This can even be achieved for High Availability and Continuous Availability services via Failover / Failback, or Flip / Flop recovery operations.
Implementing Enterprise Resiliency and Corporate Certification Page: 2
DCAG – Data Center Assistance Group © Thomas Bronack White Paper
Virtual environments are scalable and can support small to large environments as needed.
An overview of the services we provide can be obtained through the abstract provided below.
As you can see, implementing Enterprise Resiliency and Corporate Certification is a complicated process, one that management may want to defer to a professional organization with years of experience in the field.
We have been optimizing data centers, repairing problems, improving procedures, performing recovery planning, and responding to disaster events for years. Our experience has led us to the field of Enterprise Resiliency to optimize recovery planning and response, while our knowledge of the current laws and regulations have provided us with the background and knowledge needed to implement Corporate Certification.
The Goals and Objectives achieved through our services are described below.
Implementing Enterprise Resiliency and Corporate Certification Page: 3
DCAG – Data Center Assistance Group © Thomas Bronack White Paper
Combining the many disciplines associated with Recovery Management and Corporate Compliance into a single organization will result in a more efficient approach to protecting the company against unplanned interruptions and still be able to recovery from disaster events in a rapid manner when they do occur.
Implementing Enterprise Resiliency and Corporate Certification will achieve this goal, while providing a common language and tool set to be used by recovery personnel in planning for and reacting to disaster events.
The structure of Enterprise Resiliency and Corporate Certification can be represented in the following manner, where its components can be defined and viewed.
It is responsible for: combining recovery operations into a single discipline that speaks the same language and utilizes a common set of tools; insuring compliance to the laws and regulations of countries where business is conducted; and planning, designing, implementing, and integrating recovery and compliance requirements into the everyday functions performed by your staff.
Implementing Enterprise Resiliency and Corporate Certification Page: 4
DCAG – Data Center Assistance Group © Thomas Bronack White Paper
The Enterprise Resiliency and Corporate Certification environment protects company assets and assures that the company can continue business operations with a minimum of loss productivity, thereby allowing for the adherence to client service time objectives and safeguarding the company reputation.
What makes us different from the other companies providing this service is a Proprietary Recovery Management Dashboard that provides management with instant access to the most current and accurate information associated with Business Continuity Planning and Activation. This information can be accessed by any authorized user from any location (work, home, traveling, or even on vacation), thereby eliminating the need for conference calls that are scheduled when you’re busy. The dashboard utilizes a Red, Amber, Yellow, Green color-code to make it easier to locate deviations from schedule. A Drill-Down process will allow management to go from overview to detail by simply clicking on links to the actual process being performed, with the name and contact information of the person performing the action.
Implementing Enterprise Resiliency and Corporate Certification Page: 5
DCAG – Data Center Assistance Group © Thomas Bronack White Paper
An example of our Recovery Management Dashboard is shown below.
Management Dashboard on Recovery Management
Completed In Process Not Started Yet Project Status at a glance
Phaise I - Management Guidelines and Goals1 2 3 4 5 6 7 8 9 10 11 12 13
Executive Committee Formulation
Perform a Needs
Analysis to establish Goals and Objectives
Define Goals & Objectives,
then Prioritize
Create a Business Plan
and Gain Executive
Management Approval
Receive Approval & Funding for
Development and
Maintenance
Obtain Strong Current and
Future Management
Support
Have Management
create a Project Inition Letter stating their Strong
Support
Define Stakeholders
and Participants, then review
Scope, Objectives, and
Create Recovery Teams and
Responsibilities, then develop a
Project Plan
Define Reporting
Audience and Time Frame
Define Reporting
Criteria and Format
Create and Deliver Desired
Reports as Scheduled
Receive Management
Feed-Back Comments and
Instructions
Phase II - Risk Management Goals and Objectives
Define all Compliance Laws
and Regulatory Needs for Countries you do Business In
Define Audit Controls and Monitoring Methods, then build into plan
Define Suply Chain
Management Needs
Define SLA / SLR / RTO and
PKI Requirements
Report on uncovered
Gaps & Exceptions
Report on Obstacles that
Impede Recovery
Operations
Calculate Impacts and Repair Costs
Define Insurance Costs
to Repair Reported Flaws
Provide Management with
Report and Presentation on
Findings
Obtain Management approval for
repairs, controls, and
insurance
Mitigate / Mediate, or
Obtain Insurance to cover flaws
Create a Letter of Attestation
Creation Process for
Management
Repeat Process on a Periodic
Basis
Phase III - Business Impact Analysis
Define Locations and / or Business Units that need a
BIA
Define Applications,
by Priority (CA, HA, Non-
Crital)
Create Business
Recovery Plan for Locations and Business
Units
Create Disaster Recovery Plan
for Information Technology
Perform Workplace Safety and Violence
Prevention Review
Perform Physical
Security and Site Access
Controls
RTO / RPO / RTC and PKI
and Vital Records
Management
Rate Ability to Achieve Goals,
using Quantitative or
Qualitative Methods
Define Gaps & Exceptions against Compliance Laws and Regulations
Define Obstacles that
Impede Processing Operations
Define Impact of Gaps,
Exceptions, and Obstacles
and their Repair Costs
Define Insurance Costs
and Select Insurance Plan
that best meets needs
Gain Management Approval to Mitigate / Mediate /
Insure
Phase IV - Automated Tool Selection (Locate, Review, Select, Implement, and Train)
Decide upon using an Automated Risk Assessment Tool
Define Automated
Tool Selection Criteria
Audit and Controls Tool
Business Impact
Analysis (BIA) Tool
Business Continuity
Planning Tool
Disaster Recovery
Planning Tool
Define Application
Recovery Certification
Tool
Select Vendors to Demonstrate
Their Tools
Select Best Tool that meets needs
Obtain & Implement
Tools
Train Staff on Tools
Incorporate Tools into Recovery Planning Process
Adhere to Version & Release
Management
Phase V - Create Recovery Plans
Business and Location Recovery
Plan
Protection, Salvage &
Restoration Plan
Disaster and Business
Recovery Plan
Application Recovery Plan
Crisis Management
Plan
Establish a Recovery Plan
Repository
Connect Recovery Plans
to Command Centers
Define Contingency
Manager
Define Team Members
Define Initiation and
Recovery Team Tasks
Initiate Recovery Plan and Monitor
Status
Report on Recovery Plan Status to CCC
and EOC
Create Management
"Letter of Attestation"
Phase VI - Initiate Recovery Plan when Disaster Event Occurs
Help Desk Identifies Disaster Event or a Disaster
Event is reported to Help Desk
Help Desk Notifies
Contingency Recovery Plan
Coordinator
Contingency Coordinator
Declares Disaster and Initiates Plan
Team is Called and Recovery
Tasks Performed
Failing Site Protection,
Salvage, and Restoration is
Initiated
Disaster Site is Evacuated, as
needed
Recovery Personnel are Transferred to Recovery Site
Recovery Operations are
Initiated and Conducted for Life of Disaster
Failing Site is Salvaged and
Restored
Personnel Return to
Original Site and Resume Production
Post Mortem is Conducted
and Improvement
s Identified
Improvements are
Incorporated in Future
Recovery Plans
Recovery Steps are added to Testing Process and Periodicically Repeated
Phase VII - Community Relations, Communications, and Administration
Notify First Responders,
Community, and Government Agencies of
Disaster Event as needed
Coordinate with Clients,
other Building Park Resident,
Community, and Personnel
Coordinate with
Government (OSHA, OEM,
City, etc.)
Notify Supply Chain
Management to make
Deliveries to Recovery Site
Establish Financial and
Personnel Considerations
during Recovery
Manage Emergency Operations
Center (EOC)
Respond to Encountered Problems and Update Status
Communicate Disaster Event
Status to Community and
Media
Manage Recovery Process from Start
to Finish
Declare Disaster Event
is Over and Production is
Resumed
Manage Post Mortem and
Plan Enhancement
s
Ensure Recovery
Planning is Integrated
Ensure Documentation,
Training, and Awareness is
current
Each of the seven phases and thirteen steps per phase can be drilled down into so that you can find specific information whenever you need to view it, either from work or while on the road, without having to call a conference call requiring many people contributing their knowledge
Implementing Enterprise Resiliency and Corporate Certification Page: 6
DCAG – Data Center Assistance Group © Thomas Bronack White Paper
and detracting them from performing their assigned tasks. This information can be related to Recovery Planning or Recovery Activation activities.
We are presently performing this service for a major manufacturing conglomerate, but our past experience includes banks, brokerage, and a full-range of financial and service companies. Our clients have achieved “LEED” 100% Green compliance, reduced costs, and improved personnel morale, which has resulted in a happier staff and clients that were more easily retained and recruited.
Six phase project approach
Phases associated with this project included:
1. Creating an inventory of existing real Information Technology resources; 2. Building of regional production data centers (Geographically dispersed); 3. Construction of a single recovery data center under the company’s control; 4. The transformation of real equipment to virtualized equipment that reduces costs, floor
foot print, and supportive infrastructure (electricity, air conditioning,locations, etc.);
Implementing Enterprise Resiliency and Corporate Certification Page: 7
DCAG – Data Center Assistance Group © Thomas Bronack White Paper
5. Transitioning the equipment to their assigned regional production site and eliminating replaced sites, equipment, contracts, and personnel;
6. Validating that the Recovery Data Center can indeed support recovery operations for applications residing in each of the Regional Production Sites through the use of vSphere, Recovery Point Application, and CISCO network services;
7. Providing Enterprise Resiliency services by performing Application Recovery Certification associated with company provided services;
8. Insuring Compliance with the laws and regulations of countries where business is conducted;
9. Integrating all processes into the everyday functions and responsibilities of the staff to insure current and accurate information via Version and Release Management guidelines;
10. Improving the Systems Development and Maintenance Life Cycle, including testing and recovery verification of all current and enhanced services; and
11. Documentation, Training, and Awareness procedures created and delivered.
Replicating / Restoring business sites via SRM
Implementing Enterprise Resiliency and Corporate Certification Page: 8
DCAG – Data Center Assistance Group © Thomas Bronack White Paper
Keeping data in sync between production and recovery sites
Adhering to Compliance Laws
Implementing Enterprise Resiliency and Corporate Certification Page: 9
1. Grahm Leach Bliley - Safeguard Act (was Bank Holding Act).2. Dodd – Frank – Wall Street Reform and Consumer Protection Act.3. HIPAA – Healthcare regulations (including: ePHI, HIYECH, and Final Ombudsman Rule).4. Sarbanes – Oxley Act (sections 302, 404 and 409) on financial assessment and
reporting by authorized “Signing Officer”.5. EPA and Superfund - how it applies to Dumping and Asset Management Disposal.6. Supply Chain Management - “Laws and Guidelines” described in ISO 27031.7. Patriots Act – Know your customer, Money Laundering, etc.8. Workplace Safety and Violence Prevention – via OSHA, OEM, DHS, and governmental
regulations (State Workplace Guidelines and Building Requirements).9. Income Tax and Financial Information Protection – via Office of the Comptroller of the
Currency (OCC) regulations like:Foreign Corrupt Practices Act, OCC-177; Contingency Recovery Plan, OCC-187; Identifying Financial Records, OCC-229; Access Controls, and OCC-226 End User Computing
DCAG – Data Center Assistance Group © Thomas Bronack White Paper
As a result of our contract, the client improved their reputation, reduced costs, improved efficiency, insured compliance, and generally improved personnel and client morale. We would love to do the same for you and your company. Please contact Tom Bronack via email at [email protected], or via phone at (917) 673-6992 to discuss your needs.
Implementing Enterprise Resiliency and Corporate Certification Page: 10