
Short White Paper on achieving Enterprise Resiliency and Corporate Certification via Virtualization


DCAG – Data Center Assistance Group © Thomas Bronack White Paper

Achieving Enterprise Resiliency and Corporate Certification through the use of industry “Best Practices”

Any computer related downtime, whether it is from a natural or man-made event, will impact your company’s bottom line and damage your company’s reputation. In the past only very rich and large companies could afford to implement business recovery, information security, compliance, and recovery management, but now it is possible for any company to achieve these goals by utilizing the latest technologies and automated tools.

You can reduce current costs and improve efficiency by moving your real environment to a virtual environment that takes advantage of replicated production at recovery sites for rapid recovery of production operations by switching from the failing site to the recovery site, restoring data up to the point of failure, and resuming production as normal. This process can be used for Small to Medium Sized Companies as well as for Large Enterprises. We have the experience and knowledge to help you achieve a safeguarded, efficient, and compliant environment that utilizes industry “Best Practices” and recovers from disaster events within contracted time and service requirements.

What do we want to achieve

The achievements shown above will allow you to convert your firm from a real server based environment, where each server is dedicated to a specific application(s), to a virtual server environment where each server can support multiple real servers and their workloads in a single physical server.

Included in a virtual environment are tools like VMware, vSphere, Cisco Network devices, SAN / NAS storage devices, Virtual Tape Libraries, Data Domains, and Recovery Point Applications (RPA) that synchronize data between production and recovery sites through snapshots and continuous data protection. These tools, and more, can support business operations by supporting maintenance and recovery operations that reduce / eliminate interruptions to business operations and support client contractual uptime requirements. An example of their operation would be in support of a disaster event, where the recovery site would utilize a vSphere Site Recovery Manager (SRM) replication to restore the failing operation environment, and then synchronize data through RPA snapshots and data synchronization to the point of failure. At that time the users would be switched from accessing the production site to accessing the recovery site, where current applications and data can support uninterrupted processing. This can even be achieved for High Availability and Continuous Availability services via Failover / Failback, or Flip / Flop recovery operations.


Virtual environments are scalable and can support small to large environments as needed.

An overview of the services we provide can be obtained through the abstract provided below.

As you can see, implementing Enterprise Resiliency and Corporate Certification is a complicated process, one that management may want to defer to a professional organization with years of experience in the field.

We have been optimizing data centers, repairing problems, improving procedures, performing recovery planning, and responding to disaster events for years. Our experience has led us to the field of Enterprise Resiliency to optimize recovery planning and response, while our knowledge of the current laws and regulations has provided us with the background needed to implement Corporate Certification.

The Goals and Objectives achieved through our services are described below.


Combining the many disciplines associated with Recovery Management and Corporate Compliance into a single organization will result in a more efficient approach to protecting the company against unplanned interruptions, while still being able to recover from disaster events in a rapid manner when they do occur.

Implementing Enterprise Resiliency and Corporate Certification will achieve this goal, while providing a common language and tool set to be used by recovery personnel in planning for and reacting to disaster events.

The structure of Enterprise Resiliency and Corporate Certification can be represented in the following manner, where its components can be defined and viewed.

It is responsible for: combining recovery operations into a single discipline that speaks the same language and utilizes a common set of tools; ensuring compliance with the laws and regulations of countries where business is conducted; and planning, designing, implementing, and integrating recovery and compliance requirements into the everyday functions performed by your staff.


The Enterprise Resiliency and Corporate Certification environment protects company assets and assures that the company can continue business operations with a minimum of lost productivity, thereby allowing for adherence to client service time objectives and safeguarding the company reputation.

What makes us different from the other companies providing this service is a Proprietary Recovery Management Dashboard that provides management with instant access to the most current and accurate information associated with Business Continuity Planning and Activation. This information can be accessed by any authorized user from any location (work, home, traveling, or even on vacation), thereby eliminating the need for conference calls that are scheduled when you’re busy. The dashboard utilizes a Red, Amber, Yellow, Green color-code to make it easier to locate deviations from schedule. A Drill-Down process will allow management to go from overview to detail by simply clicking on links to the actual process being performed, with the name and contact information of the person performing the action.


An example of our Recovery Management Dashboard is shown below.

Management Dashboard on Recovery Management: Project Status at a glance

Status legend: Completed, In Process, Not Started Yet

Phase I - Management Guidelines and Goals

1. Executive Committee Formulation
2. Perform a Needs Analysis to establish Goals and Objectives
3. Define Goals & Objectives, then Prioritize
4. Create a Business Plan and Gain Executive Management Approval
5. Receive Approval & Funding for Development and Maintenance
6. Obtain Strong Current and Future Management Support
7. Have Management create a Project Initiation Letter stating their Strong Support
8. Define Stakeholders and Participants, then review Scope, Objectives, and
9. Create Recovery Teams and Responsibilities, then develop a Project Plan
10. Define Reporting Audience and Time Frame
11. Define Reporting Criteria and Format
12. Create and Deliver Desired Reports as Scheduled
13. Receive Management Feed-Back Comments and Instructions

Phase II - Risk Management Goals and Objectives

1. Define all Compliance Laws and Regulatory Needs for Countries you do Business In
2. Define Audit Controls and Monitoring Methods, then build into plan
3. Define Supply Chain Management Needs
4. Define SLA / SLR / RTO and PKI Requirements
5. Report on uncovered Gaps & Exceptions
6. Report on Obstacles that Impede Recovery Operations
7. Calculate Impacts and Repair Costs
8. Define Insurance Costs to Repair Reported Flaws
9. Provide Management with Report and Presentation on Findings
10. Obtain Management approval for repairs, controls, and insurance
11. Mitigate / Mediate, or Obtain Insurance to cover flaws
12. Create a Letter of Attestation Creation Process for Management
13. Repeat Process on a Periodic Basis

Phase III - Business Impact Analysis

1. Define Locations and / or Business Units that need a BIA
2. Define Applications, by Priority (CA, HA, Non-Critical)
3. Create Business Recovery Plan for Locations and Business Units
4. Create Disaster Recovery Plan for Information Technology
5. Perform Workplace Safety and Violence Prevention Review
6. Perform Physical Security and Site Access Controls
7. RTO / RPO / RTC and PKI and Vital Records Management
8. Rate Ability to Achieve Goals, using Quantitative or Qualitative Methods
9. Define Gaps & Exceptions against Compliance Laws and Regulations
10. Define Obstacles that Impede Processing Operations
11. Define Impact of Gaps, Exceptions, and Obstacles and their Repair Costs
12. Define Insurance Costs and Select Insurance Plan that best meets needs
13. Gain Management Approval to Mitigate / Mediate / Insure

Phase IV - Automated Tool Selection (Locate, Review, Select, Implement, and Train)

1. Decide upon using an Automated Risk Assessment Tool
2. Define Automated Tool Selection Criteria
3. Audit and Controls Tool
4. Business Impact Analysis (BIA) Tool
5. Business Continuity Planning Tool
6. Disaster Recovery Planning Tool
7. Define Application Recovery Certification Tool
8. Select Vendors to Demonstrate Their Tools
9. Select Best Tool that meets needs
10. Obtain & Implement Tools
11. Train Staff on Tools
12. Incorporate Tools into Recovery Planning Process
13. Adhere to Version & Release Management

Phase V - Create Recovery Plans

1. Business and Location Recovery Plan
2. Protection, Salvage & Restoration Plan
3. Disaster and Business Recovery Plan
4. Application Recovery Plan
5. Crisis Management Plan
6. Establish a Recovery Plan Repository
7. Connect Recovery Plans to Command Centers
8. Define Contingency Manager
9. Define Team Members
10. Define Initiation and Recovery Team Tasks
11. Initiate Recovery Plan and Monitor Status
12. Report on Recovery Plan Status to CCC and EOC
13. Create Management "Letter of Attestation"

Phase VI - Initiate Recovery Plan when Disaster Event Occurs

1. Help Desk Identifies Disaster Event or a Disaster Event is reported to Help Desk
2. Help Desk Notifies Contingency Recovery Plan Coordinator
3. Contingency Coordinator Declares Disaster and Initiates Plan
4. Team is Called and Recovery Tasks Performed
5. Failing Site Protection, Salvage, and Restoration is Initiated
6. Disaster Site is Evacuated, as needed
7. Recovery Personnel are Transferred to Recovery Site
8. Recovery Operations are Initiated and Conducted for Life of Disaster
9. Failing Site is Salvaged and Restored
10. Personnel Return to Original Site and Resume Production
11. Post Mortem is Conducted and Improvements Identified
12. Improvements are Incorporated in Future Recovery Plans
13. Recovery Steps are added to Testing Process and Periodically Repeated

Phase VII - Community Relations, Communications, and Administration

1. Notify First Responders, Community, and Government Agencies of Disaster Event as needed
2. Coordinate with Clients, other Building Park Resident, Community, and Personnel
3. Coordinate with Government (OSHA, OEM, City, etc.)
4. Notify Supply Chain Management to make Deliveries to Recovery Site
5. Establish Financial and Personnel Considerations during Recovery
6. Manage Emergency Operations Center (EOC)
7. Respond to Encountered Problems and Update Status
8. Communicate Disaster Event Status to Community and Media
9. Manage Recovery Process from Start to Finish
10. Declare Disaster Event is Over and Production is Resumed
11. Manage Post Mortem and Plan Enhancements
12. Ensure Recovery Planning is Integrated
13. Ensure Documentation, Training, and Awareness is current

Each of the seven phases and thirteen steps per phase can be drilled down into so that you can find specific information whenever you need to view it, either from work or while on the road, without having to hold a conference call that requires many people to contribute their knowledge and distracts them from performing their assigned tasks. This information can be related to Recovery Planning or Recovery Activation activities.

We are presently performing this service for a major manufacturing conglomerate, but our past experience includes banks, brokerage, and a full-range of financial and service companies. Our clients have achieved “LEED” 100% Green compliance, reduced costs, and improved personnel morale, which has resulted in a happier staff and clients that were more easily retained and recruited.

Six phase project approach

Phases associated with this project included:

1. Creating an inventory of existing real Information Technology resources;

2. Building of regional production data centers (Geographically dispersed);

3. Construction of a single recovery data center under the company’s control;

4. The transformation of real equipment to virtualized equipment that reduces costs, floor footprint, and supportive infrastructure (electricity, air conditioning, locations, etc.);

5. Transitioning the equipment to their assigned regional production site and eliminating replaced sites, equipment, contracts, and personnel;

6. Validating that the Recovery Data Center can indeed support recovery operations for applications residing in each of the Regional Production Sites through the use of vSphere, Recovery Point Application, and CISCO network services;

7. Providing Enterprise Resiliency services by performing Application Recovery Certification associated with company provided services;

8. Ensuring Compliance with the laws and regulations of countries where business is conducted;

9. Integrating all processes into the everyday functions and responsibilities of the staff to ensure current and accurate information via Version and Release Management guidelines;

10. Improving the Systems Development and Maintenance Life Cycle, including testing and recovery verification of all current and enhanced services; and

11. Documentation, Training, and Awareness procedures created and delivered.

Replicating / Restoring business sites via SRM


Keeping data in sync between production and recovery sites

Adhering to Compliance Laws


1. Gramm Leach Bliley - Safeguard Act (was Bank Holding Act).
2. Dodd – Frank – Wall Street Reform and Consumer Protection Act.
3. HIPAA – Healthcare regulations (including: ePHI, HITECH, and Final Ombudsman Rule).
4. Sarbanes – Oxley Act (sections 302, 404 and 409) on financial assessment and reporting by authorized “Signing Officer”.
5. EPA and Superfund - how it applies to Dumping and Asset Management Disposal.
6. Supply Chain Management - “Laws and Guidelines” described in ISO 27031.
7. Patriot Act – Know your customer, Money Laundering, etc.
8. Workplace Safety and Violence Prevention – via OSHA, OEM, DHS, and governmental regulations (State Workplace Guidelines and Building Requirements).
9. Income Tax and Financial Information Protection – via Office of the Comptroller of the Currency (OCC) regulations like: Foreign Corrupt Practices Act, OCC-177; Contingency Recovery Plan, OCC-187; Identifying Financial Records, OCC-229; Access Controls, and OCC-226 End User Computing


As a result of our contract, the client improved their reputation, reduced costs, improved efficiency, ensured compliance, and generally improved personnel and client morale. We would love to do the same for you and your company. Please contact Tom Bronack via email at [email protected], or via phone at (917) 673-6992 to discuss your needs.
