
4. Disaster Recovery and Business Continuity


8/7/2019 4. Disaster Recovery and Business Continuity

http://slidepdf.com/reader/full/4-disaster-recovery-and-business-continuity 1/87

 

5% Extra Credit
Rick Valdez & Maria Lopez

Contingency Planning Outsourcing (CPO)
Outsourcing to India for Over-night Works
For 90% Cost Saving & Twice The Speed
By Professional Information Systems Auditors
For Professional Information Systems Auditors

4. Disaster Recovery and Business Continuity (10%)


 

Why Business Continuity?

The Cost Of Downtime

• REVENUE: Direct Loss; Deferred Losses; Compensatory Payments; Lost Future Revenue; Billing Losses; Investment Losses
• FINANCIAL PERFORMANCE: Lost Market Share; Revenue Recognition; Cash Flow; Lost Discounts; Payment Guarantees; Stock Price; Credit Rating
• OTHER EXPENSES: Temporary employees, Equipment Rental, Overtime, Extra Shipping Costs, Travel Expenses, Etc.
• REPUTATION: Customers; Suppliers; Financial Markets; Banks; Business Partners; Etc.
• PRODUCTIVITY: Loss Of Productivity (Employees Impacted @ X Burdened Hourly Rate)
• LEGAL/REGULATORY: Contractual Requirements; SLAs; Regulatory Requirements


 

Business Continuity Program Pyramid


 

Steering Committee

Who
• Senior personnel from all key entities with a stake in the ongoing program
• Have the authority to make decisions, implement new policies, and commit resources to support and implement the projects/program

Charter
• Provides strategic direction and decision making
• Approves annual program objectives and ensures appropriate commitment of resources to the program

Benefit
• Builds consensus, unity of effort
• Project/Program policies, procedures, and guidance enforcement


 

Continuity Program Office

Who
• Core dedicated staff with industry/government and business continuity expertise

Charter
• Business Continuity Program project management
• Lifecycle Continuity Program oversight and management

Benefit
• Dedicated expertise and focus
• Continuity of planning and operations


 

Continuity Planning

Who
• All departments/entities of the corporation/government

Charter (read What)
• The ongoing design, procurement, and use of robust systems, facilities, staffing models, and equipment to mitigate the risk of outages, or the impact of outages.

Benefit
• More robust processes, systems, facilities
• Less downtime


 

Business Impact Analysis

Who
• All business and support units/entities

Charter
• Identify/validate department/entity critical business and support functions
• Determine Information Technology and connectivity requirements to support critical business/support functions
• Determine the Recovery Time Objectives (RTO) for critical functions
• Establish a Minimum Acceptable Recovery Configuration (MARC) for business and support units/entities

Benefit
• Know your business
• Establish recovery requirements
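The BIA charter above, worked through as an added example that is not part of the slides: critical functions with their RTOs and IT requirements go in, and the MARC (which systems must come back and by when), a recovery order, and the RTO gaps against current capability come out. The inheritance rule (a system takes the tightest RTO of any function that needs it, directly or transitively) is our own formalisation, and all function names, systems, RTOs and capability figures are constructed sample data.

```python
# Added example, not from the slides: a Business Impact Analysis (BIA) helper.
# Each critical function records its Recovery Time Objective (RTO, hours) and
# the IT systems it depends on.  From that we derive a Minimum Acceptable
# Recovery Configuration (MARC): the systems that must come back, the RTO each
# inherits (tightest RTO of any function needing it, directly or transitively),
# a dependency-respecting recovery order, and the gaps left by today's recovery
# capability.  The inheritance rule is our own formalisation; every function,
# system, RTO and capability value below is constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class BusinessFunction:
    name: str
    rto_hours: float       # RTO agreed with the business unit in the BIA
    requires: List[str]    # IT systems/links the function cannot run without


# Hypothetical system-to-system dependencies (app server needs DB, SAN, network).
SYSTEM_DEPENDS_ON: Dict[str, List[str]] = {
    "erp-app": ["erp-db", "san", "network"],
    "erp-db": ["san", "network"],
    "web-portal": ["erp-app", "network"],
    "email": ["directory", "network"],
    "directory": ["network"],
    "research-cluster": ["network"],
    "san": [],
    "network": [],
}


def derive_marc(functions, depends_on) -> Dict[str, float]:
    """Return {system: inherited RTO in hours} for every system in the MARC."""
    marc: Dict[str, float] = {}
    for fn in functions:
        stack = list(fn.requires)
        seen: Set[str] = set()
        while stack:                       # walk the dependency closure
            system = stack.pop()
            if system in seen:
                continue
            seen.add(system)
            if system not in depends_on:
                raise KeyError(f"{fn.name} requires unknown system {system!r}")
            marc[system] = min(marc.get(system, float("inf")), fn.rto_hours)
            stack.extend(depends_on[system])
    return marc


def recovery_order(marc, depends_on) -> List[str]:
    """Kahn's topological sort over MARC systems: prerequisites are restored
    first; among systems whose prerequisites are done, lowest RTO goes next."""
    remaining: Dict[str, Set[str]] = {
        s: {d for d in depends_on[s] if d in marc} for s in marc
    }
    order: List[str] = []
    while remaining:
        ready = [s for s, deps in remaining.items() if not deps]
        if not ready:
            raise ValueError("cyclic dependency among MARC systems")
        nxt = min(ready, key=lambda s: (marc[s], s))
        order.append(nxt)
        del remaining[nxt]
        for deps in remaining.values():
            deps.discard(nxt)
    return order


def unmet_rtos(marc, capability_hours) -> Dict[str, float]:
    """{system: hours over its inherited RTO} for systems the current recovery
    capability cannot restore in time; no stated capability counts as infinite."""
    gaps: Dict[str, float] = {}
    for system, rto in marc.items():
        capability = capability_hours.get(system, float("inf"))
        if capability > rto:
            gaps[system] = capability - rto
    return gaps


# Constructed sample BIA for a university, the setting of the second deck.
SAMPLE_FUNCTIONS = [
    BusinessFunction("payroll", 24, ["erp-app"]),
    BusinessFunction("student-registration", 8, ["web-portal"]),
    BusinessFunction("campus-email", 4, ["email"]),
    BusinessFunction("grant-research", 72, ["research-cluster"]),
]
SAMPLE_CAPABILITY = {  # hours each system currently takes to restore
    "network": 2, "directory": 2, "email": 2, "san": 12, "erp-db": 24,
    "erp-app": 24, "web-portal": 24, "research-cluster": 48,
}

if __name__ == "__main__":
    marc = derive_marc(SAMPLE_FUNCTIONS, SYSTEM_DEPENDS_ON)
    for system in recovery_order(marc, SYSTEM_DEPENDS_ON):
        print(f"{system:17s} inherited RTO {marc[system]:>4} h")
    print("hours over RTO:", unmet_rtos(marc, SAMPLE_CAPABILITY))
```

The gap list is what the strategy step of the development cycle has to close: here the shared SAN and ERP tier inherit the 8-hour registration RTO even though payroll alone would have tolerated 24 hours.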


 

Disaster Recovery/Business Resumption Planning

Disaster Recovery Planning
The strategic and detailed planning for the timely restoration of information technology, network and telephony following a disaster.

Business Resumption Planning
The strategic and detailed planning for the timely restoration of vital business/support functions following a disaster.


 

Crisis Management Program

Who
• All key business and support units/entities

Charter
• Provide policies, procedures and guidance to organize, train, equip and manage staff, equipment, and facilities to ensure a capability to rapidly evaluate and respond to significant incidents that impact, or may impact, an organization’s critical operations

Benefits
• Rapid, coordinated identification and response to incidents in an effort to prevent the incidents from becoming disasters
• Protection of: life; corporate image, prestige, revenue, market share
• Mitigation of incident generated legal and regulatory risks


 

Integrated Response/Recovery Plan Structure

[Diagram; labels recovered from the slide: Corporate Crisis Management Plan; Corporate Crisis Management Team (CMT); IMT, Sites A-n; Site Recovery Plans (Facilities); Department Specific Recovery Chapters (Departments A, B, ... n); Business Resumption/Disaster Recovery/Crisis Management Plans; General IT/Data Network Business Resumption Support Plans (Sites A-n); Data Center Disaster Recovery Plans (App Group, Server Group, Tape Group, Network Group).]


 

Plan Scorecarding and Testing

What
• Crisis Management Plan
• Business Resumption Plans
• Disaster Recovery Plans

Charter
• Scorecarding: evaluate plan content for structure, scope, and breadth of information in preparation for testing of the plan for recovery operations
• Testing: evaluation of plan content for effectiveness/adequacy in recovery operations

Benefits
• Quality control of plans
• Training of personnel
• Confidence


 

Certification Program

What
• Business Resumption Plans
• Disaster Recovery Plans

Charter
• Annual, formal rating of Business Resumption and Disaster Recovery Plans using scorecard results, testing results, and other criteria to assess plan readiness.

Benefits
• A standardized assessment of plan quality and readiness
• Targeted program planning and budgeting
• Confidence in plan readiness and quality


 

Continuity Program Development Cycle (CPO)

1. Understand Your Business: accomplish a Business Impact Analysis
2. Develop IT Disaster Recovery and Business Resumption Strategies
3. Develop: IT Disaster Recovery Plans; Business Resumption Plans; Testing and Certification Program
4. Develop & Implement an Enterprise Recovery Management Process
5. Maintain: Testing Metrics/Program; Maintenance Program; Change Management Program; Audit; Certification Program


 

CPO Project Responsibilities

INITIATION PROCESSES
• Feasibility
• High Level Planning
• Charter Definition

PLANNING PROCESSES
• Plan Development
• Policies, Procedures, Guidance
• Communications Planning
• QC Planning
• Risk Management Plan
• Contract/Project Change Management
• Deliverable Acceptance Criteria

EXECUTION PROCESSES
• Information Coordination and Distribution
• Risk Response
• Risk Estimation
• Resource Management
• Issue Resolution

CONTROLLING PROCESSES
• Quality, Scope, Change, Risk, Schedule, Performance Control
• Analysis and Reporting

CLOSING PROCESSES


 

CPO Lifecycle Responsibilities

[Diagram: the CPO at the centre, surrounded by its lifecycle responsibilities]
• Methodology, Policies, Procedures, & Guidance
• Change Control: New Systems, New Functions, New Designs, Etc.
• Testing: Metrics, Accomplishment, And Required Plan Changes
• Strategy Validation/Updates
• Initial and Ongoing Critical Vendor Qualification and SLA/Contract Review
• Crisis Management & Recovery Plan Implementation
• Recovery Plan Scorecarding & Certification
• Training/Awareness Program
• Plan Development/Maintenance Program


 

CPO Summary Chart Of Responsibilities

[Diagram; labels recovered from the slide, grouped by the entity they sit with:]

STEERING COMMITTEE
• Decisions: Policy; Vision; Strategy; Direction
• Guidance/Oversight/Analysis
• Reports

CONTINUITY PROGRAM OFFICE
• Evaluate Business Needs; Business Cases; Project Justification; Recommendations
• PROJECT PP&Gs: Project initiation; Project planning; Execution and control; Closure
• PROGRAM PP&Gs: Methodology; Plan development templates; Change control; Communications management; Crisis management; Plan scorecards and certification; Vendor qualification, SLAs; Recovery strategies; Risk management; Testing and metrics; Software
• Contractor Database; Contractor and Corp Resource Pool; Knowledge Library; Training, Awareness And Education Program
• Incorporates Best Practices; Updates Templates; Evaluates Project Results; Maintains Knowledge Library
• Provides SLAs And Access; Provides Resources To Project; Policies, Procedures, Guidance

PROJECT MANAGERS
• Requirements: Work with CPO; Customize Project WBS/Schedule; Daily Project Management; Identify Issues

IT AND BUSINESS UNITS
• Recovery Planning & Testing

CRISIS MANAGEMENT
• Planning & Execution


 

CPO Staffing - Executive Sponsor

STAFFING: Executive Sponsor

PLANNING ROLE
• Secure funding and resources.
• Make Go/No-Go decisions.
• Link to Executive Steering Committee.
• Provide strategic guidance to CPO.
• Integration with other corporate strategic initiatives.

IMPLEMENTATION ROLE
• Issue resolution.
• Resource commitment.
• Approval authority for change requests.
• Link to Executive Steering Committee.


 

CPO Staffing - CPO Leader

STAFFING: CPO Lead

PLANNING ROLE
• Oversee development and approval of project management and Enterprise Recovery Management Process (ERMP) policies, procedures, methodology and guidance.
• Develop CPO & project staffing models.
• Project Initiation and Planning.
• Development of Issue Resolution Plan.
• Development of deliverable acceptance procedures.
• Design of vendor qualification program.
• Design and administration of the corporate Crisis Management Plan.

IMPLEMENTATION ROLE
• Daily leadership, oversight, and management of CPO staff.
• Responsible for CPO performance and deliverables.
• Champion project management methodology implementation and ERMP.
• Project Implementation, Control, and Closure.
• Responsible for implementation and management of program/project Communications Plan, Certification Program, Awareness and Training Program, Change Control, and Risk Management Program.
• Leadership, or administration of, the corporate Crisis Management Team.


 

CPO Staffing - CPO Staff

STAFFING: CPO Staff

PLANNING ROLE
• Develop program/project management books, forms, templates, etc.
• Develop plan Certification Program; Training and Awareness Program; Communications Management Plan; Risk Management Plan.
• Develop Change Management Program.
• Program budget.
• Business continuity risk analysis of new facilities design, hardware purchases, software, network design, business processes, vendors, etc.
• Project Initiation and Planning.

IMPLEMENTATION ROLE
• Tracking of project and program progress against plans/schedule (project/program implementation and control).
• Maintain recovery plan Certification Program database.
• Implement Awareness and Training Program.
• Set-up and maintenance of program Knowledge Library.
• Ensure compliance with program ERMP.
• Issue/problem resolution.
• Support Executive Sponsor with presentations and reports.
• Vendor qualification program.
• Support for corporate Crisis Management Team.


 

Establishing a CPO

Identify and define measures of success for the CPO
• Define goals and objectives of the CPO
• Codify the charter of the CPO
• Write a vision and mission statement for the CPO
• Document the purpose of the initiative and what value is to be created
• Determine how return-on-investment will be measured
• Determine what other metrics and measurements should be used (e.g., quality, customer satisfaction, productivity)


 

Establishing a CPO

Define leadership and communications PP&Gs
• Establish how information, status updates and decisions will be communicated
• Determine how and who will make key decisions

Define risks and develop mitigation strategy
• Identify risks to program success
• Determine how risks will be mitigated
• Establish how additional risks that may arise later will be identified and mitigated


 

Establishing a CPO

Define program support
• Identify support requirements for each CPO project, and lifecycle functions assigned to the CPO
• Identify standard methods and procedures for project and program execution, reporting and management
• Develop a process for the creation of additional standards as the need arises
• Decide if the CPO should create a Disaster Recovery/Business Resumption Center of Excellence for critical technical knowledge that will be shared by multiple projects


 

Establishing a CPO

Define integration approach and methods
• How will programs and projects that have interrelationships and dependencies be identified and integrated?
• How well does the portfolio of programs and projects assigned to the CPO support the business goals and objectives of the corporation?


 

Change Triggers

[Diagram: requests for changes flow from the organizational entities (Facilities, Info Technology, Business Units, Other Divisions) through meetings and an analysis of the actions required by each change trigger, into coordinated changes to the Disaster Recovery Information Technology Profile, Recovery Plans, Recovery Strategy and Infrastructure]

Change triggers:
• Recovery Objectives Change
• Organizational Changes
• Network Changes
• Vault List
• Software Upgrades
• Database Changes
• Hardware Changes
• Operating System Upgrades
• Restoration Procedure Changes
• Changes in Disaster Declaration Authority
• Off-site Storage Access
• Off-site Storage
• Hardware/Inventory
• Recovery Site Changes
• Hot Site Changes
• Process and Sub-process Owner Changes
• Client Server Interfaces
• All Technology Profile “fields”
• Changes to Standards
• Backups Procedures
• Modifications Resulting from Tests


 

CRISIS RESPONSE PLANNING

Corporate Response Flow - CMT Activated

[Diagram; labels recovered from the slide, by level:
• Corporate: Corporate Strategy Objectives; CMT Planning Cell; CMT Ops Cell; Situation Report; Corporate Response Plan; Response Plan Implementation; Department Tasks To The Field; Department/Regional Objectives; Regional Objectives To Regional CMTs.
• Regions (Regional CMT Response Planning/Execution Flow): Objectives Received From CMT; Response Planning; Regional Objectives; RCMT Tasks To Market CMTs.
• Markets (Market CMTs Response/Execution Flow): RCMT Taskings Received; Market CMT Tasking Out.]


 

CPA’s Role in DRP, BCP & BIA

• Disaster Recovery Plan (DRP)
• Business Impact Analysis (BIA)
• Information Systems Auditing & Control Association (ISACA)
• Business Continuity Plan (BCP)
• COSO - Committee Of Sponsoring Organizations
• Control Objectives for Information and related Technology (CobIT)
• IT / IS - Information Technology / Information Systems
• Business Continuity Management (BCM)
• Business Continuity (BC)


 

Disaster Recovery and Business Continuity Planning in a University Environment

Mardecia Bell
Ann Harris

Copyright Mardecia Bell/Ann Harris 2005. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.


 

History/Timeline

1997  Initiated with the administrative environment; Mainframe environment recovery test
1999  Y2K - Business Continuity concept; Acquired central repository software (LDRPS)
2001  Scheduled annual Mainframe recovery test; Included communications & academic environment
2002  Expanded to include Enterprise Business Continuity/Disaster Recovery Planning
2004  Successful DR test of ERP systems
2005  Co-processing of production services began in Data Center II


 

Implementation Steps

• Gain Sponsorship
• Establish Steering Committees
• Develop University Policy/Regulation
• Create DR Structure/Establish Staffing
• Market Program
• Establish Central Repository
• Review & Test Plans Regularly


 

Gain Sponsorship

• Office of the President – University System
• Chancellor
• Executive Management
• Present your Business Case
• Identify the roles involved
• Provide Executive Summary of BC/DR Program
• Present Statement of Work and Project Plan
• Add responsibilities to staff work plans


 

Policy/Regulations/Rule

Develop a Policy or Regulation to affirm the mandate and promote cooperation


 

Divide Campus Into Groupings

• Space/Facilities
• Teaching and Academic Programs
• Academic IT
• Administrative IT
• Environmental Health and Public Safety
• Business Administration
• Research Programs
• Student Affairs
• Extension and Engagement


 

Resource Projections

Hire Full-Time Business Continuity and Disaster Recovery Personnel
• Director of Business Continuity (plus 1 Business Analyst)
• Admin IT DR Coordinator (plus 1 Business Analyst)
• Academic DR Coordinator (part-time)

Add BC/DR responsibilities to work plan of existing staff
• Identify Coordinators for each business unit


 

Establish Central Information Repository

Continuous Implementation


 

Accomplishments

• Disaster Recovery and Business Continuity Plan
• Risk Assessments for Critical Business Units
• Successful Mainframe Recovery Tests
• Designed and implemented infrastructure for central computing environment (academic & administrative) in secondary data center.
• Implementation of recovery strategies in secondary data center
• Creation of Administrative IT Disaster Recovery Unit


 

Illustration of Various DR Deployments

[Diagram; the four deployment patterns shown, with the server/data labels recovered from the slide:
• Fault-tolerant cluster (file and print services): A Production / B Configuration paired with B Production / A Configuration; B Production / A Production
• Distributed deployment (hosted systems): A Production; A Development; A Production
• Co-processing and load-balancing (ERP, Enterprise Resource Planning): A Production; A Production; A Production
• Data replication (mainframe): three Server / Data pairs]


 

Enterprise Resource Planning (ERP) Deployment

[Diagram; labels recovered from the slide: Financial System; Human Resources (Version 8.8); Student Information System (under construction). Two data centers, DC I and DC II, each with Web Servers, Application Servers, Batch Servers and a DB Server attached to a Data Storage Area Network, serving Campus Users.]


Summary and Future Steps
[Diagram of the two data centers.
DC II: Hosted systems; Infrastructure (Active Directory / Windows, Novell Directory Services / Novell, Citrix); ERP Web, ERP Batch, ERP Application, ERP DB Server; Data on a Data Storage Area Network; Backup/vaulting.
DC I: Hosted systems; Infrastructure (Active Directory / Windows, Novell Directory Services / Novell, Citrix); ERP Web, ERP Batch, ERP DB Server, ERP Application; Development Server, Mainframe Server, Email/Calendar, Anti-SPAM, File/Print, User Home, Web Server, Database Server; Data on a Data Storage Area Network; Backup/vaulting.]


Administrative IT Disaster Recovery Unit
Mission
• Ensure minimal risk of major disruptions to critical University systems and processes in the event that all or part of its computer operations are rendered inoperable.
• Ensure timely recovery of infrastructure and services in the event of a disruption.
• Ensure that business continuity plans are available and viable relative to their scenario.


Risk Management
• Identify
• Mitigate
• Process Mapping


Risk Management: Risk Mitigation
• Prioritize Actions
• Evaluate Recommended Control Options
• Conduct Cost-Benefit Analysis
• Select Controls
• Assign Responsibility
• Develop Safeguard Implementation Plan
• Implement Selected Controls

Risk Assessment
• System Characterization
• Threat Identification
• Vulnerability Identification
• Control Analysis
• Likelihood Determination
• Impact Analysis
• Risk Determination
• Control Recommendations
• Results Documentation

Source: NIST SP 800-30
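To make the Risk Determination and Risk Mitigation steps above concrete, here is an added example (not from the slides): it scores threat/vulnerability pairs with the likelihood and impact weights of NIST SP 800-30 (2002 edition), ranks them for Prioritize Actions, and applies a cost-benefit rule to Select Controls. Every system, threat, control and cost figure is constructed for the example, and the cost-benefit rule (a control is selected only if it lowers the risk level, cheapest controls evaluated first) is an assumption rather than part of SP 800-30.

```python
"""Risk determination and mitigation in the style of NIST SP 800-30 (2002 edition).

Added example (not from the slide deck). Likelihood and impact weights and the
risk scale follow SP 800-30 Tables 3-6/3-7; every system, threat, control and
cost figure below is constructed for illustration.
"""
from dataclasses import dataclass

LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}   # SP 800-30 likelihood weights
IMPACT = {"Low": 10, "Medium": 50, "High": 100}         # SP 800-30 impact weights
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Required response per risk level (paraphrase of the SP 800-30 risk-scale guidance).
ACTION = {
    "High": "corrective action plan required as soon as possible",
    "Medium": "corrective actions planned within a reasonable period",
    "Low": "authorizing official decides whether to mitigate or accept",
}


@dataclass(frozen=True)
class RiskItem:
    system: str             # system characterization
    threat: str             # threat identification
    vulnerability: str      # vulnerability identification
    existing_control: str   # control analysis
    likelihood: str         # likelihood determination: Low / Medium / High
    impact: str             # impact analysis: Low / Medium / High


@dataclass(frozen=True)
class Control:
    name: str
    system: str             # RiskItem.system the control protects
    new_likelihood: str     # likelihood level once the control is in place
    annual_cost: int        # hypothetical cost used in the cost-benefit step


def risk_score(likelihood: str, impact: str) -> float:
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    # SP 800-30 risk scale: High > 50, Medium > 10 to 50, Low 1 to 10
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risks(items):
    """Risk determination: (item, score, level) tuples, highest score first.
    sort() is stable, so equal scores keep their input order."""
    rated = [(item, risk_score(item.likelihood, item.impact)) for item in items]
    rated.sort(key=lambda pair: pair[1], reverse=True)
    return [(item, score, risk_level(score)) for item, score in rated]


def prioritize_actions(rated):
    """Risk mitigation step 1: map each rated item to the required response."""
    return [(item.system, level, ACTION[level]) for item, _, level in rated]


def select_controls(items, candidates):
    """Cost-benefit rule (an assumption for this example): a control is selected
    only if it lowers the risk *level* of its system; cheaper controls are
    evaluated first. Returns (control name, level before, level after)."""
    by_system = {item.system: item for item in items}
    chosen = []
    for control in sorted(candidates, key=lambda c: c.annual_cost):
        item = by_system[control.system]
        before = risk_level(risk_score(item.likelihood, item.impact))
        after = risk_level(risk_score(control.new_likelihood, item.impact))
        if LEVEL_RANK[after] < LEVEL_RANK[before]:
            chosen.append((control.name, before, after))
    return chosen


def sample_items():
    # Constructed assessment input, loosely modelled on the deck's DC I / DC II layout.
    return [
        RiskItem("Data Storage Area Network", "disk array controller failure",
                 "single SAN shared by ERP web, batch and DB tiers", "vendor maintenance", "High", "High"),
        RiskItem("HR database (Sybase)", "loss of DC I", "no replica in DC II",
                 "nightly tape backup vaulted offsite", "Medium", "High"),
        RiskItem("Email/Calendar", "mass-mailing malware", "gateway signatures lag new samples",
                 "Anti-SPAM gateway", "High", "Medium"),
        RiskItem("Mainframe", "fire in DC I", "single site", "fire suppression", "Low", "High"),
        RiskItem("Financials web tier", "single web server hardware failure",
                 "none identified (six load-balanced servers)", "redundant servers", "Low", "Low"),
    ]


def sample_controls():
    return [
        Control("Replicate SAN to DC II", "Data Storage Area Network", "Low", 250_000),
        Control("Mirror HR database to DC II", "HR database (Sybase)", "Low", 80_000),
        Control("Add second tape drive", "HR database (Sybase)", "Medium", 5_000),
        Control("Seventh web server", "Financials web tier", "Low", 12_000),
    ]


if __name__ == "__main__":
    rated = determine_risks(sample_items())
    for system, level, action in prioritize_actions(rated):
        print(f"{level:6} {system}: {action}")
    for name, before, after in select_controls(sample_items(), sample_controls()):
        print(f"select {name}: {before} -> {after}")
```

Note the edge cases the SP 800-30 matrix produces: a Low-likelihood, High-impact threat (fire at the single mainframe site) scores 10 and lands in the Low band, and a Medium-likelihood, High-impact threat scores exactly 50 and stays Medium. The cheap tape drive is rejected because it leaves the HR database at Medium, while the SAN replication is selected despite its cost because it takes the only High risk down to Low.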


Process Mapping
[Diagram of the ERP infrastructure, top to bottom: Users (Web/Application Clients); Distributed Web Servers; Distributed Application Transaction Servers (AppServers); Distributed Process Schedulers (Batch Servers); Databases.]
• Web Servers 1 to 6: SunFire v240 (2-cpu, 8GB), Veritas Foundation Suite, each running iPlanet v6.0 proxy server authentication in front of WebLogic v8.1 for Financials, FinRep and FinTrain
• Application Servers 1 and 2: SunFire v1280 (12-cpu, 24GB); Application Servers 3 and 4: SunFire v480 (4-cpu, 8GB); one further Application Server: SunFire v240 (2-cpu, 4GB); all Veritas Foundation Suite, running the Financials, FinRep and FinTrain AppServers on Tuxedo v6.5
• HR Application Server: Sun Enterprise 450 (Ultra), Solaris 7 (4 SparcII cpu, 4GB), Veritas Foundation Suite, running the HR, HRRep and HRTrain AppServers on Tuxedo
• Batch Servers 1 to 5: SunFire v240 (2-cpu, 4GB), Veritas Foundation Suite, running the Financials, FinRep and FinTrain BatchServers on Tuxedo v6.5
• HR Batch Server: Sun Enterprise 10000, E10K OS Domain, Solaris 7 (8 SparcII cpu, 8GB), Veritas Foundation Suite, running the HR Tuxedo Process Scheduler
• Data Server 1: SunFire E25K OS Domain (12 SparcIV cpu, 96GB), Veritas DBE Oracle with FlashSnap, hosting Financials OLTP, FinRep Reporting and FinTrain Training on Oracle 9i
• Data Server 2: Sun Enterprise 10000, E10K OS Domain, Solaris 8 (12 SparcII cpu, 12GB), Veritas DBE Sybase with FlashSnap, hosting HR, HRRep and HRTrain on Sybase ASE 12.0.0.6


Infrastructure
• Total DR through distributed high availability
• Client Recovery Solutions
• Application Restoration
• Establish collaborative partnerships with other Universities

Client Recovery Solutions

Application Restoration
• Event
• Time
• Scope of Impact
• Infrastructure
• Software
• Hardware


Collaborative Partnerships


Vaulting
• Readily accessible
• Secure
• Onsite
• Offsite


Critical Business Units
• Advancement Services
• All Campus Network
• Budget Office
• College of Agriculture and Life Sciences - Personnel Office
• ComTech - Data Networking
• ComTech - Telecommunications
• Contracts and Grants
• Controller's Office
• Enterprise Application and Database Services
• EH&S - Business Continuity
• EH&S - Campus Police
• EH&S - Emergency Response
• EH&S - Environmental Affairs
• EH&S - Health and Safety
• EH&S - Industrial Hygiene
• EH&S - Insurance and Risk Management
• EH&S - Radiation Safety
• EH&S - Transportation
• EH&S - Waste Management
• Enrollment Management - Admissions
• Enrollment Management - Office of Scholarships & Financial Aid
• Enrollment Management - Registration and Records

• Enterprise Technology Services and Support

• Facilities - Construction Management

• Facilities - Design and Construction Services

• Facilities - Operations

• Facilities - University Architect

• Fire Protection

• Foundations Accounting & Investments

• HR - Benefits

• HR - Employment & Compensation

• HR - Human Resource Information Management

• HR - Payroll

• ITD - Business Services

• ITD - Computer Operations

• ITD - Computer Services

• ITD - Systems

• Libraries - Administration

• Materials Management - Materials Support

• Materials Management - Purchasing

• Materials Management - University Graphics

• Real Estate

• Student Health Services

• University Cashier's Office

• University Dining

• University Housing


Business Continuity Planning


Communication
• Consistency in plan updating
• Training
• Partnering
• Emergency Communication standardization
• Call Trees
• Mobile Devices
• Website
• Incident Command System Call Center
• Incident Report Plan


IT Disaster Categorization
• Category 1: A single person or group in a Critical Business Unit (CBU) is unable to perform their critical functions
• Category 2: An entire CBU is unable to perform its critical functions
• Category 3: Multiple CBUs are unable to perform their critical functions
• Category 4: Non-CBUs are not able to perform their critical functions
• Category 5: A widespread event that impacts the entire University


Goals
• Total DR through distributed high availability
• Standardized Emergency Communications
• Immediate Client Recovery Solutions
• Improved RTO

Control Objectives for Information and related Technology (CobIT)

Control Objective: Ensure Continuous Service
Managing continuous service includes the ability to recover from a disaster. Controls need to be in place to manage various disaster scenarios, from backup and recovery to full business continuity. Actions performed in this area align with the control activities and monitoring components of COSO (Committee of Sponsoring Organizations).
Deficiencies in this area could significantly impact the financial reporting and disclosure of an entity. For instance, the inability to recover from a disaster after year-end could prevent the organization from producing financial reports that are supported with source documentation and details of the transactions that make up financial reporting balances.


Ensure Continuous Service
IT management, in cooperation with business process owners, has established a business continuity framework that defines the roles, responsibilities, risk-based approach/methodology to be adopted, and the approval procedures.
COSO Component: Control Activities


Ensure Continuous Service
The business continuity plan identifies the critical application programs, third-party services, operating systems, personnel and supplies, data files, and time frames needed for recovery.
COSO Component: Control Activities


Ensure Continuous Service
The IT continuity plan is aligned with the overall business continuity plan to ensure consistency.
COSO Component: Control Activities


Ensure Continuous Service
The IT organization members responsible for disaster continuity plans have been trained regarding the procedures to be followed in case of an incident or a disaster.
COSO Component: Control Activities


Ensure Continuous Service
IT management has ensured that the continuity plan is adequately tested, at least annually, and that any deficiencies are addressed within a reasonable period of time.
COSO Component: Control Activities


Ensure Continuous Service
Offsite storage and recovery facilities are periodically assessed, at least annually, for viability, adequacy and security mechanisms.
COSO Component: Monitoring
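The two control tests above (plan tested at least annually with deficiencies addressed within a reasonable period; offsite storage and recovery facilities assessed at least annually, including their security mechanisms) can be checked mechanically against a test register, which is how an IS auditor would gather the evidence. The following is an added example, not from the slides or from CobIT/COSO: the register entries, the as-of date and the 90-day remediation window are constructed assumptions.

```python
"""Mechanical check of two 'Ensure Continuous Service' tests against a test register.

Added example (not from the slide deck, CobIT or COSO). The register entries,
the as-of date and the 90-day remediation window are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TEST_INTERVAL = timedelta(days=365)      # continuity plan tested "at least annually"
ASSESS_INTERVAL = timedelta(days=365)    # offsite/recovery facilities assessed "at least annually"
REMEDIATION_WINDOW = timedelta(days=90)  # assumed reading of "a reasonable period of time"


@dataclass(frozen=True)
class PlanTest:
    plan: str
    last_tested: Optional[date]     # None = the plan has never been exercised


@dataclass(frozen=True)
class Deficiency:
    plan: str
    description: str
    opened: date
    closed: Optional[date]          # None = still open


@dataclass(frozen=True)
class FacilityAssessment:
    facility: str
    last_assessed: Optional[date]
    security_reviewed: bool         # the viability/adequacy review also covered security mechanisms


def audit_continuity(plan_tests, deficiencies, assessments, as_of):
    """Return (control, subject, detail) findings; an empty list means no exceptions."""
    findings = []
    for test in plan_tests:
        if test.last_tested is None:
            findings.append(("plan-test", test.plan, "plan has never been tested"))
        elif as_of - test.last_tested > TEST_INTERVAL:
            findings.append(("plan-test", test.plan,
                             f"last tested {test.last_tested}, more than {TEST_INTERVAL.days} days ago"))
    for item in deficiencies:
        # Open items are aged to the audit date; closed items by their actual remediation time.
        age = (item.closed or as_of) - item.opened
        if age > REMEDIATION_WINDOW:
            state = "still open" if item.closed is None else f"closed {item.closed}"
            findings.append(("deficiency", item.plan,
                             f"{item.description}: {age.days} days to remediate ({state})"))
    for facility in assessments:
        if facility.last_assessed is None or as_of - facility.last_assessed > ASSESS_INTERVAL:
            findings.append(("facility", facility.facility, "no assessment within the last year"))
        elif not facility.security_reviewed:
            findings.append(("facility", facility.facility, "assessment did not cover security mechanisms"))
    return findings


# Constructed register (names echo the deck's systems; dates are illustrative).
AS_OF = date(2006, 6, 30)
SAMPLE_PLAN_TESTS = [
    PlanTest("Mainframe recovery", date(2006, 3, 15)),
    PlanTest("ERP recovery (DC II)", date(2005, 5, 1)),
    PlanTest("Email/Calendar recovery", None),
]
SAMPLE_DEFICIENCIES = [
    Deficiency("Mainframe recovery", "tape restore exceeded RTO", date(2006, 3, 16), date(2006, 4, 10)),
    Deficiency("ERP recovery (DC II)", "batch server not in DR image", date(2005, 5, 2), None),
    Deficiency("Mainframe recovery", "call tree out of date", date(2006, 6, 1), None),
]
SAMPLE_ASSESSMENTS = [
    FacilityAssessment("Offsite tape vault", date(2005, 11, 1), True),
    FacilityAssessment("DC II recovery site", date(2005, 4, 1), True),
    FacilityAssessment("Partner university hot site", date(2006, 2, 1), False),
]


if __name__ == "__main__":
    for control, subject, detail in audit_continuity(
            SAMPLE_PLAN_TESTS, SAMPLE_DEFICIENCIES, SAMPLE_ASSESSMENTS, AS_OF):
        print(f"[{control}] {subject}: {detail}")
```

Run against the constructed register this raises five exceptions: the ERP plan is over a year since its last test, the Email/Calendar plan has never been exercised, the ERP deficiency has been open for over a year, the DC II recovery site has not been assessed within the year, and the partner hot site was assessed without a review of its security mechanisms. A never-tested plan and an open deficiency are reported separately because they map to different control statements.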


Ensure Continuous Service
A business impact analysis assessment has been performed that considers the impact of systems failure on the financial reporting and disclosure process.
COSO Component: Control Activities


Ensure Continuous Service
Management has reviewed the impact assessment in determining the nature and extent of system recovery procedures necessary to support the timeliness of financial reporting and disclosure processes.
COSO Component: Control Activities


IS Auditing Guideline
1.4 Purpose of the Guideline
1.4.1 The primary objective of BCP is to protect the organization in the event that all or part of its operations and/or information systems services are rendered unusable and aid the organization to recover from the effect of such events.
1.4.2 The purpose of this guideline is to describe the recommended practices in performing a business continuity plan (BCP) review.


IS Auditing Guideline
1.4.3 The purpose of a BCP review is to identify, document, test and evaluate the controls and the associated risks relating to the process of BCP as implemented in an organization to achieve relevant control objectives.
1.4.4 These control objectives can be primary, directly related to BCP, and secondary, indirectly related to BCP.


IS Auditing Guideline
1.4.5 This guideline provides guidance in applying IS auditing standard 060 (Performance of Audit Work) to obtain sufficient, reliable, relevant and useful evidence during review of the business continuity plan. The IS auditor should consider it in determining how to achieve implementation of the above standard, use professional judgment in its application and be prepared to justify any departure.


IS Auditing Guideline
1.5 Guideline Application
1.5.1 This guideline is applied when conducting a review of BCP from an IT perspective in an organization.
1.5.2 When applying this guideline, the IS auditor should consider its guidance in relation to other relevant Information Systems Audit and Control Association (ISACA) standards and guidelines.


IS Auditing Guideline
2.1.3 Risk assessment followed by a Business Impact Analysis (BIA) must be performed to assess the overall financial exposures and operational effects due to a disruption in business activities. The BIA should identify and prioritize the critical business processes supported by the IS infrastructure including, but not limited to, cost-benefit analysis of controls in different disruption scenarios.


IS Auditing Guideline
2.1.4 Disaster Recovery Plan (DRP), a key component of BCP, refers to the technological aspect of BCP: the advance planning and preparations necessary to minimize loss and ensure continuity of critical business functions in the event of a disaster. DRP comprises consistent actions to be undertaken prior to, during and subsequent to a disaster.


IS Auditing Guideline
2.1.5 A sound DRP should be built from a comprehensive planning process, involving all of the enterprise. In today's interconnected economy, organizations are more vulnerable than ever to the possibility of technical difficulties disrupting business. Any disaster, from floods or fire to viruses and cyber terrorism, can affect the availability, integrity and confidentiality


BCM Model
[Diagram (Source: Gartner Group) of the business continuity management process: Business Continuity Planning Initiation (Policy, Organization, Resources, Scope); Risk Analysis; Business Impact Analysis; Recovery Strategy; Create Planning Organization; Plans/Procedures, Risk Reduction, Standby Facilities; Testing; Change Management, Education, Testing/Review Process. The stages are grouped into a Project phase and an Ongoing Process phase.]


BCM Program Elements
[Diagram, with Recovery, Capability and Continuity as its three axes. Business Recovery Plan: Business Recovery Organization (BRO), Recovery Location(s), Switchable Telecomm. Network(s), Data/Records Backup & Off-Site Storage, Recovery Actions, Tasks & Procedures. Recovery Plan Development is fed by Program Justification & Authorization: Business Impact Analysis (BIA), Risk Analysis (RA), Process Identification, Recovery Strategies, Budget & Policies, Commitment by Executive Management. Recovery Plan Maintenance is fed by Updated Recovery Strategies, Plan Changes & Updates, Test Systems, Software & Environments, New Processes & Procedures, and Training & Exercises (prove plans & teams).]
Availability & Survivability Components
- Evacuation & Life-Safety Plans
- Fire Detection, Alerting & Suppression
- Physical & Logical Security
- UPS & Emergency Generators
- Redundant Equipment Components
- Equipment Maintenance & Replacement
- Redundant Power, Telecommunications and Water


BC Phases

Continuity Planning Policy
The process is generally initiated by issuing a continuity planning policy statement that:
• Establishes and documents the basic planning requirements, standards, and guidelines that responsible offices will apply in developing, implementing, and executing their respective continuity plans.
• Outlines the organizational framework for continuity planning and execution.
• Determines the scope (services, functions and resources subject to the continuity planning requirement).
• Defines continuity planning objectives.


Continuity Planning Objectives
Organization-wide continuity planning policy objectives need to be:
• Identified
• Prioritized, and
• Validated by senior management.
Policy objectives ensure that continuity plans focus on achieving essential mission requirements.
Objectives establish the criteria for assessing