Embed Size (px)
Citation preview
Business Continuity and Disaster Recovery Roadmap
John A GreenTexas Department of Motor VehiclesDisaster Recovery and Business Continuity Planner5/10/2017
Goals of this Presentation
o Why conduct a Business Impact Analysis (BIA)
o What is in a BIA and what other processes does it drive
o Who should be involved in the inputs and the analysis
o When should it be conducted and reviewed
o Where in the cycle do the Continuity of Operations Plan (COOP) and Disaster Recovery Plan get developed
o How are the BIA, COOP and Disaster Recover Plan used
Texas Department of Motor Vehicles
o Background:o The TxDMV mission is “to serve, protect and advance the
citizens and industries in the state with quality motor vehicle related services.
o ”o WHY TxDMV -> Mission Essential Functions
• TEF 5: Maintain Law and Order. Focus• TEF 6: Ensure Availability of Emergency Services• TEF 7: Maintain Economic Stability. Focus
• Standards solution MS-ISAC crosswalk NIST to FEMA
Texas Department of Motor Vehicles
o Background:o TEF is (SORM)
• Standards solution MS-ISAC crosswalk NIST to FEMA
Business Impact AnalysisBackground
o TxDMV is committed to ensuring that essential business functions will be continued:
• Provide for the safety of the citizens of Texas• Provide Law Enforcement accurate and timely information• Provide for the motor vehicle industries to conduct business
• Dealers• Vehicle owners
• Provide for the motor carrier industries to conduct businesso The Business Impact Analysis should Identify:
• Priority of Business Functions• Systems Impact ranking• Critical information resources • Risks• RPO• Cost of Downtime for Business • Recovery Time Objective (RTO) for Disaster Recovery
Identify Agency Essential Functions
Texas Essential Functions
FEMA National Essential Functions
DMV Vision & Mission
Identify Risks to Agency Opperations
Working sessions with
POC from DMV Divisions
SORM Data
COOP Round Table
Texas Admin Code
Texas Occupations Code
Texas Transportation Code
US Labor Code
Vernon’s Civil Statute
Texas Government Code
FEMA Data
Identify Impacts to Agency for
Interruption of Functions
Working sessions with
POC from DMV Divisions
Identify Agency
Statutory Requirements
Gartner BPA
BPA Responses from Divisions
Revenue Data
LE & Public Safety Functions
Create Mitigation Strategies
Identify Alternate Work Site &
Establish MOA
Identify Divisions & Personnel
Supporting Agency Functions
Identify Recovery Time Obectives
Business Impact
Analysis
Working sessions with
POC from DMV Divisions
Agency Statutory Requirements
Agency Contract Requirements
Working sessions with
POC from DMV Divisions
Working sessions with OGC, FAS, and
Exec
Validate Business Impact
Analysis
Prioritize Agency Function Recovery
Working sessions with
Exec Team
Business Continuity
Plan
Validate Business
Continuity Plan
Identify Additional IT Resources Needed
to support BCP
Identify DCS Systems Needed to
Support BCP
Working sessions with
SMEs & IT
DCS CMDB
Create Policy and Process for
Succession, HR, and Purchasing
Working sessions with OGC, HR, FAS,
and Exec
Identify Systems / Applications
Supporting Agency Functions
Working sessions with
SMEs & IT
Disaster Recovery
Plan
Identify Recovery Point Objectives
Working sessions with
SMEs & ITAgency Rule Requirements
Engineering, Evaluation,
and Purchasing
Offsite Backup Phone System
Backup Power Generator
Uninterrupted Power Supplies
Additional HV/AC
Business Continuity and Disaster Recovery Planning Process
INPUTS help tell the Story, Mission Essential Functions, Code, Laws
More Analysis Inputs: Risks, Policies and Priorities
The BIA in turn is validated and provides Inputs into the Continuity Of Operations Plan (COOP)
Completed Business Impact Analysis (sanitized)
Agency Functions Registration & Titling Permitting Industry Licensing Industry Credentialing Enforcement & Hearings Vital Records HR, Payroll Purchasing &
AccountingABTPA Grant Fund
AdministrationCustomer Service (Call
Center, etc.)Texas Essential Functions TEF 4, 5, 6, 7 & 8 TEF 4, 5, 6, 7 & 8 TEF 7 & 8 TEF 7 & 8 TEF 1 & 5 TEF 1 & 4 TEF 1 TEF 1 & 7 TEF 5 & 6Statutory Compliance Transportation Code 501, 502,
504, 621, 645, and 681; Admin Code 43 TAC 217
Transportation Code 621, 622, 623, ; Admin Code 43 TAC 219
Occupations Code 2301; Trans Code 503
Transportation Code 643, 644 & 646; Admin Code 43 TAC 218
Occupations Code 2301Occupations Code 2305; Admin Code 13 TAC 6; Government Code 441 & 552
Gov Code 551, 552, 572, 605, 654, 656, 659, 2113; Labor Code 21, 22, 501; 29 U.S.C. 8, 206, 621-34
Government Code 2101, 2103, 2155
VCS Art. 4413(37) Government Code 681
Average Daily RevenuePrimary Mission Essential Function Divisions VTR, RSC MCD, RSC MVD MCD ENF, OAH FIN/ADM FIN/ADM, HR FIN/ADM ABTPA CRD, VTR, MCD, IT, RSCMission Essential Function Divisions IT, EXEC IT, EXEC IT, EXEC IT, EXEC IT, EXEC, CRD OGC, IT, EXEC IT, EXEC, Civil Rights IT, EXEC IT, EXEC EXEC, GSCLower Priority Function Divisions OGC, IA, GSC, HR, FIN, CRD OGC, IA, GSC, HR, FIN, CRD OGC, IA, GSC, HR, FIN, CRD OGC, IA, GSC, HR, FIN, CRD OGC, IA, GSC, HR, FIN IA, GSC, HR, FIN OGC, IA, GSC, HR, FIN OGC, IA, GSC, HR OGC, IA, GSC, HR, FIN OGC, IA, HR, FINRecovery Time Objective (RTO) Hours Hour Day Day Day Day Day Day Day DaySupporting Systems:
Really big ApplicationReally big Application
Another Really Large AppWeb based App
CC ProcessingPretty Big Application
Imaging ApplicationStorage Application
Web stuffPurchasing
HRPayrollGrants
Internet/Intranet SitesPhone/email
Call CenterFile Shares
Law EnforcementImpacts:
Revenue Generation 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5Public Safety 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5
Legal & Regulatory 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5Service Delivery 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5
Security Controls 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5Agency Reputation 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5
Personnel 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5Public/Dealer Satisfaction 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5 1-5
Impact Rating 8-40 8-40 8-40 8-40 8-40 8-40 8-40 8-40 8-40
High Impact TimeframesRegistration March; Titling November-December End of the month
Beginning & End of each Month
= Mandatory System to perform the function= Major System needed to perform the function
= Improves performance of the function
Business Impact Analysis Results
Business Impact AnalysisBackground
o EXPLAIN BIA o TEF Vs National
o What area ourso Every Depart/Divisions input
o How many DR plans o How many COOPo Org Chart o POC for IT , Business, DCS, Org Charto Exercise once a year, lots of resourceso How often report to , metrics, audit o BIA once every other year, DR exercise once/year, Table Top v full DREo DRE labor intensive o Table Top with *all* divisionso Scheduleo Fire, Water, events
BCP /COOP to Disaster Recovery Plan
An Aside: Identified Risks addressed in parallel
D/R Class RTO RPO Replicated or Tape Recovery
Production Storage Tier
Recovery Storage Type/Tier
Available at: CDC/LDC
Production Server
Recovery Site
Recovery Server
Data Type (Recommended Use)
Exercise Frequency
Class P 1 hour 1 hour Replicated to Fast Storage
Tier 1 Includes Fast Replication
CDC Only Platinum Alt CDC Hot Standby All Data Annual Recovery
Class 1 72 hours 6 hours Replicated to Fast Storage
Tier 1 Includes Fast Replication
CDC Only Gold / Silver Alt CDC Comparable to Production
All Data Annual Recovery
Class 2A 7 days 48 hours Non-Replicated, Media Based Recovery to Fast Storage
Tier 2 Tier 2 CDC Only Gold / Silver Alt CDC Comparable to Production
All Data Annual Table Top or Recovery
Class 2B 14 days 48 hours Non-Replicated, Media Based Recovery to Fast Storage
Tier 2 Tier 2 CDC & LDC Gold / Silver Alt CDC & LDC
Comparable to Production
All Data TRG Review Exercise every two years
Class 3 21 days 48 hours Acquired at time of disaster (ATOD)
Tier 2 ATOD CDC & LDC Gold, Silver, or Bronze
Alt CDC ATOD All Data Annual Enterprise Table Top
Class 4 Low Priority Best Effort Non-Replicated, Media Based Recovery to Fast Storage
Tier 2 / Tier 3 Low Priority CDC & LDC Gold, Silver, or Bronze
Alt CDC Best Effort All Data N/A
Class 5 7 days 48 hours Replicated to Slow Storage
Replicated Tier 3
Includes Slow Replication
CDC Only Gold, Silver, or Bronze
Alt CDC Comparable to Production
non-Transactional
Data Only. Customer
assumes the risk that the
application will provide
acceptable performance on
slower disk
Annual Table Top Exercise or Regular
Class 6 14 days 48 hours Non-Replicated, Media Based Recovery from Fast to Slow Storage
Tier 2 Tier 3 CDC Only Gold, Silver, or Bronze
Alt CDC Comparable to Production
TRG Review Exercise every two years
Statewide Data Center Disaster Recovery RTO/RPO….ad hoc Class 8….Explain words
D/R Class RTO RPO Replicated or Tape Recovery
Production Storage Tier
Recovery Storage Type/Tier
Available at: CDC/LDC
Production Server
Recovery Site
Recovery Server
Data Type (Recommended Use)
Exercise Frequency
Class P 1 hour 1 hour Replicated to Fast Storage
Tier 1 Includes Fast Replication
CDC Only Platinum Alt CDC Hot Standby All Data Annual Recovery
Class 1 72 hours 6 hours Replicated to Fast Storage
Tier 1 Includes Fast Replication
CDC Only Gold / Silver Alt CDC Comparable to Production
All Data Annual Recovery
Class 2A 7 days 48 hours Non-Replicated, Media Based Recovery to Fast Storage
Tier 2 Tier 2 CDC Only Gold / Silver Alt CDC Comparable to Production
All Data Annual Table Top or Recovery
Class 2B 14 days 48 hours Non-Replicated, Media Based Recovery to Fast Storage
Tier 2 Tier 2 CDC & LDC Gold / Silver Alt CDC & LDC
Comparable to Production
All Data TRG Review Exercise every two years
Class 3 21 days 48 hours Acquired at time of disaster (ATOD)
Tier 2 ATOD CDC & LDC Gold, Silver, or Bronze
Alt CDC ATOD All Data Annual Enterprise Table Top
Class 4 Low Priority Best Effort Non-Replicated, Media Based Recovery to Fast Storage
Tier 2 / Tier 3 Low Priority CDC & LDC Gold, Silver, or Bronze
Alt CDC Best Effort All Data N/A
Class 5 7 days 48 hours Replicated to Slow Storage
Replicated Tier 3
Includes Slow Replication
CDC Only Gold, Silver, or Bronze
Alt CDC Comparable to Production
non-Transactional
Data Only. Customer
assumes the risk that the
application will provide
acceptable performance on
slower disk
Annual Table Top Exercise or Regular
Class 6 14 days 48 hours Non-Replicated, Media Based Recovery from Fast to Slow Storage
Tier 2 Tier 3 CDC Only Gold, Silver, or Bronze
Alt CDC Comparable to Production
TRG Review Exercise every two years
Glossary
