www.preparednessllc.com
DONALD L. SCHMIDT, ARM, CBCP, MCP, CBCLA, CEM©
PREPAREDNESS, LLC
MARCH 30, 2017
Business Continuity & IT Disaster Recovery
What are Business Continuity & IT Disaster Recovery?
■ BUSINESS CONTINUITY: “An ongoing process to ensure that the necessary steps are taken to identify the impacts of potential losses and maintain viable continuity and recovery strategies and plans.” NFPA 1600 www.nfpa.org/1600
■ BUSINESS CONTINUITY MANAGEMENT: “management process that identifies risk, threats, and vulnerabilities that could impact continued operations. Business continuity provides a framework for building organizational resilience and the capability for an effective response.” DRI’s Professional Practices www.drii.org
■ DISASTER RECOVERY: The collection of resources and activities to re-establish information technology services (including components such as infrastructure, telecommunications, systems, applications and data) at an alternate site following a disruption of IT services. Disaster Recovery Journal (DRI’s International Glossary for Resiliency) www.drii.org
Key Elements of a Continuity & Recovery Program
1. Management commitment, direction & support (policy statement)
2. Program management
3. Risk assessment
4. Business impact analysis
5. Resource needs assessment
6. Continuity & recovery strategies
7. Incident management system
8. Education & training
9. Testing & exercises
10. Reviews and continuous improvement
Why is senior management support so important?
■ Provides leadership
■ Approves program resources
■ Ensures people get involved
■ Provides insight into the business
■ Can build a culture of preparedness
Understanding the business is critical!
■ Mission & vision
■ Value stream
■ Profits vs. revenues
■ Growth potential
■ Research & development
■ Customers
■ Regulations
■ Essential services (nonprofits and public sector)
■ What are the priorities?
[Charts: 2015 % Sales; Sales 2015-2018 projected; 2015 % Profits. Series: Product A, Product B, Product C, Product D]
Build a strong team to manage your program
■ Program Coordinator
☑ Vested with authority and held accountable
■ Program Committee
☑ Management
☑ Operations
☑ Information Technology
☑ Supply Chain management
☑ Facilities Management
☑ Quality
☑ Finance
☑ Sales & Marketing
☑ Human Resources
☑ EH&S
☑ Purchasing
☑ …others
Credit: katemangostar Freepik
Risk Assessment; Evaluate planning scenario(s)
■ Make the best possible decisions about loss prevention, hazard mitigation, risk financing, and continuity planning.
■ Identify availability of resources for planning scenarios.
Business Impact Analysis: What’s critical and when?
“Management level analysis that identifies, quantifies, and qualifies the impacts resulting from interruptions or disruptions of an entity’s resources. The analysis can identify time-critical functions, recovery priorities, dependencies, and interdependencies so that recovery time objectives can be established and approved.” NFPA 1600
■ Identify impacts
☑ Lost sales and revenue
☑ Loss of customers
☑ Customer dissatisfaction
■ Determine minimum acceptable production or service level to avoid unacceptable impacts
■ Identify how quickly minimum level must be restored: “Recovery Time Objective”
■ Assess the Timing of Interruption
☑ Customer requirements
☑ Peaks in business activity
☑ End of month or quarter
☑ Deadlines
[Figure: Recovery Time Objective (RTO). Production vs. Time. Labels: Pre-Disaster Production or Service Level; Minimum Acceptable Production or Service Level; T disaster; T recovery; RTO; Lost Production; Production Downtime Avoided]
BIA continued: What resources are required?
■ People
■ Facilities
■ Machinery & equipment
■ Internal dependencies
■ Supply chain
■ Vital records
■ Information & communications technology
Conducting the BIA
■ Focus on priorities identified by senior management
■ Identify and agree upon the planning scenario(s) (e.g., loss of facility, supply chain failure, technology or power outage, pandemic, etc.)
■ Provide specific criteria to quantify and qualify impacts and recovery time objectives
1. Develop questionnaires with built-in criteria specific to each function
2. Conduct a workshop to introduce the project and explain how to complete questionnaires
3. Use spreadsheets or a database to compile resource requirements
4. Review questionnaires and interview persons to validate information
BIA Methodology & Process
■ Report
☑ Quantify Impacts
☑ Recovery Time Objectives
☑ Compile Resource Requirements
■ Prioritize Functions, Processes & Applications
■ Conduct Interviews
☑ Validate Assumptions
☑ Fill-in Gaps in Information
☑ Question Criticality
■ Conduct BIA Workshop & Distribute Questionnaires
☑ Why is the BIA important?
☑ What information is needed?
☑ How should questionnaire be completed?
■ Develop Questionnaire
☑ Impacts
☑ Resources
☑ Vital Records
☑ Dependencies
☑ Workarounds
☑ Pending Changes
Continuity & Recovery Strategies
■ Considerations
☑ Availability, capability, capacity, and cost of resources
☑ Planning scenarios
☑ Consistent with assumptions
☑ Intellectual property
☑ Quality
☑ Customer requirements
☑ Time to execute
■ Options
☑ Work extra shifts
☑ Relocate or transfer to a surviving site
☑ Displace lower priority operations
☑ Inventory management
☑ Partnership agreements
☑ Outsource
☑ Telecommuting
☑ Lease space
☑ Repair or rebuild
Implementation: IT Disaster Recovery
“Identify the acceptable amount of data loss for physical and electronic records to identify the recovery point objective (RPO)” – NFPA 1600
■ IT Strategies
☑ Data backups
☑ Application recovery
☑ The “cloud”
☑ Active-active sites
☑ Hot sites
☑ Mobile recovery center
☑ Equipment procurement and rebuild
■ Scope
☑ Enterprise apps
☑ Productivity apps
☑ Process control systems
☑ Building management, security, and other systems
■ Considerations
☑ Scope & alignment with business needs
☑ Cost
☑ Reliability
☑ Availability
Training, Testing & Exercises
■ Training
☑ Alerting of team
☑ Activation of the plan
☑ Incident management, roles, responsibilities, lines of authority and lines of succession
☑ Coordination internally and externally
☑ Continuity strategies and manual workarounds
■ Exercises evaluate plans, procedures, training, and capabilities
■ Testing
☑ Data backups and restoration capabilities
☑ Failover of systems and equipment
☑ IT disaster recovery: validation of the sequence and procedures for restoration of operating systems, applications, and data on specified hardware and networks
☑ Recovery strategies
☑ Alerting capabilities
Program Reviews & Continuous Improvement
■ Change is constant but does your program keep pace?
■ “Triggers” for program review
☑ New/revised regulations
☑ Acquisitions and divestitures
☑ Changes in operations
☑ Changes in infrastructure including technology environment
☑ Resource availability or capabilities
☑ Funding change
■ Appropriate action to address program deficiencies
Program Development Resources
www.PreparednessLLC.com
For More Information
■ Donald L. Schmidt, ARM, CBCP, MCP, CBCLA, CEM©
Preparedness, LLC
(781) [email protected]
©2017 Preparedness, LLC