© 2016 Protiviti Inc.
CONFIDENTIAL: An Equal Opportunity Employer M/F/D/V. This document is for your company's internal use only and may not be copied nor distributed to another third party.
DISASTER RECOVERY AND BUSINESS CONTINUITY: An Executive Overview
SEPTEMBER 27, 2016
MEET YOUR PRESENTERS
Tim Maloney, Associate Director
Mike Smith, Director
OUR AGENDA
+ The difference between Disaster Recovery and Business Continuity
+ The Business Continuity Management (BCM) program lifecycle
+ Why should we care?
+ Conducting a Risk Assessment
+ Prevent vs. Respond
+ What is a Business Impact Analysis?
+ What are Maximum Allowable Downtime (MAD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO)?
+ Determining MAD, RTO, and RPO
+ A typical disruption timeline
+ Roles & Responsibilities
+ Writing a scalable response plan
+ Keeping your program fresh
+ External Frameworks
+ Supporting Tools
+ Lessons Learned
Sections: What is Disaster Recovery?; Determining what threats matter; Prioritizing impact and recovery requirements; Nurturing and maintaining a BCM / DR program
What is Disaster Recovery?
“It's not whether you get knocked down; it's whether you get up.”
Vince Lombardi
THE BCM LIFECYCLE
Phases: Business Assessment, then Strategy Design, then Implementation, then Quality Assurance.
• Business Assessment: Program Review and Planning; Risk Assessment; Business Impact Analysis
• Crisis Management: Crisis Management Strategy, then Implement Crisis Management Plan, then Test Crisis Management Plan
• Business Recovery: Business Recovery Strategy, then Implement Business Recovery Plan, then Test Business Recovery Plan
• IT Disaster Recovery: IT Disaster Recovery Strategy, then Implement IT Disaster Recovery Plan, then Test IT Disaster Recovery Plan
• IT Architecture: Design IT Architecture, then Implement IT Architecture
• Spanning every phase: BCM Program Governance and BCM Quality Assurance
Determining what threats matter
“There's nothing like a jolly good disaster to get people to start doing something.”
Prince Charles
ADDRESSING RISK ASSESSMENT RESULTS
For each risk, decide whether to Prevent or to Respond, across four dimensions:
• Technology
• People
• Locations
• Vendors
Prioritizing impact & recovery
“It is not the strongest or the most intelligent who will survive but those who can best manage change.”
Charles Darwin
WHAT IS BUSINESS IMPACT ANALYSIS?
Business Impact Analysis (BIA): A systematic process to determine and evaluate the potential effects of a disruption to critical business operations.
The BIA produces three outputs:
• Prioritize IT system recovery needs
• Prioritize business process recovery needs
• Define minimum operating needs
UNDERSTANDING THE RECOVERY TIMELINE
Reading the timeline from left to right along the TIME axis:
• Desired Recovery Point Objective (before the disaster)
• Technical Recovery Point Objective; the gap between the technical and the desired RPO is Manual Catch-up / Unacceptable Loss
• Disaster Occurs
• Recovery Time Objective; until it is reached, manual work-arounds are required
• Maximum Allowable Downtime, the outer limit of the timeline
MAPPING OPERATIONAL IMPACTS
Impact of a disruption on each functional area, by time horizon:

| Functional Area | 0 - 8 hours | 8 - 24 hours | 24 - 72 hours | 3 - 7 days | 1 - 2 weeks | 2 weeks + |
|---|---|---|---|---|---|---|
| Patient Delivery | High | High | High | High | High | High |
| Record Keeping | High | High | High | High | High | High |
| Facilities Management | High | High | High | High | High | High |
| Supply Chain Management | Medium | High | High | High | High | High |
| Regulatory / Legal Compliance | Low | Medium | High | High | High | High |
| Patient Finance | Low | Medium | Medium | High | High | High |
| Accounting | Low | Low | Medium | High | High | High |
| Outcome Improvement | Low | Low | Medium | Medium | High | High |
| HR / Payroll | Low | Low | Low | Medium | High | High |
| Manage External Relations | Low | Low | Low | Low | Medium | High |
| Strategic Planning | Low | Low | Low | Low | Low | High |
| Research | Low | Low | Low | Low | Low | High |
| Fundraising / Philanthropy | Low | Low | Low | Low | Low | Medium |
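As an added illustration that is not part of the Protiviti deck, the Python below takes the impact matrix above together with the relationships the recovery-timeline slide draws between MAD, RTO and RPO, and turns them into a recovery-tier ranking plus a check of proposed recovery targets for one functional area. Two readings are this example's assumptions rather than statements from the deck: an area must be recovered before the first time horizon in which its impact is rated High (that horizon's start bounds its Maximum Allowable Downtime, with 8 hours used as the finest bound the table can resolve for areas rated High from the outset), and a technical RPO that trails the desired RPO leaves a gap of manual catch-up or unacceptable loss. The `RecoveryTargets` structure and function names are invented for the example.

```python
"""Derive recovery tiers from an operational impact matrix and check RTO/RPO
targets against the implied Maximum Allowable Downtime (MAD).

Added example, not from the Protiviti deck. IMPACT_MATRIX reproduces the
deck's "Mapping Operational Impacts" table; the MAD / RTO / RPO rules are the
example's own assumptions (see the lead-in).
"""
from dataclasses import dataclass

# The six time horizons of the table, and the hour at which each window ends.
HORIZON_LABELS = ["0-8 hours", "8-24 hours", "24-72 hours", "3-7 days", "1-2 weeks", "2 weeks +"]
HORIZON_END_HOURS = [8, 24, 72, 7 * 24, 14 * 24, None]  # None: open-ended final window

IMPACT_MATRIX = {
    "Patient Delivery":              ["High", "High", "High", "High", "High", "High"],
    "Record Keeping":                ["High", "High", "High", "High", "High", "High"],
    "Facilities Management":         ["High", "High", "High", "High", "High", "High"],
    "Supply Chain Management":       ["Medium", "High", "High", "High", "High", "High"],
    "Regulatory / Legal Compliance": ["Low", "Medium", "High", "High", "High", "High"],
    "Patient Finance":               ["Low", "Medium", "Medium", "High", "High", "High"],
    "Accounting":                    ["Low", "Low", "Medium", "High", "High", "High"],
    "Outcome Improvement":           ["Low", "Low", "Medium", "Medium", "High", "High"],
    "HR / Payroll":                  ["Low", "Low", "Low", "Medium", "High", "High"],
    "Manage External Relations":     ["Low", "Low", "Low", "Low", "Medium", "High"],
    "Strategic Planning":            ["Low", "Low", "Low", "Low", "Low", "High"],
    "Research":                      ["Low", "Low", "Low", "Low", "Low", "High"],
    "Fundraising / Philanthropy":    ["Low", "Low", "Low", "Low", "Low", "Medium"],
}


def first_high_tier(area):
    """Index of the first horizon in which the area's impact is rated High.
    Returns len(HORIZON_LABELS) when the table never reaches High."""
    for tier, level in enumerate(IMPACT_MATRIX[area]):
        if level == "High":
            return tier
    return len(HORIZON_LABELS)


def mad_bound_hours(area):
    """Upper bound on MAD implied by the matrix (assumption: the area must be
    recovered before its first High window opens). The first window opens at
    hour 0, so an area rated High from the outset gets the finest bound the
    table resolves, 8 hours. None means the table never rates the area High."""
    tier = first_high_tier(area)
    if tier == len(HORIZON_LABELS):
        return None
    return HORIZON_END_HOURS[0] if tier == 0 else HORIZON_END_HOURS[tier - 1]


def recovery_priority():
    """(tier, area) pairs ordered by recovery tier; table order within a tier."""
    return sorted(((first_high_tier(a), a) for a in IMPACT_MATRIX), key=lambda t: t[0])


@dataclass
class RecoveryTargets:          # hypothetical structure for the example
    rto_hours: float             # proposed Recovery Time Objective
    desired_rpo_hours: float     # RPO the business asked for
    technical_rpo_hours: float   # RPO the backup / replication design actually delivers


def check_targets(area, targets):
    """Findings for proposed targets, following the recovery-timeline slide:
    the RTO must fall inside MAD, and the technical RPO must not trail the
    desired RPO, or the difference becomes manual catch-up / unacceptable loss."""
    findings = []
    bound = mad_bound_hours(area)
    if bound is not None and targets.rto_hours > bound:
        findings.append(f"RTO {targets.rto_hours}h exceeds MAD bound of {bound}h for {area}; "
                        f"manual work-arounds cannot cover the gap")
    gap = targets.technical_rpo_hours - targets.desired_rpo_hours
    if gap > 0:
        findings.append(f"technical RPO {targets.technical_rpo_hours}h trails desired RPO "
                        f"{targets.desired_rpo_hours}h by {gap}h of manual catch-up / unacceptable loss")
    return findings


if __name__ == "__main__":
    for tier, area in recovery_priority():
        window = HORIZON_LABELS[tier] if tier < len(HORIZON_LABELS) else "never High"
        print(f"tier {tier} ({window}): {area}, MAD bound {mad_bound_hours(area)}h")
    # Constructed targets for one area: a 12h RTO and 24h technical RPO against a 4h desired RPO.
    for finding in check_targets("Supply Chain Management", RecoveryTargets(12, 4, 24)):
        print("FINDING:", finding)
```

The ranking reproduces the deck's priority order directly from the matrix, and `check_targets` makes the two timeline relationships testable: a target that fails either rule is exactly the case where work-arounds or catch-up must be planned rather than assumed.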
“At the onset of an emergency, everyone's IQ goes immediately to zero.”
Winston Scott, Former Astronaut & Director of Florida Space Port
TYPICAL PLAN STRUCTURE
Inputs: Disruptive Risk Assessment; Business Impact Analysis
Governance: BCM / DR Governance Charter or Policy
• Crisis Management Plan (Event Handling): Communication Plan / Tree; Escalation Plan; Disaster Declaration; Recovery Plan Invocation; Location Specific Procedures; Crisis Management Tools / Strategies; Crisis Management Plan Test Results
• IT Disaster Recovery Plan: Data Center Inventory & Procedures; Technology Recovery Architecture; IT DR Plan Test Results
• Business Resumption Plan: HQ / Field Offices Inventory & Procedures; Functional Area Procedures (one set per functional area); Business Recovery Locations / Strategies; Business Resumption Plan Test Results
TYPICAL DISRUPTION TIMELINE
Normal Operations, then Disaster Occurs, then Validate Personnel Safety and Execute Crisis Communication Plan, then IT/Business Recovery, then Business Resumption, then Normal Operations.
Throughout the disruption: Continuous Communication Across the Enterprise; Operate at Alternative Facilities if Necessary.
PROGRAM ROLES & RESPONSIBILITIES

Executive Management Team
Before an Event:
• Sets tone at the top and makes BCM / DR a strategic priority
• Reviews periodic reporting and performance metrics
During an Event:
• Declares disaster and directs enactment of plans
• Makes decisions based on reports from the field

BCM Leader or Team
Before an Event:
• Leads risk and impact analyses
• Oversees and guides plan development
• Facilitates plan testing and lessons learned
During an Event:
• Manages plan execution
• Serves as coordinator between the field and executives
• Oversees “return to normal” efforts

Business Unit & Department Leads
Before an Event:
• Provides input to risk and impact analyses
• Leads development of individual plan components
• Participates in plan testing
During an Event:
• Verifies individual personnel safety
• Executes plan components
• Reports issues and status

Continuity Coordinators
Before an Event:
• Develops plan procedures
• Participates in plan testing
• Executes remediation actions identified during testing
During an Event:
• Leads “return to normal” efforts
• Supports plan execution
Nurturing your plan
“BCM is not a project, it is a culture!”
Deutsche Bank IT Director
WHAT HAVE WE OBSERVED?
• Communication must be a priority.
• Have a defined decision hierarchy.
• Business continuity planning is not an “IT only” venture.
• Do not place too much reliance on the availability of a small group of individuals.
• Routinely test disaster preparation and crisis response.
• Companies should understand critical vendor recovery requirements.