TEL382 Greene Chapter 11



10/27/09 2

Outline

• What is a Disaster?

• Disaster Strikes Without Warning

• Understanding Roles and Responsibilities

• Preparing For Disaster

• Responding to a Disaster

• Planning For Contingencies

• Recovering From Disaster

• Testing and Maintaining the Plan


What is a Disaster?

• A disruption of normal business functions where the expected time for returning to normalcy would impact the organization’s ability to maintain operations, including customer commitments and regulatory compliance

• Steps:

– Determine Threats, Perform Business Impact Analysis (BIA), Determine Safeguards

• BIA provides direction and guidance to those who plan the response, recovery and continuity efforts


Disaster Strikes Without Warning

• Must have a written plan!

• Business Continuity Plan (BCP) should have:

– Disaster Preparation: to be done in anticipation

– Disaster Response: to be done immediately following incident

– Business Contingency: alternate business processes prior to full recovery

– Business Recovery: recovering information systems to their original state


Understanding Roles and Responsibilities

• Senior Management Leadership

• BCP Team

• Operational Management defines needs of department

• IT Department

• HR Department

• Internal Audit Department

• BCP Team Responsibilities:

– Assessing damage, declaring a disaster, managing response, providing leadership, providing post-disaster assessment, plan impact analysis when changes are made, testing plan, reviewing plan with management


Preparing For Disaster

• Predefined key elements:

– Establish organizational structure to respond: chain of command and succession

– Designate Emergency Command Center: Location where BCP Team meets and directs operations

– Prepare Notification Procedures: Call trees, cell phones

– Design Alternate Operations Sites: Delivery (product to customer) and Operational (HR, accounting, security, etc.) functions

– Invest in redundant infrastructure: Hot Sites, Warm Sites, Cold Sites, Mobile Sites

– Develop and implement procedures to support response, recovery and continuity activities


Responding to a Disaster

• Four Stages of Disaster Notification

– Detection: Whoever first discovers it

– Notification: Notify BCP Team

– Declaration: BCP Team evaluates the situation and activates the plan

– Activation: BCP Team Leader (or alternate)

• Non-operational Business Concerns to be addressed before disaster:

– Public Safety: Who, how, when, etc.

– Employee Relations: Show up to work, where, when, how, etc.

– Media Relations: Single media focal point

– Customer Relations: Who, how, what, etc.

– Crime:


Planning For Contingencies

• Contingency Operations Established at Main Site or Alternate Location

• Develop Business Contingency Operating Procedures (BCOP)


Recovering From Disaster

• Break Down into categories:

– Mainframe, Network, Communications

• Detailed Procedures Need to be Developed and Documented Before Needed

– What needs to be done, where it needs to be done, how it needs to be done

• Recovery Manuals on specific systems and/or devices


Testing and Maintaining the Plan

• Plans and Procedures are only theoretical until tested

• Must be accurate, relevant and operable under adverse conditions

• 5 Standard Testing Techniques:

– Preliminary Review, Structured Walkthrough, Tabletop Simulation, Parallel Testing, Full-Scale Testing

• Must revisit plan frequently to take into account changes

• Should have SLAs with Major Vendors

• Some Regulated Industries MUST Audit Plan

TEL382

Wallace Chapter 1


Outline

• Introduction

• Initiating the Project

• Contingency Planning Coordinator

• Scope of the Project

• Adequate Funding

• Selecting a Team

• Planning the Project

• Executing and Controlling

• Closing the Project


Introduction

• Building a BCP is like any other business project

• In developing a BCP, the early stages must be done sequentially. After a certain point, many tasks can be done in parallel

• Typical Steps:

– Management Decision

– Contingency Plan Coordinator (CPC) is selected

– Sponsor and CPC define effort Scope

– CPC selects Team

– CPC and Team develop Project Plan

– Project Plan is Executed

– Reports Produced and CPC closes Project


Initiating the Project

• Sponsor from Senior Management

• Selection of CPC


Contingency Planning Coordinator

• Public announcement

• May begin by using an Outside Consultant

• Tasking begins as plan developer, evolves to plan implementer, then plan maintainer


Scope of the Project

• Defines boundaries of what will be accomplished

• A guideline:

– Any event that would cost >5% of quarterly revenues merits its own plan

• Build slowly and systematically

• Written Scope Statement

• Focus on Critical Business Functions and the Processes that Support Them

• Most Plans can be developed within 6 Months


Adequate Funding

• Indicates Management Commitment

• Project Budget Items:

– BCP Training for CPC and some Team Members

– Consultant

– Overtime Expenses

– Temporary Administrative Help

– Food/Beverages

– Bonuses/Trinkets, etc.


Selecting a Team

• Identify Stakeholders

• Core Team (CPC, Assistant, Administrative Assistant)

• Other Team Members:

– Building Maintenance or Facilities Manager

– Facility Safety and Security

– Labor Union Representative

– HR

– Line Management

– Community Relations

– Public Information Officer

– Sales and Marketing

– Finance and Purchasing

– Legal

• Use Standard Tools

• Initial Training

• Knowledge of Department Processes

• Team Meetings


Planning the Project

• Identify Activities

– Write Paragraph on Each Task, Document Assumptions and Constraints

• Estimate How Long Each Will Take

• Decide Who Should Do What

• Sequence the Tasks Into a Logical Work Flow

– Assign Start Dates

• Look for Problems in Plan

– Resource Overobligation, Availability, etc.


Planning the Project

• Common Problems

– CPC lacks experience

– Lack of Management Support

– Inadequate Funding

– Too Many Locations

– Too Many Departments

– Business Interruptions

– Not Enough Time


Executing and Controlling

• Scope Verification

• Communications Plan

– Mandatory, Informational, Marketing

• Controlling

– Change

– Scope

– Cost

– Quality

– Performance Reporting

– Risk Response

• Plan Testing


Closing the Project

• Turn Files over to Administrator

• Report Results to Management

• Identify Known Exposures

• Thank the Team