Confidential and proprietary information of Ingram Micro Inc. — Do not distribute or duplicate without Ingram Micro's express written permission.
VTN Executive Forum
Disaster Recovery & Business Continuity
Terry Buchanan, VP Services, CONPUTE
November 2nd, 2006
Partner Smart.™
Purpose & Expectations
How to get started in DR/BCP and keep it simple
How to evaluate risk for your company
Risk mitigation and planning techniques
Best practice processes to start planning
Plan structure and application
Definition
Business Continuance (or Continuity) Planning (BCP) involves the processes and procedures organizations put in place to ensure that mission critical functions can continue during and after a disaster.
BCP focuses on
– People (Human Safety),
– Procedures/Process (How to) and
– Infrastructure (Facilities & IT) continuance.
Getting Started
Considering the “What if scenario”
Keeping your business running
– What does that mean for each of you?
– What does that mean for your staff + co-workers?
Do you have a plan to:
– Stay open?
– Recover?
– Rebuild?
– Do nothing?
Best Practice BCP Process
[Process diagram: Project Definition → Risk Assessment → Business Impact Analysis → BCM Design → Detail & Implement → Education → Exercise & Adapt]
Best Practice BCP Process
Project Definition
Risk Assessment
Business Impact Analysis
– RTO, RPO, Time Critical, Mission Critical
BC Management Design
– Emergency Response and Operations
– Crisis Communications
– Coordination with External Agencies
Detail and Implementation
Awareness and Education
Exercise and Adapt
Sponsorship
Sponsor has to own initiative.
Sponsor has to fund initiative.
Sponsor is accountable for initiative.
Different levels of Sponsors.
Who are sponsors?
– President, CEO (Primary)
– CIO, CAO, CFO (Secondary)
– Directors and Managers (Tertiary)
Best Practice BCP Process
Project Definition
Project Planning
Sponsor
– Sets Goals and Charter
Project/Program Manager
– Needs Project Management Experience
– Manages process/administration/negotiation
Steering Committee
– Senior Management (C level, VP, etc.)
– Approves and makes decisions
– Manages budget
Project Team
– Business Unit representatives (Managers, Senior staff, Subject Matter Experts)
– Primary knowledge base
Best Practice BCP Process
Risk Assessment
Risk Assessment
[Diagram: Assets, Threat and Risk]
Risk Assessment
[Diagram: Assets, Threat and Risk, with Proactive and Reactive Controls]
Risk Assessment
Threats are the cause
– Nature – Flood (Peterborough), Hurricane (Katrina/Louisiana), Ice Storm (Ottawa)
– Political – Terrorist Attacks (9-11-01), Unions
– Engineered – Viruses (Blaster)
– Infrastructure – Power Outage (Ontario)
– Pandemics – Virus (SARS)
Vulnerability
– Probability
– Severity
Risk Assessment
Risks relate to impact
– Function disruption to one or many
– Elapsed Time
– Reach
Controls
– Deterrent
– Mitigates
– Reduces
Risk Assessment Analysis
– Develop worst case scenarios
– Develop realistic scenarios
– Controllable versus uncontrollable
– Identify how risks necessary for conducting business operations and communication are impacted
– Identify how threats and risks impact human safety and revenue generation
– Preventive controls (security & redundancy)
– Reactive controls (failing over to or restarting operations at a designated location)
Risk Template
Threat           Severity  Probability  Risk                                                        Controllable?
Flood            Medium    Medium       Water Damage; Loss of Access; Mold/Fire                     No
Terrorism        High      Low          Life; Media                                                 Some
Security Hacker  High      High         Intellectual Property Loss; Data theft or loss              Yes
Power Outage     Low       Medium       Loss of Data Consistency; Loss of Controls (like Security)  No
Application Impact
[Diagram: application impact across the WAN]
Ten Worst Mistakes IT Staff Make
Connecting systems to the Internet before hardening them
Connecting systems to the Internet with default passwords (wireless issues)
Failing to update systems when vulnerabilities are found
Using telnet or other unencrypted protocols for network management
Giving network access over the phone/without authentication
Failing to maintain backups according to legislated archiving
Running misconfigured, unvalidated security tools (hacker software, I/10)
Failing to implement or update antivirus software
Allowing untrained, uncertified users to take responsibility for securing important systems (accidental use of vendor bias / training)
Failing to train users on what constitutes a security problem
Source: RCMP Technical Security Branch, 2002
Best Practice BCP Process
Business Impact Analysis
Business Impact Analysis
Exposure to loss over time
– Direct versus Indirect
– Cost to recover
– Cost to avoid recovery
Business Process interdependencies
– Workflow
Legal and Regulatory
Recovery Objectives
Business Impact Analysis
Recovery Point Objective (RPO)
– The point in time your company’s data is replicated or stored off-site
– Doesn’t mean data is not corrupt or synchronized
– The frequency of initiating a RPO determines YOUR risk or data loss potential
Recovery Time Objective (RTO)
– How long can you wait for certain functions to be restored?
– Tie in RTO to manual process
DR SLA 101 for IT
[Chart: Exposure to Loss ($$) against Time to Recover (RTO), plotting $$ to Recover and $$ of Impact, with the Ideal Recovery Point (Risk + Cost) and the SLA marked]
Risk Mitigation: No BCP
[Chart: Exposure to Loss ($$) against Time to Recover (RTO), plotting $$ to Recover and $$ of Impact without a BCP]
Risk Mitigation: With BCP
[Chart: Exposure to Loss ($$) against Time to Recover (RTO), plotting $$ to Recover and $$ of Impact with a BCP]
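The RPO/RTO definitions on the Business Impact Analysis slide and the "Ideal Recovery Point (Risk + Cost)" charts above, worked through as an added example that is not part of the original deck. The recovery options, dollar figures and incident timestamps are constructed for illustration, and the model assumes exposure to loss grows linearly with outage hours; it also shows how the ideal point moves when the hourly $$ of Impact changes.

```python
"""RPO/RTO check and 'ideal recovery point' model.

Added example (not part of the original deck). All option names, figures and
timestamps are constructed for illustration. Assumptions: exposure to loss
grows linearly with outage hours at a fixed hourly rate; each recovery option
has a fixed RTO, RPO and annual cost; the ideal recovery point is the option
whose expected exposure plus annual cost is lowest.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryOption:
    name: str
    rto_hours: float    # Recovery Time Objective: how long the function may be down
    rpo_hours: float    # Recovery Point Objective: max age of the newest off-site copy
    annual_cost: float  # "$$ to Recover": what keeping this capability ready costs per year


# Constructed options, from cheapest-to-keep to fastest-to-recover.
OPTIONS = (
    RecoveryOption("Nightly tape restore at a cold site", 72.0, 24.0, 5_000.0),
    RecoveryOption("Async replication to a warm site", 8.0, 1.0, 40_000.0),
    RecoveryOption("Sync replication to a clustered hot site", 0.5, 0.0, 250_000.0),
)

# Constructed incident timeline used by sample_incident_report().
SAMPLE_LAST_COPY = datetime(2006, 11, 2, 0, 0)   # last off-site copy completed
SAMPLE_INCIDENT = datetime(2006, 11, 2, 6, 30)   # disaster declared
SAMPLE_RESTORED = datetime(2006, 11, 2, 13, 0)   # function back in service


def expected_exposure(option: RecoveryOption, hourly_loss: float,
                      incidents_per_year: float) -> float:
    """'$$ of Impact': loss accrues for the whole RTO, plus the hours of work
    inside the RPO window that must be re-entered after the restore."""
    hours_lost = option.rto_hours + option.rpo_hours
    return hours_lost * hourly_loss * incidents_per_year


def ideal_recovery_point(options, hourly_loss: float,
                         incidents_per_year: float = 1.0):
    """Return (option, total) for the option where expected exposure plus
    annual cost is lowest: the deck's 'Ideal Recovery Point (Risk + Cost)'."""
    scored = [
        (expected_exposure(o, hourly_loss, incidents_per_year) + o.annual_cost, o)
        for o in options
    ]
    total, best = min(scored, key=lambda pair: pair[0])
    return best, total


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def check_incident(option: RecoveryOption, last_copy_completed: datetime,
                   incident_time: datetime, restored_time: datetime) -> dict:
    """Compare an actual incident against the chosen option's RPO and RTO.

    Achieved RPO is the age of the newest copy when the incident struck;
    achieved RTO is the elapsed time until the function was restored. As the
    deck cautions, meeting the RPO says nothing about the copy being
    uncorrupted or consistent, so restore testing is a separate control.
    """
    achieved_rpo = _hours(incident_time - last_copy_completed)
    achieved_rto = _hours(restored_time - incident_time)
    return {
        "achieved_rpo_hours": achieved_rpo,
        "rpo_met": achieved_rpo <= option.rpo_hours,
        "achieved_rto_hours": achieved_rto,
        "rto_met": achieved_rto <= option.rto_hours,
    }


def sample_incident_report() -> dict:
    """Check the constructed incident against the warm-site option."""
    return check_incident(OPTIONS[1], SAMPLE_LAST_COPY, SAMPLE_INCIDENT, SAMPLE_RESTORED)


if __name__ == "__main__":
    for hourly_loss in (2_000.0, 50_000.0):
        best, total = ideal_recovery_point(OPTIONS, hourly_loss)
        print(f"${hourly_loss:,.0f}/h impact -> {best.name} (${total:,.0f}/yr)")
    print(sample_incident_report())
```

At $2,000/h of impact the warm site is the ideal point; at $50,000/h the hot site wins, which is the shift the "No BCP" and "With BCP" charts illustrate.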
Legal
Bill C-471, C-387
– EI Wait period can be waived in Disaster Region
Bill C-6 “PIPEDA”
– Personal Information Protection and Electronic Documents Act
Bill C-145 “Westray”
– law to hold corporations, their directors and executives criminally accountable for the health and safety of workers
Vital Records Management
Legal
– Audits, Financials, Intellectual Property, Privacy
Duplication
– Electronic, Hard Copy
Off-Site Storage
– Access, security, maintenance
Best Practice BCP Process
BCM Design
ITIL Definition
BCP is part of the ITIL (IT Infrastructure Library) framework
Continuity management involves the following basic steps:
– Prioritizing the businesses to be recovered by conducting a Business Impact Analysis (BIA).
– Performing a Risk Assessment (aka Risk Analysis) for each of the IT Services to identify the assets, threats, vulnerabilities and countermeasures for each service.
– Evaluating the options for recovery.
– Producing the Contingency Plan.
– Testing, reviewing, and revising the plan on a regular basis.
BCM Design
How will you avoid recovery?
How will you recover?
How will you manage recovery?
Defined by RA and BIA
– Interdependencies
Relates to RTO & RPO
Planning Strategies
Perform a Business Impact Analysis (BIA).
– Determine risk and cost of downtime by critical application or function.
Create a Business Continuity Plan (BCP).
– Create a Disaster Recovery Plan (DRP).
– Create a Business Recovery Plan.
– Create a Business Resumption Plan.
– Create a Contingency Plan.
Execute the Plans.
Test and adapt the plans regularly.
Technology
BC and DR Planning Software assist tools
iSCSI – low cost network data transport
– Vendor Support (Microsoft, Novell, HDS, EMC, SUN, STK, McData, CISCO, etc.)
– Drivers + Initiators, NICs, TOE
FAS – data replication/compression
– Protocols: FC, FCIP, IFCP, iSCSI, TCP/IP, DWDM
– Data Networks: FAS, SAN, NAS
Data Recovery
– Tape Backup
– Archiving
– Database log synchronization
Data Replication
Emergency Response
SC becomes Critical Management Team
– Escalation & Notification
– Disaster declaration
– Emergency Operations Centre (EOC)
Life Safety
– Evacuation
– Fire, Police, Medical
Security
– Property and news media
Crisis Communication
Respond
– Emergency Response Team
– Contact lists (up to date)
Recover Operations
– Departmental Recovery Teams
– Damage Assessment Team
Restoration
– Clean Up
– Insurance, rebuild, fail back
Communicate with EXT Agencies
Plans to deal with local emergency services
Plans to deal with media
Plans to deal with volunteers
Contact Lists
– Call them before they call you
– Lists for internal response teams
– Lists for restoration companies
– Lists for short/long term staffing
Best Practice BCP Process
Detail & Implement
Detail & Implement
Plan is now a program
– BCP is part of business culture
Implement controls
– Vital Records replication and storage
– Information Technology
– Physical Security
– Clean Desk Policies
Test controls with scenarios
Controls: Information Technology
Data Availability
Clustering & Load Balancing
Data Replication – Synch vs. Asynch
Data Compression
Off Site Storage – Tapes, CD/DVD, WORM
Data Recovery – Tape Backup
Intrusion Prevention/Detection
Anti-Virus, Anti-Spam, Firewalls
IP Surveillance
Strategy Focus
Embrace BCP as part of your culture
– Be prepared
– Educate and promote sponsorship
Human Safety
– Security: Physical, records, IT Network
– Emergency Response
Maintain business infrastructure
– Mission Critical Operations
– Support Operations
Self Insurance as a strategy
– Reactive effort is not protection, it’s wasteful and costly
Public Perception
Privacy & Legislation
Compliance Legislation
Plan Structure
Cheat sheet with numbers on a business card sized doc.
Speed kills
– Outside help to identify risks and costs saves time
One person owns editing on plan documents
Get a partner to review it and/or test it with you
Keep main document short (no more than 4 pages)
– Write the document yourself (you’ll understand it better)
– Have backups to subject matter experts write content
– Appendices for workflow functions owned by departments
– Assume you will only have 50% of your staff to manage plan
– Assume whomever uses plan knows something about your business and/or applications
– Assume you are on your own
Best Practice BCP Process
Education, Exercise & Adapt
Application of the Plan
Exercise the Controls
Exercise different scenarios
Exercise by cross training
Communicate results
Update documentation
Audit requirements
Develop New Hire training
Develop general training
Resources
http://www.drii.org – Disaster Recovery International
http://www.dri.ca – DRI Canada
http://www.drj.com – Disaster Recovery Journal
http://www.redcorss.ca – Red Cross
http://www.fema.gov – Federal Emergency Management Agency
http://www.overt.ca – Ontario Volunteer Emergency Response Team
http://www.ocipep.gc.ca – Public Safety and Emergency Preparedness Canada
http://www.drie.org – Disaster Recovery Information Exchange
http://continuitycentral.com/itdr.htm – Continuity Central
Are you prepared?
Questions?
Thank You!
Partner Smart.™