BCP/DRP Consultancy Project - An Approach

By D V Ramamohan, Global Head of IT Consultancy Practice, 3i Infotech Ltd

Upload: richard-townsend

Post on 17-Dec-2015


2 - Confidential

Agenda

Overview of BCM - BCP/DRP

Approach to Execution of BCP/DRP Assignments

Interaction

What is BCM…

Business Continuity Management is a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business continuity means maintaining the uninterrupted availability of all key business resources required to support essential business activities.

What is BCP/DRP?

The difference between business continuity and disaster recovery is not a 'what' but a 'whose'.

This holistic view of business continuity management differs from what many managers traditionally term Disaster Recovery Planning which has been closely, if not solely, associated with information technology. By changing the focus, the emphasis is placed on the whole business, not just on technology issues alone. This reinforces the concept of continuity of all key processes, extending beyond information technology systems, important though they are in modern business.

Threats to Availability

COMPONENT FAILURE

DATA CORRUPTION

APPLICATION FAILURE

MAINTENANCE

USER ERROR

SITE OUTAGE

Why BCP-DRP….


Goals of Disaster Recovery Planning

Disaster scenarios and Recovery Strategies:

1. “Building on fire / Shambles”

Alternate site, hot site vendor, data vaulting

2. Facility stands inaccessible

Remote connectivity, tape libraries

3. Facility accessible, physical failure

Redundant systems, HW vendor SLAs

4. Facility & equipment operational, logical failure

Standards, documented procedures, security

Why DRP? ... Few statistics

Major disasters: 9/11 attack, UK bombings, flooding in Mumbai, earthquake in Indonesia

Other statistics:

% of Hardware failure

% of Operational error

Cost per hour of downtime? - $ 78000

Average incidents per hour? 9

Hours per incidents? 4.2 hrs

Downtime cost per year? $ 2,970,000

Source: Contingency Planning Research conducted on 450 Fortune 1000 companies

(Research shows 80%)

Let us execute a DRP assignment…

What will be the scope of work

Subjects:

IT Systems/Applications/Data

Data Centre/Facilities/Services

People

Technical/Functional:

Disaster Recovery Strategy and Solutions

Disaster Recovery Plan and Procedures

Implementation Guidance to implement proposed solutions

Testing the Plan

Training

What will be the deliverables…

Business Impact Study Analysis and Risk Assessment Report

Disaster Recovery Strategy vis-à-vis Scenarios

DR Solution Architecture

DR Team Organization and Roles

Disaster Recovery Plan and Procedures

Setting up Disaster Recovery Site, if need be

Test Plans / Mock drills reports

Maintenance Plan

Training

What should be the Approach…

Project Management Methodology:

Your own…

Kick off meeting

Execution

Closure meeting

Execution of assignment:

Step one: Key IT Assets identification and RA

Step two: Business impact analysis (BIA)

Step three: Design continuity treatments

Step four: Document the Plans

Step Five: Implement continuity treatments

Step Six: Test and maintain the plan

Step Seven: Training


Step one: Key IT Assets identification and RA


Asset identification…

Obtain/inventory the key assets

Hardware

System Software

Applications

Data

People

Facilities/Services

Perform Risk Analysis

Qualitative

Quantitative

Judgemental

Risk Assessment and Management

Business Risks

Rating/Ranking of Risks

Level of Acceptable Risk

Identification of threats

Identification of vulnerabilities

Asset Identification and valuations


Step Two: Business Impact Analysis


Business Impact Analysis

Establish the Organization’s Recovery requirements

Requirements defined by Business Units

Identify and Define Critical Business Processes

Identify Systems

Identify Recovery Timeframes and Recovery objectives for each process

IT Department’s involvement is the enabler for the Plan

Step Three: Design continuity treatments

Recovery objectives

[Figure: recovery technologies plotted against two time axes with ticks Wks, Days, Hrs, Mins, Secs. Axis labels: Data Loss (Recovery Point Objective) and Downtime (Recovery Time Objective). Technologies shown: Backup, Mirroring / Replication, Vaulting, Restore from Tape, Restore from Disk, Clustering.]


Step Four: Document the plans


Document Plans

Organization of the Teams

Detailed Procedures – Technical & Manual Workarounds

Emergency Response Flow

Emergency Contact Lists

Crash Kits

BCP Team Organization

Business Continuity Committee (Management Authorization)

Execution Teams

BCP Team Leader

BCP Spokesperson

Internal Auditor

Emergency Action Team

Damage Asst. & Salvage Team

Relocation Team

IT Team

Admin, Security & Support Team

Operations Team


Enterprise business process, people and technology

Environmental Management

Crisis Management

Knowledge Management

Human Management

Security and Privacy

Communications PR

Risk Management

Emergency Management

IT Disaster Recovery

Facility Management

Supply Chain Management

Health and Safety

Documentation should cover

Step Five: Implement Continuity Treatments

Step six: Test/Exercise the plans


Test/Exercising the Plans

Controlled Test of Procedures

Structured Walkthroughs

Desktop Tests

Simulation Test

Partial Technical Tests

Full Scale Tests

Allows Management to understand:

Inaccuracies

Omissions

Apply Lessons Learned

Revise Procedures & Incorporate into the Plan

Step seven: Training…

Training……….

Create Corporate Awareness of Developed Plans

Team needs to be made knowledgeable of their role

Training Primary & Alternate Contacts

Awareness on task handling (JD) for Team

“Management Support is Key for any BCP-DR Activity”

Few websites…

www.pas56.com Guide for BCM

www.thebci.org for BC Guidelines

www.bsi-global.com for BS25999 (Replacement of PAS 56)

www.iso.org/iso/catalogue_detail?csnumber=41532 for ISO/IEC 24762:2008


Interaction