from implementation to testing: information technology disaster recovery planning for universities...
TRANSCRIPT
From Implementation to Testing:
Information Technology Disaster Recovery Planning for Universities
Cheryl Barkby and Ed GregoryInformation ServicesDePaul University
Copyright Ed Gregory, Cheryl Barkby, 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Today’s Agenda
Background information Overview of DePaul’s Information
Technology(IT) Disaster Recovery Plan Selecting a hotsite vendor How to secure funding Importance of exercising/testing DePaul University’s response to September 11th
Importance of Disaster Recovery Disaster Recovery Journal has reported:
“94% of companies that experience a catastrophic data loss go out of business within two years.”
Source: Yatish Mishra, “Can Your Company be Liable for not Implementing DR Plans?”, Disaster Recovery Journal, Summer 2002.
“97% of respondents reported that their specific plans needed to be altered in light of the new realities of Sept. 11 attacks, and about half of those said that the needed alterations had to be complete or significant.”
Source: Robert Chandler, Ph.D., J.D. Wallace, Ph.D., “What Disaster Recovery Experts Were Thinking Just After the Attacks”, Pgs. 28-31, Disaster Recovery Journal, Winter 2002.
DePaul University: Who we are Founded in 1898
Largest Catholic university in the U.S.
8th largest private university in the U.S.
Over 23,000 students
Over 4,000 faculty and staff
Total of seven campuses: two within the city of Chicago, five in the surrounding suburbs
Overall Map of DePaul
Map of Downtown Campus
Previous disaster recovery efforts were minimal
Original plan designed for mainframe operations
Plan then updated for Y2K compliance Contracted for hotsite No exercising/testing was planned or done
IT Plan Review for New System In August of 2001, review was necessary due to the
university’s transition from a mainframe computer system to PeopleSoft.
Events of September 11, 2001 forced further scrutiny.
Steps necessary to update plan Revise DRP team Produced walllet-sized cards Verify mission critical business applications Update processes and procedures Perform data, hardware, and software inventory
IT Disaster Recovery Planning Process
Determine end-userneeds and requireddata, software, and
hardware
Determine hotsiteoptions and costs
Review for possiblenetworkingimplications
Plan and optionsreviewed by
directors and VP ofIT
Executives reviewand decide on
options and costs
Hotsite optionsoperationalized
Create a draftdisaster recovery
plan
Plan finalizedbased on
Executive, VP,and director input
Planoperationalized
Developing HotSiteOptions
DevelopingDisaster
RecoveryPlan
Selecting a HotSite Vendor
DePaul analysisAnalyzed three hotsite vendors, including current
provider.Selection criteria
Number of sites available Distance from site Equipment Cost Contract
Selected SunGard as sole vendor
Securing Funding DePaul’s method for securing funding
Received executive support Created proposals detailing:
Hot-site services Emergency communication tools Off-site storage Back-up web presence Back-up Internet connection
Suggestions for acquiring executive support Scare the executives Stakeholder support Solid proposal:
Cost of not having recovery plan Possible disaster scenarios Keep it simple
Exercising/Testing
Preparation for exercise Review of exercise for IT mission critical systems Exercise outcomes
Problems identified Software and hardware changes Updated procedures
Demonstrated need for additional funding Post-exercise meeting
Overall University Response to September 11 Chaotic response/evacuation on September 11th
Further response to events: Performed external audit of disaster recovery plans for key areas.
Discovered numerous areas that lacked a plan or required major updating.
Overall guidance and cross-divisional collaboration were not in place.
Began updating university-wide disaster recovery plans including: Communication processes (e-mail, back-up phone system,
pagers) Evacuation and emergency procedures Began to develop a comprehensive university plan.
Overall Timeline
1/1/028/1/01 5/1/02
September 11, 2001
IT DRP AnalysisUniversity-Wide DRP Analysis
4/01/02Univ. Audit Completed
3/27/02First DRP Exercise for IT
9/30/01Univ. Crisis Mgnt. Team Formed
11/15/01Contracted with HotSite Vendor
3/1/02Table-top IT DRP exercise
Final Recommendations
Testing/Exercising is key: IT, evacuation, communications
Collaboration with other university departments, especially business units
Perform Business Impact Analysis (BIA) Analyze all hotsite options: outsourcing, internal, mobile Obtain certification Make use of consultants/experts Network with other universities about their experiences
Vendor and Website Information Vendors:
Strohl Systems, www.strohlsystems.com Contact: Matt Ott, 1-800-634-2016
SunGard, www.sungard.com
Iron Mountain, www.ironmountain.com Useful Websites:
Disaster Recovery International Institute: www.drii.org
Disaster Recovery Journal: www.drj.com
Contingency Planning Management:www.contingencyplanning.com
Continuity Insights:www.continuityinsights.com
Contact Information Ed Gregory
Manager of Data Center, Information Services
312-362-5374 [email protected]
Cheryl Barkby DRP Analyst, Information Services 312-362-6419 [email protected]
Questions?