gartner best practices in business continuity planning report

Download Gartner Best Practices in Business Continuity Planning Report

Post on 23-Feb-2015




2 download

Embed Size (px)


New E-Commerce Risks


Human Error/ Operations Risk

Planned/Unplanned Downtime Outsourced Service ProvidersSecurity Incidents

Content/Application Links to Third Parties

E-Commerce BC: New Rules/New Realities IT and business process management are integrated no longer solo views Production costs increase no separate budget for BCP Risk identification and management take on a matrix management focus, e.g., technology, financial, trading, operations Problems are public IT and business problem management must be integrated; root cause analysis Only as strong as your weakest link good application/bad operations Contingency plans become critical when automation isnt there every component of the business process now must have a plan

BC ComponentsDisaster Recovery Business Recovery Business Resumption Contingency Planning


Mission-critical applications

Mission- critical business processing (workspace)Site outage (external) Business recovery plan

Business process workarounds

External event


Site or component outage (external) Disaster recovery plan

Application outage (internal) Alternate processing plan

External behavior forcing change to internal Business contingency plan


Sample Event(s)Sample Solution

Fire at the data center; critical server failureRecovery site in a different location

Electrical outage in the buildingRecovery site in a different power grid

Credit authorization system downManual procedure

Main supplier cannot ship due to its own problem25% backup of vital products; backup supplier

Crisis Management

Creating Business Continuity PlansPROCESS Change Management Education Testing Group Plans and Procedures Testing Review Ongoing Process

Risk Reduction

Implement Standby Facilities Project

Create Planning Organization Recovery StrategyRisk Analysis

Business Impact Analysis Policy OrganizationResources Scope

Business Continuity Planning Initiation

Obtaining Management Commitment


BIA & Risk Assessment

Awareness Programs

Fiduciary Responsibility

Security Incident Detection & Response



Incident Response



Legal Action

Project Life CycleBusiness Req. Identify technology and business continuity risks from a business perspective BIA/ risk analysis RTO/RPO Ensure complete cost estimate Ensure appropriatel y protected end product

System Architecture Assess risks of new technology products Identify secure infrastructure requirements Identify secure administrative requirements Establish security responsibilities and servicelevel regulations Identify BC/DR strategies Establish security test strategy

System Design Translate security architecture to detailed security infrastructure design Develop security baselines for new technologies/ products Develop detailed security admin. design Develop detailed BCP/DR design/ strategy Develop draft SLAs Develop security test plan

Construct Build/code security infrastructure environment and processes Build/code security admin. environment, roles/profiles and processes Build BCP/DR environment, plans and processes Build/code security test plan, processes, scripts and test environment



Post Implement

Train secure Turn over administrati secure ve, application operations, infrastructure business to production unit, staff... Implement Identify secure security administrative noncomplia roles/profiles nce issues Implement Identify new business/ security continuity exposures DR Test environment BCP/DR plans to ensure that RTO/RPO is attainable

Identify changes to tested env. Finalize secure admin. env. and processes Finalize security infrastructure environment and processes Finalize BCP/DR env., plans and processes Assess SLA accuracy Finalize risk acceptance with business Ensure that info. security policies are current

E-Commerce BC Integrated ProcessesE-Biz Recovery Team

Risk Management (Financial, Technology, Operations)OSPs/ Business Partners Business Process Owner

E-Biz Project Manager Business Manager Risk Manager

Architecture and Standards

Rules and tools

Application and Tech Design

Business Continuity Mgr. Business continuity Business Operations Continuity strategy/design Architecture and Audit Design Security Incident identification/response IT IT Recovery management design Information Security IT OperationsBusiness Operations

Recovery/continuity strategy/ design

Information Security

Problem, Change, Performance, DR

Legal/ComplianceHR / Public Relations

Audit Financial and EDP

Problem Management Life CycleProblem Prevention and Planning Problem Identification and Impact AssessmentProblem Mgmt Team Business Process Owner Customer/Partner Relationship Owner

Problem Resolution

Problem Status/ Communication

Risk Management

Business ContinuityInformation Security

Root Cause Analysis

IT Technical Support

IT Applications SupportVendors/OSPs/Third Parties

Legal/CompliancePublic Relations

Too Much Testing and Reporting Is Never EnoughManagement Reporting is CriticalLocation, Business Process or Department Accounts Cash Order Accounts R&D Prod. Eng. Payable Fulfillment Receivable Mmgt.

BCP Phase Impact Analysis Risk Analysis Strategy Resources Committed Last Tested

Change Mgmt.Last Major Review Workable Solution Audit

What Is Your Cost of Downtime?Productivity Number of employees impacted X hours out X burdened hourly rate Damaged Reputation Customers Suppliers Financial markets Banks Business partners ... Revenue Direct loss Compensatory payments Lost future revenue Billing losses Investment losses Financial Performance

Revenue recognition Cash flow Lost discounts (A/P) Payment guarantees Know your downtime Credit rating costs per hour, day, two Stock price days...

Other Expenses Temporary employees, equipment rental, overtime costs, extra shipping costs, travel expenses...

Applying High Availability to Disaster RecoveryHot Standby or Assumes mirroring or shadowing plus Load-Balanced a complete application environment Database and/or file and/or object replication Mirroring Log/journal transfer (continuous or periodic) Shadowing net $$$+ host $$$+ Cost Database and/or file disk $$$$+ and/or object backup Electronic appl. $+ Elec. Journaling Vaulting Standard Recovery net $-$$+ net $$$+ net $ host $$+ host $$+ host $ disk $$$$+ disk $$$$+ net $ disk $ tape $ tape $ 72 48 24 12 hrs. hours hours hours Disaster Recovery Times Minutes

Designing E-Commerce Applications for No Single-Point-of-FailureSite Load Balancer Geographic Load Balancer Web Server Clusters Site Load Balancer

Application Server Clusters

Transaction Replication

Database Clusters

Database Replication

Database Clusters Standby or Active

Data Replication for Continuous AvailabilityDatabase Clusters Host-based Disk-based Database Clusters

Replication Methods Disk-to-Disk mirroring Log-based DBMS replicationServer-based block or file replication

Examples EMC SRDF, Compaq DRM, IBM PPRC and XRC, HDS HARC and HRC Quest Shareplex, Oracle Standby Database, ENET RRDF, SQL Server 2000 Legato Octopus, NSI Doubletake, Veritas SRVM Typically implemented with message-queuing middleware

Application-based replication

Emerging Technologies/Services Capacity on demand/emergency back-up

Wide-area clusters HP Continental Clusters IBM Geographically Dispersed Parallel Sysplex Cascading data replicationHost High Bandwidth (fiber) Disks Disks Disks Host Host

Tape Backup/Archival

Operational Site

Metropolitan/Regional Recovery Facility

Primary Recovery Site

Disaster Recovery: Market DynamicsLoad-Balanced (2+Sites)

HighAvailabilityBased Service Warm Site and Mobile Recovery Quick Ship 2000Warm Site and Mobile Recovery

Quick Ship 2004

Resource Internally or ExternallyInternal You have an alternative facility (50 km distant) BC vendors have insufficient capacity BC is a recognized and respected discipline You cannot economically benefit from syndication

External (shared) External You want to focus (dedicated) on core competencies You do not have an alternate facility You desire multisite continuous availability or hot standby support RTOs/RPOs are very short Getting management sign-off for dedicated capital is difficult Experience of supporting an invocation is important Your planning scenarios include loss of technical staff

North American Business Continuity MarketFull-Service Providers Comdisco Recovery Services and Web Availability Services IBM Business Continuity Recovery Services and Outsourcing Services SunGard Recovery Services and E-Sourcing

Business Continuity and Internet Services Professional services Planning software Hot/warm/cold standby Mobile/static facilities Mainframe/midrange/desktop Quick ship Peripherals Networks Work area Specialized ancillary services such as check processing and data recovery

Whats new Full-service Web-hosting with BC designed in, multisite infrastructures for continuous availability, Web site and network throttling for performance

Negotiating a Favorable BC Contract Balance Risk With Economies of ScaleCostAlways use competitive tendering, even at renewal Keep contracts to three years Unbundle cont


View more >