TRANSCRIPT
Three Steps to a Successful Business Continuity Plan
Patrick Dunn, CBCP, CISSP
Practice Manager, Consonus Technology
The needs of the many outweigh the needs of the few or the one…
A Business Continuity Program is concerned about the needs of all – The People, The IT Infrastructure, The Facility and more. It’s more than just making sure you have backup media. It’s a proactive way of addressing recovery response capabilities.
Has your company ever…
Run out of time during a hot-site test?
Been unable to respond or respond appropriately to a business outage or crisis?
Been unable to identify key applications or understand application interdependencies?
Failed an audit due to lack of or incomplete Disaster Recovery/Business Continuity Plans?
Asked the question: “WHAT IF?”
Atlanta Tornado 2008
Hurricane Katrina
BP Oil Spill Spring-Summer 2010
CA Fires 2008
It looks easy, but…
Disaster Recovery/Business Continuity is a very complex issue.
Success demands commitment at ALL levels of the organization.
Without this commitment, your BC/DR efforts will be unsuccessful.
Where do I start?
Educate yourself and develop a better understanding
Terminology
Know your environment
Regulatory, business drivers, etc.
Corporate politics
Obtain executive support
Develop business case
Work with a trusted advisor
Use a phased approach
Follow the 3 STEPS
1. Understand the organization & develop relevant strategies
2. Develop and implement a business continuity response
3. Exercise, maintain, review
Build awareness programs
Step 1 – Understand the Organization & Develop Relevant Strategies
Know What is Important
Business Impact Analysis
Risk Analysis and Assessment
Corporate Culture and Environment
Case Study: Manufacturing & Distribution Co.
Situation
This manufacturing company currently had no BC/DR plan in place and business needs did not align properly with IT assumptions.
Critical Issues
Properly align IT assumptions with business
Cost of downtime unknown
Unconfirmed RTOs or RPOs
Application interdependencies undefined
Reasons
Management needed to prioritize IT efforts to accommodate a limited budget
Elimination of IT over-spend
Multiple facilities needed protection
Could not pursue aggressive growth strategy without a BC/DR plan in place
Capabilities Provided
Business Impact Analysis
Business Continuity Consulting
Professional Services
Results
• Cost of downtime defined
• Acceptable level of risk determined
• Recovery priorities identified
• Current/potential vulnerabilities addressed
• Existence of relevant threats uncovered
• Mapped departmental and application interdependencies
• Detailed BC/DR roadmap for the enterprise
Step 1a – Develop a Disaster Recovery Strategy
Explore all possible options
Remember to incorporate regulatory and PS-PREP requirements
Eliminate solutions that don’t meet all business and IT requirements
Perform cost benefit analysis on top remaining solutions
Acquire top management commitment to proceed
Step 2 – Develop & Implement a BC Response
Create DR, BCP and Incident Management Plans
Do not develop in a vacuum!!
Each functional area should develop their own recovery procedures
Assemble and merge all procedures required to establish an alternate processing and work site in the event of a disaster
Establish method of distributing, updating and protecting the plan
Create a “Public Facing” strategy document for vendors and clients
Develop a method of exercising and testing the plan
Incorporate Standards (i.e. PS-PREP)
Incorporate Disaster Recovery into your IT Methodology
Case Study: Accounting Services Company
Situation
This accounting services firm had no BC/DR strategy in place and no idea where to start.
Critical Issues
No business continuity strategy
Critical assets were unprotected
No actionable recovery plans
Reasons
The business was unprepared in the event of a data disaster or disruption in service.
The business needed to protect valuable assets and mission-critical data.
Capabilities Provided
A holistic BC/DR plan
Detailed data recovery procedures
Verifiable technical recovery capabilities
Plans for end user access
Results
“This detailed BC/DR plan has given us peace of mind that our customer data and essential business systems are protected in the event of a disaster. We now have policies in place to safeguard our business against outages, downtime, outside data threats, even hurricanes. Consonus covered it all.”
--President and COO, Accounting Services Company
Step 3 – Exercise, Maintain, Review
Testing
The more you test, the better your tests and recoveries will be
Baby Steps – Start small and work your way up
Include scenario-based exercises and alternate data centers/hot-sites
PLAN, PLAN, PLAN – at least 8 planning sessions prior to a test
Have both achievable and stretch goals
Conduct offsite tests if possible
Involve vendors and end users, as well as IT
Remember to perform a post-mortem and incorporate into your lessons learned
Publish test results internally, as well as a sanitized version in your public-facing documents
Case Study: A Biopharmaceuticals Company
Situation
This biopharmaceutical company needed to improve their current BC/DR plan to more thoroughly define a recovery strategy and establish a roadmap for business continuity.
Critical Issues
Application interdependencies unknown
No recovery priorities
Could not validate RTOs or RPOs
No actionable recovery plans
Reasons
A recent Business Impact Analysis (BIA) provided the cost of downtime and its impact on the business.
The company was vulnerable to multiple recovery challenges.
Management needed to mitigate risk and proactively protect the business against disastrous events.
Capabilities Provided
Business Continuity Assessment
Disaster Recovery Tabletop Exercises
Vulnerability Assessment
IT Professional Services
Results
• Mapped departmental and application interdependencies
• Documented recovery priorities
• Actionable plans for business continuity throughout the Enterprise
• Documented Gap Analysis of business versus IT disaster recovery expectations
• Relevant exercises of disaster recovery plans for selected departments
• A recovery plan that can be validated
Updating Plans
Quarterly
After every test
When IT infrastructure changes
After key executive or resource changes
Obtain executive signoff and approval
If using a hot-site provider, make sure your Schedule A is up-to-date
Is that it? ... NO WAY!
Crisis Management
Pandemic Planning
Information Security
Update and Test
All part of a BCM plan
A BCM solution is a living, breathing entity that must be fed and nurtured.
Recommendations
Use a trusted advisor to assist you in the process
Require assistance from strategic suppliers
Know PS-PREP and its implications
Learn from others
Attend conferences
When using consultants, require knowledge transfer
Immerse yourself in the subject
Questions?
For More Information Contact:
Patrick Dunn, CBCP, CISSP
Practice Manager, Consonus Technologies
www.consonus.com/[email protected]
770-777-7923
Come by our booth and learn about our BC/DR offerings plus talk to a consultant, obtain additional case studies and more!