three steps to a successful business continuity plan … · create dr, bcp and incident management...

Three Steps to A Successful Business Continuity Plan

Patrick Dunn, CBCP, CISSP
Practice Manager, Consonus Technology

The needs of the many outweigh the needs of the few or the one…

A Business Continuity Program is concerned about the needs of all – The People, The IT Infrastructure, The Facility and more. It’s more than just making sure you have backup media. It’s a proactive way of addressing recovery response capabilities.


Post on 22-May-2020




Has your company ever…

Run out of time during a hot-site test?

Been unable to respond or respond appropriately to a business outage or crisis?

Been unable to identify key applications or understand application interdependencies?

Failed an audit due to lack of or incomplete Disaster Recovery/Business Continuity Plans?

Asked the question: “WHAT IF?”

Atlanta Tornado 2008

Hurricane Katrina

BP Oil Spill Spring-Summer 2010

CA Fires 2008

It looks easy, but…

Disaster Recovery/Business Continuity is a very complex issue.

Success demands commitment at ALL levels of the organization.

Without this commitment, your BC/DR efforts will be unsuccessful.


Where do I start?

Educate yourself and develop a better understanding

Terminology

Know your environment

Regulatory, business drivers, etc.

Corporate politics

Obtain executive support

Develop business case

Work with a trusted advisor

Use a phased approach

Follow the 3 STEPS

1. Understand the organization & develop relevant strategies
2. Develop and implement a business continuity response
3. Exercise, maintain, review

Build awareness programs

Step 1 – Understand the Organization & Develop Relevant Strategies


Know What is Important

Business Impact Analysis

Risk Analysis and Assessment

Corporate Culture and Environment

Case Study: Manufacturing & Distribution Co.

Situation

This manufacturing company currently had no BC/DR plan in place and business needs did not align properly with IT assumptions.

Critical Issues

• Properly align IT assumptions with business

• Cost of downtime unknown

• Unconfirmed RTOs or RPOs

• Application interdependencies undefined

• Elimination of IT over-spend

Reasons

• Management needed to prioritize IT efforts to accommodate a limited budget

• Multiple facilities needed protection

• Could not pursue aggressive growth strategy without a BC/DR plan in place

Capabilities Provided

• Business Impact Analysis

• Business Continuity Consulting

• Professional Services

Results

• Cost of downtime defined

• Acceptable level of risk determined

• Recovery priorities identified

• Current/potential vulnerabilities addressed

• Existence of relevant threats uncovered

• Mapped departmental and application interdependencies

• Detailed BC/DR roadmap for the enterprise


Step 1a – Develop a Disaster Recovery Strategy

Explore all possible options

Remember to incorporate regulatory and PS-PREP requirements

Eliminate solutions that don’t meet all business and IT requirements

Perform cost benefit analysis on top remaining solutions

Acquire top management commitment to proceed

Step 2 – Develop & Implement a BC Response


Create DR, BCP and Incident Management Plans

Do not develop in a vacuum!!

Each functional area should develop their own recovery procedures

Assemble and merge all procedures required to establish an alternate processing and work site in the event of a disaster

Establish method of distributing, updating and protecting the plan

Create a “Public Facing” strategy document for vendors and clients

Develop a method of exercising and testing the plan

Incorporate Standards (i.e. PS-PREP)

Incorporate Disaster Recovery into your IT Methodology

Case Study: Accounting Services Company

Situation

This accounting services firm had no BC/DR strategy in place and no idea where to start.

Critical Issues

• No business continuity strategy

• Critical assets were unprotected

• No actionable recovery plans

Reasons

• The business was unprepared in the event of a data disaster or disruption in service.

• The business needed to protect valuable assets and mission-critical data.

Capabilities Provided

• A holistic BC/DR plan

• Detailed data recovery procedures

• Verifiable technical recovery capabilities

• Plans for end user access

Results

“This detailed BC/DR plan has given us peace of mind that our customer data and essential business systems are protected in the event of a disaster. We now have policies in place to safeguard our business against outages, downtime, outside data threats, even hurricanes. Consonus covered it all.”

--President and COO, Accounting Services Company


Step 3 – Exercise, Maintain, Review

Testing

The more you test, the better your tests and recoveries will be

Baby Steps – Start small and work your way up

Include scenario-based exercises and alternate data centers/hot-sites

PLAN, PLAN, PLAN – at least 8 planning sessions prior to a test

Have both achievable and stretch goals

Conduct offsite tests if possible

Involve vendors and end users, as well as IT

Remember to perform a post-mortem and incorporate into your lessons learned

Publish test results internally, as well as a sanitized version in your public-facing documents

Case Study: A Biopharmaceuticals Company


Situation

This biopharmaceutical company needed to improve their current BC/DR plan to more thoroughly define a recovery strategy and establish a roadmap for business continuity.

Critical Issues

• Application interdependencies unknown

• No recovery priorities

• Could not validate RTOs or RPOs

• No actionable recovery plans

Reasons

• A recent Business Impact Analysis (BIA) provided the cost of downtime and its impact on the business.

• The company was vulnerable to multiple recovery challenges.

• Management needed to mitigate risk and proactively protect the business against disastrous events.

Capabilities Provided

• Business Continuity Assessment

• Disaster Recovery Tabletop Exercises

• Vulnerability Assessment

• IT Professional Services

Results

• Mapped departmental and application interdependencies

• Documented recovery priorities

• Actionable plans for business continuity throughout the Enterprise

• Documented Gap Analysis of business versus IT disaster recovery expectations

• Relevant exercises of disaster recovery plans for selected departments

• A recovery plan that can be validated

Updating Plans

Quarterly

After every test

When IT infrastructure changes

After key executive or resource changes

Obtain executive signoff and approval

If using a hot-site provider, make sure your Schedule A is up-to-date


Is that it? ... NO WAY!

Crisis Management

Pandemic Planning

Information Security

Update and Test

All part of a BCM plan

A BCM solution is a living, breathing entity that must be fed and nurtured.

Recommendations

Use a trusted advisor to assist you in the process

Require assistance from strategic suppliers

Know PS-PREP and its implications

Learn from others

Attend conferences

When using consultants, require knowledge transfer

Immerse yourself in the subject


Questions?

For More Information Contact:

Patrick Dunn, CBCP, CISSP
Practice Manager, Consonus Technologies

www.consonus.com/[email protected]

770-777-7923

Come by our booth and learn about our BC/DR offerings plus talk to a consultant, obtain additional case studies and more!
