Operational Resilience DR’s Big Data Dilemma September 16, 2015 Datalink IT Resiliency Practice.


“The significant problems we face today cannot be solved at the same level of thinking we were at when we created them.” - Albert Einstein

Common Business Demands and Solutions

Demand: We need a cloud strategy
Solution: Determine if public or hybrid cloud is a possibility for the organization by using criteria from best practice

Demand: Understand if my infrastructure costs are in line with a hybrid or private cloud approach
Solution: Develop Total Cost of Ownership models for private, public and hybrid cloud to determine best-fit hosting options

Demand: Where do I place a new workload?
Solution: Develop a decision tool for new workload placement based on business requirements and other criteria provided by IT consumers

Demand: Choosing a specific cloud architecture that suits the needs of the business
Solution: Review various workload models and converged infrastructure options to determine optimal cloud architecture for the enterprise

Demand: Proper handling and efficient resource utilization of new and existing workloads
Solution: Determine which workloads are fit for public or private cloud

Demand: Difficulties in balancing workloads across various private or public cloud environments
Solution: Develop a decision tool to determine which workloads are fit for migration to public cloud

Demand: Protect the Company’s data and keep all data secure
Solution: Develop criteria for mapping Company workloads to strategic providers

Demand: Develop a Service Provider Strategy for my organization
Solution: Determine which service providers meet the needs of the business and the IT organization’s requirements

Agenda
- Reality check
- Why? - The role of Operational Resilience
- How? - Relationships & Governance
- What? - Things to do to set a solid foundation

The role of operational resilience Why?

Reality Check

Key Challenges
- Greater organizational complexity
- Increasing dependence on technology
- Growing number of products and channels
- Increasing transaction volumes
- Growing competition
- More stringent regulatory landscape

Performance Demands
- Maintain operating and net margins
- Maintain service levels
- Minimize Business Disruption incidents
- Minimize loss events
- Maintain compliance with all regulations

Operational Resilience Why do we manage it? Is it to comply with regulatory requirements? …to protect from failure? …to create value?

Relationships and Governance How…?

BCM Relationship Model (diagram labels): Contractual Obligations (SLAs); Market Forces; Industry Trends; Regulatory Landscape; Functional Areas; Influence; Cooperation; Partnership; BCM; Audit; Security; ERM; Executive Management; Business Strategy; Direction

Things to do to set a solid foundation What…?

Regulatory Demands
– SANS
  The SANS Institute was established in 1989 as a cooperative research and education organization.
– ISO
  The ISO family of standards helps organizations keep information assets secure.
– SAS 70
  Statement on Auditing Standards (SAS) No. 70, Service Organizations, was a widely recognized auditing standard developed by the American Institute of Certified Public Accountants.
– FFIEC
  The Federal Financial Institutions Examination Council (FFIEC) was established on March 10, 1979, pursuant to title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law. In 1989, title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Appraisal Subcommittee (ASC) within the Examination Council.

Regulatory Demands continued
– National Institute of Standards and Technology
  Founded in 1901 and now part of the U.S. Department of Commerce, NIST is one of the nation's oldest physical science laboratories.
– FINRA
  FINRA is dedicated to investor protection and market integrity through effective and efficient regulation of the securities industry.
– SOX
  Sarbanes–Oxley Act of 2002 also known as the "Public Company Accounting Reform and Investor Protection Act" (in the Senate) and "Corporate and Auditing Accountability and Responsibility Act"
– HIPAA
  The HIPAA Privacy regulations require health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared.
– Consumer Privacy Bill of Rights Act of 2015

Using this family of standards will help your organization manage information entrusted to your organization.

Situation
- Business requirements around data protection are not defined or are outdated
- Backup architecture is out of date
- Archival technology (tape) and methodology is not in use today
- Customer backs up everything in their environment
- Retention policy is non-existent or limited
- Backup admins are overloaded managing the environment
  – Staff are reactive versus proactive
  – BURA reporting is time consuming with limited benefits
- Backup costs are out of control

Background and Objectives

Customer’s IT organization needs to validate their current backup environment from a technical and operational perspective. Highlights would include:
- Validate “Current” State with opportunities to improve backup governance and service standardization
- Envision “Future” State based upon their business/backup/retention requirements and leverage industry “best practices”
- Identify Gaps between “Current” and “Future” State Backup, Recovery and Archive (BURA)
- Establish a Roadmap/Timeline with ROI to Close Gaps

BCM – Program Management Model

In summary…

Putting it all together
- “Begin with the end in mind” - Do we know why?
- Frameworks should be adapted to your organization’s needs, NOT the other way around - Do we know how?
- Regardless of the chosen framework, develop an integrated governance model - Do we know who?
- Start where you are and build from there - Do we have a defined road map?
- Measure and report - Have we defined KPIs?

Foundation for Operational Resilience: KPIs, Governance, Business Alignment

Questions Paul Thomann Manager – IT Resiliency Practice Manager

Thank You!