A Business Continuity Planning Toolkit Security 2008 – EDUCAUSE & Internet2 Security Professionals Conference Robert J. Block (B.J.), IT Security Analyst University of Rochester Beth Buse, Deputy Director of Internal Auditing Minnesota State Colleges and Universities Leslie Maltz, Deputy VP for IT Planning & Standards (retired) Columbia University
Copyright Leslie Maltz, Beth Buse, Robert Block, 2008 This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.
What would your college or university do if…. A fire destroyed your administration building? A tornado destroyed a resident hall? A water pipe burst and flooded your data center? Half of your faculty and staff called in sick? A bomb exploded in a classroom?
Terminology and Definitions All Hazards Planning – an integrated planning approach to all domestic terrorist attacks, major disasters, and other emergencies. Business Continuity Planning (also referred to as Continuity of Operations Planning and Service Continuation Planning) – process for determining an institution's ability to maintain or restore its business and academic services when some circumstance disrupts normal operations. Disaster Recovery Plan – refers to the technological portions of the business continuity plan. This plan contains the details to ensure systems and communications are restored within a predetermined timeframe. Business Impact Analysis - A management level analysis, which identifies the impacts of losing resources. This analysis measures the effect of resource loss and escalating losses over time, in order to provide senior management with reliable data upon which to base decisions on risk mitigation and continuity planning. Pandemic Planning – preparation in the event that the Avian Flu virus reaches pandemic stage. Emergency Response Plan – this plan includes details for responding to sudden states of danger that require immediate action.
Importance of Preparing Planning provides for backup If primary staff unavailable – who will do the work? If primary system is gone – how do we operate? If a specific building cannot be occupied – where do we go? Planning creates routines Routines create repetition and normalcy Normalcy generates calm instead of panic
Homeland Security Presidential Directives HSPD-5 Subject: Management of Domestic Incidents Established the National Incident Management System (NIMS) and National Response Plan (NRP) HSPD-8 Subject: National Preparedness Added definition to the National Response Plan (NRP) and established the term "all-hazards preparedness".
Homeland Security Vision Statement for Higher Education That all schools and universities are prepared to mitigate/prevent, respond to, and recover from all hazards, natural or man-made by having a comprehensive, all-hazards plan based on the key principles of emergency management to enhance school safety, to minimize disruption, and to ensure continuity of the learning environment. U.S. Department of Education Sector Specific Plan
MnSCU - All Hazards Plan MnSCU Board Policy 1A.10 Long Term Emergency Management Each college, and university and the Office of the Chancellor shall develop and maintain an All Hazards Plan that provides guidelines in the event of long term emergency. The plan shall be developed in accordance with guidelines developed and administered by the Office of the Chancellor in accordance with state and federal directions. The All Hazards Plan will include sections that address crisis intervention, continuity of operations, and emergency preparedness.
Minnesota State Colleges and Universities All Hazards Planning Architecture Emergency Preparedness Continuity of Operations Crisis Intervention Minnesota State Colleges and Universities All Hazards Plan
Minnesota State Colleges and Universities All Hazards Planning Architecture Continuity of Operations Facilities Functions Academic Functions Essential Services Communications Functions Operations Functions Pandemic Event Wind Event Healthcare/Student Services Functions Fire Event IT Services Event Special functions: Library and Information Services Public Safety IT System Support Athletics Other Water Event Utilities Loss Event Plan Elements
Where to Start? EDUCAUSE - Business Continuity Planning Toolkit: Provides a resource of guides, examples and templates Need to have executive level buy-in to succeed. Ideal: have dedicated resources Need to have a cross-functional team.
Business Impact Analysis If one of the afore mentioned disasters were to occur, how would you know where to focus your recovery efforts first.
Business Impact Analysis Definition: A management level analysis, which identifies the impacts of losing resources. This analysis measures the effect of resource loss and escalating losses over time. In order to provide senior management with reliable data upon which to base decisions on risk mitigation and continuity planning.
Goals of the Business Impact Analysis To establish the value of each organizational unit or resource as they relate to the function of the total organization To provide the basis for identifying the critical resources required to develop a business recovery strategy To establish an order or priority to restoring the function of the organization in the event of a disastrous event
Considerations Enterprise (or University) wide Goes beyond IT Need to have executive level buy-in Need to have a cross-functional team Willing to make tough decisions A time consuming effort
Terminology MTTR – Mean time to Recover MTBF – Mean Time Before Failure Criticality Level Tangible Impact Intangible Impact RPO – Recovery Point Objective RTO – Recovery Time Objective
Business Impact Analysis Phases Project Planning Data Collection Data Analysis Reporting Findings Approval for Next Phase
Business Impact Analysis Project Planning Identify Objectives Criticality of business functions Critical dependencies Impact of disruptions Critical resources Scope Departmental Facility Complex Region Organization
Business Impact Analysis Data Collection How to collect information from the community Questionnaire Interview Hybrid
Business Impact Analysis Data Collection Questionnaire Approach Design questionnaire Develop data analysis process Develop instructions Cover Letter Formal presentation Questionnaire distribution Questionnaire collection Interview Approach Develop interview guide Train interviewers Formal Presentation Schedule interview Conduct interview Validate
Business Impact Analysis Data Collection Topics to address Mission Service Objectives Dependencies Impacts over time Critical time periods Financial impact Operational impact Legal, regulatory, contractual requirements
Business Impact Analysis Data Collection Additional items to reference Mission Statements Service Objectives Service Level Agreements Organizational Charts Policies and Procedures
Business Impact Analysis Data Analysis Quantitative Impact Losses identified in quantities or percentages that can be described in monetary terms Qualitative Impact Intangible losses that can impact operationally but that can not be quantified in monetary terms
Business Impact Analysis Data Analysis List of business functions ordered by restoration time Consolidation Simplify the process Create priority levels Project lead confirms with management
Business Impact Analysis Report Findings Confirm findings with end users and functional departments Present formal findings to executive management
Business Impact Analysis Approval for Next Phase Just when you thought it was done… Begin moving on to the next phase
Business Impact Analysis Resources EDUCAUSE website ( ntinuity+Planning+Toolkit) Disaster Recovery Journal website (
Disaster Recovery No Longer an Optional Activity
Why Have a Disaster Recovery Plan? Natural and Man-Made emergencies cannot be prevented Preparedness means quick response Part of an All Hazards response effort Tough to function during an emergency It will never happen here is NOT TRUE
BUY-IN Clear mandate (Senior Executives) Facilities Staffing (DR and Business Unit staff) Coordination during emergencies Authority to take actions Funding Testing
Not Just for Central IT Units Business Units must identity and prioritize key resources and define acceptable risks This is NOT just a technology issue
Critical Resources Prioritization Dependencies/Relationships Alternate resources Command Centers Coordination/Management of Response Funding
Disaster Recovery Plan Gives a blueprint for reestablishing critical business processes under extraordinary conditions
Disaster Recovery Planning is NOT a One Time Activity You Must Have Frequent: Updates Drills Training Reviews
Identify Applications Determine Criticality Resources Needed Priorities and Dependencies
Identify Applications Have Business Units Review and Revise Priorities
Contact Information Identify (and keep current) staff contacts and all means for communication: Office Home Mobile addresses
Compile all Required Documentation Operational Documentation Emergency Recovery Action Templates (ERAT) Contact Info Command Center Inventory Checklist
Command Centers Identify Locations Establish and stock resources Inventory Checklists Schedule for inventory assessment
Duty Managers aka Team Leaders Schedule and Coverage Train Assess Command Center Inventory Substitution Procedure
Drills and Testing Table top exercises Real tests and emergencies Evaluate the response, procedures, and staff
Repeat!
Forms and Templates ERAT Emergency Application Template Log and Post Mortem Forms for use during and after emergencies and drills Contact Information Office, home, mobile phones Team Leader Training Team Leader Responsibilities Command Center Inventory Checklist
Business Continuity Planning Toolkit
Questions