A Business Continuity Planning Toolkit Security 2008 – EDUCAUSE & Internet2 Security Professionals Conference Robert J. Block (B.J.), IT Security Analyst.

Presentation transcript:

A Business Continuity Planning Toolkit Security 2008 – EDUCAUSE & Internet2 Security Professionals Conference Robert J. Block (B.J.), IT Security Analyst University of Rochester Beth Buse, Deputy Director of Internal Auditing Minnesota State Colleges and Universities Leslie Maltz, Deputy VP for IT Planning & Standards (retired) Columbia University

Copyright Leslie Maltz, Beth Buse, Robert Block, 2008 This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.

What would your college or university do if…
- A fire destroyed your administration building?
- A tornado destroyed a residence hall?
- A water pipe burst and flooded your data center?
- Half of your faculty and staff called in sick?
- A bomb exploded in a classroom?

Terminology and Definitions
- All Hazards Planning – an integrated planning approach to all domestic terrorist attacks, major disasters, and other emergencies.
- Business Continuity Planning (also referred to as Continuity of Operations Planning and Service Continuation Planning) – process for determining an institution's ability to maintain or restore its business and academic services when some circumstance disrupts normal operations.
- Disaster Recovery Plan – refers to the technological portions of the business continuity plan. This plan contains the details to ensure systems and communications are restored within a predetermined timeframe.
- Business Impact Analysis – a management level analysis, which identifies the impacts of losing resources. This analysis measures the effect of resource loss and escalating losses over time, in order to provide senior management with reliable data upon which to base decisions on risk mitigation and continuity planning.
- Pandemic Planning – preparation in the event that the Avian Flu virus reaches pandemic stage.
- Emergency Response Plan – this plan includes details for responding to sudden states of danger that require immediate action.

Importance of Preparing
- Planning provides for backup
  - If primary staff unavailable – who will do the work?
  - If primary system is gone – how do we operate?
  - If a specific building cannot be occupied – where do we go?
- Planning creates routines
  - Routines create repetition and normalcy
  - Normalcy generates calm instead of panic

Homeland Security Presidential Directives
- HSPD-5, Subject: Management of Domestic Incidents
  - Established the National Incident Management System (NIMS) and National Response Plan (NRP)
- HSPD-8, Subject: National Preparedness
  - Added definition to the National Response Plan (NRP) and established the term "all-hazards preparedness".

Homeland Security Vision Statement for Higher Education That all schools and universities are prepared to mitigate/prevent, respond to, and recover from all hazards, natural or man-made by having a comprehensive, all-hazards plan based on the key principles of emergency management to enhance school safety, to minimize disruption, and to ensure continuity of the learning environment. U.S. Department of Education Sector Specific Plan

MnSCU - All Hazards Plan MnSCU Board Policy 1A.10 Long Term Emergency Management Each college, and university and the Office of the Chancellor shall develop and maintain an All Hazards Plan that provides guidelines in the event of long term emergency. The plan shall be developed in accordance with guidelines developed and administered by the Office of the Chancellor in accordance with state and federal directions. The All Hazards Plan will include sections that address crisis intervention, continuity of operations, and emergency preparedness.

Minnesota State Colleges and Universities All Hazards Planning Architecture Emergency Preparedness Continuity of Operations Crisis Intervention Minnesota State Colleges and Universities All Hazards Plan

Minnesota State Colleges and Universities All Hazards Planning Architecture Continuity of Operations Facilities Functions Academic Functions Essential Services Communications Functions Operations Functions Pandemic Event Wind Event Healthcare/Student Services Functions Fire Event IT Services Event Special functions: Library and Information Services Public Safety IT System Support Athletics Other Water Event Utilities Loss Event Plan Elements

Where to Start?
- EDUCAUSE Business Continuity Planning Toolkit: provides a resource of guides, examples and templates
- Need to have executive level buy-in to succeed
- Ideal: have dedicated resources
- Need to have a cross-functional team

Business Impact Analysis
If one of the aforementioned disasters were to occur, how would you know where to focus your recovery efforts first?

Business Impact Analysis
Definition: A management level analysis, which identifies the impacts of losing resources. This analysis measures the effect of resource loss and escalating losses over time, in order to provide senior management with reliable data upon which to base decisions on risk mitigation and continuity planning.

Goals of the Business Impact Analysis
- To establish the value of each organizational unit or resource as they relate to the function of the total organization
- To provide the basis for identifying the critical resources required to develop a business recovery strategy
- To establish an order or priority to restoring the function of the organization in the event of a disastrous event

Considerations
- Enterprise (or University) wide
- Goes beyond IT
- Need to have executive level buy-in
- Need to have a cross-functional team
- Willing to make tough decisions
- A time consuming effort

Terminology
- MTTR – Mean Time to Recover
- MTBF – Mean Time Before Failure
- Criticality Level
- Tangible Impact
- Intangible Impact
- RPO – Recovery Point Objective
- RTO – Recovery Time Objective

Business Impact Analysis Phases
- Project Planning
- Data Collection
- Data Analysis
- Reporting Findings
- Approval for Next Phase

Business Impact Analysis: Project Planning
- Identify Objectives
  - Criticality of business functions
  - Critical dependencies
  - Impact of disruptions
  - Critical resources
- Scope
  - Departmental
  - Facility
  - Complex
  - Region
  - Organization

Business Impact Analysis: Data Collection
How to collect information from the community
- Questionnaire
- Interview
- Hybrid

Business Impact Analysis: Data Collection
- Questionnaire Approach
  - Design questionnaire
  - Develop data analysis process
  - Develop instructions
  - Cover letter
  - Formal presentation
  - Questionnaire distribution
  - Questionnaire collection
- Interview Approach
  - Develop interview guide
  - Train interviewers
  - Formal presentation
  - Schedule interview
  - Conduct interview
  - Validate

Business Impact Analysis: Data Collection
Topics to address
- Mission
- Service Objectives
- Dependencies
- Impacts over time
- Critical time periods
- Financial impact
- Operational impact
- Legal, regulatory, contractual requirements

Business Impact Analysis: Data Collection
Additional items to reference
- Mission Statements
- Service Objectives
- Service Level Agreements
- Organizational Charts
- Policies and Procedures

Business Impact Analysis: Data Analysis
- Quantitative Impact: losses identified in quantities or percentages that can be described in monetary terms
- Qualitative Impact: intangible losses that can have an operational impact but that cannot be quantified in monetary terms

Business Impact Analysis: Data Analysis
- List of business functions ordered by restoration time
- Consolidation
- Simplify the process
- Create priority levels
- Project lead confirms with management

Business Impact Analysis: Report Findings
- Confirm findings with end users and functional departments
- Present formal findings to executive management

Business Impact Analysis Approval for Next Phase Just when you thought it was done… Begin moving on to the next phase

Business Impact Analysis Resources EDUCAUSE website ( ntinuity+Planning+Toolkit) Disaster Recovery Journal website (

Disaster Recovery No Longer an Optional Activity

Why Have a Disaster Recovery Plan?
- Natural and man-made emergencies cannot be prevented
- Preparedness means quick response
- Part of an All Hazards response effort
- Tough to function during an emergency
- "It will never happen here" is NOT TRUE

BUY-IN
- Clear mandate (Senior Executives)
- Facilities
- Staffing (DR and Business Unit staff)
- Coordination during emergencies
- Authority to take actions
- Funding
- Testing

Not Just for Central IT Units
- Business Units must identify and prioritize key resources and define acceptable risks
- This is NOT just a technology issue

Critical Resources
- Prioritization
- Dependencies/Relationships
- Alternate resources
- Command Centers
- Coordination/Management of Response
- Funding

Disaster Recovery Plan
Gives a blueprint for reestablishing critical business processes under extraordinary conditions

Disaster Recovery Planning is NOT a One Time Activity
You Must Have Frequent:
- Updates
- Drills
- Training
- Reviews

Identify Applications
- Determine Criticality
- Resources Needed
- Priorities and Dependencies

Identify Applications
Have Business Units Review and Revise Priorities

Contact Information Identify (and keep current) staff contacts and all means for communication: Office Home Mobile addresses

Compile all Required Documentation
- Operational Documentation
- Emergency Recovery Action Templates (ERAT)
- Contact Info
- Command Center Inventory Checklist

Command Centers
- Identify Locations
- Establish and stock resources
- Inventory Checklists
- Schedule for inventory assessment

Duty Managers aka Team Leaders
- Schedule and Coverage
- Train
- Assess Command Center Inventory
- Substitution Procedure

Drills and Testing
- Table top exercises
- Real tests and emergencies
- Evaluate the response, procedures, and staff

Repeat!

Forms and Templates
- ERAT
  - Emergency Application Template
- Log and Post Mortem
  - Forms for use during and after emergencies and drills
- Contact Information
  - Office, home, mobile phones
- Team Leader Training
  - Team Leader Responsibilities
- Command Center Inventory Checklist

Business Continuity Planning Toolkit

Questions