BCP/DRP Consultancy Project- An approach By D V Ramamohan Global Head of IT Consultancy Practice 3i Infotech Ltd

Agenda Overview of BCM- BCP/DRP ? Approach to Execution of BCP/DRP Assignments Interaction

What is BCM………….. Business Continuity Management is an holistic management process that identified potential impacts that threaten an organization and provides a framework for building resilience and capability for an effective response that safeguards the interest of its key stakeholders, reputation, brand and value creating activities. Business continuity means maintaining the uninterrupted availability of all key business resources required to support essential business activities.

What is BCP/DRP? The difference between business continuity and disaster recovery is not a ‚what' but a ‚whose'. This holistic view of business continuity management differs from what many managers traditionally term Disaster Recovery Planning which has been closely, if not solely, associated with information technology. By changing the focus, the emphasis is placed on the whole business, not just on technology issues alone. This reinforces the concept of continuity of all key processes, extending beyond information technology systems, important though they are in modern business.

Threats to Availability Why BCP-DRP…. COMPONENT FAILURE DATA CORRUPTION APPLICATION FAILURE MAINTENANCE USER ERROR SITE OUTAGE Why BCP-DRP….

Business Continuity Planning A few definitions to get started: … a “disaster” The cake I was baking to bring to Xmas dinner He lost a laptop with the only copy of his thesis She lost her research and papers in the lab fire Payroll system failed the day before payday Asbestos released in a dorm renovation The death of a student The Northeast blackout The recent tsunami

Business Continuity Planning … a “disaster” is an event, often unexpected, that seriously disrupts your usual operations or processes and can have long term impact on your normal way of life or that of your organization.

Business Continuity Planning A few definitions to get started: … RTO [Recovery Time Objective] the point in time when you must have at least the critical aspects of your business operational again. Define disaster as a crisis

Business Continuity Planning A few definitions to get started: …RPO [Recovery Point Objective] The last copy of your data that is out of harm’s way – hopefully it is recently current. Though initially defined for IT these terms also apply outside of IT

Business Continuity Planning The Risk Matrix PROBABILITY LOW HIGH NORMAL PROCEDURES LOW IGNORE IMPACT CHANGE SOMETHING Change HIGH PLAN

Business Continuity Planning Network Operations Disruptions Power Hardware Source: Gartner Group and Comdisco

Goals of Disaster Recovery Planning Disaster scenarios and Recovery Strategies: “Building on fire / Shambles” Alternate Site, Hot site vendor, Data vaulting Facility stands inaccessible Remote connectivity, tape libraries Facility accessible, physical failure Redundant systems, HW Vendor SLA’s Facilitate & equip operational, logical failure Standards, Documented procedures, security

Why DRP?.....Few statistics Major disasters: 9/11attack, UK bombings, Flooding in Mumbai, Earthquake in Indonesia Other statistics: % of Hardware failure % of Operational error Cost per hour of downtime? - $ 78000 Average incidents per hour? 9 Hours per incidents? 4.2 hrs Downtime cost per year? $ 2,970,000 (Research shows 80%) Source: Contingency Planning Research conducted on 450 fortune 1000 companies

Let us execute an DRP assignment…

What will be scope of work Subjects: IT Systems/Applications/Data Data Centre/Facilities/Services People Technical/Functional: Disaster Recovery Strategy and Solutions Disaster Recovery Plan and Procedures Implementation Guidance to implement proposed solutions Testing the Plan Training

What will be the deliverables…. Business Impact Study Analysis and Risk Assessment Report Disaster Recovery Strategy vis-à-vis Scenarios DR Solution Architecture DR Team Organization and Roles Disaster Recovery Plan and Procedures Setting up Disaster Recovery Site, if need be Test Plans/ Mock drills reports Maintenance Plan Training

What should be the Approach…….. Project Management Methodology: Your own…. Kick off meeting Execution Closure meeting Execution of assignment: Step one: Key IT Assets identification and RA Step two: Business impact analysis (BIA) Step three: Design continuity treatments Step four: Document the Plans Step Five: Implement continuity treatments Step Six: Test and maintain the plan Step Seven: Training

Step one: Key IT Assets identification and RA

Asset identification… Obtain/inventory the key assets Hardware System Software Applications Data People Facilities/Services Perform Risk Analysis Qualitative Quantitative Judgemental

Risk Assessment and Management Asset Identification And valuations Identification of vulnerabilities Identification of threats Asset Identification And valuations Business Riks Rating/Ranking Of Risks Level of Acceptable Risk

Step Two: Business Impact Analysis

Business Impact Analysis Establish the Organization’s Recovery requirements Requirements defined by Business Units Identify and Define Critical Business Processes Identify Systems Identify Recovery Timeframes and Recovery objectives for each process IT Department’s involvement is the enabler for the Plan

Step Three: Design Continue treatments

(Recovery Point Objective) (Recovery Time Objective) Recovery objectives Wks Days Hrs Mins Secs Secs Mins Hrs Days Wks Data Loss (Recovery Point Objective) Downtime (Recovery Time Objective) Mirroring / Replication Clustering Backup Restore from Disk Vaulting Restore from Tape

Step Four: Document the plans

Document Plans Organization of the Teams Detailed Procedures – Technical & Manual Workarounds Emergency Response Flow Emergency Contact Lists Crash Kits

Business Continuity Committee (Management Authorization) BCP Team Organization Business Continuity Committee (Management Authorization) Execution Teams BCP Team Leader BCP Spokesperson Internal Auditor Emergency Action Team Damage Asst. & Salvage Team Relocation Team IT Admin, Security & Support Team Operations

Documentation should cover Risk Management Environmental Management Emergency Management Crisis Management IT Disaster Recovery Knowledge Management Facility Management Human Management Supply Chain Management Security and Privacy Health and Safety Communications PR Enterprise business process, people and technology

Step Five: Implement Continue Treatments

Step six: Test/Exercise the plans

Test/Exercising the Plans Controlled Test of Procedures Structured Walkthroughs Desktop Tests Simulation Test Partial Technical Tests Full Scale Tests Allows Management to understand: Inaccuracies Omissions Apply Lessons Learned Revise Procedures & Incorporate into the Plan

Step six: Training…

Training………. Create Corporate Awareness of Developed Plans Team needs to be made knowledgeable of their role Training Primary & Alternates Contacts Awareness on task handling (JD) for Team “Management Support is Key for any BCP-DR Activity”

Few websites… www.pas56.com Guide for BCM www.thebci.org for BC Guidelines www.bsi-global.com for BS25999 (Replacement of PAS 56) www.iso.org/iso/catalogue_detail?csnumber=41532 for ISO/IEC 24762:2008

Interaction