Business Continuity and Disaster Recovery Planning

Business Continuity and Disaster Recovery Planning. Dr. Bhavani Thuraisingham, The University of Texas at Dallas (UTD), June 2015

Domain Agenda: Project Scope Development and Planning; Business Impact Analysis (BIA) and Functional Requirements; Business Continuity and Recovery Strategy; Plan Design and Development; Implementation; Restoration / Disaster Recovery; Feedback and Plan Management

Domain Objectives: Understand the planning process; Integrating BCP into the organization; Defining inputs and outputs of process; Understand the difference between BCP and DRP

Sources of Information: Disaster Recovery Institute International; Business Continuity Institute; ISO 25999; ISO 27001, Section 10; NIST SP 800-34

ISO 25999 (Business Continuity Management): Risk management; Disaster recovery; Facilities management; Supply chain management; Quality management; Health and safety; Knowledge management; Emergency management; Security; Crisis communications and PR

Overview of BCP: Direct benefits; Indirect benefits; Overlap with Risk Management; BCM vs. BCP vs. COOP

The Enterprise BCP: DRP; BIA; Incident response planning; Backup strategies; Emergency procedures; Contracts and provisioning; BIA; Reciprocal agreements; Alternate sites; Incident response planning; Succession Plan; Incident Response Team

The Enterprise BCP (cont.): Risk analysis; Safeguards / countermeasures; Insurance plan; Corporate communication plan; User awareness training; Media/stakeholder relations plan

The Business Continuity Life Cycle: Analyze the business; Assess the risks; Develop the BC strategy; Develop the BC plan; Rehearse the plan

BC Project Phases: Project Scope Development and Planning; Business Impact Analysis (BIA) and Functional Requirements; Business Continuity and Recovery Strategy; Plan Design and Development; Implementation; Restoration / Disaster Recovery; Feedback and Plan Management

Reflecting Organizational Context: Policy is the driver; Aligned with requirements; Provides direction and focus; Use Business Impact Analysis; Identify inputs; Outcomes and deliverables; Reviewed annually

Policy: Organizational authority; Policy document; Program scope; Resources; Outsourcing

Policy contents: Framework; Tools and techniques; Policy contents; Change is infrequent

Outsourced Activities: You are still responsible; Resilience in outsourcing; Supplier continuity

Scope and Choices: Limit scope; Ensure clarity of scope; Strategy, Return on Investment (ROI), and SWOT (Strengths, Weaknesses, Opportunities, Threats); Review yearly

Program Management: Assigning responsibilities; Initiating BCP in the organization; Project management; Ongoing management; Documentation; Incident readiness and response

Documentation: Review current BCP if available; Documentation may not equal capability; Staff must be trained to use any necessary software; Types of documentation; Review as directed by policy

Initiating BCP: Awareness, data, implementation; Staff and budget; Result must be a long-term, sustainable program; Review progress monthly

Incident Readiness & Response: Planners become leaders; Be prepared; Triage; Incident management; Success = Return to Operations; Immediate lessons learned

Key Indicators of Success: Senior management commitment; Policy content; BCP Resources; Project management; Documentation

BCP Project Phases: Project Scope Development and Planning; Business Impact Analysis (BIA) and Functional Requirements; Business Continuity and Recovery Strategy; Plan Design and Development; Implementation; Restoration / Disaster Recovery; Feedback and Plan Management

Understanding the Organization: Business Impact Analysis (BIA); Benefits; Objectives; Evaluating Threats (Risk Assessment); Emergency Assessment; Indicators of Critical Business Functions

Business Impact Analysis: Identifies, quantifies and qualifies loss; Scope and support required; Documents impact and dependencies; MTD, RPO; Business impact analysis process; Workshops, questionnaires, interviews; Business justifications for budget

Maximum Tolerable Period of Disruption
| Item | Required recovery time following a disaster |
|---|---|
| Non-essential | 30 days |
| Normal | 7 days |
| Important | 72 hours |
| Urgent | 24 hours |
| Critical/Essential | Minutes to hours |

Estimating Continuity Requirements: Total budget for disaster recovery; Identification of necessary resources; Outcomes feed BCP strategy selection; Reviewed with BIA

Evaluating Threats (Risk Assessment): Risk equation + time element; Risk = Threat impact * probability; Prioritize key processes and assets; Outcomes

Key Indicators of Success: Corporate governance; BIA practice; Risk assessment practice

BCP Project Phases: Project Scope Development and Planning; Business Impact Analysis (BIA) and Functional Requirements; Business Continuity and Recovery Strategy; Plan Design and Development; Implementation; Restoration / Disaster Recovery; Feedback and Plan Management

Determining Business Continuity Strategy: High-level strategies; RTO < MTPD; Separation distance; Resilience; Address specific business types

Determining Strategy: Determining BC strategies; Strategy options; Activity continuity options; Resource-level consolidation

Activity Continuity Options: Selecting recovery tactics; Reliability; Extent of planning; Cost/benefit analysis; Outcome

Recovery Alternatives
| Recovery alternative | Description | Readiness | Cost |
|---|---|---|---|
| Multiple processing / mirrored site | Fully redundant identical equipment and data | Highest level of availability and readiness | Highest |
| Mobile site / trailer | Designed, self-contained IT and communications | Variable drive time; load data and test systems | High |
| Hot site | Fully provisioned IT and office, HVAC, infrastructure and communications | Short time to load data, test systems. May be yours or vendor staff | |
| Warm site | Partially IT equipped, some office, data and voice, infrastructure | Days or weeks. Need equipment, data communications | Moderate |
| Cold site | Minimal infrastructure, HVAC | Weeks or more. Need all IT, office equipment and communications | Lowest |

Processing Agreements
| Agreement | Description | Consideration |
|---|---|---|
| Reciprocal or Mutual Aid | Two or more organizations agree to recover critical operations for each other. | Technology upgrades/obsolescence or business growth. Security and access by partner users |
| Contingency | Alternate arrangements if primary provider is interrupted, i.e. voice or data communications | Providers may share paths or lease from each other. Question them. |
| Service Bureau | Agreement with application service provider to process critical business functions. | Evaluate their loading geography and ask about backup mode. |

BCP Project Phases: Project Scope Development and Planning; Business Impact Analysis (BIA) and Functional Requirements; Business Continuity and Recovery Strategy; Plan Design and Development; Implementation; Restoration / Disaster Recovery; Feedback and Plan Management

Resource Level Consolidation: Consolidation plan; Availability of solutions; Consolidate, approve, implement; Methods and techniques; Outcomes and deliverables

Business Continuity Plan: Master plan; Modular in design; Executive endorsement; Review quarterly

Business Continuity Plan Contents: When team will be activated; Means by which the team will be activated; Places to meet; Action plans/task list created

Business Continuity Plan Contents: Responsibilities of the team or of specific individuals; Liaising with Emergency Services (fire, police, ambulance); Receiving or seeking information from response teams; Reporting information to the Incident Management Team; Mobilizing third party suppliers of salvage and recovery services; Allocating available resources to recovery teams; Invocation / mobilization instructions

Developing and Implementing Response: Incident response structure; Emergency response procedures; Personnel notification; Communications; Restoration

BCP Project Phases: Project Scope Development and Planning; Business Impact Analysis (BIA) and Functional Requirements; Business Continuity and Recovery Strategy; Plan Design and Development; Implementation; Restoration / Disaster Recovery; Feedback and Plan Management

Implementing Incident Management Plan: Rapid response is critical; Crisis management; Steps to develop an Incident Management Plan; Action plans

Incident Response Structure: Strategic; Tactical; Operational

Key Indicators of Success: Development and acceptance of Recovery Strategies and Business Continuity Plans

BCP Project Phases: Project Scope Development and Planning; Business Impact Analysis (BIA) and Functional Requirements; Business Continuity and Recovery Strategy; Plan Design and Development; Implementation; Restoration / Disaster Recovery; Feedback and Plan Management

Disaster Recovery: Salvage; Separate function and team; Facility restoration; System recovery

BCP Project Phases: Project Scope Development and Planning; Business Impact Analysis (BIA) and Functional Requirements; Business Continuity and Recovery Strategy; Plan Design and Development; Implementation; Restoration / Disaster Recovery; Feedback and Plan Management

Testing the Program: Find the flaws; Outsourcing; Timetable for tests; Test design process

Testing Types
| Types | Process | Participants | Frequency | Complexity |
|---|---|---|---|---|
| Desk Check | Check the contents of the plan, aid in maintenance. | Author | Often | LOW |
| Walk-through | Check interaction and roles of participants. | Author and main people | | |
| Simulation | Includes: business plans, buildings, communications | Main people and auditors | | |
| Parallel testing | Moves work to another site. Recreates the existing work from the displaced site. | Everyone at location | | |
| Full | Shuts down and relocates all work | Everyone at both locations | Rare | HIGH |

Embedding BCP: Assessing level of awareness and training; Developing BCP within the Culture; Monitoring cultural change

Test BCP Arrangements: Test, rehearsal, exercise; Combine all plan activities; Stringency, realism and minimal exposure; Contents of a test; Outcomes

Maintaining BCP Arrangements: Ready and embedded; Triggered by change management; Owners keep information current; Documented; Review as needed

Reviewing BCP Arrangements: Audit; Independent BCP audit opinion; As directed by audit policy

Factors for Success: Supported by senior management; Everyone is aware; Everyone is invested; Consensus

Assessing the Level of Awareness and Training: Where are we now; What does the policy state; Current vs. desired levels; Training framework in place

Developing a BCP Within the Organization’s Culture: Training, education, awareness; Well-implemented policy; Design; Delivery planning; Delivery; Cost effective delivery; Higher awareness

Domain Summary: Project Scope Development and Planning; Business Impact Analysis (BIA) and Functional Requirements; Business Continuity and Recovery Strategy; Plan Design and Development; Implementation; Restoration / Disaster Recovery; Feedback and Plan Management