BC / DR Implementation Tying Disaster Recovery Investment to Measurable Business Value

Transcription

1 BC / DR Implementation Tying Disaster Investment to Measurable Business Value Continuity Insights Conference May 16-18, 2005 Agenda Purpose Discuss best practice process and tools that might be leveraged to accelerate IT Disaster program Agenda Introductions Level-set Business Continuity terminology and concepts Best practice BC / DR program implementation considerations BC / DR Integration Issues 2 Implementation Considerations The Business Continuity Program Life Cycle modified U.S. DoD graphic Normal Operations Incident Occurs Return to Normal Operations Capability Minimum Acceptable Level of Capability Emergency Response Risk Avoidance Risk Mitigation Restoration Contingency Planning and Crisis Management Proactive BCM Activities Prevention and Preparedness Risk Avoidance Proactive BCM Activities Reactive BCM Activities Prevention and Preparedness Response, & Restoration 3 1

2 What is Business Continuity? The four central disciplines Incident Management All aspects of emergency response, crisis management, and any other activities involved in command, control, and communications during a disastrous event Security Management Physical security, information security, and any other activities associated with protecting the integrity of targeted information and Technology Ensuring that all critical assets including information systems hardware, software, networks and applications are recoverable within defined recovery time objectives Business Ensuring that critical business functions and are recoverable within defined recovery time objectives 4 The Business Continuity Plans 6 BC Plans Working Together Incident Occurs Normal Operations Mitigation Action Plan may allow organization to avoid disruption Crisis Management Plan Activated Emergency Response Preparing for and of Damage Assessment Critical Operations Normal Operations Minimal Acceptable Level of Capability Hour 0 Begins Operating in Implement mode Restoration Plan Disaster Plan Activated Restoration Back to in place Begins Normal Emergency Response Plan Save lives and protect assets Conduct damage assessment Site Emergency Operations Center (EOC) Crisis Management Plan Executive Command Center (ECC) Regional and/or higher ECC(s) activated Command, Control, and Communications Mitigation Action Plan Tasks to initiate mitigation action(s) Avoid or minimize disruption Business Plan Ensure that critical functions continue to be performed Departmental Plans Requires EOC communications and authorizations Disaster Plan Ensure critical technical infrastructure is available Hot site recovery Restoration Plan A plan to return to normal operations 5 BC / DR Program Launch Strategy 7-Step approach to a sustainable BC / DR program Steps 1 6: BC / DR Project 1-time project Initiate BC / DR at sites in scope Integrate all BC disciplines Develop initial BC / DR plans Conduct first BC / DR plan tests Step 7: BC / DR Program Institutionalize BC / DR Annually repeat Steps 1 6 Link to Change Management Evolve BC / DR competency Utilize Business Continuity Maturity Model SM Improve state-of-preparedness 6 2

3 DR Methodology Summary Current status of your Company s DR Initiative Step 1- Scope DR Project Assemble Project Leadership Team Assemble Local Implementation Team Assemble Technology Teams incl. solution engineering / implementation Determine systems "in scope" and "out-of-scope Step 2 - Conduct DR Data Collection Business Impact Data Application and Systems Impact Data Step 3 - Complete DR Impact Analysis RTO determination RPO cost/benefit analysis System Dependency Analysis incl. infrastructure systems Physical / cyber / business risk assessment 7 DR Methodology Summary Current status of your Company s DR Initiative Step 4 - Formulate DR Strategies Systems Scalability Sequence DR Strategy Workbook Solution Engineering Authorization to proceed Step 5 - Implement Solutions and Document DR Plans Solution implementation Assemble DR Organization Document DR Plans Desk Check DR Plans 8 DR Methodology Summary Current status of your Company s DR Initiative Step 6 Test DR Plans Develop DR Test Strategy Schedule DR Test Conduct and Monitor DR Test Post-mortem DR Test Step 7 Maintain DR Plans Update DR Plans Link DR Plans to ISM Change Management Baseline DR Competency Establish Competency Goals and Annual Program 9 3

4 PAGE 1 Step GLOBAL BUSINESS CONTINUITY & DISASTER RECOVERY - LEVEL 0 PROCESS FLOW REVISION: DATE FEB 3, 2004 Step Step Step Step BC / DR Best Practices Implementing Sustainable BC / DR Programs Aventis BC/DR Implementation Governance and program support Board of Management Finance and Audit Committee Aventis Risk Council Collection, cross-functional evaluation, and prioritization of risks Review and monitor implementation timelines of plans to manage risks Recommend key business processes to be reviewed; Collaborate on processes and communications to build risk anticipation & proactivity and foster a culture of courage in risk reporting Aventis Operations Management Committee (OMC) Linked / Integrated with: Crisis Management SOX, Internal audit CFR Part 11 HIPAA Info Solution (ISM) policy Global Implementation Team (GIT) Program Management Daily BC program coordination / direction Project planning, control, and reporting Program communications BC / DR Center of Excellence BC / DR experts, program framework, toolkit, implementation support, and training of global BC/DR Business Continuity Council (BCC) Program Strategy Support Support the GIT in their strategic and operational planning; Review and provide feedback on program-wide goals, processes, and tools Business Function Liaison Serve as liaison to assure business needs are met, always keeping in mind that responsibility for implementing BC/DR lies within the Business In-country BC / DR Program Implementation Teams Global Processes and Systems DIA, IO, Comm Opes, F&A, Pasteur Regional Processes and Systems Europe, N.A., Asia, S.A., C.A., Africa Support Processes & Systems IS, Legal, QC, HR, Logistics, etc. 11 BC / DR Implementation Methodology 5-Step Process to Build & Test 1 st BC / DR Plans Step 1 Scope BC/DR Program Assemble team Define Scope Communicate project plan Global Business Continuity, Disaster - Level 0 Process Flow Process Number: 18 Step 2 Conduct BIA & Risk Assessment Conduct BIA survey Identify material process RTOs Identify material system RTOs Assess material process & systems risk Process Initiators Business change Systems change Periodic review Scope BC / DR Program 1 2 Understand Business Impact Complete Risk Assessment 3 Step 3 Formulate BC/DR Strategy Define & cost justify BC strategies Define & cost justify DR strategies Identify capex / opex requirements and timing Step 4 Build Process / Systems, Assemble Teams, and Document Plans Engineer & implement approved processes and systems Assemble & train recovery teams Document BC / DR Plans Step 5 Test and Update Plans Schedule and conduct DR / BC tests Update BC / DR plans, as required Identify & train site BC / DR Committee 5 Test and Update BC / DR Plans Exception Handling Build Approved Process / Systems Assemble Teams & Document Plans 12 4 Develop BC / DR Strategy 4

5 In Parallel with BC Program Launch Disaster Program Deliverables DR PROGRAM DR Program Charter Program (project) Plan, Milestones, Responsibilities DR Information Repository Periodic Status Reports DR STRATEGIES, FRAMEWORK, SERVICE LEVELS Preliminary DR Framework and Strategies Document Preliminary DR Service Level Catalogue Final DR Framework and Strategies Document Final DR Service Level Catalogue DR BASELINE PHASE 1 (Regulatory Compliance Applications) Project Plan Affected Applications List Baseline SOPs/Guidelines/Standards Back Up /Restore Validation Current Operating Gap analysis Validation / Testing Recommendation Implementation plan BUSINESS CONTINUITY FOR IS BIA s Risk Assessment Dependency analysis IS Process Strategy plans for Material Application and Infrastructure Services IMPLEMENT VERY HIGH DR SERVICES Material VH Application Inventory VH Applications DR requirements VH DR SOP/Guidelines/Standards Very High DR Service Infrastructure Recommendations Detailed Implementation schedules and project plans CREATE ENTERPRISE DATA CENTER DRP S DRP Standards, Guidelines Document Create self-directed Data Center DRP toolkit Major Data Center DRP Review & assessment. Implementation plan CREATE A SUSTAINABLE DR CAPABILITY ISM Update DR Roles and Responsibilities Document DR Change Management plan Implementation plan 13 BC / DR Methodology Summary A best practice approach to a sustainable program Step 1- Scope DR Program Assemble IT Disaster Program Resources Program Leadership Team Local Implementation Team Technology Teams incl. solution engineering / implementation Engage the Business Quantify executive risk appetite Get it right up front BC vs. DR-driven program and minimize Define and Document DR Vision confusion and redundant work effort Connect to BC/DR Program Design throughout Disaster Service Catalog implementation and Disaster Framework support efforts Disaster Strategies Bounding the DR Program ( Changing tires on a moving taxi ) Determine Systems In Scope" and Out-of-Scope Determine breadth of BC / DR data collection Initial Engineering of Infrastructure and Enterprise Application DR Solutions 14 IT Disaster Program Resources Implementation team for enterprise DR Implementations Enterprise DR Leadership Team (IT-SLT) Oversight and governance for Global DR program Provider of DR implementation Approver of DR policies, strategies, standards, and tools Final escalation point for resolving DR-related conflicts Business owners for their areas relative to BC for IS project (function as LIT) Speak for the business when defining DR business requirements for IS Shared Systems Preference: direct engagement with the business Enterprise Disaster Working Team Creator of methods and tools Manager of DR infrastructure projects Coordinate AG participation, as required Primary resource pool Initial escalation point for resolving conflict Site DR Working Teams To be formed as needed Enterprise DR Working Team Membership Sponsor: Chairperson: DR Strategy Lead: Data Center Consolidation Rep: Business Rep: Consulting Team Rep: GIS Functional Leads: Service Delivery Storage Platform Architecture Data Base Server Operations Network Operations Solutions Team Member Other Stakeholders: AGs, AIS, Business contacts 15 5

6 Engage the Business How much DR investment is appropriate? Materiality (protecting shareholder value) Quantify risk appetite for financial impact Establish implementation standards BIA Survey data provides details to determine process materiality Our Experience: System RTOs derived from business RTOs >60% of previously committed IS DR investments exceeded business requirements Significant reduction in DR CAPEX / OPEX Impact Categories determine level of BC/DR protection required 16 BC / DR Integration Issues Alternative Methods to Engage the Business Option #1 DR-driven project Assemble IT who can intuitively quantify business impact of disrupted applications Workshop to quantify impact Financial Legal Other preset measures Business executive signs-off on established RTOs Proceed with Disaster Steps 3 thru 7 Option # 2 Business-driven project Engage business at Step 1 Define Materiality criteria Conduct true Business Impact Analysis incl. application impacts System RTOs driven from BIA findings Proceed with BC / DR Steps 3 through 7 17 Define and Document Program Vision Connecting to Business Continuity Program Design Deliverables Relationship Chart Goal: Design an appropriately scaled and sustainable BC / DR Program High-Level Enterprise BIA Foundation Materials BIA Interview Results BIA Analysis Findings BC Program Design Roles & Work List Responsibilities Tools Document Grid BC Program Implementation Plan Business Continuity Function Plan Budget Staffing Plan Documents AIA to BIA Bridge Document Senior Management Authorization to Proceed BIA Findings Document BC Glossary BC Program Orientation Materials BC 1-Page Handout 18 6

7 Enterprise Business Impact Analysis Summary Build the Business Case for implementing a sustainable BC program (start building sr. mgmt support and commitment) Identify organization exposures, threats and risks and the adverse business impacts that might occur Prioritize launch sequence for all departments / business functions included in BC program launch High-Level Enterprise BIA Foundation Materials BIA Interview Results BIA Analysis Findings AIA to BIA Bridge Document BIA Findings Document 19 BC Program Design Summary Define BC delivery organization required to achieve conceived vision Work List BC Program Design Roles & Responsibilities Grid Tools Document Develop implementation plan based on thorough understanding of work to be done and how it can be achieved within your organization Business Continuity Function Plan BC Program Implementation Plan Budget Staffing Plan Documents Gain senior management commitment to and participation in your BC program launch Senior Management Authorization to Proceed BC Program BC 1-Page BC Glossary Orientation Handout Materials 20 Define and Document Program Vision Disaster Service Level Catalog Business Requirements for Service Level Categories BASE MED HIGH VERY HIGH IS will deliver 4 DR Service Levels Based upon Business Requirements Point Restoration These requirements will be identified through the Business Continuity project/s. Determinants of a DR Service Level Category Character istics of a DR Service Level Category time time time time is based on within 1 to 6 weeks within -7 1 days within 24 hours best effort (to minimum service level) Restoration restored based restored within 2 restored within 2 restored within on best effort months weeks 1 week (to full production capacity) to to latest to of latest full full weekly and latest full weekly latest 2 hours Point weekly and incremental daily and incremental of data incremental backup. All tapes daily backup. All collected daily backup. are stored off site. tapes are stored All tapes are off site. stored off site. Infrastructure No dedicated Limited physical Required physical Required facilities or physical facilities & are identified identified and plan made available are exists to acquire within recovery made available additional within the time. Plan exists within recovery Required timeframe. to acquire time. additional within the Required timeframe. DR plan DR plan is DR plan is DR plan available DR plan and stored both available and not mandatory not mandatory on and off site. stored both on DR plan tested and off site. once a year. DR plan tested twice a year. 21 7

8 (to minimum service level) (to full production capacity) time is based on best effort restored based on best effort to latest full weekly and incremental daily backup. All tapes are stored off site. No dedicated facilities or identified DR plan available and stored both on and off site. DR plan test is not mandatory time within 4 days to 1 week restored within 1 month to latest full weekly and incremental daily backup. All tapes are stored off site. Required physical identified and plan exists to acquire them within the Required timeframe. DR plan available and stored both on and off site. DR plan tested once a year. time within 1-3 days restored within 2 weeks to latest full weekly and incremental daily backup. All tapes are stored off site. time within 24 hours restored within 1 week of latest 2 hours of data collected Limited physical Required physical are made available are within recovery made available time. Plan exists within recovery to acquire time. additional within the Required timeframe. DR plan available and stored both on and off site. DR plan tested once a year. DR plan available and stored both on and off site. DR plan tested twice a year. DR Framework DR Services are described via the adoption of a consistent Framework which is used Globally to define the components that make up the DR services BASE MED HIGH VERY HIGH Data Backup Storage Disaster Services Infrastructure Facilities Computing Network Shared Services End User 22 Business Requirements Determine Service Levels Service Levels and Framework Combine to define Standardized Strategies Business Requirements for Service Level Categories Service levels Determine DR strategies / solutions BASE MED HIGH VERY HIGH Determinants of a DR Service Level Category Restoration BASE MED HIGH VERY HIGH Character istics of a DR Service Level Category Point Infrastructure facilities & DR plan Disaster Services Data Backup Storage Infrastructure Facilities Computing Network Shared Services End User 23 Standardized Strategies leveraged across the enterprise Standardized Strategies were selected for each Service level based upon best practices and Program objectives. Then as specific solutions were engineered, these Strategies were validated against the real applications business requirements. Data BASE MED HIGH VERY HIGH Backup Tape Tape Tape evault Storage Offsite Offsite Offsite Infrastructure Facilities Best Efforts Intra company Computing Best Efforts w/ Leverage Existing Bias Network Redundant Replaceme nt Shared Services Substitution Unlike Leverage Existing nonmaterial H/W Split Coml. Mobile Coml Vendor Intra Company Leverage Existing nonmaterial H/W Co Location Coml Vendor Coml Vendor evault Asynch Disk to Disk Redundant Hot Site Redundant Best Efforts Pre Wired Pre Wired Pre Wired Collaboration Services Systems Management Software Distribution Routing Redundancy BU & Servers InfoSec Remote Access Support Desk 24 8

9 Bounding the BC / DR Program Changing tires on a moving taxi Determine functions, sites, and systems that are In Scope" and Out-of-Scope Intuitive scoping exercises Establish local buy-in Determine breadth of BC / DR data collection What and how much data to be gathered from whom Finalize data collection / validation process Initial Engineering of Infrastructure and Enterprise Application DR Solutions Leveraging capital infrastructure and improvements 25 DR Methodology Summary A best practice approach to sustainable program Step 2 - Conduct BC / DR Data Collection Business Functions / Processes Work Inflows / Outflows (functional dependencies) Vital Records Requirements Business Impacts Known Mitigation, Safeguard, and Contingency Strategies Resource Requirements IT Applications, Network, and Other Infrastructure Systems Impacts Step 3 - Complete DR Impact Analysis RTO determination RPO cost/benefit analysis System Dependency Analysis incl. infrastructure systems Physical / cyber / business risk assessment 26 DR Methodology Summary A best practice approach to sustainable program Step 4 - Formulate DR Strategies Systems Scalability Sequence DR Strategy Workbook Solution Engineering Authorization to proceed Step 5 - Implement Solutions and Document DR Plans Solution implementation Assemble DR Organization Document DR Plans Desk Check DR Plans 27 9

10 DR Methodology Summary A best practice approach to sustainable program Step 6 Test DR Plans Develop DR Test Strategy Schedule DR Test Conduct and Monitor DR Test Post-mortem DR Test Step 7 Maintain DR Plans Update DR Plans Link DR Plans to ISM Change Management Baseline DR Competency Establish Competency Goals and Annual Program 28 Contact Information Scott W. Ream President Virtual Corporation (973) sream@virtual-corp.net Brian Bobich Chief Technology Officer Core Systems Group (732) brian@coresystemsgroup.com