1 Understanding Disaster Recovery in California Protecting your Enterprise
2 Session Overview Why do we Prepare What is? How do I analyze (measure) it? What to do with it? How do I communicate it? What does it mean to management?
3 : A Decade of Natural Disasters 1 million thunderstorms 100,000 floods Tens of thousands of landslides, earthquakes, wildfires & tornadoes Several thousand hurricanes, tropical cyclones, tsunamis & volcanoes Sources: CDC & EK Noji, The Public Health Consequences of Disaster
4 Executives and Management are being held to a higher level of performance or Governance Governance and Culture Rising Expectations The Regulatory Environment (HIPAA, PCI, SAM, BL) Control Framework manage risk (ITIL, ISO, COBIT) Aligning business with IT Having a resilient business model Processes and Procedures Efficiency addressing mandates Delivering value Tools and technology Improve the management of Trust
5 Identifying exposures and managing associated risks increases your appeal to customers, stakeholders, business partners, and regulators. A stable and prepared business builds trust with its: The Public Regulators Stakeholders Business partners Increased customer satisfaction and. Lower total operating expenses Optimized expenditures Enhanced public value
6 Video?? Video
7 Three Phases of Continuity Departments Planning, Documenting, Testing, and Training Emergency Response - Life Safety First 72 Hours Damage Assessment First 72 hours Business Recovery up to 30 days IT Disaster Recovery up to 30 days Restoration Business back back to normal Phase I Phase II Phase III
8 Definitions Life Safety ERP Essential State Government Functions COG Essential Department Functions COOP Communications Functions CCP Business Recovery Functions BCP IT Recovery Functions DRP
9 Emergency Response The immediate reaction and response to an emergency situation commonly focusing on ensuring life safety and reducing the severity of the incident. typically the first 24 hours & up to... Definition from Disaster Recovery Journal (DRI) website at:
10 Continuity of Operations & Continuity of Government (COOP/COG) (Also known as Business Continuity) Continuity of Operations (COOP) The activities of individual departments and agencies and their subcomponents to ensure that their essential functions are continued under all circumstances. This includes plans and procedures that delineate essential functions; specify succession to office and the emergency delegation of authority; provide for the safekeeping of vital records and databases; identify alternate operating facilities; provide for interoperable communications; and validate the capability through tests, training, and exercises. Office of Emergency Services (OES)
11 (DRP) Disaster Recovery Plan (formally known as - Operational Recovery Plan): The management approved document that defines the resources, actions, tasks and data required to manage the technology recovery effort. It provides for owners to define the Maximum Allowable Outage (MAO) requirements for the essential applications. This is a component of the Business Continuity Management Program. Definition from Disaster Recovery Journal (DRI) website at:
12 Relationship of Plans Business Continuity Continuity of Operations Continuity of Government Emergency Response Operational Recovery
13 Costs Costs of of Disaster Disaster Events Events Costs Costs of of Recovery Recovery Controls Controls Total Cost of of Recovery Minimized Total Costs Level of of Protection Provided
14 Risk Assessment A Risk Assessment is the analysis of possible disasters, including natural, technical, social and human threats that can result in short or long term downtime. Each functional area of the organization should be analyzed to determine the potential negative consequences and impact associated with various disaster scenarios. During the risk assessment process consideration should be given to evaluate the safety of critical documents and vital records related to the continuance of business operations.
15 Risk Assessment Items to consider in determining the probability of a specific disaster should include, but not be limited to: Proximity to power sources, water bodies, and airports History of the area s susceptibility to natural threats Proximity to major highways which transport hazardous waste and combustible products Business climate and cultural risks Other factors
16 Business and Operation Impact Assessment A Business Impact Assessment (BIA) is the foundation for business and patient care continuity planning. A detailed BOIA should identify the business, financial and clinical operational impacts that may result from a disruption of operations. Negative impacts may results in: Cost of downtime Loss of Revenue Inability to continue with patient care Loss of automated processes
17 Awareness Financial Impact High Availability Cannot Be Acquired Out-Of-The-Box; It Is Built Into the Architecture and Preserved by Effective Processe Lost Revenue Direct Loss Compensatory Payments Lost Future Revenues Investment Loss Extra Expense Cost to Recover Overtime Expense Increased Fraud Risk Increased Error Rate Travel Expenses Temporary Employees Penalties Contractual Regulatory Legal Productivity Loss Number of Fully Burdened Employee impacted Delayed Collections Billing Losses Missed Discounts Damaged Reputation Patient, Suppliers, Partners, Banks, Financial Markets Credit Ratings
18 Assessing Key Business Areas The disaster recovery plan should include a descriptive list of the organization's major business areas. This list should rank the areas in order of importance to the overall organization. Each item should include a brief description of the business and processes and main dependencies on systems, communications, personnel, information systems and data.
19 The Process Getting Started Assess Assessments are critical to the planning of healthcare disaster recovery. They can provide detail information that can be crucial when making a decision. Accurate can be accomplished by having information before hand regarding risk factors and the impact of operations interruption. Determine what the Recovery Plan and Time Recovery Objectives. Determine what the objectives are for planning and recovery time. Determine the requirements for planning. These are the planning requirements that need to be met in order to accomplish your recovery plan and time objectives (RPO & RTO).Infrastructure
20 The Office space, phones, intranets, LAN/WAN access, internet/intranet, security etc. Systems Restore Includes both Hardware and Operating System Critical Applications Includes programs that are critical to the continuity of the business and patient care. Data Live records containing business and clinical transactions as well as specific procedures and business rules. Operations Continuity Daily operations and tasks to secure the continuance business and patient care processes.
21 Departments ITSD DTS Third-party vendors??????????????? Who Owns It?
22 What s It Worth? States Image Replacement Branding Daily Operations Competitive Advantage
23 Assessing our Knowledge Assets Employee Brains Paper Documents 42% 12% 26% 20% * 2005 disaster Resource Guide Sharable Electronic Knowledge Base Electronic Documents
24 Department Data Classification Matrix Time Sensitive Nature Category A (Highest, most essential) Category B (Moderate, some level of criticality) Category C (Very low, but still desirable) Legal requirements Protection of data is required by law (see attached list for specific HIPAA and FERPA data elements) Department has a contractual obligation to protect the data Reputation risk High Medium Low Other Institutional Risks Information which provides access to resources, physical or virtual Smaller subsets of Category A data from a department Data about very few people or other sensitive data assets
25 The Hamster Wheel of Pain (how management sees Disaster Recovery strategies) Disaster Management to most is Risk Identification Captures a simple Risk Management message, Identifying and fixing things Disaster Management (and the analysis and assessment of it s performance) needs to be organizationally focused & using business domain knowledge It s Fixed Ignorance Management s View Sheer Panic Yes Am I Hosed How do my strategies compare with my peers?
26 The Disaster Recovery Plan The Workflow It is crucial to develop an effective workflow. The workflow can determine how your DR plan will be executed. It also provides a guide and road map to the decision making process. The response and recovery time frame will impact on overhead costs and loss of revenue. Crisis Anticipation/ Declaration Emergency Response Mobilize Resources Restore Application Restore From Backup Resume Operations Restore To Normal Operations Remote Location Remote Location Remote Location Remote Location Overhead Costs and Loss of Revenue
27 Testing Annual testing of the ORP is essential to: Ensure for training the management and recovery teams. Validate that the procedures have the appropriate level of detail. Verify Call Back lists are current. Confirm that Recovery strategies are appropriate for your environment.
28 IMPLEMENTATION OF PLANS Disruption of business occurs and you are informed, next steps Emergency Response safety and security of staff. Securing the site. Activate COOP/COG Plan to ensure the continuation of essential functions. Implementation of the communication plan. After assessing incident, determine if implementation of BCP & ORP is required. Contact SISO to report incident. Implement BCP and ORP
29 OISPP Requirements DRPs must describe: Agency Administrative Information Critical Business Functions/Applications Recovery Strategy Backup and Offsite Storage Procedures Operational Recovery Procedures Data Center Services Resource Requirements Assignment of Responsibility Contact Information Testing
30 Disaster Recovery Lifecycle How well are we protected, now and in the future? What can we add or change to improve our recoverability? Given what we have, how do we handle a catastrophic Disaster? Put all this in place with our business partners
31 What else do I need to consider? Several things, but first and foremost, make sure your critical data/vital records, as in tape files, mirrored disk, paper archives, etc., are stored in a safe location (off-site storage) and can be retrieved Without your data, your plan will not work Maintain the plan on a regular basis Think out of the box!
32 Conclusions Physical and IT security will become more tightly integrated BCP must encompass all aspects of an organization Security is a crucial component to BC and disaster prevention Proper identification, planning, and implementation will ensure not only success, but business survival
33 At a Personal Level Contact your Emergency management or civil defense office Meet with your family and discuss how to prepare and respond Plan how your family will stay in contact if separated Complete these steps: Post emergency numbers on each phone Show responsible family members where to shut off utilities Install (and test) smoke detectors on each level of your home Contact your local fire department and learn about in-home fire hazards Learn first aid and CPR Meet with your neighbors and plan how the neighborhood could work together after a disaster Know your neighbor s skills (medical, technical) Consider special needs such as elderly, disabled, child care
34 Resources SISO web site: Budget Letter ORP Policy Changes ORP Policy in the State Administrative Manual (SAM): Operational Recovery Planning: Operational Recovery Plan ORP SIMM 65A:
35 Resources Web Sites: Professional Organizations
36 Business Continuity Disaster Recovery Thank You! Jack Orlove (916) Business Analysis Cyber Security