2014 NABRICO Conference

Transcription

1 Business Continuity Planning 2014 NABRICO Conference September 19, CityPlace Drive, Suite 900 St. Louis, Missouri S. Fifth Street, Suite 309 St. Charles, Missouri S. State Route 157, Ste. 300 Glen Carbon, IL

2 Presenter Tony Munns Partner IT Risk Advisory Services CISA, FBCS, CITP, CIRM Tel: Cell: Leads the Risk IT Audit Services for the firm s clients for the past 11 years. Prior experience includes 3 years with Andersen LLP as Technology Risk Consulting Practice Leader Previous employment experience over 18 years at 3 Fortune 500 companies: Lucent Technologies, Kraft Foods and the Prudential Assurance Company 2014 Brown Smith Wallace All Rights Reserved

3 Agenda Changing strategies Then and Now Business Impact Analysis Disaster Recovery Planning Business Continuity Planning Questions 2013 Brown Smith Wallace All Rights Reserved

4 Acronyms BIA Business Impact Analysis TRA Threat and Risk Analysis RTO Recovery Time Objective RPO Recovery Point Objective DRP Disaster Recovery Plan BCP Business Continuity Plan

5 Changing Strategies External Factors 9/11 Gave Us a Boost to Planning Activities Hurricane Sandy Tornados However: It couldn t happen again syndrome sets in Realities of economy stalling efforts Confusion over emerging regulations occurring Companies Outsourcing More Disaster Recovery Efforts Use of commercial hot-site contracts, moving to multiple datacenters, colocation. Complexity of task overwhelming for many companies Higher Emphasis Placed on Cyber Security perceived as the bigger risk Confusing Standards and Lack of Common Criteria 2013 Brown Smith Wallace All Rights Reserved

6 Then and Now THEN Few key applications Standalone systems Single platform Local connection Tape backups Office based Slow communications Bricks & mortar In-house systems Big company need NOW Many applications Highly integrated systems Multiple platforms LAN, WAN, remote connection Data replication Remote workers Instant connection e-commerce Remote & outsourced systems Every company s need 2013 Brown Smith Wallace All Rights Reserved

7 Components of Planned Recovery Executive Sponsorship Business Impact Analysis Disaster Recovery Planning Business Continuity Planning

8 BCP/DRP Plan Structure Conduct a Business Impact Analysis and Risk Assessment identifies mission critical business functions and processes assess the probability and impact to the business if critical business processes are disrupted identifies recovery requirements Disaster Recovery Plans usually developed using business process data flow diagrams identifies the priorities that infrastructure, systems and applications need to be recovered based upon a hierarchy of dependencies or business needs Crisis Management and Communication Plan provides guidance to management and outlines the necessary steps to execute during a significant business disruption (e.g. definition of a disaster, engaging crisis management team, communication plan, public relationships, etc.) Business Continuity Plans identifies alternate procedures to execute when primary business or work location and resources are unavailable Pandemic Plan Consideration It is necessary to prepare a plan to protect a business s #1 resource (employees) in the event of a wide spread influenza outbreak or chemical contamination Annual testing Encourages continuous process improvement and plan maintenance Continuous Update! 2012 Brown Smith Wallace All Rights Reserved

9 Templates and Approaches DRII - DRI International ISO International Organization for Standardization ISO 27031:2011 Guidelines for information and communications technology readiness for business continuity ITIL Information Technology Infrastructure Library NIST National Institute of Standards and Technology Special Publication Contingency Planning Guide for IT Systems Test, Training & Exercise Programs FEMA Template for SMBs FINRA

10 Business Impact Analysis Step 1 Risk Assessment Perform a Business Impact Analysis (BIA) Risk Assessment to identify: threats and risks, control options and their cost. Approach: Identify and prioritize risk associated with each business unit/area within the company Develop a high level matrix providing management a summary view of the BIAs across the enterprise Identify gaps and provide recommendations to mitigate the identified risks Deliverable: An executive summary accompanied by a high level matrix identifying business processes and the threats and risks that could cause a significant business disruption. In addition, the matrix should include a TRA (Threat and Risk Analysis) that includes risk control options, cost of risk control options, effectiveness of risk control options, and comparison of risk control options cost and effectiveness Brown Smith Wallace All Rights Reserved

11 Business Impact Analysis Step 2 Identify Recovery Requirements For mission critical business functions and processes, interview business owners and document desired recovery time and point objectives. Approach: Identify and prioritize critical business functions and processes associated with each business unit/area within the company including all back office systems For various RTOs and RPOs develop a cost analysis of the architecture required for the desired recovery Identify any potential architectural or process improvements that would facilitate a more cost effective approach to recovery Deliverable: An executive summary accompanied by a high level matrix identifying business processes desired recovery requirements, and the costs associated with each approach. In addition, recommendations should be presented for architecture and process improvements that will mitigate the cost associated with the desired recovery objectives Brown Smith Wallace All Rights Reserved

12 Business Impact Analysis Step 3: Based upon the results of the BIA, identify action steps necessary to develop the Disaster Recovery Plan and Business Continuity Plan. This may include Crisis Management, Continuity, and Disaster Recovery Plan development. Deliverable: Provide management a gap analysis and action plan identifying the necessary steps for completing the Disaster Recovery Planning and Business Continuity process Brown Smith Wallace All Rights Reserved

13 Contents of a Good Plan Definition The IT Disaster Recovery Plan is a written strategy created to facilitate an organization s quick and successful response to severe disasters. Through the division and allocation of pre-defined responsibilities and duties, response times are minimized. With the creation of an IT DR plan, effort is made to provide a dependable and efficient restoration of services in the event of a disaster.

14 Contents of a Good Plan Objectives know what they are, and limitations Document specific definitions and guidelines for declaring disaster scenarios and corresponding emergency responses. Provide for the continuation of critical IT and related business functions and recovery in the event of a disaster. Maximize the expediency and effectiveness of recovery operations through an established set of strategic plans. Identify the necessary policies, procedures, and resources required to maintain critical Information Technology support services during prolonged interruptions to routine operations. Assign responsibilities and duties to designated personnel for the implementation of disaster recovery procedures. Ensure coordination between appropriate staff concerning disaster contingency planning strategies. Ensure appropriate plans have been created to coordinate external vendors, clients, and contacts in the event of a disaster. Provide standards for testing components of the Disaster Recovery Plan.

15 Contents of a Good Plan Assumptions document & Validate them Key personnel have been identified and trained in their emergency response and recovery roles. It is also assumed that each person is available to activate and carry out their assigned responsibilities and duties. Current backup media, containing relevant data for applicable critical IT services and components, are available thru designated data library relocation providers. All required IT related hardware is either available, or can be obtained in a timely fashion. All required software is available and current along with appropriate licensing. All required hardware and software vendor support contracts are maintained and are current. Contracted temporary disaster recovery sites will be available at the time of need. Designated management staff will communicate appropriate status information to those applicable personnel, vendors, and agents affected by a declared disaster. All required disaster recovery related documentation is available and current. Most importantly, it is assumed that this Disaster Recovery Plan is reviewed, tested, and updated on an annual basis at a minimum.

16 Contents of a Good Plan Overview Introduction Scope Objective Assumptions Disaster definitions Disaster likelihood ratings Threat levels Declaration of disaster Preparing for disaster Disaster response budget Disaster response team defined

17 Contents of a Good Plan Disaster recovery escalation process defined Quick reference guide DR temporary recovery site Updated IT related documentation Dependencies Contact listings Vendor failures Avoiding & minimizing disasters IT recovery details Plan monitoring, review, and testing Continuous Update

18 Contents of a Good Plan Make sure you include: Wide Area Network Documentation Local Area Network Documentation Server Documentation Password Documentation Network/Software Application Documentation Vendor Contract Documentation Critical System Log Documentation Telecommunications and Voice Infrastructure Documentation

19 Business Continuity Planning Business Continuity Planning is the next step after Disaster Recovery Planning. DRP provides the technology infrastructure for the company to continue to function BCP provides procedures for operation of the organization and business units during a disaster

20 What is Business Continuity Planning? Business Continuity Planning is a planning process that identifies an organization s exposure to internal and external threats and identifies key processes that need to be protected to sustain business operations and maintain a competitive advantage in the event of a significant business disruption. Key Objectives: Minimize the possibility of interruptions to business operations Maintain a competitive advantage Prevent the company from becoming a business closure statistic due lack of planning

21 Business Continuity Planning Address all business functional areas (HR, Sales, Accounting, etc.) Address non-it related items Office supplies Desks/workspaces Business forms (check stock, purchase orders, sales orders, etc.) Reference material Supply chain management Communications Employees and stakeholders Media Legal and regulatory Customers Incident response planning and handling

22 BCP Lifecycle

23 Plan Contents Program Administration Define the scope, objectives, and assumptions of the business continuity plan. Business Continuity Organization Define the roles and responsibilities for team members. Identify the lines of authority, succession of management, and delegation of authority. Address interaction with external organizations including contractors and vendors.

24 Plan Contents Organization Chart Include a schedule of team member contact information, role, alternatives

25 Plan Contents Business Impact Analysis Insert results of Business Impact Analysis Identify Recovery Time Objectives for business processes and information technology Identify Recovery Point Objective for data restoration Business Continuity Strategies & Requirements Insert detailed procedures, resource requirements, and logistics for execution of all recovery strategies Insert detailed procedures, resource requirements, and logistics for relocation to alternate worksites Insert detailed procedures, resource requirements, and data restoration plan for the recovery of information technology (networks and required connectivity, servers, desktop/laptops, wireless devices, applications, and data)

26 Plan Contents Manual Workarounds Document all forms and resource requirements for all manual workarounds Incident Management Define procedures: Incident detection and reporting Alerting and notifications Business continuity plan activation Emergency operations center activation Damage assessment (coordination with emergency response plan) and situation analysis Development and approval of an incident action plan

27 Plan Contents Training, Testing & Exercising Training curriculum for business continuity team members Testing schedule, procedures, and forms for business recovery strategies and information technology recovery strategies Orientation, tabletop, and full-scale exercises Program Maintenance and Improvement Schedule, triggers, and assignments for the periodic review of the business continuity plan Details of corrective action program to address deficiencies

28 Plan Contents Also include references to related Policies & Procedures Emergency Response Plan Information Technology Disaster Recovery Plan (if not included in the business continuity plan) Vendors, Suppliers and Partners Contact Information Crisis Communications Plan Employee Assistance Plan

29 Consequences Due to Lack of DRP/BCP Lost data Longer data recovery time No contingency procedures during recovery process Damage to company reputation Employee downtime Dependence on a few key people who have required system/organizational knowledge

30 Closing Quotes Bob Clark CEO Clayco I don t want to become a Katrina statistic; like some of my competitors in Louisiana CBS MoneyWatch Big, disruptive events like the BP oil spill, Hurricane Katrina, and the California wildfires make the news, but it's more often the smaller, unexpected disasters that wreak havoc on a company's ability to function. Unknown An organization that fails to provide a minimum level of service to its clients following a disastrous event may not have a business to recover. Protect all to protect one in order to protect any single business function, the enterprise must be protected Brown Smith Wallace All Rights Reserved

31 Questions 2013 All Rights Reserved Brown Smith Wallace LLC 31

32 Presenter Tony Munns Partner IT Risk Advisory Services CISA, FBCS, CITP, CIRM Tel: Cell: Leads the Risk IT Audit Services for the firm s clients for the past 11 years. Prior experience includes 3 years with Andersen LLP as Technology Risk Consulting Practice Leader Previous employment experience over 18 years at 3 Fortune 500 companies: Lucent Technologies, Kraft Foods and the Prudential Assurance Company 2014 Brown Smith Wallace All Rights Reserved