IBM Global Services
IBM's Approach to Disaster Recovery and Business Continuity
Lausanne, May, 2008
Gérard Vanel, IBM certified Managing Consultant, IT infrastructure, BCRS
Integrated Technology Services
Gérard Vanel, IBM certified Managing Consultant, IT infrastructure, Multi-industry
Profile: Gérard Vanel is an IBM Certified Managing Consultant within IBM Switzerland ITS, focusing on Business Continuity and Recovery Services and IT infrastructure consulting in multi-industry sectors. He has over 24 years of experience in the IT business, including 17 years in IT architecture on projects such as directory design and implementation for worldwide projects, and 6 years in IT consulting with BCRS and IT infrastructure consulting projects for the banking, communication and food industry sectors.
Professional Experience
Managing & Senior Consultant: Performed various projects for large international companies, BCRS, working on ITIL process implementation projects, system management consolidation, IT optimization, service delivery reorganisation and company IT mergers.
Senior IT Specialist: Recognized as architect for various directory projects (Microsoft Active Directory, Novell NDS environments) for companies at worldwide, EMEA, country and local levels.
Instructor: For 7 years, teaching in the IT community.
Objectives
The objective of this presentation is to introduce IBM's approach to disaster recovery.
Present the Business Continuity and Recovery Services (BCRS) methodology.
Reaching your Business Resilience goals involves choosing viable security, availability, and continuity solutions based on business needs. Different BCRS modules exist to reach the goal, but what do they mean?
An effective recovery solution must fully support the requirements of the business. In order to ensure that the solution is aligned with those requirements. This lifecycle is based on the IT Service Management process (ITIL, ITPM).
Initiate the project
Define the scope of the project, staff, organization, and methodology. Allocate resources in line with the project scope. Build a project plan and agree on goals.
Business Impact Analysis
1. Vital business processes and supporting applications
2. Maximum tolerable outage
3. Data vintage requirements
4. Financial impact
5. Intangible impact
6. Definition of a disaster for the company
The objective is to quantify the impact on the Client resulting directly or indirectly from a disaster. Each business process is assessed.
[Diagram: network and host components linked to business processes (Accounting, Budget, Corporate Accounting, World Wide Procurement, Human Resources, Operations, Manufacturing)]
Assumptions
The following assumptions and guidelines were used when conducting this study and while analyzing the data gathered:
1) A major disruption of the Information Technology systems has occurred at your location and all computer systems will be unavailable for up to thirty days.
2) Due to the outage, all network data lines are inaccessible.
3) Assume that this event happens at "your" worst time of the year, quarter, month, etc.
Tangible and intangible impacts are also evaluated.
[Chart: impact index (scale 0 to 140) per category: Relationships with transport providers; Work load, fluidity of work; Impact on donors, loss of market share; Credibility; Litigation; Regulatory Compliance; Fines, Penalties; Organization image; Employee morale; Data integrity; Quality of Service to member states, donors, partners]
Business Impact Analysis outcome (1 of 2)
Application prioritization (2 of 2)
Applications can be classified into 4 types of emergency prioritization. Classes 1 and 2 are critical for the company's business continuity.
Risk Assessment
8. The objective is to identify the risks that pose the gravest threat to your employees, business assets, business operations and IT security.
9. The outcome allows an organization to measure, integrate, and consider cost-effective mitigation and security efforts based on scenarios.
Example: As an output of the questionnaire, the risk assessment chart shows that fire, intentional damage, carelessness, water, sabotage and technical faults are the main risks.
[Chart: occurrence probability (1 to 5) against level of impact (1 to 5)]
Risk Groups (Legend): Fire; Technical Faults (air-conditioning etc.); Water (water pipes, extinguisher water); Employees (intentional damage, carelessness); Criminal Actions (Theft, Fraud, Burglary); Sabotage, Terror (Vandalism, occupation); Environmental Risks (Transport roads, tramlines, gas station); Natural threats (Earthquake, flooding); Plane crash
Based on the risk assessment, 3 disaster scenarios are elaborated.
Scenarios for site 1
1. Destruction of main building system room (fire, water, sabotage)
2. Destruction of annex system room (fire, water)
3. Destruction of main building (fire, sabotage)
Recoverability Assessment
10. The ability of the current IT to recover the business processes in the specified Return Time Objective
A map is built showing the problematic points. Recoverability capabilities are analyzed.
Recoverability assessment: facts, findings and conclusions
Business Continuity Strategy
11. The strategy is built based on the requirements.
Disaster Recovery Plan
12. Disaster Recovery Plan (IT)
The Disaster Recovery Plan supports the company in an organized manner in case of a disaster.
[Diagram: Potential Loss, Preventive Measures, Impact Analysis, Risk Assessment, Strategy Selection, Recoverability Assessment, CONTINUITY PLAN, Plan Development, Test/Update/Maintain]
Disaster Recovery Macro-Plan
Initial test of the Disaster Recovery Plan
13. Test the DRP
Initial tests. A test needs to involve all stand-by arrangements, including the recovery of business processes and the participation of external parties. This tests the completeness of the plans and confirms:
time objectives
staff preparedness
commitment of key resources
responsiveness, effectiveness and awareness of external parties
Operations
Training. Training the IT members to ensure that they have the necessary level of competence to facilitate recovery.
Review. Regular review of all of the deliverables needs to be undertaken to ensure that they remain current.
Testing. Following the initial test, it is necessary to establish a test program to ensure that the critical components are tested at least annually.
Change control. Following tests and reviews, there is a need for the plans to be updated. This must be included as part of Change Management.
Assurance. The last process in the lifecycle involves obtaining assurance that the quality of the deliverables is acceptable.
Business Continuity Plan and Disaster Recovery Plan
[Diagram: Disaster Recovery (Business Impact Analysis, Recoverability Capabilities, Risk Evaluation, Disaster Recovery Plan) within Business Continuity Planning (Personnel capabilities, Business Operations analysis, Facilities, power, Communications analysis, Business support function analysis, Business Continuity Plan)]
The availability of IT services is required for the continuity of business processes.
The Disaster Recovery Plan is a part of the Business Continuity Plan.
Thank you for your attention
Gérard Vanel, Managing Consultant, IGS Consulting, gva@ch.ibm.com
Contact
Gérard Vanel, Managing Consultant, Certified Professional, IBM Global Business Services
IBM Suisse, Chemin de Blandonnet 8, CH-1214 Vernier, Switzerland
Mobile No: +41 79 4482741
E-mail: gva@ch.ibm.com