Fundamentals of Business Continuity Planning: Have a Plan!




Fundamentals of Business Continuity Planning: Have a Plan!
Michael Kadar, MBCP, CISSP
2008 MK Continuity & Availability LLC
kadarsro@talkamerica.net
InfraGard Meeting, Walsh College, Novi, March 25, 2008

Overview
In this session:
- We will discuss the post-incident transition from emergency response to business continuity.
- We will review the components of business continuity planning.
- You will perform a quick assessment of your organization's readiness to resume business after an incident.

The Incident
- At 9:00 am on Tuesday a power supply overheats and starts a fire in a communication closet at Plasco Inc.
- A smoke sensor in the closet sets off the fire alarm.
- Security calls 911.

Emergency Response
- Employees are ordered to evacuate and go to designated assembly areas.
- Employees gather in the assembly areas and are recorded.
- Employees are told to go home and await further word.
- The fire destroys part of the building and causes heavy smoke damage before firefighters put it out.

ER Transition to BC
- Employees suffering smoke inhalation are treated on-site by EMS personnel. Worse cases are taken to the hospital.
- Transportation arrangements are made to get all employees home.
- Fire personnel pack up and leave.
- Management and employees ask the question: What do we do next?
- Prepared companies have an answer. Does your company?

Continuation of Business
After personnel are safe or being treated, the next step is to begin the task of continuing business. This is undertaken in one of two ways:
- Reactively: Management has no plans or measures to deal with a major business disruption. They must begin by holding meetings to decide how to recover the business. Unfortunately, they have no way to quickly replace injured employees, damaged equipment, damaged computers, and lost data.
- Proactively: Management activates business continuity plans.

Business Continuity Planning
DEFINITION*: Process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue without interruption or essential change.
* Disaster Recovery Institute International (www.drii.org)

Professional Practices for Business Continuity Professionals
1. Project Initiation & Management
2. Risk Evaluation & Control
3. Business Impact Analysis
4. Developing Business Continuity Strategies
5. Emergency Response & Operations
6. Developing & Implementing Business Continuity Plans
7. Awareness & Training Programs
8. Maintaining & Exercising Business Continuity Plans
9. Crisis Communications
10. Coordination With External Agencies
Source: Disaster Recovery Institute International, Business Continuity Institute

Business Continuity Components
[Diagram labels: Input Business Processes; Business Process with Sub-Processes; Output Business Processes; Process Output: Deliverables; Supporting Resources: Personnel, Information, Finances, Facilities/Equip.]

From Normal to Recovery Operations
[Diagram labels: NORMAL Business Process (Sub-Process 1, Sub-Process 2) with resources Personnel, Information/Data, Facilities/Equip., Finances ($); Threat occurs: Loss of Application/System; Loss of key data resource; DISRUPTED Business Process; Business Continuity Plan; RECOVERY Business Process.]

Normal & Recovery Operations Level Requirements
[Chart: Business Process Operations Level plotted against Time. Labels: Normal Business Operations Level; NORMAL Requirement Level; Recovery Operations Level; RECOVERY Requirement Level; Return to Normal Level; OUTAGE; Recovery Point Objective (max. work in progress lost); Recovery Time Objective (RTO); Normal Time Objective (NTO).]

Operations Level Requirements: Key Support Processes
[Chart: Business Process Operations Level plotted against Time. Labels: Normal Business Operations Level; NORMAL Requirement Level; Recovery Operations Level; RECOVERY Requirement Level; Return to Normal Level; OUTAGE; Recovery Time Objective (RTO); Normal Time Objective (NTO).]

Business Continuity Plan Phases
1. Prevention & Preparedness Phase
2. Response Phase
3. Recovery Phase
4. Restoration Phase

Business Continuity Plan Phases
[Chart: Business Process Operations Level plotted against Time. Labels: Normal Business Operations Level; Return to Normal Level; OUTAGE; Preparedness Phase; Response Phase; Recovery Phase; Restoration Phase; Preparedness Phase.]

1. Prevention & Preparedness
Pre-incident Prevention & Preparedness ensures a readiness:
- to prevent injuries and property damage; and failing that, to minimize injuries and property damage.
- to recover business operations to a level and within a time period acceptable to management.

1. Prevention & Preparedness
Risk Analysis (RA)
- Identify threats, hazards
- Identify existing controls and vulnerabilities to threats
- Identify impacts resulting from threats
- Identify and prioritize risk
- Implement needed additional controls
Business Impact Analysis (BIA)
- Estimate tangible and intangible impacts (losses) at various times after the business disruption
- Identify the Recovery Time Objective [slide callout: Red Target]
- Identify the Recovery Operations Level
- Identify interdependent processes
- Identify resources needed for recovery

1. Prevention & Preparedness
- Recovery Strategies: develop recovery operations strategies
- Business Continuity Plan (BCP) development
- Business Continuity Team training
- BCP exercises
  - Tabletop exercise
  - Simulation exercise (more realistic)
  - Full-scale drills that exercise most or all of the BCP
- BCP maintenance: review contact numbers, resource lists, etc.
- Awareness: articles, activities, presentations

2. Response
Post-incident Response activities:
- Minimize injuries and property damage
- Primary notification of continuity team leaders
- Initial damage assessment
- Decide on whether to activate BCP Recovery procedures

3. Recovery
Post-Response Recovery activities:
- Assemble personnel at an alternate facility, restore computer systems and data
- Recover business operations within the Recovery Time Objective to the Recovery Operations Level (red target)
- Sustain business operations at the acceptable level, replenish depleted resources
- Crisis Management: Emergency Operations Center
- Crisis Communications: employees, customers, suppliers, public, stockholders

4. Restoration
Restoration activities:
- Assess damaged facility and equipment
- Determine what can be salvaged and what must be replaced
- Restore / rebuild facility and resources
- Return business operations from the alternate facility back to the permanent facility

Is Your Organization Ready to Recover?
Two key indicators of an organization's readiness to resume business after a disaster:
- Existence and status of the Business Continuity Program
- Existence and status of Business Continuity Plans
The following slides contain two quick assessments of the state of your business continuity program and plans.

BC Program Assessment
Does your organization have (answer Yes/No for each):
1. Personnel dedicated to the development, exercising, and maintenance of Business Continuity Plans (BCP)?
2. A Corporate Business Continuity Policy?
3. Results from Business Impact Analyses (BIA) and/or Risk Analyses for all business processes?
4. A prioritized business process recovery sequence list based on BIA results showing the mission-critical business processes (MCBP)?
5. Documented business recovery requirements for all MCBPs?
6. An inventory of resources needed by MCBPs during a recovery?
7. An inventory of resources currently available to MCBPs during and shortly after a recovery?
8. A list of BCPs currently documented?
9. The date of last review for each BCP?
10. The frequency of exercises (drill) for each BCP?
11. The date of last exercise of each BCP?
12. The name of the person responsible for each BCP exercise?
13. A list of MCBPs that do not have a documented BCP?
14. A project plan (schedule) showing when MCBPs will have a documented BCP?

Business Continuity Plan Assessment
Does your organization have (answer Yes/No for each):
1. A consistent methodology for BCP development?
2. A consistent template for BCP documentation?
3. A BCP for each mission-critical business process?
4. All BCPs document a designated continuity Team including 24 hour contact numbers?
5. All BCPs include Response, Recovery, and Restoration objectives?
6. All BCPs include Response, Recovery, and Restoration procedures?
7. All BCPs are designed to provide the resources needed during Response and Recovery?
8. All BCPs document support vendors and suppliers including 24 hour contact numbers?
9. All BCPs are reviewed and updated at least twice per year?
10. All BCPs are exercised at least once per year?
11. Each BCP exercise is documented in a report including lessons-learned and scheduled improvements?

Abstract Revisited
In this session:
- We discussed the post-incident transition from emergency response to business continuity.
- We reviewed the components of business continuity planning.
- You performed a quick assessment of your organization's readiness to resume business after an incident.

Where To Get Help
- Business Continuity Institute - http://www.thebci.org/
- Contingency Planning & Management (CPM) - http://www.contingencyplanning.com/
- Disaster Recovery Information Exchange (DRIE) - http://www.drie.org/
- Disaster Recovery Institute International (DRII) - http://www.drii.org/
- Disaster Recovery Journal (DRJ) - http://www.drj.com/
- Federal Emergency Management Administration (FEMA) - http://www.fema.gov/
- Michigan State Police / Emergency Management Division - http://www.michigan.gov/msp/0,1607,7-123-1593_3507---,00.html

Questions?
Michael Kadar, MBCP, CISSP
MK Continuity & Availability, LLC
kadarsro@talkamerica.net
248-545-2397