Why Should Companies Take a Closer Look at Business Continuity Planning?




Whitepaper

How Datalink's business continuity and disaster recovery solutions can help organizations lessen the impact of disasters and incidents.

Over the last 30 years, companies have significantly changed their approach to ensuring that their businesses can continue to run in the event of a catastrophe. In the 1970s, IT departments responsible for companies' information-based assets focused on the recovery of the data center and associated networks. By the 1990s, the focus had shifted to business units. The commitment of management became a critical success factor in the development of business continuity plans, as both IT and the business were required to develop those plans.

As a result of 9/11, organizations extended business continuity planning to create enterprise-wide plans. Today, executive management is much more involved in ensuring the success of the plans, and the focus has shifted from power, hardware, and software outages to regulatory requirements, business requirements, and non-traditional events such as terrorist attacks.

Figure: evolution of continuity planning, 1970 to 2000

1970: Disaster recovery planning
- Recovery of data centers and networks
- Located in IT department

1980: Contingency planning
- Expanded scope of planning
- Focus of audit / limited support

1990: Business continuity
- Move within business areas
- Management commitment

2000: Business resiliency
- Enterprise-wide planning
- Executive management involvement
- Resiliency and sustainability

Events listed in the figure: power outage, hardware outage, and software outage (repeated for three of the stages); pandemics; terrorist attacks; biological / chemical attacks; business requirements.

May 2010

Business continuity planning / disaster recovery (BC / DR) definitions

Many organizations still merge the terms disaster recovery and business continuity. However, for the purpose of this paper, each term is defined so that all parties involved have the same foundation from which to work.

Disaster recovery is the process by which you resume business after a disruptive event. Events can range from significant (e.g., an earthquake, a terrorist attack) to something smaller like malfunctioning software caused by a computer virus. However, given the human tendency to look on the bright side, many business executives are prone to ignoring disaster recovery because disasters seem unlikely to occur.

Business continuity planning suggests a more comprehensive approach to ensuring that the business can continue to make money, not only after a natural calamity, but also in the event of smaller disruptions including illness or departure of key staffers, supply chain partner problems, or other challenges that businesses face from time to time.

The business continuity plan (BCP) encompasses every aspect of any recovery procedure used to keep a company operating. It provides an understanding of the risks the company has identified, mitigation for those risks, business impacts of the risks, and a mapping of critical business functions to the organization. A part of the BCP, the disaster recovery plan focuses on the recovery or resumption of IT as it supports the business.

Disaster recovery plan
- The document that defines the resources, actions, tasks, and data required to manage the recovery of IT systems that support business functions.
- The plan involves: deficiency analysis, test drills, disaster recovery handbook
- Technological recovery, mostly IT

Business continuity plan
- The creation and validation of a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption.
- The plan involves: risk assessment, business impact analysis, timely recovery of mission-critical processes, return to normal operations

Reasons for developing business continuity capabilities

Changes in business processes and technology, increased terrorism concerns, recent catastrophic natural disasters, and the threat of a pandemic have focused even greater attention on the need for effective business continuity planning. Executive management is now expected to consider the potential for area-wide disasters that could affect an entire region and result in significant losses to the organization. In most cases, recovery time objectives (RTOs) are now much shorter than they were a few years ago, and for some institutions, RTOs are based on hours and even minutes. Ultimately, all business units should anticipate and plan for the unexpected and ensure that their business continuity planning processes appropriately address the lessons they have learned from past disasters.

General Dwight D. Eisenhower said, "In preparing for battle, I have always found that plans are useless, but planning is indispensable." The same thing can be said about business continuity planning. The real value in business continuity planning lies not in the report that is produced (although call-out lists and procedures are definitely of value), but in the following three areas:

- The decision-making / assessment process: Identifying what could happen, associated consequences, prevention and mitigation, and the business risks.
- The data gathering process: Evaluating what type of data you have, who uses it, where it is located, and what risks it faces.
- The increased awareness that results from such a project.

The board and executive management are responsible for ensuring that the organization identifies, assesses, prioritizes, manages, and controls risks as part of the business continuity planning process. The board and senior management should establish policies that define how the organization will manage and control the identified risks. Once a policy is established, the board and senior management must understand the consequences of these identified risks and support continuity planning on a continuous basis.

The business continuity planning process should include regular updates to the BCP. The BCP should be updated based on changes in business processes, audit recommendations, and lessons learned from testing. Changes in business processes include technological advancements that allow faster and more efficient processing, thereby reducing acceptable business process recovery periods. For example, in response to competitive and customer demands, many financial institutions are moving toward shorter recovery periods and designing technology recovery solutions into business processes. These technological advances underscore the importance of maintaining a current, enterprise-wide BCP.

Additional industry practices that are commonly used to maintain a current BCP include:

- Integrating business continuity planning into every business decision
- Incorporating BCP maintenance responsibilities in applicable employee job descriptions and personnel evaluations. Human resources represent one of the most critical BCP components, and often, personnel issues are not fully integrated into the enterprise-wide plan. Based on the business impact analysis (BIA), the BCP should assign responsibilities to management, specific personnel, teams, and service providers.
- Assigning the responsibility for periodic review of the BCP to a planning coordinator, department, group, or committee
- Performing regular audits and annual, or more frequent, tests of the BCP

Figure: drivers of the business continuity plan, by stakeholder

Business managers
- Availability of service: continuous uptime (24x7), e-business
- Manage data: timely, reliable, accurate, available
- Manage change: address customer demands, quick delivery times, change management

CEO, CFO, and CIO
- Globalization of businesses: single global source of products business model
- Corporate image: robust, reliable, resilient

Legal authorities and customers
- Shareholder value: reason to invest
- Legal requirements: Sarbanes-Oxley Act, HIPAA, NFPA 1600 Standard
- Insurance and financial conditions: financial decisions, insurance discounts
- Customer consideration: competitive advantage, customer contract, customer disaster recovery requests from vendors

Plan purpose

A BCP provides for the continuation of critical business functions and the recovery of those functions in the event of a disaster. Many potential contingencies and disasters can be averted, or the damage they cause can be reduced, if appropriate steps are taken to manage through the event. A completed plan outlines the course of action taken in the event of an emergency and the recovery process for business units to return to normal business operation.

The BCP addresses the following:

- How will management prepare employees for a disaster, reduce the overall risks, and shorten the recovery window?
- How will decision-making succession be determined in the event management personnel are unavailable?
- How will management continue operations if employees are unable or unwilling to return to work due to personal losses, closed roads, or unavailable transportation?
- Who will be responsible for contacting employees and directing them to their alternate locations, if required?
- Who will be responsible for leading the various BCP teams (e.g., crisis / emergency, recovery, technology, communications, facilities, human resources, business units and processes, and customer service)?
- Who will be the primary contact for critical vendors, suppliers, and service providers?
- Who will be responsible for security (information and physical)?

Plan objectives

Objectives of the BCP include:

- Reducing the risk of disruption of operations or loss of information
- Communicating responsibilities for the protection of information and continuity of mission-critical business functions
- Minimizing the number of decisions that must be made following an event
- Decreasing dependence on the participation of any one specific person in the response process
- Minimizing the need to develop procedures during response

Plan components

All BCPs need to encompass how employees will communicate, where they will go, and how they will keep doing their jobs. Details can vary greatly, depending on the size and scope of a company and the way it does business. For some businesses, issues such as supply chain logistics are most crucial and are the focus of the plan. For others, IT may play a more pivotal role, and the developed plan may concentrate on systems recovery.

For example, the plan at one global manufacturing company would restore critical mainframes with vital data at a backup site within four to six days of a disruptive event; obtain a mobile PBX unit with 3,000 telephones within two days; recover the company's more than 1,000 LANs in order of business need; and set up a temporary call center for 100 agents at a nearby training facility. But the critical point is that neither IT systems nor supply chain logistics can be ignored, and IT and human resources plans cannot be developed in isolation from each other.

BC / DR is about constant communication. Business and IT leaders should work together to determine what kind of plan is necessary and which processes and business units are most crucial to the company. Together, they should decide which people are responsible for declaring a disruptive event and mitigating its effects. Most importantly, the plan should establish a process for locating and communicating with employees after such an event. In case of a catastrophic event, the plan also needs to account for employees who have more pressing concerns than returning to work, as was recently demonstrated along the U.S. Gulf Coast during the aftermath of Hurricane Ike.

To be successful, the BCP should include the following items at a minimum:

1. Escalation chart: documents the escalation path for specific issues based on prepared scenarios
2. Call list: determines who is on call and how to contact those people supporting specific components of the plan
3. Actions to take: document action items and recommended decisions to minimize decision-making in a crisis
4. Recovery inventories: identify the items required for recovery to determine what can be recovered if lost (e.g., building, systems, etc.)
5. Disaster recovery plans: establish the procedure for recovering IT systems
6. Responsibilities: determine roles and responsibilities of personnel during a disaster and as part of ongoing plan maintenance
7. Priorities: provide the recovery priority and sequence
8. Administration maintenance and exercising: identify required maintenance and sign-offs
9. Organization: details organizational charts
10. Alternate facilities and resources: list backup work and recovery locations (e.g., contracts, vendor)

Figure: BCP components. Labels shown: alternate facilities and resources; recovery time objectives / recovery point objectives; escalation; call lists; organization; actions; administrative maintenance and exercising; recovery inventories; priorities; responsibilities; disaster recovery plans.

Plan organization

Figure: organization of a business continuity plan. Labels recovered from the diagram, in the order they appear:

Risk analysis and business impact analysis
- Mission-critical processes
- Business impact analysis and assessment
- Risk identification
- Risk analysis and assessment

Countermeasures: development of recovery strategy, disaster recovery plan, response and escalation strategy
- Complete infrastructure
- Applications and processes
- Network topology
- Escalation procedures
- Notification tree
- Recovery process
- Workstations / notebooks / printers
- Contracts and service-level agreements
- Data backup and archiving
- Emergency declaration procedures
- Emergency response teams
- Support function teams
- Statutory infrastructure
- Telecom infrastructure
- Servers
- Vendor notification
- Facilities management
- External agencies

Development and implementation of plan
- Solution deployment based on strategy adopted
- Test drills
- Training and maintenance

Below is a sample of how a BCP might be organized:

Section 1: General company information
- Plan mission statement
- Outage emergency definition
- Escalation levels
- Service levels during an outage emergency
- Listing of business functions and processes
- Definition of criticality

Section 2: Business recovery teams
- Description of recovery teams
- List of team members
- List of team tasks

Section 3: Backup procedures
- Configurations
- Inventories
- Applications
- Backup procedures
- Inventories of offsite data, documents, forms, and supplies

Section 4: Recovery procedures
- Hardware
- Software
- Communications
- Applications

Section 5: Implementation plan
- Tasks required for execution of BCP

Section 6: Recovery exercise plan
- Parameters
- Objectives
- Measurement criteria

Section 7: Recovery plan maintenance
- Requirements
- Procedures

Section 8: Relocation / migration plan
- Tasks required to return to permanent site

Appendices:
- Vendor contacts
- Equipment lists
- Personnel information
- Forms / documents

Why build a BCP rather than move to a second data center for disaster recovery?

The most significant benefits of developing a BCP are the organization and prioritization of processes and applications required to recover critical business processes in an orderly fashion. Moving to a secondary site without developing a plan essentially doubles your infrastructure costs and does not ensure business continuity or disaster recovery. Key drivers for these excess costs include:

- Lack of application consolidation and virtualization planning could make determining budget priorities more difficult.
- Lack of process modification could lead to disruptions and additional downtime.
- Unplanned outages during the transition phase could impact the business and customers.
- Not all processes or applications will need redundancy immediately, if at all.
- Lack of a plan may emphasize quantity over quality, which in turn, will decrease productivity and impact the customer experience.
- Failover of equipment does not guarantee failover of systems, extending potential outages.
- Lack of planning could conceal critical interdependencies among in-house applications and other companies.
- Lack of planning may result in purchasing infrastructure to mirror technologies at end of life or late in the technology refresh cycle.
- Lack of planning may impact balancing the risks and benefits of the second site.

Why Datalink?

Datalink's consultative methodology provides a consistent framework for our customers to execute the basic steps to develop a BCP for their organizations. By introducing the steps needed to develop a complete plan, customers can lessen the impact an incident or disaster has on their businesses. By integrating our proven best practices into an individualized process, we turn business continuity and disaster recovery into an overall change process. We get to know each customer's organization, and then leveraging our 20 years of experience as end-to-end data center specialists, we develop a reliable foundation that is tailored to your organization.

Our consultative methodology includes:

- Identifying and validating mission-critical business functions aligned with IT support capabilities
- Improving security and compliance
- Optimizing capital investments
- Reducing the risk of disruption to operations or loss of information
- Establishing documented responsibilities for mission-critical business functions
- Defining and testing disaster recovery plans

Figure: the four phases of the methodology

Phase one: Project initiation (business leaders / decision makers)
- Execution support (sponsor, committee)
- Objective setting

Phase two: Discovery and assessment (historical and current understanding)
- Identify business-critical needs
- Risk identification and assessment
- Business impact assessment

Phase three: Development of strategies (piecing it together)
- Disaster recovery plan (DR)
- Business continuity plan (BCP)
- Response and escalation plans

Phase four: Testing and maintenance (testing and training)
- Gap assessments
- Training
- Preparation

Critical to the execution of a successful project, initiation activities occur during the first week of our projects. Datalink works with customers to finalize the project schedule, secure resource commitments, and outline key procedural processes.

A key element of the discovery and assessment phase is a BIA that identifies the business's most crucial systems and processes and the effect an outage would have on the business. The greater the potential impact, the more money a company should spend to restore a system or process quickly. For instance, a stock trading company may decide to pay for completely redundant IT systems that would allow it to immediately start processing trades at another location. On the other hand, a manufacturing company may decide that it can wait 24 hours to resume shipping. A BIA will help companies set a restoration sequence to determine which parts of the business should be restored first.

Upon completion of the discovery and assessment, we work with customers to develop the recovery strategies, response and escalation strategies, and the BCP. The final phase of our methodology includes the development and implementation of the plans, including the deployment, testing, and integration into change management.

Schedule valuable time with one of our IT specialists to review your BCP objectives today by calling 800.448.6314.

Contact our sales team

To learn more, visit us online at www.datalink.com.

Making IT happen

A complete data center solutions and services provider, Datalink helps Fortune 500 and mid-tier enterprises get the most from every IT investment with storage, server, and network expertise across the infrastructure. We deliver greater business results throughout, designing what we sell, deploying what we design, and supporting what we deliver.

Corporate Headquarters
10050 Crosstown Circle, Suite 500
Eden Prairie, MN 55344
800.448.6314
WWW.DATALINK.COM

2010-2012, Datalink. All rights reserved. The information contained herein is subject to change without notice. WP-BCDR-2.0.12.11