Executive Briefing Topic 5 Info Assurance and Security. Business Continuity and Disaster Recovery For Information Technology




Executive Briefing Topic 5: Info Assurance and Security
Business Continuity and Disaster Recovery For Information Technology
John Pardini, ISYM 540 SSII Current Topics in ISM, 7/26/2009

Overview

Disaster recovery (DR) is the process of preparing for the restoration or continuation of an organization's information technology infrastructure and critical data after a natural or man-made disaster. Disaster recovery planning (DRP) is a subset of a more inclusive process called business continuity planning (BCP) and should include planning for the restoration of applications, data, hardware and communications infrastructure. BCP also includes preparation for non-IT business areas such as key personnel, facilities, disaster communication and data protection. A DR event could be considerable, such as an earthquake or the terrorist attacks on the World Trade Center, or something small, such as malfunctioning software caused by a worm or virus. Given the human tendency toward optimism in relation to technology, many business executives tend to ignore DR because a disaster does not seem to be a likely event. (This student's Vice President of Information Technology often jocularly pronounces: "All disasters shall be scheduled to occur after my retirement.") BCP suggests a comprehensive approach to ensuring an organization is able to function, not only after a natural or large-scale disaster but also in the event of minor disruptions, including illness or departure of key staffers, vendor issues, or other challenges that businesses face (Lyons). Despite these distinctions, the two terms are often married under the acronym BC/DR because of their many common considerations for the business. Interruption of service or data loss can have a serious financial impact, whether directly or through loss of customer confidence; thus, DR has become an integral aspect of enterprise computing. As devices, systems and networks become ever more complex, the number of points of failure has increased exponentially and DR plans have become more complicated as a result.

Years ago, if there was a threat to systems from a fire, a DRP might consist of powering down those systems before the sprinkler system activated, disassembling components and subsequently drying circuit boards with a hair dryer (Toigo). Current enterprise systems tend to be too large and intricate for such hands-on (and preposterous) approaches. Appropriate plans vary from one enterprise to another, depending on variables such as the type of business, the processes involved and the level of security needed. DR plans may be developed within an organization or purchased as a software application or an external service. It is not unusual for an enterprise to spend 25% of its Information Technology (IT) budget on DR (Doherty). Nevertheless, the consensus within the DR industry is that most enterprises are not prepared for a disaster. According to a survey conducted by Harris Interactive, "Despite the number of very public disasters since 9/11, still only about 50 percent of companies report having a disaster recovery plan. Of those that do, nearly half have never tested their plan, which is tantamount to not having one at all." Additionally, the same Harris poll indicated that more IT leaders than business executives understood that planning for DR should be a top priority and pursued at whatever investment is required. The survey also reveals that IT departments are not receiving the budgets required to achieve the recovery objectives desired by the business line leaders.

Business Considerations

All BC/DR plans need to encompass how employees will communicate, where they will go and how they will perform their jobs when a disaster strikes. The details can vary greatly, depending on the size and nature of an organization and its methods for doing business. IT may play a pivotal role, but the BC/DR plan should focus on overall recovery for the entire organization. For example, the BC/DR plan at an energy company would restore critical mainframes with vital data at a backup site within two days of a disruptive event, obtain a call center management unit with several hundred telephones within two days, recover the company's computers in order of business need and set up a temporary call center for 50 agents at a nearby divisional facility. The critical point is that no element can be ignored, and physical, IT and human resources plans cannot be developed independently (Humphrey). Business leaders and IT management should work together to determine what kind of plan is necessary and which systems and business units are vital to the company after a disaster. They should decide which employees are responsible for declaring a disaster event and mitigating its effects. The BC/DR plan should also establish a process for locating and communicating with employees after a disaster event. In a catastrophic natural event, the plan will also need to take into account that many employees may have more pressing personal concerns than work and their employer's recovery efforts. Due diligence for BC/DR planning should include a comprehensive business impact analysis (BIA). This exercise identifies the organization's essential systems and processes and the effect an outage of each would have on the organization. The greater the potential impact, the more expense that should be allocated to restoring that system or process rapidly.

Another goal of the BIA should be to define objectives for the recovery of the computing systems that run the applications supporting the business processes. The Recovery Time Objective (RTO) is the maximum number of hours or days business leaders will accept for a business process or system to be returned to service. The Recovery Point Objective (RPO) is the maximum acceptable age of the data restored after a disaster; in effect, it bounds how much recent work may be lost. Technology, personnel and facilities are in a constant state of flux at any company. IT and business leaders should train additional employees to perform emergency tasks, because the primary employees counted on to lead in an emergency may not always be available (or, worse, may be involved in the disaster themselves in a way that precludes their participation in the recovery). The BC/DR plan should establish an offsite meeting location and a disaster communication plan for all employees (including executives). Recovery plans should be practiced with employees and recovery teams to determine the integrity of the plan as well as to prepare people in advance of a disaster. Companies should schedule regular tests of their BC/DR plans to reveal and accommodate changes and to work toward constant improvement. Organizations should invest in an alternate means of communication in case the phone networks are disrupted. (This student persuaded his firm to purchase satellite phones for deployment to the company's critical locations in disaster situations.) Leadership should make BC/DR exercises realistic enough to tap into employees' emotions and gauge reactions when the situation becomes stressful (Collett). The BC/DR planning team should strive to create partnerships with local emergency response groups to establish a closer rapport.
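As an added example (not part of the original briefing) of how BIA outputs are used in practice: each system carries an RTO, an RPO and an impact rating from the BIA, and the checks below report which systems would breach their RPO given the time of their last good backup, the order in which to restore them, and which would miss their RTO if a single recovery team restores them in sequence. All system names, ratings and timestamps are constructed, and the single-team assumption is mine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BiaEntry:
    """One row of the business impact analysis (all values constructed)."""
    system: str
    impact: int                 # 1 (lowest) .. 5 (highest) business impact
    rto: timedelta              # maximum tolerable time to return to service
    rpo: timedelta              # maximum tolerable age of restored data
    restore_time: timedelta     # estimated hands-on time to rebuild/restore
    last_good_backup: datetime  # timestamp of the last verified backup


def data_age_at(entry, disaster_time):
    """Age of the data that would be restored if disaster struck at disaster_time."""
    return disaster_time - entry.last_good_backup


def rpo_violations(entries, disaster_time):
    """Systems whose restorable data would already be older than their RPO."""
    return [e.system for e in entries if data_age_at(e, disaster_time) > e.rpo]


def recovery_order(entries):
    """Restore tightest-RTO systems first; break ties by higher business impact."""
    return [e.system for e in sorted(entries, key=lambda e: (e.rto, -e.impact))]


def rto_shortfalls(entries):
    """Walk the recovery order with one recovery team (an assumption) and return
    {system: projected finish time} for every system finishing after its RTO."""
    by_name = {e.system: e for e in entries}
    clock = timedelta(0)
    late = {}
    for name in recovery_order(entries):
        clock += by_name[name].restore_time
        if clock > by_name[name].rto:
            late[name] = clock
    return late


# Constructed sample BIA for a small firm; a disaster is assumed at 2009-07-26 09:00.
DISASTER = datetime(2009, 7, 26, 9, 0)
SAMPLE_BIA = [
    BiaEntry("order-entry", 5, timedelta(hours=4), timedelta(hours=1),
             timedelta(hours=3), datetime(2009, 7, 26, 8, 30)),
    BiaEntry("email", 4, timedelta(hours=8), timedelta(hours=24),
             timedelta(hours=2), datetime(2009, 7, 25, 22, 0)),
    BiaEntry("payroll", 3, timedelta(hours=4), timedelta(hours=24),
             timedelta(hours=2), datetime(2009, 7, 24, 22, 0)),
    BiaEntry("intranet-wiki", 1, timedelta(days=3), timedelta(days=7),
             timedelta(hours=1), datetime(2009, 7, 20, 22, 0)),
]

if __name__ == "__main__":
    print("RPO violations:", rpo_violations(SAMPLE_BIA, DISASTER))
    print("Recovery order:", recovery_order(SAMPLE_BIA))
    print("RTO shortfalls:", rto_shortfalls(SAMPLE_BIA))
```

In the sample, payroll fails both checks: its backup is a day too old for its RPO, and with one team it is only finished five hours in against a four-hour RTO, which is exactly the kind of finding a BIA should turn into a spending decision (more frequent backups, a second recovery team, or a relaxed objective agreed by the business).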

Failure to bring business leaders into the planning and testing of the organization's recovery efforts, and insufficient support from senior-level managers, could lead to calamity during and after a disaster. BC/DR teams should review the organization's performance during each BC/DR test exercise to reveal weaknesses in the plan that can be remedied before an actual disaster occurs. "There are so many interdependencies today. It's not just a physical recovery issue, it's not just a technology issue, it's not just a line of business issue, and it's not just a corporate issue. Until you've actually gone through the exercise, you don't see how it might unfold. The more times you do it, the better prepared you'll be" (Collett).

Conclusion

As recognition grows of the key role a well-developed, maintained and exercised BC/DR plan plays in the make-up of an organization, it is critical to recognize that the role of upper management should evolve beyond buy-in. The buy-in level of support implies a willingness to fund the enterprise, hire the appropriate staff and delegate responsibility. The overall success of a BC/DR plan, and the ability of an enterprise to remain resilient in challenging situations, will become increasingly dependent on the integrated involvement of corporate leadership throughout the process. While essential roles are played during all phases of BCP, one of the most obvious being the role played by emergency personnel during the immediate response to an incident, much of the capacity for a successful response is determined in the earliest phases of the business continuity plan development lifecycle. It is in these early phases that corporate leadership must play an integrated and comprehensive role in the process. The decision about how much loss the organization can accept must be made by executive management, based on a full understanding of the organization's interdependencies and all the potential impacts of a loss (Sharon).
The ideal end state for a business continuity plan is one that permits on-going functionality at an acceptable level, even when impeded by challenging circumstances and unscheduled disasters.

Sources

Collett, Stacey. "Disaster Drill: Practice Makes Perfect." CSO. June 15, 2005. <http://www.csoonline.com/article/217660>
Croy, Michael. "Landing On Your Feet: Being Prepared in the 21st Century." Disaster Recovery Journal. March 7, 2005. <http://www.drj.com/articles/win05/1801-01.html>
Doherty, Patrick. "Calling IT to Action for DRP." ZDNet. July 8, 2009. <http://news.zdnet.com/2100-9595_22-318844.html>
Harris Interactive. "State of DR Planning 2009." Sungard DDA. May 3, 2009. <http://www.sungard.com>
Hoffman, Paul. "Disaster Avoidance and Recovery Planning." Focus. July 10, 2009. <http://www.focus.com/ugr/research/information-technology/disaster-avoidance-andrecovery-planning/>
Humphrey, Anne. "Beyond Buy-In: The Case for Executive Level Involvement in Developing a Business Continuity Plan." SANS Institute. 2006. <http://www.sans.org>
Lyons, Barry L. "Determining Which Functions Should Be Up First: Disaster Recovery Considerations." SANS Institute. 2006. <http://www.sans.org>
Sharon, Bill. "Risk and Disaster Management." Continuity Central. June 1, 2009. <http://www.continuitycentral.com/feature0230.htm>
Toigo, Jon. Disaster Recovery Planning. Toigo International. New York: Wiley, 2006.
Wheatley, Malcolm. "Disaster Recovery: Write People into the Plot." CSO Online. June 5, 2006. <http://www.csoonline.com/article/220446/disaster_recovery_ Write_People_into_the_Plot>