Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
1
Business Continuity Business Continuity Planning: Planning:
Bridging the Gap Bridging the Gap Between IT and Between IT and
BusinessBusiness
Steve Burns, PresidentSteve Burns, PresidentEverGreen Data Continuity, Inc. EverGreen Data Continuity, Inc.
sburns@[email protected]
2
The Hard FactsThe Hard Facts
• One-third of businesses don’t include a recovery sequence for business functions. . . . META Group
• Nearly half of the organizations that lose data as a result of a disaster
never re-open and are out of business within 2 years. . .
University of Texas, Center for Research on IS
3
Why Do Plans Fail?Why Do Plans Fail?
• The answer is in the question– It’s a plan, not a program– Programs are living and threaded
throughout the organization
• The wrong recovery strategy was chosen– It worked for IT, but not the business– The technology in the plan is no longer used
4
Continuous Operations Continuous Operations vs. Disaster Recoveryvs. Disaster Recovery
• Disaster recovery is traditionally an IT responsibility
• Covered IT infrastructure and network communications
• Business functions require continuous operations
How do you bridge the gap?
5
Work Backwards
• Throw out the traditional way of thinking
FirstDefine business requirements and priorities
Then• Map requirements to infrastructure that
supports it– applications, systems, voice, networks, data
center as an entity
6
How?
• Conduct a BIA independent of the IT staff
• BIA from a financial standpoint is only half the story– Outage Tolerance– Operational Dependency
7
The Business Perspective
• Get the business perspective on IT usage– Perform functions– Create critical prioritization of assets and IT
infrastructure based on business need
• Viewpoints– Financial– Tolerance– Dependency
8
IT Recoverability
• Conduct a Risk Assessment independent of the business staff
• Review all applications, systems, data centers, storage, high availability, security and disaster preparedness
• Define true recoverability of the IT infrastructure
9
There is a GAP!
Most organizations have a tremendous gap between
the time business units say they need critical
functions “live” and how fast the IT staff says they
can actually recover the functions.
10
How Do You Close the Gap?
• Set up a Recovery Task Force– Business leaders that
identify critical resources, assets and priorities– IT leaders that identify system requirements
and recovery procedures for critical systems– Responsibility to identify interdependencies
and their links– Reports must outline 4-5 levels of priority
11
DefiningInterdependencies
• Two-Phased Approach• Business Process
Dependencies Matrix– Functions, not departments– Two-way dependency
• IT Dependencies Matrix– Recovery procedures of each system,
application– Two-way dependency
12
Business Continuity Planning Matrix
• Business Recovery Needs
• IT Recovery Needs
• Aligned by RTO and RPO
13
Formulating Recovery Strategies• Multiple options – hot
site, cold site, internal, etc.• Blend of: – Best technological solution to close the gap
from an IT perspective – Solutions within budget constraints
Close the GAP as much as you can in Year 1 of a 3 year plan to mitigate your risks
14
Business Continuity Planning
• Goal is to provide an actionable and streamlined Business Continuity Plan for the recovery of business operations and supporting IT
• Define all organizations, locations, applications, systems, assets
• Define recovery team structures and responsibilities
15
Business Continuity Workshop
• Introduce the program to business leaders
• Business units begin to formulate continuous operation procedures
• Review recovery procedures with individual business units
16
IT Workshops
• Introduce project to IT participants
• Formulate recovery procedures for applications, servers, networks, etc.
• Review recovery procedures with individual IT participants
17
Emergency Management Workshop
• Define emergency management team hierarchy
• Command center procedures• Incident response procedures• Recovery site activation procedures• Communications plans• Transportation plans• Continuous operation management
18
Final Planning Pieces
• Develop change management process from an enterprise perspective
• Assist with management program approval and buy-in
• Integrate the plan with current business processes
19
Your Business Continuity Plan
• Chapter 1 – BCP Overview• Chapter 2 – Potential Impacts• Chapter 3 – Recovery Phases &
Organization• Chapter 4 – EMT and DRC
Recovery Team Tasks• Chapter 5 – IT Recovery Plans• Chapter 6 – Business Unit
Recovery Plans• Appendices detailing Command
Centers, Contact Lists, Recovery Requirements, Emergency Plans and a Glossary of Terms
20
Plan Testing
• Disaster simulation andworkgroup recovery
done together
• Identify test objectives for IT and business units
• Document post test report
21
Plan Maintenance
• Develop programs for all components in program, including risk assessments,
BIA, plans and testing
• Teach BCP Coordinator and other critical staff to successfully manage, update and maintain the overall program
22
Critical Responsibilities
• Business Unit and IT Leaders (at least one per unit)– Provide documentation– Attend workshop(s)– Define continuous operations for
critical processes– Manage tasks/responsibilities
related to program– Timely information turnaround– Plan reviews/tabletop exercise– Incorporation of change management
23
Pain Points• Communication is Key
– Project Manager and Project Coordinators
• Lack of Understanding– “Why are you here, why do you
want to know?”• Timeliness of turnaround
– “When do you need this by?”• Process, Process, Process
– Standardize on all data output across the organization• Tread Lightly
– Know your audience• Experience
– Sometimes it’s what they don’t say
24
It’s Easy if You Know How To . . .
• Communication is Key– Weekly/bi-weekly scheduled reviews
• Lack of Understanding– Pre-engagement summaries and notification schedules– Checklists
• Timeliness of turnaround– Defined escalation processes
• Process, Process, Process– Standardize data gathering, analysis and reporting
• Tread Lightly– Coordination of resources with project and unit coordinators
• Experience– Create the best team possible
25
Recipe for Success
• Internal– Software to manage the program– Business Continuity program
manager– Business Continuity Planner– 1-2 Administrators for program– Internal sponsor from management
Or• Outsource the entire program to Experts
– Software– Program Management– Planners and Administrators at Your Location– Monthly Managed Service Fees