Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
Disaster Recovery Plan (DRP)
Presentation for Management
Arriva Serbia (Arriva Litas doo)
Venue – Location
Date
CONTENTS
1. The Necessity of DRP (Disaster Recovery Plan)
2. Current state od DRP
3. Business Impact Analyses (BIA)
4. High-Medium Level Design of DRP
5. CAPEX and OPEX for DRP
6. Discussion
7. Conclusion
2
The Necessity of DRP (Disaster Recovery Plan)
The Necessity of DRP (Disaster Recovery Plan)
• Disaster Recovery Plan (DRP) is documented process or set of procedures with
set of actions that must be executed in case of disaster
• It is "a comprehensive statement of consistent actions to be taken before, during
and after a disaster.“ *
* Wold, Geoffrey H. (1997). "Disaster Recovery Planning Process". Adapted from Volume 5 #1. Disaster Recovery
World. Retrieved 8 August 2012.
• DRP has to protect the business by protecting the IT infrastructure in case of
disaster.
4
The Necessity of DRP (Disaster Recovery Plan)
• The disaster can be catastrophe,
major incident or any other event
with permanent temporary effect
which seriously affect IT
infrastructure and services and, as
a consequence, services provided
to the customers fail and other
business activities also fail or has
very limited functionality.
• The disaster could be:
– be natural
– Environmental
– man-made.
5
The Necessity of DRP (Disaster Recovery Plan)
Relationship to the Business Continuity Plan… *
According to the SANS institute, the Business Continuity Plan (BCP) is a
comprehensive organizational plan that includes the disaster recovery plan. The
Institute further states that a Business Continuity Plan (BCP) consists of the five
component plans: *
• Business Resumption Plan
• Occupant Emergency Plan
• Continuity of Operations Plan
• Incident Management Plan
• Disaster Recovery Plan
* The Disaster Recovery Plan. Chad Bahan.
GSEC Practical Assignment version 1.4b. SANS InstituteInfoSec Reading Room. June 2003. Retrieved 24 August 2012.
Good, short and high level overview from business executive perspective you may read on
https://en.wikipedia.org/wiki/Disaster_recovery_plan
6
The Necessity of DRP (Disaster Recovery Plan)
Reasons why disaster recovery
plans fail: *
1. Fail to Take Disaster Recovery
Seriously
2. Fail to Set Priorities
3. Fail to Update the Disaster
Recovery Plan regularly
4. Fail to Understand Reliance on
3rd party Vendors
5. Fail to Test the Disaster
Recovery Plan
* http://www.burgesscomputer.com/burgess-
technology-blog/maine-technology-news/5-reasons-
disaster-recovery-plans-fail/
7
The Necessity of DRP (Disaster Recovery Plan)
IT disaster recovery plan should be a
top priority: *
1. Machines and hardware fail
2. Much like machines, humans are not
perfect. They make mistakes.
3. Customers expect perfection.
4. Customer retention is costly, but customer
re-acquisition is devastatingly expensive.
5. You’re only as strong as your weakest
link.
Conclusion: Save Money, Save Time, Save
Your Business. Develop a Solid IT Disaster
Recovery Plan.
* http://www.onlinetech.com/resources/references/top-5-
reasons-why-your-it-disaster-recovery-plan-should-be-a-top-
priority
8
The Necessity of DRP (Disaster Recovery Plan)
9
Current state od DRP in Arriva Serbia
Current state of DRP in Arriva Serbia
Out of technical perspective, some
of necessary DRP building blocks
are:
1. Backup&Restore system in place
2. Regular checks of backup/restore
system
3. Offsite store (out of main data
center)
4. Network (Internet and other
connections like VPN) connectivity
and reliability
5. Consolidated server infrastructure –
virtualized as much as possible
6. DR location as secondary
datacenter
11
Arriva Serbia has fulfilled,
comparing to the left side:
• Fully: items 1, 3, 4, 5
• Partially: items 2 and 6
Arriva Serbia is not ready in case of
disaster:
• Still Arriva Serbia does not have
DRP in place
• In case of disaster at least 1 week is
needed to recover some of base IT
services and 2-6 weeks for rest
• Business Impact (damage) would be
substantial.
Current state of DRP in Arriva Serbia
12
How it should look
like:
General graph of
data centres - main
and DR and their
relation
Arriva Serbia does
not have DR Data
Centre
Business Impact Analyses (BIA)
Business Impact Analyses (BIA)
BIA performed for Arriva Serbia:
1. Period June 2015 – January 2016
2. DB template is used (sent to us by Arriva group)
3. Performed by local management team: lead by IT manager, supported by MD
4. 68 applications and tools are covered *.
5. For every application or tool we have clearly stated:
– Responsible persons: Process owner, application owner, technical maintenance
– ICT Security Officer (same for all)
– Objectives: RTO (Recovery Time Objective), RPO (Recovery Point Objective)
6. Most critical applications and tools have RTOs and RPOs 1-2 days.
7. Internal audit (report from May 2016) requested BIA. In Feb 2016 we reported back that
BIA is completed and sent all BIA documentation back to the group
8. BIA is base for DRP development
* We used BEAM (Arriva application landscape tool) list for BIA; note that one application is stated as several separated
applications if it is categorized in different business domain. So we have less than 68 in reality.
14
Business Impact Analyses (BIA)
15
RPO and RTO
Business Impact Analyses (BIA)
16
RPO and RTO
Business Impact Analyses (BIA)
17
RPO and RTO
High-Medium Level Design of DRP
High-Medium Level Design of DRP
1. Considerations started in 2014 by IT manager
2. Considerations intensified since October 2015
3. Decision is made (Jan 2016) by MD is to implement DRP until 30 June 2016;
4. Internal Audit is informed about the decision;
5. Approval is given to IT manager to complete high-medium level design of DRP
6. IT system integrator (Coming Computer Engineering) is given to do the job (Jan
2016) as one of most serious system integrators in the country with excellent
references in DRP designs and DRP implementations.
7. The design is done by:
– Arriva IT employees (IT manager, system administrator)
– Coming CE (3 system engineers)
– MDS (Cisco partner for networking, maintain Arriva network for years)
8. The design is completed on 09 Mar 2016 and quote received on 11 Mar 2016
19
High-Medium Level Design of DRP
The solution designed provides following benefits:
1. Cloud based:
1. Significantly less CAPEX+OPEX needed in total, primarily less CAPEX
2. Much more flexibility possible (both in IT resources volumes and time)
2. Legislation conditions met:
1. Still not all data can be stored out of Serbia / legislation not clear enough
3. Improvements in server virtualization platform (technical from Hyper-V to
VMware)
4. Unified solution for disaster recovery, backup and restore
5. Improvements in regular restore tests
6. Improvements in backup&restore process and procedures since technical
platform will change (from SBE to VEAAM)
7. Disk-to-disk backup solution: first set of backup copies in main data center and
second set on DR site. We will not use data tapes anymore.
20
High-Medium Level Design of DRP
The solution designed is made having in mind the following assumptions:
1. Current state and desired state of Arriva Serbia IT infrastructure;
2. Arriva Serbia does not want to have some solution where Arriva would be the
first client of Coming;
3. Arriva Serbia want to use a solution like solution already proven as very good
ones with other Coming clients; we need proven processes, technologies and
vendors involved
4. Agreements to sign:
– SLA (Service Level Agreement) – 24x7 support, defined RTOs and RPOs
– NDA (Non Disclosure Agreement);
5. 2 disaster recovery test per year.
6. Minimal (as possible) disruption and downtime of IT services and of daily
operations – part of work will have to be done out of working hours
21
Implementation proposal – timeline, CAPEX, OPEX
Implementation proposal – timeline, CAPEX, OPEX
Timeline:
1. Preconditions to meet before start of DR solution implementation:
– Complete implementations during April 2016:
– new servers
– new Active Directory (2012 R2)
2. DRP implementation for 6 weeks:
– start on Monday 09 May 2016 and complete until Friday 17 June 2016.
– Work during working hours and out of working hours included.
– Post implementation work needs to be done until end od 2016 to optimize
other less critical processes for restore on client (users) side. That will be
also included in DRP plan
23
Implementation proposal – timeline, CAPEX, OPEX
24
CAPEX and OPEX needed:
1. CAPEX 22.748 EUR in 2016:
– software permanent licences virtualization (VMware) and backup&restore
system (VEEAM) and 1st year vendor support – all for main datacentre
– implementation costs (virtualization, backup&restore, network, etc.)
2. OPEX monthly – starting from June 2016:
– 2.250 EUR for current needs:
– Few near future pending needs included already;
– price is of renting infrastructure on the cloud side (DR data centre):
– virtual resources (servers, storage, processors, memory, network, etc.)
– support 24x7 with SLA
– 2 DR tests during the year
– Price for maintaining virtualization platform on main (Arriva’s) data centre
Discussion
Conclusion
Conclusion
27
Disaster Recovery Plan needs to be implemented in near future as planned to:
• protect our business from substantial damage or even closure;
• be able to keep good reputation as reliable company among:
– Our customers;
– Communities where we operate;
– Partners;
– Competitors;
– Authorities.