ONLINE REPORT SPONSORED BY: BUSINESS CONTINUITY

Special Report

BUSINESS CONTINUITY: IT BEGINS WITH A PLAN
WHEN IT COMES TO NETWORKING, PLAN FOR THE WORST
CLOUD: TAILOR-MADE FOR CONTINUITY PLANNING
21ST CENTURY COMMS BRING OPPORTUNITIES, PITFALLS
TELEWORK READY FOR STARRING ROLE IN CONTINUITY PLANS


FCW SPONSORED REPORT 2

Special Report BUSINESS CONTINUITY

WWW.FCW.COM/2013BUSINESSCONTINUITY

BUSINESS CONTINUITY: IT BEGINS WITH A PLAN

If the unthinkable were to occur and your agency had to continue providing essential services and performing essential activities, would you know what to do and where to go?

In most cases, the answer is yes. Today, thanks to lessons learned from past disasters and government requirements, most government agencies and departments have some type of business continuity plan that allows them to maintain critical functions.

The groundswell for developing formal business continuity plans began in 2007, when President Bush issued the National Continuity Policy, requiring a single National Continuity Coordinator responsible for coordinating the development and implementation of federal continuity policies. That spurred most federal agencies to start developing business continuity plans, with many state governments following suit.

To help federal agencies develop effective plans, FEMA offers a continuity of operations plan template and instructions for federal departments and agencies. The template includes sample text that complies with federal continuity directives.

FEMA offers a similar template and instructions specifically for non-federal entities. In addition, the National Association for State CIOs (NASCIO) has developed a suite of planning tools, with different templates for different government functions.

Making a plan truly effective

The effectiveness of an organization’s business continuity plan rests on several factors: how well it spells out what data, applications and personnel are critical, how well it communicates the plan, and how often it is tested.

The first step in developing a business continuity plan is to conduct a business impact analysis. This step, which can be aided either by software or a consultant, involves doing an inventory of all applications, data, and people and assessing their impact on operations – and what happens if they are not available.

Be careful during this process to ensure that adjunct but important applications that help keep critical applications running are included in the assessment, warns Bob Laliberte, senior analyst for Enterprise Strategy Group.

It’s also important during this stage to ensure that various groups that work together in a disaster are coordinated. That means understanding what capabilities of each group would work together with the capabilities of other groups, and communicating your business continuity measures with those other groups. For example, Montana’s business continuity plan includes a continuity of operations agreement between its Department of Military Affairs, Disaster and Emergency Services Division and Department of Administration.

From the assessment, it will become obvious where gaps exist. If the organization doesn’t have written procedures or hasn’t notified people what to do in case of emergency and how to access data and applications remotely, for example, this is the time to address that.

The next step is writing the plan. The document should address which resources are critical, how those resources will be allocated, which applications and data will be accessible via mobile devices, how crisis communications will occur, physical locations where personnel can go, and how to manage likely incidents.

Once the plan is in place, don’t simply put it aside until an emergency arises, or you could be in for an unpleasant surprise.

“What was implemented and worked on Day 1 might not work as well on Day 100,” Laliberte says. “Technology changes and needs change.”


Instead, test the plan once it is finalized and again at set intervals after that. In the beginning, your training drills should simulate situations that could realistically arise, which allow staff to fully understand how things will change and what it will take to get back to full capacity again.


WHEN IT COMES TO NETWORKING, PLAN FOR THE WORST

If a hurricane, flood, earthquake or even local construction strikes your data center, will your network survive unscathed? There are many reasons why networks fail during disasters. There is, of course, the physical networking equipment; if it isn’t properly secured, it can be subject to ruin. Preventing disaster during a flood, for example, requires having the foresight to keep equipment off of the ground. In addition, using carrier-grade telecommunications equipment instead of enterprise-grade equipment will provide better backup and protection, making the equipment better able to withstand a host of problems.

But far more prevalent is interruption of the telecommunications path, because network connectivity is susceptible to interruption through fiber cuts, which are caused by natural disasters or even outside activity like construction.

To protect against fiber cuts, it is important to have fully diverse fiber optic connectivity in the data center, says Paul Savill, a senior vice president at Level 3, a Tier 1 Internet provider.

The problem is that different telecommunications carriers often use the same rights-of-way to bring fiber into a given building or data center.

“So it’s not good enough to get half of your circuits from Verizon and half from AT&T,” he said. “You have to ask your service provider for physical network maps with enough detail to show detail about where the fiber runs—what street, what side of the street, how it comes into the building. And make sure that those entrances into the building are on different sides of the building.”

It’s also critical to ensure that the service level agreement offers the full range of protection needed. That means, for example, that the SLA from the prime contractor should cover you end-to-end, even if a third party is involved. In addition, your service provider should be willing to custom design your data center to suit your targeted SLA and performance level.

It’s also a good idea to include wireless networking as part of the plan in case your fiber optic network is out of service—something more likely to happen with wired networks because network infrastructure is so complex.

Wireless networking increasingly is becoming an important part of business continuity planning. According to a 2012 business continuity study from AT&T, which focused on IT executives in Texas, two-thirds of executives now include their wireless network capabilities as part of the business continuity plan.

Critical for government

While maintaining connectivity is critical for all businesses, it is especially important for government agencies, many of which provide vital services that must be running continuously.

“Federal agencies can’t afford to just ‘check the box’ for continuity of operations and disaster recovery,” said Edward Morche, senior vice president and general manager of Level 3’s Government Markets Group. “Any disruption in network connectivity can seriously compromise operations, confidence and the mission.”

The Social Security Administration is one agency that hasn’t left anything to chance. Through its Networx contract with Level 3, the agency now has multiple 10 Gigabit connections in its data centers. The solution meets SSA’s network performance, scale, capacity and usability requirements.

State and local government agencies have similar requirements. Buncombe County, N.C., for example, has deployed four BridgeWave AR80 point-to-point 80 GHz capacity wireless links, which provide backup for its main county fiber-based network. The solution helps Buncombe County’s police, fire and emergency medical dispatch continue working during crises.

As networks get more complex, network viability and redundancy, along with wireless networking backup, are more important than ever.


CLOUD: TAILOR-MADE FOR CONTINUITY PLANNING

With the federal government’s “Cloud First” initiative as a motivator, government agencies are taking the value of the cloud seriously. Cloud adoption has risen dramatically over the past few years and continues to rise as the business case is proven over and over again.

One area where the cloud makes a great deal of sense is business continuity. If your applications, infrastructure or valuable data are accessible from anywhere, a disturbance in standard operations has much less of an impact.

“The merits of the cloud by default make it one of the prime candidates for continuity of operations,” says Chris Smith, U.S. Federal Chief Technology and Innovation Officer at Accenture. “The fact that you have a ubiquitous computing capability that, if architected correctly, could withstand just about any type of event and have resilient failover between sites, is what makes it so valuable.”

Take the example of 2012’s historic East Coast storms, including Hurricane Sandy. Agencies that had their information residing in a cloud- or shared services-based environment had access to that information as long as they had access to a network. Agencies that didn’t ran the risk of having their operations come to a grinding halt.

The federal government’s General Services Administration showed exactly how that works. All of the agency’s IT systems functioned properly during the storm, and the agency was able to use its cloud-based email platform to foster emergency response and recovery operations.

Most agencies can’t put everything in the cloud, however. When evaluating cloud candidates with business continuity in mind, it’s most important to consider moving whatever is critical to the mission of the organization. That might include applications, records, planning documents and vital records. For example, the financial arm of an agency charged with making grants in case of emergencies would need access to the rules, regulations and program information to execute those grants.

Other functions to consider for the cloud include unified communications, email and storage. Unified communications are especially important because they can keep people in touch when traditional channels are disrupted.

Making it work

According to Market Research Media’s report, “U.S. Federal IT Business Continuity and Disaster Recovery Market Forecast 2013-2018,” the federal government will greatly increase adoption of cloud technologies with integrated business continuity functions. Many agencies are well on their way, including the Defense Department and the National Oceanic and Atmospheric Administration (NOAA).

Many state governments have turned to the cloud with business continuity in mind as well, including Michigan, Texas, New Mexico and North Carolina.

Deciding what to move to the cloud for business continuity reasons is an important step. But what really brings it together is having a comprehensive plan and using the right tools to define policies. That means being able to set up policies for what will happen in case of emergency—how applications will scale, how access will be extended, and who gets priority access.

“The cloud isn’t a silver bullet. There needs to be diligence and forethought: how are you going to operate, where are you going to operate from?” says Smith.


21ST CENTURY COMMS BRING OPPORTUNITIES, PITFALLS

When disaster strikes, communication is key. Getting the right information to the right people is not only useful for keeping organizations afloat, but can be critical to physical safety.

Two technologies that have made a big difference in how key team members communicate in recent disasters are mobility and social media.

“They provide alternative ways to communicate, which is especially useful when traditional methods aren’t available,” says Bob Laliberte, a senior analyst for Enterprise Strategy Group. “Anything that helps enable collaboration or sharing information in times of crisis is positive.”

Smartphones, of course, provide an alternative means of voice communications, which is important. But just as important, they can be used for texting, email, and accessing social networks.

They can also be used to find out what locations are operational and where employees are directed to go, and what applications and services are still functional. What’s more, smartphones and tablets are a good place to store a copy of the organization’s business continuity plan and emergency contacts, which may not be accessible via normal means during a disaster. With that in mind, it’s important to ensure that the devices are kept up to date and backed up periodically.

Mobility also fosters productivity. If your files or applications are stored in the cloud, for example, you’ll still have access to them and can conduct some level of business. The same is true if you store critical apps and/or files in a service like Evernote or Dropbox.

Social media also can be a lifesaver during emergencies. In fact, Gartner, a market research and consulting firm, predicts that by 2015, 75 percent of organizations with business continuity management programs will include social media services in their crisis communications plans.

There are many benefits to using social media in times of crisis. Not only can organizations use social media to keep employees or citizens up to date, but it can be used to collaborate with other agencies or divisions providing relief or trying to bring a data center back up.

In fact, it has been used successfully in many emergencies. For example, when a gunman opened fire at Ft. Hood, Texas, in November of 2009, soldiers, as well as the public, got updates via Twitter.

After a 2010 earthquake in Haiti, social media helped connect healthcare workers who needed supplies with those who had them. During that crisis, related tools such as text messaging, interactive online maps and crowdsourcing also played a big role.

And during a 2012 tornado in Joplin, Mo., state officials asked for help by sending this tweet: “We’re looking for photos of damage & recovery efforts in #Joplin. Submit them to us on Twitter or on Flickr at http://on.mo.gov/finIKJP.”

Use with caution

As useful as these technologies are, Laliberte recommends caution.

“You don’t want someone sending a message on Twitter saying that the data center was just flooded,” he notes. “You have to have policies around the use of social media in particular or you can do as much harm as good.”

The best uses of social media in a disaster situation are to dispel rumors, announce important information such as closures and weather warnings and provide guidance. On the other hand, it’s probably not a good idea to use social media when the message is meant for a specific group, when it contains confidential information, or when you need a response back.

The Information Systems Audit and Control Association, a global association for IT governance professionals, recommends that business continuity plans include policies and procedures defining the proper use of social networks during a crisis, including a list of approved sites and approved spokespeople. Taking this step in advance of a crisis will help ensure that they don’t create panic in a tough situation.

Gartner, in its most recent advisory, also recommends determining which social media platforms are most often used by employees and citizens and sticking to those when disaster strikes.


TELEWORK READY FOR STARRING ROLE IN CONTINUITY PLANS

Telework has become increasingly popular in government over the past several years, mostly due to the potential for cost savings, better employee satisfaction and less pollution. Arizona, for example, started teleworking in 1989, and today, more than 17 percent of the state’s workforce in Maricopa County work remotely.

And yet some experts say that most government agencies have not realized telework’s full potential, especially when it comes to business continuity planning.

“I haven’t always seen business continuity as a main driver for telework, but I can’t imagine a business continuity plan without telework as an essential part of it,” says Vanessa Godshalk, managing director for talent and organization in Accenture’s federal practice. “It helps build resilience in your organization when your people can work anywhere, anytime.”

During Hurricane Sandy, more than 4,000 GSA employees in affected areas used telework as a way to maintain continuity of operations. And during a massive snowstorm in the Washington, DC, area that shut down much of the government, more than 2,500 employees from the U.S. Patent and Trademark Office were able to continue working uninterrupted.

State and local governments are also getting the message. In a November 2012 memorandum about adopting telework in Montgomery County, Md., business continuity was a selling point. Likewise, Texas health and human services agencies are considering expanding the current telework policy, citing one major benefit as business continuity.

Laying the groundwork

The agencies that are most successful in using telework when disaster strikes are those that take business continuity into consideration when developing their telework policies and infrastructure. They implement the technology and policies necessary, they make telework part of the fabric of the agency, and they put their technology and plans to the test.

On the technology side, that means ensuring that all employees have some type of mobile device. The move toward notebooks in the office is a good example, but increasingly employees are using smartphones or tablets for work purposes as well. If they are expected to use these devices from home, it’s important not only to have a secure network but policies that stipulate what data and applications employees can access depending on how they are connecting to the network.

A unified communications infrastructure can be invaluable, letting people virtually check in and communicate through whatever means are available at the time, whether that is email, text, landline, video chat or cellphone. Collaboration tools, built on that infrastructure, can enable meetings to continue as usual, even if everybody is in a different location.

On-demand services also are useful in this scenario. Desktop virtualization, for example, allows employees to access their personal desktops, along with their applications and data, remotely. The settings and data are streamed to whatever device is being used.

Finally, it is important to change the perception of telework as something that is convenient and cost-effective to something that is essential for business continuity.

“Don’t underestimate the management and cultural challenges that still exist,” Godshalk says. “There are still a lot of people who are very uncomfortable managing in this model, and that has to change for it to work as a business continuity strategy. It forces management to think about how to plan work differently.”


©2013 Level 3 Communications, LLC. All rights reserved.

Many providers of continuity of operations and disaster recovery (COOP/DR) solutions share information about strategy, data center design and data replication techniques. But few directly address one of the most fundamental elements of an effective COOP/DR strategy: the underlying communications network. To help agencies protect against disaster, Level 3 Communications advises government agencies to ask four critical questions of their communications provider.


Learn more at level3.com/government

THAT’S THE LEVEL 3 DIFFERENCE

PEACE OF MIND THAT YOUR DATA IS SAFE AND YOUR OPERATIONS ARE UNINTERRUPTED.