Continuity of Operations Planning: COOP 101
Stephen X. Mazzuca, Sr. Account Executive
Federal Sales
www.ParadigmSolutionsCorp.com
What is CONTINUITY OF OPERATIONS PLANNING?
As defined by the Disaster Recovery Institute:
The ability of an organization to ensure continuity of service and support for its customers and to maintain its viability before, after, and during an event.
Simply Stated:
The ability to stay in business after a disaster strikes!
Copyright © CER 2003
BENEFITS OF A CONTINUITY OF OPERATIONS PLANNING PROGRAM
• Reduce Disaster Impact on the company.
• Provide a Reliable Source of Information to be used at time of Disaster.
• Provide Ongoing Maintenance of all Plans.
• Provide Ongoing Testing of all Plans.
• Plan Timely response to loss of business and computing resources.
• Provide Clear understanding of Roles and Responsibilities.
NEED FOR CONTINUITY OF OPERATIONS PLANNING
• Contractual & Legal obligations
• Employees Health & Safety
• Liability Exposure
• Cash flow and Financial Performance
• Market Share
• Customer Service
• Brand Image & Reputation
• Sales
• Regulatory Requirements
• COMPLIANCE
Objections to COOP/BCP
• It will happen only to the "other company," and/or
• The odds of our business being struck by a disaster are extremely low, or at least the damage will be minimal.
• Continuity of Operations/Business Continuity Plans are not a government "requirement."
• It is human nature to put off something that "we think" we are not required to have.
• Continuity of Operations Planning, testing, and proper data backup and archiving activities cost money and offer no obvious return on investment.
Perfect Reasons Not to Procrastinate
Statistical Information: Average Hourly Cost of Downtime:
• Brokerage House (or large e-commerce site): $6.4 million
• Credit Card Sales and Authorization: $2.6 million
• Catalog Sales: $90 thousand
• Package Shipping and Transportation Industry: $28 thousand
• UNIX Networks: $75 thousand
• PC LANs: $18 thousand
Average Hourly Cost to Re-create Data: $50 thousand
LEGAL / REGULATORY REASONS FOR COOP/BCP
Federal Mandate
"The head of each Federal department and agency shall ensure the continuity of essential functions in any national security emergency by providing for: succession to office and emergency delegation of authority in accordance with applicable law; safekeeping of essential resources, facilities and records; and establishment of emergency operating capabilities." Executive Order 12656
Legal Statute - D&O Insurance Limitations
"Directors and Officers of companies have a fiduciary responsibility to ensure that any and all reasonable efforts are made to protect their companies. D&O insurance only protects officers if they used good judgment and their decisions resulted in harm to their company and/or employees." Courts will assess liability by determining the probability of loss, multiplied by the magnitude of the harm, balanced against the cost of prevention.
BURDEN of PROOF
The burden of proof would be on Company X to prove that all reasonable measures had been taken to mitigate the harm caused by the disaster.
FCPA
The FCPA (Foreign Corrupt Practices Act) is unique in that it holds corporate managers personally liable for protecting corporate assets. Failure to comply with the FCPA exposes individuals and companies to the following: personal fines up to $10,000, corporate fines up to $1,000,000, and prison terms up to five years.
FFIEC
The Federal Financial Institutions Examination Council (FFIEC) issued an updated policy statement on "Corporate Business Resumption and Contingency Planning" (SP-5) for financial institutions, as of March 1997. It emphasizes that the directors and management of financial institutions must address the inherent risks associated with the loss or disruption of services to themselves and their customers.
OBJECTIVES OF CONTINUITY OF OPERATIONS PROGRAM
The Primary Objectives of COOP/BCP:
• Ensure 'survival' of the organization under a number of postulated business interruption scenarios.
• Define strategies for resumption of the critical business functions to specific performance targets within specified time periods (RTO, RPO, SLA) following the interruption scenario.
The assumption is that the organization's short-term survival will be assured if the resumption/recovery strategies are correctly implemented.
Objectives are delivered via a set of contingency plan components better known collectively as the "Continuity of Operations Plan" or "Business Continuity Plan". These contingency plans include: Emergency Management/Crisis Management, Agency/Business Recovery, and Disaster Recovery.
PLAN COMPONENTS
Contingency Plan Components
Continuity of Operations/Business Continuity Plan: Continuing the operations of an enterprise – "continuity"
• Emergency/Crisis Management: Response/Decision Making/Communications
• ARP/BRP (Enterprise-wide): Planning focused on resumption of critical processes
• DRP (System-oriented): Planning focused on quickly restoring failed IT systems in line with acceptable IT budget impact
User Community: IA and funding dictate the level of recovery a Business Unit/IT Application will receive (i.e., hours, days, weeks)
Contingency Plan Components - Defined
Continuity of Operations Plan - COOP (GSA), a.k.a. Business Continuity Plan - Commercial
Emergency Management/Crisis Management
• Methods for managing a crisis
• Crisis decision-making tool for Executives
• Methods of assessing the criticality of a crisis
• Methods of communicating to employees, media, and emergency response entities
• Methods for Disaster Declarations
Agency/Business Recovery
• Methods of ensuring the resumption/recovery of business processing
• Methods for identifying work-arounds/alternatives
• Methods of recovering key business processing systems (telecommunications, shop equipment)
• Includes Team Work Area Recovery
Disaster Recovery (IT)
• Methods for recovering IT applications, systems, and networks, etc.
• Methods for establishing backup procedures
• Methods for determining alternate processing sites
• May or may not include telecommunications or non-IT business systems
STRATEGIC PLANNING – PHASE 1
Mitigation Strategies
The goal of any mitigation strategy is to minimize negative impact. Planning strategies should be based on the outcome of the Impact Assessment and Risk Assessment.
Planning strategies must encompass the key planning initiatives:
1. Identification: To identify potential disaster scenarios.
2. Assessment: To quantify consequences and disaster impact.
3. Planning: To create recovery plans, strategies, and tactics.
4. Testing: To test recovery plans and related activities.
5. Action: To mobilize when disaster occurs.
6. Recovery: To put the pieces back together, providing business resumption and recovery.
Best Practices for COOP/BCP
Recovery plans must be tested at least once a year to effectively support critical business requirements.
The most cost-effective COOP/BCP plans will be based on priorities determined by a comprehensive Impact Analysis (IA).
• Financial
• Regulatory
• Legal
• Employees
• Sales
• Customer
• Production
• Other
BCP/COOP Strategy
While it is essential to build strategies around a "worst-case" disaster, the strategy must also address three basic needs:
• Prevention: To avoid and minimize disaster frequency and occurrence to the extent possible.
• Anticipation: To identify likely disaster scenarios and assess related consequences.
• Mitigation: To take the necessary steps to react, respond, and minimize any negative
It is much easier to react with a plan in hand!
Five Major COOP Elements
A comprehensive contingency plan must address five major elements:
• Impact Analysis
• Risk Analysis
• The Emergency Response/Crisis Management organization and procedures for reacting to and coordinating recovery efforts – Crisis/Emergency Management Plan
• The Business Resumption procedures for the continuation of critical business processes – Business Agency Recovery Plan
• The Recovery Support procedures for restoring key Information Technology resources – Disaster Recovery Plan
PLAN DEVELOPMENT/IMPLEMENTATION - PHASE 2
Develop and Implement – Phase 2
• Organize procedures to effectively initiate and manage the recovery activities.
• Identify the critical workload and where it will process at time of disaster.
• Identify recovery responsibilities and functions necessary to resume computer processing of critical applications.
• Identify the personnel responsible for maintaining and exercising the various parts of the plan.
COOP/BCP Lifecycle
[Diagram: Continuity of Operations/Business Continuity lifecycle with the stages Analysis, Plan Development, Implementation]
Develop and Implement – Phase 2
BUSINESS RECOVERY PLANNING – ARP
The process of planning to ensure that the agencies can survive an event that causes interruption to normal processes.
It includes:
• Resumption, recovery and restoration phases of all identified agency functions as dictated by SLA (service level agreement) and RTO (recovery time objectives).
• Resumption - Interim procedures to resume survival-critical agency functions.
• Recovery - Interim procedures to continue processing survival-critical, mission-critical, and essential agency functions prior to restoration of the stricken facility.
• Restoration - Returning to reconstructed/permanent facility. All processing restored. Backlog cleaned up.
• Identifying critical agency functions and workarounds.
• Instructions and information on what to do, including essential details on procedures, directions, and schedules.
• Documenting plans to enable agency functions to be resumed/recovered/restored in the event of a disruption.
• In general, the agency recovery plan should expect the worst case.
Develop and Implement – Phase 2 – continued
CRISIS MANAGEMENT PLANNING – CMP
The process for facilitating communications, information gathering and decision-making immediately following the onset of a crisis. It includes and is dependent upon preparedness.
Specifically, crisis management focuses on:
• Identification of the crisis communications team (and others who might assist the team in certain situations)
• Predefined individual and team responsibilities for the crisis management team members
• Contact lists for all internal and external stakeholders
• Responsibilities and procedures for crisis/disaster declaration
• Establishment of Crisis Command Centers for directing the crisis event
• Coordination with affected constituents, such as the community, neighboring industries, and identified support entities (fire, police, hospitals, etc.)
• Links Agency Recovery and Disaster Recovery, via Emergency Management and Direction
Develop and Implement – Phase 2 – continued
IT DISASTER RECOVERY PLANNING Component – DRP
The process of planning to ensure disaster recovery support services for the resumption, recovery and restoration of all identified critical applications, associated systems, and infrastructure contained within corporate computer processing centers, in a timeframe dictated by business requirements (SLA, RPO, RTO).
Until recently, DRP was the only component addressed. Other BCP components did not become essential until after 9-11.
It includes:
• Identifying critical IT applications, systems and their dependencies.
• Preventing failure when appropriate.
• Providing instructions and information on what to do, including essential details on procedures, directions, and schedules.
• Documenting plans to enable critical applications/systems and related infrastructure to be resumed in the event of a disruption as dictated by the Business.
• In general, the disaster recovery plan should expect the worst case.
High Availability Perspective:
Plans should ensure that the inevitable, occasional interruption is transparent to the enterprise's key stakeholders, including customers, stockholders, and employees.
TESTING and MAINTENANCE - PHASE 3
Training Methods – Exercising the Plan
The method of training provided is dependent on the level and complexity of a disaster scenario.
• Full-Scale Exercise: Fully integrated exercise that pulls together all functional areas.
• Functional Exercise: Test individual functional areas within the organization.
• Tabletop / Mini-Drill: Test parts of the plan and reinforce logic and decision-making.
• Orientation / Walkthrough: Designed to familiarize personnel with the plans and equipment.
[Scale shown on slide: LOW, HIGH]
Awareness, commitment, and skills must be repeatedly practiced to maintain the edge necessary for the greatest level of response.
Questions and Answers
Continuity of Operations Planning: COOP 101
www.ParadigmSolutionsCorp.com
Stephen X. Mazzuca, Sr. Account Executive, Federal Sales
Tel (240) 283-3420, Cell (410) 207-7969