
TO AN EFFECTIVE BUSINESS CONTINUITY PLAN


www.paranet.com


Introduction

The Snowpocalypse of 2015 brought one winter storm after another, paralyzing the eastern half of the United States. It knocked out power for days and weeks at a time, sorely testing the resiliency of companies of all sizes. In all, the financial damage topped $15 billion.

Barely two years before, Superstorm Sandy hammered New Jersey and New York with gale-force winds and massive ocean surges instead of ice and snow drifts, flooding thousands of businesses and even more thousands of homes. It even silenced the mighty Stock Exchange on Wall Street for nearly a week.

Sounds like real life, playing out the catastrophes predicted in the movie 2012, doesn’t it? Disasters like this happen all the time – a hurricane, an earthquake or a wildfire. With our growing reliance on IT systems and data, business disasters can unfold like a thriller – until you realize that this isn’t some kind of made-for-TV movie or New York Times best seller.


But disrupting your business doesn’t require a natural disaster or even a cyber attack. These days it’s just as likely a sudden power loss or a failed software upgrade. (For example, July 2015 saw a computer glitch halt flights at United Airlines for two hours before it was corrected. The resulting ripple affected 4900 flights worldwide – and cost millions.)

Regardless of the cause, business disruptions happen. Big or small, when they happen to you, the result can be catastrophic to your bottom line.

When companies are hit by disasters, natural or man-made, their physical facilities can be damaged and sustain huge physical losses. However, the potential operations losses can cost even more. Recovering the infrastructure, systems and data to restore operations could take months – if it’s even possible – putting their entire business at risk. In some cases, data losses can even lead to additional lawsuits and litigation fees.

As for Wall Street, a decade earlier an even worse disaster had forced the NYSE to upgrade and harden its infrastructure. But what would have happened to our financial system if they hadn’t? And even though United Airlines suffered only a two-hour outage, look how much damage resulted from not being able to switch over instantly to a safe mode.

Your company doesn’t have to be a financial clearing house or a major airline to be at risk. Restoring your network, your systems, and your applications – rapidly and without loss of data – is critical for resuming normal operations.


What exactly is a business continuity plan (BCP)? A business continuity plan is a set of documented procedures to continue operations if a place of business is affected by different levels of disaster.

The disaster can be short or long term, can be localized to a single office or multiple facilities, and can be centered on physical or information assets.

While a disaster recovery plan (DRP) tends to focus on a company’s physical assets, a business continuity plan covers both physical and information assets. The ultimate goal of a BCP, then, is resiliency – allowing your business to resume normal operations with minimal impact to customers, employees and revenue.

The ultimate goal of a BCP is resiliency – allowing your business to maintain and resume normal operations with minimal impact to customers, employees and revenue.


In reality, there’s no longer a question of if your company needs a recovery plan, but rather how extensive the plan should be. It’s not just about backing up your desktop computers anymore. If you have more than a handful of employees, you’ve got several servers, either on-site or in the cloud. You’ve also got desktops and databases and applications for corporate email, customer relationship management (CRM), HR, payroll, and web presence, as well as the network infrastructure itself. All have to be highly available – possibly 24/7. And all of them are vulnerable to a disaster, hackers, even a simple failure.

How long can your company operate with the interruption of one – or all – of these systems? If you’d find yourself or your customers crippled in such a case, you need a comprehensive plan to restore your operations, data flow and revenue streams.


Five Steps to an Effective Business Continuity Plan

If your company doesn’t have data recovery in its business continuity plan, or you fear the plans are no longer adequate to protect you in the event of a disaster, here are five steps that will put you on the right path.

1. Create a Business Continuity Contingency Statement

2. Conduct a Business Impact Analysis (BIA)

3. Identify and Implement Control Measures

4. Create and Document Recovery Plans

5. Implement Plan Testing, Training, Metrics and Maintenance


Step #1: Create a Business Continuity Contingency Statement

So what is a Business Continuity Contingency Statement? It’s a formalized policy that authorizes development and implementation of a BCP. It acknowledges, from an executive level, the necessity of a business continuity plan to the company’s survival. It also commits resources, time and budget to that effort.

Does this statement authorize a short-term project to develop a BCP? Absolutely not. Achieving business continuity is not a static, one-time effort. Information Technology assets are constantly changing and evolving. Even a software update changes the dynamics of many companies’ IT systems. To address this constant change, the BCP’s structure has to be flexible and adaptable; it has to be a “living” document. Therefore, developing and maintaining a BCP requires an ongoing commitment of time, resources and budget.

IT is not a standalone island of company information, either. When you’re developing a BCP, it’s important to understand the various departments involved and how they mesh together. The BC team, therefore, must have members from departments across the company, not just one or two from IT.


Determining the scope of the plan

• Identifying internal and external elements and assets

• Choosing third-party vendors and systems

• Briefing senior management on the progress of the plan

Assembling documentation necessary to develop a relevant BCP

• Compiling network diagrams

• Reviewing systems documentation

• Documenting equipment configurations

Identifying the following:

• What are the serious threats to the infrastructure – both natural and man-made? This could include power and system failures, cyber attacks, human error, fire, earthquakes, etc.

• What are the most serious vulnerabilities?

• What is the history of any previous disruptions?

• Prioritize the most critical areas that must get back up and running first.

Remember that the plan should be flexible to deal with constant technology changes. But creating a BCP should never be a case of The Blob That Ate Your Company. When you’re creating the plan, keep in mind the scope of the work. Create a timeline with several time-boxed phases to prevent endless iterations. This will allow the BCP team to track its own progress, will prevent “analysis-paralysis” and will keep senior management informed.

After completing the information gathering process, the team should be able to compile and document its findings. It will then work with senior management to create and refine the business continuity plan.


Step #2: Conduct a Business Impact Analysis (BIA)

After the BCP team has gathered the relevant information, it’s time to create a Business Impact Analysis (BIA). The BIA is used to determine how the identified risks will affect the company’s business operations, should they occur. When an incident causes a negative impact to operations, the consequences could be disastrous.

A BIA identifies critical business functions and processes, potential threats to those functions and potential costs associated with the threats. Then the BC team uses this information to prioritize the order in which systems and data must be restored. In this process, you’ll need to do the following assessments:

• Business assessment: Identify functions and processes required to operate at both normal and “acceptable” levels. Rank the functions by their impact to servicing the customer, internal operations and revenue impact.

• Risk assessment: Next, identify and document threat scenarios that can cause business disruption. Categorize each of these by type and likelihood.

• Cost assessment: For each function, quantify the cost and/or loss of revenue an interruption would bring, if possible. This will be easy for some functions, difficult for others. Knowing these costs is especially important when it’s time to seek budget for resources, tools and vendor services to put your BCP into effect.

• Priority assessment: By now, you have the information to rank the business functions and supporting systems by operational criticality, the probability of various threats, and the potential costs should they be interrupted. Those with highest likelihood and cost should have the highest priority in BCP.

[Figure: risk/impact probability chart. Axes: probability of occurrence, impact.]

When completing these assessments and compiling your findings, it might be helpful to create a risk/impact probability chart to help you determine which risks to prioritize and deal with immediately.

Items in the “critical risk” corner are the most probable and highest impact, and should therefore be addressed first. The items in the “low-level risk” corner are less of a concern.


Step #3: Implement Control Measures

Within the business continuity plan, one of the most important areas is identifying control measures and eliminating threats.

What are control measures? Control measures are steps you can take to avoid or reduce the impact of threats to company infrastructure and information.

There are three different kinds of control measures you can implement:

1. Detective measures. Detective measures are controls that will detect and discover events.

2. Preventative measures. A preventative measure will help prevent an incident from occurring.

3. Corrective measures. A corrective measure will rectify or restore a network or system after an incident has occurred.

The first two kinds are most often preventative in nature, while the third – corrective measures – defines how you deal with a disruption after it happens.

Prevention: Mitigating the Risk

Mitigating risk means identifying control measures to avoid or eliminate threats before they cause disruption. Internal threats can often be contained using control measures. For example, employees often use company computers to surf to any Internet site they choose. Unrestricted surfing opens up the company servers to potential viruses, Trojan horses and other dangerous malware.


Taking action: Creating contingency plans

Whether it’s Mother Nature or the local power company, outside entities don’t ask permission before they interrupt your business. Control measures for dealing with large-scale disruptions are called contingency plans. Preventative contingency plans include methods to back up, synchronize or mirror one or more systems, applications or servers to alternate storage. Reactive contingency plans are activated after a disruption occurs.

Control measures go way beyond just backing up your company’s data. They create safe restoration points for all components of your infrastructure, so you can ensure availability no matter what.


Step #4: Create and Document Recovery Plans

You’ve documented your critical business functions and processes, identified the risks and costs of each threat, and put control measures in place. Now, what do you do when worse comes to worst, and an actual disruption occurs?

IT may have all the systems backed up, mirrored and on standby, but IT’s contingency plans do not stand on their own. Each department in your company needs a detailed recovery strategy. There have to be well-documented plans to utilize these contingencies in the right order, for short and medium term outages, as well as for catastrophic failures or disasters. Using the BIA and the control measures from previous steps, you can now construct the recovery plans for each system and function.

1. Order the recovery by priority of business functions.

2. Within each function, document the critical departments and job functions within each department that are crucial to the company’s ability to serve its customers.

3. For each department, document a list of well-defined recovery tasks in the order they need to be restored.

4. List all IT systems contingency plans associated with that function, as well as any external dependencies.


By now you can see how critical the Business Impact Analysis and Control Measures steps are. The information gathered in those steps allows you to document the recovery of each function, by each department and each system – in the order of priority required for the business to survive the event. And each can be recovered individually, or as part of a larger need.

Many companies choose to outsource their data recovery to a managed services provider (MSP) that specializes in data protection and recovery. An MSP can be an expert, cost-effective way to handle your data backup and recovery. They can also be a valuable resource in creating the IT portion of your BCP.

“Focus on business, not IT headaches. We can help!”


Step #5: Implement Plan Testing, Training, Metrics and Maintenance

If you spend the time, money and energy to visit the doctor when you’re sick, would you disregard his advice and let your prescriptions sit on your shelf, unused? Some people would, probably the same ones who would gamble with their company’s information assets. Just like your health, it’s important to treat a continuity strategy as a vital, flexible and ongoing plan.

Each individual recovery plan should be tested regularly. With today’s elastic and highly available cloud infrastructures, virtual servers are cost-effective stand-ins for production systems – or for entire infrastructures. These can be used to stage and test the data and systems backups.

If full recovery tests are not possible, at minimum the integrity of the backup media should be tested. In either situation, the goal is the same: to ensure the virtual servers and data are safe and available when you need to activate them.

The success of your business continuity plan doesn’t just depend on IT, nor on management and the BCP teams. It’s important for each employee to understand their own responsibilities in the recovery strategy. Involving and training all your employees in the recovery plans will ensure they know what to do when a business disruption occurs.

Finally, continuity requires attention to change. Technology changes. Business needs change. Processes and their owners change. Set a regular and mandatory schedule for the BC / DR management team to review the priorities of each department. This should not be an optional meeting – it’s important to your business survival.


Wrap Up

You can’t keep a disaster from coming around, but you can ensure that your business keeps running and your data is protected when it does. By following these five steps to an effective business continuity plan, you’ll be ready when the time comes.

Here at Paranet, we firmly believe that IT should be focused on your business – not the other way around. Disasters can strike at any time, but that doesn’t mean your team should divert time, money, and effort away from critical business processes to worry about a possible outage. An effective BCP can help your team align your technology with your business goals and ensure readiness when a disruptive event happens. This way, your company can return to “business as usual” – without missing a beat.

Have comments, questions, or feedback? Just let us know!

GET STARTED ON YOUR


Phone: 888.692.4942

Fax: 214.623.5300

Support: 214.623.5200
