6 CityPlace Drive, Suite 900 | St. Louis, Missouri 63141 | 314.983.1200 1520 S. Fifth Street, Suite 309 | St. Charles, Missouri 63303 | 636.255.3000
2220 S. State Route 157, Ste. 300 | Glen Carbon, IL 62034 | 618.654.3100 888.279.2792 | www.bswllc.com
Business Continuity Planning
2014 NABRICO Conference
Presenter
Tony Munns
Partner – IT Risk Advisory Services CISA, FBCS, CITP, CIRM
Tel: 314.983.1297 Cell: 314.614.6582
Leads the Risk IT Audit Services for the firm’s clients for the past 11 years.
Prior experience includes 3 years with Andersen LLP as Technology Risk Consulting Practice Leader
Previous employment experience over 18 years at 3 Fortune 500 companies: Lucent Technologies, Kraft Foods and the Prudential Assurance Company
Changing strategies
Then and Now
Business Impact Analysis Disaster Recovery Planning Business Continuity Planning
Questions
© 2013 Brown Smith Wallace All Rights Reserved
• BIA – Business Impact Analysis
• TRA – Threat and Risk Analysis
• RTO – Recovery Time Objective
• RPO – Recovery Point Objective
• DRP – Disaster Recovery Plan
• BCP – Business Continuity Plan
© 2013 Brown Smith Wallace All Rights Reserved
Changing Strategies
• External Factors
• 9/11 Gave Us a Boost to Planning Activities
• Hurricane Sandy
• Tornados
• However:
• It couldn’t happen again syndrome sets in
• Realities of economy stalling efforts
• Confusion over emerging regulations occurring
• Companies Outsourcing More Disaster Recovery Efforts
• Use of commercial hot-site contracts, moving to multiple datacenters,
colocation.
• Complexity of task overwhelming for many companies
• Higher Emphasis Placed on Cyber Security – perceived as the bigger risk
THEN NOW
Few key applications Many applications
Standalone systems Highly integrated systems
Single platform Multiple platforms
Local connection LAN, WAN, remote connection
Tape backups Data replication
Office based Remote workers
Slow communications Instant connection
Bricks & mortar e-commerce
In-house systems Remote & outsourced systems
Big company need Every company’s need
• Executive Sponsorship
• Business Impact Analysis
• Disaster Recovery Planning
• Business Continuity Planning
Conduct a Business Impact Analysis and Risk Assessment
identifies mission critical business functions and processes
assess the probability and impact to the business if critical business processes are disrupted
identifies recovery requirements
Disaster Recovery Plans
usually developed using business process data flow diagrams
identifies the priorities that infrastructure, systems and applications need to be recovered based upon a hierarchy of dependencies or business needs
Crisis Management and Communication Plan
provides guidance to management and outlines the necessary steps to execute during a significant business disruption (e.g. definition of a disaster, engaging crisis management team, communication plan, public relationships, etc.)
Business Continuity Plans
identifies alternate procedures to execute when primary business or work location and resources are unavailable
Pandemic Plan Consideration
It is necessary to prepare a plan to protect a business’s #1 resource (employees) in the event of a wide spread influenza outbreak or chemical contamination
Annual testing
– Encourages continuous process improvement and plan maintenance – Continuous Update!
• DRII - DRI International
• ISO – International Organization for Standardization
– ISO 27031:2011 – “Guidelines for information and
communications technology readiness for business continuity”
• ITIL – Information Technology Infrastructure Library
• NIST – National Institute of Standards and Technology
– Special Publication 800-34 “Contingency Planning Guide for IT Systems”
– 800-84 “Test, Training & Exercise Programs”
• FEMA – Template for SMBs
• FINRA
Step 1 – Risk Assessment
Perform a Business Impact Analysis (BIA) Risk Assessment to identify: threats and risks, control options and their cost.
Approach:
– Identify and prioritize risk associated with each business unit/area within the company – Develop a high level matrix providing management a summary view of the BIAs across the
enterprise
– Identify gaps and provide recommendations to mitigate the identified risks
Deliverable:
An executive summary accompanied by a high level matrix identifying business processes and the threats and risks that could cause a significant business disruption.
In addition, the matrix should include a TRA (Threat and Risk Analysis) that includes risk control options, cost of risk control options, effectiveness of risk control options, and comparison of risk control options cost and effectiveness.
Step 2 – Identify Recovery Requirements
For mission critical business functions and processes, interview business owners and document desired recovery time and point objectives.
Approach:
– Identify and prioritize critical business functions and processes associated with each business unit/area within the company – including all back office systems
– For various RTOs and RPOs develop a cost analysis of the architecture required for the desired recovery
– Identify any potential architectural or process improvements that would facilitate a more cost effective approach to recovery
Deliverable:
An executive summary accompanied by a high level matrix identifying business processes desired recovery requirements, and the costs associated with each approach.
In addition, recommendations should be presented for architecture and process improvements that will mitigate the cost associated with the desired recovery objectives.
© 2014 Brown Smith Wallace All Rights Reserved
Step 3:
Based upon the results of the BIA, identify action steps necessary to develop the Disaster Recovery Plan and Business Continuity Plan.
This may include Crisis Management, Continuity, and Disaster Recovery Plan development.
Deliverable:
Provide management a gap analysis and action plan identifying the necessary steps for completing the Disaster Recovery Planning and Business Continuity process.
Contents of a Good Plan
Definition
• The IT Disaster Recovery Plan is a written strategy
created to facilitate an organization’s quick and successful
response to severe disasters.
• Through the division and allocation of pre-defined
responsibilities and duties, response times are minimized.
• With the creation of an IT DR plan, effort is made to
provide a dependable and efficient restoration of services
in the event of a disaster.
Contents of a Good Plan
Objectives – know what they are, and limitations
– Document specific definitions and guidelines for declaring disaster scenarios and corresponding emergency responses.
– Provide for the continuation of critical IT and related business functions and recovery in the event of a disaster.
– Maximize the expediency and effectiveness of recovery operations through an established set of strategic plans.
– Identify the necessary policies, procedures, and resources required to maintain critical Information Technology support services during prolonged interruptions to routine operations.
– Assign responsibilities and duties to designated personnel for the implementation of disaster recovery procedures.
– Ensure coordination between appropriate staff concerning disaster contingency planning strategies.
– Ensure appropriate plans have been created to coordinate external vendors, clients, and contacts in the event of a disaster.
Contents of a Good Plan
Assumptions – document & Validate them
– Key personnel have been identified and trained in their emergency response and recovery roles. It is also assumed that each person is available to activate and carry out their assigned responsibilities and duties.
– Current backup media, containing relevant data for applicable critical IT services and components, are available thru designated data library relocation providers. – All required IT related hardware is either available, or can be obtained in a
timely fashion.
– All required software is available and current along with appropriate licensing. – All required hardware and software vendor support contracts are maintained and
are current.
– Contracted temporary disaster recovery sites will be available at the time of need.
– Designated management staff will communicate appropriate status information to those applicable personnel, vendors, and agents affected by a declared
disaster.
– All required disaster recovery related documentation is available and current. – Most importantly, it is assumed that this Disaster Recovery Plan is reviewed,
Contents of a Good Plan
• Overview • Introduction • Scope • Objective • Assumptions • Disaster definitions• Disaster likelihood ratings
• Threat levels
• Declaration of disaster
• Preparing for disaster
• Disaster response budget
Contents of a Good Plan
• Disaster recovery escalation process defined
• Quick reference guide
• DR temporary recovery site
• Updated IT related documentation
• Dependencies
• Contact listings
• Vendor failures
• Avoiding & minimizing disasters
• IT recovery details
• Plan monitoring, review, and testing
Make sure you include:
– Wide Area Network Documentation – Local Area Network Documentation – Server Documentation
– Password Documentation
– Network/Software Application Documentation – Vendor Contract Documentation
– Critical System Log Documentation
– Telecommunications and Voice Infrastructure Documentation
Business Continuity Planning
Business Continuity Planning is the next step after Disaster
Recovery Planning.
DRP provides the technology infrastructure for the company
to continue to function
BCP provides procedures for operation of the organization and
business units during a disaster
Business Continuity Planning is a planning process that identifies an organization’s exposure to internal and external threats and identifies key processes that need to be protected to sustain
business operations and maintain a competitive advantage in the event of a significant business disruption.
Key Objectives:
– Minimize the possibility of interruptions to business operations
– Maintain a competitive advantage
– Prevent the company from becoming a business closure statistic due lack of planning
Business Continuity Planning
• Address all business functional areas (HR, Sales, Accounting,
etc.)
• Address non-IT related items
– Office supplies – Desks/workspaces
– Business forms (check stock, purchase orders, sales orders, etc.) – Reference material
– Supply chain management
• Communications
– Employees and stakeholders – Media
– Legal and regulatory – Customers
Program Administration
– Define the scope, objectives, and assumptions of the
business continuity plan.
Business Continuity Organization
– Define the roles and responsibilities for team members.
– Identify the lines of authority, succession of
management, and delegation of authority.
– Address interaction with external organizations including
contractors and vendors.
Plan Contents
Organization Chart Include a schedule of team member contact information, role, alternativesBusiness Impact Analysis
– Insert results of Business Impact Analysis
– Identify Recovery Time Objectives for business processes and information technology
– Identify Recovery Point Objective for data restoration
Business Continuity Strategies & Requirements
– Insert detailed procedures, resource requirements, and logistics for execution of all recovery strategies
– Insert detailed procedures, resource requirements, and logistics for relocation to alternate worksites
– Insert detailed procedures, resource requirements, and data restoration plan for the recovery of information technology
(networks and required connectivity, servers, desktop/laptops, wireless devices, applications, and data)
Manual Workarounds
– Document all forms and resource requirements for all manual workarounds
Incident Management
– Define procedures:
• Incident detection and reporting • Alerting and notifications
• Business continuity plan activation
• Emergency operations center activation
• Damage assessment (coordination with emergency response plan) and situation analysis
• Development and approval of an incident action plan
Training, Testing & Exercising
– Training curriculum for business continuity team
members
– Testing schedule, procedures, and forms for business
recovery strategies and information technology
recovery strategies
– Orientation, tabletop, and full-scale exercises
Program Maintenance and Improvement
– Schedule, triggers, and assignments for the periodic
review of the business continuity plan
– Details of corrective action program to address
deficiencies
Also include references to related Policies & Procedures
– Emergency Response Plan
– Information Technology Disaster Recovery Plan (if not
included in the business continuity plan)
– Vendors, Suppliers and Partners Contact Information
– Crisis Communications Plan
– Employee Assistance Plan
• Lost data
• Longer data recovery time
• No contingency procedures during recovery
process
• Damage to company reputation
• Employee downtime
• Dependence on a few key people who have
required system/organizational knowledge
Bob Clark – CEO Clayco
“I don’t want to become a Katrina statistic; like some of my competitors in Louisiana”
CBS MoneyWatch
“Big, disruptive events like the BP oil spill, Hurricane Katrina, and the California wildfires make the news, but it's more often the smaller, unexpected disasters that wreak havoc on a company's ability to function.”
Unknown
“An organization that fails to provide a minimum level of service to its clients following a disastrous event may not have a business to recover. Protect all to protect one – in order to protect any single business function, the enterprise must be protected. “
© 2013 All Rights Reserved
Brown Smith Wallace LLC 31
Presenter
Tony Munns
Partner – IT Risk Advisory Services CISA, FBCS, CITP, CIRM
Tel: 314.983.1297 Cell: 314.614.6582
Leads the Risk IT Audit Services for the firm’s clients for the past 11 years.
Prior experience includes 3 years with Andersen LLP as Technology Risk Consulting Practice Leader
Previous employment experience over 18 years at 3 Fortune 500 companies: Lucent Technologies, Kraft Foods and the Prudential Assurance Company
