THE ESSENTIAL GUIDE TO


© Business Data Record Services Technology Solutions Group

201 9th Avenue SW, New Brighton, MN 55112 T: (651) 631-8663 E: [email protected]

A Small Business eBook

BACKUP & RECOVERY


FOR SMALL & MIDSIZE BUSINESSES


a publication of


DATTO SIRIS BACKUP SYSTEMS… deliver true Business Continuity in one, powerful, integrated system.

Protect Your Business: Instantly restore entire systems, email boxes, single files, and databases in minutes!

Verified Backups: Each backup is verified with a screenshot showing that each backup can be instantly virtualized.

Hybrid Cloud: Leverage the advantages of local backup and the security of a purpose-built backup and recovery cloud.

Image-Based Backups: Take a complete picture of the workstation or server. Provides quick full system restores, granular recoveries, Bare Metal Restore (BMR), and the ability to boot individual backups as virtual machines.

End-to-End Encryption: All data is encrypted by AES-256 both in transit and in the cloud, with the option to encrypt data locally.

SIMPLIFIED BACKUPS

EACH BACKUP VERIFIED

RECOVER SYSTEMS IN MINUTES

EXTENSIVE OS SUPPORT

UNIVERSAL DATA-BASE SUPPORT

ONSITE & OFFSITE BACKUPS

VIRTUAL SYSTEM


Business Data Record Services (BDRS), founded in 1979, is the largest privately owned and managed full service records management, storage, and secure shredding company in the Upper Midwest. Its solutions for Records Management, Cloud Backup and Recovery Services, Document Shredding and Media Destruction, and Secure Vaulting help organizations of every size to lower storage costs, comply with regulations, recover from disaster, and better protect their most valuable assets, data and information.

Our highly trained and knowledgeable staff will work together with you and your team to design, develop and maintain a customized approach to manage and protect your information needs.

Let's discuss how we can protect your data: call (651) 631-8663 or email [email protected].

The Right People...The Right Choice...The Right Solutions!


TABLE OF CONTENTS

Why Backup Your Data?

What Data to Backup?

How Often Should You Backup?

How to Check Your Backups?

What Are Your Choices For Backup Systems?

  Local Backup & Recovery Systems

  Cloud Backup & Recovery Systems

  Local Virtualization Backup & Recovery Systems

  Cloud Virtualization Backup & Recovery Systems

  Hybrid Cloud Virtualization Backup & Recovery Systems

Industry Features for Backup & Recovery Systems

How to Select the Right Backup System

Selecting a Backup Service Provider

Test Your Backups Regularly

Disaster Recovery Plan Overview

Appendix A: Backup Assessment

  Ask the Following Questions

  Technician Checklist - Overview

  Background Research - for the Final Report Overview

Appendix B: Business Impact Analysis (BIA) Overview

  Business Impact Analysis Defined

  Conducting a BIA for Small to Midsize Business

  10 Steps to Carry Out a BIA

WHY BACKUP YOUR DATA?

No matter the size of your business, if you store your business or customer data on a computer or server you need a safe, secure way to back up and store that data. Many experts argue that selecting a data backup system or service should be one of the first things you do as a business owner, right up there with finding an attorney, a bank, and an accountant.

As soon as your business starts storing client information, you have a responsibility to protect that information. The chance that your computers or servers are going to fail at some point is 100% guaranteed. It is just a matter of when. And when that happens, the question is: are you going to be prepared?

The most common business disaster is data loss, which can result from a number of causes including hardware failure, human error, software corruption, and theft. Fortunately, data loss is easy to recover from if you have a backup and recovery solution in place. Every business should have a comprehensive disaster recovery plan. Unfortunately, because the idea of developing one can seem overwhelming, many businesses choose to go without one. Forty-three percent (43%) of all businesses affected by a disaster or failure without a recovery plan will never re-open for business, and 80% of those that do re-open will fail within 13 months.


Appendices A and B provide material to help guide you in creating a “Backup Disaster Recovery (BDR)” plan for your business. They include guidance in performing a “Backup Assessment,” as well as a “Business Impact Analysis (BIA).” The findings within the Backup Assessment and BIA will provide the foundation of your “Backup Disaster Recovery” plan.

WHAT DATA TO BACKUP?

At a minimum, you need to back up all information that you are legally required to keep. Next, you need to determine what information and systems are critical to running your business. Not sure what that is? We recommend businesses go through an exercise where you ask, “If I walked into my office tomorrow and nothing was there, what are the most critical applications and data I need?” And from there, determine what information you haven’t touched in years. Please see Appendix A.

Do you need to backup operating systems and software? We advise clients to determine which systems are critical, and the required speed of recovery for each system (how long can you be without each server). It’s also highly recommended to back up any proprietary applications or systems that have been developed for your business.


Don’t Forget Your Cloud (SaaS) Data

Bullet-proof your cloud data - business is happening in the cloud. As your business depends more and more on cloud-based applications such as Google Apps, Office 365, Salesforce, and Social Media, your employees, vendors and customers are constantly generating streams of data that are just as vital as on-premise information. While the applications may offer some security features, they aren’t designed to protect business critical data from the most likely form of loss: humans. Accidental deletions, ex-employees, even malicious activity - Backupify backs up, protects and allows you to instantly restore accounts and data so business can return to normal.

Google Apps - Protect emails, documents, calendars, sites, and contacts

Office 365 - Protect emails and calendars in Microsoft Office 365

Salesforce - Protect objects, customer objects, attachments, files, metadata, and Chatter messages

HOW OFTEN SHOULD YOU BACKUP?

At a minimum, you should back up your important data on a daily basis. However, most clients implement a multi-day backup routine, so they can restore their data and databases from any point in time. Data you haven’t used in a long time can be backed up less frequently.

Important Backup Metrics

Metrics: When assessing whether a particular solution is capable of meeting your data recovery requirements, two key items need to be assessed. The first is Recovery Point Objective (RPO). RPO represents how frequently backups can be taken, or how much data one is willing to lose if a production system were to fail.

For example, if a business is utilizing a backup solution with an RPO of one (1) hour, then a backup can be taken once an hour. If a business were to utilize that solution to back up an important system, then it is stating that it is comfortable with sacrificing up to an hour's worth of data change on that system in the event of an outage. Both business continuity and traditional backup solutions can provide good RPOs, with some solutions achieving RPOs down to 5 minutes.

Where business continuity truly differentiates itself is with the Recovery Time Objective (RTO). RTO represents how long it will take to get data back after a disaster. This is an essential figure to know because even though data is backed up and secured from loss, a business cannot function properly until the data is restored to the production environment.

True business continuity solutions should be able to provide RTOs of under 60 seconds. This is far superior to the days or weeks it can take to download large backup records from online services, or the hours that it takes to recover server images for virtualization on a traditional BDR (Backup & Disaster Recovery) unit.


HOW TO CHECK YOUR BACKUPS?

Most backup software and service providers generate backup logs and reports. You or someone in your company should check the logs each morning to quickly make sure data was properly backed up the night before.

The most recent development is virtualization backup & recovery systems (described further in this eBook), which email a screenshot from each completed backup process. The screenshot tests the backup's integrity and proactively identifies any issues.

The screenshot shows whether or not the backup can be instantly booted into a virtual machine. Seeing is believing!

Bootable Screenshot

Screenshot Backup Verification

No more guessing if your backup is working properly. Datto’s SIRIS 2 boots backups as virtual machines, capturing an image of the login page to give you visual proof that your data has been successfully backed up. An industry first!


WHAT ARE YOUR CHOICES FOR BACKUP SYSTEMS?

Local Backup & Recovery Systems

Local backup systems are varied, and can include DVDs, tape backup systems, thumb drives, and disk based backup systems. The disk based systems can be a dedicated server with a drive array, a Network Attached Storage (NAS) drive, or a Storage Area Network (SAN).

For most businesses we recommend a backup system that is automated, requiring no human intervention. For business owners, IT managers, office managers etc., time can be the most precious commodity in your daily routine. Finding time to do everything can seem impossible especially on days where business is flowing.

We strongly recommend disk based backup systems over tape, DVDs or thumb drives. It’s much more reliable...and that is the purpose of backing up data.

Cloud Backup & Recovery Systems

(also referred to as Offsite or Online Backup)

Cloud backup & recovery systems automatically back up your selected data and systems to an offsite location. Most backup transmissions are secure and encrypted, but it is always advisable to ask the vendor to provide this information. Most backup vendors will house your data in a couple of backup locations, providing an extra layer of redundancy and protection. Enquire about this with the backup vendor, and ask how your data is protected at their facilities.

It is also advisable to have a discussion, or at least be aware, that you may need to “seed” your first backup set. For large backup sets, most vendors will send you an external hard drive (free of charge), to which your initial “full” backup set is copied before being couriered to the backup vendor (ensure the data is encrypted when it is transferred to the seed drive). Sending very large volumes of backed up data over the internet will simply take too long. Transferring an initial 2TB backup set across the internet at 1MBps would take upwards of 22 days...far too long!

Local Virtualization Backup & Recovery Systems

Virtualization backup & recovery systems are relatively new and incorporate some of the latest virtualization technologies. They dramatically speed up and simplify the backup & recovery process, and generally are more expensive as a result.

These backup systems take data directly from the server and convert it into virtual machine files that can be booted instantly from a web interface, or by using a common hypervisor (VMware, Hyper-V, XenServer).

“This innovative way of storing data allows for instant recovery and can prevent businesses from having to experience downtime in the event of a failure or disaster, offering the peace of mind that backups will be available at a moment’s notice.”

Instant Local Virtualization

Should a business experience a server failure, the system can be virtualized instantly on the Datto SIRIS 2 appliance. The advanced web interface allows for configuration of CPU and memory resources. Networking resources can also be configured dynamically, allowing for changes to be made without restarting the virtual machine. With the system now virtualized, the business can operate “business as usual” until it has the time to fix its server issue, without compromising any data or incurring any downtime.


Cloud Virtualization Backup & Recovery Systems

Cloud based virtualization backup & recovery systems offer true redundancy in the event of a disaster. Backups are sent to the cloud and ready to be virtualized at a moment’s notice.

Each backup is a fully bootable virtual machine, so there is no need for a conversion to occur before performing a restore. With no complicated rollup or restore process, data is always available immediately. Even when virtualized, data can continue to back up to the cloud.

Instant Offsite Virtualization

In the event of a local disaster like a fire or flood, the entire network can be recreated in the secure, private and purpose-built Datto cloud in a matter of minutes. Secure connections are provided to employees and a business can resume

Hybrid Cloud Virtualization Backup & Recovery Systems

Many Small and Midsized Businesses (SMB) today are implementing cost-effective Hybrid Cloud Virtualization Backup & Recovery Systems to improve redundancy and provide greater protection of their systems and data. Hybrid Cloud continuity is simple in concept yet robust in feature set; it leverages the advantages of local disk backup and the security of a purpose-built backup and recovery cloud.

Datto’s Purpose-Built Hybrid Cloud Backup & Recovery System

It starts with workstations and servers protecting data locally across the Local Area Network (LAN) to the purpose-built Datto appliance. From there it is automatically synced to the secure private Datto cloud. This technology improves fault tolerance while reducing the reliance on bandwidth speed. The local Datto appliance can act as a restore hub for everything from files to applications and system failover. It can also act as a sandbox for testing upgrades/updates, and a staging environment for offsite transfer. Scheduling offsite data transfers can be critical for bandwidth management and carries no risk of having unsaved backups. In addition, should the local device be compromised, data that was transferred to the Datto cloud can act as a replica site for the business. A local-only backup option cannot ensure data integrity should a site-wide disaster occur.

INDUSTRY FEATURES FOR BACKUP & RECOVERY SYSTEMS

Below is a chart that breaks the Backup and Recovery industry down into three (3) major categories: Backup, Disaster Recovery, and Business Continuity. The features detailed in this chart represent the state of the market at the beginning of 2015. Today it is safe to say that pretty much every business is employing some form of backup, but to what extent they are actually protected varies greatly.

Typically Includes | May Include | Typically Doesn’t Include

Backup

• File/Folder (Windows, Mac)
• Cloud backup
• USB backups
• NAS appliance
• Tape storage
• Agent-based
• Linux file backup
• Image-based backup
• Hybrid cloud
• Virtual failover
• Encryption
• Backup verification
• Granular recovery
• SaaS backup

Disaster Recovery (DR)

• Image-based backup
• Bare Metal Restore (BMR)
• Customer-provided storage
• Cloud backup
• Reverse (data) seeding
• Agent-based backup
• Backup verification
• Linux image backup
• Encryption
• Physical / Virtual backup
• Onsite virtual failover
• Offsite virtual failover
• iSCSI support
• Hybrid cloud
• Granular recovery
• Hyper-V / ESXi integration
• Mac image backup

Business Continuity (BC, less commonly abbreviated)

• Hybrid cloud
• Onsite virtual failover
• Offsite virtual failover
• Image-based backup
• Bare Metal Restore (BMR)
• Agent-based backup
• Physical / virtual backup
• iSCSI support
• Hyper-V / ESXi integration
• BC appliance (integrated NAS storage & robust failover hardware)
• SaaS backup
• Encryption
• Redundant offsite data center
• Granular recovery
• Backup verification
• Agent-less backup
• Mac image backup
• High Availability (HA)
• Server cluster support

HOW TO SELECT THE RIGHT BACKUP SYSTEM?

When contemplating which backup method to use, it’s easy to feel overwhelmed. Should you backup locally or use a cloud based backup solution, or both? Should you use a system that virtualizes your backups so you can instantly restore your systems and data in case of failure or disaster?

We believe every business should employ a fully automated backup system requiring no human intervention. We have seen too many instances where human intervention has failed.

We highly recommend that most businesses back up their data locally first, and then offsite. Backing up data locally allows for quicker restoration and retrieving of files. Restoring a large amount of data from the cloud can take upwards of a week. During this time your business is down, and your clients are looking elsewhere. Backing up offsite allows for recovery in case of disaster or failure. It will happen; it’s just a matter of when.

If your business cannot be without your servers and data for longer than one day, we recommend selecting a backup system that virtualizes your backups. These systems can have your servers and computers back up in minutes, reduced from days or weeks. For businesses heavily reliant on quick recovery of their servers and data, these recovery systems are a saving grace and the costs are quickly recovered.

SELECTING A BACKUP SOLUTION PROVIDER

If you outsource your backup needs, make sure that you choose a provider that offers: security, end-to-end data encryption, monitoring, technical support, database and Exchange capabilities, various OS capabilities, deduplication, and Bare Metal Restore (BMR) capabilities.

TEST YOUR BACKUPS REGULARLY

Even if you review the logs and the emailed screenshots on a regular basis, you still need to test your backups on a regular basis. We suggest testing your backups quarterly or bi-annually.

Backup is nothing without recovery. Do a run-through of the recovery process to be sure that you are familiar with the process and confident it works smoothly. If you have selected a provider, they should be happy to walk you through a regularly scheduled test recovery procedure.

“We highly recommend that most businesses backup their data locally first, and then offsite for redundancy to protect their most valuable asset.”

“Backup is nothing without recovery. We suggest testing your backups quarterly.”

DISASTER RECOVERY PLAN OVERVIEW

Every business should have a comprehensive disaster recovery plan. Unfortunately, because the idea of developing one can seem time consuming and overwhelming, many businesses choose to go without one. In this guide we’ll provide an overview so you can begin to prepare:

• Get your employees involved in the plan-development phase. Brainstorm scenarios with them.

• Be sure that you upload critical documents to an offsite location.

• Decide on an intercompany communications method to be used if you cannot enter your office.

• Make arrangements for incoming communications (how clients will reach you).

• Create contact lists so that you aren’t stuck without critical information when you lack access to your servers.

• Decide who will be responsible for your critical functions.

• Designate a location where everyone in your office will meet if you need to evacuate.

• Designate an alternative working location (or locations), whether it be another office, or home.

• Make sure your plan addresses all of the likely emergencies that might occur to your business.

• Do a test run of your plan regularly.

• When your plan is complete, distribute it to every employee, have a hardcopy readily available, and upload a copy offsite.

At some point your business is going to face an emergency situation - it’s just a matter of when, what type, and what magnitude. The best preparation for any situation you may face is to have a well thought-out plan in place and to educate your team on its elements.

“An ounce of PREVENTION is worth a pound of CURE.”

SCHEDULE A PERSONAL DEMO

INSTANT VIRTUALIZATION

When disaster strikes every second counts. Taking days or weeks to recover information and computer systems translates into money lost. Discover how you can recreate servers and computers with the click of a mouse.


Appendix A: BACKUP ASSESSMENT

Below are a few questions and technical guidelines you may want to consider when performing a Backup Self-Assessment for your business.

Interview the company stakeholders. Ask the following questions:

1. What are you doing for backup now?

2. What software are you using?

3. What hardware are you using?

4. How do you get the backup offsite?

5. What is your top Line of Business Application(s)? *Usually accounting plus any vertical market applications that are critical to day-to-day operations.

6. Who is responsible for backups (changing tapes or disks, monitoring logs etc.)?

7. Who is responsible for providing technical support if something goes wrong?

8. Are there any known problems with the backup?

9. Are you backing up any workstations or just servers?

10. Are users storing data on their local workstations (60% of users do)? Are there any group policies or automated methods in place to prevent users from storing locally?

11. Is there a secondary backup? Secondary backup would typically use different software and hardware than the primary backup. Examples might be an online service or simply copying data down to a large workstation hard drive.

12. Do you ever do test restores? When was the last one?

13. When have you last successfully restored a single file or folder? How long did that take?

14. Do you back up non-Windows machines (Linux, UNIX, Mac etc.)?

15. What is your Recovery Time Objective (RTO)? In other words, can you stand to be down for 15 minutes, 1 hour, 1 day, or 1 week if there is a server failure? This is the maximum acceptable amount of time for restoring a network or application and regaining access to data.

16. What is your Recovery Point Objective (RPO)? In other words, how frequently do you need backups taken of specific systems, or how much data are you willing to lose if a production system were to fail: 15 minutes, 1 hour, 1 day?

17. Is your server hardware under warranty or hardware service contract?

18. Does your server use redundant drives (RAID 1, 5, 6, 10, etc.)?

Technician checklist - Overview

1. Check and record the size of server(s) hard drives, along with space currently used. This information will be compared to the size of the backup to determine whether all data is included in the backup. If there is a size difference, determine why - it may be due to compression or omission of certain folders.

2. Identify backup software - what is installed and what version of software is in use?

3. Under what security context (Username and Password) is the backup running? *A common backup problem is when the administrator password is changed, causing backup software to fail.

4. Go into backup software - verify and record the schedule (time of backup jobs), name of job, and what files/folders are being backed up.

5. Is a full backup being done nightly or is an incremental system in place?

6. Is compression or encryption currently being used?

7. Is the software doing an image (complete system - files, data, application and operating system) or just files/folders?

8. Check the log files of the backup. Are there indications that the backup is running nightly (file dated last night, backup log indicating successful)?

9. From the logs or by looking at the destination drive, are any files or folders being skipped (usually because the files are left open)?

10. Look at the destination of the backup. What is the size and date of the latest backup file(s)?

11. Is data being automatically replicated offsite? To what site or company?

12. How full is the backup media or destination currently? Is there a danger of filling it up?

13. How long is the backup taking to complete?

14. Do there appear to be multiple versions of the backup? How many days/weeks/months are being retained? In other words, how far back and how many versions can be relied on?

15. Under Control Panel > Programs - try to identify any secondary backup software.

16. Check to see if Microsoft’s shadow copy (previous versions) is implemented so users can right click a file and restore a previous version.
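
Several of the checklist items above (1, 8, 10, 12 and 14), together with the RPO question from the stakeholder interview, can be checked mechanically against a backup destination folder. The following Python sketch is an added example, not part of the original eBook or of any vendor's tooling; the function names, the thresholds (`min_versions`, `max_used_pct`, `min_size_ratio`) and the sample files are assumptions constructed for illustration.

```python
import os
import shutil
import tempfile
import time
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

HOUR = 3600
Usage = namedtuple("Usage", "total used free")  # same fields as shutil.disk_usage()


@dataclass
class AuditResult:
    versions: int                      # backup files retained (checklist item 14)
    newest_age_hours: Optional[float]  # age of the latest backup (items 8 and 10)
    newest_size: int                   # size of the latest backup in bytes (item 10)
    dest_used_pct: float               # how full the destination is (item 12)
    findings: List[str] = field(default_factory=list)


def audit_destination(dest, source_used_bytes, rpo_hours, min_versions=7,
                      max_used_pct=85.0, min_size_ratio=0.25,
                      now=None, disk_usage=shutil.disk_usage):
    """Audit one backup destination folder and return an AuditResult.

    The default thresholds are illustrative assumptions, not values from the
    eBook. `now` and `disk_usage` are injectable so the check runs offline.
    """
    now = time.time() if now is None else now
    with os.scandir(dest) as entries:
        files = [(e.name, e.stat()) for e in entries if e.is_file()]
    usage = disk_usage(dest)
    used_pct = 100.0 * usage.used / usage.total
    result = AuditResult(len(files), None, 0, used_pct)

    if not files:
        result.findings.append("no backup files found at destination")
    else:
        name, st = max(files, key=lambda f: f[1].st_mtime)
        result.newest_age_hours = (now - st.st_mtime) / HOUR
        result.newest_size = st.st_size
        # Items 8/10: the newest backup must be no older than the RPO.
        if result.newest_age_hours > rpo_hours:
            result.findings.append(
                f"{name} is {result.newest_age_hours:.1f}h old, RPO is {rpo_hours}h")
        # Item 1: a backup far smaller than the source needs an explanation
        # (compression, or folders omitted from the job).
        if st.st_size < min_size_ratio * source_used_bytes:
            result.findings.append(
                f"{name} is {st.st_size} bytes for {source_used_bytes} bytes of "
                "source data: confirm compression rather than omitted folders")
        # Item 14: how many versions can actually be relied on.
        if len(files) < min_versions:
            result.findings.append(
                f"only {len(files)} versions retained, expected {min_versions}")
    # Item 12: danger of the destination filling up.
    if used_pct > max_used_pct:
        result.findings.append(f"destination is {used_pct:.0f}% full")
    return result


def make_sample_destination(now, ages_hours, size):
    """Create a constructed destination: one file per age, each `size` bytes."""
    dest = tempfile.mkdtemp(prefix="backup-audit-")
    for i, age in enumerate(ages_hours):
        path = os.path.join(dest, f"server01-{i:03d}.img")
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        mtime = now - age * HOUR
        os.utime(path, (mtime, mtime))
    return dest


if __name__ == "__main__":
    now = time.time()
    # Constructed sample: newest backup is 30 hours old against a 24 hour RPO.
    dest = make_sample_destination(now, ages_hours=[30, 54, 78], size=1000)
    report = audit_destination(dest, source_used_bytes=10_000, rpo_hours=24, now=now)
    for finding in report.findings:
        print("FINDING:", finding)
    shutil.rmtree(dest)
```

A file timestamp only shows that a job wrote something; it does not replace the test restores asked about in the stakeholder interview.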


Background Research - for the final Report Overview

Verify whether the current version of the software has any updates.

Use the Internet to verify whether the backup software handles, at a minimum, the following:

• Active Directory (System state in a domain environment)

• Open files (Microsoft VSS support)

• SQL

• Exchange (Block level or granular restore capability)?

• Virtual machines

• Bare Metal Restore (BMR)

• Dissimilar hardware restore (driver injection)

• Incremental backup with synthetic roll up to a single file

• Does the backup preserve the security (Windows permissions) of network files?

• Does the backup encrypt the data at rest (on the destination media) and/or in transit?

If evaluating “full service” backup vendors, do they provide E&O (Error & Omissions) insurance coverage for failure to restore? How much?

Appendix B: BUSINESS IMPACT ANALYSIS (BIA) OVERVIEW

Business Impact Analysis Defined

A Business Impact Analysis (BIA) is the cornerstone of a Disaster Recovery (DR) strategy and plan. A BIA will identify the processes, systems and functions that are critical to the survival of your company. Understanding these elements allows you to allocate resources wisely to ensure operations even with unexpected events disrupting normal business operations.

The main focus of a disaster recovery (DR) plan is the technology, while a business impact analysis (BIA) focuses on the business processes and the people who perform the processes. A BIA defines the priorities of each business function and how soon they are required, what dependencies they may have, as well as required staff levels. The BIA also defines what timeframes are required for personnel, data, etc.

Some departments may have different priorities within their own functions. The business impact analysis helps define the business process recovery, interaction between departments, dependencies of departments, and required staff levels to perform these functions. Often when compiling a business impact analysis, the first reaction is “everything is priority 1,” then, as the processes get defined, the BIA gets broken down into a manageable and more accurate list. Also keep in mind that it is important to periodically review your BIA to determine if it accurately reflects your current business focus.

Conducting a BIA for Small to Midsize Business (SMB)

Conducting a business impact analysis is often viewed as an exercise that is exclusive to enterprise-class organizations with seemingly limitless funds for consulting services. Large consulting firms often spend months mapping every business process and interviewing numerous business unit representatives to come up with sophisticated financial loss projection charts.

These projects are time-consuming and costly because of the complexity of large companies, which rely on dozens of core functions and sometimes hundreds of support functions.

The recommended process to be followed for SMBs has six (6) elements:

1. Identify core business functions

The first thing you need to do is identify the core business functions; these are the functions that have the most impact on the revenue stream. You can then create a list of support functions for those core functions. This is a business process mapping exercise that is essential to gaining an understanding of how the business actually works. At this point in the process, you must resist the temptation of downplaying the criticality of a function because you already have a workaround in mind should that particular function be interrupted. This is jumping ahead into “solution mode” (putting the cart before the horse), which comes later in the business continuity planning process as part of the recovery strategy.

2. Timing and Duration

Identify point(s) in time when interruption would have greater impact (e.g., season, end of month/quarter, etc.).

Identify duration of the interruption when operational or financial impacts will occur (minutes, hours, days, week, month, etc.).

3. Operational Impacts

Identify likely operational impacts resulting from interruption (lost sales, increased expenses, etc.).

4. Financial Impact

This is where most BIA efforts appear to stall for smaller organizations because it is sometimes difficult to clearly establish financial losses in the event of an unplanned interruption or disaster. For most companies, a single business function is rarely responsible for generating the entire revenue stream. This is where your accounting people can help by putting some revenue and cost perspective around business activity. Use this “Recovery Time Calculator” to help you understand the cost to your business being down.

5. IT Dependencies

This is where you map your IT infrastructure to the business functions it supports. Understanding the relationship between a business function, the software application necessary to keep that function running and the IT systems and components that support the application will allow you to set recovery objectives for IT. These objectives are known as Recovery Time Objective (RTO) and Recovery Point Objective (RPO), and are set based on the maximum tolerable losses resulting from an unplanned interruption or disaster. These objectives also dictate the type of IT technology that must be deployed to ensure the availability or recoverability of systems within the established timeframe.

6. Risk and Probability of Occurrence

Of course, when discussing the potential impact of an interruption on a business, the next logical question is: “What is the probability of an interruption actually striking?”

Once the probability is known, the next question is: “What is the risk to our business of the occurrence, regardless of probability?”

The objective is to identify those functions that, if interrupted, could devastate the business, regardless of how improbable the interruption is; some planning to avoid and/or recover from such an interruption or disaster makes sense. Conversely, identify those probable interruptions that are a ‘nuisance’, requiring minimal planning for avoidance and recovery.

10 Steps to Carry Out a BIA

To start, you need to understand the business operations of your company in detail. Here is a simple step-by-step approach that will put you on your way to conducting a successful business impact analysis:

1. Hold a kickoff meeting with the people responsible for the core business processes and introduce the program goals, timelines and deliverables.

2. Collect data. Create a business impact analysis questionnaire, which you will distribute at the meeting to all managers. Instruct each manager on how to complete the document. Make it clear that you will be following up with each manager on an individual basis to review the document. Appendix A includes a model BIA Worksheet.

3. Often it is useful to include an incident description for interviewees to use when answering the questions. An example of such a situation is:

• The business unit’s portion of the building is completely destroyed;
• All records, data files, technology, supplies, and other support systems are lost;
• Some key personnel may not be available;
• Primary business processes will be affected immediately and for at least 30 days;
• The disaster occurs during a peak processing period for the business unit.

Incident descriptions help frame the interviewee’s response so it will be in alignment with specific risks and threats.

Ultimately, the BIA’s purpose is to identify, prioritize and document the relative importance of various business processes conducted by business units.

4. Document the gross revenue and net profits your organization generates per year. This can be done at the appropriate business unit levels as well. The data sets the upper limit for business losses related to the business operation. Include this in your presentations to drive home the importance of the program.


5. Meet with each manager and review the data collected. If needed, block off a couple of hours to help complete and refine the document.

6. Merge all the data into a spreadsheet or database for easy data analysis and reporting capability.

7. Schedule and conduct a “BIA review and prioritization meeting” with all managers participating in the program. Look for gaps not mentioned by the departments, especially between departments. Prioritize each process based on its impact to the business, both direct and indirect, as the process may be a critical dependency for another process. High, medium and low can be used as measures.

8. During the prioritization discussion you will need to document a recovery time objective (RTO) for each process. The RTO is the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.

9. Create groups or bands of process RTOs. Start with the shortest allowable RTO and then define the upper limits, not to exceed 24 hours. These items constitute the Tier 0 RTOs. The next band of RTOs is the Tier 1 group, which generally extends from 24 to 48 hours. Recovery point objectives (RPOs) are different: they deal more with data recovery and are used more in a “data protection strategy” context. They are also usually measured in minutes to hours; a production database, for example, may have an RPO of 15 minutes between scheduled backups/replications.

10. Lastly, convene a summary meeting to present the results of the program to senior management, managers and others core to the processes. You will want to present the business processes in order of RTO and importance, along with other process details collected during the program. Issue a final report to meeting attendees to reinforce the learning and memory of the participants. Make the report available in hard copy to use in the event of an actual outage to help prioritize actions to resume operations.
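The prioritization in steps 7 to 10 can be run directly over the merged data from step 6, including the case step 7 warns about, where a process with a relaxed RTO is a dependency of one with a strict RTO. The following is an added example, not part of the original guide; the process names, RTO values, the `needs` dependency column and the "Tier 2" label are constructed assumptions.

```python
# Constructed sample rows standing in for the merged BIA spreadsheet (step 6).
# Process names, RTO hours and the "needs" dependency column are assumptions.
BIA_ROWS = [
    {"process": "Order entry", "rto_h": 4, "impact": "high", "needs": ["Customer database"]},
    {"process": "Customer database", "rto_h": 48, "impact": "medium", "needs": ["File server"]},
    {"process": "File server", "rto_h": 72, "impact": "low", "needs": []},
    {"process": "Payroll", "rto_h": 36, "impact": "high", "needs": ["File server"]},
    {"process": "Marketing site", "rto_h": 96, "impact": "low", "needs": []},
]
IMPACT_RANK = {"high": 0, "medium": 1, "low": 2}


def effective_rtos(rows):
    """Tighten each dependency's RTO to the shortest RTO of any process that needs it."""
    rto = {r["process"]: r["rto_h"] for r in rows}
    for r in rows:
        missing = [d for d in r["needs"] if d not in rto]
        if missing:
            raise ValueError(f"{r['process']} depends on unlisted process(es): {missing}")
    changed = True
    while changed:  # values only decrease, so this ends even if dependencies form a cycle
        changed = False
        for r in rows:
            for dep in r["needs"]:
                if rto[dep] > rto[r["process"]]:
                    rto[dep] = rto[r["process"]]
                    changed = True
    return rto


def tier(rto_h):
    """Band an RTO: Tier 0 up to 24 h, Tier 1 from 24 to 48 h (step 9)."""
    if rto_h <= 24:
        return "Tier 0"
    if rto_h <= 48:
        return "Tier 1"
    return "Tier 2"  # assumed label; the guide names only the first two bands


def rto_gaps(rows):
    """Processes whose stated RTO is looser than a dependent process requires."""
    eff = effective_rtos(rows)
    return {r["process"]: (r["rto_h"], eff[r["process"]])
            for r in rows if eff[r["process"]] < r["rto_h"]}


def report_order(rows):
    """Rows sorted by effective RTO, then impact, for the summary report (step 10)."""
    eff = effective_rtos(rows)
    ordered = sorted(rows, key=lambda r: (eff[r["process"]], IMPACT_RANK[r["impact"]]))
    return [(r["process"], eff[r["process"]], tier(eff[r["process"]])) for r in ordered]
```

In the sample data, `rto_gaps` flags the customer database and file server: their owners stated 48 and 72 hours, but order entry cannot meet its 4-hour RTO unless both are restored within 4 hours.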

The business impact analysis report ideally provides a foundation for the business continuity plan that should follow this exercise. It can also provide an important input to risk management programs that may follow, now that you have insights into where business risk lives.

Business Data Record Services, as your trusted Backup and Disaster Recovery partner, is available to help with your BIA.

RECOVERY TIME CALCULATOR

Use this “Recovery Time Calculator” to help you understand the cost to your business of being down.

BUSINESS IMPACT ANALYSIS WORKSHEET

Worksheet columns: Department | Function | Process | Operational and Financial Impacts (Timing / Duration; Operational Impacts; Financial Impact) | IT Dependencies | Risk / Probability Occurrence

Timing: Point in time when interruption would have greater impact [season, end of month, payroll, etc.]

Duration: How long before an impact
• < 1 hour
• > 1 hour, but < 8 hours
• > 8 hours, but < 24
• > 1 week
• > 1 month

Operational Impacts:
• Lost Sales/Income
• Negative Cash Flow
• Increased Expenses
• Regulatory Fines
• Contractual Penalties
• Customer Dissatisfaction / Defection

Financial Impact: Quantify operational impact in financial terms.

IT Dependencies: What system does function use? Where do systems reside [on-premise, cloud, etc.]? How is function accessed?

Probability: Low [unlikely to never happen; never has happened before], Medium [has happened/likely to again], High [often happens]

Risk: Acceptable [interruption to within bounds] Unacceptable [interruption to le

Considerations [customize for your business]
