Business Continuity Planning

2/12/20081Business Continuity Planning“The Power is in the Planning”Pat Rosa, ManagerTechnology Recovery ServicesWachovia Corporation2/12/20082Business Continuity Planning“The Power is in the Planning”Getting StartedUnderstand the business you represent. What do we do and where?Identify your business partnersMeet with your business partners to discuss the relationship to your businessThere are five interdependent steps for Business Continuity Planning(See Slides)2/12/20083Identify Your Business PartnersBusiness relationships –up and downstreamTechnologyInfrastructureOther SupportCorporate Real EstateBCPG Consultant2/12/20084Meet With Your Business Partner To Discuss The Relationship To Your BusinessHow do I depend on you?How do you depend on me?Quantify the relationship –volume of data exchange, critical timeframes, number of people required2/12/20085Five Interdependent Steps of Business Continuity Planning1.Complete the Business Impact Analysis (BIA) –identify risks, critical functions and processes. 2.Utilizing the information formulated in the BIA, develop a Business Continuity Plan (BCP) –How will I continue critical business (identified in the BIA) during an interruption in my business?3.Test the BCP for accuracy, adequacy, and effectiveness –The plan is documented but does it work?4.Based on the results of testing, improve the BCP –Testing revealed opportunities for improvement. Based on those findings, update the BIA and BCP to reflect those changes.5.Update the BIA and BCP and test the BCP per the established schedule –This is a living document. Your business changes and evolves –so should the plan.2/12/20086RTO RatingElapsed Time5.0 -1 Hours4.1 -4 Hours3.4 -24 Hours2.24 -48 Hours1.48 Hours –PlusRecovery Time Objectives (RTOs)2/12/20087Business Continuity PlanAfter the critical processes are identified, who will be responsible for leading the various tasks during an interruption? The following teams include:Department Crisis Management Team –BCM and othersSite Crisis Team –including phases for resumption, recovery & restoration.Business PartnersTechnology Team-MembersVendors (external and internal)Corporate Crisis Management Team –standardRespondResume RecoverRestore2/12/20088Business Continuity PlanIf I lose my primary location, where will the work be done and by whom?Is relocation an alternative?How many team members will be required immediately? Dial-in ports are limited. Only those responsible for critical processes may use this option immediately following an interruption. Confirm the employees designated for recovery efforts have the appropriate dial-in software, secure cards, and access authorization.2/12/20089Successful Test ExercisesPoints to think about when evaluating the success of a test exercise:Up-to-date information was included in the plan for contacts. Include team members, partners, and support personnel.Recovery strategies were valid and required resources were available to the workaround procedures must be in place to accommodate the delay.Applications and other technology were available within an acceptable length of time. If not, Interim Plans or workaround procedures must be in place to accommodate the delay.2/12/200810Business Continuity Plan UpdatesIn a rapidly changing business environment, Business Continuity Plans can become periodic updates of the plan must occur in order to maintainaccuracy.Maintain accurate contact listsUpdate the BIA and BCP when business processes change (add, delete, change)Maintain communication with all business partners. Changes in those environments could impact the BIA and BCP for the business.Redistribute the BIA and BCP to all parties when significant changes occur.2/12/200811DefinitionsBusiness Continuity Plan (BCP):The documentation of a predetermined set of instructions or procedures that describe how an organization’s business functionswill be sustained during and after a significant disruption.Business Impact Analysis (BIA):A management level analysis that identifies the impacts of losing company resources. The BIA measures the effect of resource loss and escalating losses over time, in order to provide senior management with reliability data upon which to base decisions on risk mitigation and continuity planning. (Associated terms: Business Impact Assessment; Business Impact Analysis Assessment).2/12/200812Definitions (Cont’d):Business Recovery/Resumption Plan ( BCP):The documentation of a predetermined set of instructions or procedures that describe how businessprocesseswill be restored after a significant disruption has occurred.Disaster Recovery Plan (DRP):A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.Risk Management:The ongoing process of assessing the risk to mission/business as part of a risk-based approached used to determine adequate security for a system by analyzing the threats and vulnerabilities and selecting appropriate, cost-effective controls to achieve and maintain an acceptable level or risk.2/12/200813ResourcesAssociation of Contingency Plannerswww.acp-international.comAvailability.comwww.availability.comCBS News Disaster Linkshttp://www.cbsnews.com/digitaldan/disaster/disasters.htmContingency Planning Management (CPM)www.contingencyplanning.comDisaster Recovery Institute International (DRII)www.drii.org2/12/200814Resources (Cont’d):Disaster Recovery Journal (DRJ)www.dri.comGlobal Continuity.comwww.globalcontinuity.comINFOSYSSEChttp://www.infosyssec.org/infosyssec/buscon1.htmNational Emergency Management Associationwww.nemaweb.orgSurvivewww.survive.com