Risk Based Planning for Mission Continuity
2. 2©Copyright 2006, Dan Houser
Agenda
Discuss Disaster Recovery, Business Continuity & Emergency Planning
Effective Business Impact Assessment
Risk Management approach to continuity
Risk mitigation
Implementation
Q&A
4.
Continuity Management
Disaster Recovery
Business Continuity
Emergency Response
5.
Causes of Disasters
Boston Molasses Disaster of January 15, 1919
Warehouse Fire
Earthquake
Columbus School for the Blind – Jan 15, 2001
Pontifical College Josephinum – 12/15/99
6.
Causes of Disasters
Natural
Floods
Hurricanes
Tornadoes
Earthquakes
Volcano Eruptions
Wildland fires
Thunderstorms and lightning
Man Made
Hazardous Materials
House/Building Fires
Nuclear Power Plant Emergencies
Terrorism
Criminal Hacking
Civil Unrest
Strikes
Political Unrest
All affect essential elements – such as people, buildings, applications, data, and
equipment – that are required to sustain critical business operations. Disasters create
downtime for computer systems. Statistics can be found at www.fema.org and
www.storagetek.com
7.
Continuity Management
Business Continuity
1) Ensures continuity of the critical business
functions,
2) Captures vital transactions, and
3) Facilitates the rapid recovery of business
operations to reduce the overall impact of
the disaster.
Focus = no interruption of vital business
functions
8.
Continuity Management
Disaster Recovery
Procedures for when the computer
installation suffers loss of computer
resources and physical facilities.
1. Emergency response,
2. Extended backup operations and
3. Post-disaster recovery
Focus = restoring normal automated
operations for critical functions.
9.
Crisis vs. Emergency vs. Disaster
Events occur, which may lead to an
incident or crisis
An emergency is a crisis that may also
cause injury, loss of life or destruction
of property.
A Disaster is declared, in accordance
with the DRP, following a sudden
unplanned catastrophic event
Typically, disasters are not declared
following an incident (your mileage may
vary)
10.
BCP is a Business Process
Disaster Recovery is system
focused, BCP is focused on the
continuity of the business.
Business drives business needs
Fundamental issue: what VITAL
business functions must survive?
The Bottom Line: Continuity planning is a
business process requiring business
management attention and guidance.
11.
Disaster Lifecycle
[Chart: phases Event, Crisis, Disaster, Recovery, Restoration on a scale of 0 to 120]
13.
Business Continuity Process
The Business Continuity Institute’s BCM
process (also known as the BC Life Cycle)
combines 6 key elements
1. Understanding Your Business
2. Continuity Strategies
3. Developing a BCM Response
4. Establishing a Continuity Culture
5. Exercising, Rehearsal & Testing
6. The BCM Management Process
14.
Risk Management & BIA
Business Impact Analysis (BIA) is
the starting point for determination
of risk.
Sets the stage for shaping a business-
oriented judgment concerning the
appropriation of resources for recovery
planning efforts*
* Jackson
15.
Business Impact Analysis
What drives your organization?
What vital functions can you not live
without?
Revenue generation
Asset management
Access to capital
Operations execution
Customer/account servicing
Which of these are most time critical?
16.
Risk Management
Human Life &
Vital Business Processes
Information
Software
Facilities
17.
Business Impact Analysis
What’s a vital function?
What is your mission?
Vital Functions execute the mission statement
Preservation of mission integrity
Maintaining core values of the organization
18.
Additional Vital Functions
Overhead functions necessary to weather
the storm:
Public Relations / Corporate Communications
Human Resources
Communications
Legally required operations
Facility Management (?)
Supporting functions
Compliance-mandated record keeping
Abnormal record keeping required to permit
recovery following the disaster
19.
Quantitative Loss Impact
Consider financial costs of potential disruption
Lost revenue
Lost trade discounts
Interest lost on float
Interest paid on borrowed funds
Contractual Fines & Penalties
Increase in extraordinary expense
Emergency Purchases
Outside Services/ Temporary Staff
Cancelled orders
Unavailability of capital
Prioritize [0-5], [Critical, High, Medium, Low]
20.
Qualitative Loss Impact
Loss impact in terms of intangibles,
emotions and understanding
Lost confidence: customers, shareholders,
regulators, investors
Loss of customer services capability
Drop in staff morale
Drop in staff productivity
Customer inconvenience
21.
Risk Analysis Process
Human Life &
Vital Business Processes
Information
Software
Facilities
22.
BIA Worksheet
| Function | Financial | Qualitative | RTO | RPO |
|---|---|---|---|---|
| Human Resources | $100,000 | Medium | | |
| Public Relations | Minimal | Critical | | |
| Asset Environ'tl Controls | $1,250,000 | High | | |
| Soup Kitchen | $34,000 | Critical | | |
| Operations Center | $55,000 | High | | |
23.
Analysis of Loss Estimates
Threshold analysis:
Interview senior management for a better
understanding of loss threshold.
At what threshold do losses become
unbearable?
$1 million? $10 million? $100 million?
Stability of Threat Environment
Unstable environments get higher priority
Example: Processing center near fault line
24.
Time Sensitivity of Vital Functions
Conduct interviews to determine time
criticality of vital functions.
What is the maximum downtime that can
be absorbed without a significant impact
to the mission?
What are the costs associated with ½ that
duration? 1/3? (linear, exponential,
logarithmic, bursty)
Determination of vital time functions…
25.
BCP Recovery Time Parameters
MTD: Maximum Tolerable Downtime
Maximum outage duration, by business
function. (a.k.a. – RTO)
RPO: Recovery Point Objective
Maximum outage duration before normal
operations are resumed
Note that the RPO doesn’t start when the
disaster starts, but starts at the first prior
viable restart point (e.g. previous night
backup tape).
26.
BIA Worksheet
| Function | Financial | Qualitative | RTO | RPO |
|---|---|---|---|---|
| Human Resources | $100,000 | Medium | 1 day | 2 wks |
| Public Relations | Minimal | Critical | 1 hr | 4 wks |
| Asset Environ'tl Controls | $1,250,000 | High | 1 hr | 3 days |
| Soup Kitchen | $34,000 | Critical | 4 hr | 2 wks |
| Operations Center | $55,000 | High | 1 hr | 5 days |
27.
Continuity Strategies
Facility Plans
Minor – shelter in place
Major – relocate
Disaster – execute disaster relocation plan
Business Plans
Manual processing
Co-processing / Reciprocal agreements
Queue and hold
Outside services
28.
Business Continuity ROI
For each vital function covered by BCP, calculate
the qualitative and quantitative costs.
Catastrophic loss of the business function = ____
Qualitative loss of the function means ______ &
______.
Planning, exercising and maintaining the BCP will
cost _______.
Executing the BCP will cost ____ per day,
forecasted maximum cost of _____.
29.
BCP ROI Example: Operations Center
Predicted Losses
| | 1 Day | 3 Day | 7 Day | 21 Day |
|---|---|---|---|---|
| Loss of Facility | 14000 | 51800 | 191660 | 1341620 |
| Business Function Offline | 0 | 10000 | 67000 | 603000 |
| Contractual Penalties | 0 | 0 | 25000 | 45000 |
| Parallel Operations | 1500 | 12000 | 44400 | 164280 |
| Extraordinary Expenses | 100 | 5000 | 15000 | 72000 |
| Recovery Costs | 500 | 1850 | 6845 | 25327 |
| Likelihood | 2 | 0.2 | 0.1 | 0.01 |
| ALE | $29,200 | $13,730 | $28,291 | $16,482 |
Total: $87,703
Business Continuity Planning & Testing
| Item | Cost |
|---|---|
| BIA | $11,000 |
| Continuity Plan Development | $16,000 |
| BCP Exercises & Refinement | $49,500 |
| BCP Mgmt - Year 2-4 | $6,000 |
| BCP Exercises - Year 2-4 | $10,500 |
| Amortized cost | $23,250 |
Net Risk: $64,453
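An added example (not from the original slides) that recomputes this worksheet: ALE per outage duration as likelihood times summed losses, then total ALE minus the amortized planning cost. Leaving Parallel Operations out of the loss sum and spreading the plan costs over four years are assumptions, chosen because they reproduce the slide's 1 Day and 3 Day ALE and its amortized cost; under them the 7 Day and 21 Day ALE figures do not reproduce from the listed lines, which the check reports.

```python
# Added example: recompute the Operations Center worksheet from the slide.
# Figures are copied from the slide. Excluding "Parallel Operations" from the
# loss sum is an assumption (treated here as a cost of running the plan).

HORIZONS = ["1 Day", "3 Day", "7 Day", "21 Day"]
LOSSES = {
    "Loss of Facility":          [14000, 51800, 191660, 1341620],
    "Business Function Offline": [0, 10000, 67000, 603000],
    "Contractual Penalties":     [0, 0, 25000, 45000],
    "Parallel Operations":       [1500, 12000, 44400, 164280],
    "Extraordinary Expenses":    [100, 5000, 15000, 72000],
    "Recovery Costs":            [500, 1850, 6845, 25327],
}
LIKELIHOOD = [2, 0.2, 0.1, 0.01]           # "Likelihood" row, read as an annual rate
STATED_ALE = [29200, 13730, 28291, 16482]  # ALE row as printed on the slide
PLAN_COSTS = [11000, 16000, 49500, 6000, 10500]  # BIA through exercises, years 2-4
PLAN_YEARS = 4       # assumption: matches the slide's amortized figure
EXCLUDED = {"Parallel Operations"}  # assumption, see note above


def recomputed_ale():
    """ALE per horizon = likelihood x sum of loss lines (minus EXCLUDED)."""
    out = []
    for i, rate in enumerate(LIKELIHOOD):
        single_loss = sum(v[i] for k, v in LOSSES.items() if k not in EXCLUDED)
        out.append(round(rate * single_loss))
    return out


def unreproduced_columns(tolerance=1):
    """Horizons whose printed ALE differs from the recomputed value."""
    rows = zip(HORIZONS, recomputed_ale(), STATED_ALE)
    return [h for h, calc, stated in rows if abs(calc - stated) > tolerance]


def net_risk():
    """Slide's bottom line: total stated ALE minus amortized plan cost."""
    total_ale = sum(STATED_ALE)
    amortized = sum(PLAN_COSTS) / PLAN_YEARS
    return total_ale, amortized, total_ale - amortized


if __name__ == "__main__":
    print("recomputed ALE:", dict(zip(HORIZONS, recomputed_ale())))
    print("columns that do not reproduce:", unreproduced_columns())
    print("total ALE, amortized cost, net risk:", net_risk())
```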
30.
Risk Analysis Process
[Chart: ratings Critical, High, Medium, Low plotted against Net Cost ($100,000, $1 million, $10 million, $100 million)]
31.
Risk Analysis Process
[Chart: ratings Critical, High, Medium, Low plotted against Net Cost ($100,000, $1 million, $10 million, $100 million), with points A, B, C, D, E, F, G, H, J plotted]
32.
Continuity Procedure Development
Objectives:
Document a detailed business continuity procedure
Establish testing and training methods
Establish a maintenance approach for the Continuity Plan
Major Activities:
Develop service function plans, including data processing,
telecommunications, etc.
Develop business function plans
Develop facility plans
Test selected continuity procedures
Define ongoing support processes
Deliverables:
Business and service recovery plans
Plan maintenance programs
Employee awareness program
Test / Exercise documentation
Restoration plan
33.
Recovery Testing / Exercise
Structured Walk-Through Exercise
Occurs when the functional representatives meet
to review the plan in detail. This involves a
thorough look at each of the plan steps, and the
procedures that are invoked at that point in the
plan. This ensures that the actual planned
activities are accurately described in the plan.
Checklist Exercise
Method of testing the plan by distributing copies
to each of the functional areas. Each area reviews
the plan and checks off the points that are listed.
This process ensures that the plan addresses all
concerns and activities.
Tabletop Exercise
Participants review and discuss the actions they
would take per their plans, but do not perform
any of these actions. The exercise is typically
under the guidance of exercise facilitators.
34.
Recovery Testing / Exercise
Standalone Test
A test conducted on a specific component of a
plan, in isolation from other components, typically
under simulated operating conditions.
Integrated Test
A test conducted on multiple components of a
plan, in conjunction with each other, typically
under simulated operating conditions
35.
Recovery Testing / Exercise
Simulation Exercise
Where all operational and support functions meet to
practice execution of the plan based on a scenario
that is played out to test the reaction of all functions
to various situations. Only those materials and
information available in a real disaster are allowed to
be used during the simulation, and the simulation
continues up to the point of actual relocation to the
alternate site and shipment of replacement
equipment. (a.k.a. Scenario Testing)
Parallel Exercise
Essentially an operational test. In this test, the
critical systems are placed into operation at the
alternative site to see if things run as expected. The
results can be compared with the real operational
output and differences noted.
36.
Recovery Testing
Full Interruption Test
When full normal operations are
completely shut down, and the
processing is conducted at the
alternate site using the materials that
are available in the offsite storage
location and personnel that are
assigned to the recovery teams.
38.
Summary
While interlocked, ensure that Business
Continuity is a different exercise from DRP.
Use a blend of quantitative and qualitative
determinants for risk
Keep in mind the pyramid: People, Process, Data,
Software, Hardware
Ensure continuous assessment of BCP – address
with any significant business change
40.
Sources
Jackson, Carl B. The Business Impact Assessment Process, The Handbook of Information Security Management, 3rd Ed. 1999. Accessed 4/26/2006, http://tinyurl.com/zgq7f
Stacey, Timothy R. Best Practice in Contingency Planning or Contingency Planning Program Maturity, The Handbook of Information Security Management, 5th Ed. Vol 2, Auerbach Publishers, 2005.
Texas Department of Information Resources, Information Resources Asset Protection Council. Business Continuity Planning Guidelines, 2nd ed, 2004. Accessed 4/26/2006, http://tinyurl.com/l4pyv