Business Continuity Overview Business Continuity Services, User Support Services, ITR California State University, Northridge CSUN, 2006


Business Continuity Overview

Business Continuity Services, User Support Services, ITR

California State University, Northridge

CSUN, 2006


Agenda—About BC

WSIC? WDINTK? WSID?

--Context of BC in Higher Ed, CSU

--BC Program Components

--BC Culture


Presentation Caveats and Disclaimers

Functionally agnostic: Not specific to IT, administration and finance, academic units, student services, financial aid, etc.

Overview of business continuity program components for your consideration and application

Emphasizes efficient, continuous approach to yield useful results (a comprehensive DRII methodology exists)


CSU Business Continuity Drivers

CSU Executive Order 921, Emergency Management Program (November 2004). Look for a new/superseding EO with more specifics on BC Planning, per system audit office.

Governor’s Executive Order S-4-06 (April 2006) mandates compliance by all state agencies with Continuity of Operations/Continuity of Government plans and guidelines. (CSU requested to assist in implementation.)

All pre-mitigation and recovery grant monies are now tied to Federal Government Emergency Preparedness Standards.


Other BC Drivers

Common institutional standards:

--Protect people, buildings, and infrastructure

--Address potential threats and exposures to unit’s essential functions

--Minimize campus and unit disruption; loss; and costs due to delays, interruptions, outages

--Do the right thing

Regulations, competition stimulate constituent expectations/requirements:

--High availability of service, data accuracy, adaptability and flexibility...


Up a Creek?

Your Business Continuity Program to the Rescue!

Photo, slide text from Business Continuity Strategies content of UC Berkeley, Copyright © 2002, The Regents of the University of California.


Context of Higher Education BC Planning

HIGHER EDUCATION PAST | HIGHER EDUCATION PRESENT

Emergency management focus | Continuum from emergency response to operational continuity

Disjointed, short-term maneuvers/projects, written plans | Strategic, driven from the top, ongoing programmatic actions

Limited to individual areas | Involves all aspects of the enterprise

Expense-driven | Investment-oriented

It’s about IT and the IT organization. | It’s about all units, especially IT, and sustaining the institution.


Business Continuity Strategy at CSUN

Simultaneous, phased approach

Phase One: Facilitate plan/program development with high-priority units; opportunistic, high-need testing; support based on EO 921

Phase Two: Provide tools, outreach, and training to support independent unit-level development of program/plan; facilitate development of campus-wide program/plan; targeted, periodic testing, review, and improvement events; support based on Presidential Charter, Cabinet-level Executive sponsorship, EO 921

Unified, integrated across campus units (e.g., DPS, EHS, SHC, EOC)

Planning answers two questions:

--What key functions need to be recovered by a unit during an emergency?

--How will the unit recover and execute those functions?


Business Continuity

An ongoing program of advanced planning and preparation activities conducted by academic and business operational units to ensure continuation of mission-critical functions and maintain campus viability before, during, and after an adverse event

Sometimes called “continuity of operations...”


BC Program Elements You May Already Have in Place...

INFRASTRUCTURE ASPECTS

• Emergency Evacuation/Safety Protocols

• Data Backup & Recovery Practices

• IT Change Management Practices

• Onsite/Offsite Data Storage, Replication

• Alternate Site (Cold, Warm)

• IT Recovery Processes

MANAGEMENT ASPECTS

• Validation and Testing Practices

• RFP Practices

• Campus-wide Emergency Operations Center, Emergency Response Plan

Forsythe


BC Program Components

Enact Personal/Emergency Preparedness, Building/Environmental/Work Safety

Assess Potential Disruptions

Identify Critical Functions

Determine Essential Resource/Asset Needs and Resumption Approach(es) for each function

Capture procedural info about how to recover each function

Establish Concept of Operations and BC Program Calendar

Compile and develop written plan

Conduct maintenance (Train, exercise, revise plan, lather, rinse, repeat.)


Risk Assessment

Describe causes, effects, consequences of disruptions (CAUSES--fire, flood, earthquake, aircraft/transportation accidents, landslides, pandemic, hazmat incidents, civil disorder, heat emergencies, drought, terrorism, sabotage; EFFECTS—area denial/contamination, personnel death/injury, property/structural damage, explosive/shock wave, fire, heat, flood, loss of food/water, loss of transportation, lack of medical care/surge capacity; CONSEQUENCES—operational viability, legal liability, damaged reputation/credibility, decreased safety, etc.)

Work involved in estimating consequences of each effect is enormous (for ex., for a power outage, flood, or malicious employee, estimate damages considering all prevention, mitigation, and SOPs that might reduce harm...)

GAK!!


Risk Assessment—Disruption-based Focus

Loss of people (local or area wide? executives, department decision-makers, key operational experts?)

Loss of facility, localized event

Loss of facility, regional event

Loss of a communication system/mode

Loss of vital records, key databases

Loss of specialized equipment, supplies, or systems (HW, SW apps, servers, OS platforms, networks, email/Internet, etc.)

Loss of key vendor services, other agency services


Risk Assessment—Disruption-based Focus

ID specialized risks that are not addressed by one or more of the disruption scenarios

ID risks that are not contemplated or covered


Risk Assessment—Disruption-based Focus

Disruption scenarios help you determine resumption strategies—

If key resources (people, buildings, infrastructure) are not available, what alternatives exist to resume a given function?

If alternatives do not exist, what should be/can be put in place?


Critical Functions

What key functions need to be recovered by your unit during an adverse event?


What’s a critical function?

One that must or should continue under all circumstances, without significant interruption, because of safety or security.

One that is vital to the instructional, research, or service mission of the University.

One that provides vital support to another department, unit, organization that delivers essential functions.


Now, strategize...

Given a disruption, how will each critical function be recovered, and what functional level(s) are adequate?


Consider Alternate Ops

Build in internal backup(s)

External backup(s)

Restricted Ops

Virtual Ops

Parallel Capacity

Like-kind exchanges (MOUs)

Re-construct process at alternative site (warm, cold; staff work at alt site, hotels, home locations)

Substitute processes (for ex., w/communications: telephone, email, Web site, cell phones, fax, in person meetings)

CROSS-TRAINING


Analyze Resource Requirements, Recovery Approach(es) for each

Activities and tasks to be conducted

Facilities/worksites (space, security, access)

Communication systems

Personnel

Vital Records and Databases

Systems (sw, other) and Equipment (hw, office, etc.)

Key vendors; other agencies, organizations

Key constituents

Specific Recovery Instructions (maps, diagrams, procedures)


Additional Considerations

RTOs—

For those very few under an hour, straight recovery with hot/warm backup

For the few under 24 hours, the several 72 hours to a week, scaled / layered recovery with limited recovery for <24 hours.

For those between 24 hours and a week, more extensive recovery, but perhaps not full, capability.

Scales and layers of disruption—unit-level, organization-, region-wide; factor in multiple recovery site options


Atchoo! Pandemic Planning

Understand the difference between seasonal flu, avian (bird) flu, and pandemic flu.

Implement remote work schedules: Practice working and communicating remotely with colleagues on a routine basis.

Cross-train today—BE THREE DEEP for essential functions and related processes.

Gear up and prepare systems and IT staff members for increased demand for service within framework of greatly reduced IT workforce and outside support...

For each essential function, establish service-level matrix when campus is closed or open and staff levels are normal, 70%, and 30%

Put your personal and family emergency preparedness plan in place—at home, at work, and on the road. Seriously.


Interest Areas for CSU Auditors?

What are risks specific to campus/general operational area (RA)?

Assessment of realistic worst-case scenarios to determine what can cause disruption to critical function(s)?

Potential impact of uncontrolled, non-specific events on an institution's business processes identified (BIA)?

Specific business continuity goals, objectives, and needs for operational area are enumerated?

Prioritized list of functions and assets critical for continuing operations after a disaster?

Budgetary requirements for operational restoration and continuity?

Plan Maintenance: A written plan with revision dates included exists and is reviewed, updated, exercised/tested at least annually?


Challenges—The Continuity Culture

No program or plan comes into existence fully completed and highly operational!

Deficiencies: Operational vulnerabilities, recovery inconsistencies, low readiness of teams, tribal knowledge, inadequate testing, poor awareness, lack of measurement to validate plan quality, poor links with vendors....

Anticipate that your plan will require upgrades/alterations to operations or to standby provisions so it can be effective...

Some changes may require many months, even years to alter practices, obtain funding, and satisfy needs...

Something is better than nothing—unless you’ve made the explicit decision to do nothing.


Success Factors—The Continuity Culture

Every mission-critical function has its recovery documented in a continuity plan

Essential personnel have been identified and know what to do

All personnel are familiar with their unit’s operational continuity plan

Plan is updated and exercised on a regular basis

Executive level BC directive to management and abiding BC commitment from executive leadership that is communicated to management and staff


Success Factors—The Continuity Culture

Operational continuity integrated into strategic planning—at campus and unit-level—and each employee’s job description

Campus meets, anticipates BC-related regulatory requirements

Unity of emergency preparedness, environmental health and safety, operational continuity programs, public health

Ready, routine assessment and mitigation against critical risk drivers

Provide BC leadership in your campus community


In a Jam?

Your Business Continuity Program to the Rescue!


THANK YOU!

Business Continuity Services, User Support Services, ITR

California State University, Northridge