![Page 1: Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011](https://reader036.vdocuments.us/reader036/viewer/2022081603/5681306d550346895d964cf5/html5/thumbnails/1.jpg)
Dr. Bhavani Thuraisingham
The University of Texas at Dallas (UTD)
June 2011
Business Continuity and Disaster Recovery Planning

Domain Agenda
• Project Scope Development and Planning
• Business Impact Analysis (BIA) and Functional Requirements
• Business Continuity and Recovery Strategy
• Plan Design and Development
• Implementation
• Restoration / Disaster Recovery
• Feedback and Plan Management

Domain Objectives
• Understand the planning process
• Integrating BCP into the organization
• Defining inputs and outputs of process
• Understand the difference between BCP and DRP

Sources of Information
• Disaster Recovery Institute International
• Business Continuity Institute
• ISO 25999
• ISO 27001, Section 10
• NIST SP 800-34

ISO 25999: Business Continuity Management
• Risk management
• Disaster recovery
• Facilities management
• Supply chain management
• Quality management
• Health and safety
• Knowledge management
• Emergency management
• Security
• Crisis communications and PR

Overview of BCP
• Direct benefits
• Indirect benefits
• Overlap with Risk Management
• BCM vs. BCP vs. COOP

The Enterprise BCP
• DRP
  – Backup strategies
  – Emergency procedures
  – Contracts and provisioning
• BIA
  – Reciprocal agreements
  – Alternate sites
• Incident response planning
  – Succession Plan
  – Incident Response Team

The Enterprise BCP (cont.)
• Risk analysis
  – Safeguards / countermeasures
  – Insurance plan
• Corporate communication plan
  – User awareness training
  – Media/stakeholder relations plan

The Business Continuity Life Cycle
• Analyze the business
• Assess the risks
• Develop the BC strategy
• Develop the BC plan
• Rehearse the plan

BC Project Phases
• Project Scope Development and Planning
• Business Impact Analysis (BIA) and Functional Requirements
• Business Continuity and Recovery Strategy
• Plan Design and Development
• Implementation
• Restoration / Disaster Recovery
• Feedback and Plan Management

Reflecting Organizational Context
• Policy is the driver
• Aligned with requirements
• Provides direction and focus
• Use Business Impact Analysis
• Identify inputs
• Outcomes and deliverables
• Reviewed annually

Policy
• Organizational authority
• Policy document
• Program scope
• Resources
• Outsourcing

Policy contents
• Framework
• Tools and techniques
• Policy contents
• Change is infrequent

Outsourced Activities
• You are still responsible
• Resilience in outsourcing
• Supplier continuity

Scope and Choices
• Limit scope
• Ensure clarity of scope
• Strategy, Return on Investment (ROI), and SWOT (Strengths, Weaknesses, Opportunities, Threats)
• Review yearly

Program Management
• Assigning responsibilities
• Initiating BCP in the organization
• Project management
• Ongoing management
• Documentation
• Incident readiness and response

Documentation
• Review current BCP if available
• Documentation may not equal capability
• Staff must be trained to use any necessary software
• Types of documentation
• Review as directed by policy

Initiating BCP
• Awareness, data, implementation
• Staff and budget
• Result must be a long-term, sustainable program
• Review progress monthly

Incident Readiness & Response
• Planners become leaders
• Be prepared
• Triage
• Incident management
• Success = Return to Operations
• Immediate lessons learned

Key Indicators of Success
• Senior management commitment
• Policy content
• BCP Resources
• Project management
• Documentation

Understanding the Organization
• Business Impact Analysis (BIA)
  – Benefits
  – Objectives
• Evaluating Threats (Risk Assessment)
• Emergency Assessment
• Indicators of Critical Business Functions

Business Impact Analysis
• Identifies, quantifies and qualifies loss
• Scope and support required
• Documents impact and dependencies
• MTD, RPO
• Business impact analysis process
• Workshops, questionnaires, interviews
• Business justifications for budget

Maximum Tolerable Period of Disruption

| Item | Required recovery time following a disaster |
|---|---|
| Non-essential | 30 days |
| Normal | 7 days |
| Important | 72 hours |
| Urgent | 24 hours |
| Critical/Essential | Minutes to hours |

Estimating Continuity Requirements
• Total budget for disaster recovery
• Identification of necessary resources
• Outcomes feed BCP strategy selection
• Reviewed with BIA

Evaluating Threats (Risk Assessment)
• Risk equation + time element
• Risk = Threat impact * probability
• Prioritize key processes and assets
• Outcomes

Key Indicators of Success
• Corporate governance
• BIA practice
• Risk assessment practice

Determining Business Continuity Strategy
• High-level strategies
• RTO < MTPD
• Separation distance
• Resilience
• Address specific business types
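
The slides above give three pieces that a BIA register can be checked against: the MTPD tier table, the risk equation (Risk = Threat impact * probability) and the strategy rule RTO < MTPD. The following is an added example, not part of the original deck; the class and function names, the sample register and the 4-hour ceiling for the Critical/Essential tier are assumptions.

```python
from dataclasses import dataclass

# MTPD per criticality tier in hours, from the table in this deck.
# The deck gives "Critical/Essential" only as "minutes to hours";
# the 4-hour ceiling used here is an assumption.
MTPD_HOURS = {
    "non-essential": 30 * 24,
    "normal": 7 * 24,
    "important": 72,
    "urgent": 24,
    "critical/essential": 4,
}


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    tier: str            # key of MTPD_HOURS
    rto_hours: float     # planned recovery time objective
    impact: float        # threat impact, e.g. estimated loss per event
    probability: float   # likelihood of the event, 0..1

    def __post_init__(self):
        if self.tier not in MTPD_HOURS:
            raise ValueError(f"{self.name}: unknown tier {self.tier!r}")
        if not 0 <= self.probability <= 1:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if self.rto_hours < 0:
            raise ValueError(f"{self.name}: RTO cannot be negative")

    @property
    def mtpd_hours(self):
        return MTPD_HOURS[self.tier]

    @property
    def risk(self):
        # Risk = threat impact * probability
        return self.impact * self.probability

    @property
    def meets_strategy_rule(self):
        # Strict inequality: an RTO equal to the MTPD leaves no margin.
        return self.rto_hours < self.mtpd_hours


def rank_by_risk(functions):
    """Highest risk first; ties broken by the smaller RTO margin."""
    return sorted(functions, key=lambda f: (-f.risk, f.mtpd_hours - f.rto_hours))


def rto_violations(functions):
    """Names of functions whose RTO is not below their MTPD, in risk order."""
    return [f.name for f in rank_by_risk(functions) if not f.meets_strategy_rule]


# Constructed sample register (illustrative values, not from the deck).
SAMPLE_REGISTER = [
    BusinessFunction("Internal wiki", "non-essential", 240, 5000, 0.5),
    BusinessFunction("Payroll", "important", 72, 80000, 0.0625),
    BusinessFunction("Customer portal", "urgent", 36, 120000, 0.25),
    BusinessFunction("Payment processing", "critical/essential", 2, 400000, 0.125),
]

if __name__ == "__main__":
    for f in rank_by_risk(SAMPLE_REGISTER):
        status = "ok" if f.meets_strategy_rule else "RTO >= MTPD"
        print(f"{f.name:20} risk={f.risk:>8.0f} RTO={f.rto_hours:>4}h "
              f"MTPD={f.mtpd_hours:>4}h {status}")
```

The Payroll entry shows the boundary case: an RTO of exactly 72 hours against a 72-hour MTPD is reported, because the rule is a strict inequality.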

Determining Strategy
• Determining BC strategies
• Strategy options
• Activity continuity options
• Resource-level consolidation

Activity Continuity Options
• Selecting recovery tactics
• Reliability
• Extent of planning
• Cost/benefit analysis
• Outcome

Recovery Alternatives

| Alternative | Description | Readiness | Cost |
|---|---|---|---|
| Multiple processing / mirrored site | Fully redundant identical equipment and data | Highest level of availability and readiness | Highest |
| Mobile site/trailer | Designed, self-contained IT and communications | Variable drive time; load data and test systems | High |
| Hot site | Fully provisioned IT and office, HVAC, infrastructure and communications | Short time to load data, test systems. May be yours or vendor staff | High |
| Warm site | Partially IT equipped, some office, data and voice, infrastructure | Days or weeks. Need equipment, data communications | Moderate |
| Cold site | Minimal infrastructure, HVAC | Weeks or more. Need all IT, office equipment and communications | Lowest |

Processing Agreements

| Agreement | Description | Consideration |
|---|---|---|
| Reciprocal or Mutual Aid | Two or more organizations agree to recover critical operations for each other. | Technology upgrades/obsolescence or business growth. Security and access by partner users |
| Contingency | Alternate arrangements if primary provider is interrupted, i.e. voice or data communications | Providers may share paths or lease from each other. Question them. |
| Service Bureau | Agreement with application service provider to process critical business functions. | Evaluate their loading geography and ask about backup mode. |

Resource Level Consolidation
• Consolidation plan
• Availability of solutions
• Consolidate, approve, implement
• Methods and techniques
• Outcomes and deliverables

Business Continuity Plan
• Master plan
• Modular in design
• Executive endorsement
• Review quarterly

Business Continuity Plan Contents
• When team will be activated
• Means by which the team will be activated
• Places to meet
• Action plans/task list created

Business Continuity Plan Contents
• Responsibilities of the team or of specific individuals
  – Liaising with Emergency Services (fire, police, ambulance)
  – Receiving or seeking information from response teams
  – Reporting information to the Incident Management Team
  – Mobilizing third party suppliers of salvage and recovery services
  – Allocating available resources to recovery teams
  – Invocation / mobilization instructions

Developing and Implementing Response
• Incident response structure
• Emergency response procedures
• Personnel notification
• Communications
• Restoration

Implementing Incident Management Plan
• Rapid response is critical
• Crisis management
• Steps to develop an Incident Management Plan
• Action plans

Incident Response Structure
• Strategic
• Tactical
• Operational

Key Indicators of Success
• Development and acceptance of Recovery Strategies and Business Continuity Plans

Disaster Recovery
• Salvage
• Separate function and team
• Facility restoration
• System recovery

Testing the Program
• Find the flaws
• Outsourcing
• Timetable for tests
• Test design process

Testing Types

| Types | Process | Participants | Frequency | Complexity |
|---|---|---|---|---|
| Desk Check | Check the contents of the plan, aid in maintenance. | Author | Often | LOW |
| Walk-through | Check interaction and roles of participants. | Author and main people | | |
| Simulation | Includes: business plans, buildings, communications | Main people and auditors | | |
| Parallel testing | Moves work to another site. Recreates the existing work from the displaced site. | Everyone at location | | |
| Full | Shuts down and relocates all work | Everyone at both locations | Rare | HIGH |

Embedding BCP
• Assessing level of awareness and training
• Developing BCP within the Culture
• Monitoring cultural change

Test BCP Arrangements
• Test, rehearsal, exercise
• Combine all plan activities
• Stringency, realism and minimal exposure
• Contents of a test
• Outcomes

Maintaining BCP Arrangements
• Ready and embedded
• Triggered by change management
• Owners keep information current
• Documented
• Review as needed

Reviewing BCP Arrangements
• Audit
• Independent BCP audit opinion
• As directed by audit policy

Factors for Success
• Supported by senior management
• Everyone is aware
• Everyone is invested
• Consensus

Assessing the Level of Awareness and Training
• Where are we now
• What does the policy state
• Current vs. desired levels
• Training framework in place

Developing a BCP Within the Organization’s Culture
• Training, education, awareness
• Well-implemented policy
• Design
• Delivery planning
• Delivery
• Cost effective delivery
• Higher awareness

Domain Summary
• Project Scope Development and Planning
• Business Impact Analysis (BIA) and Functional Requirements
• Business Continuity and Recovery Strategy
• Plan Design and Development
• Implementation
• Restoration / Disaster Recovery
• Feedback and Plan Management