LegalTech New York 2010: Business Continuity and Disaster Recovery session by David Cunningham, February 2, 2010
Business Continuity and Disaster Recovery Planning
A panel discussion on recovery planning and related key issues
Panel:
David Cunningham, Hildebrandt Baker Robbins
Nick L. Krishnani, Paul, Weiss, Rifkind, Wharton & Garrison LLP
Cliff Forrester, Shearman & Sterling, LLP
February 2, 2010 2:30pm – 3:45pm
LegalTech New York 2010
Panel Members
• Nick L. Krishnani – Head of Global Infrastructure and Security – Paul, Weiss, Rifkind, Wharton & Garrison LLP
• Cliff Forrester – IT Manager, Head of IT Shared Services – Shearman & Sterling, LLP
• David Cunningham – Managing Director, Co-Leader, Strategic Technology and Risk Practices – Hildebrandt Baker Robbins
Infrastructure Management
Law Firm IT Continuity Benchmark (excerpt): [Firm Name] vs. Median Firm vs. High Firm (the chart bars are not recoverable from the slide text)
Areas benchmarked: Infrastructure Operations; Facilities Management; Security Management; Service Continuity Management; User Management; Database Management; Desktop Management
Service Continuity Management findings:
+ Smooth transitions to EMS for e-mail failures
+ Crisis communications plans underway
+ Actual recovery efforts successful
- Key systems do not meet RTOs and RPOs
- Document Mgmt and Litigation recoveries untested
- Annual DR exercises; no actual tests
Scope of Legal Risk Management
Law Firm Assets at Risk (diagram reconstructed as a list; in the original every asset group is linked to Data)
Data: Transfer Agreements; Consistency; Conflicts (Laterals, Mergers, Conf. Matters); Regulatory Compliance; Protective Orders; Discovery; Security; Confidentiality; Integrity; Access
IT Systems: Continuity; Recovery; Access/Security; Third-Party Suppliers
Facilities: Security; Damage; Environmental; Resource Access
Litigation Support: Evidence Chain of Custody; Access/Security; Vendor Mgmt
Client Engagements: Profitability; Quality; Scope Control; Resource Mgmt; Records Mgmt; Legal Holds; Disaggregation; Project Management
Client Relationships: Know Your Client; Communications; Clients Going Bad; Ethical Walls
Firm: Reputation; Directors and Officers; Communications; Insurance; Mediation
Environment: Natural Disasters; Epidemics; Resource Access
Market: Commoditization; Pricing Pressure; New Competition; Outsourcing; Decline in Market Demand
Practice: Profitability; Lateral Lawyers; Rogue Partners; Bad Clients; Talent Monitoring; Bar Admission Monitoring
Lawyer Professional Responsibility: Malpractice; Conflicts; Professional Development
Money: Audit; Internal Controls; Anti-Money Laundering; Counter Terrorist Financing
Employees: Employment; Fraud; Privacy; Theft
Key Planning Questions
• How were people outside the IT department involved in the Business Impact Analysis?
• How is your effort split across creating a “high availability” environment versus “fast recovery” capabilities?
• For mission critical applications, what RTOs and RPOs do you believe are realistic for law firms?
• How do you see that cloud computing vendors (and other third party services) are changing the nature of high availability and disaster recovery planning?
• How can the cost and complexity of continuity and recovery be reduced?
• How is your role evolving to address data confidentiality needs?
• How have the needs of litigation support, including changes in the Federal Rules of Civil Procedure, affected your recovery plans?
Sample Business Continuity Planning Process
Phases: Discovery & Strategic Planning; Implementation; Management
Practice areas shown in the process diagram:
• Program Initiation & Management
• Risk Evaluation & Control
• Business Impact Analysis
• Develop Strategies & Design
• Detailed Design
• Develop & Implement Plans
• Awareness & Training Programs
• Exercise & Maintain Plans
• Emergency Response & Operations
• Crisis Communications
• External Agency Coordination
10 Professional Practices for BC Planners: Process of DRII as adapted by Baker Robbins & Company
Availability Targets
Availability Annual Downtime Monthly Downtime Weekly Downtime
95% 18 days 1.5 days 8.4 hrs
98% 7.3 days 14.5 hrs 3.4 hrs
99% 3.6 days 7.3 hrs 1.7 hrs
99.5% 44 hrs 3.6 hrs 50 min
99.8% 17 hrs 1.5 hrs 20 min
99.9% 8.7 hrs 43.5 min 10.5 min
99.95% 4.4 hrs 21.8 min 5 min
99.98% 1.7 hrs 8.7 min 2 min
99.99% 52 min 4.4 min 1 min
Based on 8,760 hours in a year less 48 hours for planned downtime = 8,712 hours of availability per year
Sample Technology Recovery Objectives for a Law Firm
High Availability Applications
Tier 1 – Critical: RTO < 1 – 4 hours; RPO ≤ 1 hour
Tier 2 – Essential: RTO ≤ 1 day; RPO ≤ 1-4 hours
Tier 3 – Important: RTO = 2-3 days; RPO ≤ 1-4 hours
Tier 4 – Supporting: RTO = 1 week; RPO = 4 hr – 1 day
Tier 5 – Low Priority: RTO = N/A; RPO ≤ 1 day
Application tiering grid (columns run Tier 1 at left to Tier 5 at right; entries separated by |; rows with fewer than five entries could not be aligned to specific tiers from the extracted text):
Phone Systems | CRM – Client Contacts | Time Entry | Imaging System | Conf Room Scheduling
Email Messaging | Accounting Systems – Billing, AP, AR, GL | Expense Systems | Event Hosting System
Internet Access | Conflicts/New Business Intake | Intranet | Recruiting Systems
Network / WAN Access | Records System | Cost Recovery System | Library Systems
Document Management System | Payroll | Performance Management
Network File Shares - documents | Human Resources Systems | Financial Reporting
Docketing Systems | Key Practice-Specific Applications | Most Practice-Specific Applications
Litigation and Trial Support | Other Litigation
User Remote Access | Public Web Site and Client Extranets | Other Marketing
Help Desk – Incident Support
Help Desk – Full Support
Printing | Legal Research – Online Access to Accounts
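The Availability Targets table and the tier RTO/RPO slide are two sides of the same planning arithmetic: the table turns an availability target into an unplanned-downtime budget on the 8,712-hour basis, and the tiers set the per-incident limits a recovery must hit. The following is an added example (not code from the panel deck or its authors) that computes the table's budgets from that basis, then checks constructed incident records against the tier targets. It assumes the upper bound of each slide range (for instance 4 hours for "1-4 hours") as the hard limit; the Incident records and their timestamps are constructed for illustration.

```python
"""Downtime budgets and RTO/RPO checks for tiered law-firm systems.

Added example, not part of the LegalTech panel deck. The 8,712-hour basis
(8,760 hours less 48 hours planned downtime) and the tier RTO/RPO targets
are taken from the slides; the incident records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

HOURS_PER_YEAR = 8760 - 48  # slide basis: planned downtime is excluded


def downtime_budget(availability_pct: float) -> dict:
    """Maximum unplanned downtime (hours) per year, month and week for a target."""
    if not 0 < availability_pct <= 100:
        raise ValueError("availability must be a percentage in (0, 100]")
    annual = (1 - availability_pct / 100) * HOURS_PER_YEAR
    return {"annual_hours": annual,
            "monthly_hours": annual / 12,
            "weekly_hours": annual / 52}


def achieved_availability(outage_hours) -> float:
    """Availability (%) delivered over a year given unplanned outage durations in hours."""
    total = sum(outage_hours)
    if total < 0 or total > HOURS_PER_YEAR:
        raise ValueError("total outage must lie within the yearly basis")
    return 100 * (1 - total / HOURS_PER_YEAR)


# Tier targets from the slide. Where the slide gives a range ("1-4 hours"),
# the upper bound is used as the hard limit; that choice is an assumption.
TIERS = {
    1: {"name": "Critical", "rto_hours": 4, "rpo_hours": 1},
    2: {"name": "Essential", "rto_hours": 24, "rpo_hours": 4},
    3: {"name": "Important", "rto_hours": 72, "rpo_hours": 4},
    4: {"name": "Supporting", "rto_hours": 168, "rpo_hours": 24},
    5: {"name": "Low Priority", "rto_hours": None, "rpo_hours": 24},  # RTO = N/A
}


@dataclass
class Incident:
    system: str
    tier: int
    started: datetime         # service lost
    restored: datetime        # service back, measured against the RTO
    last_good_copy: datetime  # newest recoverable data, measured against the RPO


def assess(incident: Incident) -> dict:
    """Compare one incident's recovery time and data loss with its tier's RTO/RPO."""
    target = TIERS[incident.tier]
    recovery_hours = (incident.restored - incident.started) / timedelta(hours=1)
    data_loss_hours = (incident.started - incident.last_good_copy) / timedelta(hours=1)
    rto_met = target["rto_hours"] is None or recovery_hours <= target["rto_hours"]
    rpo_met = data_loss_hours <= target["rpo_hours"]
    return {"system": incident.system, "tier": incident.tier,
            "recovery_hours": recovery_hours, "data_loss_hours": data_loss_hours,
            "rto_met": rto_met, "rpo_met": rpo_met}


def within_budget(incidents, system: str, availability_pct: float) -> bool:
    """True if a system's summed unplanned outage fits the annual budget for the target."""
    outage = sum((i.restored - i.started) / timedelta(hours=1)
                 for i in incidents if i.system == system)
    return outage <= downtime_budget(availability_pct)["annual_hours"]


# Constructed incident log for one year (illustrative timestamps, not real events).
SAMPLE_INCIDENTS = [
    Incident("Email Messaging", 1, datetime(2010, 3, 4, 9, 0),
             datetime(2010, 3, 4, 11, 30), datetime(2010, 3, 4, 8, 45)),
    Incident("Document Management System", 1, datetime(2010, 7, 19, 14, 0),
             datetime(2010, 7, 19, 20, 0), datetime(2010, 7, 19, 12, 0)),
    Incident("Payroll", 3, datetime(2010, 10, 1, 8, 0),
             datetime(2010, 10, 2, 8, 0), datetime(2010, 10, 1, 6, 0)),
]

if __name__ == "__main__":
    # Reproduces the slide's Availability Targets rows from the 8,712-hour basis.
    for pct in (95, 98, 99, 99.5, 99.8, 99.9, 99.95, 99.98, 99.99):
        b = downtime_budget(pct)
        print(f"{pct:>6}%  {b['annual_hours']:8.2f} h/yr  "
              f"{b['monthly_hours']:7.2f} h/mo  {b['weekly_hours'] * 60:7.1f} min/wk")
    for inc in SAMPLE_INCIDENTS:
        print(assess(inc))
    print("Email Messaging within 99.95% budget:",
          within_budget(SAMPLE_INCIDENTS, "Email Messaging", 99.95))
```

Running the block prints the budget rows (99.9% gives 8.712 hours a year, matching the slide) and then the three assessments: the e-mail incident meets both Tier 1 targets, the document management incident misses both (6 hours to restore against a 4-hour RTO, 2 hours of lost work against a 1-hour RPO), and the payroll incident sits comfortably inside Tier 3. The RPO check is the one most often skipped in annual exercises; it needs the timestamp of the last recoverable copy, which is exactly the evidence an untested document management or litigation recovery cannot produce.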
Data Confidentiality
• Aspects considered:
– Search engine readiness
– HIPAA compliance
– Red Flag Rule
– EU Data / Safe Harbor
– ISO 27001
– Discovery chain of custody
– Preservation orders / litigation holds
– Ethical walls
– Outsourced legal services
– Client privacy expectations
– Private firm documents
– International Traffic in Arms Regulations (ITAR)
• Data sets:
– Accounting
– Cloud vendor
– Conflicts
– Document management
– E-Mail
– eRecords
– Home systems (esp. separated staff)
– Human resources
– Lateral hire data
– Litigation
– Marketing
– Shared Drives
Nick L. Krishnani
Head of Global Infrastructure and Security
Paul, Weiss, Rifkind, Wharton & Garrison LLP
Cliff Forrester
IT Manager, Head of IT Shared Services
Shearman & Sterling
David Cunningham
Managing Director, Co-Lead of Strategic Technology and Risk Practices
Hildebrandt Baker Robbins