planning for the inevitable: it disaster preparedness - linda sharp
DESCRIPTION
TRANSCRIPT
SchoolDude University 2009
Planning for the Inevitable:IT Crisis Preparedness
Linda SharpCoSN Project Director
IT Crisis Preparedness
SchoolDude University 2009
Expect and prepare
for the unexpected!
SchoolDude University 2009
Schools Run 24/7
• Evening use of facilities
• Backup reports running at off-instructional hours
• Students and parents accessing the district website around the clock
Other activities and uses in your district?
SchoolDude University 2009
Reliance on Technology
• Instructional activities• Business operations• Student data and recordkeeping• Assessment and accountability• Internal and external communication
with stakeholders
Other areas of reliance in your district?
SchoolDude University 2009
District Objectives in Any Disaster
• Safety and welfare of students
• Safety and welfare of staff
• Protection of property and facilities
SchoolDude University 2009
District Objectives in Any Disaster
• Maintenance of essential services for as long as possible, shutting down least critical ones first
• Restoration of services - critical ones first - in the shortest amount of time possible
SchoolDude University 2009
Think About It?
What are some predictable threats in your own community?
SchoolDude University 2009
Potential Disasters
• Natural disasters• Violence, vandalism • Man-made threats
SchoolDude University 2009
Potential Disasters
• Natural disasters, acts of God
• Violence, vandalism• Man-made threats• Widespread medical
emergencies and pandemics
SchoolDude University 2009
Potential Disasters
• Natural disasters• Violence, vandalism• Man-made threats• Widespread medical
emergencies and pandemics
• Digital threats
SchoolDude University 2009
Cyber Security for the Digital District
www.securedistrict.org
• Tools and information to:– Assess and improve security of technology
systems – To protect safety of staff and students– Contribute to educational mission of their
schools – Maintain community support
SchoolDude University 2009
Security Planning Process
Outcome:Outcome:Security Project Description
goals processes resources decision-making standards
Phase 1: Create Leadership Team & Set Security Goals
Outcome:Outcome:Prioritized Risk Assessment
A ranked list of vulnerabilities to guide the Risk Reduction Phase
Phase 2: Risk Analysis
Outcome:Outcome:Implemented Security Plan
Risk Analysis and Risk Reduction processes must be regularly repeated to ensure effectiveness
Phase 3: Risk Reduction
Outcome:Outcome:Crisis Management Plan
A blueprint for organizational continuity
Phase 4: Crisis Management
SchoolDude University 2009
Security Planning GridSecurity Area Basic Developing Adequate Advanced
Management
Leadership:
Little participation in IT security
Aware but little support provided
Supports and
funds security
Aligns security
with organizational
mission
Technology
Network design and IT operations:
broadly
vulnerable
security roll out
is incomplete
mostly secure
seamless security
Environmental & Physical:
Infrastructure:
not secure partially secure
mostly secure
secure
End Users
Stakeholders:
unaware of role in security
Limited
awareness
and training
Improved
awareness,
Mostly
trained
Proactive
participants in
security
SchoolDude University 2009
Security Planning Grid
• Provides benchmarks for assessing key security preparedness factors
• Uses the same topic areas for consistency
• Helps prioritize security improvement action steps
SchoolDude University 2009
You never have time to plan for something you don’t think will ever happen.
SchoolDude University 2009
Disaster Planning
SchoolDude University 2009
Mitigation and Prevention
Actions you take to identify preventable and unavoidable disasters and to address what can be done to eliminate or reduce the likelihood of a disaster and/or its accompanying risks
Cameron ParishCameron ParishSchool Board OfficeSchool Board Office
SchoolDude University 2009
Preparedness
Consideration of worst-case scenarios and development of comprehensive plan for coordinated and effective response to any given disaster
South Cameron HighSouth Cameron High
SchoolDude University 2009
Response
Execution of the preparedness plan and management of the disaster
SchoolDude University 2009
Recovery
Efficient and timely restoration of mission-critical operations and processes
SchoolDude University 2009
Risk Assessment
• Analyze processes and functions deemed mission-critical.
• Identify types of potential disasters and impact of each on mission-critical items.
SchoolDude University 2009
Risk Assessment
• Prioritize based on acceptable period of unavailability.
• Chart the workflow, considering hardware, software, people and other resource requirements for continued operations.
SchoolDude University 2009
Risk Assessment
Imagine worst-case scenarios for all types of potential disasters.
– What would be lost?– What data would be critical?– How would you communicate?– How would you restore mission-critical
services?
SchoolDude University 2009
Consider Lack of Availability of Key Services and Operations
• What must be restored within 1 hour?
• What must be restored within 4 hours?
• What must be restored within 1 day?
• What must be restored within 3 days?
• What must be restored within 1 week?
• What could wait for 30 days or longer?
SchoolDude University 2009
Disaster Recovery Plan
• Easy to understand and follow• Organized into sections• Detailed steps of tasks to be accomplished• Multiple formats for different audiences• Print and electronic
SchoolDude University 2009
The worst case scenario . . .
No Plan!No Plan!
SchoolDude University 2009
First Steps
Identify Planning Team
SchoolDude University 2009
First Steps
• Identify and Classify Services, Operations and Records– Vital– Important– Non-essential
SchoolDude University 2009
Resources and Redundancies
• Hardware
• Software
• Communications
• Facilities
• People
SchoolDude University 2009
Hardware
• Identify all required hardware.• Be sure to include resources required
to run and maintain hardware.• Regularly update
your list.• Maintain key
documents offsite.
SchoolDude University 2009
Software
• Identify all required software.
• Regularly update the list.
• Keep copies of key applications offsite.
• Maintain key documents offsite.• Be certain your backup systems
are reliable - and redundant.
SchoolDude University 2009
Software
• Data– Secure and Restore Data– Assess Capabilities of Providers
SchoolDude University 2009
Communications
• Establish a communications plan
• Develop strategic partnerships
• Employee communications
SchoolDude University 2009
Communications
• Single point of contact
• What is communicated
• Technical staff support
• Ensure redundancies
SchoolDude University 2009
People
• Who is qualified to manage tasks?
• Have they been trained?
• What is their prior experience?
• Ensure key people resources are backed up.
SchoolDude University 2009
People
• Incident Response Team
• Identify critical personnel
• Communicate roles and responsibilities
• Ensure personnel have authority needed
SchoolDude University 2009
Facilities
• Have building blue prints available
• Have all shut-off valves clearly labeled or color coded on blue prints
• Identify evacuation sites
• Identify potential known hazard areas
SchoolDude University 2009
Emergency Operations Center (EOC)
• Determine overall strategy and priorities.
• Allocate resources.
• Manage the incident.
• Ensure objectives are met.
• Ensure strategies are followed.
SchoolDude University 2009
Develop a Staged Shutdown
• Move from simple preparedness to ceasing operations.
• Protect assets while staff is available to do the work.
• Ensure that mission-critical operations are the last to be stopped.
• Ensure shutdown can be reversed if needed.
SchoolDude University 2009
Exemplary District Plans
– Fairfax County (VA) Public Schoolswww.fcps.edu/emergencyplan
– Montgomery County (MD) Public Schoolswww.mcps.k12.md.us/info/emergency/
– North Carolina’s Critical Incident Response Kit Project
www.ncjjdp.org/cpsv/cirk/cirk.htm
SchoolDude University 2009
Those who have lived it!
• Dr. Sheryl Abshire, Ph.DChief Technology Officer Calcasieu Parish Public Schools, Lake Charles, LA
• Robert Gravina, Chief Technology OfficerPoway Unified School District, CA
• Wayne HowardTechnology DirectorPlatte Canyon School District
SchoolDude University 2009
Calcasieu Parish School System (LA)
• Hurricane Rita struck the Louisiana / Texas border on September 24, 2005 as a category 3 storm with 120 mph sustained winds. Calcasieu Parish was hit by the hurricane eyewall and the east quadrant which has the strongest winds.
• 34,000 students and 5,000 staff displaced
• 2008 experienced Ike and Gustav
SchoolDude University 2009
Calcasieu Parish School System
• Every school damaged. Many schools in Calcasieu Parish received extensive roof and water damage. The lack of power afterwards promoted mold and mildew growth.
• 24 hours after Rita hit, the CPSB weband email servers were back up andproviding information to evacueesacross the country.
• 34 days later, CPSB schools reopened.
SchoolDude University 2009
Calcasieu Parish School System
Many didn’t see IT as the recovery team – yet they took the initiative and were ready when disaster hit. Take the leadership if no one else is doing it.
SchoolDude University 2009
Calcasieu Parish School System
Document during response and
recovery
• Pictures
• Written records
• Items destroyed or damaged
• Items purchased
SchoolDude University 2009
Calcasieu Parish School System
Don’t just create a plan—
communicate and practice it
SchoolDude University 2009
Calcasieu Parish School System
• Develop a culture of preparedness.
• Revisit and actively practice the plan.
• Conduct periodic audits of the plan.
Practice, Practice, Practice
SchoolDude University 2009
Calcasieu Parish School System
• Staff
• Power and capabilities
• Computer and storage options
• Facilities
• Records and files
• Communication methods
Redundancy, Redundancy, Redundancy
SchoolDude University 2009
Calcasieu Parish School System
• You can’t over plan:
• Identify mission critical operations
• Think strategically• Pay attention to detail
“A plan needs to exist before it is needed. Making one on the fly is too late.”
SchoolDude University 2009
Poway Unified School DistrictPoway, CA
• Poway is the third largest school district in San Diego County covering 100 square miles and serving approximately 33,000 students.
• During the fires of 2007, the school district became the county’s communication center.
SchoolDude University 2009
Poway Unified School District
• School Business Continuity • Work on creating a stable and reliable
network for your organization
SchoolDude University 2009
Poway Unified School District
• Servers that can handle capacity in an emergencyYou may be the best form of
communication in your area• Clean data• Online access• Bandwidth for learning• Opening up applications to your stakeholders
SchoolDude University 2009
Poway Unified School District
Secure dedicated equipment, software,suppliesCapacity to Rebuild/Disaster Recovery
– Tape Drives and Juke Box (must be the same as what you are currently using)
– Back up server (work with your vendor)– Estimated time to recover– Personnel availability (cross training)
SchoolDude University 2009
Poway Unified School District
Moving your EOC• What would you do if you had to evacuate
your EOC?• Could you set up a fully functional IT
Department?• How long would it take?• Would you be able to have access to your
network?
SchoolDude University 2009
Poway Unified School District
Remote Learning• The Bird Flu, “when, not if”• Applications that allow for anywhere, anytime
learning• Content Management Systems• Online interactive tools• Online courses
SchoolDude University 2009
Poway Unified School District
What Worked…..
• Multiple Communications Systems
– Auto dialers
– Webpage
– Content systems
SchoolDude University 2009
Platte Canyon School District, CO
• Mountain Community – 45 minutes from Denver
• Approx 1300 students• Platte Canyon High School - 480
students• Preparations in place after Columbine
shootings• Lone intruder shot student
SchoolDude University 2009
Platte Canyon School District
• Communications and coordination with police was key
• Separate communication channels• Cameras• Constant testing
and update
SchoolDude University 2009
“It’s not the plan that’s important—it’s the planning.”
Graeme Edwards
SchoolDude University 2009
What are You Doing?
• Tips to share with colleagues
• What will you do now?
SchoolDude University 2009
Consortium for School Networking
www.cosn.org
www.cosn.org/itcrisisprep
SchoolDude University 2009
Thank you Sponsors
SchoolDude University 2009
Linda Sharp
CoSN Project Director
IT Crisis Preparedness
Hope is Not a Strategy!