TEL382 Wallace Chapter 2

Post on 22-Dec-2015


TEL382

Wallace Chapter 2


11/3/09

Outline

• Introduction

• Building a Risk Analysis

• Scope of Risk

• The Five Layers of Risk

• Layer 1: External Risks

• Layer 2: Facility-Wide Risk

• Layer 3: Data Systems Risk

• Layer 4: Departmental Risks

• Layer 5: Your Desk’s Risk

• Severity of a Risk

• Who Can You Call for Risk Assessment Information?

• Making the Assessment


Introduction

• Heart of BCP is thorough analysis of events from which you may need to recover

• Risk: potential of a disaster occurring

• Disaster: any event that disrupts a critical business function

• Business Interruption: something that disrupts the normal flow of business operations


Building a Risk Analysis

• Risk Analysis: process of identifying probable threats to a business

• Risk Assessment (Business Impact Analysis): compares risk analysis to controls in place today

• Recommended Approach
  – Assemble BCP Team and Perform Layers 1, 2, and 3 Together

• Statement of “Essential” Business Functions
  – Manufacturing, Sales, Payroll, etc.
  – Examples: Factory, Call Center, Public Utility


Scope of Risk

• Determined by Potential Damage, Cost of Downtime, Cost of Lost Opportunity

• Cost of Downtime Includes:
  – Tangible: Lost Productivity, Lost Revenue, Legal Costs, Late Fees/Penalties, etc.
  – Intangible: Damaged Reputation, Lost Opportunities, Employee Turnover, etc.


The Five Layers of Risk

• Layer 1: External Risks

• Layer 2: Facility-Wide Risk

• Layer 3: Data Systems Risk

• Layer 4: Departmental Risks

• Layer 5: Your Desk’s Risk


Layer 1: External Risks

• Over a Wide-Area, Affecting Facility and Surrounding Area

• Four Risk Categories:
  – Natural Disasters: Tornadoes, Earthquakes, Thunderstorms, Snow, Extreme Temps, Hurricanes, Floods, Fires, Landslides, etc.
  – Man-Made: Toxic Spills, Road/Bridge Outages, Railroads, Pipelines, Aviation, Harbors, Chemical Users, Dams, etc.
  – Civil: Riots, Labor Disputes, etc.
  – Suppliers: What are their risks?


Layer 2: Facility-Wide Risk

• Impacting Local Facility

• Five Basic Office Utilities:
  – Electricity
  – Telephones
  – Water
  – Climate Control
  – Data Network


Layer 3: Data Systems Risk

• Shared Resource Affecting Many Departments

• Identify Critical Processes

• Locate Single Points of Failure

• Beware “Grandfathered” Systems Running on Old HW/SW

• Data Systems

• Data Communications Network

• Telecommunications System

• Shared Computers and LANs


Layer 4: Departmental Risks

• Disasters Occurring Within a Department on a Daily Basis
  – Employee Absence, Lost Files, etc.

• Unusual Occurrences
  – Small Fire, Water, Hardware Failure, etc.

• Identify Key Operating Equipment

• Establish Inventory of Vital Records


Layer 5: Your Desk’s Risk

• Examine Every Process, Tool, Piece of Information, Required Output

• Most Items Already Covered In Another Layer


Severity of a Risk

• Time of Day

• Day of the Week

• Location of Risk


Who Can You Call for Risk Assessment Information?

• NOAA

• USGS

• FEMA

• Local Government Agencies

• Local Fire & Police Departments


Making the Assessment

• Use Risk Analysis Format Similar to What Is Done for IS Security Risk Analysis

• Sort to Identify Highest Value Disaster Risks


TEL382

Wallace Chapter 3


Outline

• Introduction

• Access To People

• Access to the Facility

• Service Contracts

• Vendor List

• Walk-Around Asset Inventory

• Software Asset List

• Critical Business Functions

• Restoration Priorities

• Toxic Material Storage

• Emergency Equipment List

• Trained First Responders


Introduction

• Until Primary Disaster Plan Comes Together Do 11 Steps Below to Provide Some Initial Protection
  – Access To People
  – Access to the Facility
  – Service Contracts
  – Vendor List
  – Walk-Around Asset Inventory
  – Software Asset List
  – Critical Business Functions
  – Restoration Priorities
  – Toxic Material Storage
  – Emergency Equipment List
  – Trained First Responders

• Put This Material Together in Books and Distribute


Access To People

• Organizational Charts With Responsibilities and Contact Information


Access to the Facility

• Keys to All Doors, Cabinets, Closets, etc.
  – Lists, Logs
  – Electronic Locks

• Passwords for Admin Accounts on Critical Systems
  – Protected in Sealed Envelope


Service Contracts

• Serial Numbers of Equipment

• Contact Information For Service Providers

• Contract Number and Expiration Date

• Service Contract Types
  – 24/7
  – 8 to 5
  – Time and Materials
  – Exchange

• Place Info Cards With Equipment


Vendor List

• List of Regular Vendors

• Contact Info

• Description of What We Usually Obtain From Them

• This Includes Public Utilities and Public Safety


Walk-Around Asset Inventory

• Critical Assets That May Be Needed In Contingency Operations
  – Manufacturer’s Name, Model Number, Serial Number, Warranty Expiration Date, Location, Service Stickers, Maintenance, Calibration Information, Connected To, Feeds Into, etc.

• Note if any Spares Available

• Also Note Location of Manuals, Procedures, Supplies, etc.


Software Asset List

• List of Software on Critical Devices
  – Normal Applications, Operating Systems and Settings, Custom Applications, Nonstandard Drivers, Version Numbers, Original Media Location, Backup Information


Critical Business Functions

• Identify Critical Functions and Why

• Try to Keep List to 10 or Less


Restoration Priorities

• Prioritized List of Functions/Capabilities/Equipment to be Restored if There are Limited Resources


Toxic Material Storage

• Identity, Quantity and Location of ANY Toxic Materials on Premises

• Guidelines for What to Do If Encountered


Emergency Equipment List

• Locations For Shutoffs, Special Cleanup Equipment and Materials

• Instructions for Operation, Use


Trained First Responders

• Create Contact List
  – Firefighters, EMTs, Critical Skills, Other Training

• Check Legalities with HR Department


TEL382

Wallace Chapter 4


Outline

• Introduction

• What is a Disaster Recovery Emergency Operations Center?

• Emergency Operations Center Primary Functions

• Preparing an Emergency Operations Center

• Staff Responsibilities

• When a Disaster Strikes


Introduction

• Emergency Operations Center’s Goal is to Return To Service from Whatever the Business Emergency Was

• Allows Company Management to Reestablish Organizational Leadership, Allocate Resources, and Focus on Emergency Containment and Recovery.

• Must be Preestablished, Presupplied, and Its Location Well-Known Before It is Needed

• Before a Disaster – 3:
  – Normal Emergency Center for Small or Short Disasters
  – Longer Duration for More Widespread Disasters
  – Backup Facility When Primary is Not Usable


What is a Disaster Recovery Emergency Operations Center?

• Physical Place Where All Communications for the Recovery Effort are Focused
  – Should be Located As Close to Problem Site as is Safe

• Outward Communications:
  – Company Executives, General Public, Suppliers, Customers

• Administrative Support:
  – Purchasing, Public Relations, Safety, Site Security

• 3 Essential Functions:
  – Command & Control
  – Operational Control
  – Recovery Planning


Emergency Operations Center Primary Functions

• 2 Parallel Teams:
  – Containment – Stop Spread of Damage
  – Recovery – Restore Basic Level of Business Service

• 3 Essential Functions
  – Command
  – Control
  – Communications


Preparing an Emergency Operations Center

• Electricity

• Emergency Lighting

• Sanitary Facilities

• Medical Kits

• Office Furniture and Supplies

• PCs, Printers, Data Network

• Telephones

• Copies of BCP

• Maps, Floor Plans


Staff Responsibilities

• Disaster Containment Manager
  – Declare That Disaster Exists
  – Coordinate with Emergency Services
  – Make Initial Damage Assessment
  – Select Emergency Operations Center
  – Activate Disaster Recovery Teams
  – Coordinates Supplies and Resources

• Facility Engineering Manager
  – Owns Floor Plans
  – Arranges for Skilled Labor for Repairs
  – Reestablishes Safety Alarms, Emergency Lights and Utilities

• Others:
  – Purchasing, PR, HR, Security, Safety, Sales, Facilities, etc.


When a Disaster Strikes

• 3 Initial Actions:
  – Protect Life
  – Contain Damage
  – Communicate


TEL382

Wallace Chapter 5


Outline

• Introduction

• Lay The Groundwork

• Departmental Plans

• Recovery Planning Considerations


Introduction

• Writing Steps:
  – Lay The Groundwork
  – Departmental Plans
  – Recovery Planning Considerations


Lay The Groundwork

• Use Consistent Format

• What Processes Need a Plan
  – Every Critical Business Function

• Who Will Execute

• How Obvious Is Problem

• How Much Warning

• How Long to Continue Until Help Arrives

• How Soon Must Processes be Restored

• Are There Any Manual Workarounds


Departmental Plans

• 3 Major Components:
  – Immediate Actions
  – Detailed Containment Actions
  – Recovery Actions

• Inputs:
  – Asset List
  – Critical Process Impact Matrix
  – Risk Assessment
  – Process Restoration Priority List


Recovery Planning Considerations

• Planning

• Continuity of Leadership

• Insurance

• Recovery Operations