PRODUCTIVITY
Loss of productivity: employees impacted, burdened hourly rate
REPUTATION
Customers, suppliers, financial markets, banks, business partners, etc.
FINANCIAL PERFORMANCE
Lost market share, revenue recognition, cash flow, lost discounts, payment guarantees, stock price, credit rating
OTHER EXPENSES
Temporary employees, equipment rental, overtime, extra shipping costs, travel expenses
Steering Committee
Who
Senior personnel from all key entities with a stake in the ongoing program. Have the authority to make decisions, implement new policies, and commit resources to support and implement the projects/program.
Provides strategic direction and decision making. Approves annual program objectives and ensures appropriate commitment of resources to the program.
Charter
Benefit
Builds consensus and unity of effort. Enforcement of project/program policies, procedures, and guidance.
Who
Core dedicated staff with industry/government and business continuity expertise. Business Continuity Program project management; lifecycle Continuity Program oversight and management. Dedicated expertise and focus; continuity of planning and operations.
Charter
Benefit
Continuity Planning
Who
All departments/entities of the corporation/government. The ongoing design, procurement, and use of robust systems, facilities, staffing models, and equipment to mitigate the risk of outages, or the impact of outages. More robust processes, systems, facilities; less downtime.
Benefit
Who
All business and support units/entities. Identify/validate department/entity critical business and support functions; determine Information Technology and connectivity requirements to support critical business/support functions; determine the Recovery Time Objectives (RTO) for critical functions; establish a Minimum Acceptable Recovery Configuration (MARC) for business and support units/entities.
Charter
Benefit
The strategic and detailed planning for the timely restoration of information technology, network and
The strategic and detailed planning for the timely restoration of vital business/ support functions following a disaster.
Who
Charter
Benefits
Rapid, coordinated identification and response to incidents in an effort to prevent the incidents from becoming disasters. Protection of: life; corporate image, prestige, revenue, market share. Mitigation of incident-generated legal and regulatory risks.
Server Group
Tape Group
Network Group
What
Crisis Management Plan; Business Resumption Plans; Disaster Recovery Plans. Scorecarding: evaluate plan content for structure, scope, and breadth of information in preparation for testing of the plan for recovery operations. Testing: evaluation of plan content for effectiveness/adequacy in recovery operations. Quality control of plans; training of personnel; confidence.
Charter
Benefits
Certification Program
What
Charter
Benefits
Maintain: Testing Metrics/Program; Maintenance Program; Change Management Program; Audit; Certification Program
CPO
Develop & Implement an Enterprise Recovery Management Process
Develop IT Disaster Recovery Plans; Business Resumption Plans; Testing and Certification Program
PLANNING PROCESSES: Plan development; policies, procedures, guidance; communications planning; QC planning; risk management plan; contract/project change management planning; deliverable acceptance criteria
Controlling
CONTROLLING PROCESSES: Quality, scope, change, risk, schedule, performance control; analysis and reporting
EXECUTION PROCESSES: Information coordination and distribution; risk response; risk estimation; resource management; issue resolution
CLOSING PROCESSES
CPO
Initial and Ongoing Critical Vendor Qualification and SLA/ Contract Review
Steering Committee
Contractor Database
PROGRAM PP&Gs: Methodology; plan development templates; change control; communications management; crisis management; plan scorecards and certification; vendor qualification, SLAs; recovery strategies; risk management; testing and metrics; software
PROJECT PP&Gs: Project initiation; project planning; execution and control; closure
Provides
Incorporates Best Practices Updates Templates Evaluates Project Results Maintains Knowledge Library
Knowledge Library
Executive Sponsor
Secure funding and resources. Make Go/No-Go decisions. Link to Executive Steering Committee. Provide strategic guidance to CPO.
CPO Lead
CPO Staff
Establishing a CPO
Define goals and objectives of the CPO. Codify the charter of the CPO. Write a vision and mission statement for the CPO. Document the purpose of the initiative and what value is to be created. Determine how return-on-investment will be measured. Determine what other metrics and measurements should be used (e.g., quality, customer satisfaction, productivity).
Establishing a CPO
Define how the CPO will be organized and staffed. Determine what rules the CPO will follow, and how it will interface with corporate departments and subordinate headquarters. Codify a CPO charter.
Establish policies, procedures, and guidance on how changes, issues and other events that will impact CPO projects and program will be recorded, tracked and resolved.
Establishing a CPO
Establish how information, status updates and decisions will be communicated. Determine how and by whom key decisions will be made.
Identify risks to program success. Determine how risks will be mitigated. Establish how additional risks that may arise later will be identified and mitigated.
Establishing a CPO
Identify support requirements for each CPO project, and lifecycle functions assigned to the CPO. Identify standard methods and procedures for project and program execution, reporting and management. Develop a process for the creation of additional standards as the need arises. Decide if the CPO should create a Disaster Recovery/Business Resumption Center of Excellence for critical technical knowledge that will be shared by multiple projects.
Establishing a CPO
How will programs and projects that have interrelationships and dependencies be identified and integrated? How well does the portfolio of programs and projects assigned to the CPO support the business goals and objectives of the corporation?
The realization of a single point of failure, with one data center for both the central academic and administrative IT environments, prompted NC State University to implement a disaster recovery strategy for communications and critical applications residing on the mainframe and open systems computing environment.
History/Timeline
Years: 1997, 1999, 2001, 2002, 2004, 2005
Milestones: Initiated with the administrative environment; mainframe environment recovery test; Y2K - Business Continuity concept; acquired central repository software (LDRPS); scheduled annual mainframe recovery test; included communications & academic environment; expanded to include Enterprise Business Continuity/Disaster Recovery Planning; successful DR test of ERP systems; co-processing of production services began in Data Center II
Implementation Steps
Gain sponsorship; establish steering committees; develop university policy/regulation; create DR structure/establish staffing; market program; establish central repository; review & test plans regularly
Gain Sponsorship
Present your business case. Identify the roles involved. Provide an executive summary of the BC/DR program. Present the statement of work and project plan.
Vice Chancellor/Vice Provost level; representatives from critical areas of the campus; ex officio members from IT areas
Mission of IT Steering Committee Provide guidance and oversight for the combined academic and administrative Disaster Recovery Plan.
Policy/Regulations/Rule
Space/Facilities; Teaching and Academic Programs; Academic IT; Administrative IT; Environmental Health and Public Safety; Business Administration; Research Programs; Student Affairs; Extension and Engagement
Resource Projections
Director of Business Continuity (plus 1 Business Analyst); Admin IT DR Coordinator (plus 1 Business Analyst); Academic DR Coordinator (part-time)
Add BC/DR responsibilities to the work plan of existing staff. Identify coordinators for each business unit.
Marketing
Present at campus departmental meetings; create a website; utilize listservs; campus newspaper; network with peer institutions; remain abreast of industry standards; attend conferences, workshops and seminars
Continuous Implementation
Accomplishments
Disaster Recovery and Business Continuity Plan; risk assessments for critical business units; successful mainframe recovery tests; designed and implemented infrastructure for the central computing environment (academic & administrative) in a secondary data center; implementation of recovery strategies in the secondary data center; creation of the Administrative IT Disaster Recovery Unit
[Diagrams: Data Center I / Data Center II configuration (A/B production, batch servers, web servers, application servers, DB servers, Storage Area Network) and the services hosted in each data center: Novell Directory Services / Novell, Email/Calendar, Anti-SPAM, Citrix, backup/vaulting, hosted systems, Active Directory / Windows, infrastructure, database server, web server, ERP application, mainframe server, ERP web, ERP DB server, ERP batch]
Administrative IT Disaster Recovery Unit Mission Ensure minimal risk of major disruptions to critical University systems and processes in the event that all or part of its computer operations are rendered inoperable.
Risk Management
Risk Mitigation
Risk Assessment
Prioritize actions; evaluate recommended control options; conduct cost-benefit analysis; select controls; assign responsibility; develop safeguard implementation plan; implement selected controls
System characterization; threat identification; vulnerability identification; control analysis; likelihood determination; impact analysis; risk determination; control recommendations; results documentation
NIST SP 800-30
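The two lists above are the risk mitigation and risk assessment steps of NIST SP 800-30. The following is an added example, not part of the original presentation or of the university's program, that carries those steps through in code: it rates each risk with the qualitative likelihood and impact scales from the original SP 800-30 (assumption: the 1.0/0.5/0.1 and 100/50/10 values and the High/Medium/Low thresholds are taken from that document's illustrative tables), prioritizes the register, and then selects controls by cost-benefit within a budget. The register entries, the control names, owners and costs are all constructed for illustration.

```python
"""Risk determination and cost-benefit control selection in the style of NIST SP 800-30.

Added example. All risks, controls, owners and costs below are constructed;
the rating scales follow the illustrative tables of the original SP 800-30.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Qualitative scales (assumption: SP 800-30 illustrative values; organisations tune them).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
LEVELS = ["Low", "Medium", "High"]   # ordering used when a control lowers a rating


@dataclass
class Control:
    name: str
    owner: str                          # assigned responsibility
    cost: float                         # constructed annual cost of the safeguard
    residual_likelihood: Optional[str] = None   # rating after the control, None = unchanged
    residual_impact: Optional[str] = None


@dataclass
class Risk:
    system: str          # step 1: system characterization
    threat: str          # step 2: threat identification
    vulnerability: str   # step 3: vulnerability identification
    likelihood: str      # step 5: likelihood determination
    impact: str          # step 6: impact analysis
    controls: List[Control] = field(default_factory=list)   # step 8: recommended controls


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk determination as likelihood x impact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """SP 800-30 risk-level matrix: High >50, Medium >10 to 50, Low 1 to 10."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Mitigation step 1: order the register by risk score, highest first."""
    return sorted(register, key=lambda r: risk_score(r.likelihood, r.impact), reverse=True)


def lower(current: str, new: Optional[str]) -> str:
    """The lesser of two ratings; a control never raises a rating."""
    if new is None:
        return current
    return current if LEVELS.index(current) <= LEVELS.index(new) else new


def select_controls(risk: Risk, budget: float):
    """Mitigation steps 2-5: evaluate options, cost-benefit, select, assign owner.

    Greedy: repeatedly take the affordable control with the largest score
    reduction per unit cost, until the residual risk level is Low, the
    budget is spent, or no remaining control reduces the score.
    Returns (chosen controls, residual score)."""
    lik, imp = risk.likelihood, risk.impact
    remaining, chosen, options = budget, [], list(risk.controls)
    while risk_level(risk_score(lik, imp)) != "Low" and options:
        current = risk_score(lik, imp)

        def gain_per_cost(c: Control) -> float:
            after = risk_score(lower(lik, c.residual_likelihood), lower(imp, c.residual_impact))
            return (current - after) / c.cost

        affordable = [c for c in options if c.cost <= remaining]
        if not affordable:
            break
        best = max(affordable, key=gain_per_cost)
        if gain_per_cost(best) <= 0:
            break
        lik, imp = lower(lik, best.residual_likelihood), lower(imp, best.residual_impact)
        remaining -= best.cost
        chosen.append(best)
        options.remove(best)
    return chosen, risk_score(lik, imp)


def safeguard_plan(register: List[Risk], budget_per_risk: float) -> List[dict]:
    """Mitigation step 6: the safeguard implementation plan, one row per risk."""
    plan = []
    for r in prioritize(register):
        chosen, residual = select_controls(r, budget_per_risk)
        plan.append({"system": r.system,
                     "level": risk_level(risk_score(r.likelihood, r.impact)),
                     "controls": [(c.name, c.owner) for c in chosen],
                     "residual_level": risk_level(residual)})
    return plan


# Constructed register; the single-data-center risk mirrors the case described above.
DATA_CENTER_RISK = Risk(
    "Central data center", "Fire or flood", "One data center hosts all central IT",
    "Medium", "High",
    [Control("Secondary data center (co-processing)", "Admin IT DR Coordinator", 400_000, residual_impact="Low"),
     Control("Off-site tape vaulting", "ITD - Computer Operations", 30_000, residual_impact="Medium"),
     Control("Fire suppression upgrade", "Facilities - Operations", 50_000, residual_likelihood="Low")])
REGISTER = [
    Risk("Campus web server", "Malware", "Unpatched service", "Low", "Low"),
    DATA_CENTER_RISK,
    Risk("Mainframe ERP", "Disk failure", "No tested restore", "High", "Medium",
         [Control("Annual mainframe recovery test", "ITD - Computer Operations", 20_000, residual_likelihood="Low")]),
]

if __name__ == "__main__":
    for row in safeguard_plan(REGISTER, 500_000):
        print(row)
```

With a 500,000 budget the greedy selection takes vaulting and fire suppression (80,000 combined) and reaches a Low residual without the 400,000 secondary data center; with a 40,000 budget only vaulting fits and the risk stays Medium, which is the kind of result the cost-benefit step is meant to surface for the steering committee.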
Process Mapping
Infrastructure
Total DR through distributed high availability; client recovery solutions; application restoration; establish collaborative partnerships with other universities
Application Restoration
Collaborative Partnerships
Vaulting
Advancement Services All Campus Network Budget Office College of Agriculture and Life Sciences - Personnel Office ComTech - Data Networking ComTech - Telecommunications Contracts and Grants Controller's Office Enterprise Application and Database Services EH&S - Business Continuity EH&S - Campus Police EH&S - Emergency Response EH&S - Environmental Affairs EH&S - Health and Safety EH&S - Industrial Hygiene EH&S - Insurance and Risk Management EH&S - Radiation Safety EH&S - Transportation EH&S - Waste Management Enrollment Management - Admissions Enrollment Management - Office of Scholarships & Financial Aid Enrollment Management - Registration and Records
Enterprise Technology Services and Support Facilities - Construction Management Facilities - Design and Construction Services Facilities - Operations Facilities - University Architect
Fire Protection Foundations Accounting & Investments HR - Benefits HR - Employment & Compensation HR - Human Resource Information Management HR - Payroll ITD - Business Services ITD - Computer Operations ITD - Computer Services ITD - Systems Libraries - Administration Materials Management - Materials Support Materials Management - Purchasing Materials Management - University Graphics Real Estate Student Health Services University Cashier's Office University Dining University Housing
Communication
Call trees; mobile devices; website; Incident Command System; call center; incident report plan
IT Disaster Categorization
Category 1: A single person or group in a Critical Business Unit (CBU) is unable to perform their critical functions
Category 2: An entire CBU is unable to perform its critical functions
Category 3: Multiple CBUs are unable to perform their critical functions
Category 4: Non-CBUs are not able to perform their critical functions
Category 5: A widespread event that impacts the entire University
Goals
Total DR through distributed high availability; standardized emergency communications; immediate client recovery solutions; improved RTO
Deficiencies in this area could significantly impact financial reporting and disclosure of an entity.
For instance, the inability to recover from a disaster after year-end could prevent the organization from producing financial reports that are supported with source documentation and details of the transactions that make up financial reporting balances.
IT management, in cooperation with business process owners, has established a business continuity framework that defines the roles, responsibilities, risk-based approach/methodology to be adopted, and the
[Table residue: COSO component per control objective; the objectives map to Control Activities, with one mapped to Monitoring]
IS Auditing Guideline
1.4 Purpose of the Guideline
1.4.1 The primary objective of BCP is to protect the organization in the event that all or part of its operations and/or information systems services are rendered unusable and aid the organization to recover from the effect of such events.
1.4.2 The purpose of this guideline is to describe the recommended practices in
IS Auditing Guideline
1.4.3 The purpose of a BCP review is to identify, document, test and evaluate the controls and the associated risks relating to the process of BCP as implemented in an organization to achieve relevant control objectives.
1.4.4 These control objectives can be primary, directly related to BCP, and secondary, indirectly related to BCP.
IS Auditing Guideline
1.4.5 This guideline provides guidance in applying IS auditing standard 060 (Performance of Audit Work) to obtain sufficient, reliable, relevant and useful evidence during review of the business continuity plan. The IS auditor should consider it in determining how to achieve implementation of the above standard, use professional judgment in its application and be prepared to justify any departure.
IS Auditing Guideline
1.5 Guideline Application
1.5.1 This guideline is applied when conducting a review of BCP from an IT perspective in an organization.
1.5.2 When applying this guideline, the IS auditor should consider its guidance in relation
IS Auditing Guideline
2.1.4 Disaster Recovery Plan (DRP), a key component of BCP, refers to the technological aspect of BCP: the advance planning and preparations necessary to minimize loss and ensure continuity of critical business functions in the event of a disaster. DRP comprises consistent actions to be undertaken prior to, during and subsequent to a disaster.
IS Auditing Guideline
2.1.5 A sound DRP should be built from a comprehensive planning process, involving all of the enterprise. In today's interconnected economy, organizations are more vulnerable than ever to the possibility of technical difficulties disrupting business. Any disaster, from floods or fire to viruses and cyber terrorism, can affect the availability, integrity and confidentiality
BCM Model
Process: change management; plans/procedures; education; testing; risk reduction; standby facilities
Project
Testing/Review
Ongoing Process
Create planning organization; recovery strategy; business impact analysis; risk analysis
Policy
Organization
Resources
Scope
[Diagram: BUSINESS RECOVERY PLAN, RECOVERY CAPABILITY and CONTINUITY, with elements: process identification; recovery location(s); switchable telecomm. network(s); data/records backup & off-site storage; budget & policies; recovery strategies]
BC Phases
The process is generally initiated by issuing a continuity planning policy statement that:
Establishes and documents the basic planning requirements, standards, and guidelines that responsible offices will apply in developing, implementing, and executing their respective continuity plans.
Outlines the organizational framework for continuity planning and execution.
Determines the scope (services, functions and resources subject to the continuity planning requirement).
Defines continuity planning objectives.
Policy objectives ensure that continuity plans focus on achieving essential mission requirements. Objectives establish the criteria for assessing and determining critical business functions.