A Business Continuity Planning Toolkit
Security 2008 – EDUCAUSE & Internet2 Security Professionals Conference
Robert J. Block (B.J.), IT Security Analyst, University of Rochester
Beth Buse, Deputy Director of Internal Auditing, Minnesota State Colleges and Universities
Leslie Maltz, Deputy VP for IT Planning & Standards (retired), Columbia University
Copyright Leslie Maltz, Beth Buse, Robert Block, 2008
This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.
What would your college or university do if…
A fire destroyed your administration building?
A tornado destroyed a residence hall?
A water pipe burst and flooded your data center?
Half of your faculty and staff called in sick?
A bomb exploded in a classroom?
Terminology and Definitions
All Hazards Planning – an integrated planning approach to all domestic terrorist attacks, major disasters, and other emergencies.
Business Continuity Planning (also referred to as Continuity of Operations Planning and Service Continuation Planning) – process for determining an institution's ability to maintain or restore its business and academic services when some circumstance disrupts normal operations.
Disaster Recovery Plan – refers to the technological portions of the business continuity plan. This plan contains the details to ensure systems and communications are restored within a predetermined timeframe.
Business Impact Analysis – a management level analysis, which identifies the impacts of losing resources. This analysis measures the effect of resource loss and escalating losses over time, in order to provide senior management with reliable data upon which to base decisions on risk mitigation and continuity planning.
Pandemic Planning – preparation in the event that the Avian Flu virus reaches pandemic stage.
Emergency Response Plan – this plan includes details for responding to sudden states of danger that require immediate action.
Importance of Preparing
Planning provides for backup
• If primary staff unavailable – who will do the work?
• If primary system is gone – how do we operate?
• If a specific building cannot be occupied – where do we go?
Planning creates routines
• Routines create repetition and normalcy
• Normalcy generates calm instead of panic
Homeland Security Presidential Directives
HSPD-5 Subject: Management of Domestic Incidents
• Established the National Incident Management System (NIMS) and National Response Plan (NRP)
HSPD-8 Subject: National Preparedness
• Added definition to the National Response Plan (NRP) and established the term "all-hazards preparedness".
Homeland Security Vision Statement for Higher Education
“That all schools and universities are prepared to mitigate/prevent, respond to, and recover from all hazards, natural or man-made by having a comprehensive, all-hazards plan based on the key principles of emergency management to enhance school safety, to minimize disruption, and to ensure continuity of the learning environment.”
U.S. Department of Education Sector Specific Plan
MnSCU - All Hazards Plan
MnSCU Board Policy 1A.10 Long Term Emergency Management
“Each college, and university and the Office of the Chancellor shall develop and maintain an All Hazards Plan that provides guidelines in the event of long term emergency. The plan shall be developed in accordance with guidelines developed and administered by the Office of the Chancellor in accordance with state and federal directions. The All Hazards Plan will include sections that address crisis intervention, continuity of operations, and emergency preparedness.”
Minnesota State Colleges and Universities
All Hazards Planning Architecture
Emergency Preparedness
Continuity of Operations
Crisis Intervention
Minnesota State Colleges and Universities All Hazards Plan
Minnesota State Colleges and Universities
All Hazards Planning Architecture
Continuity of Operations
Facilities Functions
Academic Functions
Essential Services
Communications Functions
Operations Functions
Pandemic Event
Wind Event
Healthcare/Student Services Functions
Fire Event
IT Services Event
Special functions: Library and Information Services, Public Safety, IT System Support, Athletics, Other
Water Event
Utilities Loss Event
Plan Elements
Where to Start?
EDUCAUSE - Business Continuity Planning Toolkit: https://wiki.internet2.edu/confluence/display/secguide/Business+Continuity+Planning+Toolkit
Provides a resource of guides, examples and templates
Need to have executive level buy-in to succeed.
Ideal: have dedicated resources
Need to have a cross-functional team.
Business Impact Analysis
If one of the aforementioned disasters were to occur, how would you know where to focus your recovery efforts first?
Business Impact Analysis
Definition: A management level analysis, which identifies the impacts of losing resources. This analysis measures the effect of resource loss and escalating losses over time, in order to provide senior management with reliable data upon which to base decisions on risk mitigation and continuity planning.
Goals of the Business Impact Analysis
• To establish the value of each organizational unit or resource as they relate to the function of the total organization
• To provide the basis for identifying the critical resources required to develop a business recovery strategy
• To establish an order or priority to restoring the function of the organization in the event of a disastrous event
Considerations
Enterprise (or University) wide
Goes beyond IT
Need to have executive level buy-in
Need to have a cross-functional team
Willing to make tough decisions
A time consuming effort
Terminology
MTTR – Mean Time to Recover
MTBF – Mean Time Before Failure
Criticality Level
Tangible Impact
Intangible Impact
RPO – Recovery Point Objective
RTO – Recovery Time Objective
Business Impact Analysis
Phases
• Project Planning
• Data Collection
• Data Analysis
• Reporting Findings
• Approval for Next Phase
Business Impact Analysis – Project Planning
Identify Objectives
• Criticality of business functions
• Critical dependencies
• Impact of disruptions
• Critical resources
Scope
• Departmental
• Facility
• Complex
• Region
• Organization
Business Impact Analysis – Data Collection
How to collect information from the community
• Questionnaire
• Interview
• Hybrid
Business Impact Analysis – Data Collection
Questionnaire Approach
• Design questionnaire
• Develop data analysis process
• Develop instructions
• Cover Letter
• Formal presentation
• Questionnaire distribution
• Questionnaire collection
Interview Approach
• Develop interview guide
• Train interviewers
• Formal Presentation
• Schedule interview
• Conduct interview
• Validate
Business Impact Analysis – Data Collection
Topics to address
• Mission
• Service Objectives
• Dependencies
• Impacts over time
• Critical time periods
• Financial impact
• Operational impact
• Legal, regulatory, contractual requirements
Business Impact Analysis – Data Collection
Additional items to reference
• Mission Statements
• Service Objectives
• Service Level Agreements
• Organizational Charts
• Policies and Procedures
Business Impact Analysis – Data Analysis
Quantitative Impact
• Losses identified in quantities or percentages that can be described in monetary terms
Qualitative Impact
• Intangible losses that can impact operationally but that cannot be quantified in monetary terms
Business Impact Analysis – Data Analysis
List of business functions ordered by restoration time
Consolidation
• Simplify the process
• Create priority levels
Project lead confirms with management
Business Impact Analysis – Report Findings
Confirm findings with end users and functional departments
Present formal findings to executive management
Business Impact Analysis – Approval for Next Phase
Just when you thought it was done…
Begin moving on to the next phase
Business Impact Analysis – Resources
EDUCAUSE website (https://wiki.internet2.edu/confluence/display/secguide/Business+Continuity+Planning+Toolkit)
Disaster Recovery Journal website (http://www.drj.com)
Disaster Recovery – No Longer an Optional Activity
Why Have a Disaster Recovery Plan?
Natural and Man-Made emergencies cannot be prevented
Preparedness means quick response
Part of an All Hazards response effort
Tough to function during an emergency
“It will never happen here” is NOT TRUE
BUY-IN
Clear mandate (Senior Executives)
Facilities
Staffing (DR and Business Unit staff)
Coordination during emergencies
Authority to take actions
Funding
Testing
Not Just for Central IT Units
Business Units must identify and prioritize key resources and define acceptable risks
This is NOT just a technology issue
Critical Resources
Prioritization
Dependencies/Relationships
Alternate resources
Command Centers
Coordination/Management of Response
Funding
Disaster Recovery Plan
Gives a blueprint for reestablishing critical business processes under extraordinary conditions
Disaster Recovery Planning is NOT a One Time Activity
You Must Have Frequent:
Updates
Drills
Training
Reviews
Identify Applications
Determine Criticality
Resources Needed
Priorities and Dependencies
Identify Applications
Have Business Units Review and Revise Priorities
Contact Information
Identify (and keep current) staff contacts and all means for communication:
• Office
• Home
• Mobile
• Email addresses
Compile all Required Documentation
Operational Documentation
Emergency Recovery Action Templates (ERAT)
Contact Info
Command Center Inventory Checklist
Command Centers
Identify Locations
Establish and stock resources
Inventory Checklists
Schedule for inventory assessment
Duty Managers aka Team Leaders
Schedule and Coverage
Train
Assess Command Center Inventory
Substitution Procedure
Drills and Testing
Table top exercises
Real tests and emergencies
Evaluate the response, procedures, and staff
Repeat!
Forms and Templates
ERAT
• Emergency Application Template
Log and Post Mortem Forms
• For use during and after emergencies and drills
Contact Information
• Office, home, mobile phones
Team Leader Training
Team Leader Responsibilities
Command Center Inventory Checklist
Business Continuity Planning Toolkit
Questions