Business Continuity Planning

In 5 Months or Less (Talk about a Deadline)

Session Agenda

• Business Continuity Planning Process– Prince George’s Community College

• Business Continuity Plan Testing Process– University of Rochester

• Q&A

BCP Agenda

• The Origins of Planning Effort

• Who Plans ?

• Planning Process

• Business Impact Analysis

• Recommendations

• Selling the Plan

Introduction

• Name

• Profession

• Job Roles

• Involvement in Compliance

• Favorite Technology

• Favorite Tool

• Hobbies

Introductions

• Ajay Gupta, CISSP

Director of IT Security Services

Prince George’s Community College

President and CEO

Gsecurity, Inc

Alphabet Soup

• BCP– Primary Systems to Secondary Systems

• DRP– Secondary Systems to Primary Systems

• COOP– Term used most widely in the Government

Best Laid Plans

• Planning for Bad Times– Inconvenient– Inefficient– Costly– Will not Serve all Needs/Users

• We do the Best we Can

The Origins

• BCP included in long term College goals– Early in current President’s term

• Slowly rose up the agenda– 9/11– Proximity to Washington, DC

• ERP– Significant change to College IT and Business

Processes

• Retirement‘What – you don’t have a plan, yet!?!’

The Planning Team

• The Most Critical Step– Qualified People to do the Work– Public Relations – Selling the Plan

• Team must be College Wide – Assigned by highest governing body– Represent all areas – especially the other

governing bodies

• Get College-Wide Support

College Reporting Structure

Board of Trustees

President

VP for StudentServices

VP for Finance &Administration

VP for InstructionVP for Continuing

Education

VP forTechnology

Services

ExecutiveAssistance to the

President

AdministratorsFaculty

Staff

AdministratorsStaff

Adjuncts

AdministratorsStaff

AdministratorsStaff

AdministratorsStaff

AdministratorsStaff

Faculty

College Governance Structure

Board of Trustees

President

Faculty SenateAdministrativeOrganization Staff

Organization

Chair’s Council

Dean’s Council

College-WideForum

President’sCouncil

FacultyFaculty

Administrators

FacultyAdministrators

Staff

College-Wide Involvement

• Support from President / Board– Give Charge

• Involve President’s Council– Appoint all Members

• Senior Representatives of College Organizations

Criteria for Involvement

• Understand College-Wide Processes– Goals, Mission, Vision– Academic Programs– Community Relations– Budget Constraints– Have the Time!!!

The Committee

• Campus Police (1)• Facilities Management (1)• Finance (1)• Media Relations (1)• Faculty (2)• Technology/Data Center (4)• Money $$$ Groups (2)• Health Center• Students

Planning Process

• Understand the Risks– Why is a plan necessary ?– Consequences to not having a plan ? – Resist the “Snow Day” Temptation

• Review Past Disasters/Incidents– At your institution– Neighboring institutions– Hurricane Katrina ?

• Business Impact Analysis

Business Impact Analysis

• Identify the College’s Resources• Identify the Individual Business Units• Identify the Functions of each Unit

– What does the Business Unit Do• Does it Map to our Mission

– How does the Business Unit Do It • Resources

• Create a mapping between Functions and Resources

College Business Groups

• Library• Student Services• Instructional Services (Academic Departments)• Finance and Administration

– Human Resources– Institutional Research

• Alumni Development• Continuing Education • Distance Learning• College-Wide

PGCC Business Functions

• Teach Classes

• Payroll

• Community Outreach

PGCC Primary Resources

• Personnel

• Campuses / Building / Labs

• Data Center

• Mainframe

• Internet / Network

• Telephone System

• E-mail

PGCC Secondary Resources

• Laserfiche – Document Scanning

• Ad Hoc Databases– Donor Perfect

Ranking the Resources

• Knock-Down Drag Out Fight ?

• Not so in our Case Given Shared Dependence on Resources – Mainframe (home grown)– Data Center

• On to Creating Recommendations

Recommendations: Process

• Question for Planning Task Force: What do we do if we lose a Single Resource

• Develop Contingency Plan– Around the Table Discussion– Take Notes– Write up Plan– Distribute– Review, Revise

Recommendations: Research

• With Draft Contingency Plan in Hand• How much will it Cost

– Acquisition– Manpower

• Existing Staff• Temporary Staff

– Can we do without it?• How Quickly can the Plan be put in Place

– Take Action Now– Defer to FY08, beyond

• Where are the Holes

Continuing Classes

• Move all Courses to Blackboard• Protects against loss of campuses,

buildings, Data Center, faculty• Costs:

– Additional Blackboard Licensing Fees (take action now)

– Additional Storage Requirement (take action now)

– Additional Faculty Training (recommend for near term, not mandated)

Continuing Classes (2)

• Holes:– Hands-On Courses– Shop Classes– Vocational Courses– Faculty Readiness– Student Readiness

• Retake Class

• Refunds

Internet Connectivity

• Redundant Connection to Internet– Multiple Carriers– Single Carrier with Two+ Networks

• Costs:– May have additional connectivity fees– May be able to leverage local, regional networks

• Holes:– Downstream Considerations– We may have two carriers, but if both carriers run

through the same connection point….

Preserving Ad Hoc Databases

• Databases Maintained by Offices – Off of the Mainframe

• “Should” be Addressed by Conversion to ERP

• Burn all data to CD/DVDs on regular basis

• Holes:– May not Provide Service– Users may not Self Report

Recommendations

• Personnel: – Cross Train

• Part-Time Work Force

– Expand Remote Access

• Campuses/Buildings– Assign Alternate Work Space– Expand Remote Access

• Data Center / Mainframe: – Improve Backup Power, HVAC – Keep in running

• Data Center Replaced in 5 years (Under Design)• Mainframe to be Obsolete in 3 years (ERP)

Recommendations (2)

• Network: – Improve Backup Power

• Telephone: – Cell Phones

• PBX to be replaced in 5 years or sooner

• E-mail: – Outsource E-mail (by Student E-mail

Provider)

Selling the Plan

• Right Team Members Involved– Pick the Team Members Best Suited to

Present to Each Specific Party• Member of Chair’s Council to Present to Chair’s

council• Member of Faculty Senate to Present to Faculty

Senate

Single Voice – Different Message

• Different Message to Different Parties– This is what we have to do to keep the

institution running– This is what we have to do to keep classes

going– This is what we have to do to maintain payroll

Sell Slow

• Received Input from all Parties– Make it seem as if they came up with the

ideas

• Areas of Disagreement:– “That’s something we’ll have to iron out during

testing.”

Thank You

Ajay Gupta, CISSP301-785-4581

agupta@pgcc.edu agupta@gsecurity.com