PLANNING: Business Continuity and Disaster Recovery

INTRODUCTION
The September 2001 attack on the World Trade Center in New York City tested the contingency plans of American businesses to an unanticipated degree. Companies that had business continuity plans and contracts in place with vendors of recovery services were able to continue business at alternate sites with minimum downtime and minimum loss of data. Unfortunately, the massive loss of life and its dramatic impact on co-workers, business processes, and communities was not anticipated. As organizations throughout the world attempt to return to business as usual, they must not neglect the very necessary review and updating of their business continuity plans and contracts. In the aftermath of recent natural disasters, terrorism, and equipment breakdown, businesses have recognized more than ever the need for an organization to be prepared. Companies are striving to meet the demand for continuous service. With the growth of e-commerce and other factors driving system availability expectations toward 24x365, the average organizations requirement for recovery time from a major system outage now ranges between two and 24 hours. This requirement is pushed by the expectation an organization faces on all sides from its stakeholders. Business survival necessitates planning for every type of business disruptions. While such disruptions cannot be predicted, they can wreak havoc upon the business, with results ranging from insured to uninsurable capital losses. Other business disruptions, such as a hurricane, may give advance warning. Others, such as terrorism, flash floods, fire, etc., can strike without notice. This paper will explore several of the key components of a Business Continuity planning effort. It will also provide a high level framework for the creation, implementation, and maintenance of Business Continuity Plan.

WHAT

IS

BUSINESS CONTINUITY

PLANNING

(BCP)?

A Business Continuity Plan (BCP) is a document approved by management. It seeks to ensure that the company can continue operations business as usual in the event of a disaster. It is described as a long-term plan for emergency response, backup operations, and post-disaster recovery to ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation. At the most basic level, Business Continuity Planning (BCP) can be defined as an iterative process that is designed to identify mission critical business functions and enact policies, processes, plans and procedures to ensure the continuation of these functions in the event of an unforeseen event. The terms Disaster Recovery and Business Continuity are often used interchangeably. They are in fact, different but complementary components of businesss overall recovery and continuity planning. Whereas Disaster Recovery Planning is concerned with the recovery of systems and infrastructure components, Business Continuity Planning has a larger scope namely, the determination of which business components and functions need to be recovered and those which can be ignored. Krishna Kant Vyas | CRO 0249879 Page 1

Disaster Recovery Plan is a subset of Business Continuity Plan. It is the companys immediate response to a disruption and focuses on: Recovery in predetermined recovery times. Maintaining the operation of critical business functions. Identifying resource requirements necessary for recovery. Identifying alternative recovery strategies.

Business Continuity covers the following areas: 1. Business Resumption Planning (BRP): Operational aspect of BCP, i.e., to continue mission-critical functions at the production site through work-around until the application is restored. 2. Disaster Recovery Planning (DRP): Technical aspects of BCP, i.e., advance planning and preparation necessary to minimize losses and ensure continuity of critical business functions of the organization in the event of disaster. 3. Crisis management (CM): overall co-ordination of an organizations response to a crisis in an effective timely manner, with the goal of avoiding or minimizing damage to the organizations profitability, reputation or ability to operate.

WHAT IS

DISRUPTIVE EVENT?

A disruptive event is any act, occurrence, or incident that suspends normal operations. Disruptive events can be intentional or unintentional: 1. Natural disastersTornado, earthquake, hurricane, fire, landslide, flood, electrical storm, tidal wave. 2. System/technicalSystem reboots, erasing of data, system and equipment failure, virus, hacker. 3. Supply systemsUtility failures such as severed gas or water lines, communication line failures, electrical power outages (blackouts), energy shortage. 4. Human-made/politicalTerrorism, theft, disgruntled worker, arson, labour strike, sabotage, riots, vandalism, crime.

A PHASED APPROACH

TO

BCP

Several steps must be taken to design an effective BCP: 1. Project Management and Initiation: Obtain management support in developing the BCP. Perform a risk analysis to identify potential outages to critical systems. After approval is obtained from management, appoint a project planner and identify staff to participate in the development and execution of the plan. BCP team members should be from various parts of the organization and contain representatives from: a. Senior management, CFO b. Legal c. Business unit d. Application and systems support e. Data center f. Communications Krishna Kant Vyas | CRO 0249879 Page 2

g. Information security Develop a project plan similar to traditional project plan phases. 2. Business Impact Analysis: This analysis enables business continuity team to identify the critical systems, processes and functions and assess the economic impacts of various incidents. This important stage identifies the following: Potential threats, the impact of each threat, and its likelihood. Critical business processes and data systems. Maximum allowable downtime (MTD) a critical system can incur. Priorities for critical systems based on MTD. Internal and external customers to define which business processes are the most important to the organizations survival. Financial and operational considerationsdetermine the cost impact if a disruption would occur. Regulatory requirementswhat regulations must the company adhere to and how to sustain them in the event of a disaster. Organizational reputationhow is market share and the companys reputation impacted if a disaster would occur. 3. Recovery Strategies: The recovery phase of the BCP is one of the most important aspects of planning. Recovery strategies are predefined actions approved by management and executed in emergency situations. In this stage, a Disaster Recovery Plan (DRP) is developed. The key element of a recovery strategy is the recovery time of critical business systems in the event of a disaster. Recovery strategies are based on the maximum allowable downtime (MTD) determined in the Business Impact Analysis (BIA). The recovery process should focus on: Respond to the disaster. Recover critical functions. Recover noncritical functions. Salvage and repair hardware and software. Return to the primary site for operations.

The DRP includes various recovery strategies necessary to return the business to operation. Evaluate the cost of each recovery strategy and document that plan for contingent operations. Ensure vendor agreements are documented. Obtain management approval for chosen strategies: Business RecoveryIdentification of critical systems, data, equipment, materials, office space, and key business support personnel. Facility and Supply RecoveryFocus on main facility; remote sites; and equipment needed at these sites such as network, servers, telecommunication, and HVAC systems. Include technical documentation, paper, forms and other required supplies, and the transportation of equipment and staff. User Recovery Krishna Kant Vyas | CRO 0249879 Page 3

o Document procedures for employees to follow in emergency situations, viz., team responsibilities; manual processing techniques need to be performing most automated tasks; notification procedures & disaster policies. o Focus on personnel requirements, such as, vital records storage & accessibility from alternative site; employee transportation and desks, computers, and phones for users. Operational Recovery o Determine recovery: the configurations of computer equipment required for

Mainframes, servers, peripherals, LANs, switches, routers, and other data communication equipment o Determine alternative strategies for recovery locations based on MTD and acceptable costs. Businesses may opt to secure a facility equipped as follows: Cold sitemaintains the critical equipment and resources in duplicate form at some off-site location. In case of disaster, it provides necessary or critical services form this off-site location. Low-cost maintenance but does not provide 100% downtime elimination. Hot siteconsidered as most robust disaster recovery technique. It maintains all equipment and resources of a working data center, instead of critical equipment and resources as in case of Cold site. Warm siteThis technique is in between the cold site and hot site, i.e., better than cold siting but worse than hot site. Pre-equipped and partially prepared for operations. Reciprocal or mutual aid agreementsTwo or more organization might agree to provide backup facilities to each other for continuance of services in case of any disaster. While using such an arrangement the security administrator must ensure that a proper agreement is signed for protecting interest of organization. Software and Data RecoveryFocus is on the recovery of the data and software. There are various types of backup, such as: o Full Backup: All files are entirely backed-up during each backup process, due to this time and space consuming backup technique. This is simplest form of backup for restoring of data and only a single session of backup is required to restore the entire data. o Differential backup: In this backup, those files are backed up which have changed since last full backup. o Incremental Backup: In this backup, those files which have changed from last backup (whether full, differential or incremental). o Mirror Backup: It is exact copy of files, i.e., backup are stored in exact format, instead of in a Zip format (as in case of full backup). 4. Plan Design and Development: The BCP team prepares and documents a detailed plan for recovery of critical business systems. The combination of the various steps and actions in the design and development phase result in the deliverable of the BCP document. The plan

Krishna Kant Vyas | CRO 0249879

Page 4

includes both long-term and short-term goals such as recovery plans, employee training, plan maintenance, and testing procedures. Define the scope of the plan a. Identify critical sites, systems, and business processes. b. Set priorities for restoration. c. Define why the plan is important. Identify potential disasters that may impact the site and minimum resources needed to recover. Includes any assumptions that might impact the success of the plan and identify actions that might eliminate risks in advance Define the BCP strategyIf a disruptive event occurs, what steps are taken to restore critical business functions? Document the procedures to avoid confusion during a time of crisis: o Select recovery strategies. o Identify which vital personnel, systems, and equipment are needed to recover. o o Identify the teams roles and responsibilities. Document clear guidance on declaring a disaster: Who will declare a disaster? Which event is considered a disaster to our business? When/at which point/after how much time will a disaster be declared? Which method of communication will be used? What will be communicated? How will the information be cascaded to staff? How will communications to external groups shareholders, the media, the community, organizations, etc. be handled? such as customers, emergency services

Calculate funding required accomplishing the long and short-term goals identified. 5. Testing, Maintenance, Awareness, and Training: The final phase of BCP is testing and maintenance of the BCP, as well as staff training. How will you know that the BCP plan works? It is imperative that the plan made in the plan design and development phase is effective regardless of the disaster, and that it can be executed as designed. Training and awareness programs are required for key staff to ensure that they understand what to do in the event of a disaster. A. Testing Five types of BCP testing: ChecklistCopies of the plan are sent to different department managers and business unit managers for review. This is a simple test and should be used in conjunction with other tests.

Krishna Kant Vyas | CRO 0249879

Page 5

 Structured Walk-throughTeam members and other individuals responsible for recovery meet and walk through the plan step-by-step to identify errors or assumptions. Simulation-This is a simulation of an actual emergency. Members of the response team act in the same way as if there was a real emergency. ParallelThis is similar to simulation testing, but the primary site is uninterrupted and critical systems are run in parallel at the alternative and primary sites. Full interruptionThis test involves all facets of the company in a response to an emergency. It mimics a real disaster where all steps are performed to test the plan. Systems are shut down at the primary site and all individuals who would be involved in a real emergency, including internal and external organizations, participate in the test. This test is the most detailed, time-consuming, and expensive all of these. B. Plan Maintenance It is important to establish change management procedures to maintain and make changes to the plan. If changes are required due to testing, reclassification of systems from to critical or noncritical, locations, or personnel changes, a centralized command and control structure is effective for the maintenance of the plan. C. Awareness and Training Organizations should design and develop training programs to ensure each employee knows what to do in case of an emergency. Periodic awareness programs will allow the company to keep employees interested in the criticality of business continuity.

DISASTER RECOVERY PROCEDURAL PLAN

Disaster recovery is a complex and large process and it includes various plans such as: Emergency plan: specifies the actions to be undertaken immediately when a disaster occurs. Backup plan: A good backup plan helps in efficient recovery from disaster. This plan considered as supportive plan to the recovery plan. It specifies type of backup to be kept, frequency and procedures to be applied. Recovery plan : This part of DRP explains the steps to be taken to recover immediately from disaster. Recovery plans should identifyo o Recovery committee, its responsibilities. Guidelines on priorities, periodic review & practice.

Test plan: This plan outlines for identify deficiencies in the emergency, backup or recovery plans or in the preparedness of an organization and its personnel for facing a disaster.

All these plans details are documented under Disaster Recovery Procedural Plan/Document/Manual. The DRP Manual may include the following areas: Conditions, for activating various plans. Page 6

Krishna Kant Vyas | CRO 0249879

Emergency procedures, which describe the actions to be taken following a disruptive incident. Backup procedures, which describe the action to be taken to move essential activities to alternate temporary locations, to continue operation. Resumption procedures, which describe actions to be taken to return to normal business operation. Description of purpose and scope of plan. Maintenance schedule- how and when plan will be test and update. Contingency plan testing and recovery procedure. Awareness and education activities. Alternate manual procedures. Responsibilities of individuals, name and phone list of employees trained. Vendors contact details. Emergency phone no. of fire dept., police, hospital and backup locations, etc. Medical procedures, first aid and life saving techniques. Insurance papers and claim forms. Detail about of hardware and software configuration. Location of files, documentation, backup media.

CONCLUSIONS
Disaster recovery and business continuity planning are not new topics. Both have been around for a number of years. However, while the concepts have been around for a long time, they were not that widely implemented. In addition, the catastrophes that were envisioned in most disaster recovery or business continuity plans were somewhat narrow in scope. As one financial firm in New York City explained: We had business continuity planning prior to September 11.One part of that plan was to fly our traders to London where they would be as functional as they had been in New York City. Who knew that they would shut down all of the airports? In the aftermath of the terrorist attacks of September 2001, it will be a rare company indeed that does not need to re-evaluate its current business continuity and recovery plans and contracts very carefully. Organizations need to review all their security policies and plans. Advisors can assist with baseline assessments and initial plan development. Service providers can manage the plans implementation. Organizations need to make the commitment to keep the plans current and test the continuity tactics as often as needed. Business continuity planning and management is a core responsibility of every company and requires executive sponsorship to ensure its success.

Krishna Kant Vyas | CRO 0249879

Page 7