Business Continuity Planning and
Disaster Recovery Planning
Corporate risks could cause an organization to
suffer
• Inability to maintain critical customer services
• Damage to market share, reputation or brand
• Failure to protect the company assets including intellectual
properties and personnel
• Business control failure
• Failure to meet legal or regulatory requirements
Business Continuity Planning
… a “disaster”
is an event, often unexpected, that seriously
disrupts your usual operations or processes
and can have long term impact on your
normal way of life or that of your
organization.
Business Continuity Planning
[Figure: Business Continuity & Disaster Recovery shown alongside the other security domains: Security Management, Sec Architecture & Models, Laws, Ethics, Physical Sec Controls, Access Control, OpSec, Apdev Sec, TNI Sec, Cryptography]
Business Continuity Planning
… it is:
• a process to minimize the impact of a major
disruption to normal operations
• a process to enable restoration of critical
assets
• a process to restore normalcy as soon as
possible after a crisis.
… it is not just:
• recovery of information technology resources
Business Continuity Planning
… and it is the phase of crisis management
that follows the immediate actions taken to
protect life and property and contain the
event
… it begins when the situation has been
stabilized.
Business Continuity Planning
Incident Management
All types of incidents should be categorized
• Negligible
• Minor
• Major
• Crisis
Business Impact Analysis
• Critical step in developing the business continuity
plan
• Three main questions to consider during BIA phase:
1. What are the different business processes?
2. What are the critical information resources related to an
organization’s critical business processes?
3. What is the critical recovery time period for information
resources in which business processing must be resumed
before significant or unacceptable losses are suffered?
Recovery Point Objective and Recovery
Time Objective
• Recovery Point Objective (RPO)
– Based on acceptable data loss
– Indicates earliest point in time in which it is acceptable
to recover the data
• Recovery Time Objective (RTO)
– Based on acceptable downtime
– Indicates earliest point in time at which the business
operations must resume after a disaster
Business Continuity Planning
• When is it a Crisis?
[Figure: Continuity Continuum, with a time axis running Minutes, Hours, Days, Weeks]
Business Continuity Planning
Restoration of Critical Processing
Data center fire:
1. Alarm Notification to First Responders
2. Activate the Emergency Operations Center
3. IT decision to move to a backup facility
4. Assemble IT recovery team at appropriate sites
5. Obtain backup tapes from off-premises storage
6. Acquire and install backup hardware and network connections
7. Restore Operating System and Network
8. Reload database and other data
9. Restore Critical Applications
10. Begin Critical Processing - This is your Recovery Time Objective (RTO)
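Added example (not part of the original slides): a Python check that walks the restoration steps above and compares the result with the RTO and RPO. The step durations, timestamps and targets are constructed sample values, and the steps are assumed to run one after another.

```python
from datetime import datetime, timedelta

# Restoration steps from the slides; the hour figures are constructed sample values.
STEPS = [
    ("Alarm notification to first responders", 0.25),
    ("Activate the Emergency Operations Center", 1),
    ("IT decision to move to a backup facility", 2),
    ("Assemble IT recovery team at appropriate sites", 4),
    ("Obtain backup tapes from off-premises storage", 3),
    ("Acquire and install backup hardware and network connections", 12),
    ("Restore operating system and network", 6),
    ("Reload database and other data", 8),
    ("Restore critical applications", 4),
]

def assess(disaster, last_backup, rto_hours, rpo_hours, steps=STEPS):
    """Walk the steps in order and compare the outcome with the RTO and RPO."""
    rto = timedelta(hours=rto_hours)
    elapsed = timedelta(0)
    breach_step = None
    for name, hours in steps:
        elapsed += timedelta(hours=hours)
        if breach_step is None and elapsed > rto:
            breach_step = name  # step during which the RTO deadline passes
    # Work done after the last recoverable copy is lost (assumes tapes restore cleanly).
    data_loss = disaster - last_backup
    return {
        "processing_resumes": disaster + elapsed,  # "Begin Critical Processing"
        "recovery_hours": elapsed.total_seconds() / 3600,
        "rto_met": elapsed <= rto,
        "rto_breached_during": breach_step,
        "data_loss_hours": data_loss.total_seconds() / 3600,
        "rpo_met": data_loss <= timedelta(hours=rpo_hours),
    }

if __name__ == "__main__":
    fire = datetime(2024, 3, 4, 14, 0)    # constructed disaster time
    tapes = datetime(2024, 3, 3, 22, 0)   # constructed last off-site backup
    for key, value in assess(fire, tapes, rto_hours=24, rpo_hours=24).items():
        print(f"{key}: {value}")
```

With these sample figures the RPO is met but the RTO is missed, and the output names the step during which the deadline passes, which is where a faster recovery strategy would have to save time.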
Business Continuity Planning
High Level Look at a Recovery Effort
[Figure: recovery-effort timeline. Labels: Lost Data; Vital Records; Restore Technology Capability; Notifications; Restore Communications; Move to Alternate Site; (If necessary); Restore Business Functions; Data Synchronization; Resume Business; Return Home; Data Recovery Objective; Recovery Time Objective]
Source: Gerald Isaacson 2005
Recovery Strategies
• A recovery strategy is a combination of
preventive, detective and corrective measures
• The selection of a recovery strategy would
depend upon:
– The criticality of the business process and the
applications supporting the processes
– Cost
– Time required to recover
– Security
Recovery Strategies
Recovery strategies based on the risk level
identified for recovery would include
developing:
• Hot sites
• Warm sites
• Cold sites
• Duplicate information processing facilities
• Mobile sites
• Reciprocal arrangements with other organizations
Recovery Strategies
Types of offsite backup facilities
• Hot sites - Fully equipped facility
• Warm sites - Partially equipped but lacking
processing power
• Cold sites - Basic environment
• Duplicate (redundant) information processing facility
• Mobile sites
• Reciprocal agreement
– Contract with hot, warm or cold site
– Procuring alternative hardware facilities
Recovery Alternatives
(continued)
Provisions for use of third-party sites should
cover:
• Configurations
• Disaster
• Speed of availability
• Subscribers per site and area
• Preference
• Insurance
• Audit
• Reliability
Recovery Alternatives
(continued)
Procuring alternative hardware facilities
• Vendor or third-party
• Off-the-shelf
• Credit agreement or emergency credit cards
Development of Business
Continuity and Disaster
Recovery Plans
Factors to consider when developing the plans
• Pre-disaster readiness
• Evacuation procedures
• Circumstances under which a disaster should be declared
• Identification of plan responsibilities
• Identification of contract information
• Recovery option explanations
• Identification of resources for recovery and continued
operation of the organization
• Application of the constitution phase
Organization and Assignment of
Responsibilities
The emergency management team coordinates the
activities of all other recovery teams. This team oversees:
• Retrieving critical and vital data from offsite storage
• Installing and testing systems software and applications at the
systems recovery site
• Identifying, purchasing, and installing hardware at the system
recovery site
• Operating from the system recovery site
• Rerouting network communications traffic
Organization and Assignment
of Responsibilities (continued)
The emergency management team coordinates the
activities of all other recovery teams. This team oversees:
• Reestablishing the user/system network
• Transporting users to the recovery facility
• Reconstructing databases
• Supplying necessary office goods, i.e., special forms, check stock,
paper
• Arranging and paying for employee relocation expenses at the
recovery facility
• Coordinating systems use and employee work schedules
Other Issues in
Plan Development
• Management and user involvement is vital to
the success of BCP
– Essential to the identification of critical systems,
recovery times and resources
– Involvement from support services, business
operations and information processing support
• Entire organization needs to be considered
for BCP
Components of a Business
Continuity Plan
A business continuity plan may consist of more
than one plan document
• Continuity of operations plan (COOP)
• Disaster recovery plan (DRP)
• Business resumption plan
• Continuity of support plan / IT contingency plan
• Crisis communications plan
• Incident response plan
• Transportation plan
• Occupant emergency plan (OEP)
Components of a
Business Continuity Plan
(continued)
Components of the plan
• Key decision-making personnel
• Backup of required supplies
• Telecommunication networks disaster recovery methods
• Redundant array of inexpensive disks (RAID)
• Insurance