Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Business Impact Analysis:

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Three steps are typically involved in accomplishing the BIA: 1. Determine mission/business processes and recovery criticality. Mission/Business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum time that an organization can tolerate while still maintaining the mission. 2.Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the resources required to resume mission/business processes and related interdependencies as quickly as possible. Examples of resources that should be identified include facilities, personnel, equipment, software, data files, system components, and vital records.

3.Identify recovery priorities for system resources. Based upon the results from the previous activities, system resources can be linked more clearly to critical mission/business processes and functions. Priority levels can be established for sequencing recovery activities and resources.

BIA Critical Resource Example

Time and attendance reporting may require use of a local area network (LAN) server, wide area network (WAN) access, e-mail, and an e-mail server

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

BIA Resource Impact Example

LAN disruption to the time and attendance reporting system for 8 hours may create a delay in time sheet processing.

BIA Recovery Time Objective Example

The LAN server must be recovered within 8 hours to avoid a delay in time sheet processing.

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Cold Sites. Cold sites are locations that have the basic infrastructure and environmental controls available (such as electrical and HVAC), but no equipment or telecommunications established or in place. There is sufficient room to house needed equipment to sustain a systems critical functions. Examples of cold sites include unused areas of a data center and unused office space (if specialized data center environments are not required). Cold sites are normally the least expensive alternate processing site solution, as the primary costs are only the lease or maintenance of the required square footage for recovery purposes. However, the recovery time is the longest, as all system equipment (including telecommunications) will need to be acquired or purchased, installed, tested, and have backup software and data loaded and tested before the system can be operational. Depending on the size and complexity of a system, recovery could take several days to weeks to complete.

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Warm Sites. Warm sites are locations that have the basic infrastructure of cold sites, but also have sufficient computer and telecommunications equipment installed and available to operate the system at the site. However, the equipment is not loaded with the software or data required to operate the system. Warm sites should have backup media readers that are compatible with the systems backup strategy. Warm sites may not have equipment to run all systems or all components of a system, but rather only enough to operate critical mission/business processes. An example of a warm site is a test or development site that is geographically separate from the production system. Equipment may be in place to operate the system, but would require reverting to the current production level of the software, loading the data from backup media, and establishing communications to users. Another example is available equipment at an alternate facility that is running noncritical systems and that could be transitioned to run a critical system during a contingency event. A warm site is more expensive than a cold site, as equipment is purchased and maintained at the warm site, with telecommunications in place. Some costs may be offset by using equipment for noncritical functions or for testing. Recovery to a warm site can take several hours

Hot Sites. Hot sites are locations with fully operational equipment and capacity to quickly take over system operations after loss of the primary system facility. A hot site has sufficient equipment and the most current version of production software installed, and adequate storage for the production system data. Hot sites should have the most recent version of backed-up data loaded, requiring only updating with data since the last backup. In many cases, hot site data and databases are updated concurrently with or soon after the primary data and databases are updated. Hot sites also need a way to quickly move system users connectivity from the primary site. One example of a hot site is two identical systems at alternate locations that are in production, serving different geographical locations or load balancing production workload. Each location is built to handle the full workload, and data is continuously synchronized between the systems. This is the most expensive option, requiring full operation of a system at an alternate location and all telecommunications capacity, with the ability to maintain or quickly update the operational data and databases. Hot sites also require having operational support nearly equal to the production The ISCP Coordinator should look at information provided in the BIA to determine what critical mission/business processes a system supports, the MTD, and the impact loss of the system would have on the business to establish what type of recovery site is needed. An information system recovery strategy may incorporate one or more of these types of alternate processing facilities. For example, some functionality of a system may be highly critical and require a hot site to minimize the downtime and impact on mission/business processes. However, other functionality of the same system, such as a reporting or batch printing process, may be able to be down for several days with little impact

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

and would just need extra space in the alternate facility to place additional equipment after it is purchased.

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Chapter 8: Business Continuity Planning & Disaster Recovery Planning

Chapter 8: Business Continuity Planning & Disaster Recovery Planning