caim bcpdr

Upload: bipin-bansal-agarwal

Post on 23-Feb-2018


TRANSCRIPT

  • 7/24/2019 Caim Bcpdr

    1/44

    Business Continuity Planning (BCP)

    & Disaster Recovery Planning (DRP)


    Business Continuity Planning (BCP) &

    Disaster Recovery Planning (DRP)

    BCP and DR are programs run by organizations and businesses to ensure that their operations will not be affected by devastating events that may occur in their area.

    These two programs are now becoming essential for businesses and large corporations.


    What is BCP?

    BCP, or Business Continuity Planning, is a program in which businesses and organizations plan ahead for the possible crises and calamities that may greatly affect their operations.

    Such crises are not limited to natural calamities like floods or thunderstorms; they also include the death or sudden resignation of important employees who have key roles in operations.


    What is DR?

    DR, or Disaster Recovery, focuses on the set of actions that businesses will take after suffering a disaster, whether natural or man-made.

    Its sole purpose is business preservation, meaning how the business would cope and be able to operate again after a disaster such as loss of electricity, computer viruses, or theft.

    The Disaster Recovery program is just a part of BCP.


    Key objective of both BCP and DR

    How to preserve critical business functions in the face of a disaster.

    In short: Continuity of Business (COB)


    Difference between BCP and DR

    1. BCP is a proactive strategy, whereas DR is a reactive approach.

    2. BCP helps anticipate and prevent a disaster or unfavourable incident in advance, whereas DR is a strategy that treats or recovers from disasters and the like.


    The BCP domain addresses:

    Continuation of critical business processes when a disaster destroys data processing capabilities

    Preparation, testing and maintenance of specific actions to recover normal processing (the BCP)


    Disasters: natural, man-made

    Fire, flood, hurricane, tornado, earthquake, volcanoes

    Plane crashes, vandalism, terrorism, riots, sabotage, loss of personnel, etc.

    Anything that diminishes or destroys normal data processing capabilities


    Disasters are defined in terms of the business

    If it harms critical business processes, it may be a disaster

    Time-based definition: how long can the business stand the pain?

    Probability of occurrence


    Broad BCP objectives - CIA

    Confidentiality

    Integrity

    Availability


    BCP objective

    Create, document, test, and update a plan that will:

    Allow timely recovery of critical business operations

    Minimize loss

    Meet legal and regulatory requirements


    Scope of BCP

    Used to be just the data center

    Now includes:

    Distributed operations

    Personnel, networks, power

    All aspects of the IT environment, be it database servers, hardware, telephones, servers, software, applications, etc.


    Creating a BCP

    Is an on-going process, not a project with a beginning and an end

    Creating, testing, maintaining, and updating

    Critical business functions may evolve

    The BCP team must include both business and IT personnel

    Requires the support of senior management


    The five BCP phases

    Project management & initiation

    Business Impact Analysis (BIA)

    Recovery strategies

    Plan design & development

    Testing, maintenance, awareness, training


    I - Project management & initiation

    Establish need (risk analysis)

    Get management support

    Establish team (functional, technical, BCC: Business Continuity Coordinator)

    Create work plan (scope, goals, methods, timeline)

    Initial report to management

    Obtain management approval to proceed


    II - Business Impact Analysis (BIA)

    Goal: obtain formal agreement with senior management on the MTD for each time-critical business resource

    MTD: maximum tolerable downtime, also known as MAO (Maximum Allowable Outage)


    II - Business Impact Analysis (BIA)

    Quantifies loss due to business outage (financial, extra cost of recovery, embarrassment)

    Does not estimate the probability of kinds of incidents, only quantifies the consequences


    II - BIA phases

    Choose information gathering methods (surveys, interviews, software tools)

    Select interviewees

    Customize questionnaire

    Analyze information

    Identify time-critical business functions


    II - BIA phases (continued)

    Assign MTDs

    Rank critical business functions by MTDs

    Report recovery options

    Obtain management approval


    III - Recovery strategies

    Recovery strategies are based on MTDs

    Predefined

    Management-approved


    III - Recovery strategies

    Different technical strategies

    Different costs and benefits

    How to choose?

    Careful cost-benefit analysis

    Driven by business requirements


    III - Recovery strategies

    Strategies should address recovery of:

    Business operations

    Facilities & supplies

    Users (workers and end-users)

    Network, data center (technical)

    Data (off-site backups of data and applications)


    III - Recovery strategies

    Technical recovery strategies: scope

    Data center

    Networks

    Telecommunications


    III - Recovery strategies

    Technical recovery strategies: methods

    Subscription services

    Mutual aid agreements

    Redundant data centers

    Service bureaus


    III - Recovery strategies

    Technical recovery strategies: subscription service sites

    Hot: fully equipped

    Warm: missing key components

    Cold: empty data center

    Mirror: full redundancy


    III - Recovery strategies

    Technical recovery strategies: redundant processing centers

    Expensive

    Maybe not enough spare capacity for critical operations


    III - Recovery strategies

    Technical recovery strategies: service bureaus

    Many clients share facilities

    Almost as expensive as a hot site

    Must negotiate agreements with other clients


    III - Recovery strategies

    Technical recovery strategies: data

    Backups of data and applications

    Off-site vs. on-site storage of media

    How fast can data be recovered?

    How much data can you lose?

    Security of off-site backup media

    Types of backups (full, incremental, differential, etc.)


    IV - BCP development / implementation

    Detailed plan for recovery

    Business & service recovery plans

    Maintenance

    Awareness & training

    Testing


    IV - BCP development / implementation

    Sample plan phases

    Initial disaster response

    Resume critical business ops

    Resume non-critical business ops

    Restoration (return to primary site)

    Interacting with external groups (customers, media, emergency responders)


    V - BCP final phase

    Testing

    Maintenance

    Awareness

    Training


    V - BCP final phase

    Until it's tested, you don't have a plan

    Kinds of testing:

    Structured walk-through

    Checklist

    Simulation

    Parallel

    Full interruption


    V - BCP final phase

    Fix problems found in testing

    Implement change management

    Audit and address audit findings

    Annual review of plan

    Build plan into organization


    V - BCP final phase

    BCP team is probably the DR team

    BCP training must be on-going

    BCP training needs to be part of the standard on-boarding and part of the corporate culture


    Few scenarios of BCP/DR

    Technology Breakdown

    Let's assume that a large banking company runs its core business from a major city in India. One fine afternoon its network is attacked by cyber terrorists or there's a virus outbreak. In such a situation, data integrity is lost. The easiest way to handle this disaster would be to immediately isolate the cyber attack on the branch and transfer the core job to a DR datacenter hosted at some other location. This would help users to immediately connect to remote DR servers and get back to work.


    Few scenarios of BCP/DR

    Epidemic disaster

    Take another scenario. One day the same city where the bank operates encounters an epidemic. The Bird Flu virus hits the city and, being an airborne virus, infects anybody walking out in the open. So a city-wide red alert is sounded, a curfew is enforced, and nobody can come out in the open. In such a scenario, all the pillars that constitute Business Continuity remain intact except human resources. Your data, equipment and workplace are intact, but no one can come to the office and operate from there. So the strategy to overcome such a problem should be different. Here you must have a DR site with not only data, but also a backup of employees who can take over charge of the center and finish the tasks from some other city.


    Few scenarios of BCP/DR

    Earthquake disaster

    Now let's take another example, where an earthquake destroys the entire building, with the data center and all the equipment. Here, even though people's lives might be saved, everything else would get destroyed. In such a situation, a remote DR site is required where you have all the necessary equipment, seating arrangements, data and even a recreation zone, where you can fly in your staff and let them get back to work in as little time as possible. Such a DR site should not be in the same geographical location as the site in question, so that the calamity does not affect both sites at the same time. On the other hand, it should not be so far away that it takes a lot of time to fly people out.


    So what will happen if I don't have a BCP/DR plan?

    The cost of not having a robust continuity solution in place could be catastrophic: lost revenues, bad press coverage, loss of customers and competitive mindshare, to name but a few.

    A web site for e-Commerce may suffer losses from $10K to $100K every hour, depending on the volume of the site. Large telesales businesses like airline reservations, catalog sales, and TV-based home shopping can easily miss sales opportunities of $100K an hour.

    In financial markets, losses total several million dollars per hour of downtime.


    In Summary

    Plan, Plan, Plan

    Gather as much critical information on what you will need to recover before an event ever happens

    Establish procedures for recovery

    Establish priorities for recovery

    Keep people informed

    Keep a record of what happened for a lessons learned evaluation


    Strategies of Database Availability

    Two attributes of database availability, namely the severity of database downtime and the latency of database recovery, provide a context for understanding general categories (like high availability, continuous availability, and disaster recovery), as well as specific strategies for database availability (like maintenance, clusters, replication, and backup/restore).


    How Sybase helps in having a sound DR in place for databases


    Sybase Solutions for Database Availability


    Sybase triple layer resilience solution