Business Continuity & Disaster Recovery Planning

Question 1

2 categories for distaster ?

Answer 1

• Natural

* Man-Made

Question 2

How does disaster affect Business ?

Answer 2

Damage to Property (the building)
Damage to business records (paper,electronic)
Damage to business equipment (computers, copiers)
Damage to communications (telephone, wireless)
Damage to Public Ulilities (power,water,gas)
Damage to transportation systems (bus,train)
Injuries and loss of life
Indirect Damage - Suppliers and customers

Question 3

What is the Goal of BCP ?

Answer 3

Business Continuity Planning deals with keeping business operations running — perhaps in another location or by using different tools and processes — after a disaster has struck.

Question 4

What is the Goal of DRP ?

Answer 4

Disaster Recovery Planning deals with restoring normal business operations after the disaster takes place.
Speed of recovery is directly proportional to cost.

Question 5

BCP / DRP Commonalities ?

Answer 5

• Identification of critical business functions (done via an assessment)
• Identification of possible disaster scenarios (disaster scenarios identified and ranked by probability.
• Experts (critical business process)

Question 6

BCP

Answer 6

This concentrates on continuing / keeping business operations running.

Question 7

DRP

Answer 7

This concentrates on restoring / recovering the original business function.

Question 8

What is COOP ?

Answer 8

Continuity of Operations - a blending of BCP and DRP into a single mission statement - keeping the organisation running after a disaster.

Question 9

BCP - Success ?

Answer 9

Areas of Concern:

Success of the BCP depends on scope definition.

Business Process (muddy waters)
Technology (muddy waters)
geographical dispersement (adds difficulty)
Politics (departments lobby claim criticality)

Question 10

What is scope creep ?

Answer 10

When a project’s scope grows beyond the original intent.

Question 11

What is scope lean ?

Answer 11

When a project’s scope changes and ‘leans’ in a certain direction.

The project team needs to find a balance between too narrow a scope, which makes the plan ineffective, and too wide a scope, which makes the plan too cumbersome.

Question 12

What is the BIA ?

Answer 12

Business Impact Analysis (BIA)

• describes the impact a disaster will have on Business Operations.
• should include qualatative and quantative impacts.
• quantative - Mostly finance.
• qualatative - delivery of goods and services.

Question 13

BIA Tasks:

Answer 13

• Perform a Vulnerability Assessment
• Carry out a Criticality Assessment
• Determine the Maximum Tolerable Downtime
• Establish recovery targets
• Determine resource requirements

Question 14

What is a vulnerability assessment ? (BIA)

Answer 14

• assesses weaknesses in business critical systems.
• identifies critical support areas which are business functions.
• quantative - Mostly finance.
• qualatative - delivery of goods and services.

Question 15

Quantitative Losses ? (Vuln Assess, BIA)

Answer 15

• Loss of revenue
• Loss of operating capital
• Loss because of personal liabilities
• Increase in expenses
• Penalties because of violations of business contracts
• Violations of laws and regulations

Question 16

Qualitative Losses ? (Vuln Assess, BIA)

Answer 16

• Service quality
• Competitive advantages
• Customer satisfaction
• Market share
• Prestige and reputation

Question 17

What is a Criticality Assessment ? (BIA)

Answer 17

• Ranked inventory of high level business functions.
• description of each affected ranked function.
• Assessement should consider time (hour vs day)
• Assessment should consider times of year (Aug v May)
• Establish Max. Tolerable Downtime. (MTD)

Question 18

Key Player identification in BIA.

Answer 18

• managers have jobs, what is theirs ?
• better view of an organisation.
• Be aware of outsourced functionality.

Question 19

What is MTD / MTPD ? (BIA)

Answer 19

This is Maximum Tolerable Downtime.

• A component of a critical assessment.
• aka Max. Tolerable Period of Downtime (MTPD)
• Max time before a business suffers long lasting damage

Question 20

Establishing Recovery Targets.

Answer 20

• established post Crit assement & MTD.

* Each business process has a recovery time and a recovery point objective.

Question 21

What is RTO ? (BIA)

Answer 21

Recovery Time Objective.
The maximum period of time in which a business process must be restored after a disaster.
Shorter RTOs = Larger investments.

Question 22

What is a RPO ? (BIA)

Answer 22

Recovery Point Objective.
The maximum period of time in which data might be lost if a disaster strikes.
* RPO is measured from last known good back up.

Question 23

What is the BIA Resource Requirement ?

Answer 23

A listing of the resources that an organization needs in order to continue operating each critical business function, resources should allocated by criticality rank.

Example: Systems, Applications, suppliers, partners, business equipment and personnel.

Question 24

What are the various elements of a BCP ?

Answer 24

Emergency Response
Damage Assessment
Personnel Safety
Personnel Notification
Backups and Off Site Storage

Question 25

What is the BCP Emergency Response ?

Answer 25

* team designation for each kind of disaster | * Documented Procedures and CheckLists

Question 26

What is the BCP Damage Assessment ?

Answer 26

Damage assessments determine whether an organization can still use buildings and equipment, whether they can use those items after some repairs, or whether they must abandon those items altogether.

Question 27

What is Personnel Safety ? (BCP)

Answer 27

In any kind of disaster, the safety of personnel is the highest priority, ahead of buildings, equipment, computers, backup tapes, and so on.

Question 28

What is Personnel Notification? (BCP)

Answer 28

* The BCP must contain provisions for communication | * This also covers tactical and status reports to key personnel throughout the incident.

Question 29

Factors to consider with regards to Back Ups and Notifications ? (BCP)

Answer 29

* The time that it takes to perform backups * The effort required to restore data * The procedures for restoring data from backups, compared with other methods for recovering the data

Question 30

What is a BCP ?

Answer 30

Backup Continuity Plan

Question 31

What is a Software Escrow Agreement ?

Answer 31

A software vendor sends a copy of its software code to a third-party escrow organization for safekeeping.

Question 32

What is the Relevance of External Communications ?

Answer 32

The Corporate Communications, External Affairs, and (if applicable) Investor Relations departments should all have plans in place for communicating the facts about a disaster to the press, customers, and public. You need contingency plans for these functions if you want the organization to continue communicating to the outside world.

Question 33

Utilities in the BCP ?

Answer 33

Data-processing facilities that support time-critical business functions must keep running in the event of a power failure. Although every situation is different, the principle remains the same: The BCP team must determine for what period of time the data-processing facility must be able to continue operating without utility power.

Question 34

Logistics and Supplies in the BCP ?

Answer 34

For companies that rely on daily / weekly / monthly shipments this step is key. Not just for the company but for suppliers as well.

Question 35

Documentation in the BCP ?

Answer 35

* All documentation for all services should be up to date. * All documentation should be centralised. * Should be available off site to avoid single points of failure.

Question 36

Data processing continuity planning

Answer 36

* Where the business will continue to sustain its data processing functions. * How the business will continue to sustain its data processing functions. Solutions: * Cold Site - empty room + hvac (least costly) * Warm Site - room + none configured equipment + hvac * Hot Site - Mirror + data sync (expensive, least down time) * Reciprocal Site - Colo with another company. * Multi Data Centres - business as usual.

Question 37

Financial Readiness

Answer 37

* Insurance - take out insurance against hardware * Cash reserves - set aside money for the inevitable * Line of credit * Pre-purchased assets * Letters of agreement: An organization may wish to establish legal agreements that would be enacted in a disaster. These may range from use of emergency work locations (such as nearby hotels), use of fleet vehicles, appropriation of computers used by lower-priority systems, and so on. *Standby assets

Question 38

Maintaining Physical Security

Answer 38

Looting and vandalism sometimes occur after significant disastrous events. The organization must be prepared to deploy additional guards, as well as erect temporary fencing and other physical barriers in order to protect its physical assets

Question 39

Personnel Safety

Answer 39

The safety of personnel needs to be addressed, as there are often personnel working in areas with damage and safety issues, usually right after a disaster, during salvage and damage assessment. An organization’s number-one priority is the safety of its personnel.

Question 40

Testing the Disaster Recovery Plan

Answer 40

Checklist - A detailed review of the steps Walkthough - team led walk through of what to do. Questions that occur are listed marked down and tackled post WalkThrough. Simulation - Practice (no action) of a disaster, team driven. Parallel - Team led DR action plan, original systems continue to run in parallel. Interruption - This is also referred to as a cut over. It is team led, and is a full simulation of a disaster.