bipin-bansal-agarwal
7/24/2019 Caim Bcpdr
1/44
Business Continuity Planning (BCP)
& Disaster Recovery Planning (DRP)
BCP and DR are programs run by organizations and businesses to ensure that their operations will not be affected by devastating events that may occur in their area.
These two programs are now becoming essential for businesses and large corporations.
What is BCP?
BCP, or Business Continuity Planning, is a program in which businesses and organizations plan ahead for the crises and calamities that may greatly affect their operations.
These crises are not limited to natural calamities like floods or thunderstorms; they also include the death or sudden resignation of important employees who have key roles in operations.
What is DR?
DR, or Disaster Recovery, focuses on the set of actions that a business will take after suffering a disaster, whether natural or man-made.
Its sole purpose is business preservation, meaning how the business would cope and be able to operate again after a disaster such as loss of electricity, computer viruses, or theft.
The Disaster Recovery program is just a part of BCP.
Key objective of both BCP and DR
How to preserve critical business functions in the face of a disaster.
In short: Continuity of Business (COB)
Difference between BCP and DR
1. BCP is a proactive strategy, whereas DR is a reactive approach.
2. BCP helps anticipate and prevent a disaster or unfavourable incident in advance, whereas DR is a strategy that treats or recovers from disasters and the like.
The BCP domain addresses:
Continuation of critical business processes when a disaster destroys data processing capabilities
Preparation, testing and maintenance of specific actions to recover normal processing (the BCP)
Disasters - natural, man-made
Fire, flood, hurricane, tornado, earthquake, volcanoes
Plane crashes, vandalism, terrorism, riots, sabotage, loss of personnel, etc.
Anything that diminishes or destroys normal data processing capabilities
Disasters are defined in terms of the business
If it harms critical business processes, it may be a disaster
Time-based definition - how long can the business stand the pain?
Probability of occurrence
Broad BCP objectives - CIA
Confidentiality
Integrity
Availability
BCP objective
Create, document, test, and update a plan that will:
Allow timely recovery of critical business operations
Minimize loss
Meet legal and regulatory requirements
Scope of BCP
Used to be just the data center
Now includes:
Distributed operations
Personnel, networks, power
All aspects of the IT environment, be it database servers, hardware, telephones, servers, software, applications, etc.
Creating a BCP
Is an on-going process, not a project with a beginning and an end
Creating, testing, maintaining, and updating
Critical business functions may evolve
The BCP team must include both business and IT personnel
Requires the support of senior management
The five BCP phases
Project management & initiation
Business Impact Analysis (BIA)
Recovery strategies
Plan design & development
Testing, maintenance, awareness, training
I - Project management & initiation
Establish need (risk analysis)
Get management support
Establish team (functional, technical, BCC - Business Continuity Coordinator)
Create work plan (scope, goals, methods, timeline)
Initial report to management
Obtain management approval to proceed
II - Business Impact Analysis (BIA)
Goal: obtain formal agreement with senior management on the MTD for each time-critical business resource
MTD - maximum tolerable downtime, also known as MAO (Maximum Allowable Outage)
II - Business Impact Analysis (BIA)
Quantifies loss due to business outage (financial, extra cost of recovery, embarrassment)
Does not estimate the probability of kinds of incidents, only quantifies the consequences
II - BIA phases
Choose information gathering methods (surveys, interviews, software tools)
Select interviewees
Customize questionnaire
Analyze information
Identify time-critical business functions
II - BIA phases (continued)
Assign MTDs
Rank critical business functions by MTDs
Report recovery options
Obtain management approval
III - Recovery strategies
Recovery strategies are based on MTDs
Predefined
Management-approved
III - Recovery strategies
Different technical strategies
Different costs and benefits
How to choose?
Careful cost-benefit analysis
Driven by business requirements
III - Recovery strategies
Strategies should address recovery of:
Business operations
Facilities & supplies
Users (workers and end-users)
Network, data center (technical)
Data (off-site backups of data and applications)
III - Recovery strategies
Technical recovery strategies - scope
Data center
Networks
Telecommunications
III - Recovery strategies
Technical recovery strategies - methods
Subscription services
Mutual aid agreements
Redundant data centers
Service bureaus
III - Recovery strategies
Technical recovery strategies - subscription service sites
Hot - fully equipped
Warm - missing key components
Cold - empty data center
Mirror - full redundancy
III - Recovery strategies
Technical recovery strategies - redundant processing centers
Expensive
Maybe not enough spare capacity for critical operations
III - Recovery strategies
Technical recovery strategies - service bureaus
Many clients share facilities
Almost as expensive as a hot site
Must negotiate agreements with other clients
III - Recovery strategies
Technical recovery strategies - data
Backups of data and applications
Off-site vs. on-site storage of media
How fast can data be recovered?
How much data can you lose?
Security of off-site backup media
Types of backups (full, incremental, differential, etc.)
IV - BCP development / implementation
Detailed plan for recovery
Business & service recovery plans
Maintenance
Awareness & training
Testing
IV - BCP development / implementation
Sample plan phases
Initial disaster response
Resume critical business ops
Resume non-critical business ops
Restoration (return to primary site)
Interacting with external groups (customers, media, emergency responders)
V - BCP final phase
Testing
Maintenance
Awareness
Training
V - BCP final phase
Until it's tested, you don't have a plan
Kinds of testing
Structured walk-through
Checklist
Simulation
Parallel
Full interruption
V - BCP final phase
Fix problems found in testing
Implement change management
Audit and address audit findings
Annual review of plan
Build plan into organization
V - BCP final phase
BCP team is probably the DR team
BCP training must be on-going
BCP training needs to be part of the standard on-boarding and part of the corporate culture
A few scenarios of BCP/DR
Technology Breakdown
Let's assume that a large banking company runs its core business from a major city in India. One fine afternoon its network is attacked by cyber terrorists or there's a virus outbreak. In such a situation, data integrity is lost. The easiest way to handle this disaster would be to immediately isolate the cyber attack on the branch and transfer the core job to a DR datacenter hosted at some other location. This would help users to immediately connect to remote DR servers and get back to work.
A few scenarios of BCP/DR
Epidemic disaster
Take another scenario. One day the same city where the bank was operating from encounters an epidemic. The Bird Flu virus hits the city and, being an airborne virus, infects anybody walking out in the open. So a city-wide red alert is sounded, a curfew is enforced, and nobody can come out in the open. In such a scenario, all the pillars that constitute Business Continuity remain intact except human resources. Your data, equipment and workplace are intact, but no one can come to the office and operate from there. The strategy to overcome such a problem should therefore be different. Here you must have a DR site with not only data, but also a backup of employees who can take charge of the center and finish the tasks from some other city.
A few scenarios of BCP/DR
Earthquake disaster
Now let's take another example, where an earthquake destroys the entire building, with the data center and all the equipment. Here, even though people's lives might be saved, everything else would be destroyed. In such a situation, a remote DR site is required where you have all the necessary equipment, seating arrangements, data and even a recreation zone, where you can fly in your staff and let them get back to work in as little time as possible. Such a DR site should not be in the same geographical location as the site in question, so that the calamity does not affect both sites at the same time. On the other hand, it should not be so far away that it takes a lot of time to fly people out.
So what will happen if I don't have a BCP/DR plan?
The cost of not having a robust continuity solution in place could be catastrophic: lost revenues, bad press coverage, loss of customers and competitive mindshare, to name but a few.
A web site for e-commerce may suffer losses from $10K to $100K every hour, depending on the volume of the site. Large telesales businesses like airline reservations, catalog sales, and TV-based home shopping can easily miss sales opportunities of $100K an hour.
In financial markets, losses total several million dollars per hour of downtime.
In Summary
Plan, Plan, Plan
Gather as much critical information on what you will need to recover before an event ever happens
Establish procedures for recovery
Establish priorities for recovery
Keep people informed
Keep a record of what happened for a lessons learned evaluation
Strategies of Database Availability
Two attributes of database availability, namely the severity of database downtime and the latency of database recovery, provide a context for understanding general categories (like high availability, continuous availability, and disaster recovery), as well as specific strategies for database availability (like maintenance, clusters, replication, and backup/restore).
How Sybase helps in having a sound DR in place for databases
Sybase Solutions for Database Availability
Sybase triple layer resilience solution