SlideShare ist ein Scribd-Unternehmen logo

Disaster Recovery Planning

Als PPTX, PDF herunterladen
K
Kathy Pelletier

This document discusses disaster recovery planning for healthcare organizations. It provides an overview of key disaster recovery planning concepts and terms. It also outlines considerations for developing a disaster recovery plan, including evaluating risks, defining risk tolerance, developing roles and responsibilities, scenario planning, data backup and recovery, and documentation. The document discusses how disaster recovery planning fits within broader business continuity planning and presents a methodology for a full business continuity program that incorporates disaster recovery. It also covers current trends and standards related to disaster recovery planning.

Technologie
1 von 27
DISASTER RECOVERY PLANNING FOR HEALTHCARE Ron Pelletier, CISSP, CBCP, CISA, QSA VP and Executive Manager FOR HEALTHCARE ORGANIZATIONS DISASTER RECOVERY PLANNING INMGA – August 11, 2015
DISASTER RECOVERY PLANNING FOR HEALTHCARE AGENDA • Disaster Recovery Planning Overview • General DRP Considerations • A BCM Methodology (encompasses DRP) • Trends and Standards • Questions PONDURANCE 2
DISASTER RECOVERY PLANNING FOR HEALTHCAREPONDURANCE 3 DISASTER RECOVERY PLANNING OVERVIEW
DISASTER RECOVERY PLANNING FOR HEALTHCARE SIMPLIFIED DRP TERMS PONDURANCE 4 Disaster Recovery – Planning to sustain supporting technology & data. Crisis Management – Preserving life safety and business image. Business Impact Analysis – Establish the organization’s critical path. Recovery Time Objective – When do the systems/processes need to be restored? Recovery Point Objective – How much data can you stand to lose? Maximum Tolerable Downtime – What is the point of unacceptable risk? Risk Tolerance – Collective picture of risk management and BCM. High Availability – When downtime of systems/data is not an option. Minimum Operating Requirements – What do you need, and when, to get by.
DISASTER RECOVERY PLANNING FOR HEALTHCARE WHERE DOES DRP FIT IN THE BCM LIFECYCLE? PONDURANCE 5 BCM Business Continuity Planning Disaster Recovery Planning High Availability Risk Management Incident Response Crisis Management (general, not all inclusive)
DISASTER RECOVERY PLANNING FOR HEALTHCARE TRADITIONAL THINKING ON DISASTER RECOVERY PONDURANCE 6 Disaster Recovery vs. Business Continuity PEOPLE BUSINESS PROCESSES PROCESS CONTINUITY BUSINESS PROCESSES DRPDRPDRP Disaster Recovery Business Continuity TECH/DATA RESTORE B U S I N E S S C O N T I N U I T Y B U S I E N S S C O N T I N U I T Y
DISASTER RECOVERY PLANNING FOR HEALTHCARE THE INTEGRATED PERSPECTIVE PONDURANCE 7 Defined Tolerance for Risk Program Exercising, Change Management, Maintenance (BCP) Business Continuity Planning (DRP) Disaster Recovery Planning DRP Strategies BCP Strategies DRP Documentation BCP Documentation The Risk Analysis Phase Current State Assessment Threat and Risk Assessment Business Impact Analysis CRISIS MANAGEMENT • Owns Initial and Ongoing Response • Allocates Emergency Resources • MAKES DECISIONS AS REQUIRED • Functions as Steering Committee
DISASTER RECOVERY PLANNING FOR HEALTHCAREPONDURANCE 8 GENERAL DRP CONSIDERATIONS
DISASTER RECOVERY PLANNING FOR HEALTHCARE EVALUATE YOUR OPERATING RISK PONDURANCE 9 • PREPARE TO AVOID BUT PLAN TO RESPOND!! • Human, technical, operational and strategic threats MUST be considered to formulate a viable avoidance and/or response posture • Look for single points of failure that might not have been considered (control systems, joined power junctions, shared data closets, shared passwords, single communication gateway) • Consider your level of reliance on other entities (parent organizations, shared services, external service providers, etc.) • Integrate your risk assessment process with Cyber Security efforts. According to KPMG’s BCM Survey Only 41% of Companies integrate BCM with Cyber Security • Do you have specific technologies at your site that are not typically supported by a shared services organization? • Do you have a defined owner or custodian for your Disaster Recovery Planning efforts?
DISASTER RECOVERY PLANNING FOR HEALTHCARE DEFINING RISK TOLERANCE FOR DRP PONDURANCE 10 $ and Operational Impacts Manual Processing Application ‘X’ in 72 Hours Application ‘X’ in24 Hours Management Negotiation Based on Risk Tolerance Recovery Time Objectives (RTO’s) Recovery Point Objectives (RPOs) Current Recovery Capabilities (CRC’s) Information Technology Group Current State Assessment Maximum Tolerable Downtimes (MTD’s) Business Unit Personnel Business Impact Analysis
DISASTER RECOVERY PLANNING FOR HEALTHCARE RISK TOLERANCE AND HEALTHCARE PONDURANCE 11 • Two schools of thought can muddy the water when considering technology downtime in healthcare: o “We have been treating patients for centuries without technology…we can live without it indefinitely” o “We have grown so dependent on technology that we cannot be inconvenienced by its loss for even a single hour” • How do you appropriately consider the risk to your organization, without trying to “over-engineer” a solution? • What happens if technology platforms are down for extended periods of time?
DISASTER RECOVERY PLANNING FOR HEALTHCARE RISK TOLERANCE AND HEALTHCARE PONDURANCE 12 • Consider looking at 2 key criteria to arrive at true business impact: 1. Degradation of Care (Life Safety): The degradation of care considers specific risks of patient-safety, if care professionals do not have access to all patient records that may provide insight into patient profiles (e.g., pharmaceuticals, allergies, past procedures, etc). 2. Patient Throughput (Financial and Operational): “Throughput” represents the number of patients that can be reasonably and safely treated over a given period of time. Without a level of automation and record accessibility, it’s logical to assume that hospitals will not be able to attend to, admit, or discharge the “normal” volume of patients with the same level of efficiency. This can lead to direct financial impacts, as it would likely lead to a reduced and untimely level of billing for patient care. • Use qualitative measures where they make sense, but attempt to arrive at a Recovery Time Objective for each key system (HIPAA denotes this as “addressable”)
DISASTER RECOVERY PLANNING FOR HEALTHCARE DEVELOPING DRP ROLES/RESPONSIBILITIES PONDURANCE 13 • Consider a 360 degree approach to ensure appropriate organizational coverage • Look outside the organization to determine if there are groups/entities with whom you need to coordinate your strategies and plans • If you are part of a hospital system, have you integrated with their Hospital Command? • If you have personal that you contract to facilities, do you know what their plans are if their facilities are impacted? • Break down the roles and corresponding plans to facilitate action and accountability • How do you define an incident commander? • What about facilities? Specific technologies?
DISASTER RECOVERY PLANNING FOR HEALTHCARE DEVELOPING DRP ROLES/RESPONSIBILITIES (SAMPLE ORG CHART FOR DRP) PONDURANCE 14 IT Incident Commander TBD at Time of Incident IT Customer Support Center Lead IT Hospital Command Liaison IT Safety/Security/Privacy Officer IT Command Group IT Operations Support Group Infrastructure Team Leader Applications Team Leader Facilities Director Logistics & Vendor Support Finance/Administration Hospital Command IT Facility and Technical Teams IT Facility Coordinators Applications Teams Infrastructure Teams Data Recovery Teams IT Security IT Executive(s)
DISASTER RECOVERY PLANNING FOR HEALTHCARE DRP SCENARIO PLANNING PONDURANCE 15 • Ensure your response procedures have adequate flexibility to respond to both common and unique situations • Do not get too specific or box your plans to a certain scenario, use situations that may prompt a certain response • Align your response planning with the applicable Hospital Command (if that is applicable) • Remember that disasters related to technology could take on physical form, logical form, or a combination of the 2 • While area-wide disasters are less likely to occur, they need to be at least considered (think Hurricanes Sandy, Katrina; Northeast power outage; ice storms, etc.)
DISASTER RECOVERY PLANNING FOR HEALTHCARE DRP SCENARIO PLANNING - EXAMPLE PONDURANCE 16
DISASTER RECOVERY PLANNING FOR HEALTHCARE REVIEW YOUR DATA BACKUP AND RECOVERY PONDURANCE 17 • Ensure the data backup scheme complements the Recovery Time and Recovery Point Objectives (RTOs & RPOs) • Tapes are fine, but often they are either not removed from the site or are taken offsite 1x per week • If the backups (tape or disk) are not tested periodically to verify full restoration, the capability to restore is questionable • If the backup tapes are not encrypted when removed offsite, you are introducing a whole new set of risk • Don’t blindly jump to a high availability strategy if it is not justified. It is entirely possible that even a replication strategy is not necessary, and a high availability strategy may completely over-engineer the program • BUT…only proper analysis can provide that answer
DISASTER RECOVERY PLANNING FOR HEALTHCARE DRP DOCUMENTATION CONSIDERATIONS PONDURANCE 18 • Consider segmented action plan documents that are managed by accountable person(s), but provide seamless integration and consistency in format • Have a Central Plan to drive communications and Emergency Response • Have “extracts” or job action sheets that represent specific technical procedures for rebuild, restore, recover, etc. • Assign accountability as appropriate, and add depth to preserve continuity • Ensure the procedures are fairly thorough, but do not drive inflexibility or box the responders into a single set of actions • Store the plans where they are accessible, particularly if your internal systems fail • Ensure the plan appendices have adequate reference information (key vendors and contacts, location of stored equipment, etc.)
DISASTER RECOVERY PLANNING FOR HEALTHCARE DRP DOCUMENTATION CONSIDERATIONS PONDURANCE 19
DISASTER RECOVERY PLANNING FOR HEALTHCAREPONDURANCE 20 A FULL BCM METHODOLOGY (WITH DRP CONSIDERATIONS)
DISASTER RECOVERY PLANNING FOR HEALTHCARE 6 DOMAINS TO CONSIDER FOR BUILDING BCM PONDURANCE 21 Assess the entity controls that integrate, manage, and sustain a viable BCM throughout the enterprise 1. Program Management •Program Definition – Establish the program is formally developed and integrated •Support and Accountability – Establish the program is supported at the highest level of the org •Budget Planning and Program Evaluation – The org is committed to sustaining program viability The organization has defined its recovery, restoration, and high availability requirements related to business processes, applications, infrastructure & data 2. Requirements Definition •Risk Analysis and Treatment – Establish the org has analyzed its risk posture, reasonably reduce risk •The BIA Methodology – Establish the org maintains formal method to define impacts, prioritize criticality •Data Flows and Dependencies – Establish that dependencies (internal/external) are documented •Analysis and Reporting – Establish that BIA results are aggregated, prioritized, and approved Assess the organization’s method for developing continuity and availability strategies, within its maximum tolerable downtime. 3. Strategy Selection •Staff and Support Requirements – Establish that strategies are developed based on defined requirements •Course of Action Analysis – Establish that the cost to maintain strategies in line with risk tolerance •Monitor, Evaluate for Change – Establish that strategies are periodically evaluated for change
DISASTER RECOVERY PLANNING FOR HEALTHCARE 6 DOMAINS TO CONSIDER FOR AUDIT PONDURANCE 22 Assess the sufficiency, completeness, applicability, and implementation of the organization’s documented BCP/DRP plans.4. Plan Development •Plan Components & Framework – Establish plans are documented, align with requirements •Supporting, Storing Plans – Establish plans are accessible, assigned to process owners •Plan Updates – Establish plans change as processes, technologies, people change Assess the organization’s method for vendor selection and oversight relevant to the BCM program.5. Vendor Management •Vendor Contracting – Establish vendors are screened, will meet contractual requirements •Critical Vendor Dependencies – Establish critical dependencies are known, accounted for •Vendor Integration, Testing – Establish vendors occasionally participate in tests/exercises Assess the organization’s capability to test and maintain the viability of its BCM program. 6. Implementation, Maintenance •Testing and Validation – Establish plans are valid through scheduled, ongoing testing •Change Management – Establish changes required to BCM are formalized •Workforce Awareness – Establish workforce members are aware of the BCM program
DISASTER RECOVERY PLANNING FOR HEALTHCARE CONSIDER A MATURITY MODEL APPROACH PONDURANCE 23 As of: SEPTEMBER 2012 Client: Affiliate: Maturity Rating Not Addressed Minimally Addressed Emerging Managed 1 41% 0 0 5 7 1.1 25% 0 0 1 2 1.2 45% 0 0 2 3 1.3 54% 0 0 2 2 2 46% 0 2 10 4 2.1 25% 0 1 3 0 2.2 59% 0 0 0 4 2.3 25% 0 1 3 0 2.4 75% 0 0 4 0 3 61% 0 1 6 4 3.1 56% 0 0 3 3 3.2 47% 0 1 2 0 3.3 80% 0 0 1 1 4 38% 0 0 6 5 4.1 50% 0 0 4 2 4.2 40% 0 0 0 2 4.3 25% 0 0 2 1 5 30% 0 4 2 3 5.1 25% 0 0 1 2 5.2 40% 0 3 0 1 5.3 25% 0 1 1 0 6 67% 0 0 4 7 6.1 75% 0 0 1 3 6.2 50% 0 0 3 0 6.3 75% 0 0 0 4 47% 0 7 33 30 CLIENT NAME SUB ORGANIZATION QUANTIFIED BCM FINDINGS (# of findings per maturity level) Vendor Contracting Data Flows and Dependencies Plan Updates Supporting and Storing the Plans Program Definition REQUIREMENTS DEFINITION The BIA Methodology Support and Accountability Budget Planning and Program Evaluation Risk Analysis and Treatment Analysis and Reporting STRATEGY SELECTION Change Management Workforce Awareness Enterprise BCM Principles Critical Vendor Dependencies Vendor Integration and Testing PLAN IMPLEMENTATION & MAINTENANCE Testing and Validation Scoring PROGRAM MANAGEMENT Staff and Support Requirements VENDOR MANAGEMENT Course of Action Analysis Monitor and Evaluate for Change PLAN DEVELOPMENT Plan Components and Framework • Facilitates Scalable Program • Isolates Highest Risk Areas • Accounts for areas to sustain • Incorporates All Findings from the Audit
DISASTER RECOVERY PLANNING FOR HEALTHCAREPONDURANCE 24 DRP TRENDS & STANDARDS
DISASTER RECOVERY PLANNING FOR HEALTHCARE EMERGING TRENDS IN DRP PONDURANCE 25 • Virtualization helps reduce number of overall IT assets, improves system uptime…but beware of single points of failure! • Cloud computing provides a viable outsourcing option for production technologies…but be sure your cloud vendor is capable of meeting your RTOs, RPOs! • Mobile devices provide a means of portability for documented plans, communications, and rapid response…but be sure phones are secure, encrypt if possible! • Social networking provides an effective way to broadcast incidents, particularly for crisis management…but be sure that the messages are controlled!
DISASTER RECOVERY PLANNING FOR HEALTHCARE CURRENT AND EMERGING STANDARDS PONDURANCE 26 • Business Continuity Institute - Good Practice Guideline (2010) • BS 25999 Business Continuity – BSI’s practices guideline • Disaster Recovery Institute (DRI) – Professional Practices for BCM • ISO/IEC 22301:2012 – One of the newest, aligned with the ISO27k set of standards
DISASTER RECOVERY PLANNING FOR HEALTHCARE Ron Pelletier, CISSP, CBCP, CISA, QSA VP and Executive Manager QUESTIONS ron.pelletier@pondurance.com www.pondurance.com Pondurance 3105 East 98th Street Suite 120 Indianapolis, IN 46280

Empfohlen

IT-Centric Disaster Recovery & Business Continuity
IT-Centric Disaster Recovery & Business ContinuityIT-Centric Disaster Recovery & Business Continuity
IT-Centric Disaster Recovery & Business Continuity
Steve Susina
 
Business Continuity & Disaster Recovery
Business Continuity & Disaster RecoveryBusiness Continuity & Disaster Recovery
Business Continuity & Disaster Recovery
EC-Council
 
Bcp
BcpBcp
Bcp
madunix
 
Disaster Recovery Planning PowerPoint Presentation Slides
Disaster Recovery Planning PowerPoint Presentation SlidesDisaster Recovery Planning PowerPoint Presentation Slides
Disaster Recovery Planning PowerPoint Presentation Slides
SlideTeam
 
Disaster Recovery Plan / Enterprise Continuity Plan
Disaster Recovery Plan / Enterprise Continuity PlanDisaster Recovery Plan / Enterprise Continuity Plan
Disaster Recovery Plan / Enterprise Continuity Plan
Marcelo Silva
 
An Introduction to Disaster Recovery Planning
An Introduction to Disaster Recovery PlanningAn Introduction to Disaster Recovery Planning
An Introduction to Disaster Recovery Planning
NEBizRecovery
 
Disaster Recovery Plan
Disaster Recovery PlanDisaster Recovery Plan
Disaster Recovery Plan
mhdpaknejad
 
How to write an IT DR plan
How to write an IT DR planHow to write an IT DR plan
How to write an IT DR plan
Databarracks
 

Empfohlen

IT-Centric Disaster Recovery & Business Continuity
IT-Centric Disaster Recovery & Business ContinuityIT-Centric Disaster Recovery & Business Continuity
IT-Centric Disaster Recovery & Business Continuity
Steve Susina
 
Business Continuity & Disaster Recovery
Business Continuity & Disaster RecoveryBusiness Continuity & Disaster Recovery
Business Continuity & Disaster Recovery
EC-Council
 
Bcp
BcpBcp
Bcp
madunix
 
Disaster Recovery Planning PowerPoint Presentation Slides
Disaster Recovery Planning PowerPoint Presentation SlidesDisaster Recovery Planning PowerPoint Presentation Slides
Disaster Recovery Planning PowerPoint Presentation Slides
SlideTeam
 
Disaster Recovery Plan / Enterprise Continuity Plan
Disaster Recovery Plan / Enterprise Continuity PlanDisaster Recovery Plan / Enterprise Continuity Plan
Disaster Recovery Plan / Enterprise Continuity Plan
Marcelo Silva
 
An Introduction to Disaster Recovery Planning
An Introduction to Disaster Recovery PlanningAn Introduction to Disaster Recovery Planning
An Introduction to Disaster Recovery Planning
NEBizRecovery
 
Disaster Recovery Plan
Disaster Recovery PlanDisaster Recovery Plan
Disaster Recovery Plan
mhdpaknejad
 
How to write an IT DR plan
How to write an IT DR planHow to write an IT DR plan
How to write an IT DR plan
Databarracks
 
Disaster Recovery Plan
Disaster Recovery PlanDisaster Recovery Plan
Disaster Recovery Plan
Indeevari Ramanayake
 
Disaster Recovery Planning
Disaster Recovery PlanningDisaster Recovery Planning
Disaster Recovery Planning
John Wilson
 
Business continuity planning and disaster recovery
Business continuity planning and disaster recoveryBusiness continuity planning and disaster recovery
Business continuity planning and disaster recovery
KrutiShah114
 
Business Continuity Planning Presentation Overview
Business Continuity Planning Presentation OverviewBusiness Continuity Planning Presentation Overview
Business Continuity Planning Presentation Overview
Bob Winkler
 
PECB Webinar: The importance of business impact analysis
PECB Webinar: The importance of business impact analysisPECB Webinar: The importance of business impact analysis
PECB Webinar: The importance of business impact analysis
PECB
 
Business Continuity Planning
Business Continuity PlanningBusiness Continuity Planning
Business Continuity Planning
alanlund
 
Bcp drp
Bcp drpBcp drp
Bcp drp
aqel aqel
 
Disaster Recovery Presentation
Disaster Recovery PresentationDisaster Recovery Presentation
Disaster Recovery Presentation
TimSchaefer
 
Best Practices in Disaster Recovery Planning and Testing
Best Practices in Disaster Recovery Planning and TestingBest Practices in Disaster Recovery Planning and Testing
Best Practices in Disaster Recovery Planning and Testing
Axcient
 
IT Disaster Recovery Readiness
IT Disaster Recovery ReadinessIT Disaster Recovery Readiness
IT Disaster Recovery Readiness
Bashar Alkhatib
 
Disaster Recovery Plan
Disaster Recovery Plan Disaster Recovery Plan
Disaster Recovery Plan
Emilie Gray
 
Business Continuity Workshop Final
Business Continuity Workshop FinalBusiness Continuity Workshop Final
Business Continuity Workshop Final
Bill Lisse
 
Information Technology Disaster Planning
Information Technology Disaster PlanningInformation Technology Disaster Planning
Information Technology Disaster Planning
guest340570
 
Business Continuity Planning
Business Continuity PlanningBusiness Continuity Planning
Business Continuity Planning
Dipankar Ghosh
 
Disaster Recovery Plan
Disaster Recovery PlanDisaster Recovery Plan
Disaster Recovery Plan
David Donovan
 
Business Continuity Planning
Business Continuity PlanningBusiness Continuity Planning
Business Continuity Planning
gcleary
 
Business Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation SlidesBusiness Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation Slides
SlideTeam
 
Business continuity planning and disaster recovery
Business continuity planning and disaster recoveryBusiness continuity planning and disaster recovery
Business continuity planning and disaster recovery
madunix
 
Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)
Narudom Roongsiriwong, CISSP
 
Disaster Recovery Plan for IT
Disaster Recovery Plan for ITDisaster Recovery Plan for IT
Disaster Recovery Plan for IT
hhuihhui
 
King Tirana Disaster Risk final - Introduction to Risk Management: Concepts, ...
King Tirana Disaster Risk final - Introduction to Risk Management: Concepts, ...King Tirana Disaster Risk final - Introduction to Risk Management: Concepts, ...
King Tirana Disaster Risk final - Introduction to Risk Management: Concepts, ...
UNESCO Venice Office
 
Disaster Recovery Planning
Disaster Recovery PlanningDisaster Recovery Planning
Disaster Recovery Planning
Soetam Rizky
 

Weitere ähnliche Inhalte

Was ist angesagt?

Disaster Recovery Presentation
Disaster Recovery PresentationDisaster Recovery Presentation
Disaster Recovery Presentation
TimSchaefer
 
Best Practices in Disaster Recovery Planning and Testing
Best Practices in Disaster Recovery Planning and TestingBest Practices in Disaster Recovery Planning and Testing
Best Practices in Disaster Recovery Planning and Testing
Axcient
 
Information Technology Disaster Planning
Information Technology Disaster PlanningInformation Technology Disaster Planning
Information Technology Disaster Planning
guest340570
 
Disaster Recovery Plan
Disaster Recovery PlanDisaster Recovery Plan
Disaster Recovery Plan
David Donovan
 
Business Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation SlidesBusiness Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation Slides
SlideTeam
 
Disaster Recovery Plan for IT
Disaster Recovery Plan for ITDisaster Recovery Plan for IT
Disaster Recovery Plan for IT
hhuihhui
 

Was ist angesagt? (20)

Disaster Recovery Plan
Disaster Recovery PlanDisaster Recovery Plan
Disaster Recovery Plan
 
Disaster Recovery Planning
Disaster Recovery PlanningDisaster Recovery Planning
Disaster Recovery Planning
 
Business continuity planning and disaster recovery
Business continuity planning and disaster recoveryBusiness continuity planning and disaster recovery
Business continuity planning and disaster recovery
 
Business Continuity Planning Presentation Overview
Business Continuity Planning Presentation OverviewBusiness Continuity Planning Presentation Overview
Business Continuity Planning Presentation Overview
 
PECB Webinar: The importance of business impact analysis
PECB Webinar: The importance of business impact analysisPECB Webinar: The importance of business impact analysis
PECB Webinar: The importance of business impact analysis
 
Business Continuity Planning
Business Continuity PlanningBusiness Continuity Planning
Business Continuity Planning
 
Bcp drp
Bcp drpBcp drp
Bcp drp
 
Disaster Recovery Presentation
Disaster Recovery PresentationDisaster Recovery Presentation
Disaster Recovery Presentation
 
Best Practices in Disaster Recovery Planning and Testing
Best Practices in Disaster Recovery Planning and TestingBest Practices in Disaster Recovery Planning and Testing
Best Practices in Disaster Recovery Planning and Testing
 
IT Disaster Recovery Readiness
IT Disaster Recovery ReadinessIT Disaster Recovery Readiness
IT Disaster Recovery Readiness
 
Disaster Recovery Plan
Disaster Recovery Plan Disaster Recovery Plan
Disaster Recovery Plan
 
Business Continuity Workshop Final
Business Continuity Workshop FinalBusiness Continuity Workshop Final
Business Continuity Workshop Final
 
Information Technology Disaster Planning
Information Technology Disaster PlanningInformation Technology Disaster Planning
Information Technology Disaster Planning
 
Business Continuity Planning
Business Continuity PlanningBusiness Continuity Planning
Business Continuity Planning
 
Disaster Recovery Plan
Disaster Recovery PlanDisaster Recovery Plan
Disaster Recovery Plan
 
Business Continuity Planning
Business Continuity PlanningBusiness Continuity Planning
Business Continuity Planning
 
Business Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation SlidesBusiness Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation Slides
 
Business continuity planning and disaster recovery
Business continuity planning and disaster recoveryBusiness continuity planning and disaster recovery
Business continuity planning and disaster recovery
 
Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)
 
Disaster Recovery Plan for IT
Disaster Recovery Plan for ITDisaster Recovery Plan for IT
Disaster Recovery Plan for IT
 

Andere mochten auch

Disaster Recovery Planning - Anthology 2009
Disaster Recovery Planning - Anthology 2009 Disaster Recovery Planning - Anthology 2009
Disaster Recovery Planning - Anthology 2009
Soetam Rizky
 
Disaster recovery on demand on the cloud
Disaster recovery on demand on the cloudDisaster recovery on demand on the cloud
Disaster recovery on demand on the cloud
Nati Shalom
 

Andere mochten auch (11)

King Tirana Disaster Risk final - Introduction to Risk Management: Concepts, ...
King Tirana Disaster Risk final - Introduction to Risk Management: Concepts, ...King Tirana Disaster Risk final - Introduction to Risk Management: Concepts, ...
King Tirana Disaster Risk final - Introduction to Risk Management: Concepts, ...
 
Disaster Recovery Planning
Disaster Recovery PlanningDisaster Recovery Planning
Disaster Recovery Planning
 
Disaster Recovery Planning - Anthology 2009
Disaster Recovery Planning - Anthology 2009 Disaster Recovery Planning - Anthology 2009
Disaster Recovery Planning - Anthology 2009
 
Qatar Proposal
Qatar ProposalQatar Proposal
Qatar Proposal
 
Disaster recovery on demand on the cloud
Disaster recovery on demand on the cloudDisaster recovery on demand on the cloud
Disaster recovery on demand on the cloud
 
Symantec Endpoint Protection
Symantec Endpoint ProtectionSymantec Endpoint Protection
Symantec Endpoint Protection
 
Why Software-Defined Storage Matters
Why Software-Defined Storage MattersWhy Software-Defined Storage Matters
Why Software-Defined Storage Matters
 
Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines
Symantec Endpoint Protection Enterprise Edition Best Practices GuidelinesSymantec Endpoint Protection Enterprise Edition Best Practices Guidelines
Symantec Endpoint Protection Enterprise Edition Best Practices Guidelines
 
Dell EMC Spanning
Dell EMC SpanningDell EMC Spanning
Dell EMC Spanning
 
Pecha Kuch - BCP & DRP - By Balasubramanian P
Pecha Kuch - BCP & DRP - By Balasubramanian P Pecha Kuch - BCP & DRP - By Balasubramanian P
Pecha Kuch - BCP & DRP - By Balasubramanian P
 
ISO 22301: The New Standard for Business Continuity Best Practice
ISO 22301: The New Standard for Business Continuity Best PracticeISO 22301: The New Standard for Business Continuity Best Practice
ISO 22301: The New Standard for Business Continuity Best Practice
 

Ähnlich wie Disaster Recovery Planning

Practical_Guide_for_Disaster_Avoidance
Practical_Guide_for_Disaster_AvoidancePractical_Guide_for_Disaster_Avoidance
Practical_Guide_for_Disaster_Avoidance
Joe Soroka
 
Module 9 - External Crisis – What to do!.pptx
Module 9 - External Crisis – What to do!.pptxModule 9 - External Crisis – What to do!.pptx
Module 9 - External Crisis – What to do!.pptx
caniceconsulting
 
During week 6 we develop the theory and application of capital bud.docx
During week 6 we develop the theory and application of capital bud.docxDuring week 6 we develop the theory and application of capital bud.docx
During week 6 we develop the theory and application of capital bud.docx
jacksnathalie
 
Business Continuity Plan
Business Continuity PlanBusiness Continuity Plan
Business Continuity Plan
BizPlanss
 
Microsoft Navigating Incident Response [EN].pdf
Microsoft Navigating Incident Response [EN].pdfMicrosoft Navigating Incident Response [EN].pdf
Microsoft Navigating Incident Response [EN].pdf
Snarky Security
 
Running head Residency DRP Research Paper OutlineResidency DR.docx
Running head Residency DRP Research Paper OutlineResidency DR.docxRunning head Residency DRP Research Paper OutlineResidency DR.docx
Running head Residency DRP Research Paper OutlineResidency DR.docx
todd521
 
Topic Describe each of the elements of a Business Continuity Plan .docx
Topic Describe each of the elements of a Business Continuity Plan .docxTopic Describe each of the elements of a Business Continuity Plan .docx
Topic Describe each of the elements of a Business Continuity Plan .docx
juliennehar
 
JC EM Conference 2013 -Paturas
JC EM Conference 2013 -PaturasJC EM Conference 2013 -Paturas
JC EM Conference 2013 -Paturas
jpaturas
 
Business continuity & disaster recovery
Business continuity & disaster recoveryBusiness continuity & disaster recovery
Business continuity & disaster recovery
George Coutsoumbidis
 

Ähnlich wie Disaster Recovery Planning (20)

contingency planning in health care delivery
contingency planning in health care deliverycontingency planning in health care delivery
contingency planning in health care delivery
 
A Guide to Disaster Preparedness for Businesses
A Guide to Disaster Preparedness for BusinessesA Guide to Disaster Preparedness for Businesses
A Guide to Disaster Preparedness for Businesses
 
Practical_Guide_for_Disaster_Avoidance
Practical_Guide_for_Disaster_AvoidancePractical_Guide_for_Disaster_Avoidance
Practical_Guide_for_Disaster_Avoidance
 
Business continuity & Disaster recovery planing
Business continuity & Disaster recovery planingBusiness continuity & Disaster recovery planing
Business continuity & Disaster recovery planing
 
Module 9 - External Crisis – What to do!.pptx
Module 9 - External Crisis – What to do!.pptxModule 9 - External Crisis – What to do!.pptx
Module 9 - External Crisis – What to do!.pptx
 
SQMS_5.pptx
SQMS_5.pptxSQMS_5.pptx
SQMS_5.pptx
 
Continuity Planning 101
Continuity Planning 101Continuity Planning 101
Continuity Planning 101
 
During week 6 we develop the theory and application of capital bud.docx
During week 6 we develop the theory and application of capital bud.docxDuring week 6 we develop the theory and application of capital bud.docx
During week 6 we develop the theory and application of capital bud.docx
 
Business Continuity Plan
Business Continuity PlanBusiness Continuity Plan
Business Continuity Plan
 
Microsoft Navigating Incident Response [EN].pdf
Microsoft Navigating Incident Response [EN].pdfMicrosoft Navigating Incident Response [EN].pdf
Microsoft Navigating Incident Response [EN].pdf
 
Running head Residency DRP Research Paper OutlineResidency DR.docx
Running head Residency DRP Research Paper OutlineResidency DR.docxRunning head Residency DRP Research Paper OutlineResidency DR.docx
Running head Residency DRP Research Paper OutlineResidency DR.docx
 
Topic Describe each of the elements of a Business Continuity Plan .docx
Topic Describe each of the elements of a Business Continuity Plan .docxTopic Describe each of the elements of a Business Continuity Plan .docx
Topic Describe each of the elements of a Business Continuity Plan .docx
 
JC EM Conference 2013 -Paturas
JC EM Conference 2013 -PaturasJC EM Conference 2013 -Paturas
JC EM Conference 2013 -Paturas
 
Disaster Recovery Policy
Disaster Recovery PolicyDisaster Recovery Policy
Disaster Recovery Policy
 
Business continuity & disaster recovery
Business continuity & disaster recoveryBusiness continuity & disaster recovery
Business continuity & disaster recovery
 
Pandemic planning and implementation for business resiliency
Pandemic planning and implementation for business resiliencyPandemic planning and implementation for business resiliency
Pandemic planning and implementation for business resiliency
 
Key Features of Effective Business Continuity Plan
Key Features of Effective Business Continuity PlanKey Features of Effective Business Continuity Plan
Key Features of Effective Business Continuity Plan
 
IT Business Continuity Planning 2004
IT Business Continuity Planning 2004IT Business Continuity Planning 2004
IT Business Continuity Planning 2004
 
Irs intro unit 2 irs overview usfs ip (1)
Irs intro unit 2 irs overview usfs ip (1)Irs intro unit 2 irs overview usfs ip (1)
Irs intro unit 2 irs overview usfs ip (1)
 
Risk crisis nad management
Risk crisis nad managementRisk crisis nad management
Risk crisis nad management
 

Kürzlich hochgeladen

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Kürzlich hochgeladen (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Disaster Recovery Planning

  • 1. DISASTER RECOVERY PLANNING FOR HEALTHCARE Ron Pelletier, CISSP, CBCP, CISA, QSA VP and Executive Manager FOR HEALTHCARE ORGANIZATIONS DISASTER RECOVERY PLANNING INMGA – August 11, 2015
  • 2. DISASTER RECOVERY PLANNING FOR HEALTHCARE AGENDA • Disaster Recovery Planning Overview • General DRP Considerations • A BCM Methodology (encompasses DRP) • Trends and Standards • Questions PONDURANCE 2
  • 3. DISASTER RECOVERY PLANNING FOR HEALTHCAREPONDURANCE 3 DISASTER RECOVERY PLANNING OVERVIEW
  • 4. DISASTER RECOVERY PLANNING FOR HEALTHCARE SIMPLIFIED DRP TERMS PONDURANCE 4 Disaster Recovery – Planning to sustain supporting technology & data. Crisis Management – Preserving life safety and business image. Business Impact Analysis – Establish the organization’s critical path. Recovery Time Objective – When do the systems/processes need to be restored? Recovery Point Objective – How much data can you stand to lose? Maximum Tolerable Downtime – What is the point of unacceptable risk? Risk Tolerance – Collective picture of risk management and BCM. High Availability – When downtime of systems/data is not an option. Minimum Operating Requirements – What do you need, and when, to get by.
  • 5. DISASTER RECOVERY PLANNING FOR HEALTHCARE WHERE DOES DRP FIT IN THE BCM LIFECYCLE? PONDURANCE 5 BCM Business Continuity Planning Disaster Recovery Planning High Availability Risk Management Incident Response Crisis Management (general, not all inclusive)
  • 6. DISASTER RECOVERY PLANNING FOR HEALTHCARE TRADITIONAL THINKING ON DISASTER RECOVERY PONDURANCE 6 Disaster Recovery vs. Business Continuity PEOPLE BUSINESS PROCESSES PROCESS CONTINUITY BUSINESS PROCESSES DRPDRPDRP Disaster Recovery Business Continuity TECH/DATA RESTORE B U S I N E S S C O N T I N U I T Y B U S I E N S S C O N T I N U I T Y
  • 7. DISASTER RECOVERY PLANNING FOR HEALTHCARE THE INTEGRATED PERSPECTIVE PONDURANCE 7 Defined Tolerance for Risk Program Exercising, Change Management, Maintenance (BCP) Business Continuity Planning (DRP) Disaster Recovery Planning DRP Strategies BCP Strategies DRP Documentation BCP Documentation The Risk Analysis Phase Current State Assessment Threat and Risk Assessment Business Impact Analysis CRISIS MANAGEMENT • Owns Initial and Ongoing Response • Allocates Emergency Resources • MAKES DECISIONS AS REQUIRED • Functions as Steering Committee
  • 8. DISASTER RECOVERY PLANNING FOR HEALTHCAREPONDURANCE 8 GENERAL DRP CONSIDERATIONS
  • 9. DISASTER RECOVERY PLANNING FOR HEALTHCARE EVALUATE YOUR OPERATING RISK PONDURANCE 9 • PREPARE TO AVOID BUT PLAN TO RESPOND!! • Human, technical, operational and strategic threats MUST be considered to formulate a viable avoidance and/or response posture • Look for single points of failure that might not have been considered (control systems, joined power junctions, shared data closets, shared passwords, single communication gateway) • Consider your level of reliance on other entities (parent organizations, shared services, external service providers, etc.) • Integrate your risk assessment process with Cyber Security efforts. According to KPMG’s BCM Survey Only 41% of Companies integrate BCM with Cyber Security • Do you have specific technologies at your site that are not typically supported by a shared services organization? • Do you have a defined owner or custodian for your Disaster Recovery Planning efforts?
  • 10. DISASTER RECOVERY PLANNING FOR HEALTHCARE DEFINING RISK TOLERANCE FOR DRP PONDURANCE 10 $ and Operational Impacts Manual Processing Application ‘X’ in 72 Hours Application ‘X’ in24 Hours Management Negotiation Based on Risk Tolerance Recovery Time Objectives (RTO’s) Recovery Point Objectives (RPOs) Current Recovery Capabilities (CRC’s) Information Technology Group Current State Assessment Maximum Tolerable Downtimes (MTD’s) Business Unit Personnel Business Impact Analysis
  • 11. DISASTER RECOVERY PLANNING FOR HEALTHCARE RISK TOLERANCE AND HEALTHCARE PONDURANCE 11 • Two schools of thought can muddy the water when considering technology downtime in healthcare: o “We have been treating patients for centuries without technology…we can live without it indefinitely” o “We have grown so dependent on technology that we cannot be inconvenienced by its loss for even a single hour” • How do you appropriately consider the risk to your organization, without trying to “over-engineer” a solution? • What happens if technology platforms are down for extended periods of time?
  • 12. DISASTER RECOVERY PLANNING FOR HEALTHCARE RISK TOLERANCE AND HEALTHCARE PONDURANCE 12 • Consider looking at 2 key criteria to arrive at true business impact: 1. Degradation of Care (Life Safety): The degradation of care considers specific risks of patient-safety, if care professionals do not have access to all patient records that may provide insight into patient profiles (e.g., pharmaceuticals, allergies, past procedures, etc). 2. Patient Throughput (Financial and Operational): “Throughput” represents the number of patients that can be reasonably and safely treated over a given period of time. Without a level of automation and record accessibility, it’s logical to assume that hospitals will not be able to attend to, admit, or discharge the “normal” volume of patients with the same level of efficiency. This can lead to direct financial impacts, as it would likely lead to a reduced and untimely level of billing for patient care. • Use qualitative measures where they make sense, but attempt to arrive at a Recovery Time Objective for each key system (HIPAA denotes this as “addressable”)
  • 13. DISASTER RECOVERY PLANNING FOR HEALTHCARE DEVELOPING DRP ROLES/RESPONSIBILITIES PONDURANCE 13 • Consider a 360 degree approach to ensure appropriate organizational coverage • Look outside the organization to determine if there are groups/entities with whom you need to coordinate your strategies and plans • If you are part of a hospital system, have you integrated with their Hospital Command? • If you have personal that you contract to facilities, do you know what their plans are if their facilities are impacted? • Break down the roles and corresponding plans to facilitate action and accountability • How do you define an incident commander? • What about facilities? Specific technologies?
  • 14. DISASTER RECOVERY PLANNING FOR HEALTHCARE DEVELOPING DRP ROLES/RESPONSIBILITIES (SAMPLE ORG CHART FOR DRP) PONDURANCE 14 IT Incident Commander TBD at Time of Incident IT Customer Support Center Lead IT Hospital Command Liaison IT Safety/Security/Privacy Officer IT Command Group IT Operations Support Group Infrastructure Team Leader Applications Team Leader Facilities Director Logistics & Vendor Support Finance/Administration Hospital Command IT Facility and Technical Teams IT Facility Coordinators Applications Teams Infrastructure Teams Data Recovery Teams IT Security IT Executive(s)
  • 15. DISASTER RECOVERY PLANNING FOR HEALTHCARE DRP SCENARIO PLANNING PONDURANCE 15 • Ensure your response procedures have adequate flexibility to respond to both common and unique situations • Do not get too specific or box your plans to a certain scenario, use situations that may prompt a certain response • Align your response planning with the applicable Hospital Command (if that is applicable) • Remember that disasters related to technology could take on physical form, logical form, or a combination of the 2 • While area-wide disasters are less likely to occur, they need to be at least considered (think Hurricanes Sandy, Katrina; Northeast power outage; ice storms, etc.)
  • 16. DISASTER RECOVERY PLANNING FOR HEALTHCARE DRP SCENARIO PLANNING - EXAMPLE PONDURANCE 16
  • 17. DISASTER RECOVERY PLANNING FOR HEALTHCARE REVIEW YOUR DATA BACKUP AND RECOVERY PONDURANCE 17 • Ensure the data backup scheme complements the Recovery Time and Recovery Point Objectives (RTOs & RPOs) • Tapes are fine, but often they are either not removed from the site or are taken offsite 1x per week • If the backups (tape or disk) are not tested periodically to verify full restoration, the capability to restore is questionable • If the backup tapes are not encrypted when removed offsite, you are introducing a whole new set of risk • Don’t blindly jump to a high availability strategy if it is not justified. It is entirely possible that even a replication strategy is not necessary, and a high availability strategy may completely over-engineer the program • BUT…only proper analysis can provide that answer
  • 18. DISASTER RECOVERY PLANNING FOR HEALTHCARE DRP DOCUMENTATION CONSIDERATIONS PONDURANCE 18 • Consider segmented action plan documents that are managed by accountable person(s), but provide seamless integration and consistency in format • Have a Central Plan to drive communications and Emergency Response • Have “extracts” or job action sheets that represent specific technical procedures for rebuild, restore, recover, etc. • Assign accountability as appropriate, and add depth to preserve continuity • Ensure the procedures are fairly thorough, but do not drive inflexibility or box the responders into a single set of actions • Store the plans where they are accessible, particularly if your internal systems fail • Ensure the plan appendices have adequate reference information (key vendors and contacts, location of stored equipment, etc.)
  • 19. DISASTER RECOVERY PLANNING FOR HEALTHCARE DRP DOCUMENTATION CONSIDERATIONS PONDURANCE 19
  • 20. DISASTER RECOVERY PLANNING FOR HEALTHCAREPONDURANCE 20 A FULL BCM METHODOLOGY (WITH DRP CONSIDERATIONS)
  • 21. DISASTER RECOVERY PLANNING FOR HEALTHCARE 6 DOMAINS TO CONSIDER FOR BUILDING BCM PONDURANCE 21 Assess the entity controls that integrate, manage, and sustain a viable BCM throughout the enterprise 1. Program Management •Program Definition – Establish the program is formally developed and integrated •Support and Accountability – Establish the program is supported at the highest level of the org •Budget Planning and Program Evaluation – The org is committed to sustaining program viability The organization has defined its recovery, restoration, and high availability requirements related to business processes, applications, infrastructure & data 2. Requirements Definition •Risk Analysis and Treatment – Establish the org has analyzed its risk posture, reasonably reduce risk •The BIA Methodology – Establish the org maintains formal method to define impacts, prioritize criticality •Data Flows and Dependencies – Establish that dependencies (internal/external) are documented •Analysis and Reporting – Establish that BIA results are aggregated, prioritized, and approved Assess the organization’s method for developing continuity and availability strategies, within its maximum tolerable downtime. 3. Strategy Selection •Staff and Support Requirements – Establish that strategies are developed based on defined requirements •Course of Action Analysis – Establish that the cost to maintain strategies in line with risk tolerance •Monitor, Evaluate for Change – Establish that strategies are periodically evaluated for change
  • 22. DISASTER RECOVERY PLANNING FOR HEALTHCARE 6 DOMAINS TO CONSIDER FOR AUDIT PONDURANCE 22 Assess the sufficiency, completeness, applicability, and implementation of the organization’s documented BCP/DRP plans.4. Plan Development •Plan Components & Framework – Establish plans are documented, align with requirements •Supporting, Storing Plans – Establish plans are accessible, assigned to process owners •Plan Updates – Establish plans change as processes, technologies, people change Assess the organization’s method for vendor selection and oversight relevant to the BCM program.5. Vendor Management •Vendor Contracting – Establish vendors are screened, will meet contractual requirements •Critical Vendor Dependencies – Establish critical dependencies are known, accounted for •Vendor Integration, Testing – Establish vendors occasionally participate in tests/exercises Assess the organization’s capability to test and maintain the viability of its BCM program. 6. Implementation, Maintenance •Testing and Validation – Establish plans are valid through scheduled, ongoing testing •Change Management – Establish changes required to BCM are formalized •Workforce Awareness – Establish workforce members are aware of the BCM program
  • 23. DISASTER RECOVERY PLANNING FOR HEALTHCARE CONSIDER A MATURITY MODEL APPROACH PONDURANCE 23 As of: SEPTEMBER 2012 Client: Affiliate: Maturity Rating Not Addressed Minimally Addressed Emerging Managed 1 41% 0 0 5 7 1.1 25% 0 0 1 2 1.2 45% 0 0 2 3 1.3 54% 0 0 2 2 2 46% 0 2 10 4 2.1 25% 0 1 3 0 2.2 59% 0 0 0 4 2.3 25% 0 1 3 0 2.4 75% 0 0 4 0 3 61% 0 1 6 4 3.1 56% 0 0 3 3 3.2 47% 0 1 2 0 3.3 80% 0 0 1 1 4 38% 0 0 6 5 4.1 50% 0 0 4 2 4.2 40% 0 0 0 2 4.3 25% 0 0 2 1 5 30% 0 4 2 3 5.1 25% 0 0 1 2 5.2 40% 0 3 0 1 5.3 25% 0 1 1 0 6 67% 0 0 4 7 6.1 75% 0 0 1 3 6.2 50% 0 0 3 0 6.3 75% 0 0 0 4 47% 0 7 33 30 CLIENT NAME SUB ORGANIZATION QUANTIFIED BCM FINDINGS (# of findings per maturity level) Vendor Contracting Data Flows and Dependencies Plan Updates Supporting and Storing the Plans Program Definition REQUIREMENTS DEFINITION The BIA Methodology Support and Accountability Budget Planning and Program Evaluation Risk Analysis and Treatment Analysis and Reporting STRATEGY SELECTION Change Management Workforce Awareness Enterprise BCM Principles Critical Vendor Dependencies Vendor Integration and Testing PLAN IMPLEMENTATION & MAINTENANCE Testing and Validation Scoring PROGRAM MANAGEMENT Staff and Support Requirements VENDOR MANAGEMENT Course of Action Analysis Monitor and Evaluate for Change PLAN DEVELOPMENT Plan Components and Framework • Facilitates Scalable Program • Isolates Highest Risk Areas • Accounts for areas to sustain • Incorporates All Findings from the Audit
  • 24. DISASTER RECOVERY PLANNING FOR HEALTHCAREPONDURANCE 24 DRP TRENDS & STANDARDS
  • 25. DISASTER RECOVERY PLANNING FOR HEALTHCARE EMERGING TRENDS IN DRP PONDURANCE 25 • Virtualization helps reduce number of overall IT assets, improves system uptime…but beware of single points of failure! • Cloud computing provides a viable outsourcing option for production technologies…but be sure your cloud vendor is capable of meeting your RTOs, RPOs! • Mobile devices provide a means of portability for documented plans, communications, and rapid response…but be sure phones are secure, encrypt if possible! • Social networking provides an effective way to broadcast incidents, particularly for crisis management…but be sure that the messages are controlled!
  • 26. DISASTER RECOVERY PLANNING FOR HEALTHCARE CURRENT AND EMERGING STANDARDS PONDURANCE 26 • Business Continuity Institute - Good Practice Guideline (2010) • BS 25999 Business Continuity – BSI’s practices guideline • Disaster Recovery Institute (DRI) – Professional Practices for BCM • ISO/IEC 22301:2012 – One of the newest, aligned with the ISO27k set of standards
  • 27. DISASTER RECOVERY PLANNING FOR HEALTHCARE Ron Pelletier, CISSP, CBCP, CISA, QSA VP and Executive Manager QUESTIONS ron.pelletier@pondurance.com www.pondurance.com Pondurance 3105 East 98th Street Suite 120 Indianapolis, IN 46280