1. Business Continuity Planning
What it is
Why you need it
How to do it
Last updated 18/09/2012 Slide 1
©2012 Managed Networks. The MN logo, circles device and DesktopLive logo are registered trademarks.
2. Agenda
• View from 30,000 feet
• Scary facts
• This is not a technology problem
• How to go about it
• Why backup isn’t enough
• Technologies and approaches
3. The view from 30,000 feet
Business Continuity Planning
...is about keeping your business running
...by anticipating and preventing problems
...by having planned responses to the incidents you can’t avoid
...is not just about technology
...is an ongoing process, not a one-off exercise
...needn’t be onerous, or expensive
...is required by FSA regulation
...features on public sector PQQs
...is increasingly part of your customers’ due-diligence
4. Scary facts
• 90% of businesses that lose data from a disaster are forced to shut within 2 years
• 80% of businesses without a well-structured recovery plan are forced to shut within 12 months of a flood or fire
• 43% of companies experiencing disasters never recover
• a company experiencing a computer outage lasting longer than 10 days will never recover its full financial capacity
• less than 50% of all organisations in the UK have a business continuity plan
• 43% of companies who have a business continuity plan do not test it annually to ensure that it works
• one out of 500 data centres experiences a severe disaster every year
• 58% of UK organisations were disrupted by September 11th, with one in eight severely affected
• 83% of [London] SMEs have no written contingency plan
(sources: LCC, Gartner, BIS)
5. This is not just an IT issue
This is a management problem – get board support first!
BCP is about protecting your business
Most businesses are about people: staff, customers, suppliers
IT is an enabling technology; for most businesses, no staff = no business, even if the technology is working
You must consider the business as a whole, and integrate IT continuity as part of a larger plan
Think about travel restrictions, pandemics, strike risks…
Think about physical accommodation, paper records, contact info…
Think about private knowledge and skills dependencies…
6. BCP lifecycle
A repeating cycle:
• Policy
• Business impact analysis
• Select prevention measures
• Select recovery strategies
• Plan and implement
• Test
• Maintain
7. Policy
• Get management support
• Define roles, responsibilities, scope and goals
• Understand the business context:
• Regulation
• Market
• Scale
• Priorities
• Write a continuity policy
• Integrate continuity into every business decision, don’t retrofit
• Communicate the policy
8. Business impact analysis
Understand what you are protecting
– Analyse business areas and prioritise them
– Work out the MTD (maximum tolerable downtime) – do this collaboratively
– Work through RTO (recovery time objective) and RPO (recovery point objective) with the business
Correlate people, activities and resources
– Map your processes
– Understand interdependencies
Look for single points of failure
– what’s your weakest link?
[Diagram: the business’s systems and services (email, file storage, telephony, the CMS, accounting, development tools and others) grouped into four priority tiers: Critical 2h + 15m; Important 4h + 4h; Material 8wh + 8wh; Desirable 3wd + 8wh]
9. Business impact analysis
Analyse the risks and threats
Specific (IT, staff, supply chain...)
What if Bob is run over?
What if the accounts system is unavailable?
What if our main supplier goes bust?
Organisational (fire, flood, burglary, loss of access...)
What if the pipes burst in the office ceiling?
What if our computers are stolen?
What if they find asbestos in the building?
General (terrorism, pandemic, weather...)
What if the transport network is shut down by a bomb or a threat of one?
What if half our staff are off sick?
What if the M62 is impassable for a week?
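Try to quantify risks where possible
– AV × EF = SLE (asset value × exposure factor = single loss expectancy)
– SLE × ARO = ALE (single loss expectancy × annualised rate of occurrence = annualised loss expectancy)
– ALE should exceed the annual cost of BCP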
10. Prevention measures
Prevention is better than cure
– It’s usually cheaper to avoid disaster than cope with it
Build in resilience where it’s cost-effective
– IT – multiple servers, RAID, redundant connections
– staff – have an understudy programme, document procedures
– data – keep key operational information on paper as well
– facilities – enable home working, trade-off with neighbours
Look for synergies and business gains to justify cost
– multiple servers improve performance
– understudying drives career growth and develops staff
– well-designed operational reports provide KPI measurement
– home working saves office costs and improves morale
Outsource risk
– service providers will spend more than you can on resilience
– their contract will give you financial compensation in the event of failure
– they aren’t tied to your location
– you can have more than one, if it’s affordable and makes sense
[Diagram labels: Physical, Administrative, Technical]
11. Sidenote: cost curve
Cost increases exponentially as RTO and RPO get shorter
BCP is a cost centre – expenditure must be cost-justified
[Chart: cost (£) rising as RTO/RPO shorten, with axis points ∞/∞, 3d/1d, 1d/1d, 4wh/4h, 2wh/15m and 0/0]
12. Recovery strategies
• Work out what you’ll do if prevention fails
• Have different plans for different incidents
• Break recovery down into discrete areas
– Understand priorities within areas (e.g. RTO vs RPO)
– Stay focused on cost/benefit
• Separate interim, recovery and normal operations
• Work outwards from the people, not inwards from the systems
– Look for workarounds
– Be prepared to compromise
– Be clear on responsibilities
13. Plan and implement
Start with the basics
no money, no business
no logistics, no business
no staff, no business
Paper, paper, paper
paper is instant-on, needs no power, works without installation and configuration, costs pretty well nothing per Mb, can be edited with a pencil – don’t underestimate it
Don’t be daunted
90% of BCP is common-sense
keep it simple
stick to your identified priorities
Delegate responsibility
spreading responsibility for planning improves execution
planners and leaders aren’t always the same people
Communicate and train
a plan no-one has seen before can’t be executed
14. Test
Test types:
• Checklist test: easily achieved
• Structured walk-through test: Representative workshop
• Simulation test: Let’s pretend
• Parallel test
• Full-interruption test: If you dare… assured
What did we forget?
– Check and test your assumptions
– “We changed the tape every day”
– “But only Bob knows the password”
– “Where can I get one of these...NOW?”
Surprise people
– Anticipated tests only test the plan, not the people
– Change the scenario
– What if it’s you that’s unavailable?
Document everything you learn
– If your results aren’t written back into the plan, they will be forgotten
– Next time you might not be there
Now do it for real
– If you can afford a full test, there is no substitute
– Real-world test = better data
– Publicise your test – involve customers and suppliers
– But don’t create a disaster in trying to avoid one
15. Maintain
Now do it all again
Don’t take your plan for granted
Your business will change
Build updating of the BCP into your change control process
Review the whole thing once a year
Reinforce the training
16. Backup is not enough
BCP depends on data backup, but data backup is not BCP.
BCP is about preventing interruption; since not all interruption can be prevented, it also requires disaster recovery.
DR also depends on data backup, but data backup is not DR either.
…why?
17. DR scenario: tape
6 days to recover, 2 days of data lost
• Friday: Fire at 5pm. How much data loss?
• Saturday: No Ultrium drives in PC World. Download software at home.
• Sunday: No progress.
• Monday: Order tape drive. Buy PC, install OS.
• Tuesday: Install tape drive. Install software.
• Wednesday: Restore completes. Restart applications.
• Thursday: Business back on-line.
Is the tape drive available?
Will the tape restore?
Will the applications work?
Can you survive the downtime and data loss?
Use removable disk?
• Have you got the hardware?
• Will the apps restart?
Use on-line backup?
• How long will it take to download?
• At 2Mb/s, 100Gb of data takes 142 hours to download
• Will it be usable?
18. Where backup fits in
Operations
• Item restore: Local Backup
• Time travel / storage management: Archiving
BCP
• Prevention: Resilience, Security
• Recovery: Local backup, Off-site Backup, Off-site Replication
19. Technologies
Operational backup
• Local live device
• Continuous or overnight
• Snapshots / VSS
Archiving
• HSM
• Archive tools
• Media management
Resilience
• Clustering (physical, virtual)
• Redundancy (physical, logical)
Security
• Physical and logical
• Layered defence
Recovery
• Local backup – single system
• Off-site backup (media, stream)
• Replication / geo-clustering
20. Recovery approaches
Cold standby
• Tested kit with appropriate drives
• Wasted resource/low operating cost
• What RTO can you achieve?
Warm standby
• Remote data replication
• Ready to go, but offline
• How will users connect?
• Test and reversion
Hot standby
• Live replication, running loads
• Expensive
• Close to zero RTO/RPO
• Blended functioning to reduce resource waste
“Cloud”
• Delegates the IT challenge
• BCP is people and processes first
• Audit the provider
• How do you test their BCP?
21. Managed Networks
0800 783 6170
info@mn.co.uk
www.mn.co.uk
Call, email or visit our website for a
free, no-obligation consultation.
Editor's Notes
You have a server room fire on a Friday afternoon. Thursday night’s tape is in the drive; Wednesday night’s tape is off-site. You’ve already lost two days’ data. It’s 5pm on Friday; where are you going to get: a tape drive, a server, a SCSI card and cable, an OS, application software, backup software and an internet connection? You buy a PC on Monday and start downloading software. The tape drive, card and cable arrive on Tuesday afternoon. By Tuesday midnight you have a working OS and tape drivers, and your backup software is installed. By close of business Wednesday your data has restored. By midnight on Wednesday you have your email back up and your database running. Business can restart on Thursday morning. 5 days off-line; a week’s work lost or missed. Can you survive?