Weitere ähnliche Inhalte Ähnlich wie Achieving Enterprise Resiliency and Corporate Certification (20) Mehr von Thomas Bronack (12) Achieving Enterprise Resiliency and Corporate Certification1. Achieving Enterprise Resiliency
And
Corporate Certification
By
Combining Recovery Operations through a
Common Recovery Language and Recovery Tools,
While adhering to
Domestic and International Compliance Standards
Created by:
Thomas Bronack, CBCP
Bronackt@dcag.com
Phone: (718) 591-5553
Cell: (917) 673-6992
1/23/2013 Created by: Thomas Bronack 1
2. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Abstract
• Are you utilizing your recovery personnel to achieve maximum protection?
• Have you implemented a common recovery language so that personnel speak the same
language and can best communicate and respond to disaster events?
• Is your company utilizing a common recovery management toolset?
• Want to reduce disaster events, improve risk management, and insure fewer business
interruptions through automated tools and procedures?
• Does your company adhere to regulatory requirements in the countries that you do
business in?
• Can you monitor and report on security violations, both physical and data, to best
protect personnel, data access, eliminate data corruption, support failover /failback
operations, and protect company locations against workplace violence?
• Are you protecting data by using backup, vaulting, and recovery procedures?
• Can you recover operations in accordance to SLR/SLR and RTO/RPO?
• Is your supply chain able to continue to provide services and products if a disaster
event occurs through SSAE 16 (Domestic), SSAE 3402 (World)?
• Do you coordinate recovery operations with the community and government agencies
like OEM, FEMA, Homeland Security, etc.?
• Do you have appropriate insurance against disaster events?
• Can you certify that applications can recover within High Availability (2 hours – 72
hours) or Continuous Availability (immediate) guidelines?
• If not, this presentation will help you achieve the above goals.
1/23/2013 Created by: Thomas Bronack Page: 2
3. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Topics included in this presentation
1. Business Plan (Mission, Goals & Objectives, and Risk Management;
2. IT Evolution (PC, Domains, Enterprise);
3. Systems Development Life Cycle (SDLC);
4. Data Management and Information Security Management System (ISMS);
5. Enterprise Resiliency and Corporate Certification;
6. Regulations (Domestic and International);
7. Building Enterprise Resiliency on a solid foundation;
8. Business Continuity and Disaster Recovery Planning for High Availability (HA) and
Continuous Availability (CA) applications to achieve Zero Downtime;
9. Emergency Management;
10. Risk and Crisis Management;
11. Laws and Regulations;
12. Converting to a Enterprise Resiliency environment;
13. Implementing Corporate Certification (Domestic and International); and,
14. Fully Integrated Enterprise Resiliency and Corporate Certification environment.
1/23/2013 Created by: Thomas Bronack Page: 3
4. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Layout of this presentation
A. Business Plan C. Building Enterprise Resiliency
o Mission Statement o CobIT
o Goals and Objectives o ITIL
o Risk Management o Fully integrated Enterprise Resiliency
B, Direction Plan o Compliance Laws
o Building Business Recover Plans o Gramm-Leach Bliley (GLB)
o Certifying Application Recovery for High o Dodd-Frank
Availability and Continuous Availability o HIPAA, SOX,
o IT Evolution o EPA Superfund
o SDLC o Patriot Act
o Support and Maintenance o Basel II / Basel III framework
o Potential Risks and Threats o Reporting on Compliance Adherence
o Enterprise Resilience and Corporate o Eliminating Audit Exceptions
Certification o Recovery Planning
o Risk Management Guidelines o BIA / BCP / EM
o Crisis Management o Converting to Automated Recovery
o Workplace Violence Prevention Tools
o Emergency Management o Documentation, Awareness, and
o Incident Management Training
o Emergency Operations Center (EOC) o How do we get started
1/23/2013 Created by: Thomas Bronack Page: 4
5. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Mission Statement:
1. Insure Continuity of Business and Eliminate / Reduce Business Interruptions (Enterprise Resilience);
2. Assure “Corporate Certification” by complying with Regulatory Requirements for countries that you
do business in, through Risk Management and Crisis Management guidelines (CERT / COSO);
3. Adhere to Service Level Agreements (SLA) through Service Level Reporting (SLR) and the use of
Capacity and Performance Management procedures;
4. Implement Enterprise-Wide Recovery Management by combining Business Continuity Management
(BCM), Disaster Recovery Planning (DRP), and Emergency Management (EM);
5. Utilize “Best Practices” to achieve “Enterprise Resiliency” (CobIT, ITIL, etc.);
6. Protect personnel and achieve physical security through Workplace Violence Prevention principals,
laws, and procedures;
7. Guaranty data security through access controls and vital records management principals and procedures
within an Information Security Management System (ISMS) based on ISO2700;
8. Achieve Failover / Failback and data management procedures to insure RTO, RPO, and Continuity of
Business within acceptable time lines (Dedupe, VTL, Snapshots, CDP, NSS, RecoverTrak, etc.);
9. Integrate recovery management procedures within the everyday functions performed by personnel as
defined within their job descriptions and the Standards and Procedures Manual;
10. Embed Recovery Management and ISMS requirements within the Systems Development Life Cycle
(SDLC) used to Develop, Test, Quality Assure, Production Acceptance / Implement, Data Management,
Support and Problem Management, Incident Management, Recovery Management, Maintenance, and
Version and Release Management for components and supportive documentation;
11. Develop and provide educational awareness and training programs to inform personnel on how best to
achieve the corporate mission.
1/23/2013 Created by: Thomas Bronack Page: 5
6. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Goals and Objectives:
Protecting the Business
Eliminate / Reduce Business Insure Continuity of Business by Conduct Risk Management and
Interruption certifying application recovery Insurance Protection reviews
Personnel (HRM and Employee Vendors (Supply Chain Clients (Products / Services) and
Assistance) Management) SLA / SLR
Locations / Infrastructure Community / Business / Personnel Lines of Business
Physical / Data Security Compliance Recovery Management
Optimized Operations Insurance Reputation
Protecting Information Technology
Build IT Location (Safe Site, Asset Management (Asset Configuration Management /
HVAC, Water, Electrical, Raised Acquisition, Redeployment, and Version and Release Management
Floor, etc.) Termination)
Use Best Practices like CERT / Mainframe, Mid-Range, Client / Communications (Local, LAN,
COSO, CobIT, ITIL Server, and PC safeguards WAN, Internet, cloud)
System Development Life Cycle Products and Service Support Support and Maintenance for
(SDLC) optimization Development, Enhancement problems and enhancements
Data Management (Dedupe/ Information Security Management Data Sensitivity and Access
VTL / Snapshots / CDP) System via ISO2700 Controls (Userid / Pswd)
Vaulting, Backup, and Recovery Disk / File copy retrieve utilities RTO, RPO, RTC
1/23/2013 Created by: Thomas Bronack Page: 6
7. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Risk Management:
• Define Risk Management Process in accordance with COSO / CERT guidelines, including:
• Internal Environment Review;
• Objective Setting;
• Event Identification;
• Risk Assessment and Response Definitions;
• Control Activities;
• Information and Communications; and
• Monitoring and Reporting.
• Define Legal and Regulatory Requirements (Domestic and International as needed);
• Determine OCC, Tax, and Industry compliance requirements;
• Perform an IT Audit / Risk Assessment to uncover Gaps and Exceptions;
• Define Mitigations and their Costs, along with data gathering and reporting guidelines;
• Calculate cost of Mitigation against cost of Gap / Exception to prioritize responses;
• Review Vendor Agreements for primary and secondary sites to eliminate / minimize Supply
Chain interruptions;
• Obtain Insurance Quotes and select appropriate insurance protection;
• Integrate with the everyday functions performed by personnel as outlines in their job descriptions
and the Standards and Procedures Manual; and,
• Develop documentation, awareness, and training materials.
1/23/2013 Created by: Thomas Bronack Page: 7
8. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
The Goal of Disaster Recovery with Continuous Availability
(CA) and High Availability (HA)
Local Short
Primary Vault
Term
Users are
Normally connected to
Closed Primary System
CA HA
Data
Continuous High
Availability Availability Vault
Normally Data Data Vault
Open Synchronized Snapshots Management
System
Remote Long
Secondary Term
Users are switched
to Secondary
Vault
System when
disaster strikes
1/23/2013 Created by: Thomas Bronack Page: 8
9. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Achieving Recovery Time Objective (RTO) / Recovery Point
Objective (RPO) and Recovery Time Capability (RTC)
Secondary Site must contain synchronized data and infrastructure
Production
Processing CA Instantaneous Flip of Production Processing to Secondary Site
Interrupted
Primary Site recovers data and infrastructure
Reload Last
Backup
HA Recovery of Production Processing
Planned
Or Snapshot
Recovery
Time Extended Production Processing
Loss Resumed
Production Processing
Data Lost Data Time Actual Time Loss equals Actual Time needed
since Start Forward needed to needed to to Recover, costs for staff, loss of
of Day Recovery Recover Recover client productivity, and damage
to corporate reputation.
Recovery Disaster Recovery Recovery Other Terms include:
Point Event Time Time RTE – Recovery Time Expectation;
Objective Objective Capability RPE – Recovery Point Expectation; and
(RPO) (RTO) (RTC) RTC – Recovery Time Capability.
1/23/2013 Created by: Thomas Bronack Page: 9
10. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Start Creating Business Recovery Plans
Recognize the Initiate Recovery Define Goals Obtain
Management Need for Recovery Executive And Objectives Funding
Commitment Committee
Risk Compliance & Audit Supply SLA’s Gaps &
Management Regulatory Needs Controls Chain / SLR Exceptions
Insurance Mediate / Cost to
Mitigate Repair
Business
Location & Rate RTO, Rate Ability to Achieve
Impact Analysis
Applications Criticality RPO, RTC Recovery Goals
BIA
Mediate / Cost to Gaps & Impeding
Mitigate Repair Exceptions Obstacles
Select Automated BIA & Plan Train Create, Test, &
BCM Tools BCM Tool? Creation Staff Implement BCM Plans
A
1/23/2013 Created by: Thomas Bronack Page: 10
11. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
High Availability and Continuous Availability Certification
A
(This process should be performed periodically to insure recoverability after changes)
High Availability Identify Design Meeting Schedule &
Define Critical And Continuous Stakeholders and Agenda and Conduct
Applications Availability Contributors Deliverables Meetings
OK
Validate Use Artifacts to Architectural Any Gaps &
Application support criticality Assessment to Exceptions
Substantiation
Criticality and RTO / RPO locate Obstacles found?
OK Mediate / Mitigate Impeding Obstacles, Gaps &
Exceptions until application is able to be Tested
Recovery Test Applications Certify HA Recovery or Define Obstacles
Testing & Secondary Site CA Gold Standard That Impede
OK Re-Test Application until Mediate / Gaps &
Certified, if possible Mitigate Exceptions?
Mediation / Failed Obstacles & Define Mitigate /
Mitigation Applications Impediments Repair Costs Mitigate
OK Attestation Re-Test Application
Letter Until Certified
End
1/23/2013 Created by: Thomas Bronack Page: 11
12. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Testing High Availability (HA) and Continuous Availability (CA) for Recovery
Certification and ability to Flip / Flop between Primary and Secondary Sites
The Road to Successful Recovery Certification
Ready for Recovery
Testing Success
Testing Certification
Testing Failure Loop, until Successful Recovery Certification
Gaps & Exceptions Obstacles &
Failure Impediments
Mitigation Mediate
Compliance to Recovery Plans and Infrastructure & Hardware capable of Software capable of
Country Laws and Personnel Procedures Suppliers capable of supporting workload supporting workload
Regulations need improvement supporting needs processing processing
Ready for Problem
Re-Testing Repaired
1/23/2013 Created by: Thomas Bronack Page: 12
13. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
OVERALL
Implementation IMPLEMENTATION
Understanding Your
Emergency Response APPROACH
Business
Initiation Crisis Mgmt Escalation &
Notification Continual Improvement
Maturity Assessment
Life & Safety Disaster Declaration Testing & Review
Program Management
Damage Data & Record
Assessment Testing
Project Statement Recovery
Timeline Review
Plan Development
Requirements & Strategy Procedure Development Update
Policies Business Impact
Assurance
Checklist Development
Risk Assessment
Preventive
Measures Continuity Contact Information
Strategies
Building Your Team & Capabilities
Organizational Roles
Defining the Committees & Teams Defining Roles & Responsibilities Incorporate R&R into JD’s
Staff / Management Awareness & Training
Workshops / Awareness Sessions -confidential-
Short Training Sessions Training Matrix & Master Plan
1/23/2013 Created by: Thomas Bronack Page: 13
14. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Personnel Computer environment
Client Personal Workstation External • CD/ROM
• Memory Stick
Memory • Data Storage Device
• Programs, and Internal
• Data Memory • Printer
Connected
• Fax
Devices • Scanner
• Instruction Fetch,
• Instruction Execute Personal
USB • Removable Disks
Other PC’s Computer Devices • Camera
Wireless • Keyboard and others
Internal • System
Network Software • Programs
Router Modem
• Products & Services
Switch A Personal Computer is used by workers to fulfill their job functions and
responsibilities. Presently these PC’s are used in a physical office, or
privately at home, but the trend is toward virtual offices where people
WAN could work from home or at remote locations (like when traveling away
from the office), so the PC Worker will become part of a virtual office, or
virtual private network (VPN). This VPN is widely used in today’s
business environment and can be housed at a company site or at a remote
Secondary location sometimes called the “Cloud”, which is a physical site owned by
Site an outside supplier (public) or the enterprise (private).
Privately owned client
site or vendor owned Programs can be stored in the server or accessed through the server, which
sometimes referred to will result in reduced costs and greater security by limiting access to
as the “Cloud”. authorized personnel only. This will also reduce costs for data and
equipment.
1/23/2013 Created by: Thomas Bronack Page: 14
15. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Physical / Virtual Office Domains
Work Office Domain,
Internet either physical or virtual
Cloud
Server
Switch Router
Storage
Device
Printer, Fax, and
Personal Scanner
Computers
Wide Area Network
Each Domain has a name (Domain Named Server – DNS) and contains components like PC’s, printers, faxes, scanners, Storage
Devices, etc.. Domains support office environments and can be either physical or virtual. Today’s business model is moving from a
physical to a virtual domain concept and access to the domain is migrating from the WAN to the Cloud. Clouds can be privately
owned by the enterprise or owned by an outside vendor supplying services to the enterprise.
This presentation will show how products and services are created, tested, quality assured, migrated to production, supported,
maintained and accessed in compliance to domestic and regulatory requirements which must be adhered to before an enterprise can
do business in a country.
1/23/2013 Created by: Thomas Bronack Page: 15
16. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Intel Builds Dell x86
Target Environment
Chips for their Dell x86 Servers IBM AIX P7 (“Watson”)
Servers Systems using AIX
VMware vSphere 5 and
AIX Tivoli
1 million I/O per Sec.
Remote
Storage
Double-
Talk Local
Storage
Cisco Network
Equipment for remote
locations
VMware vSphere 5 Software
Supports :
NetApp NAS to support • vShield for Cloud Computing -
Remote and Cloud security, control, and compliance.
EMC SAN, supporting 2 • vCenter Site Recovery Manager 5.
Storage channels, AIX Storage Array, • vCloud Director 5 – model and
up to 2 TeraBytes of Local activate recovery and failover.
storage
1/23/2013 Created by: Thomas Bronack Page: 16
17. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Optimized Protection / Recovery Data Services
Data De-duplication eliminates
duplicate data files and network traffic
to a Virtual Tape Library (VTL)
Forward Recovery Real backup tapes can be
between Snapshots created directly from the VTL.
Snapshots
1/23/2013 Created by: Thomas Bronack Page: 17
18. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Data Protection, Maintenance, and Recovery
Maintenance Recovery
Server Server
Failover / Failback recovery operations can be
Applications can be tested by loading a
tested by loading a Snapshop from the SIR and
Snapshop from the SIR which loads like an
exercising recovery plans.
active environment.
Test results can be used to identify problems
This can support Quality Assurance and
with recovery plans which can be used to
environment maintenance without interrupting
update the recovery plan.
normal operations.
Personnel training can be achieved through this
process, thereby insuring fewer mistakes and a
reduction in problem / disaster events.
1/23/2013 Created by: Thomas Bronack Page: 18
19. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Overview of the Enterprise Information Technology Environment
Physically Transported Physical / Physical
Using Tape
Remote Cloud / Virtual
Only Encryption
Tape / Data
Customers;
Vault Remote
Credit Bureaus;
Feed-Files; and, Electronic Vaulting; Locations
Other Locations. Incremental Vaulting; and, Encrypting Data-In-
Electronic transmission to Disaster Movement will protect
Disaster Recovery Site data being transmitted to
Recovery Site remote sites
Electronic
Transmission
Local Electronic Local
Transmission
Tape / Data Tape / Data
Vault Open Network Vault
With
Multiple Access Points
Local
Local Encryption of “Data at Rest” Sites
Sites to Provide Total Protection
Production
Production Site #2
Site #1 Cloud
Company
Computing Data
IT Locations
Systems Development Life Cycle (SDLC) Send Approved
Applications
To Production
New Acceptance Problem Resolution
End User Applications
And
“Work Order” Enhancements
to create a new
Product or Testing and
Service Development Maintenance
Quality
Assurance
Business Locations Development And Maintenance Environments
1/23/2013 Created by: Thomas Bronack 19
20. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Systems Development Life Cycle (SDLC), Components and flow
Development Testing Quality Production Acceptance
Assurance
End-User Naming, Security, On-Line
Request for
Unit and
Documents, Vital Records, Data Files
New Product System
and Back-up,
Or Service Testing Recovery,
Placement
Audit. BKUP
On-Line BKUP
Data Files
Enhance Release
And And Security, Production
Repair Version Vital Records,
End-User Defines:
Control Back-up,
• Business Purpose,
• Business Data,
Recovery, BKUP
• Ownership, Audit.
• Sensitivity, Change
Maintenance
• Criticality, Management
• Usage,
On-Line
• Restrictions, Update Data Files
• Back-Up, and
• Recovery. New
Business Disaster Real-Time
End-User Recovery
Recovery Recovery Off-Site
Location Facility Facility
Periodic
Vault
Company or
Client Site Vendor Site Vendor Site
1/23/2013 Created by: Thomas Bronack 20
21. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Migrating products / services to the Production Environment
Quality Assurance and SDLC Checkpoints
Interfaces between Applications, QA, and Production Groups Testing and QA
Turnover Package Components
Service Form and results from
Assessment
Change and Release Notes.
Create Perform Perform Perform Application Application Group Testing Results
Service Technical Business Requested Group Test Scenarios and Scripts
Request Assessment Assessment Work Testing Messages, Codes, and Recoveries
Data for Regression and Normal
Testing,
Documentation
Error Loop CP
#1
No Yes
Return Successful Create QA
to Turnover
Submitter APPLICATIONS GROUP Package
CP
#2
Perform Perform QA QA Review
Schedule
Post- Requested Review And
Request
Mortem Work Meeting Accept
CP
Error Loop #3
Create PRODUCTION ACCEPTANCE
Perform
Production Submit to Turnover Package Components:
No User
Successful Acceptance Production
Yes Acceptance Explanation and Narrative;
Turnover Acceptance
Testing Files to be released;
Package
Predecessor Scheduling;
QUALITY ASSURANCE Group Special Instructions;
Risk Analysis;
Vital Records Management; and
IT Security and Authorizations.
1/23/2013 Created by: Thomas Bronack Page: 21
22. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Systems Management Controls and Workflow
Service Level Reporting, Capacity Management, Performance Management, Problem Management,
Inventory Management, Configuration Management.
Production Production
Development Testing Quality Batch and On-Line
Assurance Acceptance Management
Service Level Management, Walk Thru’s, Test Validation,
Batch,
Project Life Cycle, Unit Testing, On-Line,
Components,
System Testing, EDP Security,
Naming,
Scenarios, Operations,
Placement,
Scripts, Functionality,
Recovery, Vital
Recovery Tests, EDP Audit.
Process. Records
Regression,
Benchmarks,
Post Mortem.
Maintenance Change Management
Disaster
Off-Site
Recovery
Service Level Management,
Vault
Project Life Cycle, Project Life Cycle,
Component & Release Management,
Standards & Procedures,
User Guides & Vendor Manuals,
Training (CBT & Classroom), etc...
Disaster Recovery Facility
A Forms Management & Control System, used to originate
work requests and track work until completed, will facilitate
optimum staff productivity and efficiency. Mainframe and Office Recovery
1/23/2013 Created by: Thomas Bronack Page: 22
23. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Systems Management Organization
Systems Management Data Processing
and Controls (SMC) Environment
Service Level
Management
Application Production Contingency Change
Inventory
Development Acceptance Management Management
& Asset
(PLC)
Management
Application EDP Security Problem
Production
Configuration Management Management
Maintenance Operations
Management
Application Audit & Vital Records Emergency
Capacity
Testing Compliance Management Management
Management
Performance Quality Risk
Business Disaster
Management Assurance Management
Recovery Management
1/23/2013 Created by: Thomas Bronack Page: 23
24. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Job Documentation Requirements and Forms Automation
New Product / Service Development Request Form Life Cycle
Documents are Linked to from Date Field
Development Request Form Development:
Development Request Form Number
Phase: Date Business Need
Documentation
Application Overview
Audience (Functions and Job Descriptions)
User Information _____________ Business / Technical Review Data
Cost Justification
Business Justification _____________
Build or Buy Decision
Link to Interfaces (Predecessor / Successor)
Technical Justification _____________
Documents Request Approval
Build or Buy _____________
Testing:
Development (Build / Modify) _____________ Data Sensitivity & Access Controls
IT Security Management System
Test: _____________ Documentation Encryption
Vital Records Management
Unit Testing _____________ Data Synchronization
Backup and Recovery
System Testing _____________ Vaulting (Local / Remote)
Disaster Recovery
Regression Testing _____________ Business Recovery
Quality Assurance _____________ Quality Assurance:
Application Owner
Production Acceptance _____________ Documentation
Documentation & Training
Application Support Personnel
Production _____________ End User Coordinators
Vendors and Suppliers
Support (Problem / Change) _____________
Recovery Coordinators
Testing Results
Maintenance (Fix, Enhancement) _____________
Documentation _____________
Production Acceptance
Application Setup
Documentation Input / Process / Output
Recovery _____________
Messages and Codes
Awareness and Training _____________ Circumventions and Recovery
Recovery Site Information
Travel Instructions
Main Documentation Menu Sub-Documentation Menus
1/23/2013 Created by: Thomas Bronack Page: 24
25. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Information Accounting and Charge-Back System Concept
By utilizing Work Order (WO) and Purchase Order (PO) concepts, it is possible to track and bill clients for
their use of Information Technology services associated with development and maintenance services. This
concept is presented below:
User Name: ____________________ User Division: ___________ User Identifier _______
Work Order #: __________________ Date: ___________ For: _________________________
PO for: Development Cost: $ _____________
PO for: Testing Cost: $ _____________
PO for: Quality Assurance Cost: $ _____________
PO for: Production Acceptance Costs $ ____________
PO for: Production (on-going) Cost: $ _____________
PO for: Vital Records Management Cost: $ _____________
PO for: Asset Management (Acquisition, Redeployment, Termination) Cost: $ _____________
PO for: Inventory and Configuration Management Cost: $ _____________
PO for: Information and Security Management Cost: $ _____________
PO for: Workplace Violence Prevention Cost: $ _____________
PO for: Recovery Management Cost: $ _____________
PO for: Documentation and Training Cost: $ _____________
PO for: Support and Problem Management Cost: $ _____________
PO for: Change Management Cost: $ _____________
PO for: Version and Release Management Cost: $ _____________
Total Cost: $ _____________
Bill can be generated via Forms Management, Time Accounting, or Flat Cost for Services. This system can
be used to predict costs for future projects and help control expenses and personnel time management.
1/23/2013 Created by: Thomas Bronack Page: 25
27. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Can be sorted by: Equipment Type,
Disposition, Date, or Location
Asset Management Disciplines Pick-Up List
Equip. Type: Disp: Location:
“Dispose of Surplus equipment after Migration to PC A Bldg 3, Rm 203
Start Target Data Center(s) to reap profit from sales, PC R Bldg 1, Rm 405
return of equipment storage space, and personnel.” PC T Bldg 2, Rm 501
Disposition = ‘A’
Acquire Purchase Install Add to Master
Equipment Order Equipment Master Inventory Inventory
Equipment is being Actively used
Disposition = ‘R’ N, Exceptions List Generated
Re-deploy Work Compare to
Pick-Up Warehouse
Equipment
Master Inventory Y
Order Inventory Inventory
Equipment is moved to new location
Perform Service
Services Order
Disposition = ‘T’
Terminate Work Service Ready-to-Sell Purchase Release Finance
Equipment Order Order Inventory Order Form Form
Equipment is Sold or Disposed of
Marketing & Sales
End Archive
1/23/2013 Created by: Thomas Bronack Page: 27
28. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Problem Management and Circumvention Techniques
1/23/2013 Created by: Thomas Bronack Page: 28
29. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Help Desk / Contingency Command Center Operations
Problems are reported to Help Desk who compare critical problems to Problem Matrix and Select Recovery Plan then
call Situation Manager who assembles necessary Recovery Teams to respond to critical problems and disaster events.
Lessons learned are used to update recovery procedures.
1/23/2013 Created by: Thomas Bronack Page: 29
30. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
The Potential Risks and Threats facing a Corporation
Recovery Management plans for loss of a location,
Malicious Activity: service, vendor, or personnel due to a disaster event.
Fraud, Theft, and Blackmail;
Sabotage, Workplace Violence; and
Terrorism. Disasters can render unusable / un-accessible specific
resources (like a building) due to: flooding; water
Natural Disasters: damage; inclement weather; transportation outage;
Fire; power outage; or many other situations. Rather than
Floods and other Water Damage; write specific recovery plans for each event that could
Avian, Swine, or other Epidemic / Pandemic occurrence;
Severe Weather; render a building un-accessible, a single plan for loss
Air Contaminants; and of a building can be written and incorporated into the
Hazardous Chemical Spills. crisis management plan associated with the specific
disaster event causing the need to evacuate a building.
Technical Disasters:
Communications;
Power Failures; Disasters result from problems and problems are the
Data Failure; result of a deviation from standards. By making sure
Backup and Storage System Failure; your standards and procedures are correct and
Equipment and Software Failure; and maintained you will reduce disaster events. These
Transportation System Failure.
procedures should be included in the SDLC,
External Threats: Maintenance, and Change Control process.
Suppliers Down;
Business Partner Down; and Working with the community will allow recovery
Neighboring Business Down.
managers to become good neighbors, build
relationships with other recovery managers, and keep
Facilities:
HVAC – Heating, Ventilation, and Air Conditioning; aware of situations outside of their control.
Emergency Power / Uninterrupted Power; and
Recovery Site unavailable. Working with governmental agencies like FEMA ,
OEM, and Homeland Security will help recovery
managers to stay current with compliance needs and
recovery planning trends.
1/23/2013 Created by: Thomas Bronack Page: 30
31. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Laws and Regulations Justifying the Need for a Recovery Plan
History and Goals:
Enterprise-Wide Commitment; “For Contingency Planning to be successful,
Emergency Management and Workplace Violence a company-wide commitment, at all levels of
personnel, must be established and funded.
Prevention;
Its purpose is to protect personnel,
Disaster and Business Recovery Planning and customers, suppliers, stakeholders, and
Implementation; business operations.”
Risk Management Implementation;
Protecting Critical Information;
Safeguarding Corporate Reputation.
“Define all Regulatory, Legal, Financial, and
Laws and Regulators: Industry rules and regulations that must be
complied with and assign the duty of insuring
Controller of the Currency (OCC): that these exposures are not violated to the
Risk Manager.”
Foreign Corrupt Practices Act;
OCC-177 Contingency Recovery Plan;
OCC-187 Identifying Financial Records;
OCC-229 Access Controls; and “Have the Legal and Auditing Departments
OCC-226 End-User Computing. define the extent of Risk and Liabilities, in
terms of potential and real Civil and Criminal
Sarbanes-Oxley, Gramm-Leach-Bliley, damages that may be incurred.”
HIPAA, The Patriot Act, EPA Superfund, etc.
Penalties:
“Once you have defined your exposures,
Three times the cost of the Outage, or more; and
construct an Insurance Portfolio that protects
Jail Time is possible and becoming more probable. the business from sudden damages that
could result from a Disaster Event.”
Insurance:
Business Interruption Insurance; and
Directors and Managers Insurance.
1/23/2013 Created by: Thomas Bronack Page: 31
33. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Why Implement Enterprise Resiliency and Corporate Certification?
1/23/2013 Created by: Thomas Bronack Page: 33
34. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
The Goal of Combining Recovery Operations
Desire to most rapidly and efficiently respond to encountered disaster events, or
other emergencies by merging Emergency Management, Business Continuity,
Disaster Recovery, and Workplace Violence Prevention:
Best approach to protecting Employees, Customers, Suppliers, and Business
Operations:
Ensuring the Reputation and Integrity of the Organization;
Combining many Lines of Business into a cohesive recovery structure with a
common set of objectives, templates, tools, and a common language;
Ensuring that your recovery environment meets and exceeds industry Best
Practices;
Utilization of Automated Tools;
Integration of Best Practices like COSO, CobIT, ITIL, Six Sigma, ISO 27000,
and FFIEC to optimize personnel performance, Standards and Procedures;
Certify the business recovery environment and its components;
Staffing, Training and Certifying Recovery Personnel;
Integration with the Corporation, Customers, and Suppliers;
Interfacing with First Responders, Government, and the Community;
Working with Industry Leaders to continuously enhance recovery operations
and mitigate gaps and exceptions to current practices;
Achieve Compliance through Risk Management and Audit adherence;
Testing and Quality Assurance; and
Support and Maintenance going forward.
1/23/2013 Created by: Thomas Bronack Page: 34
35. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
What is Emergency Management and Corporate Certification?
Emergency Management Preparedness:
First Responders (Fire / Police, / EMT, etc.);
Emergency Operations Center (EOC);
Desire Department of Homeland Security (DHS); and
to most rapidly and efficiently respond to encountered disaster events, or
other emergencies by merging Emergency Management, Business Continuity,
Office of Emergency Management (OEM).
Disaster Recovery, and Workplace Violence Prevention:
Business Recovery Management:
Best approach to protecting Employees, Customers, Suppliers, and Business
Business Recovery;
Operations:
Disaster Recovery;
Risk Management; and
Ensuring the Reputation and Integrity of the Organization;
Crisis Management.
Combining many Lines of Business into a cohesive recovery structure with a
common set of objectives, templates, tools, and a common language;
Workplace Violence Prevention:
Security (Physical and Data) and Guards;
Ensuring that your recovery environment meets and exceeds industry Best
Closed Circuit Cable TV;
Practices;
Access Controls and Card Key Systems;
Utilization of Automatedand Crisis Management Procedures; and
Response Plans Tools;
Employee Assistance Programs.
Integration of Best Practices like COSO, CobIT, ITIL, Six Sigma, ISO 27000,
Supportive Agencies:
and FFIEC to optimize personnel performance, Standards and Procedures;
Disaster Recovery Institute International (DRII);
CertifyBusiness Continuity Institute (BCI);and its components;
the business recovery environment
Contingency Planning Exchange; and
Staffing, Training andContingency Planners.
Association of Certifying Recovery Personnel;
Integration with the Corporation, Customers, and Suppliers;
Supportive Tools:
Recovery Planner RPX;
Interfacing with First Responders, Government, and the Community;
Living Disaster Recovery Planning System (LDRPS);
Six Sigma or Workflow Management;
Working with Industry Leaders to continuously enhance recovery operations
and mitigate gaps and exceptions to current practices; (ITIL);
Information Technology Infrastructure Library
Company Standards and Procedures; and
Achieve ComplianceAwareness services.
Training and through Risk Management and Audit adherence;
Testing and Quality Assurance; and
Corporate Business Resiliency Certification:
Support and Maintenance going forward.(PL 110-53 Title IX Section 524);
Private Sector Preparedness Act
National Fire Prevention Association Standard 1600; and
BS25999 / ISO 22301 International Standard;
FFIEC.
1/23/2013 Created by: Thomas Bronack Page: 35
36. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Business Continuity Management Disciplines and Integration
Charter:
Contingency Eliminate Business Interruptions;
Ensure Continuity of Business;
Contingency Recovery Planning Minimize Financial Impact; and
Disciplines Adhere to Legal / Regulatory “These four Contingency Planning
Requirements Disciplines allow for logical work
separation and better controls”
Disaster Business
Recovery Recovery
Corporate Asset “Establishing interfaces with key
Information Technology
Protection departments will allow for the inclusion
Protection
of corporate-wide recovery procedures
Critical Jobs;
Risk Inventory Control (Security, Salvage, and Restoration, etc.)
Management Asset Management
Data Sensitivity and Access in department specific Recovery Plans”
Controls; Configuration
Vital Records Management; Risk Management Management
Vaulting and Data Recovery; Business Continuity; and
Recovery Time Objectives; Exposures (Gaps and Office Recovery.
Recovery Point Objectives; and Exceptions);
Mainframe, Mid-Range, and Insurance;
Servers. Legal / Regulatory
Requirements;
Cost Justification; and
Executive Information
Vendor Agreements.
Management Technology
Facilities
Company
“Contingency Planning affects every part of the Operations
organization and is separated into logical work Contingency
areas along lines of responsibility”. Personnel Recovery
Planning Auditing
General
Services
Public
Finance
Relations
1/23/2013 Created by: Thomas Bronack Page: 36
37. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Crisis Management, to Respond to / Control Disaster Events
How Problems become Disasters and
Controlling them through Crisis Management
When a problem arises and there are no formal procedures to direct
Operations personnel in the analysis and repair of the problem, then a Problem
situation can occur that may lead to a potential crisis.
Problem
Compounding a problem by taking unnecessary actions can lead to a Matrix
prolonged outage, which can effect the ability to meet deadlines. This
additional scheduling problem may result in a situation which can
lead to a crisis as well.
Situation
Problem
An example of this would be when a Data Check on a Hard Disc Resolution
Storage device occurs and there are no back-up copies of the
information. This problem would create a prolonged outage, because Crisis
the data contents on volume would have to be recreated. Additionally,
if multiple jobs are dependent upon the failed Volume the effect of the
Management
problem will be even greater. This type of crisis situation could very
easily be avoided by insuring that all Data Volumes have back-up
copies stored in the local vault, so that restores can be provided. An
additional copy of the Data Volume should also be stored in an off-site Crisis Management
vault if the data is critical. In today’s IT environment, real-time and/ Procedures document
Crisis Management
or incremental data backups are commonplace.
Procedures document
Crisis Management
The goal of Crisis Management is to determine which problem types Procedures document
can occur and their impact. To then develop recovery plans and
instruction that direct personnel to take appropriate actions when
problems occur that would eliminate a crisis situation from arising. It
is based on preparation and not response.
1/23/2013 Created by: Thomas Bronack Page: 37
38. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
NYS Workplace Violence Prevention Act
June 7, 2006 – Article 27-6 of Labor Law
Employers must perform a Workplace Evaluation or Risk Assessment at each worksite to develop and
implement programs to prevent and minimize workplace violence.
Commonly referred to as “Standard of Care” and the OSHA “General Duty Law” which must be in
place to avoid, or limit, law suites. It consists of:
1. Comprehensive policy for Workplace Violence;
2. Train employees on Workplace Violence and its impact; and
3. Use Best Practices for Physical Security and Access Controls.
Why Workplace Violence occurs and most likely reason for offence:
Number one cause is loss of job or perceived loss of job;
Presently being addressed REACTIVELY, but should become PROACTIVE;
Corporate culture must first accept importance of having a Workplace Violence policy that is
embraced and backed by Executive Management;
“Duty to Warn” - if a threat is made to a person, then they must be informed of the threat and
a company must investigate any violent acts in a potential hire’s background.
Average Jury award for Sexual Abuse if $78K, while average award for Workplace Violence
is $2.1 million – with 2.1 million incident a year, 5,500 events a day, and 17 homicides a
week.
Survey found that business dropped 15% for 250 days after event. Onsite security costs
$25K with all costs totaling $250K / year.
Offender Profile consisted of:
1. Loner (age 26-40) who was made fun of, teased, and abused by workmates;
2. Cultural change has promoted Gun usage;
3. Their identify is made up of their job, so if you fire them they are losing their
Identify / Lifestyle and will respond violently.
4. Instead of Workplace Violence, perpetrator may use computer virus, arson, or
other methods to damage / ruin business;
5. Hiring tests can be used to identify potential Workplace Violence perpetrators;
6. Does not take criticism well and does not like people in authority;
7. Employee Assistance Programs can be developed to help cope with personal life
crisis and avoid Workplace Violence situation – a range of these programs should
be developed and made available to the staff and their family.
1/23/2013 Created by: Thomas Bronack Page: 38
39. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
The Costs of Workplace Violence
The costs associated with a Workplace Violence Event
increase dramatically over time.
ts
Cos
Events
Workplace Employee Crisis Business Disaster Emergency Risk
Violence Assistance Management Continuity Recovery Response Management
Prevention Programs Plan Plan Plan Plan Plan
Response
Plan
Identify and Create Mechanisms Create Contract Guard Develop and Exercise Crisis
Document to allow Employees to Employee Service for Implement Management and
Employee Report Problems Identification Physical and Employee Recovery Plans on
Safety and and Seek Help, Badges and Perimeter Training and a Regular basis and
Security Known as Employee Implement an Protection. Use Awareness Update Plans as
Issues Assistance Access Control CCTV to scan Programs needed
Programs System environment and
document
evidence.
1/23/2013 Created by: Thomas Bronack Page: 39
40. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Target Emergency Response Environment (Logical Overview)
Emergency Response Plans and
Planning Methods used to avoid Crisis Communications
Threats Business Interruptions and Predator
threats Crisis Security
Communications Plans
Crisis
Management
Predator
Evacuation
Plans
Emergency
Business Continuity
Business Response
Management*
Interruptions Planning
Salvage
Plans
Compliance
Regulations
Workplace Violence
Restoration
Prevention and
Plans
Response Planning
* Business Continuity Management includes: OSHA
Disaster Recovery; Recovery
Supporting
Plans
Business Continuity; Annex
Emergency Response Planning; and
Risk Management. National Response Company Response
Plan (NRP) Plans
1/23/2013 Created by: Thomas Bronack Page: 40
41. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Emergency Management is
4 STEPS IN THE PLANNING PROCESS established and procedures are
STEP 1 - Establish a Planning Team
generated through the following
STEP 2 - Analyze Capabilities and Hazards process:
STEP 3 - Develop and Test the Plan
STEP 4 - Implement the Plan 1. Define the EM Planning
process, its Scope, and Team
members;
EMERGENCY MANAGEMENT CONSIDERATIONS
2. Release a Project Initiation
Executive Memo defining EM Goals,
This section describes the core operational considerations its Priority, and that Executive
of emergency management. They are: Management is behind the
• Direction and Control
development of EM and associated
• Communications procedures;
• Life Safety 3. EM team will develop project
• Property Protection
• Community Outreach plan containing EM Considerations
• Recovery and Restoration and planned direction, with time
• Administration and Logistics line, costs, deliverables, and resource
requirements;
4. Management is provided with
Executive Presentation and Written
HAZARD-SPECIFIC INFORMATION Report on EM Direction and Plan, so
This section provides information about some of the that Approval can be received and
most common hazards: any concerns corrected before
moving forward;
• Fire
• Hazardous Materials Incidents 5. EM develops procedures,
• Floods and Flash Floods trains personnel, and tests prototype
• Hurricanes action plans;
• Tornadoes
• Severe Winter Storms 6. Corrections and updates are
• Earthquakes created based on Lessons Learned;
• Technological Emergencies
HAZARD-SPECIFIC INFORMATION 7. EM Trial Project(s) are
performed and reviewed;
8. EM procedures and
documentation is finalized and
INFORMATION SOURCES
approved; and
This section provides information sources: 9. EM is Rolled Out to entire
company and people trained.
• Additional Readings from FEMA
• Ready-to-Print Brochures
• Emergency Management Offices
1/23/2013 Created by: Thomas Bronack Page: 41
42. Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
Emergency Management Planning Team Interfaces
Communications Community
Public Relations Emergency Management
Public Information Officer Fire and Police
Crisis Management First Responders
Media Release Statements Community Outreach
Emergency Response
Emergency Management Management and Personnel
Safety and Health Planning Team
Medical Line Management
Security Labor Representative
Environmental Affairs Human Resources
Workplace Violence Prevention
Support Services
Engineering / Infrastructure
Legal / Purchasing / Contracts
Asset Management
Configuration Management
Development / Maintenance
Information Technology
Business Continuity Management
Vital Records Management
1/23/2013 Created by: Thomas Bronack Page: 42