LB35: Verifying IT and Business Continuity
Lucas G. Aimes & Terry DiVittorio, Project Performance Corporation (PPC)

Introductions
- Lucas G. Aimes
  - Deputy Practice Lead, Verification & Verification Practice @ Project Performance Corporation (PPC)
  - Project Management Professional (PMP)
- Terry DiVittorio
  - Director, Security & Privacy Division @ Project Performance Corporation (PPC)
  - Certified Information Systems Security Professional (CISSP)

Agenda
- Challenges Facing Leaders as they Manage Continuity Planning within their Business Environment
- Managing these Leadership Challenges
- Independent Verification and Validation Role
- Benefits of IV&V
- Lessons Learned: September 11th
- Mitigation Strategy: September 11th
- Lessons Learned: Hurricane Katrina
- Mitigation Strategy: Hurricane Katrina
- Summary

Leadership Challenges in Business Continuity - Resources (People)
- Who's in charge and what are they responsible for?
- Where does everyone go?
- Which staff go where?
- How do you inform people?
- Who else needs to be told?
- How long does this all take?
- Can you afford it?

Leadership Challenges in Business Continuity - Processes
- Which processes are affected - and what are the consequences?
- Which processes are truly critical?
- Have we identified where the dependencies are for our critical processes?
- Who are the process owners?

Leadership Challenges in Business Continuity - Technology
- How do you/we ensure critical data is available?
- Do employees/customers have access to data?
- How do you/we ensure systems and data at the backup site is/are current and accurate?
- Has the technology at the backup site been tested?

Managing Leadership Challenges
- Maximizing your Return on Investment (ROI)
  - Do your IT investments cover the organization in the event of a disaster?
  - Business Resiliency
- Optimizing your planning strategy
  - Before disaster and after disaster
- Driving efficiencies within your organization
  - Smart processes and Procedures
  - Efficient Tools, Mechanisms, and Methodologies

IV&V Role in Business Continuity
- Configuration Management
- Business Continuity Planning verification
- Business Continuity Planning testing
  - Walkthroughs and desk checking
  - Scenario testing
  - Communications testing
  - Disaster recovery testing
  - Full business continuity test
- Business Continuity Planning consultancy
- Quality Assurance/Quality Control

Configuration Management
- Account for all IT assets
- Provide accurate information to support other Service Management processes
- Provide a sound base for Incident, Problem, Change, and Release Management
- Verify records against the infrastructure
- Correct exceptions

Business Continuity Planning Verification
- Staffing changes
- Changes to important clients and their contact details
- Changes to important vendors/suppliers and their contact details
- Organizational changes like new, closed or fundamentally changed departments
- Changes in portfolio and mission statement

Business Continuity Planning Testing
- Virus definition distribution
- Application security and service patch distribution
- Hardware operability check
- Application operability check
- Data verification

Business Continuity Planning Consultancy
- Assist with addressing issues found during verification and/or testing
- Properly update processes and/or documentation
- Maintenance of changes to business continuity processes
- Audits and metrics
- Staff training

Quality Assurance/Quality Control
- Measure the gap between management expectations and business performance
- Trigger responses that ensure that management expectations and business performance remain aligned over time
- Investment protection to ensure that tactical recovery solutions perform as expected

IV&V Benefits to Business Continuity
- You know that your recovery plan works
- You discover problems, mistakes, and errors, and can resolve them before you have to use the procedures
- Your staff are educated in executing tests and managing disaster recovery situations
- Your recovery plan becomes a living document
- Members of your IT organization recognize the necessity of such a disaster recovery concept, and plan accordingly
- Awareness of your disaster recovery strategy is increased

Business Continuity during 9/11: Lessons Learned
- Plans must be updated and tested frequently
- All types of threats must be considered
- Dependencies and interdependencies should be carefully analyzed
- Key personnel may be unavailable
- Alternate sites for IT backup should not be situated close to the primary site
- Copies of plans should be stored at a secure off-site location

Business Continuity during 9/11: Mitigation Strategy
- Create a plan to verify and validate the Business Continuity Plan and Disaster Recovery Plan on a regularly scheduled basis
- Consider other threats outside of the natural type
- Document a communication plan and/or call plan with primary and secondary resources
- Carefully evaluate proper location of your backup and/or disaster recovery site
- Maintain configuration items (documentation, hardware, and software) in a shared area

Business Continuity during Hurricane Katrina: Lessons Learned
- Communications outages made it difficult to locate missing personnel.
- Lack of electrical power or fuel for generators rendered computer systems inoperable.
- Multiple facilities were destroyed outright or sustained significant damage.
- Some organizations may not have anticipated or prepared for the extensive destruction and prolonged recovery period resulting from Hurricane Katrina.

Business Continuity during Hurricane Katrina: Mitigation Strategy
- Automate the business continuity and/or disaster recovery process
- Plan for short-term and long-term recovery periods
- Test your plans based on current knowledge of potential threats
- Establish multiple recovery locations in anticipation of threats that shut down your primary site

Summary
- People, Processes, and Technology need to be addressed during Business Continuity Planning
- Threats can be traditional and non-traditional
- Proper planning and guidance prior to a disaster and/or threat can assist in managing/mitigating leadership challenges
- Past disasters and/or threats can promote more accurate planning and plan maintenance - learn from mistakes