Continuity Planning and Disaster recovery

1. BCP is a methodology used for developing a plan to maintain business operations during, before and after a disruption
2. Also involves efforts to ensure primary essential functions are operational during emergencies

1. BCP are the activities that take place before a disaster happens
2. DRP are the activities which occur once a disaster happens
3. Disaster recovery is a part of BCP

1. The umbrella term for all processes that ensure business continuity (BCP) and return a business to normal following a disaster (DRP)

1. DRP
   1. DRP focuses on IT
   2. DRP aims to ensure systems recover to previous state
   3. Looks Back
   4. Emphasis the importance of recovering from a disaster from unknown threats
2. BCP
   1. BCP focuses on the business as a whole
   2. Forward looking
   3. Ensure plans in place are to improve organisation and maintain survival
   4. Emphasises the importance of preventing disasters given known threats

1. Ensure continuity of business components
2. People
   1. Consider the human component and provide training
3. Technology
   1. Technology is an integral part of BPs and system downtime causes problems
4. Business Processes
   1. Put recovery processes into place in case of a disaster
   2. Document processes for easy refferrel during disasters
5. Communication
   1. Maintain communication during an emergency for quick responses and recovery
   2. Create communication contingencies
6. Business information
   1. Enterprise wide asset and is critical for the mission of the business
   2. Need good information security
7. Customers
   1. Maintain customer satisfaction and business reputation
   2. Allow for customer service delivery even after a disaster
8. Suppliers
   1. Important part of the value chain
   2. Affected during disasters
   3. Plan to maintain supplier relationships and service

1. Risk are the factors that have the potential to halt business operations if they occur
2. Identify the likelihood of potential risks, the magnitude of the impact and the adequacy of planned measures
3. Look at internal and external factors to the business's nature, location and BPs
4. Can use a risk matrix to determine the risk levels
   1. Risk matrix helps with preventing, mitigating and controlling risks

1. Process used to identify mission critical business functions...
2. ... and calculate the effects of business functions not being operational based on their dependancies
3. Also calculates timeframe in which functions should be restored
4. Can be expressed in terms of money and hard or soft impacts
5. 3 phases
   1. 1,) Determine critical bus. functions
   2. 2.) Determine recovery time objective and recovery point objective for each function

      Annotations:

      • for technology the recovery time could be the maximum possible downtime for a technology and the acceptable loss of imformation
   3. 3.) Evaluate resources needed to support and maintain functions in the event of disaster

1. Process of identifying, assessing and responding to risks
2. Bus. impact analysis important for risk management
3. Need risk mitigation strategies
   1. When selecting a strategy consider risks, legislation, and reliability

1. Must formulate policies and procedures to address business continuity risks
2. Policies and procedures can form the framework of an effective BCP
3. Continuity practices should be embedded into the design of IS and processes

1. BCM should provide an environment and framework in which BC measures will be supported and owned
2. Building a business continuity culture should consist of
   1. Executive Management Support
   2. Identify stakeholders
   3. Formation of BCP team
   4. Employee Engagement

      Annotations:

      • employees should be driven to perform duties in the continuity team
   5. Shared vision and trust

      Annotations:

      • Shared vision and trust of bus continuity policy among all employees
   6. Communication

      Annotations:

      • communication of policy to employees
3. Should have a training and education culture
4. BCP is a continuous process that should be implemented as a business culture

Annotations:

• Regaining access to the database, hardware and software

1. Physical assets can be replaced but data can not
2. Data is a very important asset which is crucial for survival
3. Develop a contingency plan to minimise impact of a disaster
4. DRP is a legal requirement to ensure the effects of a disaster are mitigated
5. S.A. has passed legislation (POPI and King 3 Act) to cater for the risks of the pervasiveness of technology

   Annotations:

   • King 3 => states that management must demonstrate that the business has adequete business resilience arrangements in place POPI=>A responsible person must secure the integrity and confidentiality of their personal information by taking appropriate measures
6. Recovery procedure
   1. Backing up information from primary data centers to a secondary data centre
   2. Data backed up must also be the most recent copy
   3. Primary and secondary data centers must be in separate locations so that they are not both affected at the same time
   4. The disaster recovery service must detect that a disaster has occurred so that the services can be switched over to the backup site
   5. The separation of location of the two data centers causes delays in response times so the service must detect when to switch back to the primary data center
7. Critical success factors of DRP
   1. Top management committment

      Annotations:

      • Management provide funding, staffing and resources They decide when and how to implement DRP and the support
   2. Policies and goals

      Annotations:

      • Policies to define guidelines for DRP and who is accountable for planning and implementation DRP should be driven by need for a competitive advantage through resilient systems
   3. Steering committee

      Annotations:

      • Steering committee to perform risk assessments and to determine the scope and objectives of the recovery process
   4. Prioritisation

      Annotations:

      • Most important systems must be given priority
   5. Alternative site for backup
   6. Backup storage

      Annotations:

      • On- site backup, off site backup, cloud computing and personnel to recover data
   7. Recovery team
   8. Testing

      Annotations:

      • testing DRP to ensure it will be effective Develop plan for testing
   9. Training

      Annotations:

      • Employees must understand the plan and their positions to address arising issues (dealing with stress and miscommunication) when plan is implemented
   10. Documentation

       Annotations:

       • Documentation of strategies, procedures and objectives of DRP for quick reference
   11. Maintenance of DRP plan

       Annotations:

       • Updating DRP plan as business process and data change

1. Recovery time objective
   1. Maximum amount of time IT system can be down for after a disaster
   2. Likely to vary across nature of the business and the business process
   3. Generally the lower the RTO the higher the cost associated with it
2. Recovery Point Objective
   1. Measure of the data loss given the maximum amount of time the organisation is willing to lose data over
3. RTO,RPO, perfomance and availability affect which recovery strategy to implement

1. Speed of recovery affected by the type of backup mechanism and the nature of available resources
2. Backup sites
   1. Cold backup sites

      Annotations:

      • Backups on a periodic basis Long time to recover data and get servers up and working High RTO
   2. Warm backup sites

      Annotations:

      • Uses dedicated hardware to keep the organisation operating at minimal levels Recovery can take minutes to hours
   3. Hot backup sites

      Annotations:

      • Mirrored standby servers that are always available to run in case of a disaster Recovery time within seconds or minutes Real time synchronous backups
   4. Fault tolerance

      Annotations:

      • IT systems which can switch to the backup site with no loss of data or service during disaster RTO and RPO are close to zero Highest level of system automatic failover

1. Reduction in exposure to risks
2. Improved operational resilience
3. Reduced downtime through contingency plans
4. Better service delivery
5. Compliance with legislation
6. Improved BPs
7. Maintaining credibility as a business

1. Costly and complex requirements
2. Time consuming to identify critical systems that must be recovered
3. Frameworks and standards too complex for small and medium businesses
4. DRP regulations can be ambiguous