Business Continuity & Disaster Recovery Planning · 2014-05-13 · Business Continuity (BC) Plan...
Business Continuity & Disaster Recovery Planning
Presented by Ed Goldberg, DM, CBCP
Manager, BC & DR Programs
5/22/2014
CBIA's Safety & Health Conference
Crowne Plaza Hotel, Cromwell, CT.
Disaster Planning for Small and Mid-sized Businesses
Hurricane Katrina – Simple Case study & timeline
Landfall in southeast Louisiana as a category 3 hurricane 8/29/2005.
Entergy New Orleans filed for bankruptcy 9/23/2005.
• When a system is damaged extensively,
there’s insurance, loans, recovery of
prudent costs, etc.
• If the COMMUNITY is gone, there is no
current or future source of revenue,
therefore no loans and no resources
• The COMMUNITY is reliant on its
businesses for its very existence
• There are ~350,000 small businesses in
Connecticut (SBA).
• How many would survive a disaster?
• How many have continuity plans?
Don’t utilities plan and prepare for such things?
A tale of a power company tells an underlying story…..
What went wrong? Why bankruptcy?
For those of you with a quantitative leaning…..
9 out of 10 companies (90%) unable to resume
business operations within 5 days of a disaster are out
of business within 1 year
Nearly 4 out of 5 (78%) businesses faced with a
catastrophe without a contingency plan are out of
business within 2 years
(Original source unknown; cited in
innumerable reports – AT&T, Agility, SBA, etc.)
To make you really smart, we’ll cover:
• What are the buzzwords? So many new, similar terms….
• What kind of plan(s) do I need? What are the risks?
• How much work is it?
• How do I begin?
• Where is Jimmy Hoffa buried?
• What planning help is available?
• Will having a plan lower my insurance rates?
• How do I get my electricity for free?
• How does preparing myself and my family contribute to
preparing my business/organization?
• And we’ll answer your questions, address concerns, give
you some good resources, etc.
…because…
a) You came here today already convinced and I’ve been preaching to the choir
(so, Ed, stop it and move on!)
b) These last few slides and discussion have been SO enlightening and now you’re eager to start planning
c) You’re a little curious and willing to listen politely
Let’s proceed as if you’re convinced of the need for
contingency plans …
(What smart looks like)
Business Continuity (BC) Plan – a plan for performing your business/organization’s
critical business processes during and after a disaster
Disaster – some event or condition/environment that challenges your
business/organization’s ability to perform its critical business processes
Disaster Recovery (DR) Plan – the IT (Information Technology) piece of your BC plan
Continuity of Operations (COOP) plans, Business Resumption Plans, Business
Resiliency Plans, etc. – are often interchangeable, often used by vendors or large
organizations to indicate some “next step” above and beyond basic BC/DR plans.
Business Impact Analysis (BIA) – what large companies do to gather the necessary
information about their business processes to begin evaluating what they need in
their BC and DR plans
What are the buzzwords?
Risk! What are the risks that
would preclude your performing
crucial business processes?
• First, define what processes
NEED to continue
• Then evaluate threats/risks
What keeps you up at night? Create the BIA
(Business Impact Analysis) and get some sleep!
Risks can include….
Fire, flood, etc.
Violence
Unknown substance
Data breach & other IT attacks
Weather events & solar storms
Crime & terrorism
Regulations/compliance
Social media
Economy and other environments
Loss of personnel
Pandemic
Supply chain disruption
Chemical or nuclear accident
Sabotage, etc.
How can one plan deal with
hurricanes, pandemics, fire,
flooding, workplace violence,
unknown substances, etc.?
All-hazards approach:
• Loss of facility
• Loss of people
• Loss of systems
• Sometimes intangibles such as
reputation
For the vast majority and for
those just getting started, you need the basics – a
business continuity plan
and a disaster recovery
plan.
Old paradigm: DR plan only
What we’ve learned:
Business Continuity Plan….
• Loss of facility
Alternate worksite
Supplies
Communications, etc.
• Loss of people
Source for skilled workers
Help from others including competition
HR help
• Loss of systems
Computers
Media
Services
What kind of plan do I need?
A decent BCP is probably just
a couple of hours of work up
front, and then an hour once
or twice a year to keep it
fresh. Obviously, there can
be more to the plan, but
that’s a starting point.
Business Continuity Plans –
BCP’s – are living documents.
They require a little care and
feeding or they won’t be very
useful when needed.
One piece of care and
feeding is to exercise the
plan(s) at least once per
year. A tabletop exercise –
an hour or so with everyone
involved with the plan should
be adequate.
How much work is it?
Coming here was a great first step
We can discuss what goes into a BC
plan – and we will – but let’s make it
really easy and quick…….with a free
(really) template.
Want it electronically?
http://ofb.ibhs.org/content/data/file/OpenForBusiness_new.pdf
Or type in ibhs.org and click on the
Open For Business link, then on the picture of the cover (same as ).
How do you get started?
•Contact info for employees (either a list or a call tree);
•Key vendors & suppliers info – contact info, perhaps some procurement info
(contracts, PO numbers, etc.)
•Other key contacts such as investors and other stakeholders
•A list of critical business functions & processes
•Alternate work location, recovery location or plans to work from home, etc.
•Supplies
•Systems, machines, vehicles – depends on what you need
•Communications “stuff”
•What IT systems you need – and this becomes your IT DR plan, either in house
or 3rd party, etc.
•Backup data/systems and instructions on how to use it
What’s in a BC plan?
TRIBAL KNOWLEDGE aka Tacit
Knowledge, intuition, closely held
trade secrets, etc.
Why is this mentioned? If a reasonably
competent person with necessary
basic skills can’t perform a task or
otherwise engage in the work needed
to continue a process, the plan(s) will
fail. Remember to plan for Loss of
People!
You need to somehow provide for the
continuance of business processes,
including passing on the recipes or
other trade secrets.
It’s not likely that you would put such
detail into your BC plan, but it needs
to exist somewhere, even if only in
more than one person
What’s not in your plan?
There are lots of options to get this done, daunting as it may seem….
•Do it yourself and have it reviewed by an expert volunteer
•Become a bit of an expert or have someone in your organization do so
•Hire a consultant or otherwise outsource it
Big organizations/businesses have people on staff who are expert at BC/DR planning.
Those people are often willing to help through their professional organizations.
No organizations compete on the basis of preparedness, and so they tend to share
best practices. It’s in all of our best interests to be prepared – companies are only as
resilient as their host communities.
Where can one get educated on BC/DR, network and learn from others, and meet
others who do this professionally?
What planning help is available?
The Association of Contingency Planners (ACP)
•Not for profit 501C6;
•Connecticut chapter provides educational programs monthly October – June, plus a
¾ day conference in September (9/23/2014 – topic “Supply Chain Resiliency”)
•CL&P hosts most of ACP’s programs in Berlin
•Members share ideas, best practices, etc., freely. Take advantage of that.
•The best all-around BC/DR/EM organization, including thousands of members in 42
chapters across the US
http://ct.acp-international.com
www.acp-international.com
Preparedness begins at home –
Each of us, our coworkers and
employees need….
…. a kit
…. a plan
….a way to get information
(http://www.ct.gov/ctalert/site/default.asp)
What good is all this if no one comes to work post-disaster?
www.ready.gov
Lots of resources available,
and it doesn’t cost much to
make a kit. Can any of us
afford not to be prepared?
Active Shooter
Guidance from DHS
Plans should be all-
hazard, but there are
specific threats for which
additional guidance is
warranted….
• Active shooter
• Pandemic
• Data Breach
• What threatens YOUR
business processes?
What Is A Data Breach?
• Many definitions:
• The exposure of data outside of its intended audience.
• The misappropriation of data.
So what?…….
• If it was exposed, does it matter whether it’s known what was done with it?
• Does it matter what the data was? Confidential, sensitive, protected, important, personal….
• Does it matter who had access to it?
• Does it matter if it was actually accessed or simply could have been?
• Does intent matter?
• Does it matter how many were affected or what the cost was?
• Regulatory definitions? HIPAA, PII, CIP, etc.
Organizations need to define “data breach” for their own purposes.
How do data breaches occur?
Unauthorized access from outside the network (hacking)
Unauthorized access from inside the network (someone with network
access, physical or virtual)
Loss of physical media with embedded data (a stolen laptop, PC, cell
phone, tablet, etc.; lost tapes, disks, memory devices, etc.)
Accidental or intentional release of otherwise secure data (programming
error, database access control miscue, publication in error, mischief and
malicious intent, social engineering, etc.)
How do we prevent data breaches?
Implementing best practices in IT security can reduce the likelihood of data breaches and reduce their adverse effects
IT Security is a great topic for another presentation on another day
The real answer, especially for the purposes of contingency planning, is that we can’t prevent data breaches.
Create guidance from a business continuity perspective
• How does the new risk challenge existing BC/DR plans?
• All hazards approach: people, facilities, systems, intangibles (i.e. reputation)
• Crisis management for a data breach will require a wide variety of the organization’s resources
• Constituency of Incident Response Team will differ for a data breach
• Timelines and roles need to reflect heavy involvement of IT, Legal and Communications (possibly HR)
Detecting that a breach has occurred
• No guarantee that detection will occur in a timely manner
• Detection is usually funneled through or directly detected by IT
• Intake protocols – client calls to an IT support desk, web tickets, etc. – need to consider signs that a breach has occurred
• Internal monitoring – routine activities that might detect log irregularities, unusual movement of data, intrusion detection (routine activities given some sensitivity to what a breach might look like)
• Performance, bandwidth, database management alarms
• Keeping up with security patches and notices
• Determine what was taken (yes, it matters)
Identifying what was taken
Personal Information – can be associated with an individual, such as….
• Social Security number
• Driver’s license number
• State i.d. card number
• Financial account (bank, credit union, brokerage, credit or debit card) or other PCI numbers
• Passport number
• Alien registration number
• Health insurance i.d. number or other personal health information
• Critical infrastructure information
• Proprietary and business sensitive information
Initial Response to a breach
• IT’s best people need to be involved and managing the response, not managing anything that can be deferred to others (Incident Response Team, for example)
• Activate Incident Response Team(s) to get necessary help
• IT and Information Security; HR, Health, Payroll, Customer Service/Experience, Risk Management, Insurance, Investor Relations, the internal owner of the data affected, Communications, Legal, senior management, etc.
• Contain the breach – empower IT to act a.s.a.p., including “opening the breaker”
• Escalate to the extent appropriate for what is known and what is possible
• Bring in expertise as needed – law enforcement, 3rd party experts, etc.
What needs to be communicated
• The nature and extent of the breach
• What happened; when it happened and when it was discovered; why it took so long to find out about it; where it happened; why it happened, etc.
• What’s been done to contain the breach, manage the incident
• Who’s been notified including regulators and authorities
• Point of contact for additional information
Breach legal guidance
• Fulfill notification requirements, as appropriate, to:
• Affected people
• Law enforcement
• Attorneys General
• Regulators
• Third parties
• Insurance carriers
Key points to preparing for a data breach
• Define data breach for your organization
• Be specific about the conditions for declaring a breach
• Adjust the response for the level of breach – not all breaches are the same
• Being prepared allows for swift response which is necessary
• Identify causes, contain the incident by securing data, prevent recurrence
• As for any contingency plan, don’t “hard-wire” decisions and actions
• Predefine and involve all key players to optimize your response
• Document incident, people involved, developments and actions taken
• Predetermine all potential actions to preserve rights, protect stakeholders, satisfy regulators.
How do I get my electricity for free?
You can’t. I just wanted you to stay until the end of the presentation.
Questions?
Thank you….
….for helping to make our
communities resilient and
prepared
….for your time and interest
….for your gracious
hospitality and for inviting
me here today
*** Thank you! ***
Resilient Not so resilient
Dr. Ed Goldberg, CBCP
860-665-5422
The Connecticut Light & Power Company
Berlin, Connecticut