1. Service Continuity Planning TakingITto the Next Level September 11, 2007 Infotech Consulting

2. Statistics Disaster recovery, security, and replacing existing systems are priorities.For 2007 technology-related themes, 61% of our government respondents list significant upgrades of their disaster recovery capabilities as either a priority or a critical priority. Fifty-four percent say that upgrading their organization's security environment is important, and 51% tell us that replacing or upgrading existing application systems are importantForrester , April 2007 3. Key Consideration

There are a number of industry best practice frameworks that exist for organizations to use when addressing IT continuity management including:

• National Institute of Standards (NIST);

• National Fire Protection Association (NFPA);

• Disaster Recovery International (DRI);

• International Standards Organization (ISO).

Infotech believes that the best framework for organizations to utilize is the Information Technology Infrastructure Library (ITIL) / ISO 20000. This framework allows organizations the most flexibility in the implementation and management of a robust service continuity program.

4. Drivers for Adopting Standards 5. ITSCM

ITIL defines IT Service Continuity Management (ITSCM) as:

• The goal for ITSCM is to support the overall Business Continuity Management process by ensuring that the required IT technical and services facilities (including computer systems, networks, applications, telecommunications, technical support and service desk) can be recovered within required, and agreed, business timescales.

In the broadest terms, ITSCM is defined in terms of business processes to be covered and their IT support requirements (e.g. systems, networks, communications, support staff skills, data and documentation, etc.) and risks that need to be addressed.

6. ITIL Source: Office of Government Commerce Service Support Service Delivery Security Management The Business Perspective ICT Infrastructure Management Planning to Implement Service Management Applications Management The Business The Technology 7. ITIL Service Delivery * Office of Government Commerce (OGC) 8. The Complete Service Continuity Lifecycle Phase 2 Requirements and Strategy Implementation Organization and Implementation Planning Implement Stand-by Requirements Develop Recovery Plans Implement Risk Reduction Measures Phase 3 Phase 4 Operational Management Develop Procedures ProjectKickoff Initial Testing Review and Audit Testing Change Management Training Education and Awareness Assurance Business Impact Analysis (BIA) Risk Assessment Service Continuity Strategy Phase 1 Initiate 9. Where doYOUStart ? Requirements and Strategy Business Impact Analysis (BIA) Risk Assessment Service Continuity Strategy Define Your Requirements Define How To Achieve Them 10. Where doYOUstart?

A simple analogy:

• If your home was on fire, in what order would you begin to remove the following items from harms way?

• • Family Photos;

• • Golf Clubs;

• • Big Screen TV;

• • Lock box with identification and bank information;

• • Kids;

• • Jewelry;

• • Makeup;

• • Mr. Squiggles the Hamster;

• • The complete box set of the I Love Lucy show;

• • Significant other.

11. How doYOUorganize this?

Youwalk through your house and create an inventory of your personal items;

Youthink through the possible disaster scenarios (e.g. fire, flood, wind damage, security breach, etc.); that could occur and define their likelihood of occurrence (e.g. flood threat is high, located next to a river.);

Youprioritize, rationalize and assign a criticality to your items;

Youthink throughreasonablesolutions based on the criticality and the recovery time requirements of each individual item;

Youidentify the elements and the associated costs required to implement these solutions.

12. What doYOUget?An Actionable Plan 13. Your County Context

Administration files and records;

Human Resources and Payroll Systems;

Tax Records;

Historical Records;

Court Systems;

Financial Systems;

Internet Accessible and Electronic Commerce Systems ;

Local and Wide Area Networks.

14. Requirements and Strategy: Business Impact Analysis

Business Impact Analysis:

• This is a key driver for identifying how much the organization stands to lose as a result of a disaster or other service disruption. The BIA identifies:

• • Critical Business Processes and the levels of integration between them;

• • The form that the damage or loss may take including lost income, additional costs, damaged reputation, etc.;

• • The degree of damage or loss as time progresses;

• • Staffing, skills, facilities and services required to enable critical and essential business processes to continue;

• • The time within which minimum and maximum levels of services should be recovered;

• • The time within which all required business processes should be fully recovered.

• These inputs allow for a mapping of critical service, application and infrastructure components to critical business processes.

15. Requirements and Strategy: Risk Assessment

Risk Assessment

• Understanding the likelihood that a disaster or other service disruption will actually occur. The Risk Assessment identifies:

• • Risks to particular services or processes;

• • Threat and vulnerability levels (e.g. motivation, available resources, single points of failure);

• • Levels of risk;

• • Initial risk reduction measures.

• Failure to assess all relevant risks leaves the organization open to possible disruptions;

• These inputs allow for a foundational understanding of risks and potential risk reduction measures across the entire infrastructure.

16. Requirements and Strategy: Service Continuity Strategy

Service Continuity Strategy

• Defining the appropriate risk reduction measures and continuity of operations plan:

• • Address availability management options including the elimination of single points of failure;

• • Considerations around outsourcing services to more than one provider;

• • Greater security controls;

• • Appropriate backup and recovery tools and methodologies;

• • Procedural improvements.

• Further defined recovery options:

• • Do nothing;

• • Manual work-arounds;

• • Reciprocal agreements;

• • Gradual recovery;

• • Intermediate recovery;

• • Immediate recovery.

• The plan provides for a balance between the cost of risk reduction measures and recovery options.

17. Tools

Business Impact Analysis Document

• Documents the mission critical processes that are supported by the current Information Systems, the level of disruption experienced in the event of a disaster and the overall recovery time requirements. These elements assist in defining the appropriate strategies for system recovery and resumption purposes. In addition, this document will identify the threats, risks and likelihood of a serious disruption to services.

Risk Model

• This model provides the organization with a graphical representation of the identified threats and vulnerabilities including the likelihood of occurrence. This assists in obtaining buy in from the organization in terms of setting priority and criticality to affected systems as well as the priority of remediation activities.

Service Continuity Plan

• The Service Continuity Plan defines the most appropriate methods of service recovery options and risk reduction measures. In addition, cost estimates, levels of efforts,and defined roles and responsibilities to execute are defined to implement the appropriate solutions.

Service Continuity Kick Start Templates

• Business Impact Analysis approach for future assessments;

• Systems documentation template;

• Crash kit contents;

• Communication Plans (notification procedures);

• Roles and responsibilities template;

• Risk Analysis approach.

18. Key ActivitiesBusiness Impact Analysis (BIA) Risk Assessment Service Continuity Strategy

High Level overall ITIL and ISO 17799 assessments;

Execute Systems Inventory;

Interviews with Key IT Personnel;Application Owners and Business Administrators;

Data classification;

Document findings, requirements.

Project Kick Off

Review project scope, work plan and charter;

Identify key personnel, roles and responsibilities.

Develop Risk Model;

Facilitated risk review meeting with Organization Stakeholders;

Develop preliminary list of risk reduction measures.

Develop risk reduction and recovery options for appropriate systems or IT processes;

Review strategy with Organization Stakeholders;

Review appropriate Kick Start templates with Organization IT personnel.

19. Sample Tools Outage Impacts and Allowable Outage Times Recovery Priority Business Impact Analysis Components 20. Sample Tools Impact Time 1 day 2 days 1 week 2 days 1 Month Very High High Medium Low Very Low Email Impact by length of disruption Graph Vulnerability Threat High Medium Low High Medium Low Risk Measurement Table Risk weighting and prioritization basedon threats and likelihood of occurrence Business Impact Analysis Components ERP Line of Business Web Site Custom SQL e Commerce 21. Sample Tools Business Impact Analysis Components 22. Sample Tools Service Continuity Strategy Components 23. Typical Supporting Materials and Tools

The following documentation and / or materials are being requested in advance to the start of the engagement:

• Organizational roles and responsibilities;

• Risk management plans;

• Policies, procedures, standards, and guidelines;

• General network and system documentation;

• System inventories by network segment including criticality;

• Prior security assessment findings;

• Disaster recovery invocation procedures (with decision tree);

• Application inventory with criticality;

• Backup and Recovery plans per application or service;

• Recovery testing procedures and most recent testing results;

• Crash kit contents.

24.

Questions?????

25. Contact

Harry Druck

Solutions Development

(717) 877 6957

[email_address]

Merritt Neale

Director, Security and Infrastructure Practice

(717) 319 9345

[email_address]

26.