L3- DR with BCP.pptx

Full Transcript

Disaster Recovery & High Availability Techniques

Lecture 3 – DR with BCP

Chamara Disanayake
Senior lecturer
Department of network and Security
Flash Back
High availability is fault protection against minor outages.
Outages which is not exceeding the margins defined in SLAs
Mainly discussing the “Redundancy”
Disaster recovery is fault protection against major
outages.
Exceeds the SLA and users aware of the outage.
Need to consider how the business can be continued with
reference to RTO and RPO
Both objectives are two sides of one coin: incidents and
problems happen, and we need to cope with them 
Business Continuity
2
HA and DR with BC

DR
HA Improved
Business
BC

3
BCP vs DRP
Scope

Objectives

https://www.perplexity.ai/search/what-is-the-n.aeK7z.SNqXPcwPlO4dyQ 4
Business Impact Analysis (BIA) –
Network Centric
General Scenarios
Security Breach, Product/Technology Failure, Natural
Disaster, Financial Crisis, Workplace Violence,
Environmental Crisis
Identify how business will be impacted without network
The network may be partially operational – Internal network
issue
Network may be completely down –WAN network issue
It may be under attack (DDoS, Network Flooding etc.).
Think of all scenarios for the network.

5
Identification of Critical Operation
Check the business priorities.
Take each scenario and identify how its impact.
When it is a temporary failure
When a disaster
Need to Identify the dependency.
Identify how the IT is connected with the
applications and operations.

6
Identify the Gravity of Disruption
Could be suspended, if necessary for a short
period.
Could be scaled down, if necessary for short
periods of time.
Can tolerate very short periods of disruption.
Cannot tolerate any disruption.

Source: ISO 22313

7
 Focuses on managing the IT department
and ensuring that technology supports
DR and BCP - Responsibilities internal processes and operations.
Responsible for IT infrastructure, budgeting,
and strategic planning. Typically, more
business-focused, with a focus on cost
Strategy – Choosing the Solution reduction and efficiency.

Focuses on developing and implementing new technologies to drive business growth
8
and innovation.
CIO - Responsibilities
Developing and Implementing Disaster Recovery Plans
Identifying critical IT systems and data to be recovered.
Developing procedures for data backup and damage assessment.
Establishing incident response times and improving them if
necessary
Creating Business Continuity Plans
Ensuring the organization can continue core business operations
after a disaster.
Identifying essential business functions and processes.
Developing procedures for maintaining contact with key vendors
and suppliers

9
CIO - Responsibilities
Leadership and Coordination
Providing leadership and coordination during disaster
recovery and business continuity efforts.
Ensuring that all stakeholders are working together
effectively to minimize downtime and ensure
business continuity
Overseeing IT Infrastructure to assure its
alignment with the business need and
requirements.
Developing Budgets and Resource Allocation
10
How to Develop the DR Plan and
Implement it?
Identify the Business process
business process
Operational Impact
Affordable downtime.
Identify the system Components
The system component
Dependency.
Recovery time.

11
Maximum Tolerable Downtime (MTD).
System can have an affordable down time.
This allow us to act and minimize the impact within the
time frame.
Mission critical systems needs to operate 24X7 but
it can have a downtime.
The MTD represents the total amount of time the
system owner/authorizing official is willing to accept
for a mission/business process outage or disruption
and includes all impact considerations. (NIST)
12
Develop Key Recovery Targets(RTO &
RPO)
Recovery time objective (RTO)
Period of time from disaster onset to resumption of
business process
Recovery point objective (RPO)
Maximum period of data loss from onset of disaster
counting backwards
Amount of work that will have to be done over

13
Identify resource requirements
For each scenario Identify its resource
requirement to bring back the system to
operations.
Count all physical tangibles, software, human
resources in to account.
Additional resource acquiring cost must be
consider.
For some resources it can be cover with SLA &
various contracts.
14
Identify recovery priorities
With the data from above ( RTO/RPO ,Resources ,
cost ,Etc) we can finalize the recovery priorities.
List down/rank based on the priorities.
Balancing the cost of recovery.

15
Balancing the cost

Determine Business Processes and Recovery Criticality

16
Responsibilities
Procurement

17
Responsibilities
Procurement

18
Make it Work

19
Identify the Preventive Controls/
Contingency Strategies

Its better to avoid than face it.
Since the scenarios are Identified you may find
preventive controls.
For critical ones Prevention is better.
The backups /stand by sits or equipment/fault
tolerance capabilities on critical Core elements.
This leads to topic “High Availability”.

20
Develop the DR/BCP
Once the priorities are identified, we can come
up with relevant strategy.
Build the Roles and Responsibility chart.
Everyone has a role to play.
Identify who will execute what activities in what
order.
Build the Communication Plan.
Clear indication of chain of command.
In disasters, everyone goes to panic therefore this is an important task.

21
Responsibility Chart – DR Process
Responsibilities of units/professions

22
Communication Plan
Provides procedures for disseminating internal and
external communications; means to provide critical
status information and control rumors.
Provides the channels to communicate with personnel
and the public; not information system- focused.
Crisis Communication Team
Senior executives, heads of major divisions, should be
identified to serve as the organization’s Crisis
Communications Team.
CEO will head up the team, with the top public relations
executive (or outside agency or consultant) and legal counsel
as chief advisers
23
Communication Process
Crisis Spokesperson
The pool of potential spokespersons/subject matter experts
should be identified and trained in advance, even though CEO
will make the ultimate decision about who will speak will be
made once the crisis breaks.
Consider all the different channels of communications, both
internal and external, that you may need to cover.
Stakeholders
Create a complete database of internal and external
stakeholders to guarantee that they obtain the exact messages
needs them to hear and potentially repeat to other individuals or
media outlets.

24
Communication Flow
A proper communication flow for internal staff should
also be developed to communicate effectively during a
crisis which can make a difference in determining
whether the company ultimately succeeds or fails.
It also can help employees maintain a sense of calm
and order by giving them important information they
might not have access to otherwise.
A high-level manager activates the
Call Tree  call tree, calling three front line
managers.
Each front line manager calls the
employees they are responsible for

25
Communication Platforms and
Monitoring
Set up notification systems to rapidly reach the
stakeholders.
Employing more than one type of communications platform (email plus
text for example) the chances are much greater that the message will
go through.
Monitoring what’s being said about the incident on
traditional and social media can alert you to negative
messages that could foment a crisis.
Monitoring all stakeholder feedback during a crisis
supports logical changes to strategy and tactics.

26
Training and testing
The training is a critical part of the process.
Practice reduce the time take to think & take actions.
All who will be involve must be train.
Rest of the staff must be notified about the BCP/DR
plan.
The DR drills must be done periodically.
6 month is a standard for enterprisers.

27
DR Testing Templates

28