A Business Continuity

Planning Toolkit
Security 2008 – EDUCAUSE & Internet2
Security Professionals Conference
Robert J. Block (B.J.), IT Security Analyst
University of Rochester

Beth Buse, Deputy Director of Internal Auditing

Minnesota State Colleges and Universities

Leslie Maltz, Deputy VP for IT Planning & Standards (retired)

Columbia University
 Copyright Leslie Maltz, Beth Buse,
Robert Block, 2008

This work is the intellectual property of the

authors. Permission is granted for this
material to be shared for non-commercial,
educational purposes, provided that this
copyright statement appears on the
reproduced materials and notice is given
that the copying is by permission of the
author. To disseminate otherwise or to
republish requires written permission from
the authors.
 What would your college
or university do if….
A fire destroyed your administration
building?
A tornado destroyed a resident hall?
A water pipe burst and flooded your data
center?
Half of your faculty and staff called in sick?
A bomb exploded in a classroom?
 Terminology and
Definitions
All Hazards Planning – an integrated planning approach to all
domestic terrorist attacks, major disasters, and other emergencies.
Business Continuity Planning (also referred to as Continuity of
Operations Planning and Service Continuation Planning) – process for
determining an institution's ability to maintain or restore its business and
academic services when some circumstance disrupts normal operations.
Disaster Recovery Plan – refers to the technological portions of the
business continuity plan. This plan contains the details to ensure systems
and communications are restored within a predetermined timeframe.
Business Impact Analysis - A management level analysis, which
identifies the impacts of losing resources. This analysis measures the effect
of resource loss and escalating losses over time, in order to provide senior
management with reliable data upon which to base decisions on risk
mitigation and continuity planning.
Pandemic Planning – preparation in the event that the Avian Flu virus
reaches pandemic stage.
Emergency Response Plan – this plan includes details for
responding to sudden states of danger that require immediate action.
 Importance of Preparing
Planning provides for backup
 If primary staff unavailable – who will do the
work?
 If primary system is gone – how do we
operate?
 If a specific building cannot be occupied –
where do we go?
Planning creates routines
 Routines create repetition and normalcy
 Normalcy generates calm instead of panic
 Homeland Security
Presidential Directives
HSPD-5
 Subject: Management of Domestic Incidents
 Established the National Incident Management
System (NIMS) and National Response Plan
(NRP)
HSPD-8
 Subject: National Preparedness
 Added definition to the National Response Plan
(NRP) and established the term "all-hazards
preparedness".
 Homeland Security Vision
Statement for Higher Education

“That all schools and universities are

prepared to mitigate/prevent, respond to,
and recover from all hazards, natural or
man-made by having a comprehensive,
all-hazards plan based on the key
principles of emergency management to
enhance school safety, to minimize
disruption, and to ensure continuity of the
learning environment.”
U.S. Department of Education Sector Specific Plan
 MnSCU - All Hazards Plan

MnSCU Board Policy 1A.10 Long Term

Emergency Management
“Each college, and university and the Office of the
Chancellor shall develop and maintain an All Hazards
Plan that provides guidelines in the event of long term
emergency. The plan shall be developed in
accordance with guidelines developed and
administered by the Office of the Chancellor in
accordance with state and federal directions. The All
Hazards Plan will include sections that address crisis
intervention, continuity of operations, and emergency
preparedness.”
 Minnesota State Colleges and Universities

All Hazards Planning Architecture

Minnesota State Colleges and Universities

All Hazards Plan

Emergency Crisis Continuity

Preparedness Intervention of Operations
 Minnesota State Colleges and Universities

All Hazards Planning Architecture

Continuity of Operations

Essential Services Plan Elements

Academic Functions Wind Event

Special functions:
Library and
Information Services Healthcare/Student Water Event
Public Safety Services Functions
IT System Support Fire Event
Athletics Operations Functions
Other Utilities Loss Event

Facilities Functions
IT Services Event

Communications
Functions Pandemic Event
 Where to Start?

EDUCAUSE - Business Continuity

Planning Toolkit:
https://wiki.internet2.edu/confluence/display/secguide/Business+Continuity+Planning+Toolkit

 Provides a resource of guides, examples

and templates
Need to have executive level buy-in to
succeed.
Ideal: have dedicated resources
Need to have a cross-functional team.
 Business Impact Analysis

If one of the afore mentioned disasters

were to occur, how would you know
where to focus your recovery efforts first.
 Business Impact Analysis

Definition:
A management level analysis, which
identifies the impacts of losing resources.
This analysis measures the effect of resource
loss and escalating losses over time. In order
to provide senior management with reliable
data upon which to base decisions on risk
mitigation and continuity planning.
 Goals of the
Business Impact Analysis
To establish the value of each organizational
unit or resource as they relate to the function of
the total organization
To provide the basis for identifying the critical
resources required to develop a business
recovery strategy
To establish an order or priority to restoring the
function of the organization in the event of a
disastrous event
 Considerations

Enterprise (or University) wide

Goes beyond IT
Need to have executive level buy-in
Need to have a cross-functional team
Willing to make tough decisions
A time consuming effort
 Terminology

MTTR – Mean time to Recover

MTBF – Mean Time Before Failure
Criticality Level
Tangible Impact
Intangible Impact
RPO – Recovery Point Objective
RTO – Recovery Time Objective
 Business Impact Analysis

Phases
 Project Planning
 Data Collection
 Data Analysis
 Reporting Findings
 Approval for Next Phase
 Business Impact Analysis
Project Planning
Identify
 Objectives
• Criticality of business functions
• Critical dependencies
• Impact of disruptions
• Critical resources
 Scope
• Departmental
• Facility
• Complex
• Region
• Organization
 Business Impact Analysis
Data Collection
How to collect information from the
community
 Questionnaire
 Interview
 Hybrid
 Business Impact Analysis
Data Collection
Questionnaire Approach
 Design questionnaire
 Develop data analysis
process
 Develop instructions
 Cover Letter
 Formal presentation
 Questionnaire distribution
 Questionnaire collection
Interview Approach
 Develop interview guide
 Train interviewers
 Formal Presentation
 Schedule interview
 Conduct interview
 Validate
 Business Impact Analysis
Data Collection
Topics to address
 Mission
 Service Objectives
 Dependencies
 Impacts over time
 Critical time periods
 Financial impact
 Operational impact
 Legal, regulatory, contractual requirements
 Business Impact Analysis
Data Collection
Additional items to reference
 Mission Statements
 Service Objectives
 Service Level Agreements
 Organizational Charts
 Policies and Procedures
 Business Impact Analysis
Data Analysis
Quantitative Impact
 Losses identified in quantities or percentages
that can be described in monetary terms

Qualitative Impact
 Intangible losses that can impact operationally
but that can not be quantified in monetary
terms
 Business Impact Analysis
Data Analysis
List of business functions ordered by
restoration time
Consolidation
 Simplify the process
 Create priority levels
Project lead confirms with management
 Business Impact Analysis
Report Findings
Confirm findings with end users and
functional departments
Present formal findings to executive
management
 Business Impact Analysis
Approval for Next Phase
Just when you thought it was done…

Begin moving on to the next phase

 Business Impact Analysis
Resources
EDUCAUSE website
(https://wiki.internet2.edu/confluence/display/secguide/Business+Co
ntinuity+Planning+Toolkit)

Disaster Recovery Journal website

(http://www.drj.com)
 Disaster Recovery
No Longer an Optional Activity
 Why Have a Disaster
Recovery Plan?
Natural and Man-Made emergencies
cannot be prevented
Preparedness means quick response
Part of an All Hazards response effort
Tough to function during an emergency

“It will never happen here is NOT TRUE”

 BUY-IN

Clear mandate (Senior Executives)

Facilities
Staffing (DR and Business Unit staff)
Coordination during emergencies
Authority to take actions
Funding
Testing
 Not Just for Central IT Units

Business Units must identity and prioritize

key resources and define acceptable risks
This is NOT just a technology issue
 Critical Resources

Prioritization
Dependencies/Relationships
Alternate resources
Command Centers
Coordination/Management of Response
Funding
 Disaster Recovery Plan

Gives a blueprint for reestablishing

critical business processes under
extraordinary conditions
 Disaster Recovery Planning
is NOT a One Time Activity
You Must Have Frequent:
Updates
Drills
Training
Reviews
 Identify Applications

Determine Criticality
Resources Needed
Priorities and Dependencies
 Identify Applications

Have Business Units Review and

Revise Priorities
 Contact Information

Identify (and keep current) staff

contacts and all means for
communication:
 Office
 Home
 Mobile
 Email addresses
 Compile all Required
Documentation
Operational Documentation
Emergency Recovery Action Templates
(ERAT)
Contact Info
Command Center Inventory Checklist
 Command Centers

Identify Locations
Establish and stock resources
Inventory Checklists
Schedule for inventory assessment
 Duty Managers
aka Team Leaders
Schedule and Coverage
Train
Assess Command Center Inventory
Substitution Procedure
 Drills and Testing

Table top exercises

Real tests and emergencies
Evaluate the response, procedures,
and staff
Repeat!
 Forms and Templates

ERAT Emergency Application Template

Log and Post Mortem Forms
 for use during and after emergencies and drills
Contact Information
 Office, home, mobile phones
Team Leader Training
Team Leader Responsibilities
Command Center Inventory Checklist
Business Continuity
Planning Toolkit
Questions