Dis isaster Recovery ry Pla lanning Presented by Matt Stolk - - PowerPoint PPT Presentation

Dis isaster Recovery ry Pla lanning

Presented by

Matt Stolk Associate Director Northwest Regional Data Center Florida State University

FAEDS 2015

Why are we here?

Over the last couple of years, business continuity has become more of a priority for many organizations. Understanding the needs and requirements for building a successful DR plan are just some of the struggles on the road to implementation. Major challenges in developing this plan center on the identification and classification of applications and data, developing business requirements, determining the infrastructure and software needs, as well as weighing cost against these requirements. This session will go over NWRDC’s experiences in building their DR plan and touch on lessons learned from doing this as well as working with

• ur customers in building their plans.

Why are we really here?

So what do we need to pla lan for?

What does a DR Pla lan Consist of?

According to National Institute for Standards and Technology (NIST) Special Publication 800-34, Contingency Planning for Information Technology Systems, the following summarizes the ideal structure for an IT disaster recovery plan:

• Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to

develop an effective contingency plan.

• Conduct the business impact analysis (BIA). The business impact analysis helps to identify and prioritize critical IT

systems and components

• Identify preventive controls. These are measures that reduce the effects of system disruptions and can increase system

availability and reduce contingency life cycle costs.

• Develop recovery strategies. Thorough recovery strategies ensure that the system can be recovered quickly and

effectively following a disruption.

• Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a

damaged system.

• Plan testing, training and exercising. Testing the plan identifies planning gaps, whereas training prepares recovery

personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.

• DR Plan maintenance. The plan should be a living document that is updated regularly to remain current with system

enhancements.

DR Policy Statement

Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.

• Example

XXXX shall maintain a Disaster Recovery Plan that establishes procedures for business resumption in the event of an emergency. This plan shall be reviewed yearly and updated as necessary. A copy will be located HERE…. XXX will conduct annual disaster recovery tests, at a minimum, to ensure services recoverability.

Business Im Impact Analysis

Conduct the Business Impact Analysis (BIA). The business impact analysis helps to identify and prioritize critical IT systems and components.

• Information needed from Business Units and Application Owners.
• Completed by both IT and the Business Units
• Identifies requirements for Recover Time Objective (RTO) as well as perceived

impacts to the organization as a whole

• Identifies System and Application POCs

Id Identify fy Preventative Controls

Identify preventive controls. These are measures that reduce the effects of system disruptions and can increase system availability and reduce contingency life cycle costs.

• OK, so what does this mean?
• Examples:
• Server Clustering
• GEO Replication
• Offsite backups
• Backup Replication
• Hot/Warm/Cold DR Site
• Cloud

Develop Recovery ry Strategies

Develop recovery strategies. Thorough recovery strategies ensure that the system can be recovered quickly and effectively following a disruption.

• How will things be recovered
• How will we meet the RTO defined in the BIA
• Will feed into the DR Runbook

Develop IT IT Contingency Plan

Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.

• This is the DR Runbook
• Should have detailed instructions on how to recover
• Should be written in a way that anyone with

access could run through the recovery

Test the Plan

Plan testing, training and exercising. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.

• If everything goes as planned you are not testing hard enough
• Depending on the situation the runbook may be modified or not

completely followed

• Be sure to discuss outcome of the test
• Improve the plan, post testing is the best time to

make changes

Review and Update the Plan

Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.

• Be sure to keep track of revisions
• Summary of changes is sometime helpful
• Ensure that staff and vendor contacts

information is current

• Verify inventories, machine names, backup

inventories

Resources to Assist

FEMA – Business Continuity Planning Suite http://www.ready.gov/business-continuity-planning-suite Includes:

• Disaster Recovery Plan Generator for IT Recovery
• Business Impact Analysis (BIA) Forms
• Test Tools (Scenarios)
• Training
• Plan Maintenance Walk through

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

DR Pla lan Generator

After completing the wizard in the tool, you can browse to the MS Word version of the file you

• created. It is stored in the directory listed below:

‘InstallDirectory’\Business_Continuity_Planning_Suite\Business_Continuity_Planning_Suite\media \Disaster_Recovery_Plan_Extract\temp.doc

What’s Next?

Actionable Items:

• Next Week –
• Application and Server Inventories
• Identify key staff resources for planning
• Next 1 to 6 Months –
• Meet with Business Process Owners (BPO) – Get buy in!
• Determine the requirements and options
• Budget
• Next Year –
• Implement
• Test! Test! Test!
• Update, Improve, Maintain

Resources

• FEMA – Business Continuity Planning Suite

http://www.ready.gov/business-continuity-planning-suite

• NIST

http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34- rev1_errata-Nov11-2010.pdf

• Gartner

http://www.gartner.com

• Northwest Regional Data Center

http://www.nwrdc.fsu.edu Matt Stolk Matt_Stolk@nwrdc.fsu.edu (850)645-3562