Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
NEDRIX Conference
Braintree, MA
June 23, 2004
• Introduction
Em
ry
erg
• Protecting Your
ve
en
co
Employees
cy
Re
Re
• Emergency
ter
sp
Business
Response
as
Our Approach
on
Continuity
Dis
to Disaster
se
Management
• How to Build a Recovery
Robust Business
Continuity Program
• Execution Strategy Execution
• Quick Start Business Resumption
BCP
Business Impact
Emergency Response
AAA,AA,A,B,C,D????? Risks
Testing
Feeling Overwhelmed?
• Inquisitive
• Ability to think “outside the box”
• Relentless
• Doesn’t need to be “liked” by everyone
• Doesn’t get “rattled” easily
• Available 24x7
• Business knowledgeable
• Not afraid to open “Pandora’s Box”
• Enjoys challenges
• Insane!
• Setting the strategic direction and plans for all business units
to ensure business continuity and effective emergency
management.
• Integrating the contingency planning process across business
units when the nature of the business requires it.
• Providing consulting services and direction to senior
management.
• Coordinating and integrating the activation of emergency
response organizations with the business units.
• Provide period management reporting and status.
• Ensure executive management compliance with the
contingency planning program.
• Ensure the identification and maintenance of all critical
business functions and requirements.
• Develop, implement, and maintain policy and guidelines for all
business units to follow.
• Command Center
– Location set up for Management and
BCP to operate from during
emergency situation.
“Command Center”
– Maintain Contingency Plan Document
and other needed resources at
Command Center.
• Alternate Site
– A location where critical business functions can resume
processing in the event of a business interruption.
Relocation
(Primary Location)
NEDRIX Conference June 2004
(Alternate Site) 11
Business Continuity Terminology (cont’d)
• Vital Records
– All data and information required to support a business
function (i.e., historical, regulatory requirements)
– Includes:
• Policy and Procedures Manuals
• Input documents or data
• Manuals for software and other applications
• Vendor/Customer List
• Telephone/Rolodex
• Backup tape files
– Should be maintained off site at third-party vendor or
Command Center
• Access control
• Alarm monitoring
• Floor Warden program
• Evacuation drills conducted annually
• Shelter-in-Place drills conducted annually
• Background checks
• Procedures for emergency response in place
• Workplace Violence Programs
What to do if... xx
and you find it:
there is a 1) Call Corporate Security.
2) Activate the nearest building fire
FIRE alarm.
3) Follow the evacuation instructions
given by the Floor Wardens, who will
be wearing orange arm bands and
carrying flags.
What to do if...
you receive a
BOMB
THREAT
1) TAKE NOTES -- location and type of
device, time of detonation, sex and EMERGENCY
age of caller, quality of voice, accent, Numbers:
background noise(s), etc. -- this is
VERY IMPORTANT!
2) Immediately call Corporate Security.
3) Notify your supervisor/manager.
4) Wait for instructions from your
manager or the Floor Warden, or to
be broadcast over the public address
system.
What to do if there is an EVACUATION…
What to do if... 1) Prepare to evacuate, but wait for specific instructions via
the public address system, telephone, a Floor Warden or
a Security Officer. Some routes may not be safe.
EVACUATION 2) Follow the Floor Warden out of the building.
OF YOUR 3) DO NOT use elevators for emergency evacuation.
4) Walk quickly when directed to do so, but do not run.
AREA IS 5) DO NOT go back for any reason.
6) Proceed to the Evacuation Site for your building.
ANNOUNCED 7) Wait for further instructions from Corporate Security or
your company's Contingency Planner.
EMERGENCY
Numbers:
What to do if there is SEVERE WEATHER…
Where do I go?
what to do in an emergency?
I need supplies and a PC to start working again.
#8 Training &
Awareness
#4 Recovery Strategies
#2 Risk Analysis/Mitigation
Risk Corporate
Real Estate Security Enterprise BCM
Management Affairs
Dedicated/Certified
Business Continuity
Program Manager
Human
Systems Marketing Finance
Resources
• Protecting Information
• Protecting Reputation
• Mitigating Factors -
– Mitigating factors are the protection devices, safeguards, and
procedures which are in place that reduce the effects of the
threats.
– They do not reduce the threat; they only reduce the
impact of the threat.
Threat/Effect Matrix
Threat R e g io n ( Y , N ) ) Site (Y,N) Probability/Effect
(H,M,L)
Earthquake
Hurricane
Tornado
V o lc a n i c E r u p t i o n
F lo o d
Power Outage
Falling Aircraft
Transportation
M ishaps
Rail
Road
Boat
F ire
Smoke
Denial Of access
from Contamination
C ivil Disorder
W a ter Damage
Bomb Threats
Sabotage/Vandalism
Mechanical
Breakdown
Other (specify)
• Mitigating Factors -
– Mitigating factors are the protection devices, safeguards, and
procedures which are in place that reduce the effects of the
threats.
– They do not reduce the threat; they only reduce the
impact of the threat.
Threat/Effect Matrix
Threat R e g io n ( Y , N ) ) Site (Y,N) Probability/Effect
(H,M,L)
Earthquake
Hurricane
Tornado
V o lc a n i c E r u p t i o n
F lo o d
Power Outage
Falling Aircraft
Transportation
M ishaps
Rail
Road
Boat
F ire
Smoke
Denial Of access
from Contamination
C ivil Disorder
W a ter Damage
Bomb Threats
Sabotage/Vandalism
Mechanical
Breakdown
Other (specify)
Your Paycheck
• Mission-Critical:
– Defined by the business units as those functions
that are required to complete processes
– Critical to the continuity of the business
• Customer-Critical:
– Defined by the business units as those functions
that are required to complete processes
– that are critical to the customer’s perception of
the business
LDRPS Function Mailzone Risk Code Time before Customer Regulatory Financial Rating Recovery Alt. site
Function Name impact Impact Impact Impact Total Time
ID Sensitivity
F = Financial 0 = > 3 days 0 = none 0 = none 0 = none Sum of Code
C = Customer 1 thru 4
R = Regulatory 1 = 3 days 1 = Low 1 = Low 1= 0 to 10K
5 = > 1 Mil
• Do You Know:
– Where they are?
– What is included in them?
– How to get them?
– Who is authorized to retrieve them?
– How long it will take to retrieve them?
– Where to have them delivered?
– How long it will take to restore them?
– Who will restore them?
MRO
SLC
Built by Building/Business
• Teams
§ Assessment Team
§ Crisis Management Team
§ Emergency Response
Teams
• Permanent standing conference
bridge
• Event owners defined
• Escalation process defined
• Recovery Status
• Updates to Contingency Information Line
• Communication to Employees
• External Communications
• Client Communications
• Problem Management
• What to Do:
– Call everyone on your Emergency Notification List and validate their phone
numbers are accurate and that your team is prepared to respond.
• How to Do It:
– Call them at work but require a response - no voice mails
– Call them at home
– Page them. If they do not respond within a certain timeframe, try again or
try reaching the backup - require a response
– Page them and have them call into a conference bridge
• Why We Do It:
– Validate the phone numbers are accurate
– Find out how long it takes to reach everyone
– Determine what percentage of people are unavailable
– Exercise Call Notification Procedures
Scope : The scope of this exercise is limited to a site outage at the primary
site only and validating the recovery capabilities of the critical functions
performed at that site by this company
Sample Exercise Plan (cont’d)
Business Requirements:
To recover the critical functions from the primary site within a timeframe
which will allow this company to meet the business requirements of
Fidelity Investments with minimal disruption to Fidelity’s Customers and
the business units which are dependent on these functions to execute
their critical business functions.
Sample Exercise Plan (cont’d)
Contingency Planning Objectives:
1. Validate the recovery procedures for the business functions at this site can be successfully
implemented in the event of emergency at the designated alternate site.
2. Verify that the business units have full functionality in the designated alternate site
3. Verify that the business units have full connectivity in the designated alternate site.
4. Validate the ability to send and receive the identified critical inputs and outputs of these
business functions
Business Function Objectives
1. Validate that the recovery procedure for this critical function is complete.
2. Validate that all required data for recovery is stored offsite and can be retrieved at the
time of need
Telecom Objectives
1. Support the business unit in validating the site recovery.
2. Test the implementation procedures of the alternate site to support this site outage
3. Validate the full functionality and connectivity exists at the alternate
Sample Exercise Timeline
• Have final meeting with team and make final go/no-go decision for
exercise
• Conduct exercise
– Update timeline as events occur
– Conduct exercise status meetings if needed
– Manage problems as they arise
– Make list of action items to be addressed
– At conclusion of test, conduct a short debriefing session with the
team
Post - Exercise Tasks (Post-Mortem)
• Building evacuations
• Shelter-in-Place
• Severe weather protocol
• Short and long term building outages
• Employee notification procedures
• Employee contact/call in procedures
– Employee contingency information line
– Call trees
• Emergency Reference Guides
• Contingency Information Lines
• Planned Events
• Unplanned Events
• Do not assume your disaster recovery team and the rest of the
corporation survive the attack
– We were unaffected by this, but other New York based corporations lost
entire recovery teams and the documentation required to recover
– Other corporations were struggling to do required day-to-day business
functions because those responsible died in the event and the training
materials for the position were stored in the building
• Do not assume you will be able to get the required equipment from
your vendors very quickly
– This did not impact us, but the drop in the economy left many vendors
with little or no inventory. The ability to obtain required equipment quickly
was hampered.
• Do not assume you will be able to fly/transport your team members or
associates anywhere
– Airport closures, subways closures, road closures
– Develop alternate transportation plans
AA 4 hours
A Same day
B Within 24 hours
C 48-72 hours
D 72 hours or more
If you couldn’t get back in your building today, what would you do
next?
DRI International
www.drii.org
Continuity Insights
www.continuityinsights.com/conf.cfm
Em
ry
erg
ve
en
co
cy
Re
Re
ter
sp
as
Business
on
Dis
Our Approach
Continuity
se
to Disaster
Management
Recovery
Strategy Execution
Business Resumption