Preparing for the Unexpected Myrtle Beach Area Business Disaster Recovery Symposium January 30, 2015 5 Key Recovery Issues Contingency Planning Association of the Carolinas Steve Shupe, MBCP Myrtle Beach Disaster Recovery Symposium – January 30, 2015 1 1. Communications in a Disaster 2. What do your customers need to remain assured of your stability? 3. Technology and Workspace Recovery Issues • • • • Data Center Security Cloud Workspace 4. What do your business partners require to continue order fulfillment and delivery? 5. Test it to ensure you know how to do it and that it works Myrtle Beach Disaster Recovery Symposium – January 30, 2015 2 Contingency Planning Association of the Carolinas • A not for profit (501-c3) professional peer group - Shares information, education, and resources in contingency planning in North and South Carolina Second Wednesday of the Month 1pm – Once per quarter Columbia – Jan / Apr / Jul / Oct Charlotte - Feb / May / Aug / Nov • Annual CPAC Symposium – April 9-10, 2015 Charlotte • cpaccarolinas.org – CPAC Website • Send an email to [email protected] from the email address to be added to the server, with the subject line Join CPAC List Server Myrtle Beach Disaster Recovery Symposium – January 30, 2015 3 3 Recent Meetings • • • • Industries Represented Electric and Gas Universities and Colleges Financial Services Insurance Companies • Federal, State, and Local Government • Manufacturing • Retail • Healthcare • Telecommunications • Disaster Recovery Services Meeting Presentation Topics 1. Continuity and Disaster Recovery in South Carolina State Government, Tom Scott and Rick Makla, both Deputy Chief Information Security Officers, SC Division of Technology, Budget and Control Board 2. Disaster and Recovery – A look at the workplace – Nancy Grunnet, CSRA Regional VP, First Sun EAP 1. “But my Data is Backed-Up” and Nine Other Common Disaster Planning Mistakes – Josh Smith, Public Sector Manager, Agility Recovery Solutions 2. Today’s Most Pressing Backup and DR Issues – Harold Schmoecker, Unitrends 1. “Examining the Relationship Between Liability and Planning for Emergencies”, Will Moorhead, President/Owner of All Clear 2. The SC EMD will provide a brief update on Planning and the rest of the remaining time will be dedicated to an open discussion on any topic, issue and question requested by anyone attending. 1. Partnering with Emergency Management – James Bateman, SC Department of Commerce and Elizabeth Ryan, SCEMD. 2. Hurricane Program Update – Dave Harbison, SCEMD Hurricane Program 3. Prepare Before You Call for Help – Greg Sox, Blue Cross Blue Shield of SC, Business Continuity Analyst 4. Public Information and Social Networking During Disaster – Derrec Becker, SCEMD – SPEAKER: Mark Turnbull, CBCP, MBCI, CBRP, CBCV - Managing Principal of Turnbull Consulting, Inc., Wallace, NC 1. “BIA (Business Impact Analysis)” 2. “Disaster Recovery (IT) and Business Continuity Planning” 3. “Table Top Exercises” Myrtle Beach Disaster Recovery Symposium – January 30, 2015 4 Why Develop an Emergency Plan? • An estimated 25 percent of businesses do not reopen following a major disaster, according to the Institute for Business and Home Safety. • The number of declared major disasters more than doubled in the 1990s. • A business can be hurt indirectly when disaster strikes customers or another business, such as a supplier or distributor. • OSHA requires that most businesses with 10 or more employees have a written emergency plan. • The realities of a post-9/11 world and an increasing dependency on computer technology call for additional protection of business operations. • The 9/11 Commission emphasized the critical importance of preparedness in protecting business assets and safeguarding employees’ lives. Source: FEMA Ready Business Mentoring Guide Myrtle Beach Disaster Recovery Symposium – January 30, 2015 5 5 https://www.fema.gov/media-library/resources-documents/collections/357 Myrtle Beach Disaster Recovery Symposium – January 30, 2015 6 Don’t Assume You Are Immune FDIC Lessons from Katrina (with FFIEC and Conference of State Bank Supervisors): Major challenges faced by financial institutions included the following: • Communications outages made it difficult to locate missing personnel. • Access to and reliable transportation into restricted areas were not always available. • Lack of electrical power or fuel for generators rendered computer systems inoperable. • Multiple facilities were destroyed outright or sustained significant damage. • Some branches and ATMs were underwater for weeks. • Mail service was interrupted for months in some areas. Myrtle Beach Disaster Recovery Symposium – January 30, 2015 8 1. Communications: • If your office is closed – Who will answer the phone • How do you communicate closures and emergency information to employees Employee Contact Information – Home, Cell, eMail – Update it regularly • Larger firms should consider establishing a disaster notification phone number and/or website available to keep employees informed (Perhaps use a Mass Notification System) • How will your management team communicate – cell phones, conference lines? eMail? Myrtle Beach Disaster Recovery Symposium – January 30, 2015 9 2. Customer Contact • Remember that your customers are hearing news reports that may or may not be accurate. They need to hear from you as soon as possible. • Do you have emergency contact lists for your customers • What about past and future customers? – contact them • Design a plan for notification of active and non-active clients to reassure them that your disaster preparedness plan has been activated, and give them alternate contact information and expectations for restoration of functionality • When it comes to keeping good customers, there is no substitute for communication. Myrtle Beach Disaster Recovery Symposium – January 30, 2015 10 3.A Technology and Workspace Recovery • Identified Critical Systems • Data Backup – Tape / Replication / Cloud • Can you get to Backup Data – • • • • • Location of Data Center • • • • Must you restore data first Is it on tape, replicated, or in the cloud Have you tried to recover files from backup so you know how to do it Have you timed the recovery process? In your building – Same location as staff Co-Lo – Offsite but nearby Hosted Failover – Automatic / Manual / Recovery First • • • • • How far must your technical staff travel If transporting tapes, has a plan been created Must equipment be ordered and installed to keep critical apps running Are recovery instructions documented Has IT and Business Unit tested this failover Myrtle Beach Disaster Recovery Symposium – January 30, 2015 11 3.B Security Policies • Plans must ensure information security policies are maintained in a recovery situation • Making sure the recovery site has proper security, including updated antivirus and firewall protection. • Conduct proper due diligence of any disaster recovery provider and take proper precautions in a shared recovery facility. • Transmission of data for backup purposes must also be secured. • Your disaster recovery instance could be long term, maybe six months… Can you be comfortable with the decisions you make in choosing the facilities and the protections for that length of time? Myrtle Beach Disaster Recovery Symposium – January 30, 2015 12 3.C Cloud Based Backup • Before signing up with any Backup as a Service (BaaS) or Disaster Recovery as a Service (DRaaS) supplier, make sure to read the fine print in the SLA. • If you anticipate special needs or services from your backup or DR provider, tell them in advance and make sure to put it in writing. • Describing your expectations of service in advance, including response time and ticket escalation procedures, should eliminate any questions later • Consider the use of Cloud Computing resources that are located in ISO 27001-certified Data Centers that are located in regions that are low risk and which have stable power, cooling, etc. Myrtle Beach Disaster Recovery Symposium – January 30, 2015 13 m 3.D Workspace Recovery: • How many seats (based on essential staff) • How quickly do they need to be operational • Does the recovery site have network capabilities already – how fast are they • Management conference rooms may be acquired at local hotels • Fixed Recovery Space or Mobile Recovery Space Myrtle Beach Disaster Recovery Symposium – January 30, 2015 14 4. Business Partners, Suppliers and Vendors: • Communications – • • • Maintain a current list of suppliers with contact information Ensure the list is offsite but where it can be reached Update the list on a regular basis • Supplier review – • • Ask for their Business Continuity Testing Results Identify potential alternate suppliers – keep a list • Do you have emergency contact lists 3rd Party IT support; Bank contacts; Key hardware and software vendors; Property Manager; Utility Companies; Etc. Office furniture and supplies vendors; Professional restoration vendors; Snow / Debris Removal; Fire/Police; Insurance agent(s); Myrtle Beach Disaster Recovery Symposium – January 30, 2015 15 5. Test It: • You • • • • • • might have put measures in place… but will they work? Can you actually recover files from the cloud Do your managers know how to communicate Are contact lists current Have you considered the message to customers Where will your employees work as you rebuild How long can you really be out of business • Work From Home – Lots of failure points • Do your employees know what to do? • Ask questions – They often spark ah-ha moments Myrtle Beach Disaster Recovery Symposium – January 30, 2015 16 Myrtle Beach Disaster Recovery Symposium – January 30, 2015 17 1. How often should my plan be updated? 2. How far should my backup data center be from the primary? 3. Do I need recovery seats for all of my employees? 4. How do I find workspace recovery space? 5. How to you test the recovery plan? 6. Who are some vendors that could help me? Myrtle Beach Disaster Recovery Symposium – January 30, 2015 18 Resiliency Services CPAC does not endorse or recommend any of these vendors, they are suppliers in the business recovery and disaster recovery space and are presented as a service. Myrtle Beach Disaster Recovery Symposium – January 30, 2015 19