Scenario based recovery metrics
-
Upload
rod-davis -
Category
Technology
-
view
115 -
download
0
Transcript of Scenario based recovery metrics
A Method to Measure the Ability to Recover from Simple to Complex Disaster Scenarios
Rod Davis, CRISC, CBCP
SIL InternationalVersion 1.01
Thanks so much to SIL Global Technology and
Information Services for their patience and suggestions
in helping craft our disaster recovery methodology. Our
current format of disaster recovery fed directly into the
development of this presentation.
What is ‘Scenario-based Recovery Metrics’?
Benefits of this Approach
Quick Review of some Key DR Concepts
Principles to apply with this Approach
How it Works
Recovery Procedures
Exercises
Where to find this Stuff
Takeaways
Scenario-based Recovery Metrics give
continuity planners a method to measure the
business unit’s (or IT Department’s) ability to
recover from a range of scenarios, from the
simple to more complex.
Prevents unrealistic expectations by the business owners
Identifies gaps to meeting recovery requirements
Supports budgets and projects for gap remediation.
Provides a basis for exercises
It gives opportunity for continuity planners to dialogue with stakeholders and explain existing limitations
Dialogue … ‘We can meet your requirements for this set of simpler scenarios, but are (currently) unable to meet them for these more disruptive scenarios.’
Professional Practice* Three – Business Impact Analysis: Item 6.c -
Identify gaps between current recovery capabilities and requirements defined by the results of the BIA.
Current State
Desired State
Steps required for change
Action Plan____________________________________________________
*Professional Practices for Business Continuity Practitioners – DRII.org
Business Continuity Planning Cycle
Business Impact Analysis
Recovery Point Objective (RPO)
Recovery Time Objective (RTO)
Project Initiation
Risk Assessment
Business Impact
Analysis
Business Continuity Strategies
Business Continuity Plan Development
Training, Testing,
Evaluation
Business Continuity Planning is ...
project oriented
iterative
ongoing multi-phased
requires testing
The Business
Continuity
Planning Cycle
This approach touches the Business Impact Analysis.
A process designed to assess the potential quantitative
(financial) and qualitative (non-financial) impacts that
might result if an organization was to experience a
business disruption.
- Business Continuity Glossary by DRJ.com
RPO – Recovery Point Objective RTO – Recovery Time Objective
Point of last data backup Systems fully recoveredDisaster strikes!
• RPO – Recovery Point Objective• The maximum data loss that an organization will tolerate. Data and
systems must be restored to this point after a disruption.
• RTO – Recovery Time Objective• The maximum period of time that an organization accepts for recovery of
business functions, systems, and processes.
DowntimeData
Timeline
Inequality of Disasters and of Organizations
Build Recovery Plans for Simple, then Complex Scenarios
Build Recovery Metrics around ‘Scenario Themes’
Keep your Scenarios Plausible
“Start small, think big. Don’t worry about too many things at once. Take a handful of simple things to begin with, and then progress to more complex ones.” – Steve Jobs
Simple
Developing a robust disaster recovery capability requires developing the capability to recover from simple scenarios first …
Single failed server
Complex
Then you can build upon this base to develop the capability to recover from the more complex scenarios …
Server Room Fire
Scenario ThemesScenario themes
enable disaster
recovery planners to
model the various
levels of disaster
events … from less
severe to catastrophic.
• An individual (critical) component of a system fails.
Scenario Theme 1
• Multiple critical components (or a single super-critical component) of a system fails.
Scenario Theme 2
• An on-site disaster takes down multiple mission-critical systems.
Scenario Theme 3
• Regional disaster affects infrastructure, power grid and Internet services.
Scenario Theme 4
All these things are possible, but keep the scenario plausible in the context of your specific environment.
Cyb
er-Attack
Device theft
Disaster Recovery Priorities
Scenario Themes
Actual Recovery Metrics vs. Business Owner’s Requirements
Expected Outcomes
Exercises leverage scenarios already developed
Exercise step-by-step
Exercise Observations
Identify problems in system documentation or recovery procedures.
Identify problems with access of recovery documentation.
Identify any instances where critical recovery information resides only in the head of one individual.
Identify shortcomings in recovery technologies.
Identify potential problems with access to security credentials.
The tester must not be the author of the documentation or recovery procedure, but should be an individual who could perform recovery.
Tester ‘walks through’ the recovery procedure and system documentation for system being tested.
All participants encouraged to note problems in the Exercise Observations, though Scribe is responsible for this.
Go to http://missionresiliency.org/resources/
Here you can download the presentation, examples, and templates from this presentation
All disasters and business are not created equal.
Scenario based recovery metrics identifies gaps in meeting stakeholder’s recovery requirements, and supports projects for gap remediation.
They prevent unrealistic expectations by stakeholders, and provide a solid basis for exercises.
Scenario themes enable disaster recovery planners to model disaster events from less severe to catastrophic.
Scenario themes support building disaster recovery capability first for simple scenarios, then for increasingly complex scenarios.