Webinar – IT Best Practices For Community Colleges Part 2  Business Continuity


August 20, 2019, by Stanley Isaacs


Thank you, and welcome today to the @ONE seminar on IT Best Practices for Community Colleges, Part Two. This series is sponsored by CISOA; we want to thank them for offering this conference today. My name is Donald Hester. Today we're going to be talking about business continuity. We have other sessions following this as well.

So today's topic is business continuity, and the first thing we need to ask ourselves is: what is IT contingency planning, and what does it mean? Basically it is planning ahead of time to determine how we're going to react if something bad happens, because something bad inevitably will happen. I remember recently there was a sandstorm, and with sand getting in everywhere we had problems with our servers because of it. The last thing that you want to do is try to figure out what you're going to do after something bad happens. You want to have a plan in place ahead of time so that when it happens you know what to do. Most of our colleges do not tolerate a whole lot of downtime, especially at the end of the semester.

One other interesting note, and as an auditor I know about this: anyone who receives federal funds, which most colleges do at some level, is required by the federal government to have a contingency plan. Unfortunately they do not really check up to make sure that you do have one. Sometimes we say business contingency plan and sometimes we say business continuity planning. [on the board] What this entails is the reestablishment of critical business operations in the event of a disaster so that operations can continue. [on the board] (reading) For example, the finance function is one thing that we need to make sure continues to function in any event. So what happens if some type of disaster renders the business or software unusable? What do we do? What a lot of people will do in this situation is overthink it.
They will try to think of every possible situation that could go wrong, and that is not what you want to do. Do not worry about how you lost the server; worry more about, if the server is lost, what do we do to get it back. So you want to think about what you're going to do and not necessarily what the particular cause of losing the server might be.

Coming up with a strategy is a big thing. [on the board] (reading) Some organizations might incorporate all of these plans together and some of them might divide them out into separate plans. Some will document them, and I highly recommend you do document them. If you have your contact information in the plan for vendors and their phone numbers and all that kind of stuff, that really helps. [on the board] (reading) You need to have the plan someplace where it is accessible to you even if the server goes down. If you only have it on your computer, then in the event that the server or computer goes down you cannot access it, so it is best to have this printed out in paper form. You can also have it saved on a separate floppy drive. But you need to have it easily accessible at all times.

An incident response plan normally is implemented before anything else. This focuses on the triage of the problem: focusing on what the problem is and where I need to go from here to solve it. The continuity of operations plan deals more with the executive end. The business recovery plan deals more with, if you have to go off site for a while, how do I bring it back on site and get things running back the way they are supposed to. [on the board] This slide deals with the interrelationship of emergency preparedness plans.
The first thing we want to do is deal with our incident response plan, and then we move to the IT contingency plan, then the disaster recovery plan, and next is the business recovery plan. Next is the crisis communications plan; this deals with who needs to be called and notified of the problems, and possibly how you would handle the press and any other issues that may be involved depending on your particular disaster. The next one is the occupant emergency plan: in situations such as a fire, how we protect people and get them out of the college as quickly as we can.

We need to follow the system development life cycle, and this is something we should probably be following for everything that we do in IT. The first thing we need to do is determine what we need: what is important for us in our particular atmosphere, and how we need to make that happen. [on the board] (reading) We need to make sure that we think about maintenance in this process.

The next slide is the seven-step contingency process. I'm going to go through this, and you can modify it as necessary for your particular situation. The first step is to develop the contingency planning policy statement. Identify what you currently have in place and your recovery strategies. This includes actually writing the plan down, testing it and doing some exercises to test it, and keeping the plan up to date. The first thing we need to do is come up with a formal department or agency policy that provides the authority and guidance necessary to develop an effective contingency plan. [on the board] When you recover things you need to also make sure that you're protecting them while you're recovering them so that in the future it doesn't happen again. First you need to identify your statutory requirements, and then you need to identify organizational requirements. For example, if you have online classes those are going to be a high priority.
For example, if you have a high number of online classes and you need everyone to communicate via e-mail as a main source, then a very important aspect of your organization is to have e-mail up and running at all times. Also look at the time frame when you're dealing with this. For example, in educational institutions downtime at the beginning and end of semesters is simply not tolerated. Next you need to look at management support and what you need for your particular institution. Next you need to create a policy regarding this contingency plan. And finally you need to publish that policy so that everyone is aware of it and knows where to find it and access it.

The business impact analysis is: if the attack succeeds, then what do we do? The contingency plan team conducts the business impact analysis in the following stages. [on the board] Your IT staff needs to continually be involved in this process as well. Sometimes this is just sitting around a table and asking them questions like, what are some threats that we might be facing? In California we know that earthquakes are definitely a good possibility. We can also look up some statistics as far as how often earthquakes greater than a 7.0 happen. This way we can plan accordingly for what situation may or may not occur at what frequency.

The business unit analysis involves looking at the different units, like the math area of campus or the computer labs, and what do they need and what could an earthquake do to their operations. For example, if the building falls down and you cannot gain access, what are you going to do? This actually happened recently due to a gas leak, so they were not allowed into the building. There was no damage; the system was on and available, but nobody could use it because they could not get into the building. So you also have to think about those types of things that could happen. Next you may come up with subordinate plans.
You can look at each area and come up with separate plans for each, or you can put them all into one plan. This whole process helps you to identify and prioritize critical IT systems so that you are not focusing on something that is not really important to the plan as a whole, or to the college to continue operations. [on the board] We need to identify critical IT resources and dependencies. Do not forget the dependencies. Next we need to identify a maximum allowable downtime. This is very important and something that you really need to know. You need to know what the institution expects and what their maximum allowable downtime is, so that you have the correct resources and software available to them when they need it to be.

[on the board] There are three types of threats that we can think about: natural, human, and environmental. On the board are examples of each type of threat. [on the board] (reading) The likelihood of each one of these types of threats is different, and we need to think about that in our planning process. Equipment failure can be anything from an air conditioner not working and melting your servers' processors, to a…

We need to identify preventive controls. These are measures taken to reduce the effects of system disruptions, which can increase system availability and reduce contingency life cycle costs. [on the board] These are such things as redundancy, backups, the environmental side (air conditioning and fire suppression), off-site storage, a generator, and earthquake racks: are your racks earthquake resistant? These are all just examples of preventive controls; you might have others in your particular situation. Next we need to develop recovery strategies. A thorough recovery strategy is to ensure that the system may be recovered quickly and effectively following a disruption.
This is anything from on-site recovery and recovery from backup to hardware replacement. You need to make sure you have vendor agreements in place regarding your hardware replacement and the vendors' policies. You also need to make sure you have an alternate site and reciprocal agreements with other institutions so they can help you out in the case of a disaster. You could have anything from a cold site to a warm site to a hot site. You may have something that we call a mobile site; I know of an institution that has everything set up in an RV for the case of an emergency. In addition to that you may have mirrored sites. So if you have two campuses, you could take one campus and mirror everything on the other campus.

>>Michael: We have a question in the chat box. How could we have enough storage and equipment to support a second school?

>>MODERATOR: What you can do is buy an additional server if you get together with other campuses or institutions. However, this requires that you're using the same software as those other people. This may or may not be feasible for your organization. I do know of a couple of schools that have done this and it works well for them. It is actually five schools that got together, and between all five of them they have one extra unit, so it wasn't a huge expense for each school.

>>Michael: We have another question in the chat box regarding whether anybody out there uses rackspace.com or other cloud providers. Donald is asking that you use the participant window and raise your hand if you are using this.

>>MODERATOR: This is definitely a viable method. I do not see that anyone is using it in this conference, but you can go to SunGard, I think is the name of the company, that uses Rackspace, and they have all different levels of cold, warm, and hot sites available, and you can figure out what the best way for you to go is. Thank you, I see that there is a link posted in the chat window to check this out.
Please look at that. This is why it is really important to document all your contact phone numbers for your vendors and everyone that you might need to get a hold of in the case of something going down. It is important that you can reach everybody and have this information quickly at your fingertips to contact the people that you need to contact. Most incidents that are going to happen are going to be small incidents; you need to know how to handle these as well. Everybody involved in the contingency plan needs to be informed so that when something does happen we're all on the same page and everybody is moving in the same direction to get things resolved.

One very important part is to plan testing, training and exercises to test the plan. It does not do any good to have a plan in a book that sits on the shelf and is never used. Everyone needs to be aware of what to do when something happens and be comfortable doing it. So training exercises are very important so that people are comfortable knowing what to do when something happens. [on the board] (reading) This also helps us to find weaknesses in our plan that we can change so that it is better and things run smoother when something does happen. A training exercise can be as simple as sitting around a table and saying, what would you do if…, and then talking through what you would actually do and why or why not that may be the best thing to do, or whether we should change it. In this way you can find out whether your staff has the proper training to do a recovery when necessary. You'll find that if you do this a couple of times and the staff are comfortable with it, then when something does happen and they have to do a recovery it goes very smoothly. Train, train, train; this is so important to an effective plan.

Plan maintenance, again, as I said, you need to update this regularly to remain current with system enhancements.
The plan must be maintained in a ready state that accurately reflects system requirements, procedures, the organizational structure, and policies. Always keep a record of all changes that you make. And always update this as needed.

Finally, why NIST? I want to make sure that I'm giving you the best guidance possible; that is why I recommend the National Institute of Standards and Technology guidelines. They have hundreds of guidelines for everything. The California information security strategic plan published in October 2009 states that they are adopting the National Institute of Standards and Technology guidelines for the certification and accreditation of information systems. I am now going to try to send you a link to the NIST Web site so that you can see all the things that they are currently doing. They have everything on this web site, probably more than you even need, but there are key ones in there regarding contingency plans that would be very helpful to you. You can just download one of the templates that they have for contingency plans and fill in your information, so you do not even have to write one of your own. These are generic enough that they will fit for you, and you can customize them to fit your organization.

Here are some more resources [on the board] for you to use in creating your contingency plan. There's also another Web site posted in the chat window by Michael; please check this out as well. Both ISO 17799 and COBIT are great, but neither is as exhaustive as NIST SP 800-34. The book entitled A Guide to Disaster Recovery is a great book, and I think that your institution can probably get it free of charge. This is my contact information. You can follow me on Facebook and I am on LinkedIn, so you can reach me either of those ways.

>>Michael: If anyone has any questions, please feel free to post them in the chat window now. While we are waiting for questions I'm going to go ahead and put up in the chat window a link to our evaluation survey.
We really value your input, so please take three or four minutes to take our survey regarding today's seminar so that we can bring you some more great information on IT management and topics such as this. The question from the chat window…

>>MODERATOR: Virtual machines: what they actually do is make it very easy for you to recover things. You do not have to worry about what hardware you're putting it on. In the past this was terrible and very hard to do. Once virtual machines came aboard you can actually take a snapshot of what you have and go to another VM and bring it up right away without users even being aware of the fact that you did it. Is it critical? I can say that it makes it so much easier. It may not be critical, but it really makes things a lot easier if you do have a virtual machine. With virtualization your recovery time is a lot less. Any other questions out there? I know this is a lot to take in in one hour. You can always contact me afterwards at any time. We do have another session coming up as well in a couple of weeks. You can always check for upcoming events at the @ONE Web site. [on the board]

>>Michael: Again, I just ask that you please fill out the evaluation survey. I have posted in the chat window the Web site to get to the recently archived seminars that we have. In about 48 hours you will be able to have access to the archive of this presentation. Again, I would like to thank everyone for coming out today. And thank you for your participation. We hope to see you at the next seminar in our series, so please check out our web site so you can see exactly when the next seminar will be. Have a good day and take care of yourselves, and we will see you soon.