April 16-18, 2012, Talking Stick Resort, Scottsdale, Arizona

Disaster recovery strategic planning: How achievable will it be?

Prudence Marasigan, Ernst & Young Advisory Services, Senior Manager, prudence.marasigan@ey.com
Amr Ahmed, Ernst & Young Advisory Services, Executive Director, amr.ahmed@ey.com

Resiliency touch points

BCM program alignment and implementation

[Diagram: resiliency objective, spanning "continuity driven" to "IT DR driven"]

Assess phase (Risk-based prioritization)
- Risk-based prioritization
- Process/apps identification
- Impact analysis
- Dependency analysis
- Risk assessment (gap analysis)
- Continuity strategy development
- Current technical capabilities

Mitigation phase (Progress against plan)
- Technical solution acquisition and implementation
- Strategy implementation
- Incident response management
- Continuity and disaster recovery plans
- Plans exercise and maintenance

Disaster recovery strategy approach

The outcomes of the strategy may have more than one solution to fulfill an organization's recovery and continuity in the face of a business disruption.

1. What is to be recovered: People, business processes, application critical paths and technical services
2. How will it be recovered: Technology and technical solution options
3. Where will it be recovered: Technologies facilities (e.g., data center, data rooms), workplace and/or service provider(s)
4. When will it be planned: Execute short-term and long-term roadmap
5. How much it will cost: High-level budget requirements

Disaster recovery strategy requisites

[Diagram: requisites surrounding the disaster recovery strategy]
- Guiding principles
- Total cost of ownership
- Strategy and impact
- Infrastructure strategy
- Technical dependency
- Enterprise risk
- Current strategy gaps
- Sourcing alternatives: In-source, Co-location, Outsourcing, Managed hosting, Cloud services
- High-level investment
- Roadmap and timeline
- Constraints
- People constraints
- Technology constraints

Disaster recovery strategy requisites

Strategy and impact: Understand the business direction, criticality and prioritization, and the impact that would arise if a threat became an incident and caused a business disruption.

Infrastructure strategy: Align disaster recovery strategy options with the current infrastructure technology strategy (i.e., use the organization's existing cloud strategy as a disaster recovery option).

Technical dependency: Identify all dependencies relevant to the critical business processes/applications, including the underlying infrastructure technology, operational resources and suppliers, and outsource partners.

Enterprise risk: Determine the criteria for the acceptable level of risk and the statutory, regulatory and contractual duties.

Disaster recovery strategy requisites

Guiding principles: Guiding principles that provide a clear link to business and technical priorities and define leading practices for technology architecture and implementation.

Total cost of ownership: Current environment cost transparency.

Constraints, People constraints, Technology constraints: Issues and obstacles that will affect the future strategy development and disaster recovery (DR) architecture. For example: the business's or the country's political establishment and/or regulation requires that the application and/or data be served from a specific location (e.g., state/province, country, region) and/or by a specific sourcing service type (e.g., in-house, co-location, managed service).

Disaster recovery sourcing options

Understand your alternative service delivery models:

[Figure: matrix of layers/levels of hosting against service delivery models, each cell marked as client responsibility or service provider responsibility]

Service delivery models: In-house, Co-location, Managed hosting, IaaS/PaaS, SaaS Apps, Complete outsourcing

Layers/levels of hosting:
- Process layer
- Application layer
- Application infrastructure layer (tools layer)
- Operating system layer
- Device layer
- Networking layer
- Data center layer

Disaster recovery levels

Understand your disaster recovery solutions related to business impact results

Recovery time objective (RTO) solutions example

Tolerance to service loss (time measured from Time 0 of the outage):
  Level      Tolerance             Solution
  Level 1    <= 4 hours            Clustering and geodiverse
  Level 2    >4-10 hours           Like or like and virtual servers
  Level 3    >10 hours-3 days      Re-purpose dev/testing and vendor drop ship
  Level 4    >3 days-2 weeks       Vendor drop ship

  BIA categories        Low (hours)    High (hours)
  Vital service         0              24
  Essential service     >24            72
  Important service     >72            120
  Supportive service    >120           720

Disaster recovery levels

Understand your disaster recovery solutions related to business impact results

Recovery point objective (RPO) solutions example

Tolerance to data loss (time measured from the last data backup and/or replication):
  Level      Tolerance             Solution
  Level 1    <= 1 hour             SYNC/ASYNC replication and VTL backup
  Level 2    >1 hour-12 hours      ASYNC replication and VTL backup
  Level 3    >12 hours-24 hours    VTL backup
  Level 4    >24 hours-72 hours    VTL or tape backups

  BIA categories        Low (hours)    High (hours)
  Vital service         0              24
  Essential service     >24            72
  Important service     >72            120
  Supportive service    >120           720

Disaster recovery total cost of ownership (TCO)

- Measure your current IT DR spending so you can effectively improve, manage and control your future DR strategy costs.
- Build and maintain an accurate inventory of hardware, software and appropriate licenses.
- Develop a TCO model that includes a combination of the following OPEX and CAPEX (recurring and non-recurring) spending:
  o Labor: plan, build, test and run
  o Facilities, including in-source or external data centers, data rooms and workspace
  o Hardware, data network and other items for hosting hardware and applications

[Chart legend: Others, Data network, Facility, Hardware, Labor]

Disaster recovery total cost of ownership (TCO)

Comparative cost summary (in thousands) example:

Disaster recovery strategy roadmap

Develop the strategy implementation roadmap based on your current maturity to address:

1. Current facilities to accommodate DR requirements (e.g., space, power, Tier III) and/or address different sourcing options.
2. Infrastructure foundation services recovery capabilities such as networks, AD, DNS, authentication, etc.
3. Service applications and collaboration tools such as email, unified communications, etc.
4. Application recovery based on criticality, priority, interdependencies, etc.

[Diagram: dependencies and sequence of applications recovery, numbered 1 to 4. Labels: Incident response plan; application; Messaging; Unified comm.; Team spaces; Desktop tools; Mobile services; Network; Active directory; DNS; Service applications and collaboration tools; Infrastructure foundation services; Core platform services (Systems/OS, storage); Facility (e.g., power, space, hosting service)]

Thank You!

Ernst & Young
Assurance, Tax, Transactions, Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

© 2012 EYGM Limited. All Rights Reserved.

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

The opinions of third parties set out in this publication are not necessarily the opinions of the global Ernst & Young organization or its member firms. Moreover, they should be viewed in the context of the time they were expressed.