
New E-Commerce Risks

Performance/Capacity

Human Error/Operations Risk

Planned/Unplanned Downtime

Outsourced Service Providers


Security Incidents

Content/Application Links to Third Parties

E-Commerce BC: New Rules/New Realities


IT and business process management are integrated; no longer solo views
Production costs increase; no separate budget for BCP
Risk identification and management take on a matrix management focus, e.g., technology, financial, trading, operations
Problems are public: IT and business problem management must be integrated; root cause analysis
Only as strong as your weakest link: good application/bad operations
Contingency plans become critical when automation isn't there: every component of the business process now must have a plan

BC Components

| | Disaster Recovery | Business Recovery | Business Resumption | Contingency Planning |
|---|---|---|---|---|
| Objective | Mission-critical applications | Mission-critical business processing (workspace) | Business process workarounds | External event |
| Focus | Site or component outage (external) | Site outage (external) | Application outage (internal) | External behavior forcing change to internal |
| Deliverable | Disaster recovery plan | Business recovery plan | Alternate processing plan | Business contingency plan |
| Sample Event(s) | Fire at the data center; critical server failure | Electrical outage in the building | Credit authorization system down | Main supplier cannot ship due to its own problem |
| Sample Solution | Recovery site in a different location | Recovery site in a different power grid | Manual procedure | 25% backup of vital products; backup supplier |

Crisis Management

Creating Business Continuity Plans


PROCESS Change Management Education Testing Group Plans and Procedures Testing Review Ongoing Process

Risk Reduction

Implement Standby Facilities Project

Create Planning Organization Recovery Strategy


Risk Analysis

Business Impact Analysis Policy Organization


Resources Scope

Business Continuity Planning Initiation

Obtaining Management Commitment

Catalysts

BIA & Risk Assessment

Awareness Programs

Fiduciary Responsibility

Security Incident Detection & Response

Detection

Prevention/Planning

Incident Response

Investigation

Evidence

Legal Action

Project Life Cycle


Business Req.
Identify technology and business continuity risks from a business perspective
BIA/risk analysis
RTO/RPO
Ensure complete cost estimate
Ensure appropriately protected end product

System Architecture
Assess risks of new technology products
Identify secure infrastructure requirements
Identify secure administrative requirements
Establish security responsibilities and service-level regulations
Identify BC/DR strategies
Establish security test strategy

System Design
Translate security architecture to detailed security infrastructure design
Develop security baselines for new technologies/products
Develop detailed security admin. design
Develop detailed BCP/DR design/strategy
Develop draft SLAs
Develop security test plan

Construct
Build/code security infrastructure environment and processes
Build/code security admin. environment, roles/profiles and processes
Build BCP/DR environment, plans and processes
Build/code security test plan, processes, scripts and test environment

Test

Implement

Post Implement

Train secure administrative, operations, business unit, staff...
Implement secure administrative roles/profiles
Implement business/continuity DR environment

Turn over secure application infrastructure to production
Identify security noncompliance issues
Identify new security exposures
Test BCP/DR plans to ensure that RTO/RPO is attainable

Identify changes to tested env.
Finalize secure admin. env. and processes
Finalize security infrastructure environment and processes
Finalize BCP/DR env., plans and processes
Assess SLA accuracy
Finalize risk acceptance with business
Ensure that info. security policies are current

E-Commerce BC Integrated Processes


E-Biz Recovery Team

Risk Management (Financial, Technology, Operations)


OSPs/Business Partners
Business Process Owner

E-Biz Project Manager
Business Manager
Risk Manager

Architecture and Standards

Rules and tools

Application and Tech Design

Business Continuity Mgr. Business continuity Business Operations Continuity strategy/design Architecture and Audit Design Security Incident identification/response IT IT Recovery management design Information Security IT Operations
Business Operations

Recovery/continuity strategy/ design

Information Security

Problem, Change, Performance, DR

Legal/Compliance
HR / Public Relations

Audit Financial and EDP

Problem Management Life Cycle


Problem Prevention and Planning
Problem Identification and Impact Assessment

Problem Mgmt Team
Business Process Owner
Customer/Partner Relationship Owner

Problem Resolution

Problem Status/ Communication

Risk Management

Business Continuity
Information Security

Root Cause Analysis

IT Technical Support

IT Applications Support
Vendors/OSPs/Third Parties

Legal/Compliance
Public Relations

Too Much Testing and Reporting Is Never Enough


Management Reporting is Critical
Location, Business Process or Department: Accounts Payable, Cash Mgmt., Order Fulfillment, Accounts Receivable, R&D, Prod. Eng.

BCP Phase: Impact Analysis, Risk Analysis, Strategy, Resources Committed, Last Tested, Change Mgmt., Last Major Review, Workable Solution, Audit

What Is Your Cost of Downtime?


Productivity: number of employees impacted × hours out × burdened hourly rate
Damaged Reputation: customers, suppliers, financial markets, banks, business partners...
Revenue: direct loss, compensatory payments, lost future revenue, billing losses, investment losses
Financial Performance: revenue recognition, cash flow, lost discounts (A/P), payment guarantees, credit rating, stock price
Other Expenses: temporary employees, equipment rental, overtime costs, extra shipping costs, travel expenses...

Know your downtime costs per hour, day, two days...

Applying High Availability to Disaster Recovery


[Figure: cost versus disaster recovery time. Recovery-time axis: 72 hrs., 48 hours, 24 hours, 12 hours, minutes. Cost is marked per tier for net, host, disk, tape and appl.]
Standard Recovery
Electronic Vaulting: database and/or file and/or object backup
Elec. Journaling
Shadowing: log/journal transfer (continuous or periodic)
Mirroring: database and/or file and/or object replication
Hot Standby or Load-Balanced: assumes mirroring or shadowing plus a complete application environment

Designing E-Commerce Applications for No Single-Point-of-Failure


Site Load Balancer Geographic Load Balancer Web Server Clusters Site Load Balancer

Application Server Clusters

Transaction Replication

Database Clusters

Database Replication

Database Clusters Standby or Active

Data Replication for Continuous Availability


Database Clusters Host-based Disk-based Database Clusters

| Replication Methods | Examples |
|---|---|
| Disk-to-Disk mirroring | EMC SRDF, Compaq DRM, IBM PPRC and XRC, HDS HARC and HRC |
| Log-based DBMS replication | Quest Shareplex, Oracle Standby Database, ENET RRDF, SQL Server 2000 |
| Server-based block or file replication | Legato Octopus, NSI Doubletake, Veritas SRVM |
| Application-based replication | Typically implemented with message-queuing middleware |

Emerging Technologies/Services
Capacity on demand/emergency back-up
Wide-area clusters: HP Continental Clusters, IBM Geographically Dispersed Parallel Sysplex
Cascading data replication
Host High Bandwidth (fiber) Disks Disks Disks Host Host

Tape Backup/Archival

Operational Site

Metropolitan/Regional Recovery Facility

Primary Recovery Site

Disaster Recovery: Market Dynamics


Load-Balanced (2+Sites)

High-Availability-Based Service
Warm Site and Mobile Recovery
Quick Ship
2000
Warm Site and Mobile Recovery

Quick Ship 2004

Resource Internally or Externally


Internal
You have an alternative facility (50 km distant)
BC vendors have insufficient capacity
BC is a recognized and respected discipline
You cannot economically benefit from syndication

External (shared)
External (dedicated)

You want to focus on core competencies

You do not have an alternate facility
You desire multisite continuous availability or hot standby support
RTOs/RPOs are very short

Getting management sign-off for dedicated capital is difficult
Experience of supporting an invocation is important
Your planning scenarios include loss of technical staff

North American Business Continuity Market


Full-Service Providers
Comdisco Recovery Services and Web Availability Services
IBM Business Continuity Recovery Services and Outsourcing Services
SunGard Recovery Services and E-Sourcing

Business Continuity and Internet Services


Professional services
Planning software
Hot/warm/cold standby
Mobile/static facilities
Mainframe/midrange/desktop
Quick ship
Peripherals
Networks
Work area
Specialized ancillary services such as check processing and data recovery

What's new: full-service Web-hosting with BC designed in, multisite infrastructures for continuous availability, Web site and network throttling for performance

Negotiating a Favorable BC Contract: Balance Risk With Economies of Scale


Cost
Always use competitive tendering, even at renewal
Keep contracts to three years
Unbundle contract costs
Understand upgrade costs

Contract Terms
Include early-termination conditions
Agree to a buy-out schedule

Miscellaneous
Understand the right of access: first come, first served or shared
Check syndication levels, risk exposures and exclusion zones
Touch the equipment. Visit the recovery center

Specify test time and additional fees


Specify occupancy/comm. fees
Declaration fees are negotiable
For unsyndicated equipment, check cost of self-acquisition
Annual cap fees
