Business Continuity or Recovery Plan (BCP-BRP)

Companies’ business relies more and more on their information systems, not only for traditional support or back-office activities but also for critical functions (just-in-time inventory management, online banking, etc.).
This new context implies the implementation of increasingly complex technical solutions, to secure data (for example, clients’ frameworks), but also applications whose unavailability can have a strong impact on the company’s business and image.
In this context, Prolival offers a range of services covering all BRP and BCP issues, from initial consulting to technical implementation, including risk analysis or turnkey solutions.

Definitions

The Business Continuity Plan (BCP) covers all measures taken by a company to ensure the continuity of its main business with its clients.

The Business Recovery Plan (BRP) covers measures taken by the company to ensure the recovery of its global activity, or most critical activities, in case of a major disaster on its premises.
This plan is more operational than the first one, and is a middle-ground option for securing the business, because its cost is usually lower than that of complete continuity. It does, however, mean accepting a day-long delay in the recovery, generally at a remote site hosting the backup servers or desktops.

The IT Contingency Plan covers all measures taken in order to secure IT infrastructures and services, underlying the company’s business.
Companies frequently make the mistake of reducing the BRP/BCP to the IT contingency plan, mainly because IT staff bring a large added value to these plans.

Context

Current context shows a steady increase in the use of IT in our daily life, for the company (how many projects can be carried out without a computer?) as well as for the individual (smartphones, sharp increase of online sales, etc.).

This quantitative growth also comes with more and more complex technical solutions (virtualisation, ToIP, ERP based on n-tier architectures), with numerous interactions with external partners (Cloud Computing, multiplicity of technical partners and their subcontractors, etc.).

In this context, implementing only an IT Contingency Plan that relies on setting up a few backup servers is not sufficient. It is now necessary to approach the subject from a business-oriented perspective, in order to fully understand all the issues at stake in securing Information Systems, and to build a solution suited to real needs, with costs kept in proportion to the risks.

It is worth noting that the constant renewal of technical offers, but also the evolutions of business to adapt to an ever changing market, make continuity plans rapidly obsolete, thus making a constant effort of review and upgrade of BRP/BCP necessary.

A global approach

To address the BRP/BCP issue, Prolival relies on:

  • A conceptual approach based on recognised frameworks (ITIL, ISO 27001, etc.)
  • But also the practical experiences gathered from its clients

Extensive experience in IT Production and major migration projects has helped Prolival to build expertise on this subject, by observing the most efficient solutions and by listing the pitfalls to be avoided. Prolival has strengthened this field experience through a substantial staff training effort and long-term conceptualisation work.

The resulting approach is based on the following phases:

  • Business Phase (understand the company’s business or the solution to be secured, inventory of critical needs and identification of unavailability costs)
  • Evaluation Phase (risk analysis, availability study, review of security policy, BCP audit or infrastructures audit)
  • Solutions Phase (proposals of security solutions, based on tried and tested technologies)
  • Implementation Phase (implementation of security solutions, writing of procedures for failover or backtracking)
  • Improvement Phase (unit tests of security solutions, complete BRP tests, identification of improvement areas)

This approach is useful to differentiate three different areas of service in our offer:

  • Consulting on conception
  • Assistance in the technical implementation
  • Security solutions through our PODS offer

These areas include offers that connect together and can be linked to build a complete “from A to Z” solution.

Conception

To help a company implement or upgrade its BCP/BRP, Prolival provides several service offers:

  • Assistance in the conception of a Continuity Plan for all or part of the business (including business study, evaluation of current settings and a review of possible solutions)
  • Review of Continuity Plan and proposals for improvement areas (maturity audit)
  • Risk analysis (based on the MEHARI (Clusif) or EBIOS (ANSSI) methods)
  • Study of security policy and proposals for risk mitigation
  • Review of possible security solutions along two lines:
    • Rebuilding of architecture: migration towards a VDI architecture for example
    • Redundancy of current architecture: data replication, systems clustering, etc.
  • Writing of procedures for backup failover and backtracking on nominal infrastructure (often forgotten in contingency plans)

Implementation

Prolival, whose core business is to implement and operate IT solutions, is well equipped to help any company implement technical solutions for information systems security:

  • Security of data:
    • Hardware replications (IBM, DELL EqualLogic arrays)
    • Software replications (DoubleTake, QuickEDD, Vision…)
    • Backup solutions (Synerway, BackupExec, BRMS…)
  • High-Availability infrastructures:
    • Desktop virtualisation with redundant infrastructure (VDI Xen and VMware)
    • Servers virtualisation and clustering (VMware)
    • IBM PowerHA
    • Load-balancing (F5…)
    • Solutions for network links redundancy (Cisco…)

Hosting or “turnkey” security solutions

Prolival, thanks to its hosting and PODS offers, can provide a large range of offers, to answer clients’ needs regarding information systems’ security:

  • Hosting (secure site for backup servers) or backup work desks (with virtualised desktops and telephony)
  • PODS/BR: backup resources, activated if need arises (Wintel or Power servers, with associated network distribution), paired or not with software data replication

A focus on Prolival’s own BCP

Prolival’s outsourcing and hosting activities have required the implementation of an internal Business Continuity Plan, to guarantee our clients the continuity of the services provided to them.

The distinctive feature of this Continuity Plan is that it must both secure Prolival’s own infrastructures and interface with our clients’ specific BCPs. To achieve this, we have created an operational process to complement the relevant ITIL processes. This process is called INGRID and details all the steps required to make sure the right action is taken at the right time, in conformity with our clients’ procedures.

The 6 phases of this process are the following:

  • Identification (and classification of event)
  • Notification (allows a critical path in case of identified disaster)
  • Governance (by a manager, capable of initiating a crisis unit)
  • Resilience (in case of high-availability)
  • Instruction (if possible and beneficial)
  • Decision (to failover)

Bacardi Martini

Study for a cold IT Recovery Plan for all important applications of the Group
Delivery and implementation of all infrastructures necessary to this Plan

Banque Espirito Santo et de la Vénétie

Implementation of a real-time IT Recovery Plan for banking ERP (SAB)

Cofidis

Consulting on the Business Continuity Plan

Crédit Commercial du Sud-Ouest

Implementation of a real-time IT Recovery Plan for banking ERP (SAB) and Windows servers

GIE Mutua Services

Implementation of an IT Recovery Plan for the complete technical infrastructure of virtual servers and VDI