- Number of slides: 28
Gaming the System: A Business Continuity Tabletop Exercise Simulation. Christine Brisson, Ph.D., School of Arts & Sciences, University of Pennsylvania. Educause Security Conference, May 16, 2012. Copyright Christine Brisson, 2012. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Business Continuity Planning • Planning for extended loss of services or resources that the university depends on (also called “Mission Continuity Planning”) • Related to DR planning but not the same: • DR: What is the procedure to restore services if our email server dies? • BC: How can we plan to function at the university if we lose email services for several days or longer? What actions can we take now to help ensure continuity? Cautionary tale: e.g., Hurricane Katrina. But there are smaller wins along the way: planning for personnel outages, and then someone is out for an extended period.
Business Continuity Planning at the School of Arts & Sciences • Enrollment: 6500 Undergrad, 1500 Grad • 40 Academic departments in 23 buildings • A centralized BC planning team that works with individual departments to develop in-depth analysis of needs and detailed BC plans • Tackled toughest first: science departments in buildings with complex infrastructure needs • “BETH 3”: Buildings, Equipment, Technology, Human Resources, 3rd Party providers. • Once we’d put together a plan: now what? How do we know if it would be useful?
Tabletop Exercise: who attends? • People with a role in the plan (typically a Department administrator, a building administrator, IT support, other facilities staff, at least one faculty member, sometimes the chair.) • Other stakeholders (e.g., faculty) • One or two facilitators, and one or two note takers • In our case here at Educause, we will have more “actors” to give a chance for more people to participate
About the Chemistry Department Spruce St. Labs 10th Ave. Cohen Labs Franklin • 40 faculty, most of whom have large labs of between six and 12 grad students and postdocs • Four buildings, attached, over 250,000 square feet • Plan has several parts: Building Outage, Technology Outage, Equipment Outage, and NMR Facility Outage • Central Facilities provides most services • “Incident Response Team”
What, why, and how • A tabletop exercise (aka TTX) is a simulation of an adverse situation in an informal environment. • There are two primary benefits to doing a tabletop: • It gives people the chance to practice using the plan to respond to an emergency. • It’s one of the best ways to evaluate the plan: what works, what doesn’t, and what can be changed and improved.
What, why, and how, cont’d. • We are particularly interested in: • whether the channels of communication are working as they should, • whether there is the right amount of specificity in the plan (should it be more specific or more general?), and • whether anything important has been left out.
What, why, and how cont’d: How will this work? • We will set the scene, and hand out cards with “triggers” on them. • Sometimes one or more individuals will be asked to step outside of the room to decide/consult on what to do. • Information you can get in a crisis is not always as complete as you might like. • Use the laptop if you decide to send email to the whole group. • Ground rules are on the table. • The last 20 minutes (or so) are for debriefing
Wednesday, May 4: 2nd day of final exams. It has been warm and very rainy for the last few days.
Wednesday, May 4, 3:00 am
Wednesday, May 4, 5:30 am
Wednesday, May 4, 10:00 am
Wednesday, May 4, 1:00 pm
Wednesday, May 4, 3:00 pm
Wednesday, May 4, 4:00 pm
Wednesday, May 4, 8:00 pm
Thursday, May 5, 11:00 am
Thursday, May 5, 3:00 pm
Thursday, May 5, 6:00 pm
Friday, May 6, 10:00 am
Friday, May 6, 11:00 am
Friday, May 6, 2:00 pm
Saturday, May 7, 3:00 pm
Monday, May 9, 11:00 am
Tuesday, May 10, 11:00 pm
Wednesday, May 11? Some other date?
Discussion • Questions? Comments? • Differences between our “simulation of a simulation” and the way we do a TTX at Penn • Fewer participants • Communication issues: email, phone calls, “thinking out loud” • Reserve a second room • Buy lunch!
Final Points • Planning: • Allocate several weeks • Enlist ‘informants’ • Make it believable • Buy them lunch! • People who need to use the plan can give feedback about how to improve it • Using a plan in a TTX helps people see how the plan could be useful to them (not just paperwork)