BCP at EDS
EDS runs a tight ship when it comes to planning and executing its continuity plan. According to Al Decker, executive director of global security and privacy practice, its clients are what drive EDS' BC initiatives. "We have to prove to them that continuity is 'demonstratable' and that we are able to protect them when they outsource to us," he says. To that end, while Decker believes that DR initiatives have historically focused on events, DR isn't the crux of the matter. "In the end, anything that is going to halt your operations should be the focus," he says. "We see it as more preparing for the continuity of the business processes."
Vice President of Information Security Delivery Jim Alsop is responsible for supporting the company's 15 global service management centers and the clients who use them. "We actually do the planning for the platforms that are in those service management centers and large data centers, and also coordinate all the testing - obviously with the recovery center and with the client testing of those platforms," he explains.
"Our biggest focus and priority is clearly understanding what the critical business processes are," Alsop explains. "BC is no longer something that simply concerns the IT department - it reaches the people, systems, and processes throughout a business - which is the big picture."
However, some real-life events have impacted the company's initiatives. "Naturally, we have learned from events such as September 11 and the North American blackout," Decker says. "These events redefined the word disaster and taught us that there is no end to BCP. We also learned that it is more important now than ever before to stay on top of potential threats and vulnerabilities. It also taught us about the devastating effects of not having a proper BC plan in place. BC will continue to evolve and respond to the needs of today's constantly changing environment."
Within a team of 2,500 global EDS employees, EDS's business continuity team is positioned as far up as top-tier management. The first step in formulating EDS's continuity plan was performing a business impact analysis (BIA), according to Decker. "We needed to know what processes, applications, and systems within our business would cause the business the most significant impact or risk. From there, our approach has developed over the 40 years we've been doing this. Building a plan and preparatory measures has been a part of a CIO's job for years - it's not event-triggered. It's serious business prudence and we are taking that same responsibility, as any qualified CIO would undertake with his or her own business."
According to Don Bromley, global director of business continuity, EDS has always focused on continuity from the top-down. "Where other companies may have kept BC in the IT department and are now just recognizing that it needs to be at the board or senior management level, it's always been there for us as a core fabric component of our business model," Bromley says. "Evolving as business has changed and as our needs - and our clients' needs - have grown. It's been an ongoing, live planning process that has been able to change and adapt as our business model has changed."
Decker adds, "Now BC has risen to the CEO/board level in many organizations. It used to be something the CIO or data processing manager was expected to take care of, and it didn't get the proper time and attention it should have. With the unfortunate event of the trade center attacks and compounded by the worms and viruses, Northeast blackout, etc., it just seems like event after event is continuing to bring the issue up from a management perspective level. In essence, I've been in a boardroom more the past two years than in the past 10 years."
EDS centrally manages all of its processing through one delivery organization. "We are continually testing our own BC plans, as well as coordinate exercises for our clients around the world to make sure we are in compliance with the necessary policies and standards," Decker says. "When the team performs tests the first time, they focus on validating the plans. As further tests are performed, the focus shifts to adding more complexity or variables into each test exercise."
Additionally, the company's corporate crisis management team - representative of all parts of the organization - convenes in times of crisis. There are constant conference calls and regularly scheduled meetings, notes Bromley. "Given EDS's global presence, the team focuses on EDS sites - including data centers and work areas - monitoring status around the globe," he says. "With a broader view of each situation, the corporate crisis management team can connect different locations, matching a problem with a solution or recognizing a successful problem solution that can be shared with other sites dealing with a similar issue."
EDS's Eight Steps for Business Disruption
- Prevention costs less than recovery and it's faster. When a disaster occurs, one of the first questions asked after the smoke clears is how it could have been avoided. That's the prevention question. The issue right now for many businesses is when they want to answer that question.
- Don't put all your eggs in one basket. Spread "vital" operations across more than one location to prepare for business disruption. Backups should be taken frequently and stored outside the facility. It is important to make sure the backups are useable by randomly choosing one or more sets and restoring the data. In too many instances, data thought to be safely backed up can't be accessed when needed.
- When disaster strikes, the first thing to disappear is the plan. Companies should review their business continuity plan for adequacy and currency. Special attention should be paid to new technology systems and business processes that might not have been included in the original plan. Have these plans been tested recently? Can critical vendors help in a crisis?
- When disaster strikes, competitors notice. If a company fails to maintain market presence and reputation after a disaster, their absence can create a vacuum in the marketplace. This being the case, competitors will fill that vacuum out of necessity.
- The "Three Ps" of disaster planning: People, Property, Priorities (business), and here's three more: Practice, Practice, Practice. Physical security plans should be up-to-date, including instructions for contacting local fire, police, and rescue authorities. Some examples of questions to ask are: Do you have a written crisis management procedures manual and follow it? Has it been tested recently? Do you know when to call in local authorities and who has the authority to decide to do so? How (and how well) are visitors and vendors controlled in your facilities? Do your security procedures reflect what you really expect your employees to do? Are they up-to-date regarding your IT environment?
- Tailor business continuity investments to likely threats and key priorities. Recent events have made us think of terrorism as a major threat, but there are other more diverse threats, such as employee or non-employee workplace violence, labor actions or disputes, cyber threats (including computer viruses and denial of service attacks), hoaxes, and industrial espionage. Focusing on employee safety will pay off during a disaster, since knowledgeable employees are an important key to recovery plans.
- Recovery is like a recipe: everything has to come together at the right time and in a useable form. Companies should also consider asking critical vendors about their plans and capabilities to deal with emergencies. Relying on one or more critical vendors to keep business going can be dangerous because a crisis that affects them could spill over if they are unable to provide services. If they have no plans they should create them, looking at all elements of the supply chain. Another thing to consider is executive protection plans. Are all members of key staff aware of how and when this plan will be put into effect? Is there a well-defined succession plan in the event of an issue?
- Regional disasters have a way of mandating priorities you weren't even aware of. It is a good idea for businesses to look at the immediate area surrounding each of their facilities and perform a risk assessment. Focusing on employee safety will pay off during a disaster, since knowledgeable employees are an important key to your recovery plans.
EDS makes sure they practice their BC plan regularly to ensure operations are up and running. "We continually test," Bromley emphasizes. "Since we are a global company, we have to look at threats on a global basis. As the world goes from different degrees of yellow and orange, part of our BCP is crisis management. We stand ready at those different levels that mirror what is going on in the world - where we are at a heightened awareness and having meetings and checkpoints to make sure we are up-to-date from that perspective. Those kinds of activities we take very seriously at a corporate level and make sure that we are prepared. A sense of heightened awareness actually kills two birds with one stone: it allows you to continually update and test your plans."
Roy Condon, EDS's Chief Risk Officer, points out that regional managers are in place throughout EDS's satellite offices worldwide who are responsible for maintaining relationships with government officials and local and/or federal law enforcement officials, monitoring weather Web sites, etc. "We also subscribe to services from private intelligence firms that continually alert us to new or worsening issues across the globe that could affect our business operations or the safety of employees working or traveling in that area," Condon explains. "With this information, we put together a threat assessment on a daily basis of what we think the world situation is - and that can range from anything from situations that are happening now in the Middle East and Iraq, a typhoon in the Asia-Pacific region, to possible disruptive demonstrations in the Northeast during the presidential party conventions."
Role-playing is another method employed by EDS to counter any potential hazards. Condon describes the company's tabletop crisis management exercises. "We simulate different situations that can affect us on a worldwide basis, which could be anything from what we would do in the event of an earthquake or if a hurricane was traveling up the East Coast," he says. "We focus on how it could affect our offices as well as our employees. We could also look whether a transit strike may paralyze a city we have an office in, and if our employees can get to the workplace. Do we have to put the work somewhere else for a period of time? These tabletop exercises help us to anticipate and prepare for the unfortunate real-life incidents happening in the world.
"We try to predict - or at least try to forecast - where we think an event may happen and the potential consequences to our operations, and then discuss the contingencies we must take to prepare," Condon continues. "Senior leaders from our communications, finance, legal, real estate, sales, and HR departments meet to ensure we have plans in place to handle anything that comes our way. First, we try to avoid the situation, but if we can't, we will have contemplated the implications to EDS and have plans to mitigate them."
Employee Awareness
One area of particular focus is EDS employees. EDS knows where all 117,000-plus employees are assigned and it also maintains an up-to-the-minute database of the potentially hundreds of EDS employees who are traveling across the globe at any given time. "This information is critically important," says Condon. "In actual situations such as the 2003 Northeast blackout and the California wildfires we were able to immediately determine who among our employee population could be impacted by these events and we knew what facilities - both EDS and customer sites - were affected as well. Having an almost immediate handle on the scope of how an event affects our employees and facilities gives our Crisis Management Team the ability to informatively proceed with the next priorities that we have rehearsed in earlier tabletop exercises."
Decker adds that EDS tests its employees on an individual basis. "Employees have to complete a short online training course including a test each year as part of their educational requirements in the area of overall security, which includes BC," he notes. "The course is mandatory as annual training for each employee, which is used to keep security and BC as a top-of-mind concern. It's a form of continuous security awareness."
Condon summarizes EDS's BC philosophy. "As the definition of a disaster continues to redefine itself, so has BC. It is no longer just an IT issue. BC management ensures the survival of a company - not just during or after a disaster - but during daily operations."