Business continuity and disaster recovery
BMC SaaS Information Systems Contingency plan
Information systems are vital to BMC's mission and its business functions. It is therefore critical that the services provided by BMC are able to operate effectively without excessive interruption. BMC's Information Systems Contingency Plan (ISCP) establishes comprehensive procedures to recover BMC Helix services quickly and effectively following a service disruption.
BMC's ISCP establishes procedures and mechanisms that obviate the need to perform operational functions manually. If manual methods are the only alternative, every effort will be made to continue operational and support functions and processes manually. To maintain a normal level of efficiency, it is important to decrease real-time process engineering by documenting notification and activation, recovery, and reconstitution guidelines and procedures before a service disruption occurs. Upon a disaster declaration, appropriate personnel are apprised of current conditions and damage assessment begins. As part of the recovery phase, appropriate personnel take a course of action to recover the BMC SaaS components at a site other than the one that experienced the disruption. Moving into the reconstitution phase, actions are taken to restore system processing capabilities to normal operations.
BMC's ISCP supports the requirements for the Federal Risk and Authorization Management Program (FedRAMP). The ISCP denotes interim measures to recover services following an unprecedented emergency or system disruption. Interim measures include the relocation of production systems and services to an alternate site. Unless otherwise agreed in advance, alternate sites will always reside within the same country as the primary site.
In accordance with Federal Information Processing Standards (FIPS) 199, BMC follows guidelines on determining potential impact to organizational operations, assets, and individuals through a formula that examines three security objectives: confidentiality, integrity, and availability. The procedures in the ISCP have been developed for a moderate-impact system and are designed to recover BMC Helix services within the RTO targets specified below.
The following sections provide details about BMC’s disaster recovery services, an overview of the three phases of the ISCP, and a description of the roles and responsibilities of key personnel during contingency operations.
BMC's ISCP is designed to recover and reconstitute BMC Helix services using a three-phased approach. The approach ensures that system recovery and reconstitution efforts are performed in a methodical sequence to maximize the effectiveness of the recovery and reconstitution efforts and minimize system outage time due to errors and omissions. The three recovery phases consist of activation and notification, recovery, and reconstitution.
Activation and notification phase
Activation of the ISCP occurs after a disruption, outage, or disaster that may reasonably extend beyond the RTO established for a system. The outage event may result in severe damage to the facility that houses the system, severe damage or loss of equipment, or other damage that typically results in long-term loss. BMC is solely responsible for declaring a disaster.
Once the ISCP is activated, the customers' stakeholders are notified of a possible long-term outage, and a thorough outage assessment is performed for the systems. Information from the outage assessment is analyzed and may be used to modify recovery procedures specific to the cause of the outage.
The Recovery phase details the activities and procedures for recovery of the affected systems. Activities and procedures are written at a level such that an appropriately skilled technician can recover the system without intimate system knowledge. This phase includes notification and awareness escalation procedures for communication of recovery status to system stakeholders. Customers should ensure that their emergency contact list is up to date at all times. To update your contacts, notify your Customer Success Specialist.
The Reconstitution phase defines the actions taken to test and validate system capability and functionality at the original or new permanent location. This phase consists of two major activities: validating data and operational functionality followed by deactivation of the plan. During validation, the system is tested and validated as operational prior to returning operation to its normal state. Validation procedures include functionality or regression testing, concurrent processing, and/or data validation. The system is declared recovered and operational upon successful completion of validation testing.
Deactivation includes activities to notify users of their system operational status. This phase also addresses recovery effort documentation, activity log finalization, incorporation of lessons learned into plan updates, and readying resources for any future events.
Disaster recovery metrics
BMC's ISCP addresses actions required by BMC should a disaster impact a customer’s primary processing location. This plan is tested at least annually; test results are available upon request. If your company requires an isolated DR test, you may purchase the annual DR certification service. See Disaster recovery testing for details.
Disaster Recovery is measured based on these objectives:
- Recovery Point Objective (RPO) measures the maximum amount of data that can be lost, expressed as a period of time before the disaster occurred.
- Recovery Time Objective (RTO) measures the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources and supported mission and business processes.
During a disaster, customers will not be able to access their primary site but will regain access before the RTO target period has passed. Once this objective is met, customers will have full access to their production environment as they normally would have before the disaster occurred. Non-production environments are not guaranteed or managed during a disaster event, as they may be repurposed to support recovery efforts.
BMC offers a four-hour RTO and a 15-minute RPO for all BMC Helix services.
Disaster recovery testing
For an additional fee, BMC offers an annual DR test certification service for your production environment. The test is scheduled by BMC in advance and all customers in each service location who subscribe to this service are tested simultaneously. See BMC Helix Yearly Disaster Recovery Certification service for additional information.