Checklist for a Successful Disaster Recovery/Business Continuity Plan
Category: Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
Author: Franklin Fletcher
Date Added: March 23rd, 2007
Introduction
Today, businesses exist in a highly competitive world and rely heavily on technology to provide products and essential services to their customers or, in the case of governments, their citizens. The threat of business interruption because of disaster, human error, cyber attack, terrorism, software errors, or hardware failures contributes to the need for a comprehensive Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) to prevent or better manage an interruption. Organizations must be prepared to respond to interruptions in business because customers are less forgiving of unavailability of services and can easily move to a competitor to obtain what they need.
Recent events such as the first World Trade Center attack indicated that a large percentage of organizations that did not have a DRP/BCP in place were out of business within one year. Contingency Planning and Management Magazine indicated that 40% of companies that shut down for 3 days failed within 36 months. The cost of downtime is often difficult to calculate; it can run from thousands to millions of dollars per hour depending on the business and its reliance on technology. Costs can, of course, cascade, as organizations need to consider not only lost revenue but also related late charges, regulatory noncompliance penalties, loss of customer goodwill, and the cost of public relations to repair any damaged reputations. Over the years, organizations developed close relationships with their customers by providing 24/7 availability to services, whether it is by phone, chat room, e-mail or a web site. Organizations maintain close relationships by providing secure and reliable services. Conversely, when those electronic connections break, relationships are severed.
Essential Elements of a DRP/BCP
The following checklist contains some of the necessary elements that you need to include in your DRP/BCP document. A DRP/BCP requires continuous maintenance. The worst thing that can happen to your plan in a disaster is that the plan is accessed and phone numbers and procedures are not correct. Everyone immediately loses confidence in the plan. The plan also must be distributed and available to multiple participants in alternate locations to ensure that it is not impacted by the outage:
- Management support—The essential element for the success of any DRP/BCP is support from senior management. The development and maintenance of the plans requires ongoing resources and financial commitments to keep it relevant.
- Staffing—Resources from both centralized (that is, IT department) and individual business units ensure the viability of the plans.
- Risk assessment—Identify and analyze potential vulnerabilities and threats of the geographic locations, security posture, hardware, software, and network design.
- Business Impact Analysis (BIA)—The BIA illustrates the organization's vital functions, impact of the outage, potential loss of revenue, essential staff, and regulatory and contractual obligations, and what is needed to allow the organization to support its critical business functions. The BIA is the cornerstone of the DRP/BCP, providing information on the interdependency of systems and business functions that can help to prioritize business functions and allow the business units and the organization as a whole to develop its restoration procedure.
- Prevention—The DRP/BCP should include both deterrent and preventative controls which attempt to cover as many identifiable risks as possible. The objective is for the DRP/BCP to cover the residual risks. Some of the controls that should be reviewed are physical security, personnel procedures, infrastructure (generators, UPS, fire suppression), and software controls such as anti-virus, firewalls, intrusion detection, and backup and retention processes. Change control procedures and how they will be enforced during an event should also be listed.
- Activation parameters—The DRP/BCP must clearly state the parameters for when it needs to be activated. The individuals with the authority to declare a disaster and their designees must be clearly defined in the plan.
- Incident command structure—The command structure must be clearly defined so that all people know the chain of command. No ambiguity can exist about who is in charge if a business interruption occurs. The roles and responsibilities of the members of the incident command structure need to be stated.
- Communication plan—Who is to be informed of the outage or disaster, and what will be the method and frequency of status updates during the event? Keeping customers, employees, and all stakeholders apprised of the recovery efforts is critical during a business interruption. Alternative communication methods must be considered and implemented based on the type of outage.
- Data—How is the data backup replicated and stored? If the data is at an offsite facility, what are the pickup times, which help determine the recovery time if a disaster occurs?
- Staff call tree—A current, verified call tree with multiple contact numbers (office, home, cell, personal e-mail, close friends, or relatives) for all staff members. This is often a weak link during an event because normal communication channels might be affected during an outage.
- Key vendors—A current list of all vendors that might be required to provide support during and after the event. Consider all vendors that can purchase office supplies, PCs, and furniture depending on the event. Outline emergency purchasing procedures.
- Contract information—Include relevant contract information in the BCP/DRP, such as agreements with vendors for emergency services, hot site contractual information, alternate facilities, and any reciprocal agreements.
- Other support contact information—Compile phone numbers for local law enforcement, facilities management, public information, human resources, and other key corporate staff that can provide support staff in the event of a disruption to business.
- Human resource policy—Information on HR policies during an emergency should be made available prior to the emergency. Staff might need to work outside of normal hours, take on different duties, require family assistance, and travel out of town if a business interruption occurs. Easy access to HR policy is imperative.
- Identification of alternate locations—In the plans, list alternate locations designated for systems and staff. If the plan requires travel, list procedures and explicit travel directions. Staff should know in advance where they should report to if their primary work location is not available.
- System/application prioritization—Restoration priorities must allow the teams to focus their energies on the recovery of essential functions. Results of the BIA allow upper management to arbitrate and determine which systems should be restored first.
- Detailed system restoration procedures—For each application/system that needs to be restored, detailed instructions for restoration must be included. The restoration procedures need to be exercised in advance and written in such a way that if the primary resources are not available, a person with basic knowledge of the platform can restore the system based on the written and exercised procedures.
- Test results—In the plan, document results from recent DRP/BCP exercises listing knowledge learned.
- Plan maintenance and distribution—How is the plan distributed and to whom? Detail how the plan must be maintained with associated version controls.
- Returning to normal—Procedures to restore business processes and systems to their original location.
The previous checklist can allow the organization to have the necessary information available to ensure that their DRP/BCP is available and effective if a business interruption occurs. The ability to effectively implement your DRP/BCP relies not only on technology but also on thought-out processes and the staff that carries out the necessary tasks. Some of the seemingly trivial items can often cause recovery times to be extended. A simple MapQuest map with directions to an alternate work location can help reduce confusion when stress levels are already high.
A detailed DRP/BCP can help an organization return to business as efficiently as possible. As in any emergency, every scenario cannot be thought out, but a comprehensive DRP/BCP can help to take a lot of the guesswork out of the process. The primary objective of the DRP/BCP is to maintain continuity of business so that the organization can continue to service its customers.
Summary
Due to the fallout from downtime, organizations must ensure that their DRP/BCP is well developed, exercised, and maintained to ensure reliable services if a business interruption occurs. The plan must look at potential risks and vulnerabilities and provide the steps to restore essential business functions to service customers.

