Security Series: Disaster Recovery Objectives and Milestones (Part 4 of 6)
- Chapter 1: Disaster Recovery Tactics that Ensure Business Continuity
- Chapter 2: Disaster Recovery Target
- Chapter 3: Formulation of the Business Continuity Plan
- Chapter 4: Disaster Recovery Objectives and Milestones
- Chapter 5: Building Preparation
- Chapter 6: Final countdown tips for Disaster Recovery and Business Continuity
To enable the Business Continuity Plan (BCP) Project Team to focus their efforts on the key issues, and to ensure that the work undertaken is applicable to the necessities of the project, the project's objectives and deliverables must be clearly defined. The following list of objectives and deliverables has been approved by the Board of Directors.
Realistic and attainable project milestones have been established to enable progress to be measured against an approved schedule. The following Project Milestones have been agreed.
The BCP Project Manager issues a monthly report to the heads of business. The BCP Project Team has prepared the following list of documents and information which are required by the BCP Process. (N.B. Where this includes documents containing sensitive information, care must be taken to ensure that confidentiality is not compromised.) Documents need to be encrypted and the decryption information needs to be documented and kept separate and offsite.
A key part of the BCP Process is the assessment of the potential risks to the business which could be caused through disasters or emergency situations. It is necessary to consider all the possible incidents and the impact each may have on the organization's ability to continue to deliver its normal business services. This section of the BCP will examine the prospect of serious situations disrupting the business operations and the potential impact of such events.
Each potential environmental disaster or emergency situation has been examined by the BCP Project Team. The focus here is on the level of business disruption which could arise from each type of disaster. It seems necessary for the BCP Project Team to review the criticality of all the organization's business processes and to determine the impact and consequences of loss of service or a reduction in normal service levels.
Suggested Wording for an Objective
The project's principle objective could be stated as: "The development and testing of a well structured and coherent plan which will enable the organization to recover as quickly and effectively as possible from an unforeseen disaster or emergency which interrupts normal business operations."
The organization could furthermore have a series of sub-objectives which could cover issues such as specialized research and development activities, the need to ensure that all employees fully understand their duties in implementing such a plan, the need to ensure that information security policies are adhered to within all planned activities or the need to ensure that the proposed contingency arrangements are cost effective.
It is important to establish realistic and achievable project milestones in order to monitor progress against an agreed schedule. It is suggested that the following Project Milestones be considered, and dates established for these activities:
- Project Approval
- Project Initiation
- Completion of Project Initiation Activities phase
- Commencement of Business Risk and Impact Analysis Plan
- Completion of Business Risk and Impact Analysis Plan
- Commencement of 'Preparations for Possible Emergency' Plan
- Completion of 'Preparations for Possible Emergency' Plan
- Commencement of 'Dealing with the Initial Emergency Situation' Plan
- Completion of 'Dealing with the Initial Emergency Situation' Plan
- Completion of Plan for Testing the BCP Process
- Completion of Plan for Training the Staff in Business Recovery Process
- Approval of the BCP
- Commencement of BCP Testing Activities
- Completion of BCP Testing Activities
- Commencement of BCP Training Activities
- Completion of BCP Training Activities
Priority to Establish IT Recovery Procedures
- A summary of the existing IT back-up and recovery procedures should be documented within the BCP (Business Continuity Plan). This information should cover both hardware and software systems in addition to data back-up and recovery processes. In the case of Thumb management emergency contact details and other pertinent information needs to be documented.
- Information should also be included on any off-site data storage arrangements.
Proposed information to be documented in BCP is as follows:
"A daily back-up of all data is taken to tape and stored in the safe. On a weekly basis, one tape containing a copy of all the data is stored at an off-site location. The system administrator reviews the system logs daily to ensure that the back-up process has executed successfully. Periodically the recovery process is tested to ensure that the recovery procedures are operational and valid.
A copy of all the original system programs is stored on site in the IT library and a further copy is stored off-site. A back-up copy of the system programs is made on a monthly basis to ensure that all relevant software patches would be included in the recovery processes. This monthly back-up copy is also periodically tested to ensure that the recovery process is valid.
The organization has an IT network and hardware maintenance agreement with the service provider who is required to respond to call-out requests within four hours. The agreement includes escalation procedures when the fault has not been fixed within 6 hours."
Business Risk Assessment
It is necessary for the BCP Project Team to assess the criticality of all the organization's business processes and to determine the impact and consequences of loss of service or a reduction in normal customer service levels.
The Business Continuity Plan will contain information on the threats to normal service levels and the impact on profitability and continued viability. This section lists the key business areas and assesses the risks that could affect each of the business processes.
A suggested wording for a Board or Governing Body statement is as follows:
"The Board or Governing Body has accepted a top priority project to formalize the organization's Disaster Recovery process. It recognizes that there are significant risks to its essential business processes through potential and unexpected disruptive events. The increasing development in technologically based processes and the related high level of reliance upon such processes in order to conduct our business makes it prudent to initiate a Disaster Recovery project with immediate effect."
Off Site Stored Materials
Copies of critical documents, computer/PC back up floppies and tapes, Contact details of pertinent personnel, critical supplies etc. may be available from a number of sources:
- Other First Bank facilities may have similar resources or copies of critical documents.
- Clients or contractors may have copies of critical documents.
- Commercial storage facilities will usually pick up back up tapes and documents and store them in a climate controlled and secure area.
Consider creating a "Recovery Box" for your business unit. This is similar to a grab dag on a yacht that is taken as the vessel goes under. This Recovery Box could contain specific items that your business unit would need if your building were not accessible. Some items that could be contained in this box include:
- Copies of forms your business unit would need right away in the event of partial or full disaster.
- Copies of Procedure Manuals, these are critical to start the recovery process.
- A small supply of unique supplies your business unit would need right away, cell phone computer plugs and power strips come in handy.
This box must, be stored at an off-site location. The box and an inventory listing its contents are both critical records and should be documented as such. It may also be necessary to store a soft copy of your documents on an internet server that is remote to your site. For example in a Gmail account. You then need to ensure you will have access to the internet at your recovery site
Critical Resources to Be Retrieved
Most disaster occurrences do not totally devastate contents of offices. Depending on the situation, it could be possible to clean and dry paper, microfilm or microfiche. Even if computer diskettes, tapes and hard drives have been water, smoke, or soot damaged, it might be possible to extract the information from them. Do not attempt to do this yourself. Contact your technical support area or facilities staff for help when the incident occurs. But do not bank on the fact that this may or may not happen. I have seen many organizations lose hundreds and thousands of hours worth or work and this in turn equates to tens of thousands if not millions of dollars worth of damage. All this loss could easily be avoided if preparation for disaster recovery was done.
Following the occurrence, if authorities and your services staff conclude your affected building is safe to enter, you may be permitted to enter your building for a short time. This could be for as little as 15 minutes or one half-hour. Create a list of the critical items that you would need to retrieve if you could get into your building. This assumes, of course, that the items are salvageable.
This is only recommended as a last resort and it is strongly recommended that offsite media be used if it is at all recoverable (Assuming the integrity of the backup media is flawless).
The designated personnel should list these items in order of importance. Items you might need to retrieve include: computer disks, computers, selected paper files and work in process, hard disk drives and other storage media. Some items are not worth the risk and it is recommend that your list should not include: family pictures, unimportant files and information that are duplicated somewhere else for this reason it is recommended that the recovery take place with the media already at hand and media that has been returned from offsite storage facilities.
In part four of the Disaster Recovery series all important project definitions are covered as this phase specifies to the organization what will be incorporated into the disaster recovery strategy as well as project milestones and materials that should be stored offsite. These parts of the puzzle form an essential element to completing the whole Business Continuity Plan document.