Business Continuity Planning
Introduction
The Business Continuity Planning (BCP) domain addresses the preservation and recovery of the business in the event of outages to normal business operations.
Objectives
The CISSP should have an understanding of the preparation of specific actions required to preserve critical business operations from the perspective of creating, implementing, and updating a continuity plan. Formulation of the BCP and DRP involves the preparation, testing, and updating of specific actions to protect critical business functions from the effect of major system and network failures/disruptions.
The CISSP candidate will be expected to know:
· The difference between business continuity planning and disaster recovery planning.
· Business continuity planning in terms of project scope and planning, business impact analysis, recovery strategies, recovery plan development, and implementation.
· Disaster recovery in terms of recovery plan development, implementation, and testing and maintenance.
Section Objectives
· Define business continuity plan
· Define disaster
· Describe the phases of business continuity planning
· List restoration actions
Goals of Information Security As They Relate to BCP
The common thread among good information security objectives is that they address all three core security principles:
· Availability: Prevents disruption of service and productivity.
· Confidentiality: Prevents unauthorized disclosure of systems and information.
· Integrity: Prevents unauthorized modification of systems and information.
These three principles are the cornerstone of information security.
Which of the A-I-C triad do the BCP and DRP most prominently address? Answer: Availability
We are also concerned with the other aspects, especially during a recovery process. While the system processes are in transition, the level of security may not be at a normal acceptable level. Thus, during a recovery situation a risk management decision may be needed that allows the business to recover quickly.
What is a disaster?
A disaster is something that interrupts normal business process. A disaster is defined as a sudden, unplanned calamitous event that brings about great damage or loss. In the business environment, it is any event that creates an inability on an organization’s part to support critical business functions for some predetermined period of time. Organizations write BCPs and DRPs to ensure the availability of information system resources in the event of an outage.
Potentially Disastrous Events
· Natural (e.g., earthquakes, storms)
· System/Technical (e.g., outages, malicious code)
· Supply Systems (e.g., electrical power problems)
· Human-Made/Political (e.g., disgruntled employees, riots, vandalism)
Mainly the DRP is different because it focuses on how to repair and restore the data center and information at the original or a new primary site.
Defining a BCP
An approved set of advanced arrangements and procedures that enable an organization to:
· Ensure the safety of people.
· Minimize the amount of loss.
· Facilitate the recovery of business operations to reduce the overall impact of an event, while at the same time resuming the critical business functions within a predetermined period of time.
· Repair or replace the damaged facilities as soon as possible.
Defining a BCP (cont.)
Traditionally, recovery plans focused on the recovery of critical computer systems running at data centers. Today, recovery plans must also focus on the critical computer systems operating in a distributed environment involving personal computers, LANs, telecommunications, etc. Essentially, continuity plans address every critical function of an enterprise.
Requirements of Business Continuity Planning
· Provide an immediate, accurate, and measured response to emergency situations, with the overall goal of ensuring the safety of individuals.
· Mitigate the damage you are experiencing as a result of the disaster.
· Ensure the survivability of the business.
· Provide procedures and a listing of resources to assist in the recovery process.
· Identify vendors that may be needed in the recovery process and put agreements in place with selected vendors.
Requirements of Business Continuity Planning (cont.)
· Avoid confusion experienced during a crisis by documenting, testing, and training plan procedures.
· Provide clear guidance for declaring a disaster.
· Provide the necessary direction to ensure the timely resumption of critical services.
Requirements of Business Continuity Planning (cont.)
· Document storage, safeguarding, and retrieval procedures for critical systems and supporting functions.
· Describe the actions, resources, and materials required to restore critical operations at an alternate site in the event that the primary site(s) has suffered a serious outage.
· Document recovery procedures so they can be executed by knowledgeable people.
BCP Scope
The BCP should cover all aspects of an organization, including:
· Personnel
· Facilities
· Infrastructure
· Support systems
· Information systems
Subtopics
· Business Continuity Management
· Phases of BCP
· Restoration Action
· Example of a Recovery Process
This topic area is divided into four sections. In the first section, we discuss the concept of Business Continuity Management. In the second section, we will discuss the development of a continuity plan. The third section provides some specific restoration actions. The fourth section is an example of a recovery process.
Business Continuity Management
· A strategic and operational framework to review the way an organization provides its products and services while increasing its resilience to disruption, interruption or loss.
· Provides a framework for building resilience and the capability for an effective response which safeguards the interests of a company’s key stakeholders, reputation, brand and value creating activities.
A Definition of Business Continuity Management
Business Continuity Management means ensuring the continuity or uninterrupted provision of operations and services. Business Continuity Management is an on-going process with several different but complementary elements. Planning for business continuity is a comprehensive process that includes disaster recovery, business recovery, business resumption, and contingency planning.
Business Continuity Management is meant to have a very broad meaning and is often used as an all-encompassing term to describe an integrated and enterprise-wide process that should include the following, in alphabetical order:
· Accident prevention
· Business impact analysis
· Business recovery
· Business resumption planning
· Command centers
· Computer security
· Contingency planning
· Crisis communication
· Crisis management
· Disaster recovery
· Emergency management and response
· Event management
· Exercising and training
· Information security
· Mitigation planning
· Project management and quality control
· Risk control
· Risk financing and insurance
· Risk management
· Safety and security
· Software management
Business Continuity Management, therefore, is a comprehensive process to ensure the continuation and improvement of business in the face of whatever challenges your firm may face. Continuity planning requires that these many processes be used together to create a complete continuity plan. The plan must be maintained and updated as business processes change. Continuity plans must be tested. Table top drills and functional exercises are generally used to ensure that they will work.
Stages of BCM
Next we will talk about the specific phases involved in building a BCP plan.
Phases of the BCP
Figure: Phases of Plan. Project Mgmt/Initiation, Business Impact Assessment, Recovery Strategy, Plan Design & Development, Implementation, Testing, Maintenance.
The typical phases of a BCP. We will discuss these in more detail over the next slides. Note how testing and maintenance are on-going activities.
Phases of the BCP Subtopics
1. Project Management and Initiation
2. Business Impact Analysis
3. Recovery Strategy
4. Plan Design and Development
5. Testing, Maintenance, Awareness, and Training
It is expected that each organization will develop its own methodology to create a BCP that matches its specific needs. For example, government agencies must follow specific regulatory guidelines, while private-sector organizations will follow industry-specific standards.
Phase I: Project Management and Initiation
· Establish the need for a BCP.
· Perform a focused risk analysis to identify and document potential outages to critical systems.
· Obtain management support.
· Identify strategic internal and external resources to ensure that BCP matches overall business and technology plans.
We begin with Phase One – Project Management and the Initiation of designing a BCP.
Phase I: Project Management and Initiation (cont.)
Establish the project management work plan that includes the:
· Scope of the project
· Identification of objectives
· Determination of methods for organizing and managing development of the BCP
· Identification of related tasks and responsibilities
· Scheduling of formal meetings and task completion dates
Phase I: Project Management and Initiation (cont.)
· Determine the need for automated data collection tools, including plans to provide training on how to use the software.
· Establish members of the BCP team, both technical and functional representatives.
· Prepare and present an initial report to management on how the BCP will meet the objectives.
Most business contingency plans require more than a word processing product. To stay current, plans need to keep track of changes to personnel, operating systems, hardware, software, communications, policies, vendor contracts, and much, much more. Search and replace in word processing documents simply can’t keep up. In determining which package will work for you, think about scalability, cost, vendor stability, availability of training, technical support, and system requirements. Here are some of the better-known BCP software packages:
· LDRPS by Strohl Systems
· Precovery by SunGard Planning Solutions
· Recovery PACII by CCSI Professional Services Inc.
Next we will look at the roles and responsibilities for the team members involved in developing the BCP.
Products That Can Help
“Automated” plan development can help you:
· Speed the process
· Avoid missing critical elements
· Organize teams
· Maintain the plan
Contingency planning is a long process that requires a proven methodology. Automated programs can provide the methodology and ensure that critical elements are not missed. With automated tools, plan elements can be distributed to team members and re-integrated into the plan when each portion is complete.
BCP Planner/Coordinator
· Ensures that all elements of the plan are thoroughly addressed and an appropriate level of planning, preparation, and training has been accomplished.
· Serves as leader for the development team.
· Has direct access and authority to interact with all employees necessary to complete the plans.
· Is in a position within the organization to balance the needs of the organization with the needs of the individual business units that may be affected.
Since the BCP coordinator is a key factor in the successful development of a BCP, we have highlighted some of the important job requirements. The business continuity coordinator serves as the leader for the development team. Since this person will be responsible for the successful development of the BCP, it is important that care is taken when assigning this role.
BCP Planner/Coordinator (cont.)
· Has knowledge of the business to be able to understand how a disaster can affect the organization.
· Has easy access to management.
· Is able to review the charter, mission statement, and executive viewpoint.
· Has the credibility and ability to influence senior management when decisions need to be made.
In most organizations, it is easier to train current employees in BCP skills than to train BCP students about the organization.
Team Members
Representatives also include, but are not limited to:
· Senior Management, Chief Financial Officer, etc.
· Legal Staff
· Business Unit/Functions
· Support Systems
· Recovery Team Leaders
· Information Security Department
· Data Communications Department
· Communications Department
The slide lists the people who should be involved in the process as members of the BCP development team. The key person is the BCP planner/coordinator, who serves as the focal point during all phases of the BCP process. Each department should send representatives who are knowledgeable about the organization. This is just a sample of who the members could be. Each organization will identify its key personnel.
Team Members (cont.)
The same people who would be responsible for executing the plan in the event of an outage must also be involved in preparing the BCP.
Proven project management techniques state that having people involved who “feel ownership” ensures a higher level of success. Thus, when key critical employees are involved in the development of the plan, they will feel some ownership and responsibility for its success. The plan should be well written so that personnel from other geographies or consultants could execute the plan, because plan writers might not be willing to support it or might not be available.
Project Plan
· Identify and develop business continuity plan phases similar to traditional project plan phases, including problem investigation, problem definition, feasibility study, systems description, implementation, installation, and evaluation.
· Establish business continuity plan project characteristics, such as goals/objectives, tasks, resources (personnel, financial), time schedules, budget estimates, and critical success factors.
Once the BCP coordinator has completed the project plan, and before beginning the next phase, getting management approval in writing is very important. Once the project plan is established and approved by management, the next phase begins.
Phase II: Business Impact Analysis (BIA)
The BIA is a functional analysis that identifies the impacts should an outage occur. Impact is measured by the following:
· Allowable Business Interruption – the Maximum Tolerable Downtime
· Financial and Operational Considerations
· Regulatory Requirements
· Organizational Reputation
The BIA is the process of determining the impact on an organization should an extended outage occur. The BIA should quantify, where possible, the loss impact from both a business interruption (number of days) and a financial standpoint.
Phase II: Business Impact Analysis (BIA)
The BIA sets the stage for determining a business-oriented judgment concerning the appropriation of resources for recovery planning efforts.
Eight Steps of the BIA
· Step 1: Select Interviewees
· Step 2: Determine information gathering techniques
· Step 3: Customize questionnaire to gather economic and operational impact information (quantitative and qualitative questions)
· Step 4: Analyze information
Notes:
· Step 1: Individuals within each business unit are identified to determine business processes.
· Step 2: Examples are surveys, questionnaires, interviews, and workshops.
· Step 3: There is no “standard” question; it will depend on the organization. Quantitative refers to financial impact, while qualitative refers to the non-financial loss, such as loss of customer confidence.
· Step 4: Gathered information is organized and analyzed.
Eight Steps of the BIA (cont.)
· Step 5: Determine time-critical business systems
· Step 6: Determine maximum tolerable downtimes
· Step 7: Prioritize critical business systems based on maximum tolerable downtimes
· Step 8: Document findings and report recommendations
Notes:
· Step 5: Identify time-critical business functions – see next slide.
· Step 6: See next slides.
· Step 7: Written document
· Step 8: Report results to management.
Maximum Tolerable Downtime
This is just an example of an MTD scale. The business units determine what tasks are critical, urgent, etc. The shorter the MTD, the higher on the recovery list the function will be. For example, those with a critical listing should be restored before those with an urgent listing. The MTD will eventually assist in determining the recovery strategies. That is, a shorter period of recovery will identify the priority in which the business functions will be restored.
Phase III: Recovery Strategies
Recovery strategies are a set of pre-defined and management-approved actions that will be followed and implemented in response to a business interruption.
Once the critical business functions and the MTD have been identified, the next step is to focus on the best strategy (or method) of assuring that the critical business function can be operational within the time frame.
Recovery Strategies Focus
· Meeting the pre-determined recovery time frames.
· Maintaining the operation of the critical business functions.
· Compiling the resource requirements.
· Identifying alternatives that are available for recovery.
Recovery Strategies Key Element
The key element of developing a recovery strategy is to base it on the recovery time for mission critical business systems -- as outlined in the Business Impact Analysis.
This is the tie-in to the BIA and the recovery strategies. This is why the BIA is such an important element of the BCP. Remember that the goal of the BCP is to restore critical business functions within a pre-determined acceptable time frame.
Recovery Strategies Development Steps
1. Document all costs with each alternative.
2. Obtain cost estimates for any outside services.
3. Develop written agreements for such services.
4. Evaluate resumption strategies based on a full loss of the facility.
5. Document recovery strategies and present to management for comments and approval.
This slide outlines the five steps involved in developing recovery strategies.
Categories of Recovery Strategies
· Business Recovery
· Facility and Supply
· User
· Operational
· Data
Business Recovery
Focus is on the critical resources and the maximum tolerable downtime for each business/support unit system. This may include the identification of:
· Critical IT system hardware, software, and data
· Critical equipment, supplies, furniture, and office space
· Key personnel for each business unit and support unit, such as Operations, Facilities, Security, etc.
The considerations are grouped into five main recovery categories:
· Business
· Facility and Supply
· User
· Technical
· Data
This slide begins with the first category – Business Recovery. The next few slides explain each of these in more detail.
Facility and Supply Recovery
Focus is on restoration and recovery such as:
· Facility - main building, remote facilities
· Inventory - supplies, equipment, paper, forms
· Equipment - network environments, servers, mainframe, microcomputers, etc.
· Telecommunications - voice and data
· Documentation - application, technical materials
· Transportation - movement of equipment, personnel
· Supporting equipment - HVAC, safety, security
This slide discusses the recovery strategies for facilities and supplies.
User Recovery
Focus is on personnel requirements such as:
· Manual procedures
· Vital record storage (e.g., Medical, Personnel)
· Employee transportation
· Critical documentation and forms
· User workspace and equipment
· Alternate site access procedures
This slide focuses on the recovery strategies for personnel.
User Recovery (cont.)
Procedures for the organization’s employees to follow during the outage include items such as:
· Team responsibilities
· Distribution of information
· Manual processing techniques
· Disaster policies
· Notification procedures
· High priority tasks
· Emergency accounting
· Checklists
Operational Recovery
· Determine the necessary equipment configurations, such as:
  · Mainframes, LANs, microcomputers, peripherals
  · Explore opportunities for integration/consolidation
  · Usage parameters
· Data communications configurations include:
  · Switching equipment, routers, bridges, gateways
This slide (and the next two) outlines the recovery strategies for Operations.
Operational Recovery (cont.)
Outline alternative strategies for technical capabilities, such as network infrastructure components. Options include:
· Hot Site, Warm Site, Cold Site, Mobile Site
· Reciprocal or Mutual Aid Agreements
· Multiple Processing Centers
· Service Bureaus
Definitions:
· A Hot Site is defined as a fully configured site with complete hardware and software normally provided by the client.
· A Warm Site is similar to a hot site, although the expensive equipment is not available on site. The site is ready in hours after the needed equipment arrives.
· A Cold Site is an alternate facility that does not include any technical equipment or resources, except environmental support such as air conditioning, power, telecommunication links, raised floors, etc.
· A Mobile Site is a computer-ready trailer that can be set up in a subscriber’s parking lot and linked by a trailer sleeve to create a space to suit the subscriber’s recovery needs.
· Reciprocal agreements are arrangements between two (or more) companies to provide facilities to the other in the event of a disaster.
· Multiple Processing Centers involve the capability to distribute the work requirements over two or more compatible in-house centers.
· Service Bureaus offer data processing services.
Operational Recovery (cont.)
Alternate Site Choices
Figure: alternate sites plotted by cost against Maximum Tolerable Downtime.
· Mirror Site: actively running identical processes in parallel (Instant)
· Hot Site: fully operational except data/staff (Minutes-Hours)
· Warm Site: partially prepared for operations (Days - Week)
· Cold Site: basic HVAC and connections (Weeks/Months)
This slide is intended to display some of the alternate recovery site strategies.
Software and Data Recovery
Focus is on the recovery of information - the data. Options include:
· Backing up and off-site storage
· Electronic vaulting
· On-line tape vaulting
· Remote journaling
· Database shadowing
· Standby services
· Software escrow
ELECTRONIC VAULTING, the bulk transfer of backup data over communications facilities, can simplify the backup process and provide more timely offsite "Operational" data protection. This process can be facilitated with a "host-to-host" or "channel extension" connection and typically serves to reduce, but not eliminate, the exposure to loss of data.
REMOTE JOURNALING delivers realtime data integrity by capturing and transmitting the Journal and Transaction Log data offsite as it is created. This solution utilizes a software product known as ENET1, which interacts with standard database journal and logging facilities in IMS, CICS, IDMS, CPCS and other DBMSs.
DATABASE SHADOWING reduces recovery time by staging the database restore and roll-forward process, enabling recovery within hours.
STANDBY SERVICES provide recovery of most critical applications in a matter of minutes and GUARANTEED access to an alternate processor.
SOFTWARE ESCROW agreements are typically three-party arrangements under which the licensor deposits a copy of software source code with an escrow agent who agrees to release the code to a licensee in certain events. These agreements typically involve three major issues for negotiations. The first concern is the code to be deposited and whether continual updates are required, thereby requiring validation of operability. The second issue is the circumstances under which the code is released to the licensee and the potential for dispute between licensor and licensee concerning whether such release event has, in fact, occurred. Finally, the terms of use of the source code, once released, deserve intense focus. Releasing the source code under the terms of the original object code license is usually ill-advised for both parties simply because object code licenses are typically not drafted to address issues unique to the source code license arrangement.
Phase IV: BCP Design and Development
In this phase the team prepares and documents a detailed plan for recovery of critical business systems. End products include:
· Business and Service Recovery Plans
· Plan Maintenance Programs
· Employee Awareness and Training Programs
· Test Method Descriptions
· Restoration Plans
Transition to Phase IV – the actual development of the plan.
Design and Development Steps 1 - 4
1. Determine management concerns and priorities.
2. Determine planning scope such as geographical concerns, organizational issues, and the various recovery functions to be covered in the plan.
3. Establish outage assumptions.
4. Identify response procedures, such as ensuring evacuation and safety of personnel, notification of disaster, initial damage assessment, activating teams, relocating to alternate sites.
The next few slides outline the 13 steps involved in developing a BCP. The damage assessment team must provide timely feedback to the Disaster Recovery Coordinator, who must inform Senior Management to review the results of the assessment and ultimately make the decision to activate the BCP.
Design and Development Steps 5 - 7
5. Identify resumption strategies for mission-critical and non-mission-critical systems at alternate sites.
6. Identify the location for the emergency operations center/command center.
7. Identify restoration procedures for salvage, repair, and return to the primary site. Also, the procedures to deactivate the recovery site.
Once the pre-determined acceptable time frames are established, then the priority of restoring critical business functions can be established.
Design and Development Step 8
8. Plan and implement the gathering of data required for plan completion.
· Personnel information
· Vendor services
· Equipment, software, forms, supplies
· Vital records
· Technical information
· Office space requirements
Design and Development Step 9
9. Review and outline who (and how) the organization will interface with external groups.
· Customers
· Shareholders
· Civic officials
· Community, region, and state emergency services groups
· Utility providers
· Industry group coalitions
· Media
Dealing with the media during a disaster involves:
· Establishing a unified organization response.
· Having the public relations officer as the focal point for distributing information. This alleviates the problem of getting misleading information from various sources.
· Reporting your own bad news.
· Determining in advance the appropriate approval and clearance processes for information that is to be conveyed.
· Maintaining a mailing list for larger audiences.
· Identifying emergency press conference sites in advance.
· Recording events as the crisis evolves.
Design and Development Step 10
10. Review and outline how the organization will cope with other complications beyond the actual disaster.
· Responsibility to families
· Coordination with human resource and legal departments
· Fraud opportunities
· Looting and vandalism
· Ensuring primary site is protected during disaster
· Safety and legal problems
· Expenses exceeding emergency manager authority
Design and Development Steps 11 - 13
11. Develop support service plans, including human resources, public relations, transportation, facilities, information processing, telecommunications, etc.
12. Develop business function plans and procedures.
13. Develop facility recovery (i.e. the building) plans.
BCP Document
The final aspect of this phase is to combine all of the various steps into the organization’s BCP. This plan should then be interfaced with the organization’s other emergency plans.
Phase V: Testing, Maintenance, Awareness and Training
In this phase, plans for testing and maintaining the BCP are implemented, and awareness and training procedures are executed.
The material is meant for all types of plans.
Regular Drills and Testing:
· No demonstrated capability until plan tested
· Tests exercise all components of plans
· Tests & drills prepare personnel to carry out emergency duties
· Regular test schedule alerts management to changes affecting recovery capabilities
Benefits of regular testing include:
· Demonstrates ability to actually recover
· Verifies compatibility of backup facilities
· Ensures adequacy of team procedures
· Identifies deficiencies in existing procedures
· Trains team leaders, members, & backups
· Provides mechanism for maintaining & updating the plan
Include test results in regular management reporting.
Phase V: Plan Testing
Plan testing ensures that the business continuity capability remains effective, regardless of the disaster. It includes:
· Testing objectives
· Measurement criteria
· Test schedules
· Post-test reviews
· Test results reported to management
Testing tips include:
· Should not disrupt essential work
· Prepare written test plans
· Prepare long-term testing schedule
· Start small
· Test for weaknesses
· Learn from test results
· Expect mistakes & problems
· Ensure multiple versions of the plan do not exist - replace older versions with updated versions
Phase V: Plan Testing
The five main types of BCP testing strategies are:
· Checklist
· Structured Walk-Through
· Simulation
· Parallel
· Full Interruption
Checklist - Copies of plan distributed to functional areas for review to ensure plan addresses all concerns and activities related to the particular organization
Structured Walk-Through - Functional representatives meet to review plan to ensure it accurately reflects organization’s recovery strategy (1-2 hrs duration)
  · Plan objectives
  · Scope & assumptions
  · Organizational/reporting structure
  · Plan testing, maintenance, & training requirements
  · Raise awareness of recovery team members
  · Train members in recovery responsibilities
Simulation - All operational and support functions meet to practice execution of the plan based on a scenario that is played out to test the reaction of all functions to various stimuli
Parallel - Basically an operational test
  · Critical systems are run at the alternate site
  · Results are compared with actual processing results
  · Ensure that critical systems will run at alternate site
Full Interruption
  · Normal operations shut down
  · Processing conducted at alternate site
  · Using materials in offsite storage
  · Using personnel assigned to recovery team
Phase V: Plan Maintenance Goal
Develop processes that maintain the currency of continuity capabilities and the BCP document in accordance with the organization's strategic direction. This includes:
· Changing management procedures
· Resolving problems found during testing
· Building maintenance procedures into the process
· Centralizing responsibility for updates
· Reporting results regularly to team members
Phase V: Plan Maintenance Functions
Plan maintenance functions are:
· Receive and monitor input on needed revisions - maintain revision history
· Plan maintenance reviews as needed
· Monitor changes within business units, such as upgrades to systems
· Control plan maintenance distribution - who receives a copy of plan updates
· Ensuring version control - obsolete editions of the plan are collected and destroyed.
Note that plans could be hard copy or electronic “soft copy” or stored on media (e.g., CD-ROMs, disks, etc.).
Next we will talk about some specific recovery actions.
Damage Assessment
· Determine the extent of damage to the facility.
· Estimate the time needed to resume normal operations.
· Notify management of the findings.
The first step in the recovery process is to assess the damage. Usually a “damage assessment team” is assembled to estimate the extent of the outage.
Damage Assessment (cont.)
If the time estimated to resume operations exceeds the Maximum Tolerable Downtime (MTD) for critical business functions, then management should consider declaring a disaster and implementing the BCP.
Restoration Actions
Restoration operations involve restoring the primary site to normal operating conditions.
· Complete an assessment of all damage.
· Initiate cleanup of the primary site.
· Implement necessary replacement procedures.
Restoration Actions (cont.)
· Move unused backup materials (i.e., supplies, magnetic media, backup documentation) from the alternate site to the primary site.
· Do least critical work first.
· Perform installations and updates of programs and data.
· Certify and accredit the system at the primary site.
· Initiate normal processing.
Subtopics
· Business Continuity Management
· Phases of BCP
· Restoration Action
· Example of a Recovery Process
The next slides provide a walk-through of the steps involved in a recovery process.
Example of a Recovery Process
It is important to understand that many things are happening simultaneously. This requires several teams to be active at the same time, and each team might be in a separate physical location. Be careful not to put one critical person on several teams: he or she cannot be in two places at once. The slide indicates the typical phases of a disaster recovery process. The line at the top of the slide indicates the major phases. The lines underneath show the approximate time frames for concurrent phases.
Subtopics: Example of a Recovery Process
· Respond to the Disaster
· Recover Critical Functions
· Recover Non-critical Functions
· Salvage and Repair
· Return to Primary Site
These are the five basic steps involved in a recovery process. Each step will be discussed further in the next slides.
Disaster Activity Example
· Assemble emergency operations team.
· Contact recovery team members to participate in the initial damage assessment.
· Determine the extent of damage to the primary site facility, including:
  · Building structure
  · Damage to utilities
  · Access to different areas within the building, including capability to secure the building
The first step is to respond to the disaster. This includes contacting the DRP coordinator and the disaster assessment team. This team is responsible for assessing the primary location and determining the extent of damage to the facility, network equipment, etc. The Damage Assessment Team, with assistance from the Salvage Assessment Team (assuming the two teams do not have the same members), may be able to salvage any equipment that may still be useful at the designated alternative site(s). Also, the risk management team may be needed to review items with insurance companies, etc.
Disaster Activity Example (cont.)
· Calculate the time required to resume critical and non-critical business operations.
· Notify management of the results.
· Declare a disaster and begin implementation of continuity/recovery plans.
· Maintain a log of all steps taken after a disaster. Be sure to note time, location, what has been done, who did it, and any expenses incurred.
If necessary, the damage assessment team will recommend declaring the event a “disaster” and beginning the implementation of the business continuity plan.
Disaster Activity Example (cont.)
· Establish the command center to provide management control, administrative, logistic, and communications support.
· Move backup resources to the appropriate recovery site.
· Allocate the required office space and recovery resources to the recovery teams.
Disaster Activity Example (cont.)
Resume critical business functions at recovery site. Go to recovery site to confirm the following:
· Space needs
· Security needs
· Fire protection
· Infrastructure requirements
Obviously this should all be documented ahead of time, but a team will usually go to the recovery site.
Disaster Activity Example (cont.)
Resume critical business functions at recovery site.
· Install, activate and test all equipment.
· Install & activate necessary software and data from backup.
· Test the system and certify it is ready for operation.
· Begin critical application processing in accordance with established priorities.
· Configure and test voice communications systems.
Disaster Activity Example (cont.)
Resume critical business at recovery site.
· Verify that media, forms, supplies, documentation, and equipment at an off-site storage site have been transferred to the recovery site.
· Notify users of schedule and site.
Resume non-critical business at recovery site.
· Follow similar procedures of critical business function recovery.
Salvage & Repair Example
· Complete a detailed assessment of all damage at the primary site.
· Initiate cleanup of the primary site.
· If necessary, dispose of damaged equipment and procure new equipment.
· Recover water-soaked documents.
· Review insurance policies and document information as needed.
A key component is documenting the necessary steps to resume critical and non-critical functioning at the primary site, whether it is the refurbished original site or a new primary site. Obtain professional specialists for equipment cleanup and document recovery. The reason is that if you attempt to recover soaked documents yourself, for example, you might damage and destroy them. A professional organization would probably freeze all critical documents to prevent mildew and enable an orderly dry-out and recovery of documents.
Salvage & Repair Example (cont.)
Coordinate activities to have repairs made to the damaged areas within the primary site, including:
· Facility structure - walls, floors, ceilings, etc.
· Equipment
· Support systems - HVAC, plumbing, etc.
Return to Primary Site Example
· Plan for the return.
· Reactivate fire protection and other alarm systems.
· Planning for the return is different from the recovery plan - least critical work should be initiated first.
· Implement and test the network system.
· Certify and accredit the system ready for operations.
· When notified that normal operations have resumed at the primary site, shut down operations at the alternate site and return backup materials to storage.
When returning to the primary site, additional decisions that need to be made are:
· Establish operations environment at the new primary site by identifying the best time to move to the primary site and developing a schedule for the move that must be approved by all parties
· Coordinate the activities for all steps
· Notify users and vendors
· Back up all recovery site files
· Transport files to primary site
· Reload software and applications at primary site (less critical work is initiated first)
· Begin normal operations
Quick Quiz
· What is a business continuity plan?
· What are the phases of business continuity planning?
Section Summary
A business continuity plan (BCP) is an approved set of advanced arrangements and procedures that enable an organization to facilitate the recovery of business operations to reduce the overall impact of an event, while at the same time resuming the critical business functions within a predetermined period of time.
The phases of BCP are: 1) Project Management and Initiation; 2) Business Impact Analysis; 3) Recovery Strategy; 4) Plan Design; and 5) Development, and Testing, Maintenance, Awareness, and Training.