BUSINESS CONTINUITY AND DISASTER RECOVERY FOR IT PROFESSIONALS
By Susan Snedaker
"Powerful Earthquake Triggers Tsunami in Pacific. Hurricane Katrina Makes Landfall in the
Gulf Coast. Avalanche Buries Highway in Denver. Tornado Touches Down in Georgia."
These headlines not only have caught the attention of people around the world, they have had
a significant effect on IT professionals as well. As technology continues to become more
integral to corporate operations at every level of the organization, the job of IT has expanded
to become almost all-encompassing. These days, it's difficult to find corners of a company
that technology does not touch. As a result, the need for IT professionals to plan for potential
disruptions to technology services has increased exponentially.
With distributed networks, increasing demands for confidentiality, integrity and availability of
data, and the widespread risks to the security of personal, confidential and sensitive data, no
organization can afford to ignore the need for disaster planning.
In this book you will find:
- Coverage of the 3 categories of disaster: natural hazards, human-caused hazards, and
accidental/technical hazards.
- Information on risks from cyber attacks, rioting, protests, product tampering, bombs,
explosions, and terrorism.
- Disaster planning and readiness checklists for IT infrastructure, enterprise applications,
servers and desktops.
- Guidance on developing alternate work and computing sites and emergency facilities.
- Actionable advice on emergency readiness and response.
- Up-to-date information on the legal implications of data loss following a security breach
or disaster.
- - - - - - - -
CONTENTS
Introduction
CHAPTER 1 BUSINESS CONTINUITY AND DISASTER RECOVERY OVERVIEW
Introduction
Business Continuity and Disaster Recovery Defined
Components of Business
People in BC/DR Planning
Process in BC/DR Planning
Technology in BC/DR Planning
The Cost of Planning versus the Cost of Failure
People
Process
Technology
Types of Disasters to Consider
Natural Hazards
Cold Weather Related Hazards
Warm Weather Related Hazards
Geological Hazards
Human-Caused Hazards
Accidents and Technological Hazards
Electronic Data Threats
Personal Privacy
Privacy Standards and Legislation
Social Engineering
Fraud and Theft
Managing Access
Business Continuity and Disaster Recovery Planning Basics
Project Initiation
Risk Assessment
Business Impact Analysis
Mitigation Strategy Development
Plan Development
Training, Testing, Auditing
Plan Maintenance
Summary
Solutions Fast Track
Frequently Asked Questions
Case Study 1 Legal Obligations Regarding Data Security
Background
The ChoicePoint Incident
State Laws Regarding Data Security
Notice of Security Breach Laws
Definition of Personal Information
What Triggers Notice Requirements?
Federal Laws Regarding Data Security
U.S. House of Representatives Proposed Bill
U.S. Senate Proposed Bill
Conclusion
Footnotes
Frequently Asked Questions
CHAPTER 2 PROJECT INITIATION
Introduction
Elements of Project Success
Executive Support
User Involvement
Experienced Project Manager
Clearly Defined Project Objectives
Clearly Defined Project Requirements
Clearly Defined Scope
Shorter Schedule, Multiple Milestones
Clearly Defined Project Management Process
Project Plan Components
Project Definition
Problem and Mission Statement
Potential Solutions
Requirements and Constraints
Success Criteria
Project Proposal
Estimates
Project Sponsor
Forming the Project Team
Organizational
Technical
Logistical
Political
Project Organization
Project Objectives
Project Stakeholders
Project Requirements
Project Parameters
Project Infrastructure
Project Processes
Project Communication Plan
Project Planning
Work Breakdown Structure
Critical Path
Project Implementation
Managing Progress
Managing Change
Project Tracking
Project Close Out
Key Contributors and Responsibilities
Information Technology
Experience Working on a Cross-Departmental Team
Ability to Communicate Effectively
Ability to Work Well with a Wide Variety of People
Experience with Critical Business and Technology Systems
IT Project Management Leadership
Human Resources
Facilities/Security
Finance/Legal
Warehouse/Inventory/Manufacturing/Research
Purchasing/Logistics
Marketing and Sales
Public Relations
Project Definition
Business Requirements
Functional Requirements
Technical Requirements
Business Continuity and Disaster Recovery Project Plan
Project Definition, Risk Assessment
Business Impact Analysis
Risk Mitigation Strategies
Plan Development
Emergency Preparation
Training, Testing, Auditing
Plan Maintenance
Summary
Solutions Fast Track
Frequently Asked Questions
Case Study 2 The Financial Impact of Disasters and Disruptions
Introduction
Financial Aspects of Business Disruptions
Cash Flow
Lower Revenues
Sales Activities
Order Fulfillment
Order Shipment
Accounts Receivable
Higher Costs
Impact on Cash Flow
Impact on Valuation and Ability to Raise Capital
Summary
CHAPTER 3 RISK ASSESSMENT
Introduction
Risk Management Basics
Risk Management Process
Threat Assessment
Vulnerability Assessment
Impact Assessment
Risk Mitigation Strategy Development
People, Process, Technology, and Infrastructure in Risk Management
People
Process
Technology
Infrastructure
IT-Specific Risk Management
IT Risk Management Objectives
The System Development Lifecycle Model
Risk Assessment Components
Information Gathering Methods
Natural and Environmental Threats
Fire
Floods
Severe Winter Storms
Electrical Storms
Drought
Earthquake
Tornados
Hurricanes/Typhoons/Cyclones
Tsunamis
Volcanoes
Avian Flu/Pandemics
Human Threats
Fire
Theft, Sabotage, Vandalism
Labor Disputes
Workplace Violence
Terrorism
Chemical or Biological Hazards
War
Cyber Threats
Infrastructure Threats
Building Specific Failures
Public Transportation Disruption
Loss of Utilities
Disruption to Oil or Petroleum Supplies
Food or Water Contamination
Regulatory or Legal Changes
Threat Checklist
Threat Assessment Methodology
Quantitative Threat Assessment
Qualitative Threat Assessment
Vulnerability Assessment
People, Process, Technology, and Infrastructure
People
Process
Technology
Infrastructure
Vulnerability Assessment
Summary
Solutions Fast Track
Frequently Asked Questions
CHAPTER 4 BUSINESS IMPACT ANALYSIS
Introduction
Business Impact Analysis Overview
Upstream and Downstream Losses
Understanding the Human Impact
Key Positions
Human Needs
Understanding Impact Criticality
Criticality Categories
Mission-Critical
Vital
Important
Minor
Recovery Time Requirements
Identifying Business Functions
Facilities and Security
Finance
Human Resources
IT
Legal/Compliance
Manufacturing (Assembly)
Marketing and Sales
Operations
Research and Development
Warehouse (Inventory, Order Fulfillment, Shipping, Receiving)
Other Areas
Gathering Data for the Business Impact Analysis
Data Collection Methodologies
Questionnaires
Interviews
Workshops
Determining the Impact
Business Impact Analysis Data Points
Understanding IT Impact
Example of Business Impact Analysis For Small Business
Preparing the Business Impact Analysis Report
Summary
Solutions Fast Track
Frequently Asked Questions
CHAPTER 5 MITIGATION STRATEGY DEVELOPMENT
Introduction
Types of Risk Mitigation Strategies
Risk Acceptance
Risk Avoidance
Risk Limitation
Risk Transference
The Risk Mitigation Process
Recovery Requirements
Recovery Options
As Needed
Prearranged
Preestablished
Recovery Time of Options
Cost versus Capability of Recovery Options
Recovery Service Level Agreements
Review Existing Controls
Developing Your Risk Mitigation Strategy
Sample 1: Section from Mitigation Strategy for Critical Data
Sample 2: Section from Mitigation Strategy for Critical Data
People, Buildings, and Infrastructure
IT Risk Mitigation
Critical Data and Records
Critical Systems and Infrastructure
Reviewing Critical System Priorities
Backup and Recovery Considerations
Alternate Business Processes
IT Recovery Systems
Alternate Sites
Disk Systems
Desktop Solutions
Software and Licensing
Web Sites
Summary
Solutions Fast Track
Frequently Asked Questions
CHAPTER 6 BUSINESS CONTINUITY/DISASTER RECOVERY PLAN DEVELOPMENT
Introduction
Phases of the Business Continuity and Disaster Recovery
Activation Phase
Major Disaster or Disruption
Intermediate Disaster or Disruption
Minor Disaster or Disruption
Activating BC/DR Teams
Developing Triggers
Transition Trigger—Activation to Recovery
Recovery Phase
Transition Trigger—Recovery to Continuity
Business Continuity Phase
Maintenance/Review Phase
Defining BC/DR Teams and Key Personnel
Crisis Management Team
Management
Damage Assessment Team
Operations Assessment Team
IT Team
Administrative Support Team
Transportation and Relocation Team
Media Relations Team
Human Resources Team
Legal Affairs Team
Physical/Personnel Security Team
Procurement Team (Equipment and Supplies)
General Team Guidelines
BC/DR Contact Information
Defining Tasks, Assigning Resources
Alternate Site
Selection Criteria
Contractual Terms
Comparison Process
Acquisition and Testing
Contracts for BC/DR Services
Develop Clear Functional and Technical Requirements
Determine Required Service Levels
Compare Vendor Proposal/Response to Requirements
Identify Requirements Not Met by Vendor Proposal
Identify Vendor Options Not Specified in Requirements
Communications Plans
Internal
Employee
Customers and Vendors
Shareholders
The Community and the Public
Event Logs, Change Control, and Appendices
Event Logs
Change Control
Distribution
Appendices
Additional Resources
What’s Next
Summary
Solutions Fast Track
Frequently Asked Questions
Case Study 3 Crisis Communications 101
Background
Three Simple Rules for Crisis Communication
Rule #1: Always Tell the Truth
Rule #2: Appoint a Single Spokesperson
Rule #3: Provide Formatted Information
Directional Communications
Practicing Your Plan
CHAPTER 7 EMERGENCY RESPONSE AND RECOVERY
Introduction
Emergency Management Overview
Emergency Response Plans
Emergency Response Teams
Crisis Management Team
Emergency Response and Disaster Recovery
Alternate Facilities Review and Management
Communications
Human Resources
Legal
Insurance
Finance
Disaster Recovery
Activation Checklists
Recovery Checklists
IT Recovery Tasks
Computer Incident Response
CIRT Responsibilities
Business Continuity
Summary
Solutions Fast Track
Frequently Asked Questions
CHAPTER 8 TRAINING, TESTING, AND AUDITING
Introduction
Training for Disaster Recovery and Business Continuity
Emergency Response
Disaster Recovery and Business Continuity Training Overview
Training Scope, Objectives, Timelines, and Requirements
Performing Training Needs Assessment
Developing Training
Scheduling and Delivering Training
Monitoring and Measuring Training
Training and Testing for Your Business Continuity and Disaster Recovery Plan
Paper Walk-through
Develop Realistic Scenarios
Develop Evaluation Criteria
Provide Copies of the Plan
Divide Participants by Team
Use Checklists
Take Notes
Identify Training Needs
Develop Summary and Lessons Learned
Functional Exercises
Field Exercises
Full Interruption Test
Training Plan Implementers
Testing the BC/DR Plan
Understanding of Processes
Validation of Task Integration
Confirm Steps
Confirm Resources
Familiarize with Information Flow
Identify Gaps or Weaknesses
Determines Cost and Feasibility
Test Evaluation Criteria
Recommendations
Performing IT Systems and Security Audits
IT Systems and Security Audits
Summary
Solutions Fast Track
Frequently Asked Questions
CHAPTER 9 BC/DR PLAN MAINTENANCE
Introduction
BC/DR Plan Change Management
Training, Testing, and Auditing
Changes in Information Technologies
Changes in Operations
Corporate Changes
Legal, Regulatory, or Compliance Changes
Strategies for Managing Change
Monitor Change
People
Process
Technology
Evaluate and Incorporate Change
BC/DR Plan Audit
Plan Maintenance Activities
Project Close Out
Summary
Solutions Fast Track
Frequently Asked Questions
Appendix A Risk Management Checklist
Appendix B Crisis Communications Checklist
Appendix C Business Continuity and Disaster Recovery Response Checklist
Appendix D Emergency and Recovery Response Checklist
Appendix E Business Continuity Checklist
Appendix F IT Recovery Checklists
Appendix G Training, Testing, and Auditing Checklists
Appendix H BC/DR Plan Maintenance Checklist
Index
- - - - - - - - -
INCLUDES:
- A comprehensive FAQ page that consolidates all of the key points of this book into
an easy-to-search Web page.
- “From the Author” forum where the authors post timely updates and links to related
sites.
- - - - - - - - -
EXCERPT FROM THE INTRODUCTION
“Let’s start with the obvious. Business continuity and disaster (BC/DR) planning is not the
most uplifting topic.
“Few people want to spend their day (or even an hour) in BC/DR planning, but like brushing or
flossing your teeth, the payoff far exceeds the investment of time and effort. In today’s
environment, where technology reaches into every corner of almost every organization,
BC/DR planning has become imperative. Unfortunately, it falls very low on a long list of IT
priorities. By the time BC/DR hits the radar screen, most IT staff are already overutilized and
overwhelmed.
“The one statistic that should remind you of the importance of creating and maintaining a
BC/DR plan is this: In a study of companies that experienced a major data loss without
having a solid BC/DR plan in place, 43% never reopened, 51% closed within two years, and
only 6% survived long-term. (see Chapter 1 for more on this). Let’s repeat that: 6% survive
long-term. If you’re reading this foreword, it means you’ve at least thought about this. The
good news is that you can dramatically improve your odds of your company surviving a major
disaster by creating a BC/DR plan. The purpose of this book is to provide a framework within
which you can develop an effective BC/DR plan for your company. It’s targeted at small and
medium-sized businesses, though it can easily be used in larger companies.
“We’ll cover the important elements of BC/DR, point you to additional resources and provide
some real-world advice that you can put to use immediately. The book is intended to be
scalable to fit your needs. If you’ve avoided creating a BC/DR plan because your organization
tends toward “just-in-time planning” (also known as “seat of your pants planning”), this book
will help you by giving you the bottom line and the minimum requirements, whenever
possible. If you and your organization are very detail-oriented and you were looking for the
right framework to use, this book will help you develop one suited to the unique needs of your
company.
“This book adheres to industry standards and best practices, but it will not prepare you for a
formal certification in business continuity or disaster recovery planning. It’s not exhaustive on
any of the BC/DR topics, either. If you’re looking for an extremely detailed, comprehensive,
exhaustive (and exhausting) look at BC/DR, look elsewhere. If you’re looking for a fast,
effective framework that you can actually use, this book is for you. It is a roll-up-your-
sleeves-and-get-your-hands-dirty kind of book meant to be used to quickly step you through
the process of creating an effective BC/DR plan with the least effort.
“If you’ve created a plan in the past, you can use this book to make sure your plan is
comprehensive and up-to-date. If you don’t yet have a plan, you can use this to get going. In
either case, you will find this book to be a great resource that you pick up time and again or
that you hand over, dog-eared and highlighted, to your successor (as you move up the career
ladder).”
- - - - - - - - -
ABOUT THE AUTHOR
SUSAN SNEDAKER, Principal Consultant and founder of Virtual Team Consulting, LLC, has
over 20 years’ experience working in IT in both technical and executive positions including
with Microsoft, Honeywell, and Logical Solutions. Her experience in executive roles at both
Keane, Inc. and Apta Software, Inc. provided extensive strategic and operational experience
in managing hardware, software and other IT projects involving both small and large teams.
As a consultant, she and her team work with companies of all sizes to improve operations,
which often entails auditing IT functions and building stronger project management skills, both
in the IT department and company-wide. She has developed customized project management
training for a number of clients and has taught project management in a variety of settings.
Ms. Snedaker holds a Master’s degree in Business Administration (MBA) and a Bachelor’s
degree in Management. She is a Microsoft Certified Systems Engineer (MCSE), a Microsoft
Certified Trainer (MCT), and has a certificate in Advanced Project Management from Stanford
University.
- - - - - - - - -
June, 1997, 456 Pages. Order #DR819
- - - - - - - - -
Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104 USA
1-888-ROTHSTEin; (888.768.4783)
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401