Index
Chapter 1: Why Should Your Business Prepare for a Disaster? OVERVIEW This chapter contains a description of the types of disasters your company might experience and the potential financial and legal ramifications that could follow. By the end of this chapter you will: Understand the importance of Business Continuity Planning Become aware of the potential interruptions that could affect your company's bottom line Understand what's at stake if you do not plan Understand the potential legal consequences of not planning This book subscribes to the well-known rule, BE PREPARED! By planning ahead for an emergency you can help defend your business against irreparable damage or even total business failure. The time taken to plan for an emergency could be the best investment your company ever made.
Chapter 1: Why Should Your Business Prepare for a Disaster?
WHAT DISASTER MIGHT HIT YOU?
Disasters may occur at any time for many reasons. A Business Continuity Plan (BCP) must be in place to prevent or reduce the effects of disasters. According to The Disaster Recovery Institute International (www.drii.org), 93% of companies who experience a disaster without a recovery plan close within five years. Fifty percent of companies that lose critical business functions for more than ten days never recover. For Fortune 500 companies, business and system downtime costs an average of $96,000 per minute! There are many types of disasters that can affect your company's bottom line. Do you have a Business Continuity Plan to manage your way through these? Equipment Failure Windstorms Biological/Radiological Incident Flooding Cyber Crime Denied Access Fire Civil Disturbance Water Pipe Breakage Earthquake Loss of Key Employees, Supplier or Customer Network failure Hazardous Material Incident Extended Power Outage Communications Failure Explosion Transportation
IT'S TOO MUCH WORK! WHY SHOULDN'T WE JUST TAKE THE RISK?
Company management too often neglects disaster planning. The most common reasons are: lack of time and resources, lack of top management support, lack of money, too many causes of disasters to plan for effectively, little awareness of potential hazards, and lack of knowledge in developing a plan. We have all heard at least one of these reasons for not having a plan, but are any really good enough to risk the consequences of not being prepared? Here's a simple test. Can you answer "yes" to all the following questions? If not, how would the repercussions affect your company's ability to remain in business? Are you confident that you will manage through a disaster better than your competition? If not, how much business are you likely to lose? Are you ensuring the safety of your personnel and customers? If not, could your legal liability put the company under? Are you prepared to deal with the media, your stockholders and your employe
LEGAL REASONS FOR HAVING A PLAN
Protecting the confidentiality, integrity and availability of a patient's medical information is no longer just a best practice for healthcare entities, but a legal requirement. As passed by the United States Congress, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) - PL 104-191 Standards for Privacy of Individually Identifiable Health Information - 45 CFR Parts 160 and 164, institutes administrative reforms that have been phased in over the period from 2000 through 2003. Of major importance in the HIPAA legislation is the issue of data and transaction standardization — a mandate very few healthcare providers can circumvent if they bill third parties for services provided to patients. The HIPAA regulations apply to "covered entities," groups that include health plans, health care clearinghouses, and health care providers that transmit any health information in electronic form. The law also changes the way the "covered entities" hav
Chapter 2: Getting Started This chapter discusses the basic considerations required to ensure a successful recovery, the different types of plans, and then introduces you to the beginning activities of the planning process. By the end of this chapter you will: Understand the basic requirements needed to ensure business continuity Understand the difference between plan types and ultimately what your plan should accomplish Have completed Steps 1 thru 3: Writing the Purpose, Objectives, Scope and Assumptions; Identifying the plan Coordinator and Development Team; Assigning Action Items, Coordination Responsibilities and Timeframes BASIC CONSIDERATIONS As you begin to prepare your plan, keep in mind that the goal is to ensure that you have the following basics if a disaster strikes: An alternate business location; Access to vital records and resources during the recovery; Key people assigned to the recovery effort; and, A plan for a speedy recovery
Chapter 2: Getting Started
AN ALTERNATE BUSINESS LOCATION
If an event occurs preventing access to your facility, or if it is totally destroyed, your company must have an alternate location in which it can function, such as a vacant room or facility that could be easily equipped for your needs. If your business is so dependent upon computers that even a few minutes of downtime affect the bottom line, consider a fully equipped and operational location somewhere else.
VITAL RECORDS
Keep all records necessary to restore critical department functions off-site. Although some will not be needed for days or weeks after a disaster, eventually all need to be recovered.
KEY PEOPLE
The recovery process requires the necessary company staff, plus outside vendors and civil agencies.
A PLAN
A reliable and up-to-date plan will decrease your recovery time. Should your facility be destroyed, important information regarding your vendors, recovery teams and disaster notification procedures will be critical. Waiting to make your recovery plan at the time disaster strikes can be a disaster itself.
HOW MANY PLANS?
Some companies have just one plan for the entire organization and others have a plan for every computer system, application, or other resource. Other approaches plan for each core business, with separate plans, as needed, for critical resources. Ultimately, your Business Continuity Plan will properly prepare your response, recovery and continuity of business for disruptions affecting the data center, the business functions you support and the company's other critical processes. If you choose to develop more than one plan, there must be coordination during their development and future updates to ensure recovery efforts and supporting resources neither negate each other nor duplicate efforts.
TYPES OF PLANS
In general, universally accepted definitions for disaster recovery and related planning areas have not been available. This has sometimes led to confusion regarding the actual scope and purpose of various types of plans. Therefore, the scope of your plan(s) may vary from the descriptions below. Business Continuity Plan (BCP) — The BCP focuses on sustaining an organization's business functions during and after a disruption. An example of a business function may be your payroll process or accounts receivable process. A Continuity Plan may be written for a specific business function or may address all key business functions. The data center or Information Technology (IT) is considered in the BCP in terms of its support to the larger business processes, although today, many businesses practice the further reaching process of BCP to ensure that the whole end-to-end business process can continue if a serious incident occurs. Business Recovery Plan (BRP) — also Business Resumpti
THE PLANNING STEPS YOU WILL TAKE WITH THIS BOOK
This book and accompanying CD-ROM focus on helping you develop a comprehensive Business Continuity Plan that includes: Procedures for sustaining essential business operations while recovering from a significant disruption — Business Continuity Plan (BCP). Procedures for recovering business operations immediately following a disaster — Business Recovery (or Resumption) Plan (BRP). Procedures to facilitate recovery capabilities at an alternate data site — Disaster Recovery Plan (DRP). Note The planning steps include the key elements listed below. More than one planning step may be covered within a chapter. So for ease of use and reference, the step being discussed will be shown at the bottom of each page. Planning Steps Writing the Purpose, Objectives, Scope and Assumptions Choosing Your Plan Coordinator and Development Team Assigning Action Items, Coordination Responsibilities and Time Frames Doing Your Risk Assessment Doing Your Busines
THE PLANNING STEPS YOU WILL TAKE WITH THIS BOOK
STEP 1: WRITING THE PURPOSE, OBJECTIVES, SCOPE AND ASSUMPTIONS
In Step 1 you will begin by writing the purpose, objectives, scope, and any assumptions you are making during plan development. Worksheets for each topic are on the CD-ROM along with sample text. Purpose of the Plan — Sample Text The purpose of this Business Continuity Plan is to provide for the continuation of critical business functions and recovery in the event of a disaster. Many potential contingencies and disasters can be averted, or the damage they cause can be reduced, if appropriate steps are taken to manage through the event. This completed Business Continuity Plan outlines the course of action to be taken in the event of an emergency and the process for each business unit to follow in their recovery to normal business operations. It is intended to: Provide an orderly and efficient transition from normal to emergency conditions. Provide specific guidelines appropriate for complex and unpredictable occurrences. Prov
STEP 2: THE PLAN COORDINATOR AND DEVELOPMENT TEAM: JOB DESCRIPTIONS
This author assumes that your management has designated a Project Leader to begin developing a Business Continuity Plan. It is not uncommon for this same person to also be the Plan Coordinator. Whichever the case, it is important that the coordinator has experience in managing large projects, has an understanding of the company's business operations, and an appreciation for the interdependency between the data center and other departments. The Plan Coordinator may also be responsible for the plan's maintenance. This includes ensuring that all revisions are made, documented, and remain relative to other plans when multiple plans are developed, for example: an Occupant Emergency Plan. The Plan Development Team Having secured the commitment of senior management and department managers, selection of the team members by the Project Leader or Plan Coordinator may begin. The makeup of the team will vary depending upon the siz
STEP 3: ASSIGNING ACTION ITEMS, COORDINATION OF RESPONSIBILITIES AND TIMEFRAMES
Having identified the plan development team responsible for creating the Plan (Step 2), it is now time to begin identifying the action items and coordination responsibilities for each team member. Assign each responsibility to only one person with an estimate of hours required for completion. More than one person working on a task is fine, as long as the ultimate responsibility is in the hands of only one. Note The plan's purpose, objectives, scope, and assumptions (Step 1), should be reviewed with the project team and modified as needed. If these items are not completed, finalize them during the first or second team meeting. Before beginning Step 3, select the Plan Coordinator and/or Project Leader. This can be a temporary role, but a better approach would be for this to be a permanent role even if considered a part-time responsibility once the final BCP is in place. The BCP Plan Coordinator should possess good leadership qualities, a good understand
Chapter 3: Its Time to Roll up Your Sleeves and to Assess Your Current Risk This chapter explains the Risk Assessment and Analysis, and the importance of conducting it early in the planning process. The Risk Analysis section is then followed by a discussion of the Business Impact Analysis (BIA), its purpose and how to accomplish the task. The final section of this chapter provides guidelines for developing recovery strategies and team selection. By the end of this chapter you will have: Identified your current capabilities and vulnerabilities Identified your critical business functions, applications and vital records Developed your Recovery Strategies and Action Plans Selected your Recovery Teams Have completed Steps 4 thru 7: Where Do You Stand Right Now? Assessing Your Risk; Doing Your Business Impact Analysis; Selecting Your Recovery Teams; and, Developing Your Recovery Strategies and Action Plans. STEP 4: WHERE DO YOU STAND RIGHT NOW? Although the exact nature of potential disasters an
Chapter 3: Its Time to Roll up Your Sleeves and to Assess Your Current Risk
HAZARD-SPECIFIC INFORMATION
This section provides information about some of the most common hazards: Fire Hazardous Material Incidents Floods and Flash Floods Hurricanes Tornadoes Severe Winter Storms Earthquakes Technological Emergencies Fire: Fire is the most common of all the hazards. Every year fire causes thousands of deaths and injuries and billions of dollars in property damage. Planning Considerations Consider the following when developing your plan: Research fire codes and regulations required by the Occupational Safety and Health Administration (OSHA, www.osha.gov) and The National Fire Protection Association (www.nfpa.org). Meet with the fire department to talk about the community's fire response capabilities. Ask your insurance carrier to recommend fire prevention and protection measures. Your carrier may also offer training. Distribute fire safety information to employees: how to prevent fires in the workplace, how to contain a fire, how to evacuate the facility, where to
STEP 5: DOING YOUR BUSINESS IMPACT ANALYSIS
This report is normally based on questionnaires, interviews and the evaluation of information concerning critical business functions, computer usage, hardware and network configurations, vendors, critical applications, computer operations, site security and existing recovery procedures. If management requires, your report may also include recommendations on disaster recovery priorities, how recovery should be organized, what disaster backup options should be considered, recommendations for improving loss prevention and disaster preparedness, along with the cost and benefits of each recommendation. The Business Impact Report should provide only the information needed to perform a convincing presentation to senior management that justifies the necessary funding for the Business Continuity Plan and associated services. You can scale down your BIA if the need for a plan has already been established, its funding approved and all critical business f
IDENTIFYING CRITICAL SYSTEMS, APPLICATIONS AND VITAL RECORDS
Critical systems, applications and vital records are those you need to recover within one to three days for your business to survive. Although system management will dictate many data processing jobs, there should also be a list of processing job priorities that support the day-to-day operations for each department in your company. One method of setting priorities would be to document all the functions performed by each department. A logical approach to this method would be to document routine activities over a period of several weeks. This documentation would then identify those critical applications and functions that are necessary to the department. Some of the key questions to consider are: If the online system was not available, how would your department continue to operate? What office equipment is used in your department, and could you operate for a period of five days without it? What is the minimum office space and st
USING YOUR BUSINESS IMPACT ANALYSIS
Identifying business loss exposure may seem difficult, but it can be relatively simple. Your two biggest problems may be getting started and maintaining objectivity. But once you have developed, distributed and conducted the department interviews, you have traveled a long way towards the completion of your continuity plan. So, let's begin analyzing the information you have gathered by answering the following questions: What's Your Staying Power? First, consider what a "significant amount of money" is for your organization. At what dollar level is there only a slight concern, and therefore you would not want to invest time or money to protect against that loss? Ask senior management for their input on what they consider this number to be; a number of different answers should be expected. Second, what is a "moderate amount of money?" For one company, this may be $10,000, for another, $10,000,000. At some level, a threshold will be identified where you w
Chapter 4: Putting it all Together This chapter documents the guidelines for writing your plan, testing the plan's effectiveness, and finally distributing your plan. By the end of this chapter you will: Understand the guidelines to consider before writing your plan Understand the difference between background information and instructional information Have developed a general topic outline Have chosen the key elements to be included in the appendices Understand the different types of plan testing Understand who should be given a copy of the plan Have completed Steps 8 thru 10: Documenting your Business Continuity Plan; Testing Your Plan; and, Distributing Your Plan STEP 8: DOCUMENTING YOUR BUSINESS CONTINUITY PLAN Accurate documentation and procedures are very important in any disaster recovery plan. Poorly written procedures can be frustrating and will increase the amount of time to read and understand. Therefore, keep these guidelines in mind when documenting the plan: Be specific
Chapter 4: Putting it all Together
STEP 9: TESTING YOUR PLAN
Plan testing is essential to your continuity plan. The plan itself should be tested in detail and evaluated regularly — at least once a year. Environmental changes will occur as your organization grows, new products are purchased and new policies and procedures are developed. Time will also erode the staff's memory and critical parts of the plan may be forgotten. Other benefits of regular testing include: Verifying the compatibility of the off-site recovery location Ensuring the adequacy of action plans Identifying deficiencies in your existing procedures Training of recovery teams, managers and staff Demonstrating the ability of your company to recover Providing a method for maintaining and updating your plan Training to support critical skills that may be needed during a disaster is an important part of the testing process. These special skills include first aid; fire extinguishing; evacuation procedures; protection of assets and proprietary information; emer
PREPARATION OF TESTING PROCEDURES
There are several versions of the testing process that can be performed including: Checklist testing Non-business interruption testing Parallel testing Business interruption testing. Checklist Testing This type of test determines whether adequate supplies are stored at the alternate location, telephone number listings are current, adequate forms are available, and copies of other continuity plans and operations manuals are available. Under this testing scenario, the recovery team reviews the plan and identifies key elements that should be up-to-date and available. The checklist test ensures that each department is in compliance with the requirements of the Business Continuity Plan. Non-Business-Interruption Test During this test, your company will simulate a disaster, so your normal business operations are not interrupted. A disaster test plan of this type includes the: Purpose of the test Objectives Timing, scheduling and duration of test Participants
STEP 10: DISTRIBUTING YOUR PLAN
Because of the sensitive nature of the information your plan will contain, it is suggested that only those persons who have been designated as members of the Disaster Recovery Team, or who otherwise play a role in the recovery effort, be given a copy of your continuity plan. Those receiving a copy of the plan will normally be those who contributed to the information gathering effort. They would most commonly be: Data Center Management, Department Managers, Senior Management and the Plan Coordinator. Other Considerations: Plan copies should be easily accessible. Several copies of the plan should be stored off-site in a secure location. Key employees may need access to the plan during non-working hours. For ease of maintenance, keep the number of copies at a minimum and number each, noting where each copy is located. If a software program has been used to assist in plan development, store copies of the planning disks and program off-site.
Chapter 5: Congratulations! — But Don't Let it Collect Dust The focus of this chapter is on the importance of maintaining your plan in a constant ready state. A suggested maintenance schedule and maintenance sheets are provided. By the end of this chapter you will: Understand why it is imperative to keep your plan up-to-date Understand what should be included to ensure plan effectiveness Have developed a schedule of events for plan maintenance STEP 11: MAINTAINING YOUR PLAN To ensure that your plan can be used effectively in case of an emergency, continual updating is imperative and is the responsibility of the plan coordinator. To achieve this goal, the plan coordinator must ensure that: Appropriate changes are made to the plan as requested on the maintenance summary sheet; see Worksheet 16 Ongoing plan requirements are completed in accordance with the instructions defined throughout the plan (e.g., file backups). Plan testing should take place at least once a year and include: Verba
Chapter 5: Congratulations! — But Don't Let it Collect Dust
References Availability.com — "IT Availability Checklist" http://www.availability.com/elements/information_technology/index.cfm?fuseaction=checklist "Business Continuity Glossary," DRJ/DRI, 2003, http://www.drj.com FFIEC IT Examination Handbook, Business Continuity Planning Booklet, March 2003 Contingency Planning and Management Online. Volume VI, Number 5, September/October 2001. http://www.contingencyplanning.com Federal Emergency Management Agency, Emergency Management Guide for Business and Industry, Sponsored by a Public-Private Partnership with the Federal Emergency Management Agency, June 2002. Gartner Group, High Availability: A Perspective, September 20, 2001 National Institute of Technology and Standards, Special Publication, 800-26, Security Self Assessment Guide for Information Technology Systems, August 2001. National Institute of Technology and Standards, Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995. University of Texas