Professional Documents
Culture Documents
Management involvement: Management commitment and involvement are always needed for any major programs, and developing a disaster recovery plan is no exception. Better commitment leads to greater funding and support. All the other choices come after management commitment. The senior manager of a business unit or division should have ownership for its business continuity plan because of his broad role and responsibility in the organization. The parties mentioned in other choices do not have the same authority and power to make things happen. Continuity planning involves more than planning for a move off-site after a disaster destroys a data center. It also addresses how to keep an organization's critical functions operating in the event of disruptions, both large and small. This broader perspective on continuity planning is based on the distribution of computer use and support throughout an organization. The goal is to sustain business operations. A well-documented, well-rehearsed, well-coordinated disaster recovery plan allows businesses to focus on surprises and survival. In today's environment, a LAN failure can be as catastrophic as a natural disaster, such as a tornado. Insurance does not cover every loss. Choices (b), (c), and (d) are misconceptions. What is important is to focus on the major unexpected events and implement modifications to the plan so that it is necessary to reclaim control over the business. The key is to ensure survival in the long run Silence is guilt, especially during a disaster. How a company appears to respond to a disaster can be as important as the response itself. If the response is kept in secrecy, the press will assume there is some reason for secrecy. The company should take time to explain to the press what happened and what the response is. A corporate communications professional should be consulted instead of a lawyer due to the specialized knowledge of the former. A spokesperson should be selected to contact media, issue an initial statement, provide background information, and describe action plans, which are essential to minimize the damage. The company lawyers may add restrictions to ensure that everything is done accordingly, which may not work well in an emergency. Management approval is the cornerstone for a successful contingency plan, be it for funding or support. An independent audit and a security review of the plan can validate the soundness of the proposed contingency strategy. Similarly, a legal review can provide assurance that the plans comply with government regulations and that liabilities and exposures are being adequately addressed. Mitigation is a long-term activity aimed at eliminating or reducing the probability of an emergency or a disaster occurring. It requires "up-front" money and commitment from management. Choice (b) is incorrect because preparedness is a readiness to respond to undesirable events. It ensures effective response and minimizes damage. Choice (c) is incorrect because response is the first phase after the onset of an emergency. It enhances recovery operations. Choice (d) is incorrect because recovery involves both short- and long-term restoration of vital systems to normal operations. The degree of loss caused by a disaster or disruption is directly related to the length of time the disruption affects business operations. management commitment is always needed. Choice (c) is incorrect because adequate and clear documentation is needed for people to know how to minimize disasters. Choice (d) is incorrect because more resources may be needed to minimize disasters. The Board of Directors and senior management are responsible for establishing policies, procedures, and responsibilities for organization-wide contingency planning. The organization's contingency plan should address all critical services and operations that are provided by internal departments and external sources. The Chief Information Officer (choice a) and the Disaster Recovery Manager (choice b) are secondarily responsible for establishing organization-wide contingency planning. These employees execute what the board of Page 1 of 17
The purpose of business impact analysis (BIA) is to identify critical functions, resources, and vital records necessary for an organization to continue its critical functions. In this process, the BIA uses both quantitative and qualitative tools. Choices (a, c, and d) are examples that use qualitative tools. Anecdotal records constitute a description or narrative of a specific situation or condition. The risk analysis is usually part of the business impact analysis. It estimates both the functional and financial impact of a risk occurrence to the organization and identifies the costs to reduce the risks to an acceptable level through the establishment of effective controls. BIA is the process of identifying an organization's exposure to the sudden loss of selected business functions and/or the supporting resources (threats) and analyzing the potential disruptive impact of those exposures (risks) on key business functions and critical business operations. The BIA usually establishes a cost (impact) associated with the disruption lasting varying lengths of time. The business impact analysis examines business processes composition and priorities, business or operating cycles, service levels, and, most importantly, the business process dependency on mission-critical information systems. Physical and environmental controls help prevent contingencies. Although many of the other controls, such as logical access controls, also prevent contingencies, the major threats that a contingency plan addresses are physical and environmental threats, such as fires, loss of power, plumbing breaks, or natural disasters. The airwaves are not secure and a mobile telephone switching office can be lost during a disaster. The cellular company may need a diverse route from the cell site to another mobile switching office. Contingency planning integrates and acts on the results of the business impact analysis. The output of this process is a business continuity plan consisting of a set of contingency planswith a single plan for each core business process and infrastructure component. Each contingency plan should provide a description of the resources, staff roles, procedures, and timetables needed for its implementation. Physical and environmental controls help prevent contingencies. Although many other controls, such as logical access controls, also prevent contingencies, the major threats that a contingency plan addresses are physical and environmental threats, such as fires, loss of power, plumbing Page 2 of 17
Alternate sites: A warm site has telecommunications ready to be utilized but does not have computers. A cold site is an empty building for housing computer processors later but equipped with environmental controls (e.g., heat, air conditioning) in place. A hot site is a fully equipped building ready to operate quickly. A redundant site is configured exactly like the primary site. A cold site is an environmentally protected computer room equipped with air conditioning, wiring, and humidity control for continued processing when the equipment is shipped to the location. The cold site is the least expensive method of backup site, but the most difficult and expensive to test. All vendors, regardless of their size, need written contracts for all customers, whether commercial or Page 4 of 17
Plan document: The plan document contains only the why, what, when, where, and who, not how. The "how" deals with detailed procedures and information required to carry out the actions identified and assigned to a specific recovery team. This information should not be in the formal plan as it is too detailed and should be included in the detail reference materials as an appendix to the plan. The "why" describes the need for recovery, the "what" describes the critical processes and resource requirements, the "when" deals with critical time frames, the "where" describes recovery strategy, and the "who" indicates the recovery team members and support organizations. Keeping the "how" information in the plan document confuses people, making it hard to understand and creating a maintenance nightmare.
Backup: It is a fact that there is no recovery without a backup. A procedure is linked to a policy. There is no protection without security controls. No backup, no recovery is applicable to a contingency plan. The first step toward protecting data is a comprehensive inventory of all servers, workstations, applications, and user data throughout the organization. Once a comprehensive study of this type is completed, various backup, access, storage, availability, and retention strategies can be evaluated in order to determine which strategy best fits the needs of an organization It is true that during a disaster not all application systems have to be supported while the LAN is out of service. Some LAN applications may be handled manually (choice a), some as stand-alone PC tasks (choice d), while others need to be supported off-site (choice c). While these duties are clearly defined, it is not so clear which users must secure and backup their own data. It is important to communicate to users that they must secure and backup their own data until normal LAN operations are resumed. This is often a missing link in developing a LAN methodology for contingency planning. Normally, the primary contingency strategy for applications and data is regular backup and secure off-site storage. Important decisions to be addressed include how often the backup is performed (choice a), how often it is stored off-site (choice b), and how it is transported to storage, to an alternate processing site, or to support the resumption of normal operations (choice d). How often the backup is used is not relevant because it is hoped that it may never have to be used. Page 6 of 17
Planning: The data center should be constructed in such a way as to minimize exposure to fire, water damage, heat, or smoke from adjoining areas. Other considerations include raised floors, sprinklers, or fire detection and extinguishing systems and furniture made of noncombustible materials. All these considerations should be taken into account in a cost effective manner at the time the data (computer) center is originally built. Add-ons will not only be disruptive but also costly. There are three basic cost elements associated with alternate processing Page 7 of 17
Planning Process: The correct sequence to follow to handle disasters is to plan, test, respond, recover, and continue. Both underwriters and management are concerned about risk reduction, availability of specific insurance coverage, and its total cost. A good disaster recovery plan addresses these concerns. However, a good plan is not a guarantee for lower insurance rates in all circumstances. Insurance rates are determined based on averages obtained from loss experience, geography, management judgment, the health of the economy, and a host of other factors. Total cost of insurance depends on the specific type of coverage obtained. It could be difficult or expensive to obtain insurance in the absence of a disaster recovery plan. Insurance provides a certain level of comfort in reducing risks but it does not provide the means to ensure continuity of business operations. The business continuity planning process should safeguard an organization's ability to provide a minimum acceptable level of outputs and services in the event of failures of internal and external mission-critical information systems and services. The planning process should link risk management and risk mitigation efforts to operate the organization's core business processes. The information systems security officer should ensure that the existing contingency and disaster recovery plans are updated and incorporated into the business continuity plan. The officer should examine the worst case scenario to ensure that a feasible backup strategy can be successfully implemented. Page 9 of 17
! ! ! !
Identifying the missionor businesscritical functions Identifying the resources that support the critical functions Anticipating potential contingencies or disasters Selecting contingency planning strategies
The top-down approach involves senior management, line management, IS management, IS auditors, and end users. The bottom-up approach (choice a) is not recommended for the first time development of the plan. It is suggested for the maintenance of the plan. Calling other companies in the same industry (choice b) or calling a commercial backup service provider (choice c) first requires a top-down plan developed by the company. The health and safety of employees and general public should be the first concern during a disaster situation. The second concern should be to minimize the disaster's economic impact on the organization in terms of revenues and sales. The third concern should be to limit or contain the disaster. The fourth concern should be to reduce physical damage to property, equipment, and data. Most disaster recovery plans focus on data processing functionsnot other functions within the organization. The IS management may assume that functional users will be responsible for their areas. With increased automation of business functions, a certain amount of coordination and planning are required between the IS management and the functional user management. Roles and responsibilities of team members are often defined (choice a), threats and vulnerabilities are analyzed (choice b), and impacts are analyzed (choice d) although they may not be documented. The most important benefit of a comprehensive disaster recovery plan is to provide continuity of operations followed by protection of assets, increased security, and reduced insurance costs. Assets can be acquired if the business is operating and profitable. There is no such thing as 100% security. Self-insurance can be assumed by the company. If the business can survive without its telecommunications network for the period of time needed to restore the network, the expense of network backup may not be necessary. On the other hand, if the network backup is essential, it is worth the cost. It is a management call. relying on hard-copy reports is not a viable solution for most situations. Choice (b) is incorrect because backup for telecommunications goes beyond storing parentgeneration magnetic tapes off-site. It deals with network lines, nodes, equipment, telephone carriers, circuits, etc. Choice (c) is incorrect because backup for telecommunications goes beyond storing current generation transaction Page 10 of 17
Recovery: Human resource policies and procedures impact employees involved in the response to a disaster. Specifically, it includes extended work hours, overtime pay, compensatory time, living costs, employee evacuation, medical treatment, notifying families of injured or missing employees, emergency food, and cash during recovery. The scope covers the pre-disaster plan, emergency response during recovery, and post-recovery issues. The major reason for ignoring the human resource issues is that they encompass many items requiring extensive planning and coordination, which take a significant amount of time and effort. The goal is to capture all data points necessary to restart a process without loss of any product in the work in progress status. The recovery team should recover all applications to the actual point of the interruption. Documenting the recovery plan should be done first and be available to use during a recovery. The amount of time in developing the plan has no bearing on the recovery from a disaster. On the other hand, the amount of time spent on the other three choices and the degree of perfection attained in those choices will definitely help in reducing the recovery time after a disaster strikes. The more time spent on these three choices the better the quality of the plan. Page 11 of 17
Emergency response: Emergency response procedures are those procedures initiated immediately after an emergency occurs in order to (1) protect life, (2) protect property, and (3) minimize the impact of the emergency (loss control). Maximizing profits can be practiced during non-emergency times but not during an emergency. Reporting: The post-incident review after a disaster has occurred should focus on what happened, what should have happened, and what should happen next, but not on who caused it. Blaming people will not solve the problem. Hidden costs are not insurable expenses and include (1) unemployment compensation premiums resulting from layoffs in the work force, (2) increases in advertising expenditures necessary to rebuild the volume of business, (3) cost of training new and old employees, and (4) increased cost of production due to decline in overall operational efficiency. Generally, traditional accounting systems are not set up to accumulate and report the hidden costs. Opportunity costs are not insurable expenses. They are costs of foregone choices, and accounting systems do not capture these types of costs. Both direct and variable costs are insurable expenses and are captured by accounting systems. Costs: Manual tape processing has the tendency to cause problems at restore time. Multiple copies of files exist on different tapes. Finding the right tape to restore can become a nightmare, unless the software product has automated indexing and labeling features. Restoring files is costly due to the considerable human intervention required, causing delays. Until the software is available to automate the file restoration process, costs continue to be higher than the other choices. Backing up refers to a duplicate copy of a data set that is held in storage in case the original data are lost or damaged. Archiving refers to the process of moving infrequently accessed data to less accessible and lower cost storage media. Journaling applications post a copy of each transaction to both the local and remote storage sites when applicable.
Page 12 of 17
Power and air-conditioning requirements need to be determined in advanceto reduce the installation time frames. This includes diesel power generators, fuel, and other associated equipment. Media communications include keeping in touch with radio, television, and newspaper firms. The call tree list should be kept current all the time so that the employee and vendor notification process can begin as soon as the disaster strikes. This list includes primary and secondary employee names and phone numbers as well as escalation levels.
Focus: Discretionary expense means management can decide whether to spend money on a particular item. When revenues or profits fall, management can cut the discretionary expenses to reach their targeted profit goals. These may include advertisement, training, and disaster recovery plans. Cutting the disaster recovery expense may not be a good choice since no one knows when a disaster might strike an organization. Then, it is too late to do anything. The focus of disaster recovery planning should be on protecting the organization against the consequences of a disaster, not on the probability that it may or may not happen.
Communications: A call tree diagram shows who to contact when a required person is not available or not responding. The call tree shows the successive levels of people to contact if no response is received from the lower level of the tree. It shows the backup people when the primary person is not available. A decision tree diagram will show all the choices available with their outcomes to make a decision. An event tree diagram can be used in project management, and a parse tree diagram can be used in estimating probabilities and nature of states in software engineering. Applications: It is important to define applications into certain categories to establish processing priority. For example, the time for recovery of applications in category I is 72 hours after disaster declaration (high priority). The time Page 13 of 17
Preparation: The decision to activate a disaster recovery plan is made after damage assessment and evaluation is completed. A list of equipment, software, forms, and supplies needed to operate contingency category I (high priority) applications should be available to use as a damage assessment checklist.
Interdependencies: The primary objectives of information systems security include integrity, availability, and confidentiality. Contingency plans support system availability by restoring or recovering from a disaster as quickly as possible. The other three choices support security management practices. It is important to develop and implement a strategy for validating the business continuity plan within the time that remains. A typical strategy defines a minimum number of individual and joint exercises that combine training and testing. There are several common techniques that can be employed, including reviews, rehearsals, and quality assurance reviews. Rehearsals include test drills and team member role plays.
Triggers: It is important to document triggers for activating contingency plans. The information needed to define the implementation triggers for contingency plans is the deployment schedule for each contingency plan and the implementation schedule for the replaced mission-critical systems. Tasks: Data backup is the responsibility of system owners. The other three choices are the responsibility of contingency recovery and response teams. Processing requirements are the responsibility of system owners. Policies: A comprehensive disaster recovery plan is separate from but complementary to the security policy document. Both items go hand in hand. LAN Planning: Many physical problems in LANs are related to cables (choice a) since they can be broken or twisted. Servers (choice b) can be physically damaged due to disk head crash or power irregularities such as over or under voltage conditions. Uninterruptible power supply (choice c) provides power redundancy and protection to servers and workstations. Servers can be disk duplexed for redundancy. Redundant topologies such as star, mesh, or ring can provide a duplicate path should a main cable link fail. Hubs require physical controls such as lock and key since they are stored in wiring closets, although they can also benefit from redundancy, which can be very expensive. Given the choices, it is preferable to have redundant facilities for cables, servers, and power supplies. Controls: Page 14 of 17
Tests: Drills give disaster recovery team members the opportunity to think through their tasks without the pressure of being measured or graded. Exercises should periodically be conducted unannounced to more closely simulate the pressure of a real disaster. The other three choices do not demonstrate the ability to respond when needed. A written plan is no good if it is not tested. There are several types of testing: reviews, analyses, and simulations of disasters. Drills and exercises are examples of simulation. Skills: The disaster recovery coordinator does not need the highly technical skills of a programmer, systems analyst, hardware specialist, or network administrator. However, the coordinator should be able to communicate with technical staff and adequately interpret what they say in order to communicate it effectively and clearly to nontechnical users and management. Applications: Since application systems are designed to provide data and information to end users, they are in a better position to assess the value or usefulness of the system to their business operations. Input from the other three parties (application programmers, computer operators, and auditors) is important but not as important as that of end users. Their view is limited. An application system priority analysis should be performed to determine the business criticality for each computer application. A priority code should be assigned to each production application system that is critical to the survival of the organization. The priority code tells people how soon the application should be processed when the backup computer facility is ready. This will help in restoring the computer system following a disaster and facilitate in developing a recovery schedule. Page 15 of 17
Page 17 of 17