Disaster Planning Business Continuity Best Practices
DRP and BCP are more than meets the eye. ISO 27031 compliant.

DRP and BCP best practices are:
1. ISO 27031 compliant, with a focus on operations
2. Train everyone on how to execute the DRP and BCP
3. Define rules for declaring when to activate the DRP and BCP
4. Integrate the DRP and BCP with change management
5. Focus on issues BEFORE they impact the enterprise
6. Validate that all technology is properly installed and configured
7. Monitor the processes and people to know what is critical

According to an AT&T survey of 100 firms (revenues <$10M), 81 had DR plans, but only 43% had fully tested their plans within the last 12 months, and 12% admitted they had never tested their business continuity plans.

Next to personnel, data is your most irreplaceable asset. Networks, application hosting platforms, and end-user computing environments can be replaced quickly. However, without your customer lists, product catalogs, inventory, financial records, and other operational data, your business cannot recover.

A disaster recovery is a response to a declared disaster or a regional disaster: the restoration or recovery of an entire computer system. A disaster recovery plan describes how an organization is to deal with potential disasters. Just as a disaster is an event that makes the continuation of normal functions impossible, a disaster recovery plan consists of the precautions taken so that the effects of a disaster are minimized and the organization is able to either maintain or quickly resume mission-critical functions. Typically, disaster recovery planning involves an analysis of business processes and continuity needs; it may also include a significant focus on disaster prevention.

Disaster Recovery Template

This Disaster Recovery Plan (DRP) Template can be used for any size of enterprise. The disaster planning template and supporting material have been updated to be Sarbanes-Oxley and HIPAA compliant. The Disaster Template comes as both a Word document and a static fully indexed PDF document. The DRP/BCP Template includes:

  • Disaster Recovery Plan and Business Continuity Template (WORD and PDF)
  • Business and IT Impact Analysis Questionnaire
  • Work Plan
  • Disaster Recovery / Business Continuity Audit Program
  • Pandemic Planning Checklist

Preparation for Disaster Recovery / Business Continuity in light of mandated requirements has two primary parts. The first is putting systems in place to completely protect all financial and other data required to meet the reporting regulations and to archive the data to meet future requests for clarification of those reports. The second is to clearly and expressly document all these procedures so that in the event of a SOX audit, the auditors clearly see that the DRP exists and will appropriately protect the data.

Business and IT Impact

This Business and IT Impact Analysis Questionnaire has been designed by one of the industry's most experienced application assessment consultants. The questionnaire has been used in over 500 assessment, DRP and business impact projects in the past four years. A Risk Ranking definition is included.

The role of IT in many organizations has evolved from supporting the business to enabling the business, a shift that requires IT to transition from being mostly tactical and cost focused to being value focused and an enabler of the overall strategy. IT organizations that have successfully made this change have done so by, among other things, transitioning their culture from a reactive, operationally focused caretaker of assets to a proactive, strategically focused enabler of business value. This culture of performance and value ensures that IT's human capital is aligned with the strategic goals and motivated to execute. Cultural change is typically a messy and lengthy process, but it must and can be done.

Disaster Recovery Planning Risk Assessment


Disaster Recovery Business Continuity Planning – Step 1

The first step in creating a disaster recovery plan (see Disaster Recovery Planning Template Business Continuity) is conducting a risk analysis of your business operation (see Threat Vulnerability Assessment - Sarbanes Oxley Compliance Tool), your computer applications, and your computer systems. List all the possible risks that threaten the continuity of your business operations and system uptime, and evaluate how likely each is to occur in your particular IT entity. Anything that can cause a system outage is a threat, from relatively common man-made threats like virus attacks and accidental data deletions (the most common occurrence) to rarer natural threats like floods and fires. Determine which of your threats are the most likely to occur and prioritize them using a simple system: rank each threat in two categories, probability and impact. In each category, rate the risk as low, medium, or high.

For example, a small distribution company (revenues of $25,000,000) located in Florida could rate a hurricane as high probability with high impact, an earthquake as low probability with high impact, and utility failure due to a power outage as high probability with high impact. In this company's risk analysis, a hurricane and a power outage would therefore be higher risks than an earthquake and would be higher priorities in the disaster recovery plan.

Disaster Recovery Planning Budgets

Disaster Recovery Business Continuity Planning – Step 2

Once the risk assessment (see Threat Vulnerability Assessment) is complete, determine what can be done to minimize each risk and what it will cost. How does a company minimize its exposure to the threat? How does the company minimize the impact of a disaster event on the business? For example, our small distribution company could employ an emergency power supply to mitigate its power outage threat and have all its data backed up (see Backup and Backup Retention Policy), with the copies stored at a remote site when the hurricane occurs. The more preventative measures you establish up front, the better. Janco Associates say, "Money spent in preparation and testing is worth more than dollars spent in recovery."

The result of the risk assessment should be a comprehensive list of possible threats, each with its corresponding solution and cost. The disaster and business continuity planner must present all of these threats to business operations management so they can make informed decisions regarding the disaster recovery budget. The planner's job is to communicate the risks the business faces from disasters. Business operations may decline to budget funds, but they must do so knowing what risk they face and are accepting in doing so.

How long can your business afford to be without its computer systems should one of your threats occur?

Ultimately, the business operations unit decides which threats the business can tolerate. When developing a DRP (see Disaster Planning Template), disaster and business continuity planners are shooting in the dark without that business input. Both the disaster/business continuity planner and the business units must agree on which data and applications are most critical to the business and need to be recovered most quickly in a disaster. The management of our small distribution company, for example, may decide they can budget only for the emergency generators, and the company will then have to assume the risk of a minor hurricane.

Disaster recovery budgets vary from company to company, but they typically run between 3% and 15% of the overall IT budget. Companies for which system availability is crucial are usually at the higher end of the scale, while companies that can function without it are at the lower end. However, these percentages may be too small.
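The ranking and budgeting method of Steps 1 and 2, carried through as an added worked example. This is not code from the page and not a Janco tool; it builds a small risk register, scores each threat by its low/medium/high probability and impact, ranks the threats, and then walks the ranked list against a budget to show which mitigations are funded and which risks the business is therefore accepting. The three threats and their ratings are the page's small distribution company example; the mitigation names, the dollar costs and the budget figure are constructed sample values.

```python
"""Risk register for DRP Step 1 (rank threats) and Step 2 (cost and budget).

Added example, not from the Janco page. The threat ratings follow the
page's Florida distribution company; all dollar figures are constructed.
"""
from dataclasses import dataclass

# Ordinal scale for the page's low/medium/high ratings.
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Threat:
    name: str
    probability: str      # "low" | "medium" | "high"
    impact: str           # "low" | "medium" | "high"
    mitigation: str       # hypothetical mitigation, constructed for the example
    mitigation_cost: int  # constructed sample value, in dollars


def risk_score(t: Threat) -> int:
    """Probability x impact on the ordinal scale: 1 (low/low) .. 9 (high/high).

    An unknown rating is rejected rather than silently scored as zero, so a
    typo in the register cannot push a threat to the bottom of the list.
    """
    try:
        return RATING[t.probability] * RATING[t.impact]
    except KeyError as exc:
        raise ValueError(
            f"{t.name}: rating must be low/medium/high, got {exc}"
        ) from None


def rank_threats(threats):
    """Highest score first; ties broken by impact, then by name for a stable order."""
    return sorted(
        threats, key=lambda t: (-risk_score(t), -RATING[t.impact], t.name)
    )


def plan_budget(threats, budget: int):
    """Fund mitigations in priority order while they fit the remaining budget.

    Returns (funded, accepted): 'accepted' are the threats whose mitigation
    did not fit, i.e. the risks management is choosing to carry.
    """
    funded, accepted = [], []
    remaining = budget
    for t in rank_threats(threats):
        if t.mitigation_cost <= remaining:
            funded.append(t)
            remaining -= t.mitigation_cost
        else:
            accepted.append(t)
    return funded, accepted


# Constructed register: ratings from the page, costs are sample values.
SAMPLE_REGISTER = [
    Threat("hurricane", "high", "high", "off-site backup storage", 120_000),
    Threat("earthquake", "low", "high", "out-of-region recovery site", 200_000),
    Threat("power outage", "high", "high", "emergency generators", 40_000),
]


def register_report(threats, budget: int) -> list:
    """One line per threat, in priority order, with its funding decision."""
    funded, _ = plan_budget(threats, budget)
    lines = []
    for t in rank_threats(threats):
        status = "FUNDED" if t in funded else "RISK ACCEPTED"
        lines.append(
            f"{t.name:<13} P={t.probability:<6} I={t.impact:<6} "
            f"score={risk_score(t)} cost=${t.mitigation_cost:,} {status}"
        )
    return lines


if __name__ == "__main__":
    # Constructed budget: enough for the generators, not for off-site storage.
    for line in register_report(SAMPLE_REGISTER, 50_000):
        print(line)
```

With the constructed $50,000 budget the walk funds only the generators and leaves the hurricane and earthquake as accepted risks, which is the outcome the page describes for its example company. The report makes that acceptance explicit in writing, which is the point of Step 2: the budget decision is the business unit's, but it must be made with the unmitigated risks in front of them.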

Disaster Recovery Business Continuity Plan Creation


Disaster Recovery Business Continuity Planning – Step 3

Business units shape your disaster recovery and business continuity procedures (see Disaster Recovery Planning Template Business Continuity). If the business operating units determine that the company must be up within 48 hours of an incident, then you can plan around the amount of time it would take to execute the recovery and continuity plan and have the business back in operation.

The recovery procedure should be documented in a detailed plan. Establish a Recovery Team from among the IT and business unit staff and assign specific recovery duties to each member. The manner in which your team conducts its recovery will probably be no different from its regular production procedures: the chain of command likely will not change, and neither will the aspects of the network for which each member is responsible. However, the plan must take into consideration that it may be executed by others. For example, on 9/11 the CIO and his management team were in London when the towers fell; the plan was activated and executed by a low-level operations manager.

Define how to deal with the loss of various components of the network (databases, servers, bridges/routers, communications links, etc.) and specify who arranges for repairs or reconstruction and how the data recovery process occurs. The script will also outline priorities for the recovery: What needs to be recovered first? What is the communication procedure for the initial respondents? To complement the script, create a checklist or test procedure to verify that everything is back to normal once repairs and data recovery have taken place.

Disaster Recovery Business Continuity Testing


Disaster Recovery Business Continuity Planning – Step 4

Once your Disaster Recovery Business Continuity Plan (see Disaster Recovery Plan Template Business Continuity - http://www.e-janco.com/DisasterPlanning.htm) is set, test it at least semi-annually. The enterprise will need to perform a component-level restoration of its largest databases to get a realistic assessment of the recovery procedure, but a periodic walk-through of the procedure with the recovery team will ensure that everyone knows their role. Test the systems you are going to use in recovery regularly to validate that all the pieces work. Always record your test results and update the Disaster Recovery Business Continuity Plan to address any shortcomings.

As your business environment changes, so should the Disaster Recovery Business Continuity Plan (DRP BCP). Re-examine the plan every year at a high level. Conduct a risk assessment annually and determine whether you still need every part of the plan, whether you need to add to it, and whether the budget needs to be adjusted to accommodate changes to the plan. As applications, hardware, and software are added to your network, they must be brought into the plan. New employees must be trained on recovery procedures. New threats to the business seem to pop up every week, and a sound DRP BCP takes all of them into account.

Disaster Recovery Planning Links for additional information on Disaster Recovery and Business Continuity

Disaster Planning

The Disaster Recovery Plan (DRP) Template can be used as a disaster planning template for any enterprise. The Disaster Recovery template and supporting material have been updated to be Sarbanes-Oxley and HIPAA compliant. The Disaster Planning Template comes as both a Word document and a static, fully indexed PDF document.

Disaster Planning Audit

This Disaster Recovery / Business Continuity Audit program identifies the control objectives that the audit program meets. There are 36 specific items that the audit covers in the 13-page audit program. Included are references to specific Janco products that directly address the areas the audit covers.
