![]() |
Disaster Recovery / Business Continuity Template
|
Experts Agree You Should Update Your Plan AnnuallySecurity is a critical concern during the recovery processIt goes without saying that every company, regardless of size, needs a concise business continuity plan in case of an emergency. If you don't have a disaster recovery plan or haven't updated yours recently, now is the time to take this critical step to protect your business. At the same time there are more security requirements that need to be met. With mandated requirements like Sarbanes-Oxley, HIPAA, PCI-DSS, and ITIL, executive management is depending on you to have the right security policies and procedures in place. We have just the download you need to create a world class plan and assure you leave no stone unturned. With these Templates we walk you through the entire process, providing all the tools you need along the way. As an added benefit you can purchase an update service which keeps these templates abreast of the latest legislated and mandated requirements. All of our documents have been updated to comply with PCI-DSS, Sarbanes-Oxley, HIPAA, the ISO 27000 (formerly ISO 17799) series - 27001 & 27002, and PCI-DSS. The Disaster Recovery / Business Continuity and Security Manual Template bundle comes in three versions - Standard, Premium, and Gold. |
Premium Edition Includes
- Disaster Recovery Business Continuity Template in MS WORD format
- Disaster Recovery Business Continuity Audit Program
- Security Manual Template in MS WORD format
- Business and IT Impact Questiononaire - 21 pages
- Threat and Vulnerability Assessment Form
- 25 Full Job Descriptions
- Chief Information Officer (CIO);
- Chief Compliance Officer (CCO);
- Chief Security Officer (CSO);
- VP Strategy and Architecture;
- Director e-Commerce;
- Database Administrator;
- Data Security Administrator;
- Manager Data Security;
- Manager Database;
- Manager Disaster Recovery;
- Manager Disaster Recovery and Business Continuity;
- Pandemic Coordinator;
- Manager Facilities and Equipment;
- Manager Media Library Support;
- Manager Network and Computing Services;
- Manager Network Services;
- Manager Site Management;
- Manager Training and Documentation;
- Manager Voice and Data Communication;
- Manager Wireless Systems;
- Capacity Planning Supervisor;
- Disaster Recovery Coordinator;
- Disaster Recovery - Special Projects Supervisor;
- Network Security Analyst;
- System Administrator - Unix;
- System Administrator - Windows
Gold Edition Includes
- Disaster Recovery Business Continuity Template in MS WORD format
- Disaster Recovery Business Continuity Audit Program
- Security Manual Template in MS WORD format
- Business and IT Impact Questiononaire - 21 pages
- Threat and Vulnerability Assessment Form
- Over 230 Full Job Descriptions which include all of the job descriptions in the premium edition -
- Chief Information Officer (CIO);
- Chief Compliance Officer (CCO);
- Chief Security Officer (CSO);
- VP Strategy and Architecture;
- Director e-Commerce;
- Database Administrator;
- Data Security Administrator;
- Manager Data Security;
- Manager Database;
- Manager Disaster Recovery;
- Manager Disaster Recovery and Business Continuity;
- Pandemic Coordinator;
- Manager Facilities and Equipment;
- Manager Media Library Support;
- Manager Network and Computing Services;
- Manager Network Services;
- Manager Site Management;
- Manager Training and Documentation;
- Manager Voice and Data Communication;
- Manager Wireless Systems;
- Capacity Planning Supervisor;
- Disaster Recovery Coordinator;
- Disaster Recovery - Special Projects Supervisor;
- Network Security Analyst;
- System Administrator - Unix;
- System Administrator - Windows
|
Disaster Recovery Plan (DRP) / Business Continuity TemplateThis Disaster Recovery Plan (DRP) can be used as a template for any enterprise. DRP download instructions are sent to you via e-mail. Included is a 21 page Business Impact Questionnaire as well as a 3 page Job Description for the Disaster Recovery Manager. The template is ISO 27000, Sarbanes-Oxley, PCI, and HIPAA Compliant. The Disaster Recovery Plan Business template includes:
The Disaster Recovery Planning PREMIUM Bundle includes 15 full job descriptions in WORD and PDF formats. They included job descriptions are:
Security Manual TemplateThe plan is over 220 pages and includes everything needed to customize the Internet and Information Technology Security Manual to fit your specific requirement. The template is ISO 27001, ISO 27002, Sarbanes-Oxley, PCI, and HIPAA Compliant. The electronic document includes proven written text and examples for the following major sections for your security plan:
The Security Management Template PREMIUM Edition includes 15 full job descriptions in WORD and PDF formats. They included job descriptions are:
|
Disaster Recovery / Business Continuity /Security News
Disaster Recovery Business Continuity for Remote Offices
Data residing outside the data center at remote and branch offices (ROBOs) accounts for a significant portion of an enterprise's information store, yet it often either is protected with inefficient backup processes or is not protected at all -- leaving companies at risk on many fronts.
In a recent research report, high priority projects for ROBOs included improving information security measures; ensuring compliance with government, industry or corporate governance mandates; and improving Disaster Recovery Business Continuity processes.
- more infoDRP and Security Plans key to compliance
Preparing for a disaster requires detailed planning, preparation and testing. Knowing what IT assets need to be recovered, where to recover them and how to recover them are the essence of IT Disaster Recovery. The most difficult challenge is mapping the prioritized business requirements to the IT assets so that recovery can be staged. The recovery strategy then evolves based on the available options which support the required recovery objectives. The resulting Disaster Recovery plans contain all of the information detailing where to go, who is to do what and the information required to rebuild servers, restore applications and data as well as restart and synchronization procedures. - more infoDRP Template
If you are new to recovery planning, make sure that you research the subject thoroughly before embarking on a disaster recovery project. Consider engaging a consultant (internal or external to your organization) to help you in your project planning effort. Disaster recovery planning is not a two-month project, neither is it a project that once completed, you can forget about. An effective recovery plan is a live recovery plan. The plan must be maintained current and tested/exercised regularly.
The primary objective of a Business Resumption Plan is to enable an organization to survive a disaster and to reestablish normal business operations. In order to survive, the organization must assure that critical operations can resume normal processing within a reasonable time frame. Therefore, the goals of the Business Resumption Plan should be to:
- Identify weaknesses and implement a disaster prevention program;
- minimize the duration of a serious disruption to business operations;
- facilitate effective co-ordination of recovery tasks; and
- reduce the complexity of the recovery effort.
Why is diaster and business continuity planning important
Federal, State and Local Governments are chartered to mitigate and control the event, provide life and safety measures, and then restore infrastructures. The Red Cross provides emergency relief in the form of food, health and shelter. If insured, an insurance company will settle damage claims and provide monetary relief. However, none of these organizations will, or can, recover your business. Your companys recovery is strictly up to you, and it commences with a solid business continuity/disaster recovery plan.
Should your company experience a disaster, the first 72 hours following the incident will be the most critical in your recovery efforts. How you respond during that period will determine if your business will survive or not. Furthermore, the most important hour is the one immediately following the event. If ever required, your Business continuity plan will enable you to respond in a systematic and organized fashion. It will guide your organization, step-by-step, from responding to the actual event all the way through to full occupancy of your repaired facility.
- more infoSimple Disaster Planning Activities
Creating a disaster recovery plan is a complex task; however there are a number of basic steps that you can follow to start thre process
- Prepare your systems, processes, and people for an organized response to disaster when it strikes.
- Identify critical IT systems and develop a long-range strategy.
- Select and train your disaster recovery team.
- Conduct a Business Impact Analysis.
- Determine risks to your business from natural or human-made causes.
- Get management support.
- Create appropriate plan documents.
- Test your plan.
Disaster Plan & Business Continuity Infrastructure
The key technology
elements of a Disaster Recovery Plan and Business Continuity Plan (DRP/BCP)
infrastructure are the primary data center, a remote site that duplicates the
resources in that primary location and the method used to get files (master and
transaction) between the two sites - such as high-bandwidth network
connections. The best DRP/BCP strategies follow a "redundant every-thing"
philosophy throughout the data center. Multiple mainframes and servers should
run in the production and backup data facilities. Then, if a component in the
production system encounters problems, it immediately fails over to the local
backup as a first line of defense.
Power supplies and communication links are one of the most critical components in a DRP/BCP strategy.
- more infoWhite House email system down for a day
High tech White House falls down when its email disaster plan does not work.
The White House Press Secretary Robert Gibbs announced at a 1:45 p.m. press briefing that he was unable to send out the customary week-ahead memo as the White House e-mail system was "not working so well." D.C. reporters got their next e-mail from the White House around 8:30 the following morning indicating that the outage lasted most of a day.
- more infoHow to calculate the cost of downtime
One overlooked truth is that downtime costs accelerate in a non-linear fashion every hour. If a system fails for five minutes, the costs are fairly low because manual methods (paper and pencil) of making records or communicating by telephone instead of e-mails can suffice to conduct business. Over an extended period, however, the volume of work overwhelms the manual processes. Yet some businesses - such as Amazon or e-Bay - cannot run at all on manual processes. Business and financial operations increasingly deteriorate, and the rate of dollar losses grows - sometimes to the point of fatally damaging the business.
In addition, when assessing the financial impact of downtime, you need to consider factors such as potential lost revenue, reductions in worker productivity, and damaged market reputation. In some cases, downtime can even reduce shareholder confidence, which can create unnecessary and unplanned costs. Financial analysts and accountants at your company can help you come up with the factors at your company that are affected by downtime and contribute to its costs.
- more infoDisaster Planning Considerations
Many enterprises have taken a segmented approach to
Business Continuity and Availability, adding
point technology and reactive services to address disaster recovery. This
approach can be very complex, time-consuming and
costly. The task becomes much easier when a single vendor takes responsibility for architecting, implementing, testing
and supporting the solution.
There is an increase in the number of companies and organizations
requiring 24 x 365 days of IT uptime. In fact, ESG research indicates that 36%
of enterprises indicate they will incur significant revenue loss or other
adverse business impact if they have even an hour or less of downtime on their
mission-critical applications. Almost 15% indicate they cannot tolerate any
downtime.
Many Businesses Fail After a Disaster
Businesses'
reliance on IT systems and digital data has never been greater. The 2007 Best's
Underwriting Guide found that only 6% of companies that suffer catastrophic data
loss survive while 43% never reopen and 51% close within 2 years of the
disaster. Best's Underwriting Guide 2007 also found that 93% of the companies
that did not have their data backed up in the event of a disaster went out of
business. An analysis of SMBs' prioritization of disaster recovery, backup and
high availability for 2008 shows that businesses understand the risks to their
business and the value of protection. However, many organizations still think
that backup is a sufficient disaster recovery plan. However, mid-sized
enterprises are at the most risk to disaster and are more likely to rely
strictly on backup as a disaster recovery plan.
The needs and resources of mid-market
firms are unique. Midsized companies must work with limited finances
infrastructure and human resources. Robust disaster recovery used to be
affordable and manageable only by large enterprises. Mid-sized enterprises
relied more on backup than on a formal disaster recovery plan. As businesses'
reliance on IT has grown, backup has increasingly shown its weaknesses. However,
the introduction and maturation of several key technologies, such as
virtualization, have brought affordable and easily implementable Disaster Recovery and Business
Continuity to small and mid-sized companies. SMBs do not always equate
virtualization with Disaster Recovery and Business Continuity because
awareness of the many virtualization applications is just starting to
grow.
Number of Mission Critical Applications Increases
More processes are "mission-critical" as up to 60% of all applications in US-based medium-to-large enterprises are considered business-critical today (including email, collaboration, and intranet applications and data). This evolution demands that more systems, in more locations, that rely on more timely and sensitive data, be covered by Disaster Recovery and Business Continuity planning, and requires that datacenter operations teams provide tier-1 application support and data protection for a growing percentage of applications. - more infoThreats drive need for disaster and business continuity plans
With the ever changing economic climate and security threats, downtime and data loss pose intolerable risks to every business today. From CIOs to the Executive Suite, managers have seen the importance of business uptime and data protection to continued success, productivity and profitability. The Disaster Planning Template provides a road map to the most effective strategies and technologies to protect data and provide fast recovery should data be lost or corrupted due to accident or malicious action.
Planning for recovery - designing and implementing a solution to reduce the amount of recovery time needed after an interruption -is a pressing requirement for businesses of all sizes. In implementing an operational plan that ensures that both data and applications can be recovered quickly, IT managers are generally confronted with several challenges:
- How can we ensure our applications and data are recoverable without impacting business operations?
- Do we have data protection strategies available to us that meet my recovery point and recovery time objectives?
- Can we afford to implement a comprehensive plan that covers both local and remote (disaster) recovery requirements?
- Are there cost-effective alternatives that meet our requirements?
Disaster Recovery Planning International Standard Set by Janco
Disaster Recovery Business Continuity Template Now Accepted as
the International Standard
Update to the Disaster Recovery Business Continuity Template has just been released by Janco Associates..
Park City,
UT - The Disaster Recovery Business Continuity Planning template
has been sold to enterprise in over 65 countries around the globe. With
the release the latest verison of the template it is in complete
compliance with Sarbanes-Oxley, HIPAA, ITIL (Ver 3), ISO 17799, and PCI
DSS.
M V Janulaitis the CEO of Janco said, "Our DRP /BCP Template has
been accepted by enterprise around the globe as the standard for disaster
recovery plan and business continuity plan creation." In response to that need
Janco has updated its "Disaster Recovery / Business Continuity Template" by
increasing the content of the template as well as updating the entire document
to be compliant with Sarbanes-Oxley, HIPAA, ITIL (Ver. 3), ISO 17799, and PCI
DSS.
The Disaster Recovery Business Continuity Plan has been purchased for use in over 65 countries around the globe including:
|
|
|
|
The Disaster Recovery Business Continuity Plan has been purchased for use in government, public, and private enterprises in almost all industries including:
|
|
|
|
Outsouring Can Help in Disaster Recovery Planning
Between hackers, natural disasters, or even a pipe breaking in the office above yours, every business needs a contingency plan. It could mean the difference between riding out a problem and going out of business. For this reason, most businesses are concerned about the safety of their backups. Data loss is a significant concern for any business - and in healthcare and other industries can have huge financial consequences. Solutions typically require that you spend more money on a third party backup solution. Outsourcing is one solution that should not be overlooked. Solutions typically require that you spend more money on a third party backup solution. Outsourcing is one solution that should not be overlooked. - more infoGuidelines for Disaster Recovery and Business Continuity Planning
Disaster
recovery and business continuity are important business issues that require
awareness and planning. Guidelines
that can be used in this process are:
-
Look at the big picture - your business processes, systems, networks, data, and people all need to be considered when planning and implementing these processes.
-
Understand your levels of tolerance for lost work, missing data, and unproductive time.
-
Document and test your plans, and update them when business needs change.
-
Configure your environment to minimize the likelihood of a failure escalating into a disaster.
-
When evaluating technology solutions, take into account meeting your recovery objectives, kinds of disasters you're likely to face, and levels of cost, complexity, and disruption involved.
-
Know the advantages and limitations of each technology, and adjust your expectations accordingly.
-
Remember that backing up your data is the most reliable form of protection, without which your business is vulnerable.
Budget cuts impact disaster plans
IT staff cuts spurred by the economy are likely to continue throughout the remainder of the year. According to a survey of 300 IT center managers last year, half of all data centers were planning to cut 2010 budgets by an average of 15%. Respondents at 14% of those companies said the cuts would include layoffs of IT staffers.
The PayPal electronic payment system is one of many
Internet-based services that have been hit with outages. And based on news
reports, the number of such incidents appears to have been increasing in recent
months, analysts said. They cited shutdowns of the Google Apps software hosted
by Google Inc., outages at data centers run by Rackspace Hosting Inc. and a
distributed denial-of-service attack on Twitter.
Observers pointed to several possible reasons for the apparent uptick in online outages, including IT budget and personnel cutbacks, increasing corporate dependence on hosted applications -- and bad luck. Companies are not doing the maintenance we should be doing, and when you do not do maintenance, they increase the probability of catastrophic failure.
- more infoWhich Files Need to be backed up
Hard
drives often contain hundreds of thousands of files. Many of them should be
backed up every day, others only occasionally, and still others - including temp
files, the hibernation file, and your browser cache--not at all.
- Documents: You should back up your word processing files, spreadsheets, and similar documents every day. Most basic backup program perform incremental backups, in which the program copies only the files that have changed since the most recent previous backup. (Several backup programs also perform versioning; they keep several iterations of the same file on hand and enable you to choose which version to restore.)
- Recent Documents: If your backup program can handle incremental backups, you don't have to worry about recent documents as separate entities. But if you often work on these files on other people's computers, you may want to carry a copy of them on a flash drive or store a copy of them online.
- Application Data: Applications create and maintain data files such as e-mail messages, browser favorites, calendar entries, and contacts that require daily backing up. Many programs store them in a hidden folder inside your user folder (in XP, C:\Documents and Settings\your name\Application Data; in Vista, C:\Users\your name\AppData). Also, in XP, Microsoft stores Outlook and Outlook Express data in C:\Documents and Settings\your name\Local Settings\Application Data). Fortunately, any well-designed backup program intended for everyday, nonexpert users (as opposed to IT departments) knows where to look for Outlook data.
- Operating System: You can always reinstall Windows and your apps, if you have the original discs or can download the programs. But if Windows becomes unusable or your hard drive crashes, switching to a system backup (also called a disaster recovery backup) that you create a couple of times a year can get your machine up and running smoothly without much effort.
- Media: These large files require a separate backup strategy because of the amount of storage space they require..
- Heirlooms: Files that you want to keep forever need backing up and extra protection.
Cost of email downtime is high
In today's economy, the importance of e-mail takes on new meaning. Recovery time and recovery point objectives (RTOs and RPOs) are no longer general rules. The Exchange administrator's ability to meet or exceed the proverbial lines in the sand, in terms of time to recover and the age of the data recovered, can mean the difference between gainful employment and prepping for a job interview. In fact, average yearly cost of Exchange downtime for a 500-person corporation, according to data derived from the Contingency Planning Association and Strategic Research, is over $1.5 million.
Disaster Recovery Planning Template Business Continuity Plan
Sarbanes - Oxley - ISO 27000 (27001 & 27002) - HIPAA - PCI- Compliant
Disaster Recovery Planning (DRP) template can be used by any size enterprise. The template and supporting material have been updated to be Sarbanes-Oxley compliant. The Disaster Recovery Planning Documentation comes as a Word document and includes:
- Disaster Recovery Plan Template
- Business and IT Impact Analysis Questionnaire
- Work Plan
- Disaster Recovery & Business Continuity Audit Program
Included in the template is Business Impact Questionnaire as
well as a full Job Description for the Disaster Recovery Manager. The
premium edition contains 11 full job descriptions.
Communication during a recovery process often is not well planned
Disaster recovery
and emergency team members status communication and news have distinct
audiences with different needs when a crisis occurs.
- Employees/General Populace: Need access to 'basic information' such as where to go, when to return to work, and how to locate general information about the crisis situation
- Disaster Recovery Team Members: Need to account for all employees/constituents safety and assess the state of business operations; need the ability to communicate in real time, disseminate information, track recovery efforts, assign tasks and provision supplies, power, etc.; need the ability to have real time status of the situation
- Executives/Leaders: Need to know that their employees and constituents are safe; need to know the status of their business and access a high level, real-time status of the recovery efforts; need to be able to communicate with customers, investors, and people external to their business about the crisis.
Effective crisis communication requires technology to provide a unified solution for communicating information to all involved constituents and should provide a single source of accurate and up-todate information that can be accessed.
- more infoContinuous Data Protection can be used as a backup strategy for DRP amd BCP
Continuous Data Protection (CDP) is an increasingly popular disk-based backup strategy. It is replication with an Undo button. Every time a block of data changes on the system being backed up, it is transferred to the CDP system. However, unlike replication, CDP stores changes in a log, so you can undo those changes at a very granular level. In fact, you can recover the system to literally any point in time at which data was stored within the CDP system.
A near-CDP system works in similar fashion except that it has
discrete points in time to which it can recover. To put it another way, near-CDP
combines snapshots with replication. Typically, a snapshot is taken on the
system being backed up, whereupon that snapshot is replicated to another system
that holds the backup.
Why take the snapshot on the source before
replication? Because only at the source can you typically quiesce the
application writing to the storage so that the snapshot will be a meaningful
one.
Consolidation and Disaster Planning
Most organizations today are faced with conflicting goals and challenges. They have geographically distributed workforces, with headquarters, datacenters, branch offices, and mobile workers scattered widely. Everyone needs to access email, file shares, and mission critical applications, and the speed of access directly ties to employee productivity. So computing resources have been widely deployed in many locations to give the local workers the best possible service delivery. However, this approach is now seen as wasteful and expensive with extra hardware and software to buy and maintain for many locations, and often few local IT staff to support the systems. As budgets get tighter, organizations are looking for solutions to handle this burden. IT consolidation is the number one approach today, taking infrastructure out of remote offices and into the main data center as a way to cut costs and boost IT staff productivity. The trick is how to consolidate without hurting the performance for the end users.
While consolidation can certainly bring a number of benefits to
organizations, it will take more than just a Friday afternoon to
ensure that
your consolidation, disaster recovery, and business continuity projects are
truly successful. As far too many IT managers will tell you, a poorly planned
project will have your executives screaming, users threatening mutiny, and IT in
the hot seat to quickly undo all the effort that went into the project in the
first place.
- Lay out a change and risk management strategy
- Develop a plan for resiliency
- Test (and improve) branch office performance & local consolidation
- Architect a forward-looking infrastructure & support plan
- Plan a phased roll-out
Lack of disaster planning led to present crisis
Everyone came to the same conclusion: A lack of disaster planning was a key component to the extent of the damage and loss of life.Seventeen charity and civil society organizations met at the Jeddah Chamber of Commerce and Industry (JCCI) to organize their efforts after a few days of spontaneous but much appreciated mobilized work to collect and distribute donations in the affected areas. This followed a warning issued by the Governorate cautioning individuals and groups against donating haphazardly and instead directed them to give their donations through registered charity organizations, which are supposed to coordinate their distribution work with the Jeddah Governorate to ensure that the donations reach those who need them.
Discussions quickly revealed a lack of coordination among the charities and with the relevant government offices, namely the Civil Defense and the governorate. While several charities focused on the hardest hit areas, which needed every parcel of assistance it could get, other areas that were also hit hard were almost neglected. It turns out that Al-Sawaed, which has become a ghost town with only ruins, and all the Kilo areas and Mahameed were in bad shape. Poor neighborhoods in downtown Jeddah such as Ghulail and Karantina were also stricken with residents living in knee-high stinking sewage with barely the essentials to live by. Other areas hit hard include Um Alsalam, Bahra, Jamaa, Al-Musaid.
- more infoRecovery time is focus of 57% of Business Continuity Managers
In a recent survey it was found that 57 percent of IT organizations see reducing recovery time in the event of IT failure and cutting the cost of backup as the two biggest pain-points for backup and disaster recovery. The next most significant difficulties were the ability to roll back to any point in time when recovering workloads and recovery testing.
Virtualization is already in place with the majority of those surveyed, with 86 percent of those questioned having a virtual infrastructure in place within their organizations.
Other findings are:
- Tape backup is the most popular technology involved for recovery of virtual machines, with 60 percent of organizations relying on tape to protect their virtualization implementations. 53 percent of organizations are using disk-to-disk backup products, while proprietary virtualization products are used by 23 percent;
- 17 percent of organizations are only using tape backup for the backup / recovery of their virtual machines;
- The number of respondents that were able to judge their recovery point objectives (RPO) when it came to virtualized environments was much lower than those able to define their recovery time objectives (RTO) - only 45 percent of those surveyed were able to state their satisfaction level around their RPOs.
DVDs Last Only Two to Five Years
The National Archives warns - "CD/DVD experiential life expectancy is 2 to 5 years even though published life expectancies are often cited as 10 years, 25 years, or longer. However, a variety of factors discussed in the sources cited in FAQ 15, below, may result in a much shorter life span for CDs/DVDs. Life expectancies are statistically based; any specific medium may experience a critical failure before its life expectancy is reached. Additionally, the quality of your storage environment may increase or decrease the life expectancy of the media. We recommend testing your media at least every two years to assure your records are still readable."
Busines continuity planning is impacted by this. However there may be a solution. Start-up claims its DVDs last 1,000 years - The DiamonDisc uses standard DVD players and burn software and Cranberry's DiamonDisc product holds a standard 4.7GB of data, which roughly amounts to 2,000 photos, or 1,200 songs, or three hours of video, but the media is unharmed by heat as high as 176 degrees Fahrenheit, ultraviolet rays or normal material deterioration, according to the company. DiamonDiscs contain no dye layers, adhesive layers or reflective materials that could deteriorate.
- more infoTesting and training models for a disaster recovery and business continuity plan
After you created your disaster
recovery and business continuity plan you are not done. In reality your disaster
recovery and business continuity plan are useless until you test them and train
your staff in how to activate and use them. The key is to incorporate testing
and training as part of the overall disaster recovery and business continuity
management process.
In a plan review, the disaster recovery and
business continuity plan owner and team discuss the disaster recovery and
business continuity plan. They look for missing elements and inconsistencies
within the plan or with the organization. This type of exercise is comparable to
plan auditing, and is useful to train new members of a team, including the
business function owner.
Walk-Thru
In a walk-thru exercise, participants
gather in a room to execute documented plan activities in a stress-free
environment. Walk-thru exercises can effectively demonstrate whether team
members know their duties in an emergency and if they need training.
Documentation errors, missing information and inconsistencies across disaster
recovery and business continuity plan can be identified in a walk-thru
exercise.
Simulation
To determine if disaster recovery and
business continuity management procedures and resources work in a realistic
situation, a simulation exercise helps. This exercise uses established disaster
recovery and business continuity resources, such as the recovery site, backup
equipment, services from recovery vendors and transportation. It can require
sending teams to alternate sites to restart technology as well as business
functions. Errors, omissions, missing or insufficient resources, incomplete
coverage, and limited vendor capabilities may surface in this exercise.
Simulations may also uncover staff issues regarding the nature and the size of
their tasks. The use of a scenario is highly recommended for
simulations.
Objectives
Why exercise in the first place? The
primary objective is to ensure that the plan works when it is needed. But it is not enough to exercise parts of
a plan. Ideally all elements of disaster recovery and business continuity plans
should be exercised at least once a year if not quarterly. Each exercise may
have different objectives, beside the primary one.
Main exercise objectives include
identifying weaknesses and shortcomings, verifying recovery objectives and
procedures, validating global efficiency of plans, verifying the adequacy of
emergency operations centers (EOCs) and alternate sites, and achieving specific
recovery time objectives (RTOs) and recovery point objectives
(RPO).
How much should you
test?
Tests can be simple or complex. A
table-top exercise can establish a plan performance baseline. A specialized
test, such as one which focuses on crisis management procedures at an EOC,
provides valuable information about specific activities. At a higher level, an
integrated exercise can address multiple disaster recovery and business
continuity plans or plan components. Finally, an entire plan, with all
components, can be exercised. It is far better to err on the side of exercising
too much, rather than not enough.
Managing human
resources
Tests present human resource issues.
Tests are important for validating team member expertise and identifying
training opportunities. Conversely, people could refuse to work overnight,
weekends or be away from home even a few days. Be sure to discuss and resolve
these issues with human resources management.
During disaster recovery and business
continuity plan tests, it is good practice to treat team members well,
especially when they are away from home or working difficult hours. Be sure to
budget for appropriate hotel accommodations and food, while managing
costs.
Effective test
strategies
The test options will help improve
disaster recovery and business continuity plans and train staff. But no matter
how often you exercise plans, when reality strikes, your response capability
could be much different than in the exercises.
Key strategies for testing include
starting simple; raising the bar in terms of difficulty; involving vendors and
stakeholders in exercises; making objectives increasingly difficult to achieve;
and launching surprise exercises. When launching an exercise program, start with
plan reviews and walk-thrus. This will help staff get comfortable with the
exercise process. As they improve, increase the level of exercise complexity.
Remember that if an exercise fails, it is not a failure; rather, it is a
success. It is far better to identify systems and procedures that may fail, and
rectify them, before a real incident occurs. Finally, a true test is to launch a
surprise incident. This will truly test how well prepared the organization is to
address a real incident.
What is a successful
test?
The primary reason to exercise is to
identify limitations of disaster recovery and business continuity plans.
Recognizing that most organizations change frequently, even mature business
continuity plans may be inappropriate in a given situation or at a given time.
Tests that appear to be successful and uncover no problem should be suspect.
Maybe the objectives were too easy or the situation was unrealistic. Exercises
present opportunities to fix problems before a disaster
happens.
A successful test uncovers and
documents problems. Once the problems have been fixed, consider running a
follow-up test to ensure the repairs work. Measuring the success of disaster
recovery and business continuity tests means having relevant objectives that
will help uncover problems. Testing is your chance to push your disaster
recovery and business continuity plans increasingly closer to the reality of a
disaster.
























