
  1. State of Oregon Business Continuity Training Academy
     Desk Reference, Workshop #1

     Prepared by: DigitalCare, Inc., 427 N. Weber St, Colorado Springs, CO 80903, 719-477-9477

     Copyright 2006 – DigitalCare, Inc. – All Rights Reserved. No part of these materials may be reproduced, distributed or transmitted in any form without the prior written consent of DigitalCare, Inc. This document and the accompanying educational seminar are intended to provide guidance and direction. The information contained in this document is not intended as legal advice.
  2. Table of Contents

     Introduction/Welcome Letter
     Chapter 1: Course Overview
       - Course Overview and Schedule
       - Detailed Workshop 1 Schedule
     Chapter 2: The What and Why of BCP
       - Introduction to Disasters and Events
       - Business Continuity Planning: Preliminary Risk Assessment Worksheet
       - BCP Mandates, Directives and Legislation
       - BCP Overview – Additional Reading Material
     Chapter 3: Planning for BCP
       - Business Continuity Planning Phases
       - Business Continuity Planning Checklist
       - Establishing and Defining BCP Goals Worksheet
       - BCP Overview Quiz
     Chapter 4: Planning and Managing a BCP Project
       - A Planner's Role
       - Budget Considerations
       - Initial Project Planning Worksheet
       - Planning Team's Responsibilities
       - Planning Team's Documentation
       - Planning Team's Checklist
       - Response Team's Responsibilities
       - Response Team's Checklist
     Chapter 5: Workshop 2 Topics
       - Business Function Statement
       - Agency Critical Business Function (CBF) Worksheet
       - Risk Information Checklist
     Chapter 6: Glossary of Terms
  3. Dear Course Attendee:

     Welcome to the State of Oregon's Business Continuity Training Academy. This course is designed to give you a working understanding of BCP, and how it applies to your various work functions. This course will cover topics including:
       - The What and Why of BCP
       - Business Impact Analysis and Risk Assessments
       - Business Continuity Planning and Strategies
       - Continuation of Operation Plan (COOP), Emergency Response and Crisis Communications
       - Plan Maintenance and Training

     At the end of this course, you will have a greater awareness of the importance of disaster mitigation and BC plans. You will have a developed understanding of the business continuity process and how it applies to your job functions. Ultimately, this course will enable you to write a complete plan for your own business processes and in turn, create a more secure government BCP infrastructure for the State of Oregon.

     The State of Oregon's Business Continuity Training Academy consists of five workshops. Each workshop will focus on one specific aspect of Business Continuity, and each workshop will contain two one-day sessions. In total, the course contains ten one-day sessions over the course of a five-month period.

     Please feel free to contact us at any time with questions, issues or concerns.

     Thanks,

     Jennifer Collins, Partner, DigitalCare, Inc. Phone: 402-328-0058. Email: jcollins@digitalcare.com
     Doug Landolfi, President, DigitalCare, Inc. Phone: 719-477-9477. Email: dlandolfi@digitalcare.com
  4. Chapter 1: Course Overview

     Course Overview and Schedule

     Workshop #1: What and Why of BCP
       Session #1, June 13
         - Course Goals, Format and Outcomes
         - Course Overview
         - Business Continuity Plan Structure
         - The Oregon BCP Tool
       Session #2, June 14
         - Planning and Managing a BCP Project

     Workshop #2: Business Impact Analysis and Risk Assessment
       Session #3, July 12
         - Business Impact Analysis
       Session #4, July 13
         - Risk Management and Risk Assessment

     Workshop #3: Business Continuity Planning and Strategies
       Session #5, August 15
         - Mapping and Prioritizing Business Functions
         - Mitigation and Recovery Strategies
       Session #6, August 16
         - Bringing a Plan Together

     Workshop #4: Continuation of Operation Plan (COOP), Emergency Response and Crisis Communications
       Session #7, September 19
         - Continuation of Operation Plan
         - Emergency Response
       Session #8, September 20
         - Crisis Communications

     Workshop #5: Plan Maintenance and Training
       Session #9, October 10
         - Final Work Product Reviews
         - Maintenance
         - Testing Methodologies
         - Writing a Testing Plan
       Session #10, October 11
         - Training and Awareness
         - Writing a Training Plan
  5. Detailed Workshop #1 Schedule

     Workshop #1: The What and Why of BCP

     Session 1 (Time / Topic / Curriculum Detail)

     8:30am
       Course Goals, Format and Outcomes. This section will include a PowerPoint Presentation on the following topics:
         - Welcome
         - Course Overview
         - Course Schedule
         - Workshop Outline
         - Workshop Schedule and Topics
         - Expected Course Outcomes
         - Expected Workshop 1 Outcomes
       Course Overview
         - Why You are Here (How this Course is directly relevant to you, your responsibilities and your agency)
       1. The Why of BCP. This section will include a PowerPoint Presentation on the following topics:
         - Directives, Legislation and Regulations
         - Disasters in Oregon
         - Event Likelihood
         - Vulnerability and Survivability
         In addition, this section will include BCP Case Studies possibly presented via video clips.
       Discussion and Questions
         - Designated time for students to ask questions.

     Approximately 10:15am – 10:30am
       MORNING BREAK

     Approximately 10:30am
       2. Introduction to and General Principles of BCP. This section will include a PowerPoint Presentation on the following topics:
         - What is a Business Continuity Plan and why is it important?
         - Motivation for Business Continuity Planning
         - BCP Approaches
         - All Disasters Approach
         - Business Continuity Planning Goals
       3. Breakout Session/Group Exercise
         - Establishing and Defining BCP Goals Worksheet
       Discussion and Questions
         - Designated time for students to ask questions.
       4. Defining BCP Language. This section will include a PowerPoint Presentation on the following topics:
         - Explanation and Definition of key BCP terms and language. Examples include: Disaster Recovery, Emergency Operations and Incident Management
  6. 12:00pm – 1:00pm
       LUNCH BREAK

     1:00pm
       5. Business Continuity Plan Structure
       6. Elements of a Plan
       7. BCP Phases
       This section will include a PowerPoint Presentation on the following topics:
         - Business Continuity Planning Phases
         - Elements of the Business Continuity Plan
         - Best Practices and Case Studies in BCP

     Approximately 3:00pm
       AFTERNOON BREAK

     Approximately 3:15pm
       Discussion and Questions
         - Designated time for students to ask questions.
       The Oregon BCP Tool
         - TBD based upon selected tool
       8. Vendor
       9. What the tool does and doesn't do
       10. How it fits into the overall structure
       Discussion and Questions
         - Designated time for students to ask questions.

     4:30PM
       Conclusion for the Day
         - Instructor(s) will be available for Follow-On discussion and individual questions, as desired
  7. Session 2 (Time / Topic / Curriculum Detail)

     8:30am
       Planning and Managing a BCP Project
       11. A Planner's Role
       This section will include a PowerPoint Presentation on the following topics:
         - Coordination and Project Management
         - Budget Planning
         - Project Schedule
         - Success Factors
         - Pitfalls
         - Best Practices and Case Studies
       12. Breakout Session/Group Exercise
         - Initial Project Planning
       Discussion and Questions
         - Designated time for students to ask questions.

     Approximately 10:15am – 10:30am
       MORNING BREAK

     Approximately 10:30am
       13. Establishing Teams and Roles and Responsibilities. This section will include a PowerPoint Presentation on the following topics:
         - Importance of teams
         - Types of Teams
           o Planning Teams
             - BCP Steering Committee
             - BCP Development
             - Disaster Recovery
             - Crisis Management and/or Emergency Response
           o Response Teams
             - Damage Assessment/Salvage Team
             - Transportation Team
             - Physical Security Team
             - Public Information Team
             - Insurance Team
             - Telecommunication Team
         - Who should participate?
         - Functions and Roles for each Team
         - Documenting Teams and their Roles and Responsibilities
       14. Breakout Session/Group Exercise
         - Project Team Documentation Worksheet
       Discussion and Questions
         - Designated time for students to ask questions.

     12:00pm – 1:00pm
       LUNCH BREAK

     1:00pm
       15. Executive Commitment. This section will include a PowerPoint Presentation on the following topics:
  8.     - The Politics of BCP
         - Executive Responsibilities
         - Why Should Management Care?
           o Legal Requirements
           o Vulnerability
         - Meeting with Senior Management
           o Agenda, Questions and Issues
           o Selling BCP to Management
           o Success Factors
           o Failure Factors
         - A BCP Manager's Desired Results
           o Overall Buy-in and Commitment
           o Funding/Budget approval
           o Scope approval
           o Approval of Draft Schedule
         - Follow-up and Additional Communication
       Discussion and Questions
         - Designated time for students to ask questions.
       Introduction to Workshop 2 Topics. This section will include a PowerPoint Presentation on the following topics:
         - What are "Business Functions"?
           o Identification of Business Functions
         - Risk Assessment Overview
           o Data Gathering for Risk Assessment
         - Business Impact Analysis
           o Data Gathering for Business Impact Analysis

     Approximately 3:00pm
       AFTERNOON BREAK

     Approximately 3:15pm
       Review, Discussion and Questions
         - Review of Workshop 1 information
         - Designated time for students to ask questions.
       Working Time and Homework
         - Homework assignments will be given
         - Designated time for students to complete course worksheets and other assigned homework.
       Evaluations
         - Designated time for students to fill out evaluation forms

     4:30PM
       Conclusion for the Day
         - Instructor(s) will be available for Follow-On discussion and individual questions, as desired
  9. Chapter 2: The What and Why of BCP

     Introduction to Disasters and Events

     While bombs, fires and floods capture the headlines, almost 90% of crises are nowhere near as dramatic. It is these quiet catastrophes that have the potential to damage your organization's most valuable assets and reputation. These can be destroyed very quickly unless strongly defended at times when the speed and scale of events can overwhelm normal operational and management systems.

     Today, Business Continuity Plans (BCP) are no longer a luxury, but an essential element of the organization's risk management program. For many organizations, the decision to invest in a business continuity plan is being forced upon them through change in accountability by legislation, third parties, a disaster or near disaster.

     Recent research has suggested that on average 20% of all organizations will experience some form of unplanned event once every five years. While it is unlikely to be as catastrophic as 9/11, there is still the need to think about how you would cope with the more mundane events, such as power cuts or transport problems.

     The fact that organizations are now so dependent on their IT systems has meant that during the last 20 years the IT department has led the way in planning how to recover from an unplanned event. But restoring data and system access is not enough when there is nowhere for employees to answer the phones or suppliers cannot deliver critical components. Incidents as simple and common as an extended power loss, telecoms failure or the loss of building heating may cause critical business functions to be disabled.

     The reasons for creating an effective BCP are many. With the ever-increasing dependency on technology in today's workplace, companies must plan ahead in order to survive unexpected problems.
       - When companies lose computer data in a disaster, 50% never regain it and 60-90% go out of business within two years.
       - 90% of computer outages are the result of power failures, water-pipe leaks, loose cables, and user mistakes.
       - 50% of businesses experiencing a computer outage will be forced to close within 5 years.
       - Online systems fail on an average of nine times per year, with an average of four hours per failure.
       - There are over 200 telecommunications cables cut every day in the U.S.
       - Major systems downtime costs 15% of organizations over $50,000 per hour.

     Although a clear organizational boundary exists between the two areas, data security and BC/DR strategies and tactics represent a shared concern because information security risks might well cause an organization to execute its BC/DR plan. Thus, even if a regulation does not specify the kind of business continuity plan (BCP) or how often it must be tested, an organization remains accountable for its systems and processes related to data. The bottom line is that laws and regulations, as well as shareholders, expect organizations to exercise due care to ensure that necessary data is available.
  11. Business Continuity Planning: Preliminary Risk Assessment Worksheet

      Agency: ____________________________________________________
      Individual Completing Survey: __________________________________

      Please describe any business continuity events experienced by your organization. (Please note: these could include both large and small events.) Examples include:
        - Technology Issues such as equipment failure, disruption of power supply or telecommunications equipment, application failure or corruption of database, malicious software (viruses, worms, Trojan horses), hacking or other Internet attacks.
        - Human/Workforce issues such as strikes, sabotage or human error that resulted in system downtime.
        - Physical/Building Issues such as pipes bursting.
        - Natural Disasters such as flood, earthquake and hurricanes.
        - Health/Illness Outbreaks.

      Worksheet columns (one row per event):
        - Event
        - Business Service Downtime (Yes / No). If yes, please explain
        - Data Loss (Yes / No). If yes, please explain
        - Financial Loss (Yes / No). If yes, please explain
        - Other Types of Loss (Yes / No). If yes, please explain
  12. BCP Mandates, Directives and Legislation

      Below you will find a list of laws, mandates and directives that directly or indirectly mandate the use of business continuity planning. This table includes specific examples from the healthcare, government, finance and utilities sectors.

      Table columns: Industry Sector; Significant Laws and Regulations; Impact on BCP; Comments.

      Healthcare

        - Law/Regulation: Health Insurance Portability and Accountability Act (HIPAA) of 1996
          Impact on BCP: Requires data backup plan, DR plan and emergency mode operation plan. Requires reasonable and appropriate measures relative to the size, complexity and resources of the organization.
          Comments: Requires increased budgets, new job descriptions, as well as additional staff and infrastructure. Typically an IT responsibility but may also be the province of the compliance officer or CFO.

        - Law/Regulation: Food and Drug Administration (FDA) Code of Federal Regulations (CFR), Title XXI, 1999
          Impact on BCP: Establishes the requirements for electronic records and electronic signatures.
          Comments: Acceptability of electronic records and signatures may require that some organizations update their BC measures to ensure the availability of information.

      Government

        - Law/Regulation: Federal Information Security Act (FISMA) of 2002, Title III of the E-Government Act of 2002 (PL 107-347, 17 December 2002); Executive Order on Critical Infrastructure Protection in the Information Age, 16 October 2001
          Impact on BCP: Mostly emphasizes data security rather than BC and DR. An important need to be addressed is the requirement that government is open and running during a crisis.
          Comments: By and large, state and local governments are free to make their own decisions on data security, BR and continuity of operations (COOP).

        - Law/Regulation: COOP and Continuity of Government (COG). Federal Preparedness Circular 69, 26 July 1999
          Impact on BCP: Establishes minimum planning considerations for federal government operations.
          Comments: BCP must be maintained at a high level of readiness. BCP must be capable of implementation with or without warning. BCP must be operational no more than 12 hours after activation. BCP must maintain sustained operations for up to 30 days. BCP should take maximum advantage of existing agency field infrastructures.

        - Law/Regulation: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, Contingency Planning Guide for Information Technology Systems, June 2002
          Impact on BCP: Defines detailed recommendations from NIST, requiring contingency, DR and COOP plans.
          Comments: Joins the NIST SP 800 series (Parts 3, 4, 12, 14, 16, 18 and now 34) in stating these requirements. Focuses on planning.

        - Law/Regulation: NIST 800-53, Recommended Security Controls for Federal Information Systems, February 2005
          Impact on BCP: Mandatory security controls will become a federal standard by the end of 2005. NIST 800-53A will provide assessment guidelines that are closely aligned to the controls listed in NIST 800-53.
          Comments: Gives specific requirements for:
            - Contingency planning policy and procedures
            - Contingency plan
            - Contingency training
            - Contingency plan testing
            - Contingency plan update

      Finance

        - Law/Regulation: Federal Financial Institutions Examination Council (FFIEC) Handbook, 2003-2004 (Chapter 10)
          Impact on BCP: Specifies that directors and managers are accountable for organizationwide contingency planning and for "timely resumption of operations in the event of a disaster."
          Comments: This chapter, on an operational level, supplants many other BCP guidelines. It covers examination requirements for all companies regulated by the Federal Deposit Insurance Corp. (FDIC), Federal Reserve Bank (FRB), Treasury Department, U.S. Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS) and National Credit Union Administration (NCUA).

        - Law/Regulation: Basel II, Basel Committee on Banking Supervision, Sound Practices for Management and Supervision, 2003
          Impact on BCP: Requires that banks put in place BC and DR plans to ensure continuous operation and to limit losses.
          Comments: After 2007, influence of Basel II will be limited to about 30 U.S. banks but will spread as a best practice via "audit creep."

        - Law/Regulation: Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, 2003
          Impact on BCP: More focused on systemic risk than individual enterprise recovery. Requires BCPs to be upgraded and tested to incorporate risks discovered as a result of the World Trade Center disaster.
          Comments: Influences companies that are regulated by Securities and Exchange Commission (SEC), OCC and Board of Governors of the Federal Reserve System (FRS). Authorizes the OCC to take action against banks that fail to comply with requirements for DR by the U.S. financial system.

        - Law/Regulation: Expedited Funds Availability (EFA) Act, 1989
          Impact on BCP: Requires federally chartered financial institutions to have a demonstrable BCP to ensure prompt availability of funds.

      Utilities

        - Law/Regulation: Governmental Accounting Standards Board (GASB) Statement No. 34, June 1999
          Impact on BCP: Requires a BCP to ensure that agency mission continues in time of crisis.
          Comments: Applies to all government entities that operate utilities.

        - Law/Regulation: North American Electric Reliability Council (NERC) 1200 (1216.1), 2003
          Impact on BCP: Recovery plans currently voluntary. NERC 1200 due to be replaced by NERC 1300 by the end of 2005.
          Comments: Mandatory obligations pending in the energy bill.

        - Law/Regulation: Federal Energy Regulatory Commission (FERC) RM01-12-00 (Appendix G), 2003
          Impact on BCP: Mandates recovery plans.
          Comments: Does not apply to Rural Utilities Service (RUS) borrowers and limited distribution cooperatives.

        - Law/Regulation: RUS 7 CFR Part 1730, 2005
          Impact on BCP: Emergency restoration plan required as condition of continued borrowing.
          Comments: Applies to all rural utilities borrowers.

        - Law/Regulation: Telecommunications Act of 1996, Section 256, Coordination for Interconnectivity
          Impact on BCP: Requires the Federal Communications Commission (FCC) to establish procedures to oversee coordinated network planning by carriers and other providers.
          Comments: While it recognizes the need for DR plans, it also acknowledges the existence of inadequate testing because of the rapid deployment of new technologies.

        - Law/Regulation: NERC Security Guidelines for the Electricity Sector, June 2001
          Impact on BCP: Includes BC in information security standards for the industry-government partnership (guided by Critical Infrastructure Protection Committee [CIPC]).

      Source: Gartner (July 2005)
  16. BCP Overview – Additional Reading Material

      What Is Business Continuity Planning?
      By JOHN GLENN

      John Glenn is a certified business continuity/disaster recovery planner. He has been involved with business continuity planning since 1994.
      http://www.drj.com/articles/win02/1501-14.html

      There are many articles addressing how to create a business continuity plan, but few actually describe the purpose of business continuity planning. This then is my biased attempt to explain what business continuity is and what it is intended to accomplish; it is not intended to describe a business continuity plan or how to create a business continuity plan.

      Business Continuity Defined

      Business continuity – emphasis on "continuity" – is the ability of a business to continue operations in the face of a disaster condition. This means a business with a viable business continuity plan will be better able to continue doing what it did before a disaster event while assets damaged by the disaster event are recovered – until "business as usual" is resumed.

      Business continuity means:
        • identifying critical business functions
        • identifying risks to critical functions
        • identifying ways to avoid or mitigate the risks
        • having a plan to continue business in the event of a disaster condition
        • having a plan to quickly restore operations to "business as usual."

      Disaster recovery is an integral part of business continuity. Business continuity does not replace insurance. It is a form of insurance, and should include insurance for life, health, facilities, product and business interruption.

      Disasters vs. Disaster Conditions

      A disaster, according to this planner, is any event that results in death or serious injury, or a business going out of business as a result of an event. A disaster condition is an inconvenience from which everyone and everything can be recovered – not necessarily exactly as before the event, but restored to an equal, or better footing.

      "Inconvenience" may be too mild a term for some who experienced a disaster condition, but consider this scenario: A tornado roars through and flattens the business. If the business has a continuity plan that includes an alternate site, plans to rapidly transfer operations to the site, and includes support services to relieve its employees of worry about their families and possessions, the business can be doing business within an acceptable time, meeting its customers' needs and fending off competitors while restoring the operation to "business as usual" condition.

      There is an interruption. There most certainly is an inconvenience. There usually is added cost – overtime, rental facilities, expedited ordering and shipping, additional services such as catered meals – but, and this is the critical issue, business continues, income continues – perhaps at a slightly reduced level, but it continues nonetheless. Competitors won't succeed in stealing the business' customers due to missed commitments.

      Was the event – regardless of type: fire, flood, wind, etc. – a disaster? No. Was it a disaster condition? Yes.

  17. Critical Business Functions

      Critical business functions are functions a business must perform in order to stay in business. That means different things to different organizations. If the business' primary function – the one that generates income – is to produce valves, then a disruption to valve production puts the business at risk. There may be IT concerns such as CAD/CAM, customer lists, accounts receivable and accounts payable, but the primary function of the business is to make valves. If the production line is down, if raw material cannot be accepted and finished goods cannot be shipped, the company shuts down. For the valve company, the production line is the critical business and any risks associated with production – no matter how far removed from the actual production line – are legitimate concerns for the planner.

      Non-profits and governments need business continuity to assure that they can perform their mandated functions. When an assistance payment fails to arrive, there is a ripple effect – the person can't buy necessities, the business selling the necessities either loses business (and product stays in stock) or sells on credit, the wholesaler loses sales to the retailer (or sells on credit), the manufacturer loses an order from the wholesaler, and on and on.

      Avoid, Mitigate, Absorb

      Once critical functions and risks to those functions are identified, planners have three options:
        • Avoid a risk, typically through redundancy.
        • Mitigate a risk by implementation of "work-arounds."
        • Absorb the risk.

      The decision to avoid, mitigate, or absorb is a management decision. The planner makes recommendations based on cost vs. effectiveness and efficiency. Is it really necessary to have a very expensive hot site for a valve manufacturing production line? Probably not. Is it really necessary to have a very expensive hot site for a 24 hour-a-day data intensive operation (such as Web-based securities sales)? Most assuredly.
  18. 18. In some cases, the decision to avoid, mitigate, or absorb is made for the planner and management by regulatory bodies which demand certain performance levels. In all cases, ―fiduciary responsibility‖ plays a major role in management‘s decision. Management is liable if it fails to take reasonable and prudent measures to protect investors and employees. Avoiding a risk is a fairly obvious option. It usually is the most expensive and requires the most readiness. Mitigation options may be fairly obvious; if the business is located in a flood plain, move all critical operations to floors above the 100-year flood level. Absorbing a risk is another matter. Letting an event take its toll seems counter to business continuity‘s purpose, but consider a company with obsolete equipment – from ―AT‖ class computers to inefficient furnaces. If the obsolete equipment is insured, replacing it with modern equipment might improve the bottom line. Since insurance, an integral part of a business continuity plan, is footing at least part of the replacement cost, the business can buy replacement gear at a ―discount.‖ Business Continuity For The Small Business Everyone – small business, big business, non-profits, government, even the individual family – needs a business continuity plan, a way to continue their business or personal lives in face of a disaster condition. Business continuity is as much – perhaps more – for the small business as it is for the giant corporation. Unlike giant corporations, smaller enterprises typically are less able to survive a disaster (condition); they lack the financial clout and personnel resources of a Fortune 100. The small business does have some special financial assistance available from federal and state sources. These sources normally look more favorably on an enterprise with a business plan that includes a business continuity plan. Some insurance companies may offer discounts to businesses which implemented planner recommendations. 
Business Continuity For The Community

The Federal Emergency Management Agency (FEMA) under former director James Watt made a strategic change following Hurricane Andrew. FEMA went from a "disaster recovery" agency to a "disaster avoidance and mitigation" agency – in other words, FEMA got into business continuity.

FEMA created "Project IMPACT" to help municipalities expand their federally-mandated emergency preparedness operations to include protection of the commercial and residential tax base through what effectively amounts to business continuity planning. Project IMPACT makes a number of resources available to both the small business and to the community's residents to identify risks (will a facility withstand high winds?) and to implement preventive measures.
  19. 19. The Differences In Business Continuity, Disaster Recovery & Contingency Planning

A person builds a house on an ocean beach. A storm washes away the beach. The house collapses.

Business continuity would suggest building a barrier reef or moving the house farther inland. Disaster recovery rebuilds the house in time for the next storm. Contingency planning takes the same scenario and says: "A storm will come ashore and damage the house; make sure there is someplace to live while the house is rebuilt."

What To Expect In A Business Continuity Plan

Business Continuity planning typically is a multi-stage (deliverable) process.

Phase 1 – BIA

The minimum expectation from a business continuity plan is a business impact analysis, a "BIA." The BIA:
• identifies business functions critical to the business' survival
• identifies risks to those functions
• rates (prioritizes) risks by probability of occurrence and impact on the business
• identifies ways to avoid or mitigate identified risks
• prioritizes recommended avoidance and mitigation options.

The plan may include suggested vendors, available financial resources, and other resources which may prove beneficial to implementation of avoidance and mitigation measures. The availability of this supplemental information is determined before planning commences and is in large measure dependent on how much time the planner has for research. (Resources constantly change and a planner should not be held to what was known "yesterday.")

The business continuity process normally is suspended for a brief period while management reviews its options. The shorter the break the better since, as with most planning operations, momentum is a valuable asset.
Phase 2 – Disaster Recovery Plan

The disaster recovery plan includes:
• reporting hierarchy, including executive management
• identifying primary and alternate disaster recovery team members; these are the people responsible to sustain the business operations and to restore or replace physical assets
• detailed description of each team member's responsibilities during a disaster condition
• a list of internal and external vendors and contact information
• a list of regulatory agencies and contact information
• a list of public service agencies and contact information
• appendix of control forms (report forms, expenses, etc.)
• minimum resources required to sustain the business operation while physical assets are restored or replaced.
  20. 20. Phase 3 – Disaster Recovery Team Training & Testing

This phase includes:
• development of a test methodology and scenarios
• training disaster recovery team personnel to respond to a disaster condition with confidence
• revision of Business Continuity Plan as deficiencies are discovered during plan testing.

No plan is perfect the first time out; if it is, there is something wrong with the test.

Phase 4 – Plan Maintenance

Plan maintenance is in two parts:
• develop a maintenance policy and procedure
• maintain the plan.

Plan maintenance is by both calendar and by "trigger" events. Calendar events are regularly scheduled reviews to assure all minor changes to the business are incorporated into the revised plan. Review frequency depends upon the business' dynamics. Trigger events are events which "trigger" plan maintenance. Such events include equipment, personnel, policy, procedural, product, and vendor changes.

A Few Quick Words About Vendors

All businesses depend on vendors. If a critical business function depends directly or indirectly on a vendor, make certain the vendor has a tested and maintained business continuity plan. The plan for your business is defective if the:
- vendor lacks a plan
- vendor's plan has never been tested
- vendor's plan was updated more than a year ago.

The vendor's client is responsible to assure the vendor has a viable (tested and maintained) plan.
  21. 21. Chapter 3: Planning for BCP

Business Continuity Planning Phases

1. Project Initiation
- Define Business Continuity Objective and Scope of coverage.
- Establish a Business Continuity Steering Committee.
- Draw up Business Continuity Policies.

2. Business Analysis
- Perform Risk Analysis and Business Impact Analysis.
- Consider Alternative Business Continuity Strategies.
- Carry out Cost-Benefit Analysis and select a Strategy.
- Develop a Business Continuity Budget.

3. Design and Development (Designing the Plan)
- Set up a Business Recovery Team and assign responsibility to the members.
- Identify Plan Structure and major components.
- Develop Backup and Recovery Strategies.
- Develop Scenario to Execute Plan.
- Develop Escalation, Notification and Plan Activation Criteria.
- Develop General Plan Administration Policy.

4. Implementation (Creating the Plan)
- Prepare Emergency Response Procedures.
- Prepare Command Center Activation Procedures.
- Prepare Detailed Recovery Procedures.
- Prepare Vendors Contracts and Purchase of Recovery Resources.
- Ensure everything necessary is in place.
- Ensure Recovery Team members know their Duties and Responsibilities.

5. Testing
- Exercise Plan based on selected Scenario.
- Produce Test Report and Evaluate the Result.
- Provide Training and Awareness to all Personnel.

6. Maintenance (Updating the Plan)
- Review the Plan periodically.
- Update the Plan with any Changes or Improvement.
- Distribute the Plan to Recovery Team members.
  22. 22. Business Continuity Planning Checklist

Columns: Steps & Items (modify, delete or add as needed) | Duration (days or hrs) | Start (date) | Finish (date)

Step One: Initiation
- Prepare for meeting with Senior Management
- Review any existing policies & procedures.
- Research local events with negative effect.
- Prepare to discuss project funding.
- Research necessary training.
- Access to PCs for team leaders.
- BCP software?
- Draft the Project Schedule.
- Conduct Kickoff Meeting with Management
- Form the Project Team – delineate roles.
- Finalize the Detailed Project Schedule
- Prepare BIA questionnaire
- IS support for resumption of operations.
- Select BIA questionnaire recipients
- Distribute BIA Questionnaire to Recipients

Step Two: Business Impact Analysis
- Gather & review BIA analysis data
- Conduct BIA interviews
- Identify time-sensitive processes.

Step Three: Disaster Readiness Strategies
- Define & cost Business Continuity Alternatives
- Recommend DR Strategy - business needs.
- Prepare Management Report and Presentation
- Obtain Disaster Readiness Strategy Approval
- Obtain approval for funding components.

Step Four: Develop and Implement the Plan
- Define the scope and number of BCPs
- Develop alternate site RFP
- Define the BCP teams, conduct meetings
- Organize plan data
- Resources lists: people, places & things.
- Schedule BCP team meetings.
- Identify team tasks and procedures
  23. 23.
- Emergency response
- Identify problem escalation
- Identify resumption & recovery operations
- Identify restoration of facilities and contents
- Conduct plan document reviews

Step Five: Maintenance and Testing
- Establish a Plan Exercise Program
- Establish training requirements
- Prepare and run sample exercises
- Update and refine the plan regularly
- Develop plan maintenance procedures
  24. 24. Establishing and Defining BCP Goals Worksheet

Step | Goal | Timeframe
Step One: Initiation | |
Step Two: Business Impact Analysis | |
Step Three: Disaster Readiness Strategies | |
Step Four: Develop and Implement the Plan | |
Step Five: Maintenance and Testing | |
  25. 25. BCP Overview Quiz

1. Disaster Probability describes:
A) How an event or disaster will affect the organization or agency, how much damage is likely to be caused
B) The chances of an event taking place, how likely it is to occur
C) The cost of the damage after a disaster has taken place
D) How many people will be affected by a disaster

2. Disaster Vulnerability describes:
A) The amount of preparation made for a specific disaster
B) The plan of action when a disaster occurs
C) The cost of the damage after a disaster takes place
D) How an event or disaster will affect the organization or agency, how much damage is likely to be caused

3. BCP is:
A) High-level disaster mitigation and recovery planning
B) Lower-level planning, process for returning business conditions to normal function
C) Low-level plan for what to do when a disaster is occurring
D) A plan to respond to a specific systems failure or disruption of operations

4. Emergency Management is:
A) High-level disaster mitigation and recovery planning
B) Lower-level planning, process for returning business conditions to normal function
C) Low-level plan for what to do when a disaster is occurring
D) A plan to respond to a specific systems failure or disruption of operations

5. Disaster Recovery is:
A) High-level disaster mitigation and recovery planning
B) Lower-level planning, process for returning business conditions to normal function
C) Low-level plan for what to do when a disaster is occurring
D) A plan to respond to a specific systems failure or disruption of operations

6. Contingency Planning is:
A) High-level disaster mitigation and recovery planning
B) Lower-level planning, process for returning business conditions to normal function
C) Low-level plan for what to do when a disaster is occurring
D) A plan to respond to a specific systems failure or disruption of operations
  26. 26.
7. Which describes a type of event or disaster?
A) Natural
B) Man Made
C) Technological
D) Disease
E) All of the above

8. The most risk from a disaster occurs when there is:
A) Low Probability and High Vulnerability
B) High Probability and Low Vulnerability
C) Low Probability and Low Vulnerability
D) High Probability and High Vulnerability

9. Which is NOT one of the 'Five R's of Continuity'?
A) Response
B) Resume
C) Replace
D) Recover
E) Restore

10. How many organizations will suffer fire, flood or storm, power failures, terrorism, hardware or software disaster?
A) One in fifty
B) One in twenty
C) One in ten
D) One in five
  27. 27. Chapter 4: Planning and Managing a BCP Project

A Planner's Role – Sample Job Description

1. The primary focus of the Business Continuity Planner is to maintain a viable and rehearsed recovery plan that demonstrates to management the organization's ability to continue business operations and computer related processes, following a disruption of agency services. Maintenance of the plan is ongoing to reflect both changes that occur within the computer center and changes to the company. A rehearsal is conducted regularly to ensure the viability of the plan. Training also occurs on a regular basis to assure an organization-wide awareness of the recovery function.
2. Identify and review the critical tasks which are essential during a recovery effort.
3. Establish a timetable for regular review and updating of all tasks, resources and procedures outlined in the plan.
4. Coordinate monthly, quarterly, semi-annual, and annual rehearsals of the plan as outlined in the project plan; report results to management and update the plan as required.
5. Establish an ongoing training program, which ensures employee awareness of the functioning of the plan.
6. Distribute plan materials as appropriate.
7. Establish a standards program, which ensures that changes to critical procedures, functions, and documentation are reflected in the plan.
8. Maintain contact with associates to assure that recovery support considerations are current.
9. Maintain contact with vendors to assure their support during a recovery effort.
10. Act as a liaison between divisions and support areas, including auditing, concerning recovery issues.
11. Meet regularly with recovery teams to review responsibilities required during a recovery effort.
12. Maintain contact with city, county, state, and federal emergency organizations that may be involved during a recovery effort.
13. Provide input and support, as required, to other departmental areas for projects that relate to contingency planning (e.g., updating documentation, creating procedures, and evaluating security systems).

  28. 28.
14. Research, evaluate, and recommend internal and external solutions to recovery problems.
15. Maintain contracts for alternate facilities and/or services.
  29. 29. Budget Considerations

The budget for a viable, regularly rehearsed and maintained recovery program must be carefully allocated. Consideration should be given to the following areas concerning budget planning:

1. Alternate Site(s): The monthly subscription cost for contracts with alternate site(s)
2. Rehearsing: The costs for in-house rehearsing (e.g., associates, computer time, supplies, food, special materials, off-hour access to files stored off-site) and the costs for alternate site rehearsal (e.g., transportation of associates and supplies to the alternate site, food, lodging, computer time, employee overtime)
3. Off-site Storage of Data Files: The cost for maintaining off-site storage of critical files
4. Off-site Storage of Documentation and Supplies: The cost for duplicating and/or purchasing documentation and supplies and storing them off-site
5. Training: The cost for ongoing employee training (e.g., supplies, printing)
6. Recovery Plan Printing: The cost for printing updates to the plan
7. Declaration of a Disaster: The disaster declaration fee (this should be covered by extra expense insurance)
8. Recovery Coordinator: Compensation for the Recovery Coordinator and recovery staff members
9. Recovery and Contingency Planning Seminars/Conferences: Allotment for seminars and conferences pertaining to recovery and contingency planning
  30. 30. Initial Project Planning Worksheet

Task Name | Duration | Start | Finish | % Complete | Predecessor | Resources
Project Approval | | | | | | Executive Team
Project Initiation | | | | | |
Appoint BCP Project Manager | | | | | | Executive Team
Select BCP Project Team | | | | | | Project Manager, Management
Project Kick-off Meeting | | | | | | Project Manager, Project Team
Review Existing BCP | | | | | | Project Manager, Project Team, Management
Business Risk & Impact Analysis | | | | | | Project Manager, Project Team, Management
Business Risk Assessment | | | | | | Project Manager, Project Team, Management
IT & Communications | | | | | | Project Manager, Project Team, IT Management
Other Existing Disaster Recovery Procedures | | | | | | Project Manager, Project Team, Management
Premises Issues | | | | | | Project Manager, Project Team, Facilities Management
Prepare Emergency Plan | | | | | | Project Manager, Project Team, Management
Develop Back-up & Recovery Strategies | | | | | | Project Manager, Project Team, Management
Identify Key BCP Personnel & Supplies | | | | | | Project Manager, Project Team, Management, Staff
Identify Key Documents & Procedures | | | | | | Project Manager, Project Team, Management
Develop Disaster Recovery Plan | | | | | | Project Manager, Project Team, Management, Staff
Develop Plan for Handling Emergency Situation Notification & Reporting During the Disaster Recovery Phase | | | | | |
Develop Business Recovery Plan | | | | | | Project Manager, Project Team, Management, Staff
Managing the Business Recovery Phase | | | | | | Project Manager, Project Team
Develop Business Recovery Activities | | | | | | Project Manager, Project Team, Management
Develop Plan for Testing the BCP Process | | | | | | Project Manager, Project Team
Planning the Tests | | | | | | Project Manager, Project Team
Conducting the Tests | | | | | | Project Manager, Project Team, Management, Staff
Develop Plan for Training Staff in Business Recovery Process | | | | | | Project Manager, Project Team
Managing the Training Process | | | | | | Project Manager, Project Team, Management
Assessing the Training | | | | | | Project Manager, Project Team, Management
Approval of BCP | | | | | | Project Manager, Executive Team
Maintaining the Plan | | | | | | Project Manager, Project Team
  33. 33. Planning Team Responsibilities

1. Analyze your business. Working with the full support of senior management, you need to understand your business and the way it works, including which functions are essential and where vulnerabilities lie.
2. Assess the risks. You need to understand what emergencies might affect your business and what impact they would have. By focusing on impacts rather than causes, you will make sure your plan allows you to deal effectively with an incident, no matter what the source.
3. Develop your strategy. You will need to agree with senior management the organization's appetite for risk. You can then decide which risks can be accepted, which risks can be reduced and which risks should be managed using business continuity planning.
4. Develop your plan. You should then develop a business continuity plan covering the agreed areas. All plans look different, but they should be clear about roles and responsibilities, easy to understand and open for consultation and review around your organization.
5. Rehearse your plan. Rehearsal helps you to confirm that your plan will be connected and robust if ever you need it. Rehearsals are also a good way to train staff that have business continuity management responsibilities. Lessons from exercises can be used to refine your decisions in steps one to four.
  34. 34. Planning Teams Documentation

Team Name: BCP Steering Committee
Team Leader Name:
Assistant Team Leader Name:

Team Members | Agency Role | Rationale
1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
  35. 35. Team Name: BCP Development Team
Team Leader Name:
Assistant Team Leader Name:

Team Members | Agency Role | Rationale
1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
  36. 36. Team Name: Disaster Recovery Team
Team Leader Name:
Assistant Team Leader Name:

Team Members | Agency Role | Rationale
1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
  37. 37. Team Name: Crisis Management/Emergency Response Team
Team Leader Name:
Assistant Team Leader Name:

Team Members | Agency Role | Rationale
11. 12. 13. 14. 15. 16. 17. 18. 19. 20.
  38. 38. Planning Teams Checklist

Planning Team Checklist | Yes | No

1. Have team members been selected to represent each area of the agency?
2. Have all needed personnel been assigned to project? Has this been confirmed by management?
3. Has a contact list been developed for the project team?
4. Has a team organization chart been developed?
5. Have individuals provided schedule constraints and other input to help determine best fit of work to personnel?
6. Have work requirements and personnel been reviewed to determine the need for additional personnel or changes in the assignments?
7. Have support resources been identified?
8. Are the necessary planning documents available? (see attached list)
9. Have the task lists from the WBS, effort, and personnel assignments all been input to a project planning tool?
10. Have initial schedules been generated with the planning tool and results been reviewed to see that they meet project goals?
11. Have adjustments been made to order of work, assignments, or WBS to meet project goals?
12. Have changes been negotiated as needed to modify project requirements to meet the project goals, given any resource constraints?
13. Have changes been negotiated to modify personnel commitments to meet the project goals, given any requirements constraints?
14. Has the complete initial schedule been reviewed with Senior Management and all affected parties?
15. Has the resulting schedule been documented in the project plan?
16. Has the project team completed a technical review of the plans?
  39. 39. Response Teams Responsibilities

1. The Damage Assessment/Salvage Team is responsible for the damage assessment of the company's location and advising the Executive Management Team of the results. Works with the Facilities/Security Team to verify the building can be occupied after a disaster. After damage assessment is completed, this team will also be responsible for coordinating salvage operations as required.
2. The Transportation Team is responsible for making emergency arrangements for personnel transportation, lodging, and dining at the Alternate Site. Also is responsible for ordering and ensuring the delivery of offsite storage items and supplies.
3. The Physical Security Team is responsible for the facility and its security. In a disaster, this team is also responsible for providing security to the Alternate Site if required.
4. The Public Information Team is responsible for all Public Relations (Public Relations and Crisis Communications) and other communications (e.g., Coordination with Public Authorities).
5. The Insurance Team is responsible for assuring that insurance policies are sufficient and also responsible for submitting insurance claims.
6. The Telecommunications Team is responsible for the restoration and maintenance of all Voice Communications and Data Communications. Also responsible for ensuring telephones are operational at the Alternate Site.
  40. 40. Response Teams Checklist

Response Teams Checklist | Yes | No

1. Has a Response Plan been:
• Developed?
• Updated within the last 6 months?
2. Has a Response Plan been:
• Documented?
• Maintained?
3. Does the Response Plan include the following sections:
• Identification?
• Incident Management?
• Responsible organization officer?
• Personnel responsible for updates?
• Response?
• Recovery?
• Restoration?
• Plan Exercise?
• Plan Maintenance?
• Business Recovery Teams and Contact Information?
4. Does the Response Plan identify hardware and software critical to recover the Business and/or Functions?
5. Does the Response Plan identify necessary support equipment (forms, spare parts, office equipment, etc.) to recover the Business and/or Functions?
6. Does the Response Plan require an alternate site for recovery?
Does the Response Plan provide for mail service to be forwarded to the alternate facility?
Does the Response Plan provide for other vital support functions?
7. Are all critical or important data required to support the business being backed up?
Are they being stored in a protected location (offsite)?
8. Do you conduct a walk-through exercise of your Plan at least annually? (This should include a full walk-through as well as "elements" of your plan, i.e. accounts payable, receivable, shipping and receiving, etc.)
9. Do the walk-through element exercises have a prepared plan which includes:
• Description
• Scope
• Objective
10. Is a current copy of the Response Plan maintained off-site?
  41. 41.
11. Do all users of the Response Plan have ready access to a current copy at all times?
12. Is there an audit trail of the changes made to the Response Plan?
13. Have all employees responsible for the execution of the Response Plan received training in Disaster Recovery and Emergency Management?
