This document discusses disaster management and disaster recovery planning. It begins with defining what constitutes a disaster and provides examples of past disasters. It then discusses what a disaster recovery plan is and the key components of developing a plan, including assessing risks, developing recovery strategies, creating detailed recovery plans, and testing plans through training and exercises. The overall approach involves scoping, planning, implementing, and maintaining a disaster recovery plan on an ongoing basis.

1. Disaster Management
(i.e. Business Continuity)
Josef C. Mueller
Associate Partner

2. Objective
To discuss information systems
disaster management and the
formation of backup and disaster
recovery plans

3. Agenda
• Introduction
• Disaster Recovery Approach
• DR Team Organization
• Case Study
• Example Disaster Recovery Services
• Open discussion

4. What is a Disaster?
Any unplanned event that requires immediate
redeployment of limited resources
Any unplanned event that requires immediate
redeployment of limited resources
Natural Forces
 Fire
 Environmental
Hazards
 Flood / Water
Damage
 Extreme Weather
Technical Failure
 Power Outage
 Equipment Failure
 Network Failure
 Software Failure
Human Interference
 Criminal Act
 Human Error
 Loss of Users
 Explosions
Sample Disasters
Introduction

5. Some Examples of Disasters
The Chicago Flood
The underground flood of Chicago on Monday April 13, 1992 proved to be one of
the worst business disasters ever. 230 buildings lost power because water
threatened their underground power sources.
The World Trade Center Explosion
Businesses were forced to evacuate the World Trade Center in February 26, 1993.
When a bomb exploded in the underground parking garage. Companies that
were effected by the disruption were unable to remove critical equipment and
documents.
The San Francisco Earthquake
The Oct 18, 1989 quake measured 7.0 on the Richter Scale. The Bay bridge had
collapsed. The city had lost the main business section due to the collapse of
buildings and electricity.
Introduction

6. Some Examples of Disasters (Cont’d)
Hurricane Andrew
August 22, 1992, Hurricane Andrew hit the South Florida area. Many businesses
suffered physical and financial losses from the hurricane, the valuation of destroyed
property was the largest in US history.
The Kobe Quake
The devastation on January 17, 1995 was the worst in the port city of Kobe where
the 7.2 magnitude quake toppled roadways, wrecked docks, severed
communication lines and kept the city in flames into the next day.
Oklahoma City Bombing
On April 19, 1995, a terrorist bomb exploded in front of the nine-story Alfred P.
Murrah Federal Building in downtown Oklahoma City. The blast destroyed one-
third of the building from roof to ground, leaving a crater eight feet deep, and 30
feet wide.
Introduction

7. What is a Disaster Recovery Plan?
A management document for how and when to utilize
resources needed to maintain selected functions when
disrupted by agreed upon incidents
A management document for how and when to utilize
resources needed to maintain selected functions when
disrupted by agreed upon incidents
 Business Continuity Plan
 Contingency Plans
 Continuity Plans
 Emergency Response Plans
 Business Recovery Plans
 Recovery Plans
Other names commonly used:
Introduction

8. Assess
Damage
Restore
Primary
Site
Prepare
New Site
Confirm
Response
Strategy
Execute
Required
Functions
Transfer &
Execute at
New Site
Transfer to
Alternate
Location
Incident
Return to
Normal Operations
Transfer &
Execute at
Primary Site
Generate
Change
Requests
Assess DRP
Effectiveness
When an incident occurs, the Disaster Recovery response
activities are likely to be the following (at a high level).
Introduction

9.  Regional Area
 Local Area
 Within 3 Blocks
 To The Building
 Within 3 Floors
 On The Floor
 Within The Room
What is the magnitude of an incident?
Depending upon the magnitude of an incident, possible
alternative sites include:
Introduction
 Within The Room
 Within the Building
 Within the Region
 Outside the Region

10. Integrity Controls
 Policy
 Methodology
 Staffing
 Education
 Division of
Responsibility
 Audit
 Error and Change
Control
 Reporting and
Resolution
 Test
 Quality Assurance
Confidentiality Controls
 Proprietary Information
Policy
 Ethics Statement
 “Need to Know”, “Need to
Withhold”
 Classification Scheme
 Records Management
 Handling Procedures
 Physical & Electronic
 Security Measures
Availability Controls
 Asset Identification
 Interruption Analysis
 Controls Review
 Impact Analysis
 Data Backup
 Off-site Storage
 Avoidance Strategies
 Mitigation Strategies
 Early Detection &
Notification
 Recovery Strategies
 Alternate Locations
 Plans and Procedures
 Vendor Relationships
 Training
 Testing
Types of Controls
Introduction

11. Avoidance Strategy
 Redundant
configuration to avoid
incidents
 Site harden facilities to
resist incidents
 Redundant utilities
and hardware
 Automated operation
recovery plan
Mitigation Strategy
 Early warning detection
 Contractual agreements
with vendors
 Mirrored data and
documents
 Detailed migration
recovery plan
Recovery Strategy
 High level recovery plan
 Off-site data storage
 Very responsive vendor
relationships
 Very knowledgeable
employees
Types of Strategy Options
 Hot site
 Cold site
 Self Backup
 Service Bureau
 Reciprocal Agreement
Introduction
Types of Strategies

12. What is a Critical Business Function?
A specific entity management has decided is so significant to the
business mission, that without it, the organization cannot successfully o
perate after an identified time period.
A specific entity management has decided is so significant to the
business mission, that without it, the organization cannot successfully o
perate after an identified time period.
Financial Loss
 Lost Revenue
 Lost Sales
 Lost Market Share
 Lost Opportunity
Extra Expense
 Labor Cost
—Recreate Lost
Business
—Recreate Lost Data
—Use Manual Process
 Equipment Cost
—Hardware /
software
—Telephones
 Money Cost
—Delayed Receivable
—Delayed Orders
—New Interest
—New Investments
Human Interference
 Management Control
 Employee Relations
 Stockholder Relations
 Public Image
 Legal Exposure
 Contractual Liability
 Competitive Advantage
Types of Impact
Introduction

13. Timing Requirements
 Minutes
 Hours
 Days
 Weeks
 Quarters
 Special Situations
Interdependencies
 Inputs and Outputs
Criteria for a Critical Business Function
Cost of
Impact $
Impact
Cost
Cost of
Control $
Cost of Control vs. Impact
Introduction

14. Implementing Recovery Plans is not an easy task!
 Recovery prevention techniques are inadequate
 Increase the level of user security awareness and education
 No recovery plan at all
 Plan is stored on the “ultimate” computer (in IT directors’ head)
 Establish short-term alternate processing procedures
 Removal of systems running on obsolete machines
 Recovery plans are too theoretical and not geared to the organization’s
needs
 Plans are unwieldy
 Recovery plans are in a written format and/or are not updated
 Backup not tested
 Plans not tested
 Plans are located in the computer room or the building
 Plans are too grandiose (EXPENSIVE)
 Plan does not address PCs / workstations
 “People Factors” are not taken into account
Introduction

15. Planning Activities
Maintenance
Activities
Changes
Changes
from
tests
Up-to-Date
DRP
Recovery Activities
Changes
from
event
Normal
Operations
The following Life Cycle model is useful when
thinking about Disaster Recovery.
Disaster Recovery Approach

16. Planning
The primary objective for the Planning Phase is to gain management
consensus on the focus areas and scope of a Disaster Recovery Plan that
will address major business risks
Implementation
Scoping &
Risk
Assessment
Planning
Recovery
Strategy
Development
Disaster
Recovery
Plan
Approval
Training
&
Testing
Implementation
The primary objective for the Implementation Phase is to develop, test,
and rollout a Disaster Recovery plan. The implementation phase could be l
onger or shorter, depending upon scope, approach, and staffing defined d
uring the Scoping and Risk Assessment phase
Disaster Recovery Approach

17. Activities
• Management Briefing
• Questionnaires
• Interviews
• Focus Groups
• Workshop
Determine the focus areas and scope
for the Disaster Recovery Plan
implementation phase
Scoping &
Risk
Assessment
Recovery
Strategy
Development
Disaster
Recovery
Plan
Approval
Training
&
Testing
Key Deliverables
• Scoping and Risk Assessment
Report
• Requirements Summary
• Current Capability Summary
• Critical Business Functions
Matrix
• Critical Systems Matrix
Disaster Recovery Approach

18. Develop strategies for each of the
most critical systems based upon the
outcome of the Scoping and Risk As
sessment phase
Disaster Recovery Approach
Activities
• Develop Strategies
• Select Spinoff Projects
Key Deliverables
• The Recovery Strategy Report
• Alternatives and
recommendations
Scoping &
Risk
Assessment
Recovery
Strategy
Development
Disaster
Recovery
Plan
Approval
Training
&
Testing

19. Develop detailed plans for business
continuity based upon the specific st
rategy identified for each critical sys
tem
Disaster Recovery Approach
Activities
• Develop Recovery Plan
Key Deliverable
• Recovery plan includes
• Assessment Plan & Procedures
• Notification Procedure
• Recovery center Procedure
• Migration Plan (facilities, data,
people)
• Team Organization ( Roles &
Responsibilities)
Scoping &
Risk
Assessment
Recovery
Strategy
Development
Disaster
Recovery
Plan
Approval
Training
&
Testing

20. Disaster Recovery Approach
Develop detailed plans for business
continuity based upon the specific st
rategy identified for each critical sys
tem (continue)
Key Deliverable
• Maintenance Procedures include
• Responsibility matrix for
maintenance
• Testing strategy
• How to update the Recovery
Procedure
• Ongoing Center recovery training
schedule
Activities
• Develop Maintenance
Procedures
• Prepare facilities and
Infrastructure
• Recovery Center Location, facilities
and required component
Scoping &
Risk
Assessment
Recovery
Strategy
Development
Disaster
Recovery
Plan
Approval
Training
&
Testing

21. Provide training to the recovery team
and conduct the testing based upon the
testing approach documented in the
Maintenance procedure
Disaster Recovery Approach
Activities
• Prepare training materials
• Conduct & Evaluate
Training
Key Deliverables
• Training material
• Trained staff
Scoping &
Risk
Assessment
Recovery
Strategy
Development
Disaster
Recovery
Plan
Approval
Training
&
Testing

22. Get the Disaster Recovery Plan
approved and rollout to the organiza
tion
Disaster Recovery Approach
Activities
• Revise plan (if necessary)
• Approve the Disaster
Recovery Plan
Key Deliverable
• Management Sign-off
• Publication & Distribution of the
disaster recovery
Scoping &
Risk
Assessment
Recovery
Strategy
Development
Disaster
Recovery
Plan
Approval
Training
&
Testing

23. An Example of Disaster Recovery Team
Administrative
Support
Customer
Liaison
System Software
and Database
Administration
Security
Computer
Operation and
Off-site Storage
Network
Delivery
Application
Support
Services
Delivery
Production
Application
Support
Disaster
Recovery
Coordinator
Site Restoration
Disaster Recovery
Director
DRP Management
Team
DR Team Organization

24. Examples of Data Center Roles & Responsibilities
Title Roles Responsibilities
Disaster Recovery
Director
Act as an advisor to the
DR management team.
Administrative
Support
Provide administration
support to the DR team
DR management
Team
Act as the steering committee
of the DR Team
• Provide overall management support to DR
team
• Responsible for strategic decision and key
requirements or changes on DRP
• Make key decisions according to DRP
DR Team Organization
• Oversee the activities of the DR team
• Budget for future DR requirements
• Communicate with other management to
deal with the business process and recovery
procedures
• Provide the DR team with administrative
resources and facilities
• Co-ordinate with lawyers for court cases and
handle legal documents
• Responsible for accounting matters on DR’s
expenses
• Investigate the amount of damaged resources
and insurance claims

25. Disaster Recovery
Coordinator
Centralized coordination
for the entire DR team
•Declare a disaster for each critical system
component or for an entire site
•Inform the DR team of the decision
•Execute DR procedures and recovery
strategies
•Ensure that the DRP is updated and test on a
regular basis
Site Restoration Co-ordinate the recovery
operations should a site be
destroyed
•Organize security control for the disaster site
and alternate processing site as required
System Software
and Database
Administration
Prepare recovery and
restoration of software
and databases
Customer Liaison Coordinate and coordinate
with users and customers
on any recovery issue
•Notify users and clients of the disaster
•Issue updates of recovery progress and
expected time of recovery
•Help on data center migration issues and
work re-allocation
•Responsible for the restoration of Hosts,
Servers, DB, synchronize data, etc.
DR Team Organization
Examples of Data Center Roles & Responsibilities
Title Roles Responsibilities

26. Computer
Operations and off
site storage
Manage storage of the
backups
•Provide ready access to the required backups
•Ensure the backups are stored in a secure
environment
DR Team Organization
Examples of Data Center Roles & Responsibilities
Title Roles Responsibilities
Application
Support
Manage applications with
regard to DRP
•Manage application changes to ensure they
are compliant with the DRP and vice versa
Network Delivery Manage and monitor
voice and data network
•Oversee the recovery of the communication
environment
•Switch users to use the alternate network
•Co-ordinate with the communication service
providers for WAN service recovery
Security Review and monitor DR
procedures
•Ensure the DR procedures comply with the
firm security and audit policies

27. DR Team Organization
Examples of Data Center Roles & Responsibilities
Title Roles Responsibilities
Service Delivery Manage IT service
delivery
•Oversee the service management recovery
•Provide helpdesk and end-user support as in
DRP
•Work closely with Customer Liaison and
Disaster Recovery Coordinator to ensure
synchronization of communication channel to
the users and the DR team activities.

28. The Chicago Flood : Impact
• One of the worst business disasters
• 230 buildings lost power for a couple of days
• Valuable government records were in jeopardy
• Extensive impact on electrical and computing systems
• The greatest financial impact on the CBOT, losing 25 billion in trading of
36 products
Case Study

29. • Using Alternate Site Services approach
• Providing the alternate site nearly identical to the customer’s damaged
site
• Implemented by Comdisco Continuity Service
The Chicago Flood : Disaster Recovery
• Helped 2 Chicago banks resume operation within hours of evacuation
• 17 customers from the financial, brokerage, government and service/
distribution industries, were supported at their hot sites within half a day
The Chicago Flood : Recovery Result
Case Study

30. • Building-wide power outage
• Structural damaged and employee trauma, Businesses were down
• Water problem due to pipes were severed
• Injured and Dead reports, the building was considered a crime scene
The World Trade Center Explosion : Impact
• Fiduciary Trust, a banking and financial institute’s Recovery Plan
• The data center switched automatically to their secondary power system
• Moved the operation to their alternate site in NJ which equipped with a
computer network nearly identical to that of the bank
The World Trade Center Explosion : Recovery
Case Study

31. • System was down for Friday afternoon and was up and running by
Monday morning as if nothing had happened
• Employees retained their usual telephone numbers
• Transactions went through the same as always
• Customers couldn’t even detect that the bank was no longer operating
from the World Trade Center
The World Trade Center Explosion : Recovery Result
Case Study

32. Examples of Disaster Recovery Services
Alternate Sites
Provide alternate site nearly identical to the customer’s damaged site
Business Impact Analysis
Provide services such as defining disaster plans and addressing
exposures to business and recovery administrators
Certification
Provide services such as certifying qualified individuals in the discipline
and promoting the credibility and professionalism of certified
individuals
Example Disaster Recovery
Services

33. Education Classes
Creating a base of common knowledge for the business
continuity/disaster recovery planning industry through education,
assistance, and the promotion of international standards
On-Site Recovery Facilities
Manage the mobilization of an on-call response team, prepare pre-
designated site, erect temporary pre-engineered structures, install
mechanical and electrical systems and coordinate move-in activities
Satellite Communication
Provide satellite telecommunications products and services
Example Disaster Recovery
Services
Examples of Disaster Recovery Services

34. Service Providers : Consulting Services
Andersen Consulting
www.ac.com
Bell Atlantic Federal CommGuard
www.commguard.com
Comdisco
www.comdisco.com
Computer Security Consultants, Inc.
www.crciweb.com
GSA Disaster and Business Recovery
www.gsa-gsa.com
Intessera Technologies Group
www. intessera.com
Example Disaster Recovery
Services

35. Service Providers : Alternate Site Services
ARC Disaster Recovery Services
www.arcdrs.com
Comdisco
www.comdisco.com
HP Business Recovery Services
www.hp.com
IBM Business Recovery Services
www.brs.ibm.com
SunGard Recovery Services, Inc. recovery.sungard.com
Example Disaster Recovery
Services

36. El Camino
www.elcamino.com
Providers : Computer Quick-ship , Hardware
Replacement
Example Disaster Recovery
Services

37. Open discussion
Q & A
Disaster Management
(i.e., Business Continuity)