Business Continuity Detailed Plan

BusinessContinuityandDisasterRecovery Page1of20
AllRightsReservedITEssentialsFZE2009
Business Continuity Management
and IT Disaster Recovery
For IT Essentials FZE
Written and Compiled by: WISSAM ABDUL BAKI
info@itessentials.me
Participants: IT Group Members
Version: 1.0
Date: November 2009

A. Table of Contents
A. TABLE OF CONTENTS __________________________________________________________ 2
B. PLAN REVISION HISTORY ______________________________________________________ 3
C. ABOUT THE BUSINESS CONTINUITY PLAN__________________________________________ 4
D. COMPONENTS ________________________________________________________________ 5
E. FUNDING/BUDGETING OPTIONS FOR BUSINESS CONTINUITY__________________________ 6
CORPORATE FUNDING: ____________________________________________________________ 6
BUSINESS UNIT FUNDING: __________________________________________________________ 6
INFORMATION TECHNOLOGY FUNDING: __________________________________________________ 6
F. KEY EMERGENCY CONTACT INFORMATION _________________________________________ 7
IT PERSONNEL _________________________________________________________________ 7
EMERGENCY SERVICES ____________________________________________________________ 7
G. KEY IT SUPPLIERS AND MAINTENANCE ENGINEERS __________________________________ 8
H. COORDINATOR FOR EACH FUNCTIONAL AREA_______________________________________ 9
I. BUSINESS RISK ASSESSMENT / IMPACT ANALYSIS _________________________________ 10
J. IT DISASTER RISK ASSESSMENT AND SCENARIOS __________________________________ 11
K. IT ESSENTIALS FZE EXISTING IT RECOVERY AND SAFETY PROCEDURES _________________ 12
L. IT SYSTEMS CONTINUITY STRATEGY _____________________________________________ 13
M. EXISTING BACKUP PLAN INFORMATION __________________________________________ 14
N. IT SUPPLIES AND SUPPLIERS FOR THE HOT SITE ___________________________________ 15
O. DISASTER RECOVERY PHASE ___________________________________________________ 16
P. OVERVIEW OF THE SPECIFICATIONS OF IT & COMMUNICATION SYSTEMS________________ 17
Q. RECOVERY ACTIVITIES _______________________________________________________ 18
OVERVIEW OF THE RESPONSIBILITIES OF EACH TEAM ________________________________________________ 18
1.DISASTER MANAGEMENT TEAM ____________________________________________________________ 18
2.OPERATIONS TEAM ____________________________________________________________________ 18
3.FACILITIES TEAM _____________________________________________________________________ 18
4.COMMUNICATIONS TEAM ________________________________________________________________ 18
R. KEEPING THE PLAN UP-TO-DATE ________________________________________________ 19
CHANGE CONTROLS FOR UPDATING THE PLAN ____________________________________________________ 19
RESPONSIBILITIES FOR MAINTENANCE OF EACH PART OF THE PLAN ______________________________________ 19
TEST ALL CHANGES TO PLAN _______________________________________________________________ 19
ADVISE PERSON RESPONSIBLE FOR BCP TRAINING_________________________________________________ 19
S. CONCLUSION _______________________________________________________________ 20

B. Plan Revision History
It is the responsibility of the IT Manager to ensure that procedures are in place to keep this plan up-to-date. If,
whilst using the plan, you find any information which is incorrect, missing or if you have a problem in
understanding any part of this plan please inform IT Manager so that it may be corrected. It is important that
everyone understands their role as described in this plan.
Updated versions of the plan are distributed to the authorized recipients listed under the section: Coordinator
for each Functional Area.
Version Date Issued Reason for Update
1.0 Nov-2009 Original

C. About the Business Continuity Plan
Business continuity plan (BCP) refers to the process of developing advance arrangements and procedures that
enable an organization to respond to an event in such a manner that critical business functions continue with
planned levels of interruption or essential change. In simpler terms, BCP is the act of proactively strategizing a
method to prevent, if possible, and manage the consequences of a disaster, limiting the consequences to the
extent that a business can absorb the impact.
The BCP defines the roles and responsibilities and identifies the critical information technology application
programs, operating systems, networks, personnel, facilities, data files, hardware and time frames needed to
assure high availability and system reliability based on the business impact analysis (BIA).
Benefits of documenting a BCP
A. Increased dependency by the business over recent years on computerized production and sales delivery
mechanisms, thereby creating increased risk of loss of normal services
B. Increased dependency by the business over recent years on computerized information systems
C. Increased likelihood of inadequate IT and information security safeguards
D. Increased recognition of the impact that a serious incident could have on the business
E. Need to establish a formal process to be followed when a disaster occurs
F. Need to develop effective back up and recovery strategies to mitigate the impact of disruptive events
G. An intention to lower costs or losses arising from serious incidents
H. Avoidance of business failure from disruptive incidents
Defining a disaster
A disaster is defined as an incident which results in the
loss of computer processing at the IT Essentials FZE
site at Al Qurm Head Office, to the extent that relocation
to a Standby Facility must be considered.
A Disaster can be classified in two broad categories.
1- Natural disasters: Preventing a natural disaster is
very difficult, but it is possible to take precautions to
avoid losses. These disasters include flood, fire,
earthquake, hurricane, smog, etc
2- Man made disasters: These disasters are major
reasons for failure. Human error and intervention
may be intentional or unintentional which can cause
massive failures such as loss of communication and
utility. These disasters include walkout, sabotage,
burglary, virus, intrusion, etc.

D. Components
BCP is a self-sustaining executable recovery process that assures the reintegration of procedures, applications,
operations, systems, networks and facilities
that are critical to resumption of business.
BCP components include the following:
 Prevention: Prevent or minimize the
probability of the incident.
 Detection: Identify the circumstances
under which the organization determines
entering contingency status.
 Declaration: Specify the conditions on
which contingency is declared and
identify the person(s) who can declare it.
 Escalation: Specify the conditions on which contingency is escalated and identify the person(s) and order of
escalation in the event of contingency.
 Containment: Specify the immediate action required to contain or minimize the effect of the incident on
customers, suppliers, service providers, stakeholders, employees, assets, public affairs and the business
process.
 Implementation: Specify the complete list of actions to be followed to declare contingency status (such as
offsite processing, backup recovery, offsite media and manuals, employee transportation, and distribution
and provider contracts).
 Recovery: Disaster recovery plan (DRP), a key component of BCP, refers to the technological aspect of the
plan, while BCP addresses the overall operational and business aspect. It highlights the advance planning
and preparations which are necessary to minimize adverse business impact (such as financial loss and
image damage) and facilitate faster recovery and ensure continuity of the critical business functions of an
organization in the event of disaster within an acceptable timeframe.

E. Funding/Budgeting Options for Business Continuity
Funding the disaster recovery and business continuity plan is to be decided by high management. We hereby
provided three options of funding/budgeting with our recommendations of each.
Corporate funding:
For many organizations, the funding decision is simple. As business continuity is viewed as an organizational
responsibility and part of the cost of being in business, funding is provided at a corporate level. The benefit of
this strategy is that business continuity will have a strong and continuous commitment from executive
management. Further, it can be seen as proof that the executive management of the organization have carried
out their fiduciary duties and in the event of a disaster would be protected from any legal action.
Business unit funding:
Many organizations view business continuity funding as a business unit expense and therefore each business
unit must fund the cost of its business continuity planning. The disadvantage with this strategy is that the
business unit managers, who often are under pressure to control costs, will target business continuity as a
candidate for cost cutting as it is seen as an easy target. Although cost-effective (i.e., saves funds) in the short
term, this decision may also expose the organization's management to criticism from third parties, such as
shareholders or external auditors, and in the event of a disaster may expose executive management to legal
action for failing to carry out their fiduciary duties.
Information technology funding:
A number of organizations view business continuity as an information technology issue, rather than a corporate
or business unit issue. Therefore, funding is provided through the IT department budget. The advantage with
this approach is that IT departments historically have a good understanding of the need to have a business
continuity plan. The disadvantage with this approach is that it focuses only on the IT dependency of the
organization and not on other critical business processes and dependencies that are outside of IT.

F. Key Emergency Contact Information
IT Personnel
IT Personnel Office Phone
Mobile
(If available)
Email Address
Emergency Services
Service Phone
Police
Fire
Ambulance
Electricity
Water
Weather Forecast:
Municipality
International Airport
Coast Guard:
Directory Enquiry Services

G. Key IT Suppliers and Maintenance Engineers
This section lists all the key IT Suppliers and Maintenance Engineers who need to be contacted following a
disaster.
Requirement Contact/ Company Office Phone
Mobile
(If available)
Contract no.
(If Any)
Hardware o o o o
Data
communications
o o
Voice
communications
o o o
Wide Area Network
Equipment
o o
Software o o o
Magnetic Media o o o
Kyocera / Xerox o o o
Attendance and
CCTV
o o o
Insurance Company o o
Offsite Storage
Supplier
o o o
Transport
(Car/Truck hire)
o o
Courier Services o o

H. Coordinator for Each Functional Area
This chart includes a list of all employees subject to interviews for assessing the Impact on Functional Units
in case of Disaster.
Each interviewee represents a division and the answers collected for each division apply on the division’s
users as a whole.
Functional Area Coordinator Position
IT Department IT Manager
Internal Auditor Head of Internal Audit
Marketing Acting Marketing Manager
HR HR Manager
MSD DMD of Strategy & Performance
Management, HR & Marketing Deps.
Admin Administration Manager
Projects Chief Projects Officer
CEO Office Projects Monitoring Manager
Chairman Office Executive Secretary
Finance Senior finance Manager
Investor Relations Assistant Registry Manager
Collections
Contracts
Legal Legal Advisor
United Cool

I. Business Risk Assessment / Impact Analysis
The purpose of the business impact analysis (BIA) is to help IT Essentials FZE identify which business units,
operations and processes are essential to the survival of the business. The BIA will facilitate the identification of
how quickly essential business units and/or processes have to return to full operation following a disaster
situation. It will describe the business impact of disaster impact scenarios on the ability to deliver product or to
support mission-critical services. The BIA will also facilitate the identification of the resources required to resume
business operations to a survival level.
Business impacts are identified based on a worst-case scenario that assumes that the physical infrastructure
supporting each respective business unit has been destroyed and all records, equipment, etc. are not
accessible within a significant amount of time.
We have developed a questionnaire (Appendix A: Business Impact Questionnaire) to interview department
heads and gather their feedback, after which the result will be consolidated in the Business Impact Analysis
Report.
The objectives of the business impact analysis (BIA) are as follows:
 Estimate the financial impacts for each major business unit at IT Essentials FZE, assuming a worst-
case scenario.
 Estimate the intangible (operational) impacts for each major business unit, assuming a worst-case
scenario.
 Identify the organization’s business unit critical records and libraries as well as their locations and
alternatives if any.
 Identify the maximum downtime and the maximum data loss accepted for each business unit.
At IT Essentials FZE, we, the IT Department, have met with all department heads who answered a Business
Impact Questionnaire, based on which we developed this report.
The impact of a disaster on each department is unique, and differs in terms of Man Hours, Cash Flow,
Competitive Advantage, Shareholder Confidence, Financial Reporting, Industry Image, Employee Morale,
Customer Service and other factors.
For more information, access the Business Impact Analysis Report.

J. IT Disaster Risk Assessment and Scenarios
This BCP/DRP is prepared to overcome Information Technology and Systems related disaster for IT
Essentials FZE. Therefore, it will focus mainly on continuity of IT Services, recovering from a Technology
disaster, and overcoming future Technology tragedies.
To access the Risk assessment and Scenarios Chart, visit Appendix H

K. IT Essentials FZE Existing IT Recovery and Safety
Procedures
IT Essentials FZE IT Department has up to this point in time and since 2007, deployed the following services to
protect IT services, and mitigate common risks to technology equipment and systems.
Safety and Control Measures (2007, 2008, 2009)
 Deployed Uninterruptible power supply (UPS) to keep systems going in the event of a power failure in
the server room
 Physical controls to server room (Automatic Door Lock, Finger Print Access, CCTV)
 Temperature Alert in Server room to detect AC breakdown
 Fire Detection and Extinguisher in Server room
 A Local Anti-Theft Safe in the 3
rd
floor to store documents, tapes and other vital material
 Antivirus software (Servers and Machines)
 Antispam appliance
 Firewalls
 Intrusion Detection System
 Redundancy in Switches, Routers and IP Telephony call manager (Dual Components)
 Implemented an Information Security Policy
 Implemented a Password Policy
Backup and Recovery (2008, Off-site Storage 2009)
 Deployed a 24 Tapes Loader to backup ALL servers on a daily, weekly and monthly basis
 Carry out Daily check for Backup performance and log
 Purchased all servers with RAID 5 technology (Local mirroring of systems)
 As of October 2009, the IT department in IT Essentials FZE signed an SLA with a major service
provider, to collect backup tapes each week and store them remotely in an alternative safe
location. More information on offsite storage SLA is available in Appendix G.
Insurance Coverage
 Refer to Policy number:
 Insured Name: IT Essentials FZE
 Period of Insurance:
 Insured on a total of the following:
o Building Value / Furniture, Fixtures and Decoration
o Lifts / Air Conditioner Center
o Computers and Software

L. IT Systems Continuity Strategy
One of the most important aspects of Business Continuity Planning for the majority of organizations is in
choosing an appropriate strategy for the back-up and recovery of the IT based systems.
The two most important factors to be considered are the criticality of the IT systems to the business
processes (the speed of recovery needed), and the amount of money available for IT backup and recovery
strategies.
In IT Essentials FZE, we have been backing up our data since day one. After one year of operations, and
after our data center increased in size, a change in the backup strategy had to be done.
The IT department deployed a 24-Tape loader in the data center and performed since 1-7-2008 backup to
all services on a Daily, Weekly and Monthly basis.
Currently our weekly backup is being stored remotely as part of an SLA IT Essentials FZE signed, to collect
our tapes every Mondays at 10:00 am.
Of course, what we mentioned above is missing one major factor: zero downtime in case of a disaster. To
maintain the zero downtime factor, one option is to be considered, and that would be a Hot Live Disaster
Recovery (DR) site.
In general, DR sites options vary based on speed, and cost. Some of the common used DR site options are
listed in the table below, however based on the feedback included in our Business Impact Analysis Report,
departments cannot afford more than 4 hours of downtime for the services Exchange and Fileserver, and
therefore a fully mirrored hot site is the only recommended option.
FULLY MIRRORED
RECOVERY SITE
(HOT SITE)
This strategy entails the maintenance of
a fully mirrored duplicate site which
would enable instantaneous switching
between the live site and the back up
site.
Live Site with
automatic
switching
These sites provide the highest
degree of availability, because the
data are processed and stored at the
primary and alternate site
simultaneously.
MOBILE SITE Mobile sites are self-contained,
transportable shells custom-fitted with
specific telecommunications and IT
equipment necessary to meet system
requirements.
< 1 Day This facility is not being provided by
the listed vendors in the meantime.
COLD SITE This strategy requires building a site in a
remote location with one difference from
the hot site which is replication. The cold
site will not be Live, and therefore in the
time of disaster, the IT team will have to
install services, and restore backups
before employees can log on.
2-3 Days This option is to be considered with
accepting 2-3 days downtime.
In addition of the downtime, this option
does not save cost in comparison to
the Hot Site.
Only the replication software will not
be available.
RELOCATE &
RESTORE
This strategy involves the identification of
a suitable location, hardware and
peripherals and re-installing the systems
and backed up software and data after
an emergency has occurred. This
strategy is considered to be inadequate
for the needs of today's business.
> 2 weeks This option is not recommended, as a
downtime of more than 2 weeks is not
at all feasible, considering the loss of
man days incurred for all IT Essentials
FZE’s employees.
NO STRATEGY This is the cheapest strategy. This also
carries the highest risk and will involve
no off-site back up of system or data.
This option usually ends up with the
organization going out of business
This as well is an option, where IT
Essentials FZE accepts the risk of
disaster, and the cost of downtime
incurred.
The data center in this case will have
to be rebuilt and tested, all with no
access to IT services.

M. Existing Backup Plan Information
The following chart describes the available backup and restore plan, and sets up the expectations of the
time needed in case a restore has to be applied for all services.
Applications Server ID
/ Name
Database (s) Full
Backup
Freq
Off-Site
Yes/No
Incremental
Backup
Frequency
Off-Site
Yes/No
Backup
Media
Estimated
Recovery
Time (day)
Estimated
Size (GB)
Exchange
Server
Weekly +
Monthly
Yes Daily No 1.6TB Media
Tape Drive
1 – 2
Working
Day/s
132 GB
GP Server Weekly +
Monthly
Tape Drive
1 Working
Day
10 GB
Database
Server
Weekly +
Monthly
Tape Drive
1 Working
Day
14 GB
File Server Weekly +
Monthly
Tape Drive
1 Working
Day
1011 GB
Customer
Relationship
Management
Weekly +
Monthly
Tape Drive
1 Working
Day
1 GB
Weekly +
Monthly
Tape Drive
1 Working
Day
2 GB
WFS: Windows File System
TB: Terabyte = 1000 GB = 1,000,000 MB
For more information about IT Essentials FZE’s existing backup policy, visit IT-20- IT Servers Backup and
Tapes Policy.

N. IT Supplies and Suppliers for the Hot Site
This section contains a list of all supplies and equipment we need to obtain for the Hot Site
In addition, the three budgetary proposals of suppliers contacted, as well as the proposal regarding renting the
Hot Site at their premises, will be included herein.
Once the BCP/DRP is approved by management, official tendering will have to take place to decide on which
supplier will perform the needed site building and connection.
Attached in Appendix C, the 3 budgetary proposals in addition to ISP proposal.
Attached in Appendix F, IT Supplier for Hot Site that includes all needed software and hardware to operate
the Hot Site.
Hot Site design

O. Disaster Recovery Phase
After the continuity is taken care of in the previous sections, a critical part of handling any serious
emergency situation is in the management of the Disaster Recovery Phase.
By definition, the Disaster Recovery Phase is likely to involve, to a significant degree, external emergency
services. In addition to the emergency services, the Disaster Recovery Phase may involve different
personnel depending upon the type of emergency, each with a specific task in a specific time frame.
Review Appendix B, Detailed Outline of Responsibilities and Tasks of Each Team, for further
information.
On completion of the Initial Disaster Recovery Phase the Team Leader should prepare a report on the
activities undertaken. The report should contain information on the emergency, who was notified and when,
action taken by members of the DRT together with outcomes arising from those actions. The report must
also contain an assessment of the impact to normal business operations.
The report should be given to the Senior Management, with copies as appropriate.

P. Overview of the Specifications of IT &
Communication Systems
In IT Essentials FZE, after conducting the Business Impact review and based on departments’ feedback, the
most critical servers to store data in, existing in the Server Room, are as follows:
Server Name Description Reliability Contents Libraries & Folders
The Exchange
Server
Which stores and regulates all
incoming and outgoing IT
Essentials FZE Emails
Highly used
by All
Departments
The exchange server contains all employee
emails, contacts, calendar items, journals,
notes and tasks.
The Domain
Controller
Is the controller of all users on
the domain. The domain
controller manages authorities
on all folders, emails, and
libraries though out the IT
Essentials FZE Domain
Very Critical -
Not used by
departments
IT Essentials FZE domain. It is a backend
server connected to all servers and services
though out the company.
The File Server
Which stores all documents
worked on or is being worked on
by the employee or his/her
corresponding department.
Highly used
by All
Departments
The fileserver is divided into two main sections:
1- The Departments Folder which includes a
high level folder for each department, with
proper access rights defined.
2- The Users Folder which includes a folder for
each employee, with proper access rights
defined.
PCs and Laptops
Employee utilized PCs and
Laptops
Highly used
by All
Departments
IP Telephony CISCO IP telephony Medium
The ERP Server
(Great Plains)
Which stores all the data related
to the ERP system in the
finance department
Low
This server includes all databases of all
companies defined within IT Essentials FZE
financial system.
It also contains a high level folder containing all
work done by consultant plus latest releases.
Investor Relations
System
Low
For a detailed report including the technology critical equipment, data libraries, critical folders,
communication channels and machinery, refer to Appendix I Critical Data Contents and Infrastructure.

Q. Recovery Activities
This section contains a list of tasks for each of the recovery teams. Sensible judgment must be exercised to
determine what activities are appropriate based on the nature and extent of the disruption.
Overview of the Responsibilities of Each Team
1. Disaster Management Team
The Disaster Management Team is responsible for the following:
 Making decisions about restoring the computer processing environment in order to provide the
identified level of operational service to users.
 Managing all the recovery teams and liaising with IT Essentials FZE‘s management, company
headquarters and users, as appropriate.
 Maintaining audit and security control during the recovery from disaster.
 Controlling and recording emergency costs and expenditure.
2. Operations Team
The Operations Team is responsible for the computer and communications environment (computer room
and other vital computer locations) and for performing tasks within those environments.
This team is responsible for restoring computer processing and for performing computer room activities.
3. Facilities Team
The Facilities Team is responsible for the general environment including buildings, services and all
environmental issues outside of the computer rooms.
This team has responsibility for security, health and safety and for replacement building facilities.
4. Communications Team
The Communications Team is responsible for obtaining communications directives from the Disaster
Management Team, and communicating information during the disaster and restoration phases to
employees, suppliers, customers, and shareholders.
The following table provides an overview of the main responsibilities of each recovery team during the
lifecycle of the disaster recovery process. The detailed tasks for each team are listed in the following
sections.
Outline of Responsibilities of Each Team is available in Appendix B.

AllRightsReservedManazel2009
R. Keeping the plan up-to-date
Change Controls for Updating the Plan
It is recommended that formal change controls are implemented to cover any changes required to the BCP.
This is necessary due to the level of complexity contained within the BCP. A Change request Form / Change
Order form is to be prepared and approved in respect of each proposed change to the BCP.
This section of the BCP will contain a Change Request Form / Change Order to be used for all such changes
to the BCP.
Responsibilities for Maintenance of Each Part of the Plan
Each part of the plan will be allocated to a member of the BCP Team or a Senior Manager with the
organization who will be charged with responsibility for updating and maintaining the plan. The BCP Team
Leader will remain in overall control of the BCP but business unit heads will need to keep their own sections
of the BCP up to date at all times. Similarly, HRM Department will be responsible to ensure that all
emergency contact numbers for staff are kept up to date. It is important that the relevant BCP coordinator and
the Business Recovery Team are kept fully informed regarding any approved changes to the plan.
Test All Changes to Plan
The BCP Team will nominate one or more persons who will be responsible for coordinating all the testing
processes and for ensuring that all changes to the plan are properly tested. Whenever changes are made or
proposed to the BCP, the BCP Testing coordinator will be notified. The BCP Testing coordinator will then be
responsible for notifying all affected units and for arranging for any further testing activities.
This section of the BCP contains a draft communication from the BCP coordinator to affected business units
and contains information about the changes which require testing or re-testing.
Advise Person Responsible for BCP Training
A member of the BCP Team will be given responsibility for coordinating all training activities (BCP Training
coordinator). The BCP Team Leader will notify the BCP Training coordinator of all approved changes to the
BCP in order that the training materials can be updated. An assessment should be made on whether the
change necessitates any re-training activities.

AllRightsReservedManazel2009
S. Conclusion
Business continuity is a business survival strategy for an organization. Executive managers who fail to take
action to protect their organization will be held accountable by the shareholders, strategic business partners,
regulatory authorities or other interested parties.
Business continuity is an integral part of the organization's day-to-day business processes. Without this
integration, the organization's risks relating to a disaster significantly increase as the organization continues to
change to meet the dynamic requirements of today's business environment.
A strong business continuity environment provides assurance to the organization's executive management
that in the event of a disaster, the organization is in a superior position to survive.
Continuity and Recovery Priority Recommendations
Priority Action Decision Description
1
2
3
4
5
6
7
8

Business Continuity Detailed Plan

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Business Continuity Detailed Plan

Similar to Business Continuity Detailed Plan (20)

Recently uploaded

Recently uploaded (20)

Business Continuity Detailed Plan