Section 1 describe the process (steps) you would use in any organiz

1. Section 1: Describe the process (steps) you would use in any
organization to develop and deploy a business continuity and
disaster recovery plan.
In order to define processes for an organization to develop and
deploy a Business Continuity and Disaster recovery plan, we
have to consider many factors and evaluate how this process and
procedure can help organization to quickly recover back and
continue with the Business with minimal disruption. BC & DR
plan are done in phases, starting with planning for Business
Continuity Planning for disaster recovery In event of Disaster
Implement Disaster Recovery- followed by Business Continuity
Implementation to bring business to normalcy and at the
final stage revise the plan and updating both BC & DR plan
accordingly.
As BC & DR requires organization to continuously perform any
risk analysis, vulnerability assessments and evaluating their
impact on the business. Based on these study and their impact
on business, it could have able to clearly documented and
categories risk as High, Moderate and low and develop
mitigation strategies , identifying tools and resources to
mitigate such risks.
There are seven progressive steps of contingency planning
processes to develop and maintain a viable contingency
planning program for BC & DR as defined in "Contingency
Planning Guide for Federal Information Systems". These steps
are designed to be integrated into each stage of the SDLC cycle.
These steps are
1. Develop the contingency planning policy statement.
2. Conduct the business impact Analysis (BIA).
3. Identify Preventive Control.
4. Create Contingency strategies.
5. Develop an information system contingency plan.

2. 6. Ensure plan testing, training and exercise.
7. Ensure plan maintenance.
Considering all the above factors, I would have started with
contingency planning overview to develop a framework [a
framework that can develop by People using technologies,
Infrastructure and Process] (Susan Snedakar, 2013) for business
continuity and document it based on clearly defined policies.
This policy should clearly define process and procedure for DR
plan. Once we laid down this process and procedure, we can
then associate them with DR team.
I would have also conducted Business Impact analysis (BIA)
which is the vital part for contingency planning and for initial
framework built-up. These BIA is also a part of initial SDLC
process. While doing BIA I would have considered mainly three
factors
i. Identify system/applications which are mission critical and
what is the impact on these in event of any outage and how long
will it take before these will be available for business. This help
me to prioritize the resources and estimate the cost associated
with the downtime and analysis any other impacts on business.
ii. Identify resources, which include facilities, personnel,
equipment, data files, system components and any vital records.
iii. Identify recovery priorities for this mission critical system.
After doing BIA, I would have follow up with BC plan creation
defining the organization’s critical business processes and keep
on redefining this processes and procedure as part of ongoing
improvement to Business continuity. As we have seen that
people are the main players and contributor for laying out
processes and technologies for BC & DR (Susan Snedakar,
2013). I would work with all respective business units and other

3. keys peoples to understand the risks that are associated with
business continuity planning and their probability of occurrence
and based on that I would have developed mitigation plan to
avoid those risk.
In addition, in some cases outage impacts identified in the BIA
may be mitigated or eliminated through preventive measures
(NIST Special Publication 800-34 Rev. 1). I will also consider
these factors while planning DR plan.
While taking BIA and BC Plans as a basic for DR plan
development. I would have built DR plan through phases
defined in Business Continuity and Disaster Recover (Susan
Snedakar, 2013) by following KPMG guidelines (KPMG LLP,
2001).
I would have clearly defined in the BC&DR plan which action
or activities will be the trigger for DR plan activation and
categories their severity. In DR plan, roles and responsibities of
DR team members are clearly defined to avoid any confusion.
Transition from disaster recovery to business continuity needs
to be well defined so that we can begin to resume business
activities.
Once we have all the plan and process in place and budget to
support this plan. In event of DR I would have setup command
center , so that all stakeholders can able to communicate and
keep on providing the status update right from DR event
initialization making DR site operational till checking that
all application are working as expected and switching back to
the normal operation. (KPMG LLP, 2001).
At the end during the entire process, we will keep tracking all
events and revise our BC & DR plan to include all changing
organization and system requirements.
Section 2: Critically review the Texas A&M plan provided and
suggest ways to improve, note any missing elements, and

4. provide any other suggestions you have for the development
team.
Disaster Recovery plan guide for Texas A&M University –
Central Texas (TAMUCT) Information Technology Services
(ITS) management is mainly having below components for DR
plan.
· Plan overview.
· Plan Objectives and Disaster Recovery Phases.
· Sequential list of disaster recovery tasks.
· Description of recovery of infrastructure and application
components.
· DR Plan testing.
· Personnel and vendor reference.
· Emergency telephone numbers.
Primarily this seems to be well thought DR plan , while going
through the establish checklist [Business Recovery Checklist-
KPMG] , I see that below point should be included in the plan
to further enchancing DR Plan for TAMUCT Information
Technology Services.
1. Missing Contingency Planning Policy:
Texas A&M University DR plan does not reference any business
continuity and contingency planning policies. I would suggest
providing references to BIA and BC plan within the DR plan for
the DR teams to understand the specifics of critical systems and
address them in case a disaster. This will helpful in defining
and prioritizing BC & DR based on business criticality.
2. Critical Business Processes Description:
There is no reference or any description on critical business
processes or systems has been given in the plan. As per BC &
DR, we should have given reference or description about the
critical system, which might have help DR team to understand

5. the scope of applications.
3. Research Time Objective (RTO) time are based on estimate:
Page-13 = “These RTO’s should be considered best-case
estimates. Currently, TAMUCT does not have computer
hardware available for recovery nor contracts or agreements in
place to obtain hardware on a priority basis”. General overview
of the RTO given in the plan is based on assumption and it
seems there is no real time testing ever done for this RTO.
4. Research Point Objective (RPO) Criticality of Business not
defined:
There is no timeline given based on the application criticality.
General assumption of 7 days is given in the plan.
RPO timeline must match with BCP requirements and
criticality.
5. DR Team structure not defined:
On page 18- “It say that MGMT will be responsible for the
overall coordination of the disaster recovery process, but there
is no information how the team would be formed or who will
make the team. I suggest specifying key personnel information
along with their set of assigned roles and responsibilities.
6. No Mitigation plan or any Alternate strategies are defined:
In the entire plan there is no alternate strategies defined to
mitigate any risk associated with disasters.
References
KPMG LLP (2001): ‘Business Recovery Checklist’
Snedakar, Susan. Business continuity and disaster recovery
planning for IT professionals. Newnes, 2013.
Swanson M., Bowen P., Wohl Phillips A., Gallup D., Lynes D.,

6. (2010) ‘Contingency Planning Guide for Federal Information
Systems’ NIST Special Publication 800-34 Rev. 1
Texas A&M University, Central Texas (2012) ‘Information
Technology Disaster Recovery Plan – Public Version