Business Continuity and Disaster Recovery

The very least you should be doing…

By Mike Wade, GOUSER Member

Adjunct Professor, Southern Polytechnic State University


Business Continuity

• Business Continuity is the enterprise-wide proactive BUSINESS process by which we manage the risks we operate within.

• It addresses all aspects of the business: People, Processes, Resources and Technology (PPRT)

• The goal is: preventing or mitigating the risks we can and preparing for recovery from those we cannot, or choose not to prevent.

• Preparation is the key: You fight like you train!


Business Continuity consists of:

• Chartering of BC activity

• Establishment of Cross-Functional Team(s)

• Inventory of People, Processes, Resources and Technology (PPRT)

• Risk/Threat Identification and Categorization

• Impact Analysis and Loss Estimation

• Prevention, Mitigation and Recovery Strategizing

• Gap Analysis and Resolution Planning

• Resolution Preparation, and Implementation

• Documenting, Communicating and Training

• Testing and Revision: Ad-nauseam


Disaster Recovery

• Disaster Recovery is but one component of Business Continuity

• It consists of the response steps we take in the face of an impending disaster or in the aftermath of an actual disaster.

• It too addresses all aspects of the business: People, Processes, Resources and Technology (PPRT)

• The goal is: Preparing for recovery from those risks we cannot prevent or mitigate.

• Drilling is the key: You have to work your plan to know your plan works!


Disaster Recovery consists of:

• Development of a plan to appropriately address each category of Risk/Threat

• Including:
  – Establishment of the Recovery Team(s)
  – Development of Recovery Procedures
  – Training of the Recovery Team(s)
  – Change Management to keep plan current

• Provision of Necessary Resources (Beans, Bombs and Bubbas…)

• Arrangement for alternate technology platform, and retrieval of backup data


Some Terminology

• Charter, Plan, Recovery Procedures

• PPRT – People, Process, Resources, Technology

• Classification: Type, Scope, Duration, Impact

• Declaration: Legal and Financial Implications

• Likelihood, Frequency, MTBF

• RTO: Recovery Time Objective

• Hot, Warm, and Cold Recovery

• On-Site versus Off-Site, (and Escrow)

• Failover versus Recovery


The Disaster Event Lifecycle

• Vigilance, and Advanced Event Prediction

• Event Detection, Identification and Categorization

• Declaration of Disaster and Invocation of DR Plan

• Implementation of Appropriate DR Response Activities

• Operation under DR Plan

• Recovery or Replacement of Impacted Assets

• Return to Normal Operations

• Stand-Down of DR Response

• Reset of DR Arrangements – Restock Supplies, etc…

• Review of Response, Revision of DR Plan


Sample DR Plan Organization

• Section 1 Introduction

• Section 2 Document Control

• Section 3 Recovery Phase 1 Vigilance, Identification, Categorization and Declaration

• Section 3 Recovery Phase 2 Initial Recovery – Partial Capacity

• Section 3 Recovery Phase 3 Full Recovery – Full or Required Capacity

• Section 3 Recovery Phase 4 Stand Down – Return to Normal Operations, Deactivation of Recovery

• Section 3 Recovery Phase 5 After Action Review and Plan Revision

• Section 4 References and Resources

• Section 5 Directory of Appendices

• Section 5-1 Appendix 1 Staff Contact List – and Criss-Cross Calling Tree

• Section 5-2 Appendix 2 Vendor Contacts

• Section 5-3 Appendix 3 Communication Plan

• Section 5-4 Appendix 4 Platform Specifications and Vendor Re-Order Forms

• Section 5-5a Appendix 5a Platform Description – Install and Configuration

• Section 5-5b Appendix 5b 2K3 Server – Install and Configuration

• Section 5-5c Appendix 5c DB Server – Install and Configuration

• Section 5-5d Appendix 5d Web Server – Install and Configuration

• Section 5-5e Appendix 5e Rpt Server – Install and Configuration

• Section 5-5f Appendix 5f Application – Install and Configuration

• Section 5-6 Appendix 6 Back Up and Restore Schema

• Section 5-7 Appendix 7 Network Schema


So, let’s look at a sample DR Plan:


A Few Grey Beard Items:

• The person or asset you need most will become unavailable to you! Have a succession plan for every role, a plan B for every asset or resource, and default instructions for everyone

• What if Atlanta went away? Think extra-regionally!

• You may have to live with your recovery platform longer than you think!

• Have arrangements for everything you’ll need – in the event of a real emergency, you will be in competition for the stuff you need with every other business and organization impacted


In Summary:

• Real BC/DR is a methodical process for identifying and managing risks and threats to your organization

• It is primarily a business question, not a technical one

• Your BC/DR Plan must address People, Process, Resources, then Technology – what good is it to have a system and no one to use it?

• Your Plan should be based on a rational assessment of risks and impacts – and you may choose to skip some risks

• Test, Drill, and then Test again – it builds confidence that your plan might work and helps people learn their role

• Build your plan iteratively – don’t wait until you have boiled the ocean before you make that first cup of tea

• And last, but certainly not least: Your business does not stand still – so neither can your BC/DR Plan – Review and Revise, and integrate with your Change Management organization if you have one.
