
Business resumption planning


Pages: 1,105
File size: 6.83 MB


BUSINESS RESUMPTION PLANNING

EDWARD S. DEVLIN, COLE H. EMERSON, LEO A. WROBEL, JR., MARK B. DESMAN

Boca Raton London New York Washington, D.C.

Copyright © 1994, 1995, 1996, 1997, 1998, 1999, 2000 CRC Press LLC

ISBN 0-203-99762-X Master e-book ISBN

ISBN 0-8493-9945-9 (Print Edition)

ISBN 0-8493-9835-5 (Print Edition)

All rights reserved. No part of this text covered by the copyright hereon may be reproduced or used in any form or by any means—graphic, electronic, or mechanical, including photocopying, recording, taping, or information storage and retrieval systems—without the written permission of the publisher.

Auerbach, CRC Press LLC, 2000 Corporate Blvd., N.W., Boca Raton, FL 33431

This edition published in the Taylor & Francis e-Library, 2006.

“To purchase your own copy of this or any of Taylor & Francis or Routledge’s collection of thousands of eBooks please go to http://www.ebookstore.tandf.co.uk/.”

About the Authors

Edward S. Devlin is a leading consultant, author, instructor, and speaker in the field of Business Continuity and Business Resumption Planning. Ed is often called “The Father of Disaster Recovery Planning,” and he has recently been honored by being chosen an inaugural member of Contingency Planning & Management magazine’s Hall of Fame. He is a CBCP (Certified Business Contingency Planner) and holds an honorary certification from the FCBI. Ed is the Principal for Edward S. Devlin & Associates and can be reached at (610) 436–5786.

Cole H. Emerson is president of Cole Emerson & Associates. A recognized leader in the field of business resumption planning, he has assisted companies throughout the world in recovery planning. Emerson has written and spoken at numerous domestic and international conferences. He is a founder of the Information Systems Security Association and a charter member of the Disaster Recovery Institute certification board. He can be reached at (916) 729–6055.

Leo A. Wrobel Jr., president of Premiere Network Services, Inc., has more than two decades of experience in emerging network technology, disaster recovery planning, and technical training. An active author and lecturer, he has published nine books and dozens of trade articles on a wide variety of technical subjects. He can be reached at Premiere’s web site (http://www.dallas.net/-premiere) or by calling (972) 228–8881.

Mark B. Desman has been a practitioner in information security and contingency planning for the past 19 years. His background includes being one of the first information security managers for American Savings of California as well as CalFed Bank (now NationsBank) and Gibraltar Savings in Southern California. Most recently, he was manager of information security, contingency planning, and the technical help desk for a multistate bank holding company in New England. Currently, Mr. Desman is Manager of Information Security at Micron Technology, Inc.

© 2000 by CRC Press LLC

I–1 Obtaining Senior Management Sponsorship

I–3 Conducting the Business Impact Analysis

I–4 Identifying and Documenting Critical Business Processes

I–5 Identifying and Documenting Resource Requirements

I–6 Organizing the Business Operations Recovery Teams

I–7 Recovery Planning for Microcomputers and LANs

I–8 Business Operations Recovery Plan Testing, Maintenance, and Training

I–9 Disaster Mitigation Controls for Microcomputer Systems

II–4 The Recovery Headquarters Team Section of the DCRP

II–15 Evaluating the Recovery Headquarters Team Following an Actual Recovery Operation

II–16 Evaluating the Computer Operations Recovery Team Following an

II–17 Evaluating the Disaster Site Recovery Team Following an Actual

III–7 Communications Recovery Plan Testing, Maintenance, and

III–11 Conducting a Technical Vulnerability Analysis of the Physical

WORKPAPERS

I1.01 Sample Risk Assessment Report

I1.02 Business Case Support Document

I2.01 Resumption Plan Objectives

I2.02 Assignment of Tasks and Responsibilities

I3.01 Business Impact Analysis Questionnaires

I4.01 Operating Strategy Questionnaire

I5.01 Personnel Requirements—Data Collection Instrument

I5.02 Interface Analysis—Data Collection Instrument

I5.03 Adjacency Requirements—Data Collection Instrument

I5.04 Office Equipment—Data Collection Instrument

I5.05 Voice Communications—Data Collection Instrument

I5.06 Vital Records—Data Collection Instrument

I5.07 Critical Forms—Data Collection Instrument

I6.01 Emergency Operations Center Guidebook

I7.02 LAN Recovery Plan

I8.01 Test Evaluation Criteria

I8.02 Test Assessment Form

I9.01 Policies and Program Management

I9.02 Business Impact Analysis


I9.04 Information Backup Program and Facilities

II2.01 Scope Statement

II2.02 Objectives Statement

II2.03 Premise Statement

II2.04 Single, Isolated, Best-Case Disaster Scenario

II2.05 Single, Isolated, Worst-Case Disaster Scenario

II2.06 Wide-Area, Regional Disaster Scenario

II2.07 Level of Detail—Simple Method

II2.08 Level of Detail—Detailed Method

II2.09 Recovery Procedure Overview

II2.10 Initial Response Actions

II2.11 Recovery Actions

II2.12 Administrative Actions

II3.03 Senior Management Notification Information

II3.04 Staff Department Management Notification

II3.05 Computer Equipment Inventory

II3.06 Computer Equipment Vendor Notification

II3.07 Request Letter to Equipment Vendor

II3.08 Computer Forms Inventory

II3.11 Computer Supplies Inventory

II3.12 Computer Supplies Vendor Notification

II3.13 Request Letter to Supplies Vendor

II3.14 External Support Companies Notification

II3.15 Temporary Location Requirements

II4.01 Building Services Support Checklist

II4.02 Finance Support Checklist

II4.03 Human Resources Support Checklist

II4.04 Insurance Support Checklist

II4.05 Internal Audit Support Checklist

II4.06 Legal Support Checklist

II4.07 Public Relations Support Checklist

II4.08 Purchasing Support Checklist

II4.09 Security Support Checklist

II4.10 Transportation Support Checklist

II4.11 Initial News Media Statement

II4.12 Recovery Chairperson—Procedure

II4.13 Personnel Location Control Form

II4.14 Recovery Status Report Form

II4.15 Travel and Expense Report Form

II4.16 Disaster Recovery Time Record Form

II4.17 Personnel Notification Procedure

II4.18 Personnel Notification Information Checklist

II4.19 Recovery Headquarters Team Manager’s Recovery Procedures

II4.20 Reserved Telephone Numbers List Form

II4.21 Incoming Telephone Call Procedure and Form

II4.22 Notification and Communications Team Leader Responsibilities

II4.23 Travel Itinerary Form

II4.24 Administration Team Leader Responsibilities

II5.01 Computer Operations Team Manager’s Recovery Procedures

II5.02 Backup Site Notification Checklist

II5.03 Critical Application Checklist

II5.04 Computer Operations Team Leader’s Recovery Procedures

II5.05 End-User Contact Checklist

II5.06 End-User Log Book Form

II5.07 Application Recovery Checklist

II5.08 Computer Backup Site Travel Guidelines

II5.09 Systems Software Recovery Team Leader Recovery Procedures

II5.10 Systems Software Vendor Notification Checklist

II5.11 Systems Software Inventory Checklist

II5.12 Operating System Recovery Procedure

II5.13 Tape Operations Team Leader Recovery Procedures

II5.14 Storage Location Notification Checklist

II5.15 Applications Recovery Team Leader Recovery Procedures

II5.16 Applications Software Vendor Notification Checklist

II5.17 Applications Software Inventory Checklist

II5.18 Data Base Recovery Team Leader Recovery Checklist

II5.19 Data Base Software Vendor Notification Checklist

II5.20 Data Base Software Inventory Checklist

II6.01 Disaster Site Recovery Team Manager Recovery Procedures

II6.02 Computer Equipment Vendor Notification Checklist

II6.03 Computer Supplies Vendor Notification Checklist

II6.04 Computer Forms Vendor Notification Checklist

II6.05 Recovery Services Companies Notification Checklist

II6.06 Facility Damage Assessment and Restoration Team Leader Recovery Procedures

II6.07 Disaster Site Damage Assessment Form

II6.08 Temporary Location Facilities Requirements Checklist

II6.09 Temporary Computer Site Facilities Review Form

II6.10 Equipment Damage Assessment and Salvage Team Leader Recovery Procedures

II6.11 Computer Equipment Inventory Checklist

II6.12 Computer Supplies Inventory Checklist

II6.13 Computer Forms Inventory Checklist

II7.01 First-Alert Step

II7.02 Disaster Verification Step

II7.04 DCRP Activation Step

II7.05 DCRP Recovery Team Alert Checklist

II8.01 Applications and Business Functions Data Gathering Form

II8.02 Application Impact Analysis Interview and Questionnaire

II9.01 Recovery Processing Strategy Matrix

II11.01 Data Center Recovery Plan—Performance Schedule

II11.02 Data Center Recovery Plan—Performance History

II11.03 Data Center Recovery Plan Exercise Planning Form

II15.01 Used in the Evaluation of the IS DCRP Recovery Chairperson Activities

II15.02 Used in the Evaluation of the Recovery Headquarters Manager

II15.03 Used in the Evaluation of the Notification and Communications Team

II15.04 Used in the Evaluation of the Administrative Team

II16.01 Used in the Evaluation of the Computer Operations Recovery Team Manager

II16.02 Used in the Evaluation of the Computer Operations Recovery Team Leader

II16.03 Used in the Evaluation of the Systems Software Team

II16.04 Used in the Evaluation of the Tape Operations Recovery Team

II16.05 Used in the Evaluation of the Applications Recovery Team

II16.06 Used in the Evaluation of the Database Recovery Team Leader

II17.01 Used in the Evaluation of the Disaster Site Recovery Team Manager

II17.02 Used in the Evaluation of the Facility Damage Assessment and Restoration Team Leader

II17.03 Used in the Evaluation of the Equipment Damage Assessment Team

III2.01 Sales Interview Questions

III2.02 Marketing Interview Questions

III2.03 Operations Interview Questions

III2.04 Facilities Interview Questions

III2.05 General Counsel Interview Questions

III2.06 Information Systems Interview Questions

III2.07 Communications Interview Questions

III2.08 Finance Interview Questions

III2.09 Communications Standards and Practices Questionnaire

III2.10 Management Funding Request Form

III3.01 Equipment Colocation Checklist

III3.02 Communications Recovery Team Member Recovery Procedures

III4.01 Checklist for Evaluating Tier 1 Installations

III4.02 Checklist for Evaluating Equipment Area Access

III4.03 Checklist for Evaluating Equipment Room Housekeeping

III4.04 Checklist for Evaluating Equipment Room Electrical Power

III4.05 Checklist for Evaluating Network Software Security and Change Control Management

III4.06 Checklist for Evaluating Remote System Access to Equipment Rooms

III4.07 Checklist for Evaluating LAN Connectivity Standards

III4.08 Checklist for Evaluating Fire and Water Protection Systems

III5.01 Sample Organizationwide Recovery Procedures

III5.02 Damage Assessment Procedures for a Company-Wide Disaster

III5.03 Activation Procedures for a Company-Wide Disaster

III6.01 Communications-Specific Recovery Procedures

III6.02 Redirection of Phone Numbers

III6.03 Redirection of Inbound 800 Numbers

III6.04 Reconfiguration of Equipment and Redirection of T1 Circuits

III6.05 Redirection of Dial-In Ports

III6.06 Emergency Circuit Recovery Priorities

III6.07 Recovery from Software-Induced Disaster

III6.08 Recovery from Equipment Failure

III6.09 Carrier Override Procedures

III6.10 Telecommunications Recovery Plan (Initial EMT Damage Report)

III6.11 Equipment Damage Report

III6.12 Support Activities Provided by the Telecommunications and Communications Departments

III6.13 Support Activities Provided by the Human Resources Department

III6.14 Support Activities Provided by the Facilities Department

III6.15 Support Activities Provided by the Finance Department

III6.16 Support Activities Provided by the Risk Management Department

III6.17 Support Activities Provided by the Internal Audit Department

III6.18 Support Activities Provided by the Legal Department

III6.19 Support Activities Provided by the Medical Department

III6.20 Support Activities Provided by the Office Services Department

III6.21 Support Activities Provided by the Public Affairs Department

III6.22 Support Activities Provided by the Purchasing Department

III6.23 Support Activities Provided by the Transportation Department

III6.24 Sample Communications Equipment Inventory Form

III6.25 Sample Communications Software Inventory Form

III7.01 Communications Plan Testing and Maintenance

III7.02 Personnel Change Notification Form

III9.01 Priority and Redirection Form for Incoming 800 Service

III9.02 Priority and Redirection Form for Incoming Telephone Service

III9.03 Priority and Redirection Form for Private Line Service

III9.04 Checklist for Evaluating Fiber Optic-Based Long-Haul Carriers

III9.05 Checklist for Evaluating Local Access Carriers

III9.06 Software and Traffic Management Disruptions

III10.01 Financial Summary

III10.02 Man Hours of Outage—Mainframe Systems Part 1

III10.03 Man Hours of Outage—Mainframe Systems Part 2

III10.04 Man Hours of Outage—Mainframe Systems Part 3

III10.05 Man Hours of Outage—Mainframe Systems Part 4

III10.06 Man Hours of Outage—Mainframe Systems Part 5

III10.07 Man Hours of Outage—Telecommunications Systems Part 1

III10.08 Man Hours of Outage—Telecommunications Systems Part 2

III10.09 Man Hours of Outage—Telecommunications Systems Part 3

III10.10 Man Hours of Outage—Telecommunications Systems Part 4

III10.11 Man Hours of Outage—Telecommunications Systems Part 5

III10.12 Man Hours of Outage—LAN Systems Part 1

III10.13 Man Hours of Outage—LAN Systems Part 2

III10.14 Man Hours of Outage—LAN Systems Part 3

III10.15 Man Hours of Outage—LAN Systems Part 4

III10.16 Man Hours of Outage—LAN Systems Part 5

III10.17 Man Hours of Outage—Other Systems Part 1

III10.18 Man Hours of Outage—Other Systems Part 2

III10.19 Man Hours of Outage—Other Systems Part 3

III10.20 Man Hours of Outage—Other Systems Part 4

III10.21 Man Hours of Outage—Other Systems Part 5

III10.22 Example: Technology Cost vs Need

III10.23 Technology Cost vs Need: Mainframe

III10.24 Technology Cost vs Need: Telecommunications

III10.25 Technology Cost vs Need: LAN

III10.26 Technology Cost vs Need: Other

III10.27 Evaluation Criteria for Network Vulnerability: Mainframe

III10.28 Evaluation Criteria for Network Vulnerability: Telecommunications

III10.29 Evaluation Criteria for Network Vulnerability: LAN

III10.30 Evaluation Criteria for Network Vulnerability: Other

III10.31 Focus on: (division)

III10.32 Dynamics of (division)

III10.33 Cost of Executive Complaints Flow Chart

III11.01 FMEA Worksheet #1: Severity

III11.02 FMEA Worksheet #2: Occurrences

III11.03 FMEA Worksheet #3: Detection/Repair

III11.04 FMEA Worksheet #4: Computing RPN

III11.05 Focus on Firewalls

III11.06 Firewall Hardware Concerns

III12.03 Today’s Question

III12.04 Tomorrow’s Answers

III12.05 Seamless Solution

III12.06 Supported Software and Hardware (Workstation)

III12.07 Supported Software and Hardware (Notebook)

III12.08 Example: The Need for Controls

III12.09 The Need for Controls

III12.10 Recovery Team

III12.11 Example: Maintaining Critical Databases by Object Linking

III12.12 Maintaining Critical Databases by Object Linking

III12.13 Mainframe Equipment Inventory Lists

Date posted: 31/03/2017, 09:39
