Front Cover ... 1
Business Continuity and Disaster Recovery Planning for IT Professionals ... 4
Copyright ... 5
Contents ... 6
Acknowledgments ... 20
About the Authors ... 22
Introduction ... 24

Chapter 1: Business Continuity and Disaster Recovery Overview ... 26
    Introduction ... 26
    Business continuity and disaster recovery defined ... 28
    Components of business ... 29
        People in BC/DR planning ... 31
        Process in BC/DR planning ... 33
        Technology in BC/DR planning ... 35
    The cost of planning versus the cost of failure ... 36
        People ... 40
        Process ... 41
        Technology ... 42
    Types of disasters to consider ... 43
    Business continuity and disaster recovery planning basics ... 44
        Project initiation ... 46
        Risk assessment ... 47
        Business impact analysis ... 47
        Mitigation strategy development ... 47
        Plan development ... 48
        Training, testing, and auditing ... 48
        Plan maintenance ... 48
    Summary ... 49
    Key concepts ... 50
        BC/DR defined ... 50
        Components of business ... 51
        The cost of planning versus the cost of failure ... 51
        Types of disasters to consider ... 52
        BC/DR planning basics ... 52
    References ... 52

Chapter 2: Legal and Regulatory Obligations Regarding Data and Information Security ... 54
    Introduction ... 54
    Impact of recent history ... 56
    Current regulatory environment ... 58
        Source of legal obligations ... 58
        Scope of legal obligations ... 60
        Provide "reasonable security" ... 60
        Provide security breach notification ... 61
    Information security management ... 62
        Responsibility lies at the top ... 62
        Written Information Security Program (WISP) ... 63
        Categories that must be addressed ... 64
        Third-party service provider arrangements ... 64
        Education ... 64
        Did you know? ... 65
    Summary ... 65
    Key concepts ... 66
        Impact of recent history ... 66
        Current regulatory environment ... 66
        Information security management ... 66
    References ... 67

Case Study: Legal Obligations Regarding Data Security ... 68
    Contributor profile ... 68
        Deanna Conn, Partner, Quarles & Brady, LLP ... 68
    Background ... 69
        The Sony PlayStation incident ... 69
    State laws regarding data security ... 70
        Notice of security breach laws ... 70
            Definition of personal information ... 70
            Notification procedure ... 71
            Penalties ... 71
        Safeguarding personal data state laws ... 72
    Federal laws regarding data security ... 72
        U.S. House of Representatives proposed bill ... 73
        U.S. Senate response ... 74
        Executive Order: Improving Critical Infrastructure Cybersecurity ... 74
    Conclusion ... 74
    References ... 75

Chapter 3: Project Initiation ... 76
    Introduction ... 76
    Elements of project success ... 77
        Executive support ... 78
        User involvement ... 81
        Experienced project manager ... 81
        Clearly defined project objectives ... 82
        Clearly defined project requirements ... 83
        Clearly defined scope ... 84
        Shorter schedule, multiple milestones ... 86
        Clearly defined project management process ... 86
    Project plan components ... 88
        Project initiation or project definition ... 89
            Problem and mission statement ... 90
            Potential solutions ... 91
            Requirements and constraints ... 91
            Success criteria ... 92
            Project proposal ... 93
            Estimates ... 94
            Project sponsor ... 95
        Forming the project team ... 96
            Organizational ... 97
            Technical ... 97
            Logistical ... 98
            Political ... 98
        Project organization ... 99
            Project objectives ... 99
            Business continuity plan ... 99
            Continuity of operations plan ... 100
            Disaster recovery plan ... 100
            Crisis communication plan ... 100
            Cyber incident response plan ... 101
            Occupant emergency plan ... 101
            Project stakeholders ... 102
            Project requirements ... 103
            Project parameters ... 105
            Project infrastructure ... 109
            Project processes ... 110
            Team meetings ... 111
            Reporting ... 111
            Escalation ... 112
            Project progress ... 113
            Change control ... 113
            Quality control ... 114
            Project communication plan ... 114
        Project planning ... 116
            Work breakdown structure ... 116
            Critical path ... 116
        Project implementation ... 117
            Managing progress ... 118
            Managing change ... 119
            Project tracking ... 119
        Project close out ... 120
    Key contributors and responsibilities ... 121
        Information technology ... 121
            Experience working on a cross-departmental team ... 122
            Ability to communicate effectively ... 122
            Ability to work well with a wide variety of people ... 122
            Experience with critical business and technology systems ... 123
            IT project management leadership ... 124
        Human resources ... 124
        Facilities/security ... 124
        Finance/legal ... 125
        Warehouse/inventory/manufacturing/research ... 126
        Purchasing/logistics ... 127
        Marketing and sales ... 127
        Public relations ... 128
        Operations ... 130
    Project definition ... 131
        Business requirements ... 132
        Functional requirements ... 134
        Technical requirements ... 136
    Business continuity and disaster recovery project plan ... 137
        Project definition, risk assessment ... 138
        Business impact analysis ... 138
        Risk mitigation strategies ... 139
        Plan development ... 139
        Emergency preparation ... 139
        Training, testing, auditing ... 139
        Plan maintenance ... 140
    Summary ... 140
    Key concepts ... 142
        Elements of project success ... 142
        Project plan components ... 142
        Key contributors and responsibilities ... 143
        Project definition ... 143
        Business continuity and disaster recovery plan ... 144
    References ... 144

Business Continuity and Disaster Recovery in Energy/Utilities ... 146
    Introduction ... 146
    Integrating BC/DR requirements into IT governance ... 148
        BC/DR requirements definition ... 149
        IT service level definition ... 150
        Application recovery procedures ... 151
        Summary of integrating BC/DR requirements into IT governance ... 152
    Improving BC/DR recovery and risk mitigation strategies ... 153
        Ensuring access to BC/DR documentation in a disaster ... 153
        Change approval board and technical change review committees ... 155
        Security control testing ... 156
        Separation of duties ... 157
        Centralized security vulnerability assessment ... 157
        IT network vulnerability assessment ... 158
        Security control baselines and change detection ... 159
        Data center and network ... 159
        Compute and data ... 160
        Self-service application failover and failback ... 164
        Industrial control systems ... 165
        Summary of improving BC/DR recovery and risk mitigation strategies ... 167
    Improving BC/DR testing ... 168
        Recovery from actual incidents: Postmortems and documenting lessons learned ... 168
        Scheduled BC/DR tests ... 169
            Corporate data center redundancy testing ... 170
            EMS SCADA EOC testing ... 171
            SOX 404 application recovery testing ... 172
            NERC CIP-009 recovery testing ... 173
            Enterprise business continuity testing ... 174
        Summary of scheduled BC/DR testing ... 174
    Summary of best practices and key concepts ... 175
    References ... 175

Chapter 4: Risk Assessment ... 176
    Introduction ... 176
    Risk management basics ... 178
        Risk management process ... 180
            Threat assessment ... 181
            Vulnerability assessment ... 182
            Impact assessment ... 183
            Risk mitigation strategy development ... 183
        People, process, technology, and infrastructure in risk management ... 184
            People ... 184
            Process ... 185
            Technology ... 185
            Infrastructure ... 186
        IT-specific risk management ... 186
            IT risk management objectives ... 187
            The system development lifecycle model ... 188
    Risk assessment components ... 191
        Information gathering methods ... 193
        Natural and environmental threats ... 194
            Fire ... 194
            Floods ... 196
            Severe winter storms ... 198
            Electrical storms ... 200
            Drought ... 202
            Earthquake ... 203
            Tornadoes ... 205
            Hurricanes/typhoons/cyclones ... 205
            Tsunamis ... 207
            Volcanoes ... 207
            Avian flu/pandemics ... 208
        Human threats ... 210
            Fire ... 210
            Theft, sabotage, and vandalism ... 211
            Labor disputes ... 212
            Workplace violence ... 212
            Terrorism ... 213
            Chemical or biological hazards ... 214
            War ... 215
        Cyber threats ... 215
            Cyber crime ... 217
            Loss of records or data: theft, sabotage, vandalism ... 219
            IT system failure: theft, sabotage, vandalism ... 220
        Infrastructure threats ... 220
            Building-specific failures ... 220
            Public transportation disruption ... 221
            Loss of utilities ... 221
            Disruption to oil or petroleum supplies ... 222
            Food or water contamination ... 222
            Regulatory or legal changes ... 223
        Threat checklist ... 224
    Threat assessment methodology ... 227
        Quantitative threat assessment ... 228
        Qualitative threat assessment ... 232
    Vulnerability assessment ... 236
        People, process, technology, and infrastructure ... 239
            People ... 239
            Process ... 240
            Technology ... 241
            Infrastructure ... 241
        Vulnerability assessment ... 241
    Summary ... 244
    Key concepts ... 246
        Risk management basics ... 246
        Risk assessment components ... 247
        Threat assessment methodology ... 247
        Vulnerability assessment ... 248
    References ... 248

Business Continuity and Disaster Recovery in Healthcare ... 300
    Introduction to healthcare IT ... 300
        Types of healthcare organizations ... 302
            Hospitals ... 303
            Skilled nursing facility ... 303
            Physician offices ... 303
            Ambulatory clinics ... 304
            Pharmacies ... 304
            Other types of organizations ... 305
            Summary of healthcare organizations ... 305
        The rising cost of healthcare ... 305
        Governmental incentives and penalties ... 306
        HIEs and Accountable Care Organizations ... 308
            Health information exchanges ... 308
            Accountable Care Organizations ... 309
        Integration of healthcare IT and medical equipment ... 310
        Consumer-driven healthcare ... 311
        Real-time data ... 312
        Summary ... 313
    Regulatory environment ... 314
        Centers for Medicare and Medicaid Services/Joint Commission on Accreditation of Healthcare Organizations ... 314
        U.S. Food and Drug Administration ... 315
        Health Insurance Portability and Accountability Act ... 317
        Health Information Technology for Economic and Clinical Health ... 319
        Payment Card Industry ... 320
        State and local requirements ... 321
    Healthcare IT risk management ... 321
        Patient safety ... 322
        Patient care ... 323
        Organizational solvency ... 323
        Facility management ... 324
    Technical needs: Healthcare IT architecture ... 324
        Clinical systems ... 325
        Business systems ... 326
        Types of data ... 327
            Structured ... 328
            Unstructured ... 328
            Semi-structured ... 328
        Types of systems and storage ... 329
        Network core, medical network, and guest network ... 330
        Wireless/RFID ... 332
        Security infrastructure ... 333
        End user devices ... 334
    Healthcare operational needs ... 335
        Admitting ... 335
        Insurance verification and billing services ... 336
        Clinical care ... 338
            Physician ... 338
            Nursing ... 339
        Support services ... 339
    Interoperability among disparate systems ... 340
        Electronic medical record ... 340
        Diagnostic imaging ... 341
        Medical equipment ... 341
        Food services ... 341
        Environmental services ... 341
        Billing and payment systems ... 342
        Payroll ... 342
        Human resources ... 343
    Current environment and new technology ... 343
        Advances in data storage and replication ... 343
        Mobile devices ... 344
        Virtualization and cloud computing ... 345
        Communication systems ... 347
        Current environment and new technology summary ... 348
    Healthcare IT BC/DR best practices ... 348
        Security frameworks ... 348
            National Institute of Standards and Technology ... 349
            ISO/IEC 27000 series ... 349
            HITRUST common security framework ... 349
            Information Technology Infrastructure Library ... 350
        Best practices ... 351
    Summary ... 353
        Overview of healthcare IT ... 353
        Regulatory requirements ... 353
        Healthcare IT risk management ... 354
        Technical needs: Healthcare IT architecture ... 354
        Healthcare operational needs ... 355
        Interoperability among disparate systems: Integration in healthcare IT ... 355
        Current environment and new technology ... 356
        Healthcare IT BC/DR best practices ... 356
    Key concepts ... 357
    References ... 360

Chapter 6: Risk Mitigation Strategy Development ... 362
    Introduction ... 362
    Types of risk mitigation strategies ... 364
        Risk acceptance ... 365
        Risk avoidance ... 365
        Risk limitation ... 366
        Risk transference ... 366
    The risk mitigation process ... 368
        Recovery requirements ... 368
        Recovery options ... 368
            As needed ... 370
            Prearranged ... 370
            Preestablished ... 370
        Recovery time of options ... 371
        Cost versus capability of recovery options ... 372
        Recovery service level agreements ... 372
        Review existing controls ... 374
        Developing your risk mitigation strategy ... 375
            Sample 1: Section from Mitigation Strategy for Critical Data ... 376
            Sample 2: Section from Mitigation Strategy for Critical Data ... 377
        People, buildings, and infrastructure ... 379
    IT risk mitigation ... 380
        Critical data and records ... 381
        Critical systems and infrastructure ... 381
        Reviewing critical system priorities ... 382
        Backup and recovery considerations ... 383
            Alternate business processes ... 383
            IT recovery systems ... 384
        Alternate sites ... 384
            Fully mirrored site ... 384
            Hot site ... 385
            Warm site ... 385
            Mobile site ... 385
            Cold site ... 386
            Reciprocal site ... 386
        Storage and disk systems ... 386
        Desktop solutions ... 387
        Software and licensing ... 388
        Web sites ... 388
    Documenting your risk mitigation strategy ... 389
    Summary ... 390
    Key concepts ... 390
        Types of risk mitigation strategies ... 390
        Risk mitigation process ... 391
        IT risk mitigation ... 392
        Backup and recovery considerations ... 392
    References ... 392

Chapter 7: Business Continuity/Disaster Recovery Plan Development ... 394
    Introduction ... 394
    Implement risk mitigation strategies ... 396
    Phases of business continuity and disaster recovery ... 400
        Activation phase ... 400
            Minor disaster or disruption ... 401
            Intermediate disaster or disruption ... 402
            Major disaster or disruption ... 403
            Activating BC/DR teams ... 403
            Developing triggers ... 404
            Transition trigger: Activation to recovery ... 405
        Recovery phase ... 406
            Transition trigger: Recovery to continuity ... 406
        Business continuity phase ... 407
        Maintenance/review phase ... 408
    Defining BC/DR teams and key personnel ... 408
        Crisis management team ... 409
        Management ... 410
        Damage assessment team ... 410
        Operations assessment team ... 410
        IT team ... 411
        Administrative support team ... 411
        Transportation and relocation team ... 411
        Media relations team ... 412
        Human resources team ... 412
        Legal affairs team ... 412
        Physical/personnel security team ... 413
        Procurement team (equipment and supplies) ... 413
        General team guidelines ... 414
        BC/DR contact information ... 415
    Defining tasks and assigning resources ... 417
        Alternate site ... 418
            Selection criteria ... 418
            Contractual terms ... 419
            Comparison process ... 419
            Acquisition and testing ... 419
        Cloud services ... 420
        Contracts for BC/DR services ... 422
            Develop clear functional and technical requirements ... 422
            Determine required service levels ... 422
            Compare vendor proposal/response to requirements ... 423
            Identify requirements not met by vendor proposal ... 423
            Identify vendor options not specified in requirements ... 424
    Communications plans ... 425
        Internal ... 425
        Employee ... 425
        Customers and vendors ... 426
        Shareholders ... 426
        The community and the public ... 426
    Event logs, change control, and appendices ... 427
        Event logs ... 428
        Change control ... 429
        Distribution ... 430
        Appendices ... 431
    Additional resources ... 432
    What's next ... 432
    Summary ... 433
    Key concepts ... 434
        Phases of business continuity and disaster recovery ... 434
        Defining BC/DR teams and key personnel ... 434
        Defining tasks and assigning resources ... 435
        Communications plans ... 435
        Event logs and change control ... 436
        Appendices ... 436
    References ... 436

Business Continuity and Disaster Recovery in Financial Services ... 438
    Overview ... 438
    Finance industry regulation overview ... 438
        United States financial regulation ... 439
        European financial regulation ... 440
        Other regions financial regulation ... 440
    Finance industry requirements for business continuity ... 441
        Industry impact: September 11 attacks ... 441
        Industry impact: Hurricane Sandy ... 445
        Industry impact: Cyber threats ... 447
    Looking forward ... 449
    Summary ... 450
    References ... 450

Chapter 8: Emergency Response and Recovery ... 452
    Introduction ... 452
    Emergency management overview ... 453
        Emergency response plans ... 453
        Emergency response teams ... 455
        Crisis management team ... 457
    Emergency response and disaster recovery ... 458
        Alternate facilities review and management ... 458
        Crisis communications ... 458
        Human resources ... 460
        Legal ... 461
        Insurance ... 461
        Finance ... 461
        Disaster recovery ... 461
            Activation and emergency response checklists ... 462
            Recovery checklists ... 462
            IT recovery tasks ... 463
    Computer incident response ... 466
        CIRT responsibilities ... 467
            Monitor ... 467
            Alert and mobilize ... 467
            Assess and stabilize ... 468
            Resolve ... 468
            Review ... 468
    Business continuity ... 469
    Summary ... 471
    Key concepts ... 472
        Emergency management overview ... 472
        Emergency response plans ... 472
        Crisis management team ... 473
        Disaster recovery ... 473
        IT recovery ... 473
        Business continuity ... 474
    References ... 474

Business Continuity and Disaster Recovery for Small- and Medium-Sized Businesses ... 476
    Overview of SMB disaster recovery ... 476
    SMB disaster preparedness: Survey results ... 478
    On-premises disaster recovery ... 478
        SMB case studies ... 480
            High availability at 24 Seven Talent ... 480
            Affigent fails over before the storm ... 481
    Using a co-location data center for disaster recovery ... 481
        The value of co-location data centers in a disaster ... 482
        Tips for selecting a co-location provider ... 482
        What does a co-location center cost? ... 483
        SMB case study: Balancing internal capability and cost with co-location data centers for DR ... 484
    Disaster recovery in the cloud ... 485
        Disaster recovery in the cloud options ... 487
            Managed applications and managed DR ... 489
            Back up to and restore from the cloud ... 489
            Back up to and restore to the cloud ... 490
            Replication to VMs in the cloud ... 490
        Protecting branch offices with cloud disaster recovery ... 490
            Virtualize and consolidate servers ... 491
            Virtualize and streamline data storage and backup ... 491
            Virtualize applications and desktops ... 492
            Deploy application acceleration and WAN optimization ... 493
        SMB case studies ... 494
            Snowmaggedon and Snowpocalypse ... 494
            Amazon Web Services to the rescue ... 494
            LAUSD implements snapshot-based cloud backup ... 495
            Psomas moves DR to the cloud ... 496
            Private cloud DR plans help BUMI ... 496
            Sprott switches course to cloud DR service provider ... 497
            University turns to cloud backup for data protection ... 498
    Summary ... 499
    Key concepts ... 499
        Overview of SMB disaster recovery ... 499
        SMB disaster preparedness: Survey results ... 500
        On-premises disaster recovery ... 500
        Using a co-location data center for disaster recovery ... 501
        Disaster recovery in the cloud ... 501
    References ... 502

Chapter 9: Training, Testing, and Auditing ... 504
    Introduction ... 504
    Training for disaster recovery and business continuity ... 504
        Emergency response ... 505
        Disaster recovery and business continuity training overview ... 506
            Training scope, objectives, timelines, and requirements ... 506
            Performing training needs assessment ... 507
            Developing training ... 508
            Scheduling and delivering training ... 509
            Monitoring and measuring training ... 510
    Training and testing for your business continuity and disaster recovery plan ... 510
        Paper walk-through ... 512
            Develop realistic scenarios ... 513
            Develop evaluation criteria ... 513
            Provide copies of the plan ... 514
            Divide participants by team ... 515
            Use checklists ... 515
            Take notes ... 515
            Identify training needs ... 515
            Develop summary and lessons learned ... 515
        Functional exercises ... 516
        Field exercises ... 517
        Full interruption test ... 517
        Training plan implementers ... 518
    Testing the BC/DR plan ... 518
        Understanding of processes ... 519
        Validation of task integration ... 520
            Confirm steps ... 520
            Confirm resources ... 520
            Familiarize with information flow ... 520
            Identify gaps or weaknesses ... 521
            Determine cost and feasibility ... 521
        Test evaluation criteria ... 523
        Recommendations ... 524
    Performing IT systems and security audits ... 524
        IT systems and security audits ... 524
    Summary ... 526
    Key concepts ... 528
        Training for emergency response, disaster recovery, and business continuity ... 528
        Testing your business continuity and disaster recovery plan ... 528
        Performing IT systems audits ... 529
    References ... 529

Chapter 10: BC/DR Plan Maintenance ... 530
    Introduction ... 530
    BC/DR plan change management ... 531
        Training, testing, and auditing ... 532
        Changes in information technologies ... 532
        Changes in operations ... 533
        Corporate changes ... 534
        Legal, regulatory, or compliance changes ... 535
    Strategies for managing change ... 535
        Monitor change ... 536
            People ... 536
            Process ... 536
            Technology ... 536
        Evaluate and incorporate change ... 537
    BC/DR plan audit ... 538
    Plan maintenance activities ... 539
    Project close out ... 540
    Summary ... 541
    Key concepts ... 543
        BC/DR plan change management ... 543
        Strategies for managing change ... 543
        BC/DR plan audit ... 544
        Plan maintenance activities ... 544
        Project close out ... 544

Appendix A: Risk Management Checklist ... 546
    Risk assessment ... 546
        Threat and vulnerability checklist ... 546
            Natural hazards ... 546
            Cold weather-related hazards ... 546
            Warm weather-related hazards ... 546
            Geological hazards ... 547
            Human-caused hazards ... 547
            Accidents and technological hazards ... 548
        Threat and vulnerability assessment ... 549
    Business impact analysis ... 549
    Mitigation strategies ... 549

Appendix B: Crisis Communications Checklist ... 552
    Communication checklist ... 552
    Message content ... 553

Appendix C: Emergency Response and Recovery Checklists ... 554
    High-level checklist ... 554
    Activation checklists ... 555
        Initial response ... 555
        Damage and situation assessment ... 555
        Disaster declaration and notification ... 556
    Emergency response checklists ... 556
        Emergency checklist one: General emergency response ... 556
        Emergency checklist two: Evacuation or shelter-in-place response ... 557
        Emergency checklist three: Specific emergency responses ... 557
        Emergency checklist four: Emergency response contact list, maps, and floor plans ... 557
        Emergency checklist five: Emergency supplies and equipment ... 558
    Recovery checklists ... 558
        Recovery checklist one: General ... 558
        Recovery checklist two: Inspection, assessment, and salvage ... 559

Appendix D: Business Continuity Checklist ... 562
    Resuming work ... 562
    Resuming operations ... 562
        Human resources ... 563
        Insurance and legal ... 563
        Manufacturing, warehouse, production, and operations ... 564
    Resuming normal operations ... 564
        Existing facility ... 565
        New facility ... 565
    Transition to normalized activities ... 566

Appendix E: IT Recovery Checklists ... 568
    IT recovery checklist one: Infrastructure ... 568
    Recovery checklist two: Applications ... 569
    Recovery checklist three: Office area and end-user recovery ... 569
    Recovery checklist four: Business process recovery ... 570
    Recovery checklist five: Manufacturing, production, and operations recovery ... 570

Appendix F: Training, Testing, and Auditing Checklists ... 572
    Training and testing ... 572
    IT auditing ... 572

Appendix G: BC/DR Plan Maintenance Checklist ... 574
    Change management ... 574

Glossary of Terms ... 576
Index ... 590