| |
Front Cover |
1 |
|
| |
Business Continuity and Disaster Recovery Planning for IT Professionals |
4 |
|
| |
Copyright |
5 |
|
| |
Contents |
6 |
|
| |
Acknowledgments |
20 |
|
| |
About the Authors |
22 |
|
| |
Introduction |
24 |
|
| |
Chapter 1: Business Continuity and Disaster Recovery Overview |
26 |
|
| |
Introduction |
26 |
|
| |
Business continuity and disaster recovery defined |
28 |
|
| |
Components of business |
29 |
|
| |
People in BC/DR planning |
31 |
|
| |
Process in BC/DR planning |
33 |
|
| |
Technology in BC/DR planning |
35 |
|
| |
The cost of planning versus the cost of failure |
36 |
|
| |
People |
40 |
|
| |
Process |
41 |
|
| |
Technology |
42 |
|
| |
Types of disasters to consider |
43 |
|
| |
Business continuity and disaster recovery planning basics |
44 |
|
| |
Project initiation |
46 |
|
| |
Risk assessment |
47 |
|
| |
Business impact analysis |
47 |
|
| |
Mitigation strategy development |
47 |
|
| |
Plan development |
48 |
|
| |
Training, testing, and auditing |
48 |
|
| |
Plan maintenance |
48 |
|
| |
Summary |
49 |
|
| |
Key concepts |
50 |
|
| |
BC/DR defined |
50 |
|
| |
Components of business |
51 |
|
| |
The cost of planning versus the cost of failure |
51 |
|
| |
Types of disasters to consider |
52 |
|
| |
BC/DR planning basics |
52 |
|
| |
References |
52 |
|
| |
Chapter 2: Legal and Regulatory Obligations Regarding Data and Information Security |
54 |
|
| |
Introduction |
54 |
|
| |
Impact of recent history |
56 |
|
| |
Current regulatory environment |
58 |
|
| |
Source of legal obligations |
58 |
|
| |
Scope of legal obligations |
60 |
|
| |
Provide ``reasonable security´´ |
60 |
|
| |
Provide security breach notification |
61 |
|
| |
Information security management |
62 |
|
| |
Responsibility lies at the top |
62 |
|
| |
Written Information Security Program (WISP) |
63 |
|
| |
Categories that must be addressed |
64 |
|
| |
Third-party service provider arrangements |
64 |
|
| |
Education |
64 |
|
| |
Did you know? |
65 |
|
| |
Summary |
65 |
|
| |
Key concepts |
66 |
|
| |
Impact of recent history |
66 |
|
| |
Current regulatory environment |
66 |
|
| |
Information security management |
66 |
|
| |
References |
67 |
|
| |
Case Study: Legal Obligations Regarding Data Security |
68 |
|
| |
Contributor profile |
68 |
|
| |
Deanna Conn, Partner, Quarles & Brady, LLP |
68 |
|
| |
Background |
69 |
|
| |
The Sony PlayStation incident |
69 |
|
| |
State laws regarding data security |
70 |
|
| |
Notice of security breach laws |
70 |
|
| |
Definition of personal information |
70 |
|
| |
Notification procedure |
71 |
|
| |
Penalties |
71 |
|
| |
Safeguarding personal data state laws |
72 |
|
| |
Federal laws regarding data security |
72 |
|
| |
U.S. House of representatives proposed bill |
73 |
|
| |
U.S. Senate response |
74 |
|
| |
Executive order-improving critical infrastructure cyber security |
74 |
|
| |
Conclusion |
74 |
|
| |
References |
75 |
|
| |
Chapter 3: Project Initiation |
76 |
|
| |
Introduction |
76 |
|
| |
Elements of project success |
77 |
|
| |
Executive support |
78 |
|
| |
User involvement |
81 |
|
| |
Experienced project manager |
81 |
|
| |
Clearly defined project objectives |
82 |
|
| |
Clearly defined project requirements |
83 |
|
| |
Clearly defined scope |
84 |
|
| |
Shorter schedule, multiple milestones |
86 |
|
| |
Clearly defined project management process |
86 |
|
| |
Project plan components |
88 |
|
| |
Project initiation or project definition |
89 |
|
| |
Problem and mission statement |
90 |
|
| |
Potential solutions |
91 |
|
| |
Requirements and constraints |
91 |
|
| |
Success criteria |
92 |
|
| |
Project proposal |
93 |
|
| |
Estimates |
94 |
|
| |
Project sponsor |
95 |
|
| |
Forming the project team |
96 |
|
| |
Organizational |
97 |
|
| |
Technical |
97 |
|
| |
Logistical |
98 |
|
| |
Political |
98 |
|
| |
Project organization |
99 |
|
| |
Project objectives |
99 |
|
| |
Business continuity plan |
99 |
|
| |
Continuity of operations plan |
100 |
|
| |
Disaster recovery plan |
100 |
|
| |
Crisis communication plan |
100 |
|
| |
Cyber incident response plan |
101 |
|
| |
Occupant emergency plan |
101 |
|
| |
Project stakeholders |
102 |
|
| |
Project requirements |
103 |
|
| |
Project parameters |
105 |
|
| |
Project infrastructure |
109 |
|
| |
Project processes |
110 |
|
| |
Team meetings |
111 |
|
| |
Reporting |
111 |
|
| |
Escalation |
112 |
|
| |
Project progress |
113 |
|
| |
Change control |
113 |
|
| |
Quality control |
114 |
|
| |
Project communication plan |
114 |
|
| |
Project planning |
116 |
|
| |
Work breakdown structure |
116 |
|
| |
Critical path |
116 |
|
| |
Project implementation |
117 |
|
| |
Managing progress |
118 |
|
| |
Managing change |
119 |
|
| |
Project tracking |
119 |
|
| |
Project close out |
120 |
|
| |
Key contributors and responsibilities |
121 |
|
| |
Information technology |
121 |
|
| |
Experience working on a cross-departmental team |
122 |
|
| |
Ability to communicate effectively |
122 |
|
| |
Ability to work well with a wide variety of people |
122 |
|
| |
Experience with critical business and technology systems |
123 |
|
| |
IT project management leadership |
124 |
|
| |
Human resources |
124 |
|
| |
Facilities/security |
124 |
|
| |
Finance/legal |
125 |
|
| |
Warehouse/inventory/manufacturing/research |
126 |
|
| |
Purchasing/logistics |
127 |
|
| |
Marketing and sales |
127 |
|
| |
Public relations |
128 |
|
| |
Operations |
130 |
|
| |
Project definition |
131 |
|
| |
Business requirements |
132 |
|
| |
Functional requirements |
134 |
|
| |
Technical requirements |
136 |
|
| |
Business continuity and disaster recovery project plan |
137 |
|
| |
Project definition, risk assessment |
138 |
|
| |
Business impact analysis |
138 |
|
| |
Risk mitigation strategies |
139 |
|
| |
Plan development |
139 |
|
| |
Emergency preparation |
139 |
|
| |
Training, testing, auditing |
139 |
|
| |
Plan maintenance |
140 |
|
| |
Summary |
140 |
|
| |
Key concepts |
142 |
|
| |
Elements of project success |
142 |
|
| |
Project plan components |
142 |
|
| |
Key contributors and responsibilities |
143 |
|
| |
Project definition |
143 |
|
| |
Business continuity and disaster recovery plan |
144 |
|
| |
References |
144 |
|
| |
Business Continuity and Disaster Recovery in Energy/Utilities |
146 |
|
| |
Introduction |
146 |
|
| |
Integrating BC/DR requirements into IT governance |
148 |
|
| |
BC/DR requirements definition |
149 |
|
| |
IT service level definition |
150 |
|
| |
Application recovery procedures |
151 |
|
| |
Summary of integrating BC/DR requirements into IT governance |
152 |
|
| |
Improving BC/DR recovery and risk mitigation strategies |
153 |
|
| |
Ensuring access to BC/DR documentation in a disaster |
153 |
|
| |
Change approval board and technical change review committees |
155 |
|
| |
Security control testing |
156 |
|
| |
Separation of duties |
157 |
|
| |
Centralized security vulnerability assessment |
157 |
|
| |
IT network vulnerability assessment |
158 |
|
| |
Security control baselines and change detection |
159 |
|
| |
Data center and network |
159 |
|
| |
Compute and data |
160 |
|
| |
Self-service application failover and failback |
164 |
|
| |
Industrial control systems |
165 |
|
| |
Summary of improving BC/DR recovery and risk mitigation strategies |
167 |
|
| |
Improving BC/DR testing |
168 |
|
| |
Recovery from actual incidents: Postmortems and documenting lessons learned |
168 |
|
| |
Scheduled BC/DR tests |
169 |
|
| |
Corporate data center redundancy testing |
170 |
|
| |
EMS SCADA EOC testing |
171 |
|
| |
SOx 404 application recovery testing |
172 |
|
| |
NERC CIP-009 recovery testing |
173 |
|
| |
Enterprise business continuity testing |
174 |
|
| |
Summary of scheduled BC/DR testing |
174 |
|
| |
Summary of best practices and key concepts |
175 |
|
| |
References |
175 |
|
| |
Chapter 4: Risk Assessment |
176 |
|
| |
Introduction |
176 |
|
| |
Risk management basics |
178 |
|
| |
Risk management process |
180 |
|
| |
Threat assessment |
181 |
|
| |
Vulnerability assessment |
182 |
|
| |
Impact assessment |
183 |
|
| |
Risk mitigation strategy development |
183 |
|
| |
People, process, technology, and infrastructure in risk management |
184 |
|
| |
People |
184 |
|
| |
Process |
185 |
|
| |
Technology |
185 |
|
| |
Infrastructure |
186 |
|
| |
IT-Specific risk management |
186 |
|
| |
IT Risk management objectives |
187 |
|
| |
The system development lifecycle model |
188 |
|
| |
Risk assessment components |
191 |
|
| |
Information gathering methods |
193 |
|
| |
Natural and environmental threats |
194 |
|
| |
Fire |
194 |
|
| |
Floods |
196 |
|
| |
Severe winter storms |
198 |
|
| |
Electrical storms |
200 |
|
| |
Drought |
202 |
|
| |
Earthquake |
203 |
|
| |
Tornados |
205 |
|
| |
Hurricanes/typhoons/cyclones |
205 |
|
| |
Tsunamis |
207 |
|
| |
Volcanoes |
207 |
|
| |
Avian Flu/pandemics |
208 |
|
| |
Human threats |
210 |
|
| |
Fire |
210 |
|
| |
Theft, sabotage, and vandalism |
211 |
|
| |
Labor disputes |
212 |
|
| |
Workplace violence |
212 |
|
| |
Terrorism |
213 |
|
| |
Chemical or biological hazards |
214 |
|
| |
War |
215 |
|
| |
Cyber threats |
215 |
|
| |
Cyber crime |
217 |
|
| |
Loss of records or data-theft, sabotage, vandalism |
219 |
|
| |
IT system failure-theft, sabotage, vandalism |
220 |
|
| |
Infrastructure threats |
220 |
|
| |
Building-specific failures |
220 |
|
| |
Public transportation disruption |
221 |
|
| |
Loss of utilities |
221 |
|
| |
Disruption to oil or petroleum supplies |
222 |
|
| |
Food or water contamination |
222 |
|
| |
Regulatory or legal changes |
223 |
|
| |
Threat checklist |
224 |
|
| |
Threat assessment methodology |
227 |
|
| |
Quantitative threat assessment |
228 |
|
| |
Qualitative threat assessment |
232 |
|
| |
Vulnerability assessment |
236 |
|
| |
People, process, technology, and infrastructure |
239 |
|
| |
People |
239 |
|
| |
Process |
240 |
|
| |
Technology |
241 |
|
| |
Infrastructure |
241 |
|
| |
Vulnerability assessment |
241 |
|
| |
Summary |
244 |
|
| |
Key concepts |
246 |
|
| |
Risk management basics |
246 |
|
| |
Risk assessment components |
247 |
|
| |
Threat assessment methodology |
247 |
|
| |
Vulnerability assessment |
248 |
|
| |
References |
248 |
|
| |
Business Continuity and Disaster Recovery in Healthcare |
300 |
|
| |
Introduction to healthcare IT |
300 |
|
| |
Types of healthcare organizations |
302 |
|
| |
Hospitals |
303 |
|
| |
Skilled nursing facility |
303 |
|
| |
Physician offices |
303 |
|
| |
Ambulatory clinics |
304 |
|
| |
Pharmacies |
304 |
|
| |
Other types of organizations |
305 |
|
| |
Summary of healthcare organizations |
305 |
|
| |
The rising cost of healthcare |
305 |
|
| |
Governmental incentives and penalties |
306 |
|
| |
HIEs and Accountable Care Organizations |
308 |
|
| |
Health information exchanges |
308 |
|
| |
Accountable Care Organizations |
309 |
|
| |
Integration of healthcare IT and medical equipment |
310 |
|
| |
Consumer-driven healthcare |
311 |
|
| |
Real-time data |
312 |
|
| |
Summary |
313 |
|
| |
Regulatory environment |
314 |
|
| |
Centers for Medicare and Medicaid Services/Joint Commission on Accreditation of Healthcare Organizations |
314 |
|
| |
U.S. Food and Drug Administration |
315 |
|
| |
Health Insurance Portability and Accountability Act |
317 |
|
| |
Health Information Technology for Economic and Clinical Health |
319 |
|
| |
Payment Card Industry |
320 |
|
| |
State and local requirements |
321 |
|
| |
Healthcare IT risk management |
321 |
|
| |
Patient safety |
322 |
|
| |
Patient care |
323 |
|
| |
Organizational solvency |
323 |
|
| |
Facility management |
324 |
|
| |
Technical needs-Healthcare IT architecture |
324 |
|
| |
Clinical systems |
325 |
|
| |
Business systems |
326 |
|
| |
Types of data |
327 |
|
| |
Structured |
328 |
|
| |
Unstructured |
328 |
|
| |
Semi-structured |
328 |
|
| |
Types of systems and storage |
329 |
|
| |
Network core, medical network, and guest network |
330 |
|
| |
Wireless/RFID |
332 |
|
| |
Security infrastructure |
333 |
|
| |
End user devices |
334 |
|
| |
Healthcare operational needs |
335 |
|
| |
Admitting |
335 |
|
| |
Insurance verification and billing services |
336 |
|
| |
Clinical care |
338 |
|
| |
Physician |
338 |
|
| |
Nursing |
339 |
|
| |
Support services |
339 |
|
| |
Interoperability among disparate systems |
340 |
|
| |
Electronic medical record |
340 |
|
| |
Diagnostic imaging |
341 |
|
| |
Medical equipment |
341 |
|
| |
Food services |
341 |
|
| |
Environmental services |
341 |
|
| |
Billing and payment systems |
342 |
|
| |
Payroll |
342 |
|
| |
Human resources |
343 |
|
| |
Current environment and new technology |
343 |
|
| |
Advances in data storage and replication |
343 |
|
| |
Mobile devices |
344 |
|
| |
Virtualization and cloud computing |
345 |
|
| |
Communication systems |
347 |
|
| |
Current environment and new technology summary |
348 |
|
| |
Healthcare IT BC/DR best practices |
348 |
|
| |
Security frameworks |
348 |
|
| |
National Institute of Standards and Technology |
349 |
|
| |
ISO/IEC 27000 series |
349 |
|
| |
HITRUST common security framework |
349 |
|
| |
Information Technology Information Library |
350 |
|
| |
Best practices |
351 |
|
| |
Summary |
353 |
|
| |
Overview of healthcare IT |
353 |
|
| |
Regulatory requirements |
353 |
|
| |
Healthcare IT risk management |
354 |
|
| |
Technical needs-Healthcare IT architecture |
354 |
|
| |
Healthcare operational needs |
355 |
|
| |
Interoperability among disparate systems-Integration in healthcare IT |
355 |
|
| |
Current environment and new technology |
356 |
|
| |
Healthcare IT BC/DR best practices |
356 |
|
| |
Key concepts |
357 |
|
| |
References |
360 |
|
| |
Chapter 6: Risk Mitigation Strategy Development |
362 |
|
| |
Introduction |
362 |
|
| |
Types of risk mitigation strategies |
364 |
|
| |
Risk acceptance |
365 |
|
| |
Risk avoidance |
365 |
|
| |
Risk limitation |
366 |
|
| |
Risk transference |
366 |
|
| |
The risk mitigation process |
368 |
|
| |
Recovery requirements |
368 |
|
| |
Recovery options |
368 |
|
| |
As needed |
370 |
|
| |
Prearranged |
370 |
|
| |
Preestablished |
370 |
|
| |
Recovery time of options |
371 |
|
| |
Cost versus capability of recovery options |
372 |
|
| |
Recovery service level agreements |
372 |
|
| |
Review existing controls |
374 |
|
| |
Developing your risk mitigation strategy |
375 |
|
| |
Sample 1: Section from Mitigation Strategy for Critical Data |
376 |
|
| |
Sample 2: Section from Mitigation Strategy for Critical Data |
377 |
|
| |
People, buildings, and infrastructure |
379 |
|
| |
IT risk mitigation |
380 |
|
| |
Critical data and records |
381 |
|
| |
Critical systems and infrastructure |
381 |
|
| |
Reviewing critical system priorities |
382 |
|
| |
Backup and recovery considerations |
383 |
|
| |
Alternate business processes |
383 |
|
| |
IT recovery systems |
384 |
|
| |
Alternate sites |
384 |
|
| |
Fully mirrored site |
384 |
|
| |
Hot site |
385 |
|
| |
Warm site |
385 |
|
| |
Mobile site |
385 |
|
| |
Cold site |
386 |
|
| |
Reciprocal site |
386 |
|
| |
Storage and disk systems |
386 |
|
| |
Desktop solutions |
387 |
|
| |
Software and licensing |
388 |
|
| |
Web sites |
388 |
|
| |
Documenting Your Risk Mitigation Strategy |
389 |
|
| |
Summary |
390 |
|
| |
Key concepts |
390 |
|
| |
Types of risk mitigation strategies |
390 |
|
| |
Risk mitigation process |
391 |
|
| |
IT risk mitigation |
392 |
|
| |
Backup and recovery considerations |
392 |
|
| |
References |
392 |
|
| |
Chapter 7: Business Continuity/Disaster Recovery Plan Development |
394 |
|
| |
Introduction |
394 |
|
| |
Implement risk mitigation strategies |
396 |
|
| |
Phases of business continuity and disaster |
400 |
|
| |
Activation phase |
400 |
|
| |
Minor disaster or disruption |
401 |
|
| |
Intermediate disaster or disruption |
402 |
|
| |
Major disaster or disruption |
403 |
|
| |
Activating BC/DR teams |
403 |
|
| |
Developing triggers |
404 |
|
| |
Transition trigger-Activation to recovery |
405 |
|
| |
Recovery phase |
406 |
|
| |
Transition trigger-Recovery to continuity |
406 |
|
| |
Business continuity phase |
407 |
|
| |
Maintenance/review phase |
408 |
|
| |
Defining BC/DR teams and key personnel |
408 |
|
| |
Crisis management team |
409 |
|
| |
Management |
410 |
|
| |
Damage assessment team |
410 |
|
| |
Operations assessment team |
410 |
|
| |
IT team |
411 |
|
| |
Administrative support team |
411 |
|
| |
Transportation and relocation team |
411 |
|
| |
Media relations team |
412 |
|
| |
Human resources team |
412 |
|
| |
Legal affairs team |
412 |
|
| |
Physical/personnel security team |
413 |
|
| |
Procurement team (equipment and supplies) |
413 |
|
| |
General team guidelines |
414 |
|
| |
BC/DR contact information |
415 |
|
| |
Defining tasks and assigning resources |
417 |
|
| |
Alternate site |
418 |
|
| |
Selection criteria |
418 |
|
| |
Contractual terms |
419 |
|
| |
Comparison process |
419 |
|
| |
Acquisition and testing |
419 |
|
| |
Cloud services |
420 |
|
| |
Contracts for BC/DR services |
422 |
|
| |
Develop clear functional and technical requirements |
422 |
|
| |
Determine required service levels |
422 |
|
| |
Compare vendor proposal/response to requirements |
423 |
|
| |
Identify requirements not met by vendor proposal |
423 |
|
| |
Identify vendor options not specified in requirements |
424 |
|
| |
Communications plans |
425 |
|
| |
Internal |
425 |
|
| |
Employee |
425 |
|
| |
Customers and vendors |
426 |
|
| |
Shareholders |
426 |
|
| |
The community and the public |
426 |
|
| |
Event logs, change control, and appendices |
427 |
|
| |
Event logs |
428 |
|
| |
Change control |
429 |
|
| |
Distribution |
430 |
|
| |
Appendices |
431 |
|
| |
Additional resources |
432 |
|
| |
What's next |
432 |
|
| |
Summary |
433 |
|
| |
Key concepts |
434 |
|
| |
Phases of business continuity and disaster recovery |
434 |
|
| |
Defining BC/DR teams and key personnel |
434 |
|
| |
Defining tasks and assigning resources |
435 |
|
| |
Communications plans |
435 |
|
| |
Event logs and change control |
436 |
|
| |
Appendices |
436 |
|
| |
References |
436 |
|
| |
Business Continuity and Disaster Recovery in Financial Services |
438 |
|
| |
Overview |
438 |
|
| |
Finance industry regulation overview |
438 |
|
| |
United States financial regulation |
439 |
|
| |
European financial regulation |
440 |
|
| |
Other regions financial regulation |
440 |
|
| |
Finance industry requirements for business continuity |
441 |
|
| |
Industry impact-September 11 attacks |
441 |
|
| |
Industry impact-Hurricane Sandy |
445 |
|
| |
Industry impact-Cyber threats |
447 |
|
| |
Looking forward |
449 |
|
| |
Summary |
450 |
|
| |
References |
450 |
|
| |
Chapter 8: Emergency Response and Recovery |
452 |
|
| |
Introduction |
452 |
|
| |
Emergency management overview |
453 |
|
| |
Emergency response plans |
453 |
|
| |
Emergency response teams |
455 |
|
| |
Crisis management team |
457 |
|
| |
Emergency response and disaster recovery |
458 |
|
| |
Alternate facilities review and management |
458 |
|
| |
Crisis communications |
458 |
|
| |
Human resources |
460 |
|
| |
Legal |
461 |
|
| |
Insurance |
461 |
|
| |
Finance |
461 |
|
| |
Disaster recovery |
461 |
|
| |
Activation and emergency response checklists |
462 |
|
| |
Recovery checklists |
462 |
|
| |
IT recovery tasks |
463 |
|
| |
Computer incident response |
466 |
|
| |
CIRT responsibilities |
467 |
|
| |
Monitor |
467 |
|
| |
Alert and mobilize |
467 |
|
| |
Assess and stabilize |
468 |
|
| |
Resolve |
468 |
|
| |
Review |
468 |
|
| |
Business continuity |
469 |
|
| |
Summary |
471 |
|
| |
Key concepts |
472 |
|
| |
Emergency management overview |
472 |
|
| |
Emergency response plans |
472 |
|
| |
Crisis management team |
473 |
|
| |
Disaster recovery |
473 |
|
| |
IT recovery |
473 |
|
| |
Business continuity |
474 |
|
| |
References |
474 |
|
| |
Business Continuity and Disaster Recovery for Small- and Medium-Sized Businesses |
476 |
|
| |
Overview of SMB disaster recovery |
476 |
|
| |
SMB disaster preparedness: Survey results |
478 |
|
| |
On-Premise disaster recovery |
478 |
|
| |
SMB case studies |
480 |
|
| |
High availability at 24 Seven Talent |
480 |
|
| |
Affigent fails over before the storm |
481 |
|
| |
Using a Co-location data center for disaster recovery |
481 |
|
| |
The value of co-location data centers in a disaster |
482 |
|
| |
Tips for selecting a co-location provider |
482 |
|
| |
What does a co-location center cost? |
483 |
|
| |
SMB case study: Balancing internal capability and cost with co-location data centers for DR |
484 |
|
| |
Disaster recovery in the cloud |
485 |
|
| |
Disaster recovery in the cloud options |
487 |
|
| |
Managed applications and managed DR |
489 |
|
| |
Back up to and restore from the cloud |
489 |
|
| |
Back up to and restore to the cloud |
490 |
|
| |
Replication to VMs in the cloud |
490 |
|
| |
Protecting branch offices with cloud disaster recovery |
490 |
|
| |
Virtualize and consolidate servers |
491 |
|
| |
Virtualize and streamline data storage and backup |
491 |
|
| |
Virtualize applications and desktops |
492 |
|
| |
Deploy application acceleration and WAN optimization |
493 |
|
| |
SMB case studies |
494 |
|
| |
Snowmaggedon and Snowpocalypse |
494 |
|
| |
Amazon Web Services to the rescue |
494 |
|
| |
LAUSD implements snapshot-based cloud backup |
495 |
|
| |
Psomas moves DR to the cloud |
496 |
|
| |
Private cloud DR plans help BUMI |
496 |
|
| |
Sprott switches course to cloud DR service provider |
497 |
|
| |
University turns to cloud backup for data protection |
498 |
|
| |
Summary |
499 |
|
| |
Key concepts |
499 |
|
| |
Overview of SMB disaster recovery |
499 |
|
| |
SMB disaster preparedness: Survey results |
500 |
|
| |
On-premise disaster recovery |
500 |
|
| |
Using a co-location data center for disaster recovery |
501 |
|
| |
Disaster recovery in the cloud |
501 |
|
| |
References |
502 |
|
| |
Chapter 9: Training, Testing, and Auditing |
504 |
|
| |
Introduction |
504 |
|
| |
Training for disaster recovery and business continuity |
504 |
|
| |
Emergency response |
505 |
|
| |
Disaster recovery and business continuity training overview |
506 |
|
| |
Training scope, objectives, timelines, and requirements |
506 |
|
| |
Performing training needs assessment |
507 |
|
| |
Developing training |
508 |
|
| |
Scheduling and delivering training |
509 |
|
| |
Monitoring and measuring training |
510 |
|
| |
Training and testing for your business continuity and disaster recovery plan |
510 |
|
| |
Paper walk-through |
512 |
|
| |
Develop realistic scenarios |
513 |
|
| |
Develop evaluation criteria |
513 |
|
| |
Provide copies of the plan |
514 |
|
| |
Divide participants by team |
515 |
|
| |
Use checklists |
515 |
|
| |
Take notes |
515 |
|
| |
Identify training needs |
515 |
|
| |
Develop summary and lessons learned |
515 |
|
| |
Functional exercises |
516 |
|
| |
Field exercises |
517 |
|
| |
Full interruption test |
517 |
|
| |
Training plan implementers |
518 |
|
| |
Testing the BC/DR plan |
518 |
|
| |
Understanding of processes |
519 |
|
| |
Validation of task integration |
520 |
|
| |
Confirm steps |
520 |
|
| |
Confirm resources |
520 |
|
| |
Familiarize with information flow |
520 |
|
| |
Identify gaps or weaknesses |
521 |
|
| |
Determine cost and feasibility |
521 |
|
| |
Test evaluation criteria |
523 |
|
| |
Recommendations |
524 |
|
| |
Performing IT systems and security audits |
524 |
|
| |
IT systems and security audits |
524 |
|
| |
Summary |
526 |
|
| |
Key concepts |
528 |
|
| |
Training for emergency response, disaster recovery, and business continuity |
528 |
|
| |
Testing your business continuity and disaster recovery plan |
528 |
|
| |
Performing IT systems audits |
529 |
|
| |
References |
529 |
|
| |
Chapter 10: BC/DR Plan Maintenance |
530 |
|
| |
Introduction |
530 |
|
| |
BC/DR plan change management |
531 |
|
| |
Training, testing, and auditing |
532 |
|
| |
Changes in information technologies |
532 |
|
| |
Changes in operations |
533 |
|
| |
Corporate changes |
534 |
|
| |
Legal, regulatory, or compliance changes |
535 |
|
| |
Strategies for managing change |
535 |
|
| |
Monitor change |
536 |
|
| |
People |
536 |
|
| |
Process |
536 |
|
| |
Technology |
536 |
|
| |
Evaluate and incorporate change |
537 |
|
| |
BC/DR plan audit |
538 |
|
| |
Plan maintenance activities |
539 |
|
| |
Project close out |
540 |
|
| |
Summary |
541 |
|
| |
Key concepts |
543 |
|
| |
BC/DR plan change management |
543 |
|
| |
Strategies for managing change |
543 |
|
| |
BC/DR plan audit |
544 |
|
| |
Plan maintenance activities |
544 |
|
| |
Project close out |
544 |
|
| |
Appendix A: Risk Management Checklist |
546 |
|
| |
Risk assessment |
546 |
|
| |
Threat and vulnerability checklist |
546 |
|
| |
Natural hazards |
546 |
|
| |
Cold weather-related hazards |
546 |
|
| |
Warm weather-related hazards |
546 |
|
| |
Geological hazards |
547 |
|
| |
Human-caused hazards |
547 |
|
| |
Accidents and technological hazards |
548 |
|
| |
Threat and vulnerability assessment |
549 |
|
| |
Business impact analysis |
549 |
|
| |
Mitigation strategies |
549 |
|
| |
Appendix B: Crisis Communications Checklist |
552 |
|
| |
Communication checklist |
552 |
|
| |
Message content |
553 |
|
| |
Appendix C: Emergency Response and Recovery Checklists |
554 |
|
| |
High-level checklist |
554 |
|
| |
Activation checklists |
555 |
|
| |
Initial response |
555 |
|
| |
Damage and situation assessment |
555 |
|
| |
Disaster declaration and notification |
556 |
|
| |
Emergency response checklists |
556 |
|
| |
Emergency checklist one: General emergency response |
556 |
|
| |
Emergency checklist two: Evacuation or shelter-in-place response |
557 |
|
| |
Emergency checklist three: Specific emergency responses |
557 |
|
| |
Emergency checklist four: Emergency response contact list, maps, and floor plans |
557 |
|
| |
Emergency checklist five: Emergency supplies and equipment |
558 |
|
| |
Recovery checklists |
558 |
|
| |
Recovery checklist one: General |
558 |
|
| |
Recovery checklist two: Inspection, assessment, and salvage |
559 |
|
| |
Appendix D: Business Continuity Checklist |
562 |
|
| |
Resuming work |
562 |
|
| |
Resuming operations |
562 |
|
| |
Human resources |
563 |
|
| |
Insurance and legal |
563 |
|
| |
Manufacturing, warehouse, production, and operations |
564 |
|
| |
Resuming normal operations |
564 |
|
| |
Existing facility |
565 |
|
| |
New facility |
565 |
|
| |
Transition to normalized activities |
566 |
|
| |
Appendix E: IT Recovery Checklists |
568 |
|
| |
IT recovery checklist one: Infrastructure |
568 |
|
| |
Recovery checklist two: Applications |
569 |
|
| |
Recovery checklist three: Office area and end-user recovery |
569 |
|
| |
Recovery checklist four: Business process recovery |
570 |
|
| |
Recovery checklist five: Manufacturing, production, and operations recovery |
570 |
|
| |
Appendix F: Training, Testing, and Auditing Checklists |
572 |
|
| |
Training and testing |
572 |
|
| |
IT auditing |
572 |
|
| |
Appendix G: BC/DR Plain Maintenance Checklist |
574 |
|
| |
Change management |
574 |
|
| |
Glossary of Terms |
576 |
|
| |
Index |
590 |
|
