158 5.2 Planning for Handling the Emergency
revised every two years and can be acquired through any of the agencies
listed above.
Other examples include the Federal Computer Security Act, which covers instances of computer fraud, abuse, and the misappropriation of computerized assets. The IRS Records Retention Requirements is an example of a Vital Records Management Statute. All of these various statutes are based on the precept of Standard of Care, which is described [4] as “. . . directors and officers owe a duty to the corporation to be vigilant and to exercise ordinary or reasonable care and diligence and the utmost good faith and fidelity to conserve the corporate property; and, if a loss or depletion of assets results from their willful or negligent failure to perform their duties, or to a willful or fraudulent abuse of their trust, they are liable, provided such losses were the natural and necessary consequences of omission on their part . . .”
Courts will assess liability by determining the probability of loss, multiplied by the magnitude of the harm, balanced against the cost of prevention. Should your company ever end up in court, the burden of proof would be on your company to prove that all reasonable measures had been taken to mitigate the harm caused by the disaster. There are clearly enough legal precedents for the courts to draw on in determining whether a “Standard of Care” was maintained or whether “Due Diligence” was exercised in mitigating the effects of the disaster on your company's critical business operations. As a result of these statutes, information technology professionals are now held to a standard of reasonable care, and can breach that standard simply by not diligently pursuing the development of a disaster recovery plan.
5.2 Planning for Handling the Emergency
The first stage of handling an emergency involves an assessment of the situation. The assessment must determine whether the disaster recovery team (DRT) is required to be involved. This section explains how the process of identification of the emergency situation should occur, when it is necessary to call in the DRT, and how to determine the scale of the emergency.
If a disaster recovery plan does not already exist, it will be necessary to initiate the preparation of the first version of such a plan. In order to initiate a planning project, the Board and/or top-level management would normally receive a proposal. Projects as important as DRP development should be approved at the highest level to ensure the required level of commitment, resources, and management attention are applied to the process. The
proposal should present the reasons for undertaking the project, and could include some or all of the following:
- Increased dependency by the business over recent years on computerized production and sales delivery mechanisms, thereby creating increased risk of loss of normal services
- Increased dependency by the business over recent years on computerized information systems
- Increased recognition of the impact that a serious incident could have on the business
- Necessity of establishing a formal process to be followed when a disaster occurs
- Intention of reducing costs and losses arising from serious incidents
- Increased likelihood of inadequate IT and information security safeguards
- Necessity of developing effective backup and recovery strategies to mitigate the impact of disruptive events
- Avoidance of business failure from disruptive incidents
5.2.1 Planning and Insurance Considerations
Consider making contractual arrangements with vendors for such post-emergency services as records preservation, equipment repair, earthmoving, or engineering. Meet with your insurance carriers to discuss your property and business resumption policies. Most companies discover that they are not properly insured only after they have suffered a loss. The lack of appropriate insurance can be financially devastating. Discuss the following topics with your insurance advisor to determine your individual needs:
- How will my property be valued?
- Does my policy cover the cost of required upgrades to code?
- How much insurance am I required to carry to avoid becoming a co-insurer?
- What perils or causes of loss does my policy cover?
- What are my deductibles?