revised every two years and can be acquired through any of the agencies
listed above.
Other examples include the Federal Computer Security Act, which covers
instances of computer fraud, abuse, and the misappropriation of
computerized assets. The IRS Records Retention Requirements is an example of
a Vital Records Management Statute. All of these various statutes are based
on the precept of Standard of Care, which is described [4] as “. . . directors
and officers owe a duty to the corporation to be vigilant and to exercise
ordinary or reasonable care and diligence and the utmost good faith and
fidelity to conserve the corporate property; and, if a loss or depletion of
assets results from their willful or negligent failure to perform their duties,
or to a willful or fraudulent abuse of their trust, they are liable, provided
such losses were the natural and necessary consequences of omission on
their part . . .”
Courts will assess liability by determining the probability of loss,
multiplied by the magnitude of the harm, balanced against the cost of
prevention. Should your company ever end up in court, the burden of proof
would be on your company to prove that all reasonable measures had been
taken to mitigate the harm caused by the disaster. There are clearly enough
legal precedents for the courts to draw on in determining whether a
“Standard of Care” was maintained or whether “Due Diligence” was exercised in
mitigating the effects of the disaster on your company’s critical business
operations. As a result of these statutes, information technology
professionals are now held to a standard of reasonable care, and can breach
that standard simply by not diligently pursuing the development of a disaster
recovery plan.
5.2 Planning for Handling the Emergency
The first stage of handling an emergency involves an assessment of the
situation. The assessment must determine whether the disaster recovery team
(DRT) is required to be involved. This section explains how the emergency
situation should be identified, when it is necessary to call in the DRT,
and how to determine the scale of the emergency.
If a disaster recovery plan does not already exist, it will be necessary to
initiate the preparation of the first version of such a plan. In order to initiate
a planning project, the Board and/or top-level management would normally
receive a proposal. Projects as important as DRP development should
be approved at the highest level to ensure that the required level of
commitment, resources, and management attention is applied to the process. The