You are previewing Business Continuity & Disaster Recovery for IT Professionals.
O'Reilly logo
Business Continuity & Disaster Recovery for IT Professionals

Book Description

Increase Your Company's Odds of Surviving a Major Disaster Powerful Earthquake Triggers Tsunami in Pacific. Hurricane Katrina Makes Landfall in the Gulf Coast. Avalanche Buries Highway in Denver. Tornado Touches Down in Georgia... These headlines not only have caught the attention of people around the world, they have had a significant effect on IT professionals as well. As technology continues to become more integral to corporate operations at every level of the organization, the job of IT has expanded to become almost all-encompassing. These days, it's difficult to find corners of a company that technology does not touch. As a result, the need to plan for potential disruptions to technology services has increased exponentially. Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are emerging as the 'next big thing' in corporate IT circles. With distributed networks, increasing demands for confidentiality, integrity and availability of data, and the widespread risks to the security of personal, confidential and sensitive data, no organization can afford to ignore the need for disaster planning. The British Standards Institute is releasing a new standard for BCP this year, the Disaster Recovery Institute has developed a certification for DRP/BCP professionals in conjunction with the British Standards Institute, trade shows are popping up on this topic and the news is filled with companies facing disasters from all sides. In this book you will find: * Complete coverage of the 3 categories of disaster: natural hazards, human-caused hazards, and accidental/ technical hazards. * Updated information on risks from cyber attacks, rioting, protests, product tampering, bombs, explosions, and terrorism. * Extensive disaster planning and readiness checkli

Table of Contents

  1. Copyright
  2. Visit us at www.syngress.com
  3. Acknowledgments
  4. About the Author
  5. Introduction
  6. 1. Business Continuity and Disaster Recovery Overview
    1. Introduction
    2. Business Continuity and Disaster Recovery Defined
    3. Components of Business
      1. People in BC/DR Planning
      2. Process in BC/DR Planning
      3. Technology in BC/DR Planning
    4. The Cost of Planning versus the Cost of Failure
      1. People
      2. Process
      3. Technology
    5. Types of Disasters to Consider
      1. Natural Hazards
      2. Cold Weather Related Hazards
      3. Warm Weather Related Hazards
      4. Geological Hazards
      5. Human-Caused Hazards
      6. Accidents and Technological Hazards
      7. Electronic Data Threats
        1. Personal Privacy
        2. Privacy Standards and Legislation
          1. Gramm-Leach-Bliley Act (GLBA)
          2. Health Insurance Portability and Accountability Act (HIPAA)
        3. Social Engineering
        4. Fraud and Theft
          1. General Business Fraud
        5. Managing Access
    6. Business Continuity and Disaster Recovery Planning Basics
      1. Project Initiation
      2. Risk Assessment
      3. Business Impact Analysis
      4. Mitigation Strategy Development
      5. Plan Development
      6. Training, Testing, Auditing
      7. Plan Maintenance
    7. Summary
    8. Solutions Fast Track
      1. Business Continuity and Disaster Recovery Defined
      2. Components of Business
      3. The Cost of Planning versus the Cost of Failure
      4. Types of Disasters to Consider
      5. Business Continuity and Disaster Recovery Planning Basics
    9. Frequently Asked Questions
  7. 1. Legal Obligations Regarding Data Security
    1. Background
      1. The ChoicePoint Incident
    2. State Laws Regarding Data Security
      1. Notice of Security Breach Laws
        1. Definition of Personal Information
        2. What Triggers Notice Requirements?
          1. Notification Procedure
          2. Penalties
          3. Safeguarding Personal Data State Laws
    3. Federal Laws Regarding Data Security
      1. U.S. House of Representatives Proposed Bill
      2. U.S. Senate Proposed Bill
    4. Conclusion
    5. Footnotes
    6. Frequently Asked Questions
  8. 2. Project Initiation
    1. Introduction
    2. Elements of Project Success
      1. Executive Support
      2. User Involvement
      3. Experienced Project Manager
      4. Clearly Defined Project Objectives
      5. Clearly Defined Project Requirements
      6. Clearly Defined Scope
      7. Shorter Schedule, Multiple Milestones
      8. Clearly Defined Project Management Process
    3. Project Plan Components
      1. Project Definition
        1. Problem and Mission Statement
        2. Potential Solutions
        3. Requirements and Constraints
        4. Success Criteria
        5. Project Proposal
        6. Estimates
        7. Project Sponsor
      2. Forming the Project Team
        1. Organizational
        2. Technical
        3. Logistical
        4. Political
      3. Project Organization
        1. Project Objectives
          1. Business Continuity Plan
          2. Continuity of Operations Plan
          3. Disaster Recovery Plan
          4. Crisis Communication Plan
          5. Cyber Incident Response Plan (CIRP)
          6. Occupant Emergency Plan
        2. Project Stakeholders
        3. Project Requirements
        4. Project Parameters
        5. Project Infrastructure
        6. Project Processes
          1. Team Meetings
          2. Reporting
          3. Escalation
          4. Project Progress
          5. Change Control
          6. Quality Control
          7. Project Communication Plan
      4. Project Planning
        1. Work Breakdown Structure
        2. Critical Path
      5. Project Implementation
        1. Managing Progress
        2. Managing Change
      6. Project Tracking
      7. Project Close Out
    4. Key Contributors and Responsibilities
      1. Information Technology
        1. Experience Working on a Cross-Departmental Team
        2. Ability to Communicate Effectively
        3. Ability to Work Well with a Wide Variety of People
        4. Experience with Critical Business and Technology Systems
        5. IT Project Management Leadership
      2. Human Resources
      3. Facilities/Security
      4. Finance/Legal
      5. Warehouse/Inventory/Manufacturing/Research
      6. Purchasing/Logistics
      7. Marketing and Sales
      8. Public Relations
    5. Project Definition
      1. Business Requirements
      2. Functional Requirements
      3. Technical Requirements
    6. Business Continuity and Disaster Recovery Project Plan
      1. Project Definition, Risk Assessment
      2. Business Impact Analysis
      3. Risk Mitigation Strategies
      4. Plan Development
      5. Emergency Preparation
      6. Training, Testing, Auditing
      7. Plan Maintenance
    7. Summary
    8. Solutions Fast Track
      1. Elements of Project Success
      2. Project Plan Components
      3. Key Contributors and Responsibilities
      4. Project Definition
      5. Business Continuity and Disaster Recovery Plan
    9. Frequently Asked Questions
  9. 2. The Financial Impact of Disasters and Disruptions
    1. Introduction
    2. Financial Aspects of Business Disruptions
      1. Cash Flow
      2. Lower Revenues
        1. Sales Activities
        2. Order Fulfillment
        3. Order Shipment
        4. Accounts Receivable
      3. Higher Costs
      4. Impact on Cash Flow
      5. Impact on Valuation and Ability to Raise Capital
    3. Summary
  10. 3. Risk Assessment
    1. Introduction
    2. Risk Management Basics
      1. Risk Management Process
        1. Threat Assessment
        2. Vulnerability Assessment
        3. Impact Assessment
        4. Risk Mitigation Strategy Development
      2. People, Process, Technology, and Infrastructure in Risk Management
        1. People
        2. Process
        3. Technology
        4. Infrastructure
      3. IT-Specific Risk Management
        1. IT Risk Management Objectives
        2. The System Development Lifecycle Model
    3. Risk Assessment Components
      1. Information Gathering Methods
      2. Natural and Environmental Threats
        1. Fire
        2. Floods
        3. Severe Winter Storms
        4. Electrical Storms
        5. Drought
        6. Earthquake
        7. Tornados
        8. Hurricanes/Typhoons/Cyclones
        9. Tsunamis
        10. Volcanoes
        11. Avian Flu/Pandemics
      3. Human Threats
        1. Fire
        2. Theft, Sabotage, Vandalism
        3. Labor Disputes
        4. Workplace Violence
        5. Terrorism
        6. Chemical or Biological Hazards
        7. War
        8. Cyber Threats
          1. Cyber Crime
          2. Loss of Records or Data-Theft, Sabotage, Vandalism
          3. IT System Failure-Theft, Sabotage, Vandalism
      4. Infrastructure Threats
        1. Building Specific Failures
        2. Public Transportation Disruption
        3. Loss of Utilities
        4. Disruption to Oil or Petroleum Supplies
        5. Food or Water Contamination
        6. Regulatory or Legal Changes
      5. Threat Checklist
    4. Threat Assessment Methodology
      1. Quantitative Threat Assessment
      2. Qualitative Threat Assessment
    5. Vulnerability Assessment
      1. People, Process, Technology, and Infrastructure
        1. People
        2. Process
        3. Technology
        4. Infrastructure
      2. Vulnerability Assessment
    6. Summary
    7. Solutions Fast Track
      1. Risk Management Basics
      2. Risk Assessment Components
      3. Threat Assessment Methodology
      4. Vulnerability Assessment
    8. Frequently Asked Questions
  11. 4. Business Impact Analysis
    1. Introduction
    2. Business Impact Analysis Overview
      1. Upstream and Downstream Losses
      2. Understanding the Human Impact
        1. Key Positions
        2. Human Needs
    3. Understanding Impact Criticality
      1. Criticality Categories
        1. Mission-Critical
        2. Vital
        3. Important
        4. Minor
      2. Recovery Time Requirements
    4. Identifying Business Functions
      1. Facilities and Security
      2. Finance
      3. Human Resources
      4. IT
      5. Legal/Compliance
      6. Manufacturing (Assembly)
      7. Marketing and Sales
      8. Operations
      9. Research and Development
      10. Warehouse (Inventory, Order Fulfillment, Shipping, Receiving)
      11. Other Areas
    5. Gathering Data for the Business Impact Analysis
      1. Data Collection Methodologies
        1. Questionnaires
        2. Interviews
        3. Workshops
    6. Determining the Impact
    7. Business Impact Analysis Data Points
      1. Understanding IT Impact
      2. Example of Business Impact Analysis For Small Business
    8. Preparing the Business Impact Analysis Report
    9. Summary
    10. Solutions Fast Track
      1. Business Impact Analysis Overview
      2. Understanding Impact Criticality
      3. Identifying Business Functions
      4. Gathering Impact Data
      5. Determining Impact
      6. Business Impact Analysis Data Points
    11. Frequently Asked Questions
  12. 5. Mitigation Strategy Development
    1. Introduction
    2. Types of Risk Mitigation Strategies
      1. Risk Acceptance
      2. Risk Avoidance
      3. Risk Limitation
      4. Risk Transference
    3. The Risk Mitigation Process
      1. Recovery Requirements
      2. Recovery Options
        1. As Needed
        2. Prearranged
        3. Preestablished
      3. Recovery Time of Options
      4. Cost versus Capability of Recovery Options
      5. Recovery Service Level Agreements
      6. Review Existing Controls
    4. Developing Your Risk Mitigation Strategy
      1. Sample 1: Section from Mitigation Strategy for Critical Data
      2. Sample 2: Section from Mitigation Strategy for Critical Data
    5. People, Buildings, and Infrastructure
    6. IT Risk Mitigation
      1. Critical Data and Records
      2. Critical Systems and Infrastructure
      3. Reviewing Critical System Priorities
    7. Backup and Recovery Considerations
      1. Alternate Business Processes
      2. IT Recovery Systems
        1. Alternate Sites
          1. Fully Mirrored Site
          2. Hot Site
          3. Warm Site
          4. Mobile Site
          5. Cold Site
          6. Reciprocal Site
        2. Disk Systems
          1. RAID
          2. Remote Journaling
          3. Replication
          4. Electronic Vaulting
          5. Standby Operating Systems
          6. Network-Attached Storage (NAS)
          7. Storage Area Network (SAN)
        3. Desktop Solutions
        4. Software and Licensing
        5. Web Sites
    8. Summary
    9. Solutions Fast Track
      1. Types of Risk Mitigation Strategies
      2. Risk Mitigation Process
      3. IT Risk Mitigation
      4. Backup and Recovery Considerations
    10. Frequently Asked Questions
  13. 6. Business Continuity/Disaster Recovery Plan Development
    1. Introduction
    2. Phases of the Business Continuity and Disaster Recovery
      1. Activation Phase
        1. Major Disaster or Disruption
        2. Intermediate Disaster or Disruption
        3. Minor Disaster or Disruption
        4. Activating BC/DR Teams
        5. Developing Triggers
        6. Transition Trigger—Activation to Recovery
      2. Recovery Phase
        1. Transition Trigger—Recovery to Continuity
      3. Business Continuity Phase
      4. Maintenance/Review Phase
    3. Defining BC/DR Teams and Key Personnel
      1. Crisis Management Team
      2. Management
      3. Damage Assessment Team
      4. Operations Assessment Team
      5. IT Team
      6. Administrative Support Team
      7. Transportation and Relocation Team
      8. Media Relations Team
      9. Human Resources Team
      10. Legal Affairs Team
      11. Physical/Personnel Security Team
      12. Procurement Team (Equipment and Supplies)
      13. General Team Guidelines
      14. BC/DR Contact Information
    4. Defining Tasks, Assigning Resources
      1. Alternate Site
        1. Selection Criteria
        2. Contractual Terms
        3. Comparison Process
        4. Acquisition and Testing
      2. Contracts for BC/DR Services
        1. Develop Clear Functional and Technical Requirements
        2. Determine Required Service Levels
        3. Compare Vendor Proposal/Response to Requirements
        4. Identify Requirements Not Met by Vendor Proposal
        5. Identify Vendor Options Not Specified in Requirements
    5. Communications Plans
      1. Internal
      2. Employee
      3. Customers and Vendors
      4. Shareholders
      5. The Community and the Public
    6. Event Logs, Change Control, and Appendices
      1. Event Logs
      2. Change Control
      3. Distribution
      4. Appendices
      5. Additional Resources
    7. What’s Next
    8. Summary
    9. Solutions Fast Track
      1. Phases of Business Continuity and Disaster Recovery
      2. Defining BC/DR Teams and Key Personnel
      3. Defining Tasks, Assigning Resources
      4. Communications Plans
      5. Event Logs, Change Control
      6. Appendices
    10. Frequently Asked Questions
  14. 3. Crisis Communications 101
    1. Background
    2. Three Simple Rules for Crisis Communication
      1. Rule #1: Always Tell the Truth
      2. Rule #2: Appoint a Single Spokesperson
      3. Rule #3: Provide Formatted Information
    3. Directional Communications
    4. Practicing Your Plan
  15. 7. Emergency Response and Recovery
    1. Introduction
    2. Emergency Management Overview
    3. Emergency Response Plans
      1. Emergency Response Teams
    4. Crisis Management Team
      1. Emergency Response and Disaster Recovery
      2. Alternate Facilities Review and Management
      3. Communications
      4. Human Resources
      5. Legal
      6. Insurance
      7. Finance
    5. Disaster Recovery
      1. Activation Checklists
      2. Recovery Checklists
    6. IT Recovery Tasks
      1. Computer Incident Response
        1. CIRT Responsibilities
          1. Monitor
          2. Alert and Mobilize
          3. Assess and Stabilize
          4. Resolve
          5. Review
    7. Business Continuity
    8. Summary
    9. Solutions Fast Track
      1. Emergency Management Overview
      2. Emergency Response Plans
      3. Crisis Management Team
      4. Disaster Recovery
      5. IT Recovery
      6. Business Continuity
    10. Frequently Asked Questions
  16. 8. Training, Testing, and Auditing
    1. Introduction
    2. Training for Disaster Recovery and Business Continuity
      1. Emergency Response
      2. Disaster Recovery and Business Continuity Training Overview
        1. Training Scope, Objectives, Timelines, and Requirements
        2. Performing Training Needs Assessment
        3. Developing Training
        4. Scheduling and Delivering Training
        5. Monitoring and Measuring Training
      3. Training and Testing for Your Business Continuity and Disaster Recovery Plan
      4. Paper Walk-through
        1. Develop Realistic Scenarios
        2. Develop Evaluation Criteria
        3. Provide Copies of the Plan
        4. Divide Participants by Team
        5. Use Checklists
        6. Take Notes
        7. Identify Training Needs
        8. Develop Summary and Lessons Learned
      5. Functional Exercises
      6. Field Exercises
      7. Full Interruption Test
      8. Training Plan Implementers
    3. Testing the BC/DR Plan
      1. Understanding of Processes
      2. Validation of Task Integration
      3. Confirm Steps
      4. Confirm Resources
      5. Familiarize with Information Flow
      6. Identify Gaps or Weaknesses
      7. Determines Cost and Feasibility
      8. Test Evaluation Criteria
      9. Recommendations
    4. Performing IT Systems and Security Audits
      1. IT Systems and Security Audits
    5. Summary
    6. Solutions Fast Track
      1. Training for Emergency Response, Disaster Recovery, and Business Continuity
      2. Testing Your Business Continuity and Disaster Recovery Plan
      3. Performing IT Systems Audits
    7. Frequently Asked Questions
  17. 9. BC/DR Plan Maintenance
    1. Introduction
    2. BC/DR Plan Change Management
      1. Training, Testing, and Auditing
      2. Changes in Information Technologies
      3. Changes in Operations
      4. Corporate Changes
      5. Legal, Regulatory, or Compliance Changes
    3. Strategies for Managing Change
      1. Monitor Change
        1. People
        2. Process
        3. Technology
      2. Evaluate and Incorporate Change
    4. BC/DR Plan Audit
    5. Plan Maintenance Activities
    6. Project Close Out
    7. Summary
    8. Solutions Fast Track
      1. BC/DR Plan Change Management
      2. Strategies for Managing Change
      3. BC/DR Plan Audit
      4. Plan Maintenance Activities
      5. Project Close Out
    9. Frequently Asked Questions
  18. A. Risk Management Checklist
    1. Risk Assessment
      1. Threat and Vulnerability Assessment
      2. Business Impact Analysis
    2. Mitigation Strategies
  19. B. Crisis Communications Checklist
    1. Communication Checklist
    2. Message Content
  20. C. Business Continuity and Disaster Recovery Response Checklist
  21. D. Emergency and Recovery Response Checklist
    1. Activation Checklists
      1. Initial Response
      2. Damage and Situation Assessment
      3. Disaster Declaration and Notification
    2. Emergency Response Checklists
      1. Emergency Checklist One—General Emergency Response
      2. Emergency Checklist Two—Evacuation or Shelter-in-Place Response
      3. Emergency Checklist Three—Specific Emergency Responses
      4. Emergency Checklist Four—Emergency Response Contact List, Maps, Floor Plans
      5. Emergency Checklist Five—Emergency Supplies and Equipment
    3. Recovery Checklists
      1. Recovery Checklist One—General
      2. Recovery Checklist Two—Inspection, Assessment, and Salvage
  22. E. Business Continuity Checklist
    1. Resuming Work
      1. Resuming Work
      2. Human Resources
      3. Insurance and Legal
    2. Manufacturing, Warehouse, Production, and Operations
    3. Resuming Normal Operations
      1. Existing Facility
      2. New Facility
    4. Transition to Normalized Activities
  23. F. IT Recovery Checklists
    1. IT Recovery Checklist One—Infrastructure
    2. Recovery Checklist Two—Applications
    3. Recovery Checklist Three—Office Area and End-User Recovery
    4. Recovery Checklist Four—Business Process Recovery
    5. Recovery Checklist Five—Manufacturing, Production, and Operations Recovery
  24. G. Training, Testing, and Auditing Checklists
    1. Training and Testing
    2. IT Auditing
  25. H. BC/DR Plan Maintenance Checklist
    1. Change Management