
Disaster Recovery
Compiled by Muhammad Ahsan Shahzad


CONTINGENCY PLANNING AND DISASTER RECOVERY GUIDE

CONTINGENCY PLANNING FOR THE SMALL ENTERPRISE

Every business and organization can experience a serious incident that can prevent it from continuing normal operations. This can range from a flood or fire to a serious computer malfunction or Information Security incident.

The management of the organization has a responsibility to recover from such incidents in the minimum amount of time, with minimum disruption and at minimum cost. This requires careful preparation and planning.

By outlining the most common steps in contingency planning and disaster recovery, as well as identifying popular tools and solutions, hopefully this web site will help make this process far less daunting.

The Starting Point

It is vital that the organization takes the development and maintenance of the disaster recovery or business continuity plan seriously. It is not one of those tasks that can be left until everyone has time to deal with it. A serious incident can affect the organization at any time and this includes the next 24 hours!

The contingency plan needs to be developed by a team representing all functional areas of the organization. If the organization is large enough, a formal project needs to be established, which must have approval and support from the very top of the enterprise.

Impact Assessment

One of the first contingency planning tasks to be undertaken is to prepare a comprehensive list of the potentially serious incidents that could affect the normal operations of the business. This list should include all possible incidents no matter how remote the likelihood of their occurrence.

Against each item listed, the project team or manager should note a probability rating. Each incident should also be rated for potential impact severity level. From this information, it will become much easier to frame the plan in the context of the real needs of the organization.

Developing the Plan

Once the assessment stage has been completed, the structure of the plan can be established. The plan will contain a range of milestones to move the organization from its disrupted status towards a return to normal operations.

The first important milestone is the process which deals with the immediate aftermath of the disaster. This may involve the emergency services or other specialists who are trained to deal with extreme situations.

The next stage is to determine which critical business functions need to be resumed and in what order. The plan will of necessity be detailed, and will identify key individuals who should be familiar with their duties under the plan.


 

Testing the Plan

Once this plan has been developed it must be subjected to rigorous testing. The testing process itself must be properly planned and should be carried out in a suitable environment to reproduce authentic conditions insofar as this is feasible.

The Plan must be tested by those persons who would undertake those activities if the situation being tested occurred in reality. The test procedures should be documented and the results recorded. This is important to ensure that feedback is obtained for fine-tuning the Plan.

Equally, it is important to audit both the plan itself and the contingency and backup arrangements supporting it. No shortcuts can be taken here.

Personnel Training

This stage is dependent upon the development of the plan and the successful testing and audit of the plan's activities. All personnel must be made aware of the plan, its contents, and their own related duties and responsibilities.

Again, it is important that all personnel take the disaster recovery planning seriously, even if the events which would trigger the Plan seem remote and unlikely. Obtain feedback from staff in order to ensure that responsibilities and duties are understood, particularly those which require close dependency on actions being taken by others.

Maintaining the Plan

The plan must always be kept up to date and applicable to current business circumstances. This means that any changes to the business process or changes to the relative importance of each part of the business process must be properly reflected within the plan.

Someone must be assigned responsibility for ensuring that the plan is maintained and updated regularly and should therefore ensure that information concerning changes to the business process is properly communicated.

Any changes or amendments made to the plan must be fully tested. Personnel should also be kept abreast of such changes insofar as they affect their duties and responsibilities.

Building a Disaster Recovery Plan

By Matthew D. Sarrel
 
 
Having a clearly documented and tested plan is just as important as having the right disaster recovery equipment. And yes, it is crucial to write down the plan in advance and review it with your employees. Don't wait until disaster strikes to instruct employees to perform nightly backups or to call your ISP and attempt to provision a redundant link.
 

There are eight important steps you should take to create a disaster recovery plan.

1. Secure support from senior management. A successful disaster recovery plan requires funding, coordination across departments, and the authority to carry out the plan. Depending on the size of your organization, you may also want to establish an interdepartmental planning committee.

2. Conduct a risk assessment. Prepare a business impact analysis that covers a range of potential disasters. Analyze major business units and attempt to determine the impact of different disaster scenarios. Evaluate the safety of critical documents as they are stored, in either print or electronic format. Make sure to include a worst-case scenario, such as complete destruction of your company's facility. Assign cost estimates to each disaster scenario; this will be helpful in justifying your budget.

3. Assign priorities to operations. Determine how users utilize network resources and the importance of those resources. This will allow you to make an informed decision regarding an acceptable amount of downtime. Understanding the business value of every network component will lead you toward more intelligent decisions. Begin planning by assigning priorities to network and data components.

4. Explore all options for disaster recovery strategies. Research and evaluate the most practical solutions. Budget for all equipment and services required to carry out each strategy. Potential options will be dictated by the priorities assigned in step 3. For example, you'll need a much different solution for an e-commerce site—where you can't afford to miss a single transaction—than on your print server. Typically, complexity and cost increase as the acceptable amount of downtime decreases. Don't fall into the money pit of trying to guarantee 100 percent uptime for every network resource.

5. Collect data. Conduct a detailed inventory of all network resources, from user workstations to routers. Collect as much information as is feasible. Physical details, such as make, model, serial number, and purchase date, will be important for filing insurance claims. Configuration information is important to design redundancy into your network and to prepare for any potential replacements. Make a list of information such as memory, disk, OS, and applications. It's important to keep the inventory current, so specify the documents' creation and revision dates. Pay attention to the human aspect of your business, and be sure to include contact information for all users, vendors, and service providers.

6. Create a comprehensive written plan. Construct a full outline and use it to gain initial approval. Make a road map of the final plan and divide the work among multiple departments (if you are part of a large organization). The plan must contain detailed procedures for before, during, and after a disaster. One procedure should address maintaining and updating the plan itself as systems and workflows change.

7. Develop test procedures. What good is a detailed plan if you don't know whether it will work? It is imperative to test and evaluate the plan thoroughly on a regular basis (at least annually). The more thorough the test plan, the more certain you'll be that you've addressed every contingency.

8. Test the plan. Instruct, train, and prepare! Each training exercise will assure fellow employees that the company will survive a disaster. Update the plan to correct any problems you notice during training. Initially, test the plan in small components and after business hours to minimize disruption to business operations.

 

 
 
 

Notice: These notes are intended to be a supplement, not a substitute, to attending class.

 

 

Copyright © 2003 Muhammad Ahsan Shahzad
Last modified: 05/17/03