BUSINESS SURVIVAL

A Guide to Disaster Recovery And Business Continuity Planning

David Davis FCCA


Limits of Liability / Disclaimer of Authority

Limits of Liability / Disclaimer of Warranty:

The authors and publisher of this book and accompanying materials have used their best efforts in preparing this program. The authors and publisher make no representation or warranties with respect to the accuracy, applicability, fitness, or completeness of the contents of this program. They disclaim any warranties (expressed or implied), merchantability, or fitness for any particular purpose. The authors and publisher shall in no event be held liable for any loss or other damages, including but not limited to special, incidental, consequential, or other damages. As always, the advice of a competent legal, tax, accounting or other professional should be sought. The authors and publisher do not warrant the performance, effectiveness or applicability of any sites listed in this book. All links are for information purposes only and are not warranted for content, accuracy or any other implied or explicit purpose.

This manual contains material protected under International and European Copyright Laws and Treaties. Any unauthorized reprint or use of this material is strictly prohibited. The authors and publisher will bring to bear the full force of the law on anyone that breaches the copyright protection afforded to this manual.

About The Authors

David Davis FCCA

David is a Chartered Certified Accountant and entrepreneur. He has worked in both the public and private sectors for diverse organisations that include: the BBC, QE2 Conference Centre, UK Sports Council, HSBC, Standard Chartered Bank, Marsh McClelland Inc, Tyco Inc, Shell Plc and many small businesses.

He is an executive associate of the Institute for Independent Business (IIB), a not-for-profit research, training and accreditation organization. Since 1984 the Institute has been providing invaluable information and access to assistance to meet the needs of independent businesses.

Now the leading global organization in its field, the IIB has provided independent businesses with access to over 3,000 Executive Associates throughout 21 countries, including the United Kingdom, United States of America, Australia, Germany and China.

David has been running his own business since 1995 as consultant and Finance Director to both large and small companies. He is skilled in risk and change management and has worked on Sarbanes-Oxley (SOX) projects for many global organizations.

In the last four years he has combined his entrepreneurial passion and corporate know-how to help small business owners develop ideas and access the resources they need to build profitable and sustainable businesses.

David has combined the experience and skills gained in risk and change management to develop this practical and comprehensive business disaster recovery and business continuity manual and software package. It is intended to help small to medium-sized businesses mitigate the operational and financial risk arising from natural disasters, terrorism and information technology failures.

David is working on many projects targeted at small to medium-sized businesses. One such project, to be launched in 2006, is a financial management system that will transform the way businesses manage their finances.

Michelle Sollicito

Michelle Sollicito is an Ebusiness Consultant with Exceptiona.com in Atlanta, Georgia. She has 16 years of IT and Ebusiness experience gained with many organizations across the world, having lived in the UK, New Zealand and now the USA.

CONTENTS

1 What is Business Continuity Planning? 4
1.1 Business Continuity Planning Defined 4
1.2 Disaster Recovery Defined 5
1.3 Overall Steps 5
1.3.1 Get Board approval 5
1.3.2 Determine scope 5
1.3.3 Carry out risk analysis / management (Business Impact Analysis) 5
1.3.4 Create a project plan and budget 5
1.3.5 Create the plan (overall document) 5
1.3.6 Gather / Create supporting documentation 5
1.3.7 Test / review /audit the plan and the process. 5
1.3.8 Change Manage any changes made to the plan / process / documentation 5
1.3.9 Formally approve the plan 5
1.3.10 Return to 6 5
2 Convincing the Board 6
2.1 The Importance of Support from the Top 6
2.2 Explaining Why it’s so Important 7
3 Defining Scope 10
3.1 Which Sites? 10
3.2 Which Systems? 10
3.3 Which Departments/Business Functions? 11
3.4 Which Personnel? 13
3.5 Business Partner Relationships 13
3.6 Which Types of Disasters and Risks? 15
3.7 Which Legislation/Standards need to be considered? 15
3.8 Interaction with Other Organizations 15
3.9 Gap Analysis 15
3.10 Questionnaires 16
4 Risk Management 21
  Identify Risks 22
  Quantify Risks (Probability and Impact) 22
  Risk Tolerance Levels 22
  Allocate Risks to Appropriate Personnel 22
  Risk Mitigation, Reduction and Response 23
  Evaluation of Effectiveness 23
4.1 Benefits of Risk Assessment / Management 23
4.1.1 Cost Justification. 23
4.1.2 Facilitation of Communication between all departments in the Business 23
4.1.3 Business Responsibility 23
4.1.4 Business Continuity Awareness 23
4.2 Risk Identification 23
4.2.1 Environmental Disasters 26
4.2.2 Equipment/System Failure 26
4.2.3 Serious Information Security Incidents 26
4.2.4 Organized/Deliberate Disruption 26
4.2.5 Loss of Utilities/Services 26
4.2.6 Business Partners 26
4.2.7 Other Emergency Situations 27
4.3 Risk Assessment 29
4.3.1 Cost Impact 29
4.3.2 Vulnerability Factors 31
4.3.3 Likely Loss 32
4.3.4 Probability 34
4.4 Calculations 40
4.5 Risk Mitigation / Risk Response 42
4.5.1 Controls 43
4.5.2 Risk Appetite 48
4.6 Risk Allocation 49
4.7 Scenario Grouping of Risks 49
4.8 More on Risk Management 50
5 Creating the plan 51
5.1 Documents to use as Inputs to the Plan 53
5.2 Purpose 54
5.3 Scope 55
5.4 Objectives 55
5.4.1 Category I - Critical Functions – Recovery Objective 2 hours 56
5.4.2 Category II - Essential Functions – Recovery Objective 5 hours 56
5.4.3 Category III - Necessary Functions – Recovery Objective 24 hours 56
5.4.4 Category IV - Desirable Functions - Recovery Objective 48 hours 56
5.5 Distribution List 56
5.6 Version Control 57
5.7 Review Process 57
5.8 Strategies 58
5.8.1 Dual Site Method / Alternate Site Method 58
5.8.2 Bilateral Aid Agreement Method / Reciprocal Agreement Method 59
5.8.3 Dispersal Method 59
5.8.4 Deference Method 59
5.9 Functions, Responsibilities and Personnel Contact Info 59
5.10 Lists 60
5.10.1 IT Systems and Components 60
5.10.2 List of key Documents 62
5.10.3 Info about all buildings/sites 62
5.10.4 Key Personnel During Emergencies 62
5.10.5 Emergency Services Contact information 63
5.10.6 Roles and Responsibilities 63
5.11 Policies and Procedures 64
5.11.1 Notification Procedures, to include 64
5.11.2 Emergency Procedures And Information, to include 64
5.12 Contingency options/Redundancy 66
5.13 Key Timeframes 66
5.14 Legal Requirements 67
5.15 Best Business Practices (Standards) Requirements 67
5.16 Communications 67
5.16.1 Internal Communications 67
5.16.2 Communications Plan 68
5.16.3 Stakeholder communications 69
5.17 Action Task Lists 69
5.18 Plan Testing and Maintenance 69
5.19 IT-specific Considerations 69
5.19.1 Perform backups regularly 69
5.19.2 Increase physical security 69
5.19.3 Antivirus software 69
5.19.4 Patch update and management 70
5.19.5 Change Management and Configuration Management 70
5.19.6 Internet facing systems 70
5.19.7 Remote access 70
5.19.8 Verify backups 70
5.19.9 Offsite backup storage 70
5.19.10 Replicate critical data 70
5.19.11 Redundancy 70
5.19.12 Physical protection 70
5.19.13 Standardize 70
5.19.14 Document 70
5.19.15 Backup power 70
5.19.16 IDS/IPS 70
5.20 People-specific Considerations 70
5.20.1 Reducing Impact of Personnel Loss 71
5.20.2 Reducing Impact of Perceived Events 71
5.21 Third Party Considerations 72
5.22 Sample Plans 73
6 Maintaining, Testing and Auditing your Plan 74
6.1 Testing Plan 74
6.1.1 Planning 74
6.1.2 Test Execution 75
6.1.3 Evaluating testing 75
6.1.4 Frequency of testing 75
6.2 Proposed Testing Scenarios 75
6.2.1 Scenario 1 75
6.2.2 Scenario 2 76
6.2.3 Scenario 3 76
6.2.4 Scenario 4 76
6.3 Auditing/Testing Documentation 76
6.3.1 Evaluating Backup and Recovery Strategy Documentation 77
6.3.2 Evaluating SLAs 78
6.4 Training 80
6.5 Review / Maintenance Process 80
6.6 Change Control/Version Control 82
7 Frameworks, Methodologies, Tools and Services 83
7.1 Why use a Framework/Methodology? 83
7.2 Which Framework/Methodology? 83
7.2.1 ITIL 83
7.2.2 COBRA 84
7.2.3 NIST Risk Management Guide for IT Systems 84
7.2.4 OCTAVE 84
7.2.5 Six Sigma 84
7.2.6 FISCAM (Federal Information System Controls Audit Manual) 84
7.2.7 Other Methodologies and Frameworks 84
7.3 Why use Tools? 85
7.4 Which Tools? 85
7.4.1 Risk Evaluation Tools 85
7.4.2 Self-Assessment Tools 85
7.4.3 Change Management Tools 85
7.4.4 Documentation Generators 85
7.4.4.a Policy and Procedure Generators 85
7.4.4.b SLA Generators 85
7.4.4.c Questionnaire/Survey Generators
7.5 Which Services are Available? 86
7.5.1 Web-based Services 86
7.5.2 Consultancy Services 86
7.5.3 Audits 86
8 Legislation, External Standards and their Effects 87
8.1 Legislation and Regulations in the US 87
8.1.1 Sarbanes Oxley Act 87
8.1.2 HIPAA 88
8.1.3 NASD 88
8.1.4 GLBA 88
8.1.5 Federal Information Security Act 2002 (FISM) 88
8.1.6 OSHA 1970 (Occupational Safety and Health Administration) 88
8.1.7 Other relevant US legislation and regulations 89
8.2 Legislation in the UK 91
8.2.1 The UK Civil Contingencies Bill 91
8.2.2 Data Protection Legislation 92
8.3 Other Legislation and Directives 92
8.3.1 EU Data Protection Directive 1995 92
8.3.2 WTO Government Procurement Agreement 92
8.3.3 PIPEDA (Canada) 92
8.3.4 Singapore BC/DR Standard 92
8.4 External Standards 93
8.4.1 ISO 93
8.4.2 BSI PAS 56 93
8.4.3 BSI5000 93
8.4.4 FIPS-PUB-87 Guidelines for Automated Data Processing Contingency Planning 93
8.4.5 ISF Standard for Information Security 94
8.4.6 Visa CISP (Cardholder Information Security Program) and PCI (Payment Card Industry) requirements 94
8.4.7 Other Standards 95
9 Useful Resources 96
9.1 Websites 96
9.1.1 General 96
9.1.2 Guides and Templates 97
9.1.3 Risk Management/Impact Analysis 98
9.1.4 Training and Certification 98
9.1.5 Change Management 99
9.1.6 Methodologies 99
9.1.7 Tools 99
9.1.8 Standards and Legislation 100
9.1.9 Useful Other Sites 100
9.2 Papers 101
9.3 Books 101
10 Specific References 103
10.1 Retail / Supply Chain BCP 103
10.2 Banking / Finance Industry BCP 103
10.3 Human Security Issues 103
10.4 IT Security Issues 103
10.5 Database Recovery 104