Home

Search

Templates Kits

Salary Survey

HandiGuides

Job Descriptions

Policies

Compliance

White Papers

Update Service

Bundles

CIO Infrastructure

Promotions

 

 

Disaster Plan Risk Assessment

What is Disaster
Recovery?

Disaster Planning

Are You Prepared
for a Disaster?

Disaster Clean up
How To

What to do after an explosion, terrorist
attack, or random
act of violence

Disaster Planning
for a Pandemic

Disaster Recovery and Business Continuity

Disaster Recovery
Buiness Continuity
Metrics

Disaster Recovery Business Continuity Funding

Defining Maximum Tolerable Period of Disruption

Disaster Recovery Guide

 

Disaster Planning

Business Continuity Planning

ISO 27000, SOX, PCI-DSS & HIPAA Compliant

The Standard for Business Continuity and Disaster Planning

Janco's Disaster Recovery Planning (DRP) Template can be used for any size of enterprise. The Disaster Recovery template and supporting material have been updated to be Sarbanes-Oxley and HIPAA compliant. The Disaster Planning Template comes as both a Word document and a static fully indexed PDF document and includes:

• Disaster Recovery Planning and Business Continuity Planning Template
• Business and IT Impact Analysis Questionnaire
• Work Plan
• Disaster Recovery / Business Continuity Audit Program
• Pandemic Planning Checklist

Preparation for Disaster Recovery / Business Continuity in light of SOX has two primary parts. The first is putting systems in place to completely protect all financial and other data required to meet the reporting regulations and to archive the data to meet future requests for clarification of those reports. The second is to clearly and expressly document all these procedures so that in the event of a SOX audit, the auditors clearly see that the DRP exists and will appropriately protect the data.

New are (Version History):

• Backup & Backup Retention Policy
• Disaster Recovery Audit Program
• Compliance with the ISO 27000 Series Standards (formerly ISO 17799 now ISO 27001 & ISO 27002), Sarbanes-Oxley, PCI-DSS, and HIPAA
• Web Site Disaster Recovery Planning Form
• Project Status Report Form
• Personnel Location Repor
• Department Disaster Recovery Activation Workbook
  • Quick Reference Guide
  • Team Alert List (Form)
  • DRP Team Responsibilities
  • DRP Team Checklist
  • Critical Function(s) Definition
  • Normal Business Hour Response Procedures
  • After Hours Response Procedures
  • DRP Location(s) Definition
  • DRP Recovery Procedures
  • Notification Procedures
  • Notification Call List (Form)
• Updated Business and IT Impact Analysis Questionnaire
• Vendor Disaster Recovery Questionnaire
• Vendor Phone List Form Updated
• Key Customer Notification Form
• Critical Resources to be Retrieved Form
• Business Continuity Off-Site Materials Form
• Business Continuity Audit Program

The premium edition contains 15 full job descriptions. They are:

• Chief Information Officer
• Chief Security Officer
• Chief Compliance Officer
• VP Strategy and Architecture
• Director Disaster Recovery and Business Continuity
• Director e-Commerce
• Manager Disaster Recovery
• Manager Disaster Recovery and Business Continuity
• Disaster Recovery Coordinator
• Disaster Recovery - Special Projects Supervisor
• Manager Database
• Capacity Planning Supervisor
• Manager Media Library Support
• Manager Site Management
• Pandemic Coordinator

 

 

 

 

Disaster Planning / Business Continuity Planning News

Disaster Recovery Business Continuity for Remote Offices

Data residing outside the data center at remote and branch offices (ROBOs) accounts for a significant portion of an enterprise's information store, yet it often either is protected with inefficient backup processes or is not protected at all -- leaving companies at risk on many fronts.

In a recent research report, high priority projects for ROBOs included improving information security measures; ensuring compliance with government, industry or corporate governance mandates; and improving Disaster Recovery Business Continuity processes.

- more info

Disaster Plan & Business Continuity Infrastructure

The key technology elements of a Disaster Recovery Plan and Business Continuity Plan (DRP/BCP) infrastructure are the primary data center, a remote site that duplicates the resources in that primary location and the method used to get files (master and transaction) between the two sites - such as high-bandwidth network connections. The best DRP/BCP strategies follow a "redundant every-thing" philosophy throughout the data center. Multiple mainframes and servers should run in the production and backup data facilities. Then, if a component in the production system encounters problems, it immediately fails over to the local backup as a first line of defense.

Power supplies and communication links are one of the most critical components in a DRP/BCP strategy.

- more info

Maximum Tolerable Period of Disruption (MTPOD) is an issue

The concept of Maximum Tolerable Period of Disruption (MTPOD) is an issue with the introduction of British Standard 25999-2.  When applied appropriately, MTPOD will improve management's understanding of your disaster recovery business continuity program and clarifies your enterprise's recovery priorities.

BS 25999-2, Section 4 says that the goal of a business impact analysis is to "determine the impact of any disruption of the activities that support the organization's key products and services." A key aspect of determining the impact of a disruption is identifying what BS 25999 calls the "Maximum Tolerable Period of Disruption," or MTPOD. BS 25999 defines MTPOD as the "duration after which an organization's viability will be irrevocably threatened if product and service delivery cannot be resumed."  MTPOD is the maximum amount of time that the organization's key products or services can be unavailable or undeliverable before its stakeholders realize unacceptable consequences.

The full application of this concept can mean rethinking how a business impact analysis  is approached. While many DRP / BCP professionals start a business impact analysis   by gathering data from individual departments, MTPOD forces them to first look at products and services. Disaster Recovery and Business continuity professionals should understand downtime tolerance, taking into account:

• Customer expectations
• Regulatory requirements
• Reputational issues
• Financial and operational impairment
• Strategic consequences.

Based on management input, disaster recovery / business continuity professionals can propose preliminary Maximum Tolerable Periods of Disruption for key products or services within the scope of the business continuity program.

Once MTPOD is established for key products and services, the traditional business impact analysis  or service. From there, the business impact analysis  can either validate or disagree with preliminary MTPOD conclusions. In addition, the business impact analysis  does identify the department, function and process details that are needed to achieve the MTPOD.

Perhaps most importantly, the disaster recovery / business continuity professional must understand the amount of time required to perform the process or activity in order to deliver the product or service to its key stakeholders (internal or external). This is referred to as cycle time. For example, in a manufacturing company, cycle time would be how long it takes to obtain the necessary stock, manufacture the product, and deliver it to the customer.

With an understanding of MTPOD and cycle time, the business continuity professional can identify what is commonly accepted as the core output of the business impact analysis   - the recovery time objective, or RTO. RTO is the point in time following a disruption when operations must resume (at a minimum level) in order to meet downtime tolerances.

- more info

Defining a Functional Disaster Recovery Business Continuity Plan

What makes a truly functional disaster recovery business continuity solution is the ability to restore full systems and enterprise operations quickly, in a matter of hours or even minutes, using available computing resources, which may be local, but may also be remote.

True disaster recovery and business continuity plans must allow for recovery from site-wide disasters, such as a hurricane. The primary site may be completely down, due to a lack of power and network connectivity. The secondary site located in a non-affected area would be used to restore services until the primary site comes back online.

Many enterprises opt for remote Disaster Recovery Business Continuity site(s) for such scenarios. Many system administrators opt for virtual servers, which use asynchronous replication to replicate both the data and virtual machines to the secondary site, which has several standby servers. That way if they need to activate the secondary site, they just direct the activity to the virtual machines and all the systems are back up and running with the latest data.

- more info

Template Tools for CIOs

Disaster planning is an essential component of preserving your institution’s collections. With a written disaster plan, libraries, archives, museums, historical societies, and other collection-holding institutions can reduce the risk of disaster and minimize losses. dPlan is perfect for small and medium-sized institutions that do not have in-house preservation staff. dPlan is also valuable for large library systems or museum campuses that need to develop separate but related plans for multiple buildings, locations, or branches.

 

The Janco Disaster Recovery / Business Continuity Plan Template can help you create a plan for disaster prevention and response. This template will help you:

• Prepare for the most likely emergencies,
• Respond quickly to minimize damage if disaster strikes, and
• Recover effectively from disaster while continuing to provide services to your community.

- more info

Google flops on its conversion to IPv6 from IPv4

Google flops on its conversion to IPv6 from IPv4. Widespread outages involving several Google services--including search, Google Docs, and Gmail--were caused by an upgrade gone awry inside of Google, according McAfee.  The outage began at 8:13 a.m. PDT, according to McAfee's data, and was fixed by 9:14 a.m. PDT.  A senior manager at McAfee said that Google attempted to make changes to key Internet routing numbers--known as autonomous system numbers--as part of its ongoing transition from an older networking standard (IPv4) to a newer one called IPv6. An unknown "bug" inside Google's network prevented Internet service providers from finding Google's new ASNs on the Internet--effectively blocking its services.

Not all Internet users were affected, but some that use larger providers--such as AT&T or Verizon--appeared to be disproportionately hurt because large ISPs "peer" with Google, or interconnect their networks with Google's networks in order to improve speed and reduce bandwidth costs. Not all customers at those providers were affected, and smaller ISPs that did not interconnect their networks were able to route around the problem.

- more info

Mid-Sized Firms are at Risk When Disasters Occur

Many firms are inadequately protected and mistakenly think that a disaster is rare and won't happen to them anytime soon.

SMBs’ prioritization of disaster recovery, backup and high availability for 2008 shows that businesses understand the risks to their business and the value of protection. However, many organizations still errantly think that backup is a sufficient disaster recovery plan. But, mid-sized enterprises are at the most risk to disaster and are more likely to rely strictly on backup as a disaster recovery plan.

The needs and resources of mid-market firms are unique. Midsized companies must work with limited finances infrastructure and human resources. Robust disaster recovery used to be affordable and manageable only by large enterprises. Mid-sized enterprises relied more on backup than on a formal disaster recovery plan. As businesses' reliance on IT has grown, backup has increasingly shown its weaknesses. However, the introduction and maturation of several key technologies, such as virtualization, have brought affordable and easily implementable disaster recovery  to small and mid-sized companies. SMBs do not always equate virtualization with disaster recovery  because awareness of the many virtualization applications is just starting to grow.

- more info

Project plan for developing and maintaining a Disaster Plan

There are a number of approaches that have been used by Janco’s clients to create a Disaster Recovery / Business Continuity Plan.  One, which several have used, is to start with the Janco Disaster Recovery Business Continuity Template and implement a seven-step process (a subset of the project plan which is included in the template) using the tools included with the template.  The process is as follows:

1. Develop the contingency planning policy statement. A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
2. Conduct the business impact analysis (BIA). The BIA helps to identify and prioritize critical IT systems and components.
3. Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
4. Develop recovery strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
5. Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
6. Plan testing, training and exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
7. Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.

- more info

Backup Service Providers May Not Be Enough

Your data is only as safe as its most recent backup.  But what happens when you have worked on your laptop with enterprise critical data and it is lost or damaged.  You data is only as redundant as the integrity of the data that you have stored on your servers, but in this case you may have a compliance issue that you have not addressed. For companies that service customers in the cloud, if they cannot offer 99.9999% uptime and absolutely ensure data backup and restoration, they might as well not be in business.

There are a few issues at hand here. Not only must the backup provider ensure that the data is accurately and securely backed up whereby every packet and byte is accounted for, but you must also ensure that when the time comes, the data is "clean" enough to be plugged back into the system without a hiccup. It's the hiccup that companies need to avoid which is why they look for ways to backup their data to begin with, however they aren't always as proactive as the results they were expecting.

- more info

Encryption and Disaster Recovery Planning

Common data encryption rules are a requirement and represent interoperability when developing your backup strategy for your disaster recovery business continuity plan.  When enterprise protect data at rest such as when a USB drive is unplugged, or when a laptop is powered down, or when an administrator pulls a drive from a server, it cannot be brought back up and read without first giving a cryptographically-strong password. If you do not have that, the media is a brick and you cannot even sell it on eBay.

For enterprises rolling out security across PCs, laptops and servers, standardized hardware encryption translates into minimum-security configuration at installation, along with higher performance with low overhead. The specifications enable support for strong access control and, once set at the management level, the encryption cannot be turned off by end-users.

Required Processes	Recommended Solution	Cost
Implement formalized security policies and procedures	Security Manual Template
Audit access to databases and network	Security Audit Program
Monitor network activity to identify unusual activity	Network Event Viewer
Monitor user activity to identify unusual activity	Smart Disk Monitor
Archive logs to meet compliance requirements	Text Log Monitor
Automate monitoring	Network Event Viewer Smart Disk Monitor Text Log Monitor Internet Service Monitor

- more info