Risk Assessment

Business and IT Impact Analysis Questionnaire

 

ISO 27000 Series, Sarbanes Oxley, and HIPAA Compliant


The role of IT in many organizations has evolved from supporting the business to enabling the business - a shift that requires IT to transition from being mostly tactical and cost focused to being an enabler of the overall strategy and value focused. IT organizations that have successfully made this change have done so by, among other things, transitioning their culture from a reactive, operationally focused caretaker of assets to a proactive, strategically focused enabler of business value. This culture of performance and value ensures that IT's human capital is aligned with the strategic goals and motivated to execute. Cultural change is typically a messy and lengthy process, but it must and can be done.

This Business and IT Impact Analysis Questionnaire has been designed by one of the industry's most experienced application assessment consultants. The Questionnaire has been used in over 500 assessment, DRP and business impact projects in the past four years. Included is a Risk Ranking definition. The Word version of the questionnaire is automated with check boxes that can be updated in Word.

The Questionnaire (Form) is 23 pages in length and contains the following:

  • Facilities / Business Function / Application
  • Sarbanes-Oxley Compliance
  • ISO 27000 series (formerly 17799) Compliance
  • HIPAA Compliance
  • System of Internal Controls
  • User Environment
  • Processing Environment
  • Historical Information
  • Operating Environment
  • Criticality of Application
  • Database / File Name
  • Documentation
  • Security
  • Application Support and Maintenance
  • Resource Usage
  • Hardware Requirements by Department
  • Backups
Business & IT Impact Risk Assessment News




Business continuity planning for a Pandemic

Larger corporations typically can continue business as usual even while many employees are out sick in a pandemic. However, business continuity planning at small firms relies heavily on key individuals, and such firms find themselves nearly incapacitated if several of those key people get sick, must stay home with sick children, or are in areas put under quarantine.

  • Phone Trees

At a minimum, small business owners should update employees' contact information to include current home phone numbers and addresses, e-mail addresses, and cell phone numbers. Some employers establish phone trees so they can efficiently contact all their employees to check on and alert them during an emergency.

Another vital component of a business continuity plan is collecting contact information, including cell phone numbers, for suppliers, vendors, and key customers. Keep this information in print and online, and store copies off-site in case you can't get into your office.

A host of legal and medical questions may arise for small business owners if swine flu roars back with a vengeance this fall.

Imagine you run a small business like a day-care center, where vulnerable children congregate and colds and flu are prevalent. Do you close and send your entire staff and all children home at the first sign of any flu? Do you send home only sick children and sick staff? When? When do you reopen or allow them to return? What information and medical clearance would you need to send staff or children home, allow them to return, close, or reopen the center? These are not easy questions.

  • Backup Staff

Janco recommends that companies prepare for operational disruptions by doing employee cross training or lining up backup staff now. Employers should review and enhance existing emergency disaster plans to ensure business continuity. Employers that are just getting started should develop a plan that includes pandemic preparedness, and review it and conduct drills regularly. A checklist for flu policy is posted at the government's flu awareness Web site.

Aside from preparing and practicing for a pandemic, small business owners may want to check with their attorneys for advice on unusual situations: What do you do with employees who are medically vulnerable to the flu or those with young children or elderly relatives at home? Do you send them home? When and for how long? With pay?

  • Paid Sick Leave?

The federal Family Medical Leave Act provides eligible employees with up to 12 weeks of unpaid leave to care for themselves or sick family members. Generally, FMLA regulations do not cover flu absences unless complications arise, but courts recently have interpreted the FMLA to mandate leave for the flu and other viral infections.

However, the federal law does not cover firms with fewer than 50 employees. Small employers usually do not have to provide sick leave, so it is a surprise to many employees that they are not entitled to any sick leave, much less any paid sick leave.

Another question for your human resources manager and/or attorney is what communications responsibility you have as a business owner if one of your employees is diagnosed with swine flu. There are health confidentiality and privacy issues for employees, so employers should not disclose personal health information. But employers do not want a modern day Typhoid Mary spreading swine flu at work. If there is an employee with confirmed swine flu, some employers are alerting employees that there may be swine flu exposure at work without identifying the involved employee.

You might need to think about giving an infected person's immediate co-workers enhanced sick leave to protect themselves or family members, particularly if they have particular medical vulnerability to the illness, he says. Some employers bring in cleaning crews to disinfect an office where swine flu has been found. Providing hand disinfectant for employees is not a bad idea.




Cloud Recovery Not Easy - Disaster Recovery Not Under User Control

Microsoft officials still have not provided many details about what caused the outage, other than to say it was a core system failure. The failure is unrelated to Microsoft's cloud infrastructure and/or Microsoft's Azure datacenters, as the company has continued to run the Sidekick back-end on the same infrastructure it has been running on before Microsoft acquired the company in 2008.

The Microsoft/Danger team apologized for the amount of time they are taking to restore contacts, photos, e-mail and other Sidekick services to which users lost access at the start of the month. The team said they were taking their time "to make sure we are doing everything possible to maintain the integrity of your data."

The team still is not committing to an exact recovery timetable, but is saying restoration should begin this week. Microsoft said, "We continue to make steady progress, and we hope to be able to begin restoring personal contacts for affected users this week, with the remainder of the content (photographs, notes, to-do-lists, marketplace data, and high scores) shortly thereafter."

After telling users that they likely had lost all of their personal data, the Microsoft/Danger team then said they expected to be able to recover some of their data. Midweek last week, they said they expected to recover "most if not all" of the missing user data.

What is a Disaster Recovery and Business Continuity Plan

Disaster recovery and business continuity planning are processes that help organizations prepare for disruptive events - whether those events include a hurricane or simply a power outage caused by a backhoe in the parking lot. The CIO's involvement in this process can range from overseeing the plan, to providing input and support, to putting the plan into action during an emergency.




Cloud is not as secure as many thought

The T-Mobile and Microsoft Sidekick is a set of exterior shells (for mobile phones) that can be personalized and that provides the capability to record, play and share videos: record videos using the camera; receive video attachments from e-mail, picture messaging, or side load videos to the microSD card; play video using the built-in media player; share videos via e-mail, Bluetooth or picture messaging.

Sidekick failed and lost user data.  On the face of it, there are some obvious lessons to be learned from the Sidekick snafu, even as Microsoft Corp. reported today that most of the data that was missing will be recovered from servers at its Danger Inc. subsidiary.

The lessons learned are:

  • Back up your mobile phone's critical data independently - on a laptop, a desktop or a thumb drive.
  • Raise questions about cloud computing and related services.
  • Find out how your mobile device stores data, and make sure you understand it.
     
The Sidekick incident should serve as a reminder to users to back up critical data. You cannot rely on cloud services to be 100% available all the time.

Not only is a backup of critical data imperative, users need to have a way to retrieve the backed-up data. CIOs need to think about the value of the data and what happens if the service is not available. There are many Internet-based services that can be a second backup version to the original backup, such as Plaxo. Having the second one drastically reduces the odds of total loss.

At larger companies, data backups are commonplace and often include information contained on wireless phones as well as desktop computers, analysts said. The issue becomes more difficult when IT shops trust users who put critical company data on personally-owned wireless phones that aren't backed up.

Despite urging users to back up critical data, Staten joined three other analysts in remaining faithful to the mobile phone industry's strong push for cloud computing services, noting that the Sidekick case was relatively isolated.

Nearly every major smartphone provider is working on some version of cloud computing to back up data from smartphones and other cell phones. All those services could be vulnerable to data loss, and the Sidekick example is likely to prompt a broad re-examination of internal server backup procedures.

One added risk is that backend services open enterprises up to having data potentially lost, stolen or replicated somewhere that enterprises do not have knowledge of.

Imagine if this happened across an entire carrier's servers. For Verizon Wireless that could be 90 million people. Everybody should think twice if these services could really save your data up in the cloud.




Improve your RTO and RPO

How long can your enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this question. Download this outline to learn how the Janco Disaster Recovery Business Continuity Template can reduce RPOs and RTOs even more.

ISO 27001, ISO 27002, ISO 17799, Sarbanes-Oxley, and HIPAA Compliant

What is Disaster Recovery and how does the Disaster Recovery Planning Template help?

This DRP Template can be used for any sized enterprise.  

The template and supporting material have been updated to be Sarbanes-Oxley compliant.  The complete package includes:

  • Disaster Recovery Planning and Business Continuity Template
  • Business and IT Impact Analysis Questionnaire
  • Work Plan
  • Disaster Recovery / Business Continuity Audit Program

With lost data being a competitive liability, there is no room for downtime in today's business world.




Huge Waves - Office Buildings and Businesses Demolished

A series of tsunamis smashed into the Pacific island nations of American and Western Samoa, killing possibly more than 100 people, some washed out to sea, destroying office buildings and homes, and injuring hundreds. Television images showed offices and homes ripped apart, cars submerged in the sea or lodged in trees, and large fishing boats hurled ashore by the waves generated by an 8.0 magnitude quake southwest of American Samoa.

A second 7.9 magnitude earthquake hit the Indonesian island of Sumatra late.

Disaster officials said the toll may reach 100 as rescuers search for bodies in flattened villages along the southern shore of the island of Upolu. Twenty villages on Upolu's south side were reportedly destroyed, including Lepa, the home of Samoa's prime minister. The area is also the main tourist area, and the waves destroyed some resorts. In neighboring American Samoa at least 24 people were killed and 50 injured with the southern portion of the main Tutuila island "devastated". The death toll there may also rise, said officials.

Huge Waves, Buildings Demolished

The waves that hit Pago Pago village were about 20 feet high. Some buildings were demolished by the waves, you know, there are no buildings anymore except the foundation. In addition, the island of Tonga was hit by a 13-foot wave on its northern coast. Tongan officials confirmed seven people were killed, while three were missing late on Wednesday.

Small tsunamis also reached New Zealand, Hawaii, and Japan.

Some areas have been flattened and the tsunami brought a lot of sand onshore. The Samoan resort Sea Breeze on the south side of Upolu was destroyed when the waves hit it. The restaurant just floated out to sea complete, until it was smashed up in the water.




Disaster Plan Manual - CIO and CSO conflict

When the task of disaster recovery planning (DRP) is dropped in the laps of information security managers and IT staff, DRP becomes a security problem. If the disaster plan is handed off to an organization's information security officer or IT director with little or no support, the result is usually either a set of a few policies and procedures without a solid foundation in risk assessment, or a long-winded document that overreaches and focuses on the wrong issues.

When this happens, the disaster recovery plan often does more harm than good. Thinking that disaster recovery is assured by a novice's tape backup rotation plan and off-site storage in a cabinet down the hall could lead to overconfidence, false statements during audits or contract negotiations, or even encourage risky data, network, and service management behavior. Mistaking a data recovery procedure for a full-blown plan, or inflating a data-focused plan into management policy and standards, is dangerous for the livelihood of a business.

Worse, there is the possibility that minimal action on the part of the CIO and IT to protect information assets will cause senior management to cool its support for enterprise risk management, disaster recovery and business continuity. Organizations making the transition from small to medium size occasionally check disaster recovery off the list when they have information asset-preservation policies, and neglect to scale up disaster response decisions and processes where they concern human safety.




A disaster occurs -- now what?

A disaster or business interruption occurs; what do you do? A quick roadmap to follow is:

  • Do not panic and remain calm! When a disaster or business interruption occurs, the first priority is to ensure the safety of the employees.
  • Evaluate the disaster! Determine the impact on your personnel and enterprise operations. This evaluation of the event is critical in making the decision to activate the disaster recovery business continuity procedures.
  • Communicate with everyone that can be impacted! Communicate with your team, managers, affiliates, and vendors frequently. Even if there is no status to report, do not leave anyone guessing or let them draw their own conclusions.
  • Know the disaster recovery business continuity plan! Testing the Business Continuity Plan regularly helps everyone become familiar with what will happen and how it will be done.
  • Be decisive! Once you have determined the level of disaster and everyone is safe to operate, it is time to decide whether you need to implement the business continuity procedures or whether the downtime for recovery is acceptable.
  • Start the process! Start with recovering the most business-critical systems first to restore business operations to a functional level. There should not be any question about the order in which applications need to be restored.
  • Lock down all backups and critical documentation! The first step to the recovery is having a set of data to recover from. This could be anything from archived tape or a local disk copy to a co-location or disaster recovery data center.
  • Use multiple solution paths! Assume that nothing will work and have alternatives in place.
  • Reactivate normal operations! Once the systems are operational, the disaster is over and systems are repaired, it is time to move the workloads back to where they were originally.



Disasters can occur anywhere at any time

Disasters are unpredictable by nature and can strike anywhere at any time with little or no warning. Recovering from one is expensive and time consuming, particularly for those who have not taken the time to think ahead and prepare for such possibilities.

Janco has found that 80% of all enterprises that do not have a disaster recovery / business continuity plan in place before a disaster occurs never reopen.  However, when disaster strikes, those who have prepared and made recovery plans survive with comparatively minimal loss and/or disruption of productivity.

Disasters can take several different forms. Some primarily impact individuals (e.g., hard drive meltdowns) while others have a larger, collective impact. Disasters can take the form of power outages, floods, fires, storms, equipment failure, sabotage, terrorism, or even epidemic illness. Each of these can at the very least cause short-term disruptions in normal business operation. But recovering from the impact of many of the aforementioned disasters can take much longer, especially if organizations have not made preparations in advance.

Most of us recognize these potential problems as possibilities. Unfortunately, the randomness of some of these disasters lulls some organizations into a false sense of security: "that's not likely to happen here." However, if proper preparations have been made, the disaster recovery process does not have to be exceedingly stressful. Instead the process can be streamlined, but this facilitation of recovery will only happen where preparations have been made. Organizations that take the time to implement disaster recovery plans ahead of time often ride out catastrophes with minimal or no loss of data, hardware, or business revenue. This in turn allows them to maintain the faith and confidence of their customers and investors.

Disaster Recovery Planning is the factor that makes the critical difference between the organizations that can successfully manage crises with minimal cost and effort and maximum speed, and those that are left picking up the pieces for untold lengths of time and at whatever cost providers decide to charge; organizations forced to make decisions out of desperation.




Network Disaster Recovery and Business Continuity CIO's Concern

In addition to the lack of a consolidated disaster recovery / business continuity plan for the network management system, network operations are plagued by other problems:

  • Network recovery plans are impacted by unanticipated traffic growth, configuration issues, link overloads due to traffic rerouted around failed network elements, and more.
  • Changes may lead to undocumented side effects, so understanding the impact of changes before making them is essential for reliable network operations.
  • The monotonous work of making simple changes to hundreds or thousands of devices or objects is error prone and often difficult to reproduce in the recovery mode.

To add to the pressure, network operations teams are expected to run larger networks that have become many times more important to the business, and to do so with fewer staff members. These conditions exacerbate the problems associated with disparate disaster recovery and business continuity plans.




State of Texas disaster recovery plan in jeopardy

Disaster planning for the State of Texas has been put in jeopardy with the delay in the signing of contracts for seven of the state’s agencies. The 7-year contract, signed in 2007, calls for data-center operations for 27 separate state agencies to be consolidated into two new facilities with the objectives being enhanced security and lower costs, according to the Austin American-Statesman.

In addition, high-profile data breaches involving state systems last year led to the suspension of the data-center consolidation project until IBM could prove to the state that necessary security measures were in place. As a result, seven of the state's 27 agencies have still not signed off on IBM's proposed plan for managing data backup, which could lead to additional delays.

Adding to IBM's challenge on this project are the results of a survey of the IT directors for the state agencies: 88% said they are dissatisfied with the services IBM has been providing.




A network outage is a disaster

As businesses rely more heavily on the internet to transact business and link together branch offices, remote workers, customers and business partners, the WAN connection becomes more important than ever. A single pipe may be a company's only link to the outside world. If this pipe goes down, crucial networking functions come to a crashing halt. Most business lines are reliable and outages are not very common, but a software company that has over 25 branch offices, each with a T-1, in several third-world locations has frequent outages. About once a month, they have a T-1 outage in one of the offices, lasting from 4 to 20 hours. During that time, that remote office is effectively cut off. Without the WAN line, you cannot make phone calls, get e-mails or do any kind of electronic transaction. They are unable to communicate with the outside world and are effectively dead in the water.




DRP Backup Solutions

To plan your data protection solution appropriately, you must first understand the type of technology environment that you are running. Consider the following:

  • Direct attached storage (DAS): The simplest backup and restore environment, DAS usually consists of a standalone tape drive or an autoloader attached directly to the server that it is protecting. Businesses that operate DAS usually require backups only daily and/or weekly, maintain only a few (one or two) networked servers on each network and do not use online business-critical operations.
  • Network backup: LAN/SAN-based backup storage uses devices that are managed centrally from a single console through a single backup server, reducing hardware costs, and management time. Businesses that operate LAN/SAN-based backup usually require continuous, business-critical operations as well as hourly or daily backups; have multiple networked servers; and can run multiple operating systems.



Backup is the primary Disaster Plan for Many SMBs

Small and mid-sized businesses (SMBs) have long struggled to protect their IT systems. Many firms are inadequately protected and mistakenly think that a disaster is rare and will not happen to them anytime soon. Experience shows there is a lot of confusion and misunderstanding regarding what disaster recovery encompasses and how to implement it effectively.

SMBs must work with limited finances, infrastructure and human resources. Robust disaster recovery used to be affordable and manageable only by large enterprises. SMBs rely more on backup than on a formal disaster recovery plan. As businesses' reliance on IT has grown, backup has increasingly shown its weaknesses. However, the introduction and maturation of several key technologies, such as virtualization, have brought affordable and easily implementable DRP to small and mid-sized companies. SMBs do not always equate virtualization with DR because awareness of the many virtualization applications is just starting to grow.

Organizations that ensure survival following a disaster understand the basics of creating a good plan; however, there are many obstacles and pitfalls that they can easily avoid. Based on working with thousands of customers, Janco Associates has developed a Disaster Recovery and Business Continuity Template that includes everything that you need to create a custom Disaster Plan.

You can download a full copy of the table of contents by going to http://www.e-janco.com/Register_drp.asp.




Disaster Plan Common Failures

Most common mistakes made in Disaster Recovery and Business Continuity Planning are eliminated by implementing the Janco Disaster Recovery and Business Continuity Template.  Problems that are avoided are:

  • Failure to identify every potential event that can jeopardize the infrastructure and data that your enterprise depends on
  • Failure to cross-train personnel in disaster recovery and business continuity
  • Failure to create a communication process which will work when your communication infrastructure is lost
  • Failure to have adequate backup power
  • Failure to know which resources need to be restored first
  • Failure to have adequate physical documentation of your Disaster Recovery and Business Continuity plan
  • Failure to validate the adequacy of your backups
  • Failure to test your Disaster Recovery and Business Continuity plan
  • Failure to have passwords available to the Disaster Recovery and Business Continuity team
  • Failure to keep your Disaster Recovery and Business Continuity plan up to date



Minimum and Standard Power Protection for Workstations for DRP and BCP

Personal computers and remote servers often are damaged by subtle anomalies that users never see, such as sags, surges, spikes, brownouts, line noise, frequency variation, switching transients and harmonic distortion. A business on typical utility power is subjected to these hidden power problems every day and complete outages several times a year. Solutions that you should implement for all such equipment include:

  • Minimum - Surge suppressors address the power surges, but have no effect on the under-voltage and variance conditions that can erode equipment health over time or zap it in an instant.
  • Standard - Uninterruptible Power Systems (UPSs) protect your IT systems by conditioning incoming power to smooth out the sags and spikes that are all too common on the grid and other primary sources of power, and by providing ride-through power to cover for sags or short-term outages (30 – 60 minutes, typically).



Disaster planning, emergency preparedness, or business continuity

Disaster planning, emergency preparedness, or business continuity (and experts note that there are differences) - the goals are ultimately the same: to get an organization back up and running in the event of an interruption. The problem causing the interruption could be one computer crashing or an entire network crashing. Or it could be an electrical outage or the result of a terrorist activity. The goal is to have some contingency plans in the event of a problem. A disaster recovery plan exists to preserve the organization so that it can continue to offer its services.

A disaster recovery plan is a users' guide - the documentation - for how to preserve an organization. In order for a plan to be useful, it must be created before an interruption occurs. Business continuity is disaster recovery. Lost revenue is a driving force in business continuity. The reason to do a recovery plan is essentially to keep the funding coming in, the services going, and the clients being served.

  • Emergency planning covers the procedures and steps taken immediately after an interruption to business.
  • Disaster recovery covers the steps taken to restore some functions so that some level of services can be offered.
  • Business continuity is restoration planning, completing the full circle to get your organization back to where it was before an interruption.

In order to write your plan, you have to do some planning. This planning is the process that will get you to the step where you then commit your plan to paper - you can’t write a plan until you do the preparation.  The most difficult thing is getting started; the second most difficult task is keeping the plan current.




The Difference Between Disaster Recovery Planning and Business Continuity Planning Defined

Disaster Recovery Planning (DRP) is the process by which you resume business after a disruptive event. This typically means that you can get the enterprise computers, networks, and databases operational. The event might be something huge, like an earthquake or the terrorist attacks on the World Trade Center, or something small, like malfunctioning software caused by a computer virus.

Given the human tendency to look on the bright side, many business executives are prone to ignoring "disaster recovery" because disaster seems an unlikely event. However, Janco has found that over one third of all enterprises have had to activate their Disaster Plans in the last few years.

Business Continuity Planning (BCP) suggests a more comprehensive approach to making sure you can keep the enterprise going and meet its business objectives. This goes beyond the enterprise computers, networks and databases. However, the two terms are married under the acronym DR/BC or DRP/BCP. At any rate, Disaster Recovery Planning and/or Business Continuity Planning facilitate how a company will keep functioning after a disruptive event until its normal facilities are restored.




Disaster Recovery Business Continuity Scope

Recognizing the scope of the requirements, Janco suggests that you purchase the Disaster Recovery Business Continuity Template  and the do the following:

  • Conduct a business impact assessment. This involved a crossfunctional team to evaluate the business requirements and tier data based on the importance to our business operations.
  • Protect data and applications. It was important to back up data frequently to ensure records are kept, so we needed to upgrade
    our backup equipment to a faster version to reduce the time it took to complete a backup cycle.
  • Review power and connectivity options. We needed to add uninterrupted power supplies (UPS) and connectivity for critical servers, network connections and selected personal computers to keep the most essential applications running in case of a power outage.
  • Document, test and update the disaster preparedness plan. Part of the Janco Disaster Recovery and Business Continuity Template plan needs you to include updated configuration diagrams of the hardware, software and network components to be used in the recovery. The plan also needed to include logistical details, such as travel to backup sites and spending authorization for emergency needs.
  • Consider telecommunications alternatives. Often taken for granted, telecommunications backup involving redundancy and alternatives needed to be in place - and in the case of spot outages, redundancy may be enough. For larger outages, alternative communications vehicles, including wireless phones, wireless data cards and satellite phones, had to be considered.



Testing is Critical to Disaster Recovery Planning

Testing is critical to disaster recovery and business continuity planning.

All good disaster recovery and contingency plans start with having a good solid backup of data. Although systems and applications can be reinstalled and reconfigured, data cannot be rebuilt out of thin air. The key to having a good backup is to make sure the data is correct and can be successfully restored. This is not always as easy as it seems. One company had such an issue. Their backup administrator did not correctly follow procedures and when he thought he was doing a backup, he actually was not writing anything. When they tried to restore a database, they found out all the tapes were blank.
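A restore test catches the blank-tape failure described above before a real recovery depends on it. The following is an added example, not Janco's or any backup product's code: `build_manifest`, `make_backup`, `verify_backup` and the sample files are hypothetical and constructed for illustration.

```python
import hashlib
import io
import tarfile


def build_manifest(files: dict) -> dict:
    """Record the SHA-256 of every source file at backup time."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def make_backup(files: dict) -> bytes:
    """Write files (name -> bytes) into an in-memory gzip-compressed tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_backup(archive: bytes, manifest: dict) -> list:
    """Restore every member in memory and compare it with the manifest.
    Returns a list of problems; an empty list means the restore test passed."""
    restored = {}
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    data = tar.extractfile(member).read()
                    restored[member.name] = hashlib.sha256(data).hexdigest()
    except (tarfile.TarError, EOFError, OSError) as exc:
        return [f"archive unreadable: {exc}"]
    problems = []
    for name, expected in manifest.items():
        if name not in restored:
            problems.append(f"missing from backup: {name}")
        elif restored[name] != expected:
            problems.append(f"content mismatch: {name}")
    return problems


# Constructed sample data standing in for a database dump and a config file.
SOURCE = {"db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget');\n" * 200,
          "etc/app.conf": b"retention_days = 30\n"}
MANIFEST = build_manifest(SOURCE)
```

Calling `verify_backup(b"", MANIFEST)` models media on which nothing was written: the check reports a problem instead of letting the job count as a successful backup.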




Cost of Disaster Recovery Backup Is High For Many Enterprises

The need for de-duplication is increasing for many organizations as they gather ever-growing volumes of data. At the same time, they are looking for ways to reduce storage costs, improve efficiencies and provide adequate disaster recovery capabilities. The key benefit is the ability to lessen the Total Cost of Ownership (TCO) of storage hardware by eliminating redundant blocks of data and then allowing organizations to replicate that data -- if required -- to a second system for offsite storage. That can remove the need for tape. Data de-duplication not only allows companies to reduce the disk space needed for backup and restore, but it can increase performance and reliability while reducing demands for rack space, power and cooling. Further, it can reduce the bandwidth requirements for data transfer by 90 percent or more.
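How eliminating redundant blocks reduces both stored and replicated bytes, as an added example that is not taken from Janco or any backup product: `DedupStore`, `replicate`, `make_image` and the fixed 4 KiB block size are hypothetical, and the nightly images are constructed sample data.

```python
import hashlib

BLOCK_SIZE = 4096  # fixed-size blocks; an assumption made for this example


class DedupStore:
    """Content-addressed block store: each unique block is kept once."""

    def __init__(self):
        self.blocks = {}   # SHA-256 digest -> block bytes
        self.recipes = {}  # backup name -> ordered list of digests

    def ingest(self, name: str, data: bytes) -> int:
        """Store a backup; return how many bytes were new to the store."""
        new_bytes, recipe = 0, []
        for off in range(0, len(data), BLOCK_SIZE):
            block = data[off:off + BLOCK_SIZE]
            digest = hashlib.sha256(block).digest()
            if digest not in self.blocks:
                self.blocks[digest] = block
                new_bytes += len(block)
            recipe.append(digest)
        self.recipes[name] = recipe
        return new_bytes

    def restore(self, name: str) -> bytes:
        """Reassemble a backup from its recipe."""
        return b"".join(self.blocks[d] for d in self.recipes[name])


def replicate(src: DedupStore, dst: DedupStore, name: str) -> int:
    """Copy one backup offsite, sending only blocks dst lacks; return bytes sent."""
    sent = 0
    for digest in src.recipes[name]:
        if digest not in dst.blocks:
            dst.blocks[digest] = src.blocks[digest]
            sent += len(src.blocks[digest])
    dst.recipes[name] = list(src.recipes[name])
    return sent


def make_image(changed=()) -> bytes:
    """Constructed sample: 100 distinct 4 KiB blocks; 'changed' ones differ."""
    return b"".join(
        (b"%04d" % i + (b"v2" if i in changed else b"v1")).ljust(BLOCK_SIZE, b".")
        for i in range(100))
```

Because each unique block is stored only once, a single damaged block affects every backup whose recipe references it, so restore testing matters even more on a de-duplicated store.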



Pandemic Alert Level 5 Requires DRP/BCP Plans be Activated

The World Health Organization has raised the pandemic alert over the spread of swine flu to phase 5.

WHO says that, based on assessment of all available information and following several expert consultations, it raised the current level of influenza pandemic alert from phase 4 to 5.

While making the announcement, WHO stated that all countries should immediately activate their pandemic preparedness plans. At this stage, effective and essential measures include heightened surveillance, early detection and treatment of cases, and infection control in all health facilities.




Disaster Planning for a Pandemic

In disaster planning for a pandemic, the data center still exists but people are in separate locations. The Disaster Planning and Business Continuity Planning processes need to make the user and business operating experience as similar as possible, so that the work environment is the same in the remote site (often home) as in the office. A key requirement is to increase remote access capabilities. In addition, before the pandemic occurs, the following planning needs to take place:

  • Define necessary staff levels for critical business processes
  • Identify who can work remotely and who has to be in the office
  • Validate vaccinations for key staff members
  • Identify the lights-out processing issues for computer operations staff
  • Identify the network and remote access capacity requirements - what percent of workers do you need to be on the system for the enterprise to continue to operate
  • Train and test users and IT staff in how to operate from remote locations. Require key employees to work from a remote site at least once a month
  • Validate broadband capacity to remote sites (home users)
  • Have copies of the disaster plan available at the remote site
  • Put in place a process for the synchronization of OS system patches and VPN updates - if the workstations are not used frequently, disable the auto update features for security updates but maintain a process to see that the workstations are up-to-date.
  • Define specific requirements for security and PCI-DSS when the disaster plan is activated for a pandemic.
  • Define change management and version control processes to be used and how they will be controlled during the pandemic.



How to get started with a Disaster Planning process

Getting started with a disaster recovery / business continuity plan may seem daunting, but it is not. The process starts by addressing the needs of the business - not the IT department.

  • Assess the enterprise's operating environment - Identify critical business functions and then determine which systems, applications and data must be available to keep each function running smoothly.
  • Conduct an IT business impact analysis - Develop a hierarchy of business functions and processes based on their importance to operations. You will most likely find that, although some systems need to be up and running as soon as possible after a disaster, other systems can wait.
  • Establish a team with enterprise-wide management experience and responsibility - Gather representatives from across the business, from IT to human resources and facilities management. Each member should contribute to both the development of the disaster recovery plan and its execution. Be sure to define their responsibilities and the reporting hierarchy in the event of a disaster and to equip them with mobile technology, so they can make decisions spontaneously.
  • Develop budgets and funding sources - A disaster recovery plan is only as effective as the resources that are committed to it. Once you have determined what it will require to support your business recovery objectives, you need to identify the tools and procedures needed to meet them. Be specific about the cost of these mechanisms, as well as the financial risk of disaster, so you can build a realistic business case.
  • Define specific responsibilities and tasks - Spell out tasks, responsibilities and roles - not only to revive systems, but also to provide access to users and enable operations to continue even under compromised circumstances.
  • Re-evaluate what has been created and keep it up to date - Test it, reexamine it and update it regularly - once a year, twice a year or even quarterly. Also, remember that there are continuing advancements in disaster recovery technology. Keep revisiting your options to take advantage of faster, more-cost-effective solutions.



Google Designs its Servers With DRP and BCP in Mind

Most companies buy servers from the likes of Dell, Hewlett-Packard, IBM, or Sun Microsystems. But Google, which has hundreds of thousands of servers and considers running them part of its core expertise, designs and builds its own. Each server has its own 12-volt battery to supply power if there's a problem with the main source of electricity. Since 2005, Google's data centers have been composed of standard shipping containers, each with 1,160 servers and a power consumption that can reach 250 kilowatts.




Disaster Recovery Business Continuity in a Mixed Vendor Environment

How do you create a unified Disaster Recovery Business Continuity Plan when your IT services are outsourced to multiple vendors and some of their facilities are in the same geographical area? Some vendors are now starting to offer services that are designed to help enterprises get a converged view with which to manage and monitor their entire IT infrastructures, regardless of whether services are delivered by in-house resources or by third-party service providers.

These service providers recognize that enterprises are moving services to specialty vendors such as security providers, network providers or computing services providers, rather than to a single services provider.

 
