Home

Search

Templates Kits

Salary Survey

HandiGuides

Job Descriptions

Policies

Compliance

White Papers

Update Service

Bundles

CIO Infrastructure

Promotions

 

 

Disaster Plan Risk Assessment

What is Disaster
Recovery?

Disaster Planning

Are You Prepared
for a Disaster?

Disaster Clean up
How To

What to do after an explosion, terrorist
attack, or random
act of violence

Disaster Planning
for a Pandemic

Disaster Recovery and Business Continuity

Disaster Recovery
Buiness Continuity
Metrics

Disaster Recovery Business Continuity Funding

Defining Maximum Tolerable Period of Disruption

Disaster Recovery Guide

 

 Outsourcing Policy

The outsourcing policy is eighteen page in length and defines everything that is needed for a function, department, or area to be outsourced. 

The policy comes as a Microsoft Word document (Word 2003 & Word 2007) that can be modified as needed.  The template has been updated to include a HIPAA audit program definition:

• Outsourcing Management Standard
  • Service Level Agreement
  • Responsibility
• Outsourcing Policy
  • Policy Statement
  • Goal
• Approval Standard
  • BaseCase
  • Responsibilities

Note: Look at the Practical Guide for Outsourcing over 110 page template for a more extensive process for outsourcing which includes a sample contract with a sample service level agreement

 

 

Other Policies

All of the policies that are provided here are contained within one or more of the templates that are on this site. These policies have been added as individual documents in WORD format for those clients who just need this particular policy.  All policies are Sarbanes-Oxley compliant

 

Internet, e-Mail, Mobile Device,
Electronic Communications, and
Record Retention Policy

This policy is is compliant with all recent legislation (SOX, HIPAA, Patriot Act, and Sensitive information), and covers:

• Appropriate Use of Equipment
• Mobile Devices
• Internet Access
• Electronic Mail
• Retention of Email on Personal Systems
• E-mail and Business Records Retention
• Copyrighted Materials
• Banned Activities
• Ownership of Information
• Security
• Sarbanes-Oxley
• Abuse

Included with the policy are forms that can be used to facilitate the implementation of the policy. Included are these ready to use forms:

• Internet & Electronic Communication Employee Acknowledgement
• E-Mail - Employee Acknowledgement
• Internet Use Approval Form
• Internet Access Request Form
• Security Access Application Form

 

 

Sensitive Information Policy

Includes HIPAA Audit Program Guide and a PCI Audit Program

This policy is easily modified and defines how to treat Credit Card, Social Security, Employee, and Customer Data.  The template is 29 pages in length and complies with Sarbanes Oxley Section 404, ISO 27000 (17799), and HIPAA.  The PCI Audit Program that is included is an additional 50 plus pages in length.

This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals). 

The HIPAA Audit Program Guide provides you with a checklist of the must be implemented items which HIPAA mandates. 

You can download the Table of Contents and some sample pages by clicking on the link below.

 

 

Travel and Off-Site Meeting Policy

Travel and Off-Site Meeting Policy - Protection of data and software is often is complicated by the fact that it can be accessed from remote locations. As individuals travel and attend off-site meetings with other  employees, contractors, suppliers and customers data and software can be compromised.  This policy is four page in length and covers:

• Data and application security
• Minimize attention
• Shared public resources
• Off-site meeting special considerations

 

 

 

 

 

 

 

Outsourcing Policies and Procedures News

Metrics for Organizations with no Disaster Recovery Business Continuity Plan

According to Janco Associates, an International Disaster Recovery - Business Continuity consultancy the most common form of enterprise wide disaster is related to power outages.  Janco has found that in disaster recovery and business continuity cases it has reviewed the following is true:

• Over one third companies take more than a day to recover from a major power outage caused by events like hurricanes and extensive disasters.
• Over eleven percent of companies take more than a week to recover from these events.
• The typical time to reconfigure a network that has not been planned for can take up to 72 hours - if the resources are available.
• Data that is lost (not backup up electronically) can take weeks to re-enter if there is paper trail and if there is none the data can be lost forever.
• Over 85 percent of companies that experience a computer disaster and do not have a Disaster Recovery - Business Continuity Plan go out of business within 18 months.

- more info

Disaster Recovery Planning Scope

All Disaster Recovery Planning and Business Continuity Planning need to encompass how employees will communicate, where they will go and how they will keep doing their jobs. The details can vary greatly, depending on the size and scope of a company and the way it does business. For some businesses, issues such as supply chain logistics are most crucial and are the focus on the plan. For others, information technology may play a more pivotal role, and the Disaster Recovery and Business Continuity plan may have more of a focus on systems recovery.

But the critical point is that neither element can be ignored, and physical, IT and human resources plans cannot be developed in isolation from each other. At its heart, BC/DR is about constant communication. Business leaders and IT leaders should work together to determine what kind of plan is necessary and which systems and business units are most crucial to the company. Together, they should decide which people are responsible for declaring a disruptive event and mitigating its effects. Most importantly, the plan should establish a process for locating and communicating with employees after such an event. In a catastrophic event (Hurricane Katrina being a recent example), the plan will also need to take into account that many of those employees will have more pressing concerns than getting back to work.

- more info

Disaster Recovery Metric Defined

A proposed overall metric for Disaster Recovery is Total Time to Disaster Recovery (TTDR), which is the time it takes to backup the data, deduplication of the data, replication of the data at remote DR site, and then finally recovery of the data so it is in an operational state. This metric is all-inclusive as it takes into consideration every aspect of the backup and recovery environment into account when performing a true disaster recovery.

Recovery and data replication are the much more important ones issues that need to be considered. It is great to backup data fast, but if it takes three times as long to recover it, try to explain that to your CIO when a major application goes out and he is standing over your shoulder waiting for the data to be recovered.

TTDR includes:

• Backing up the data
• De-duplicating the data, and
• Replicating the data to the remote disaster recovery site
• Setting the data and the applications to an operational state

- more info

Backup For Disaster Recovery and Business Continuity Now Easier

Quantum Corp. a global specialist in backup, recovery and archive, announced two new product releases designed to help end users solve the challenges of data backup and recovery across distributed environments by improving local data protection and disaster recovery (DR) while streamlining management and reducing costs. The latest addition of disk backup solutions with deduplication and replication, the appliance is optimized for remote and branch office environments that are part of a distributed enterprise. The other software product release provides new centralized, multi-tier management and reporting capabilities for unifying backup resources, including disk and tape.

- more info

Disaster Recovery Business Continuity Basics

The basics of a Disaster Recovery Business Continuity Plan are defined in the Janco Disaster Recovery Business Continuity Template. They are:

• Develop the contingency planning policy statement. A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
• Conduct the business impact analysis (BIA). The BIA helps to identify and prioritize critical IT systems and components.
• Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
• Develop recovery strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
• Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
• Plan testing, training and exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
• Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.

- more info

New Devices Make Backup Easier to Implement

Backup and recovery while complex may be easier as media vendors release new advanced products. While many external drives now come with a physical push-button backup option, a new genre of backup devices is emerging one-touch USB flash drives that combine the convenience of small size with relatively sophisticated backup applications for data protection.

The latest to arrive is the SanDisk Ultra Backup USB Flash Drive, which combines push-button backups with SanDisk's U3 smart-drive technology that allows a user to store Windows PC user preferences, profiles and settings as well as download and launch a limited number of applications from the flash drive.

- more info

Disaster Recovery Business Continuity Templates Addresses Mid-sized Requirement

Mid-sized businesses have long struggled to protect their IT systems. Many firms are inadequately protected and mistakenly think that a disaster is rare and will not happen to them anytime soon.  There is a lot of confusion and misunderstanding regarding what disaster recovery encompasses and how to implement it effectively. The Janco Disaster Recovery / Business Continuity Temple provides CIO and CFO with tools that address minor and major disaster scenarios. This template also clarifies what true disaster recovery means and how backup and high availability are not true DR solutions. Janco studies the newest technology trends, such as virtualization and storage replication, which make powerful DR solutions attainable and affordable even for mid-sized businesses.

- more info

What is critical in creating a DRP BCP that works?

Good disaster recovery planning is about identifying those processes and resources that are truly critical, developing realistic recovery objectives for them and then developing a plan that can achieve those objectives as simply and cost-effectively as possible.

The reality is that a sophisticated DR plan that is too complex or expensive to properly maintain and test is worse than a plan that only does the minimum because it gives a false sense of security.

CIOs must make the right decisions in order to develop an effective, executable plan that allows their organization to create a process which will help them to recover critical enterprise functions after a disaster.

- more info

Backup Service Providers May Not Be Enough

Your data is only as safe as its most recent backup.  But what happens when you have worked on your laptop with enterprise critical data and it is lost or damaged.  You data is only as redundant as the integrity of the data that you have stored on your servers, but in this case you may have a compliance issue that you have not addressed. For companies that service customers in the cloud, if they cannot offer 99.9999% uptime and absolutely ensure data backup and restoration, they might as well not be in business.

There are a few issues at hand here. Not only must the backup provider ensure that the data is accurately and securely backed up whereby every packet and byte is accounted for, but you must also ensure that when the time comes, the data is "clean" enough to be plugged back into the system without a hiccup. It's the hiccup that companies need to avoid which is why they look for ways to backup their data to begin with, however they aren't always as proactive as the results they were expecting.

- more info

CIOs see Disaster Recovery and Business Continuity Budgets Slashed

Many CIOs have seen their disaster recovery budget for 2009 slashed and are wondering how they can recover when a disaster occurs.  CIOs are now looking for solution that that will not cost any money upfront. CIOs feel they can get money to recover if they have solution in place. CIOs cannot sit idly by while they roll out critical services without the safety net of Disaster Recovery / Business Continuity Plan in place - that is like skiing without a helmet or driving a car with no seat belt. For most, there is a very good chance that nothing bad will happen, but if something does go wrong, the consequences can be so severe that the overall risk is unacceptable.

- more info

Recovery Time Objective (RTO) Defined

The two most common metrics for business continuity solutions are Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO measures the window of time when service is unavailable and RPO represents the amount of data lost as measured in time before the failure.

For example, organizations that use tape backup for Exchange recovery typically perform a full backup weekly and a differential backup nightly. If the introduction of a new software patch destabilizes an application server and it takes 2 hours to restore the server from the differential backup and put it back into operation, an RTO of 2 hours is achieved. However, it is likely that some hours of log files will need to be replayed to bring the RPO down to zero from the time of the last backup.

- more info

How a CIO should chose a backup site

 Disasters cost money, interrupt business operations and may cause the enterprise or government agency to fail, which makes planning a business continuity issue. Disasters can interfere with or even terminate IT and communications services. It does not matter whether the disaster affects the enterprise, government or service provider. Floods, fire, volcanoes, earthquakes and other events can destroy a primary and backup site if they are too close together.

Telecom service providers can offer expert advice on where to locate a backup facility and should position themselves with CIOs to offer both consulting and services. After all, they have experience planning for their own primary and backup facilities, as well.

A CIO's selection of the backup site location will always have risks and liabilities attached to the decision. Adequate and reliable communications to the backup site and communications between the primary and backup sites are what most service providers can successfully offer to the CIO.

      

In choosing a backup site, CIO's must first determine how big a disaster plan for and budget for it. The level of disaster planning increases as you goes down the following list:

• Building closed/evacuated
• Loss of power
• Loss of communications
• Facility damaged/destroyed
• Community disaster (10-to-30 mile range)
• Regional disaster (30-to100 mile range)

- more info

Overlooked items in many Business Continuity Plans

Traditional business continuity and disaster recovery address issues related to preparing the IT department and the office infrastructure to function. The typical policies, procedures, and process that deal with data backup and recovery, distributed data centers with redundant capacity, and preparedness plans for the technical staff.  Are that are often overlooked are:

• Surge in remote connections - As employees and contractor turn into mobile workers, the volume of remote connections increases sharply placing more demand on the IT infrastructure. The support group must have ways to set up new mobile users quickly and give them access rights to the proper resources within the enterprise network.
• First-time mobile users support - Technical support and IT staffs will be called upon to assist employees whose only experience has been using computers on a corporate LAN. Support staffs should trained and implement tools that make remote support easier.

- more info

Disaster Recover Process Defined

Preparation for Disaster Recovery / Business Continuity in light of SOX has two primary parts. The first is putting systems in place to completely protect all financial and other data required to meet the reporting regulations and to archive the data to meet future requests for clarification of those reports. The second is to clearly and expressly document all these procedures so that in the event of a SOX audit, the auditors clearly see that the DRP exists and will appropriately protect the data.

 

  

 

Analize

• Define business continuity and what it means to your enterprise
• Understand the impact of a potential disaster
• Differentiate location vs. data destruction disasters
• Calculate the cost of downtime

Document

• Know your recovery objectives; define the parts of the plan
• Outline what your business needs to get back up and running

Evaluate

• Continuous vs. Periodic Replication
• Weigh the complexities, the costs of replication technology
• Improve the backup process with a formal backup and retention policy

Implement

• Pick the technology that best meets your enterprise’s objectives
• Test rigorously

- more info

Security When Business Continuity Plan is Turned On

Have you tested to see if your company's information protected by the security policy and solutions you have in place now work when you execute your disaster recovery business continuity plan ? Are you in full compliance with PCI-DSS, SOX, GLBA and HIPAA regulations, while also complying with your state's information security laws?

 

Federal and state rules enforcing the electronic security of personal information are becoming stricter and more complicated. As a result, companies are reexamining the way they deal with sensitive information to avoid the lawsuits, fines and loss of business reputation associated with a security breach.

Still, despite business's efforts to step up their security protocols, in 2007:

• More than 79 million personal electronic records containing data such as Social Security numbers and credit-card numbers were compromised in the U.S.
• This was nearly four times the number reported in 2006. (Source: New State Laws Enforcing Encryption, MessageLabs Whitepaper, Nov. 2008)

- more info

Alternative Disaster Recovery and Business Continuity Solutions

An alternative to traditional disaster recovery and business continuity planning solutions is needed to meet a number of new and growing business requirements including:

• Workers increasingly need to collaborate to get their work done
• Data must be protected from identity theft and to meet new privacy laws
• Security software needs updat­ing to parry evolving security threats

- more info

High Availability and Disaster Recovery Business continuity Planning

High availability of enterprise systems is a prerequisite for business continuity and or sustaining services to an organization’s end users and end customers. Achieving high availability during a period of rapid technology change or economic downturn can be challenging for many enterprises, which see too many obstacles to ensuring high availability across many servers and across the enterprise.

 

The process of IT transformation brings new opportunities to improve high availability, especially for end-to-end applications that span the enterprise and that leverage the computing power of many servers across the network. That is because IT transformation opens the door to doing things differently breaking down the information silos that prevented a deeper integration across business units and a unified view of all networked servers. In so doing, there is also an opportunity to reduce server footprints via workload consolidation resulting in more efficient computing and in reduced power/cooling costs. In the process of IT transformation, IT infrastructure is optimized so that workloads run on the platforms that support them with the best performance and the greatest efficiency.

Enterprises that want to ensure that end users are able to access key enterprise systems on a 24 x 7 x 365 basis, with little or no perceptible downtime, are studying ways to protect important applications by applying reliable server hardware and high availability software to the workloads being deployed. Efficiency in operating these systems is essential to holding down operational costs associated with IT staff time, system downtime, and power/cooling for deployed systems.

- more info

Tape Backup Hinders Many Disaster Plans

Effective disaster planning and business continuity planning has historically been out of reach for many small and medium sized businesses because it was too costly and complicated. While large companies could afford expensive hardware solutions, the highly trained staff to manage them, duplicate data centers, channel extenders, and expensive replication software, small and medium sized businesses are often limited to making backup tapes and carting them to the storage administrator’s basement for safe keeping.

While tape backup remains a good long-term archiving method for many organizations, numerous problems limit its usefulness including:

• Backup windows are shrinking – due to the huge growth in data volumes, requirements for longer retention and faster access, and generally greater reliance on data and technology.
• Backup is not easy or quick, many organizations cannot backup often enough to adequately protect themselves – backing up once a week leaves a lot of data vulnerable.
• Tape is not the most reliable medium – hardware failures, media failures, and human errors are common. Tape management is a constant IT headache and administrative costs are high.

- more info

What You Need to Know Before Creating Your Disaster Recovery / Business Continuity Plan

There are a number of standard answers that are needed before your create a Disaster Recovery / Business Continuity Plan.  They are:

• Current critical business processes
• Specific recovery time and recovery point objectives
• List of key personnel involved in the D/R process
• List of personnel needing information access after the disaster
• How personnel will access information – from home, from a secondary data center, from a leased facility
• What systems, applications, and data will be required, and for how long
• Chronologically, how far back you need data to conduct business as if the disaster never occurred

- more info

Water Damage Is the Most Frequent Form of Disaster

While water damage is the most common form of disaster, every enterprise with assets of  needs a good fire-protection system. Since most emergencies seem to happen outside normal working hours, reliable fire detection systems on professional, twenty-four-hour monitors are a wise investment. Wherever possible, assets should also be protected by a fire-suppression system. The use of halon is no longer recommended. Professionals now recommend wet-pipe sprinklers for most enterprise record archives. In addition, water misting suppression systems have become available within the last several years; these can provide fire suppression using much less water than conventional sprinkler systems. Before choosing a fire-protection system, be sure to contact a professional or a fire-protection consultant for information about the latest developments in fire protection and for advice appropriate to your enterprise.

All fire-protection systems should be designed and installed by professionals with experience in servicing enterprise of your type, because the needs of your type of business differ from the needs for others.

- more info

How the credit crunch has impacted the Disaster Planning and Business Continuity Process in Enterprises

In a survey of our Janco’s clients 67 percent said that the financial crisis and the credit crunch has had an impact on business continuity planning in their organizations. Over one third of our clients reported that it had had a negative impact.

Medium sized organizations reported the most impact on business continuity activities, with over forty percent reporting a negative impact. While only one third of large organizations reported a negative impact and one fifth of small organizations did.

 Large organizations were most likely to state that the global financial crisis and the credit crunch had had a positive impact on business continuity activities.

Regional differences were quite striking, those located in the United States were the most badly impacted and Western Europe-based organizations apparently being least affected, closely followed by UK organizations.

The following shows the percentage of regional respondents who said that the global financial crisis and the credit crunch was having a negative impact on business continuity planning in their organization:

• United States: 52 percent
• Western Europe: 28 percent
• United Kingdom: 35 percent
• South East Asia: 47 percent
• Canada: 48 percent
• Pacific (Including Australia): 49 percent

- more info

Disaster Recovery Planning

Every business and organization can experience a serious incident which can prevent it from continuing normal operations. This this can happen any day at any time. The potential causes are many and varied: flood, explosion, computer malfunction, accident, grievious act... the list is endless.  The Disaster Recovery Planning Template is designed to help you plan for these scenarios. They will help you reduce both the risk and impact should the worst occur.  The Disaster Recovery Planning Template  is intended to be a launch pad for those seeking help with the business continuity planning process. It offers information, guidance, tips, and links to a range of resources.

Creating a disaster recovery plan is considerably simplified by use of this template. Using detailed questionnaires and checklists, this MS-Word toolkit will help you create and review both your contingency practices and recovery arrangements.

- more info

After Disaster Recovery and Business Continuity Plan Completed Testing is Critical

Once your Disaster Recovery Business Continuity Plan (see Disaster Recovery Plan Template Business Continuity - http://www.e-janco.com/DisasterPlanning.htm) is set, test it at least semi-annually. The enterprise will need to perform a component-level restoration of your largest databases to get a realistic assessment of your recovery procedure, but a periodic walk-through of the procedure with the recovery team will assure that everyone knows their roles. Test the systems you are going to use in recovery regularly to validate that all the pieces work. Always record your test results and update the Disaster Recovery Business Continuity Plan to address any shortcomings.

As your business environment changes, so should the Disaster Recovery Business Continuity Plan. Reexamine the plan every year on a high level. Conduct a risk assessment annually and determine if you still need every part of the plan? Do you need to add to it? Will the budget need to be adjusted to accommodate changes to the plan? As applications, hardware, and software are added to your network, they must be brought into the plan. New employees must be trained on recovery procedures. New threats to business seem to pop up every week and a sound DRP takes all of them into account.

- more info

IRS Systems Lack DRP and Security

An audit report of IRS systems states that the IRS fails to implement systems with adequate security built in.  Since 1997, the IRS has designated computer security as a material weakness. The IRS continues to struggle with addressing security vulnerabilities on its modernized systems.  Until security control vulnerabilities are corrected, the IRS is jeopardizing the confidentiality, integrity, and availability of the massive volume of taxpayer data processed and stored by the IRS.

The IRS deployed two new systems with known security vulnerabilities relating to the protection of sensitive data, system access, monitoring of system access, and disaster recovery. These vulnerabilities increase the risks that

• An unscrupulous person, with little chance of detection, could gain unauthorized access to the vast amount of taxpayer information the IRS processes, and
• The systems could not be recovered effectively and efficiently during an emergency.

The IRS' processes for ensuring that security controls are implemented before systems are deployed failed because the IRS did not consider the known security vulnerabilities to be significant, which affected vulnerability resolution and system deployment decisions.

The Customer Service Executive Steering Committee, which had final milestone approval;

• Did not provide sufficient oversight to ensure that security controls were implemented, and
• Signed off project milestones despite the existence of weaknesses repeatedly reported to the Committee.

In addition the IRS' accepted major risks for these security vulnerabilities, including the inabilities to successfully recover the systems and their data in the event of a disaster and to detect malicious security events and unauthorized accesses to taxpayer data.

To see the report go to (http://www.treas.gov/tigta/auditreports/2008reports/200820163fr.pdf).

 

- more info

Disaster Rcovery / Business Continuity is the International Standard

Disaster Recovery Business Continuity Template in WORD 2003 and WORD 2007 (Office 2003 and Office 2007) Formats

Park City, UT   The Disaster Recovery Business Continuity template has been sold to enterprise in over 65 countries around the globe.  With the release a of version 4.4 of the template it is in complete compliance with Sarbanes-Oxley, HIPAA, ITIL (Ver 3), ISO 17799, and PCI DSS.

M V Janulaitis the CEO of Janco said, "Our DRP /BCP Template has been accepted by enterprise around the globe as the standard for disaster recovery plan and business continuity plan creation." In response to that need Janco has updated its "Disaster Recovery / Business Continuity Template" by increasing the content of the template as well as updating the entire document to be compliant with Sarbanes-Oxley, HIPAA, ITIL (Ver. 3), ISO 17799, and PCI DSS.

The Disaster Recovery Business Continuity Plan has been purchased for use in over 65 countries around the globe including:

Angola Australia Austria Bahamas Barbados Belgium Belize Bermuda Brazil Bulgaria Canada Cayman Islands Columbia Croatia Czech Republic Denmark Egypt

Finland France Germany Greece Honduras Hungary Iceland India Indonesia Israel Italy Jamaica Japan Jordan Kenya Lebanon Lithuania

Macao Malta Mexico Mozambique Namibia Netherlands New Zealand Nigeria Norway Panama Philippines Poland Portugal Puerto Rico Qatar Republic of Ireland Romania

Russia Saudi Arabia Singapore South Africa South Korea Spain Sri Lanka Swaziland Switzerland Taiwan Thailand Trinidad & Tobago Uganda United Kingdom United States Venezuela Zambia

The Disaster Recovery Business Continuity Plan has been purchased for use in  government, public, and private enterprises in almost all industries including:

Federal Government State Governments Local Governments Law Firms Think Tanks Chemical Telecommunication Real Estate Manufacturing

Universities School Districts Consulting Firms Banks Financial Service Investment Banks Credit Unions Outsourcers Property Mgt

Heavy Industry Light Industry Distribution Retail Hospitality Energy Insurance Medical ISPs

Application Development Construction Graphics Entertainment Paper Products Defense Aerospace Media

- more info