Disaster Recovery Planning

(1)

1

Micky Hogue, CRM Sandia National Laboratories

Albuquerque, New Mexico [email protected]

Disaster Recovery Planning

Presented by

(2)

4

If that happened to your

business...

Would your business be

able to survive???

5

Agenda

z

Business Disaster Recovery Planning

z

Analyzing your company & it’s needs

z

Regulations, Recovery, & Risks

z

Testing the plan

z

Mutual Aid & Pre-disaster Agreements

6

Business Disaster

Recovery Planning

Disasters happen...

If your company is here today,

and gone tomorrow...

Will it matter?

(3)

7

Focus on the Organization’s

most Critical Functions

These Need to be

Recovered First.

8

Definitions

zDisaster Planning--determines risks & potential

impacts

zDisaster Prevention--steps to prevent or lessen

impacts

zContingency Planning--develop records

program, recovery strategies, and procedures, coordinated written plans, make assignments, list resources, do training and testing.

Definitions...

(continued)(continued)

zDisaster Response & Recovery--Implementing your

Plan, dedicate resources to priority “critical function areas” - retrieve/restore all vital records for these areas.

zBusiness Resumption--retrieve/restore all vital

records & information for the rest of the company’s work areas -- finally return to normal business.

(4)

10

Levels of Disasters

z

Individual – loss of file, diskette, hard drive

z

Loss of office – fire, water

z

Local (loss of building) – fire, earthquake,

bomb, biological hazard

z

Region Wide – flood, storm, earthquake, fire,

bio/chemical hazards

z

Nationwide – terrorism, massive computer

failure, bio/chemical hazards,war

11

An Information Disaster is...

a sudden event that results in the loss

of records essential to an

organization’s continued operation.

zDestruction--fire, water, earthquake, etc.

zStolen--industrial espionage, theft for profit or

sabotage

zInaccessible--toxic contaminates, earthquake

12

Is Your Company Unique?

z

Sole provider of your services/function?

z

How fast must you resume

services--immediately? 24 hrs? 48 hrs? 1 wk?...

z

Who is harmed if you cannot function?

z

Are special skills/knowledge required?

z

Will your employees be available?

z

Are special records or equipment required?

z

If so, will they be available in time?

(5)

13

What are Your Company’s

Post

-

Disaster Needs?

z

Your building is gone -- Where will you go?

z

Transportation? Housing? Food?

z

Will employees leave home & family?

z

Alternate work site established & contracted?

z

Equipment, supplies, telecom -- in place?

z

Current Vital Records Plan & backups?

z

Do you have a plan now? Does staff know of

it, and what they are supposed to do?

14

Will the Disaster Change Your

Responsibilities, Functions, or Direction in

Any Way?

z

What will be new or different during the

response and recovery?

z

Do business as usual? Or address

specific response & recovery services?

z

Do you have procedures for these

response & recovery function?

z

Have your employees been trained &

rehearsed?

Why Should I Develop a

Company Disaster Recovery Plan?

z

How can I justify? What are the Benefits?

»Meet regulatory requirements »Ensures continuation of services »Increase employee confidence & morale »Insure job security

»Identifies the vital parts of the agency & helps to focus and streamline procedures & strategies »Minimizes liability and lawsuits

(6)

16

Regulations & Statutes for

Recovery Planning

z

Contingency Planning Regulations

z

Liability Laws

z

Life/Safety Guidelines

z

Risk Reduction Statutes

z

Security Acts

z

Vital Records Statutes

17

Risks

z

Impact if records are lost? To company,

customers, or public?

z

Which type of disasters can happen most

often?

z

How quickly must you resume business?

z

How tough is your competition?

z

How soon will you lose market share?

18

Risks

z

Will customer sue you if they suffer

losses?

z

What if the disaster involves your

off-site storage or archives?

z

What are legal, IRS, and other

implications?

(7)

19

Where to Begin?

z

Get management agreement for a plan,

and the extent of the plan

z

Set up a Contingency Planning Group

z

Select a disaster recovery team

z

Get every department working on a

disaster plan and vital records plan

20

Four Phases of Disaster

Recovery

--

S, S, R, and R

z

S = Survival

»Immediate response to threats to life safety, equipment, buildings, or area.

z

S = Stabilize

»Take sensible steps to regain control of situation

z

R = Recover

»Take necessary steps to recover critical & essential functions & facilities

z

R = Resume

»Transition from recovery to normal business

Business Disaster Recovery

Plan Strategies

z

All work units develop disaster recovery plans

& test them at least twice each year

z

Recovery Priority Level is based on the

impact to customer, regulatory requirements,

and financial stability:

»1. CRITICAL -- recovery within 48 hours

»2. ESSENTIAL -- recovery within 1 week

»3. SUPPORT -- assist recovery of other units

(8)

22

Business Disaster Recovery

Plan Strategies

z

Standard Disaster Plan Format:

»corporate policy, response & recovery strategies, plan assumptions

»explains changes during a recovery period »ensures all essential information & decisions are

included in the plan

»information is in a logical sequence

»information is easily referenced during a disaster

23

Business Disaster Recovery

Plan Strategies

z

Standard Disaster Plan Format:

»planning process efficient for managers »allows DRP to easily read & critique every plan »allows DRP to compare strategies of business

units

»allows another manager to implement a plan other than their own

24

Basic Steps in Developing a

Disaster Recovery Plan

(cont...)(cont...)

zInform all function areas of the priority status and

your recovery plans for them

zDevelop a Standard Disaster Recovery Plan to be

completed, & updated annually by all business units.

zCopies of the plan to be kept in the managers’

offices and homes

zPlan to include standard emergency response

(9)

25

Basic Steps in Developing a

Disaster Recovery Plan

z

Do a Risk Analysis (building/regional)

z

Do Business Impact Analysis (types of

disasters on business functions)

z

Do Human Impact Analysis

z

Ensure Adequate Business Interruption

Insurance

z

Ensure frequent off-site backups of all vital

records, data, software, etc.

26

Basic Steps in Developing a

Disaster Recovery Plan

(cont...)(cont...)

z

Develop Hotsite/Warmsite/Coldsite

Plan--implement and do tests

z

Plan Communication after a Disaster

»Where will key managers meet?

»What should staff do when they hear of disaster? »How to keep everyone up-to-date & informed?

z

Determine what your critical functions are,

and if any are independent of location

Basic Steps in Developing a

Disaster Recovery

Plan

(cont...)(cont...)

zCritical functions that must resume operations in

less than 1 week must develop, equip, install telecommunications and mainframe connectivity, supply, and test an alternative worksite

zDetermine what order “Critical” functions should be

recovered

zDetermine how to best use staff & resources of your

(10)

28

Basic Steps in Developing a

Disaster Recovery Plan

(cont...)(cont...)

zDo a 1-page summary of key information for every

“Critical” function’s dept’s. plan--these summaries must be immediately available to the corporation’s “Recovery Management Team”

zPrepare a Work Unit Location Analysis for every

multi-store building--which units, # of people, criticality status, square footage, equipment needed, etc

.

29

Basic Steps in Developing a

Disaster Recovery Plan

(cont...)(cont...)

z

Develop a multi-room Emergency Operations

Center (EOC)

»Develop rolls/responsibilities and basic procedures

»Have key managers/staff practice activating and using it

z

Interview major restoration companies

»Consider pre-signed service agreements for emergency evaluation and priority service

30

Basic Steps in Developing a

Disaster Recovery Plan

(cont...)(cont...)

zBeyond your fire warden program, develop an

Emergency Response and Life Safety Program based on a severe regional emergency or disaster.

zFocus on your ability to survive up to 1 week without

any outside assistance--fire, injuries, deaths, search & rescue, water, food, sanitation, communications, & evacuations

(11)

31

The Only Certain Thing

About an Untested Plan...

Is That the Plan Won’t Work.

32

Types of Tests

z

Notification Tests

z

Table Top Tests

z

Walk Through Tests

z

Operational Tests of Emergency

Voice Communications

z

Operational Tests of Hotsite

Types of Tests

z

Triage Tests

z

Mini - Simulations

z

Major - Simulations

z

Coordinated Partnership Response

Test of a Major Disaster Simulation

(12)

34

Pre

-

Disaster Agreements, Service

Contracts, & Mutual Aid

z

What should you do?

z

What can you do?

35

Pre

-

Disaster Agreements, Service

Contracts, and Mutual Aid

Can You Recover All By Yourself?

Generally speaking, if your business or

agency is going to have a realistic

chance of recovering in time, you are

going to need the help of others. And in

order for them to recover, they may need

your help.

36

Mutual Aid & Pre

-

Disaster Agreements

“Helping Each Other” Philosophy

“Helping Each Other” Philosophy ----Volunteering to AssistVolunteering to Assist z

Mutual Aid and Pre-Disaster Agreements:

»Are voluntary

»Do not bind or obligate the signers; they will only assist if possible

»Define the general types of assistance that may be required

»Identify the chain of command for activating the agreement

(13)

37

Service Contracts

--

How to Ensure

Essential Services Will Continue

z

Service Contracts:

»Are legal and binding contracts

»Stipulate how, when, and where specific services are to resume

»Are negotiated and signed by the vendors owners or high-level managers

»Define 24-hour communications procedures

38

Public & Private

Partnerships

z

Mutual Aid and Pre-Disaster Agreements:

»Are voluntary

»Do not bind or obligate the signers; they will only assist if possible

»Define the general types of assistance that may be required

»Define 24-hour communications procedures

There are no Permanent

Answers....

Only Evolving Solutions

(14)

40