Watters

DISASTER RECOVERY, CRISIS RESPONSE, & BUSINESS CONTINUITY
A Management Desk Reference

You're in charge of IT, facilities, or core operations for your organization when a hurricane or a fast-moving wildfire hits. What do you do?

Simple. You follow your business continuity/disaster recovery plan. If you've prepared in advance, your operation or your company can continue to conduct business while competitors stumble and fall. Even if your building goes up in smoke, or the power is out for ten days, or cyber warriors cripple your IT systems, you know you will survive.

But only if you have a plan. You don't have one? Then Disaster Recovery, Crisis Response, and Business Continuity: A Management Desk Reference, which explains the principles of business continuity and disaster recovery in plain English, might be the most important book you'll read in years.

Business continuity is a necessity for all businesses as emerging regulations, best practices, and customer expectations force organizations to develop and put into place business continuity plans, resilience features, incident-management processes, and recovery strategies. In larger organizations, responsibility for business continuity falls to specialist practitioners dedicated to continuity and the related disciplines of crisis management and IT service continuity. In smaller or less mature organizations, it can fall to almost anyone to prepare contingency plans, ensure that the critical infrastructure and systems are protected, and give the organization the greatest chance to survive events that can (and do) bankrupt businesses.

A practical how-to guide, this book explains exactly what you need to do to set up and run a successful business continuity program. Written by an experienced consultant with 25 years' industry experience in disaster recovery and business continuity, it contains tools and techniques to make business continuity, crisis management, and IT service continuity much easier. If you need to prepare plans and test and maintain them, then this book is written for you. You will learn:

• How to complete a business impact assessment
• How to write plans that are easy to implement in a disaster
• How to test so that you know your plans will work
• How to make sure that your suppliers won't fail you in a disaster
• How to meet customer, audit, and regulatory expectations

Disaster Recovery, Crisis Response, and Business Continuity: A Management Desk Reference will provide the tools, techniques, and templates that will make your life easier, give you peace of mind, and turn you into a local hero when disaster strikes.

ISBN 978-1-4302-6406-4
Shelve in: Business/Management
www.apress.com
Contents

About the Author ix
Acknowledgments xi
Introduction xiii

Part I: Introduction to Business Continuity and Disaster Recovery 1
Chapter 1: Business Continuity Management 3
Chapter 2: Essentials of Business Continuity Management 21

Part II: Plan for Business Continuity and Disaster Recovery 33
Chapter 3: Getting Started 35
Chapter 4: Planning 49
Chapter 5: IT Disaster Recovery 57
Chapter 6: Business Recovery Strategies 81
Chapter 7: Supply Chain 99
Chapter 8: Continuity Suppliers 105
Chapter 9: Education and Awareness 115
Chapter 10: Governance and Reporting 123

Part III: Test and Maintain Your Continuity and Recovery Plans 131
Chapter 11: Testing Principles 133
Chapter 12: IT Disaster Recovery Testing 147
Chapter 13: Business Recovery Testing 163
Chapter 14: Crisis Management Exercising 177
Chapter 15: Maintenance 191

Part IV: Execute the Plan 197
Chapter 16: Manage a Disaster 199
Chapter 17: Post Event 215

Part V: Appendices 221
Appendix A: Criticality Levels 223
Appendix B: Roles and Responsibility Matrix 225
Appendix C: Suggested Business Continuity Management Timetable 229
Appendix D: Useful Resources and Contacts 231
Appendix E: Continuity Assessment Questionnaire 235
Appendix F: Crisis Management Team Roles and Responsibilities 247
Appendix G: Call Cascade 253
Appendix H: Basic Business Continuity Plan Template 255
Appendix I: Business Impact Analysis Questionnaire 265
Appendix J: Business Continuity Management Standards 273
Appendix K: Severity Levels 285
Appendix L: Mapping Severity Levels to Criticalities 287

Index 289

Introduction

Business continuity and disaster recovery have emerged as critical aspects of business planning in the past few years. The discipline was born in high-risk and highly regulated industries but is now spreading rapidly into all sectors and every type of organization. Why?
More and more businesses are affected by natural and manmade disasters, more regulators expect to see recovery plans in place for industries beyond health and finance, more organizations expect to see continuity policies in place at vendor sites, and insurers drop rates for businesses showing greater awareness of security protocols. More important, in the age of 24/7 business, customers expect to be able to do business with you when it's convenient for them. Never mind that your city just flooded; just send me my goods or complete my transaction.

Originally, business continuity and recovery planning were the domain of a few elite consultants. Historically, consultants charged a premium for their skills and knowledge to organizations. These companies had no choice but to pay for custom consultancy engagements. Now, with increased need for continuity planning and more practitioners embedded inside organizations, business continuity has effectively been commoditized: every business needs to plan for unexpected events or pay the consequences. This commoditization is a good thing because organizations need continuity plans in place quickly, at the lowest cost and with the least pain.

This book covers the key aspects of business continuity and disaster recovery. It is written so anyone can pick it up, read it, then go and do it. It tells you what you need to do, gives you simple tools to use, and tells you what questions you need to ask and from whom you should seek the answers. Just as important, it provides checklists and templates that will help you put a credible plan in quick order.

Why Read This Book?

You have a job to do protecting your company from disasters, hackers, supply problems, and anything else that might keep you from fulfilling your mission. I want you to learn from my mistakes and quickly acquire the necessary knowledge to get the job done. I want you to avoid the trial-and-error journey that my peers and I had to suffer as we learned the hard way.
So if you want to learn all the essential aspects of business continuity while avoiding the pain, then this book is for you. There are lots of excellent books that tell you what you've got to do. This book is for people who want to know how to do it.

The aim of this book is to explain (in simple terms) all the key elements of business continuity and disaster recovery for people who need to:

• Learn the basics of business continuity fast
• Get something in place today so they'll have a chance if disaster strikes tomorrow
• Avoid the principal mistakes people in your position often make
• Prepare solid plans that people find easy to use and maintain
• Identify and fix security and continuity gaps in your systems, processes, or people
• Test your continuity plans and the people, suppliers, and technology that your organization depends on
• Make sure your staff knows what to expect from the organization if disaster strikes, and what the organization should expect from you
• Become compliant with the demands of internal auditors, external regulators, and business partners that expect them to have solid, demonstrable continuity plans in place
• Extend the principles of continuity into supplier organizations and business partners so that third parties are able to meet your needs
• Keep all the plans, scripts, solutions, and other functions up to date without making it into a full-time job

If it's your job to accomplish any of these things, read on. This book is for you!

Who Should Read This Book

This book is relevant to anyone who is in any way involved in business continuity, crisis management, and disaster recovery (DR). This list includes:

• Business continuity managers
• Business continuity coordinators: people who look after local plans and do the day-to-day administration and testing for their department
• IT staff and technicians who support business continuity or DR solutions and are involved in testing or have responsibility for some element of the recovery of their business
• IT architects and developers who are responsible for including resilience into their designs and the solutions they deliver
• Executives accountable for the continued smooth running of their businesses, funding business continuity efforts, and making sure it meets underlying business needs
• Staff who have a role to play in preparing plans, testing, or have responsibilities in a disaster recovery situation
• Auditors who are responsible for making sure that the organization's continuity arrangements meet business needs
• Suppliers that need to meet their customers' needs in regard to business continuity and DR
• Suppliers that sell business continuity or DR services

Practices to Underpin Frameworks

There are many excellent business continuity management (BCM) frameworks. BS 25999¹ and AS/NZS 5050² are two good examples. Each sets out what you have to do and to some extent what you should learn. They also provide a common vocabulary for you to use. The problem with standards and frameworks, however, is that in general they don't tell you how to do anything. How do you assess a business impact analysis? How do you plan and deliver a DR test? How do you keep your staff informed? How do you keep your plans updated?

¹ http://en.wikipedia.org/wiki/BS_25999
² http://en.wikipedia.org/wiki/Business_continuity

In this book, I mean to plug such gaps by sharing my experience and describing what I and other experienced BC/DR people actually do. For some people, BCM is an emotive subject; many practitioners are exacting and fussy in what they do. To be frank, I'm not overly attached to what we do.
Continuity planning is simply something that must be done in our day and age. But I do care about getting results efficiently and effectively. I also like to do that without upsetting or distracting too many other people! But it's possible to get bogged down in detail and perfectionism. To avoid that, do what I do and keep your mind on the practical. For this reason, if you read anything in this book and can think of a better way of doing things, don't think badly about me. Instead think, "I should send this idea to Jamie!"³ Take the time to gather your thoughts and let me know so I can improve what I do and then improve this book!

Why Listen to Me?

First, I've spent most of the past 25 years working in business continuity and IT disaster recovery–related roles, much of it in the financial services and banking industry, and should have learned most of what there is to know. So, what I'm offering you is the chance to exploit my mistakes and gain my insight in days, not months or years!

One of the key issues I've faced, and an issue that will probably concern you too, is how to deliver business continuity through people who have other full-time roles that have nothing to do with business continuity: people for whom business continuity is a pain and a distraction from their main role. If that describes you, you've come to the right book. My overarching goal is to make your job easier, something I can do by telling you how things play out in the real world.

When creating a business continuity program, I've also come to realize it's essential to build it with the following principle in mind: the program must address the deeper technical issues but without needing full-time experts to make it work. In short, I believe my job is to make business continuity simple and suitable for people who only look at their business continuity/DR plans once or twice a year.
So wherever possible I will aim to demystify business continuity, so that when people come back to their plans nine months down the line, it'll be fairly easy to understand or implement. If you want to learn to make it simple, then I'm your man.

³ Reach me through www.bcmdeskreference.com/

Structure of the Book

The chapters are written so that you can either dip in as you need to or you can read it section by section. The sections are organized as you should ideally approach business continuity, so unless you have a specific need it's best to read the book in chapter order. However, if sections or chapters don't apply (for example, you don't have any third-party contractors) you might want to skip them. I've tried to highlight the relevance of each chapter at the beginning so you can decide in a few moments if it's worth reading on.

The book is organized in the following five parts:

• Part One: Introduction to Business Continuity and Disaster Recovery. Introduces the basic concepts and provides you with the who, what, when, where, and a high-level how, of business continuity, crisis management, and disaster recovery.
• Part Two: Plan for Business Continuity and Disaster Recovery. Explains how to plan for business continuity. The section looks at both business continuity plans and IT disaster recovery plans.
• Part Three: Test and Maintain Your Continuity and Recovery Plans. Examines all the testing and maintenance that is relevant to business continuity with chapters on IT testing, business testing, and maintenance.
• Part Four: Execute the Plan. There's no point in having plans and solutions if you can't deploy them at a time of crisis. This section explains what you need to do to make sure you steer your organization through whatever disruption comes your way. More than that, it also covers the return from contingency to normal operations.
• Part Five: Appendices. Here you'll find copies of useful things like checklists, templates, and processes that I describe in the book. You can use them to get your own business continuity up and running. The appendices also include some useful reference information and links to other useful resources.

Let's get started!

Part I: Introduction to Business Continuity and Disaster Recovery