Let’s elaborate a little. As I said before, the procedure needn’t be overly daunting - just well thought out.
Assemble a Team – Most planners are not usually members of the recovery team. Planners need to be organized. The main goal of the planners is to identify key roles and personnel to carry out the recovery procedures they will create later.
Inventory – How can you protect what you don’t know you have? Many organizations suffer from poor inventory. Keeping track of equipment and people can be time consuming without the right tools and processes. Not only are tangible assets included but services that are critical to the companies well being need to be included. Each inventoried item will need to have a priority assigned to it for rating purposes. For example the company may decide to use a numbering scheme and list that 5 is absolutely critical and 1 is negligible. Each item will then be ranked.
Determine Threats – What is the worst that could happen? Many companies outsource this to professionals to have a risk analysis performed to ensure all of the bases are covered. Each threat is then assigned a rating based on impact to the company and the likelihood of the event occurring.
Disaster Recovery Plan – Who does what when? This part of the process directly involves the security personnel of your organization, whether they are security guards or IT staff. The plan will include determining and testing recovery strategies. Once the steps have been identified, the plan will need to be practiced to ensure all are familiar with the plan and that the plan actually works. Every item must be documented. If one of the senior members of your company is run over at a café by a rogue elephant, the procedure must allow for others to action the plan. Once the plan is written, it will be in a constant case of flux as new threats are identified and added to the plan. Think of it as a living document.
Notification – I tell two friends and they tell two friends. The company must have an established fan out list with rules of who to contact and under what circumstances. How will clients be notified if your email system is down? What if a hurricane takes out the phone lines?
Review – Again? We just read it. The document will continue to grow as the business does. New threats will need to be added and non existent ones retired as deemed necessary by the planning committee.
So what does the plan comprise of?
Lastly, the plan itself will need to be drawn up. The plan should include a number of elements including the following:
Contact Information – How can you contact people if you don’t know how to get a hold of them List cell phones, land lines and email to cover all the bases.
Disaster Recovery plan – What do we do when the end of the world is near. This plan lists the procedures to react to the threat. This is the bulk of the plan and will never be complete as the environment will always be changing.
Short Term Business Model – This outlines the steps the company will need to take to immediately combat the threat. Survival mode. Once the threat has passed, the next phase can take place.
Long Term Business Model – May involve moving locations, hiring staff, new phones, new equipment, different ISP. This step involves keeping your company up and running.
Backup Strategy – If the data is worth having, it should always be at least two places. How often the backups are performed? To what media and where is it stored? These are cases for the planning committee. However, ensure backups are completed in accordance with the plan and stored off site.
Finally, the organization will want to identify a timetable to keep the disaster recovery process updated as required.
With all that said, you now have a better understanding of the Business Continuity Planning. A well thought out process that can easily be adopted in the face of adversity is worth it’s weight in gold when the time comes.
Never think "That can’t happen to me".
