Go Beyond The Cloud

STEP-BY-STEP DISASTER PREPAREDNESS Guide & Template

WHITEPAPER BY XVAND TECHNOLOGY CORPORATION

Xvand Technology Corporation
832.204.4909
questions@xvand.com
www.isutility.com

Disaster Preparedness Plan
Provided by:

Step 1: Determine Goals of Your Disaster Recovery Plan
Understand:
- The difference between business continuity vs. disaster recovery.
- The 7 Ps Guidelines of Business Continuity (Business Continuity Institute)
- The first 24 hours is for saving lives; second 24 hours is for saving data; third 24 hours is for ensuring accessibility to data.

Key objectives:
- To limit the extent of disruption and damage.
- To minimize the financial impact of the interruption.
- To minimize interruptions to business operations.
- To establish alternative locations and means of operation.
- To train management on emergency procedures.
- To provide for smooth, secure and rapid restoration of business operations.

Step 2: Create an Emergency Response Team & Leadership

| Name | Title | Role | Address (Physical) | Address (Email) | Phone | Alternate Communication |
|---|---|---|---|---|---|---|
| | | | | | | |

Note: Attach copies of your organization chart and complete contact information of employees, clients, vendors, and distribution channel partners here. Create laminated copies of contact list(s) for each employee to keep in his/her wallet or purse.

Step 3: Assess & Manage Risk of Disaster
A. Identify & categorize disaster risk for your business. Factor impact on revenue, productivity and clients/reputation.

Business Risk Assessment

| Affected Business Area | Impact | Probability of Failure | Single Event Loss Expectancy | Estimated # of Incidents/Year | Estimated Cost of Mitigation | Note |
|---|---|---|---|---|---|---|
| | | | | | | |

Comments:

Sample: Business Risk Assessment

| Affected Business Area | Impact | Probability of Failure | Single Event Loss Expectancy | Estimated # of Incidents/Year | Estimated Cost of Mitigation | Note |
|---|---|---|---|---|---|---|
| Company-wide | High | Low | $500,000 | 0.1 | $10,000 | No redundant UPS for phones |
| Shipping Dept. | High | Low | $100,000 | 0.2 | $15,000 | No backup server |
| Marketing/Sales | Moderate | High | $3,000 | 2 | $6,000 | CRM not redundant |

Comments:

B. List of all critical systems and applications involved in daily business operations, like payroll, accounts payable/receivable, orders and CRM.

Systems & Applications

| Application/System | Critical? | Weighted Value | Inaccessibility Cost/Hour | Replacement Cost | Affected Business Area | Note |
|---|---|---|---|---|---|---|
| | | | | | | |

Comments:

Sample: Systems & Applications

| Application/System | Critical? | Weighted Value | Inaccessibility Cost/Hour | Replacement Cost | Affected Business Area | Note |
|---|---|---|---|---|---|---|
| Phone System | Critical | 9 | $24,000 | $45,000 | Company | |
| ERP System | Critical | 7 | $17,000 | $45,000 | Sales/Acctg. | |
| Adobe Reader | No | 2 | $250 | $5,000 | Marketing/Sales | |

Comments:

Step 4: Take Inventory
Take physical inventory of all equipment and supplies. This list should be updated frequently and should include all critical components of your business. This list may include the following:
- Servers
- Workstations
- Routers/Switches
- Spare workstations
- Telephones
- Software applications
- General office supplies
- Backup power supply
- Air conditioner/heater
- Physical files
- Humidifier or dehumidifier
- General data communication
- External disks/drives

(*Include maintenance agreement for aforementioned.)

Hardware Inventory

| Item | Manufacturer/Model | Quantity | Serial # | Own/Lease | Receipt | Support Phone # | Cost |
|---|---|---|---|---|---|---|---|
| | | | | | | | |
| Software | | | | | | | |
| | | | | | | | |
| Miscellaneous Office Supplies | | | | | | | |
| | | | | | | | |

Comments:

Step 5: Establish Offsite Data Backup Procedures
All company data servers, workstations, laptops should be regularly backed up at a secure, offsite location at least once per day to protect against disasters that could potentially wipe out critical business information. Backups should be regularly documented and tested on a quarterly basis.

Data Backup

| System Component (Server, desktop, etc.) | Location of backup | Frequency of backup | Backup performed by: | Frequency of backup testing | Frequency of recovery testing | Comments |
|---|---|---|---|---|---|---|
| | | | | | | |

Comments:

Outsourcing Disaster Recovery
5 Questions to Ask Your Prospective DR or Data Backup Provider
1. What is your recovery interval?
2. Who's responsible for data restoration post disaster?
3. Do you document your backup procedures?
4. How often do you test your backup plan?
5. What are staffing levels in an emergency?

Step 6: Arrange Alternate Means of Operation
Follow the steps on the checklist below to ensure continuance of operations:

Alternate Means of Operation Checklist:
- Create, distribute, and review employee safety and evacuation routes and procedures.
- Have an alternate workplace and living arrangements established well in advance of disaster.
- Determine which applications will be remotely accessed during and immediately after disaster.
- Establish remote access capabilities utilizing browser access for data & applications.
- Arrange transportation to and from alternate workplace.
- Set up the delivery and the receipt of mail.
- Establish emergency office supplies.
- Set arrangements for rented or purchased equipment, as needed.
- Identify number of remote/backup workstations needed.
- Establish means of communication once operations are temporarily shut down or relocated.
- Arrange for alternate means of communication at temporary workplace (land lines, cellphones, Internet access, etc.).
- Compile, update and verify contact list of employees, clients, vendors, and distribution channel partners (cell phone numbers, email, social media, such as Twitter).
- Create laminated copies of contact list(s) for each employee.
- Protect against lost laptops and mobile devices:
  - Record all serial and model numbers of all mobile devices.
  - Install laptop tracking and remote data deletion capabilities to protect company assets and data.
  - In the event laptop data must be remotely destroyed:
    - Ensure your organization is in compliance with appropriate data destruction policies.
    - Request a certificate of destruction to ensure the data are properly disposed.
- Use best practices for securing wireless networks.

Step 7: Test Disaster Preparedness Plan In Advance
According to Microsoft, nearly three-fourths of companies that test their tape backups found backup failures. The plan should be regularly tested on a quarterly basis.

Testing Procedures
Test the following on a quarterly basis:
- Data restoration - Define recovery and test recovery interval times.
  - Where will the restore occur?
  - How long will it take to restore?
  - Are the backups up-to-date and good?
  - Is the data accurate?
  - Is the offsite data backup compatible with new hardware and software?
  - Can the data be remotely accessed?
  - Are software versions the same as your production system?
- Backup power supply.

Questions to ask about your current systems:
- What is the estimated time needed to replace or repair a duplicate system?
- Are software licenses tied to the CPU serial number?
- Is software media with proper versions available for building a new system?

Step 8: Plan Execution
Disaster Plan Implementation Checklist:
- Declare the emergency and implementation of plan (Emergency response leader)
- Assemble disaster recovery team and review tasks of each member
- Classify the nature and degree of disaster
- Make decision to stay or temporarily relocate to predetermined alternate workspace
- Review and distribute alternate communication plans
- Notify all lists (clients, employees, vendors & suppliers) of emergency declaration and plan
- Notify primary vendors for assistance with problems incurred during emergency
- Notify insurance companies
- Activate user participation plan
- List and keep track of all company devices that are moved to alternate workspace
- Take copies of operational and procedural documentation
- Maintain constant communication with all lists during and immediately following disaster on:
  - Extent of damage
  - Telephones, facilities, power, systems, networks
  - Other human resource-related events
  - Declaration of emergency "conclusion"
  - Restoration of normal business operations

Step 9: Post Mortem - Debrief & Document
The disaster preparedness plan should be systematically reviewed and tested, especially post-disaster.

Post Mortem Grading Report

| List Item | Overall Grade | Notes |
|---|---|---|
| Ability to recover individual applications and systems from off-site location. | | |
| Ability to restore backup data and systems to pre-disaster levels. (Servers and individual workstations) | | |
| Ability of management to determine priority of human resource actions. | | |
| Ability of management to determine priority of applications. | | |
| Ability to recover and process successfully without key people. | | |
| Ability of the plan to clarify areas of responsibility and chain of command. | | |
| Productivity and efficiency of work produced at alternate workplace. | | |
| Effectiveness of security procedures during the disaster and recovery period. | | |
| Ability to accomplish emergency evacuation and first-aid responses. | | |
| Ability to quickly communicate with key personnel or assigned alternates. | | |
| Ability of employees to work effectively with a temporary loss of on-line information. | | |
| Ability of employees to continue day-to-day operations without non-critical applications or tasks. | | |
| Availability of peripheral equipment, such as copiers, printers and scanners. | | |
| Availability of important forms and paper stock. | | |
| Availability of other supplies equipment, such as air conditioners. | | |
| Availability of supplies, transportation, and communication. | | |
| Ability to adapt plan to lessen disaster's effect. | | |

Step 10: Maintain Records of Plan Changes
Keep your plan current. Keep records of changes to your configuration, your applications, and your backup schedules and procedures.

Complimentary Disaster and Security Assessment to Get You Started:
It is critical to determine what technology is right for your organization and which services or products should be outsourced. Whether or not you choose to engage with IsUtility, we'd like to offer you the following tools to get you on the road to successful disaster preparedness.

This personalized and confidential IT assessment will uncover potential security risks and vulnerabilities. It includes a comprehensive report on how to best optimize your IT assets and protect your organization from IT disasters. Schedule your free audit at http://info.isutility.com/securityassessment.