Article 2 – Cyber Security and Risk Management

In the previous article we began to gather information on critical dependencies and processes. To fully document these items, there are several additional data items that will help us plan our response should these dependencies and processes fail. It is important that during our data gathering we also document these additional pieces of information. All of it needs to be centralized in our Disaster Recovery Plan (DR) and to be available to the disaster response team, which we will designate in later steps.

Additional Details Needed for Critical Processes

I use an Excel spreadsheet with several linked tabs and fields to store all my information. This spreadsheet becomes the Disaster Recovery Plan. I will go through the spreadsheet's tabs as they become relevant. The first tab I will share is the Instructions Tab. In the Instructions Tab, I created a linked Table of Contents that takes the user through each tab of the Disaster Recovery Plan. I add or delete tabs and fields as appropriate to the business to which the Disaster Recovery Plan applies. You may need to click on the screenshots, as they may be hard to read in the body of the article.

The additional information gathered for each critical process gives us the details we need for mitigation actions. Some sample additional information related to the critical processes is as follows. If your organization has business units or departments: which business unit is responsible for the process, who is the supervisor or manager, which employees are involved, and who else can do this job? What are the physical space requirements, the equipment requirements, the software requirements, and the records required? If there is an assigned backup facility, how are the backups conducted? If it is a fail-over system, where is it located and how is the fail-over triggered?

In addition, information also needs to be gathered and documented for dealing with the dependencies. We will need a list of emergency contacts (fire, police, etc.) and contact methods. A listing of all employees with their work contact information as well as alternate contact methods is needed. Remember, if a disaster impacts your normal building facilities you may not be able to use your normal contact mechanisms. You will need a full listing of vendors with their contacts and contact mechanisms: phone, email, and alternate phones if possible. You will need the same information for your business suppliers. I store the critical processes in a separate spreadsheet tab; see below.

Threat Assessment

There are various ways to perform a Threat Assessment. For the purposes of formulating a DR, I focus on high-level threats. These are typically physical or digital in nature and pervasive in their impact. For each threat we will need to provide some high-level assessments (High, Medium, or Low) for probability (how likely the threat is to occur) and severity (how much of an impact we project it could have on our business). I also like to add a duration of anticipated impact (1-2 days, 1-2 weeks, greater than 2 weeks) and loss criteria describing how the critical processes are impacted (loss of at least two items, loss in productivity, loss in reputation and public confidence, loss of three or more items).

The following are the guidelines I use:

1-2 Day Disruption – An emergency or disaster that exceeds the capabilities and capacities of a city and/or county government response but has a short duration such as a service outage, building outage, major fire, or site utility failure. May affect a large number of people for a short amount of time. All operations resume on-site in < 48 hrs.

1-2 Week Disruption – A crisis moderate to severe in scope. May have partial access to facility and/or primary IT systems. Examples include service loss, building access loss or local utility failure. May also include a regional event such as terrorism, contagious diseases or weather-related disaster. Some business operations moved off-site. Small-scale work-from-home/alternate site and remote access. All operations resume on-site in < 14 days.

Greater than 2 Week Disruption – A disaster including a complete loss of facility and/or primary IT systems. Regional utility failure. All critical business operations moved off-site. Large-scale work-from-home/alternate site and remote access. All operations resume on-site in < 30 days or a new site is required.

Some high-level threats that I use are: Earthquake, Hurricane, Denial of Service Attack, Pervasive Malware Attack, Server Failure (equipment malfunction or unavailable), Unavailable Utilities (HVAC, power, communication lines), Unavailable Facility (your building), Software or Data Corruption, Pandemic Disease, Stolen Confidential Information (digital documents), Malicious Intruder, Critical Personnel Unavailable, Vendor and Service Providers Unavailable, Fire, Flood, Water Damage, Bomb Threat, Terrorist Attack, Social Engineering Attack, Loss of Key Digital Files and/or Databases. Each business has its own potential threats, which may differ from the above. Below is a screenshot of the Threat Matrix Tab. Please note that in the Response column fields, I link to another spreadsheet tab where I place the customized response procedure details for each threat. See the sample below.
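As an added example (not the author's spreadsheet), the script below turns a Threat Matrix tab exported as CSV into a ranked list using the High/Medium/Low probability and severity ratings and the three duration buckets from this article, and flags any threat whose Response column is still empty. The column names, the numeric weights, and the sample rows are assumptions constructed for the example.

```python
"""Rank a DR Threat Matrix and find threats with no response procedure linked."""
import csv
import io
from dataclasses import dataclass

# Assumed numeric weights for the article's rating scales.
RATING = {"Low": 1, "Medium": 2, "High": 3}
DURATION = {"1-2 Day": 1, "1-2 Week": 2, ">2 Week": 3}


@dataclass
class Threat:
    name: str
    probability: str
    severity: str
    duration: str
    response_tab: str = ""  # link to the response-procedure tab; "" = not written yet

    def score(self) -> int:
        """Probability x severity, weighted by how long the disruption is expected to last."""
        return RATING[self.probability] * RATING[self.severity] * DURATION[self.duration]


def rank_threats(threats):
    """Return threats from highest to lowest score; ties are broken by name."""
    return sorted(threats, key=lambda t: (-t.score(), t.name))


def missing_responses(threats):
    """Names of threats whose Response field is empty: gaps the DR plan still has to fill."""
    return [t.name for t in threats if not t.response_tab.strip()]


def load_matrix(csv_text):
    """Parse a Threat Matrix export with assumed columns name,probability,severity,duration,response."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [Threat(r["name"], r["probability"], r["severity"], r["duration"], r["response"]) for r in rows]


# Constructed sample export using threats named in the article.
SAMPLE_MATRIX = """name,probability,severity,duration,response
Pervasive Malware Attack,High,High,1-2 Week,Resp_Malware
Earthquake,Low,High,>2 Week,
Server Failure,High,Medium,1-2 Day,Resp_Server
Social Engineering Attack,Medium,Medium,1-2 Day,
"""

if __name__ == "__main__":
    threats = load_matrix(SAMPLE_MATRIX)
    for t in rank_threats(threats):
        print(f"{t.score():2d}  {t.name}")
    print("No response procedure yet:", missing_responses(threats))
```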

In my next article I will cover: Declaring Emergency or Disaster, Evacuation of Facility and the Incident Response Team.