Project – BIA-BCP-DRP-CIRT
Attached is the template that you must download and complete.
You need to complete the final document. All attached PDFs are the references.
ISOL533 – InfoSecurity & Risk Management Computer Incident Response Team Plan
University of The Cumberlands
Purpose
This plan was developed for Health Network, Inc. (Health Network) and it is classified as the confidential
property of that entity. Due to the sensitive nature of the information contained herein, this plan is
available only to those persons who have been designated as members of one or more incident
management teams, or who otherwise play a direct role in the incident response and recovery processes.
Policy
This document discusses the steps taken by the Computer Incident Response Team during an incident.
1) The person who discovers the incident will call the IT Incident Response department.
2) The IT Incident Response department will create a ticket in the Incident Response database and
document:
a) The name of the caller.
b) Time of the call.
c) Contact information about the caller.
d) The nature of the incident.
e) What equipment or persons were involved?
f) Location of equipment or persons involved.
g) How the incident was detected.
h) When the event was first noticed that supported the idea that the incident occurred.
Incidents will be classified as either Physical or Electronic. The security department will
handle all Physical incidents. The IT department will handle all Electronic incidents.
3) If the incident is validated, the IT Incident Response department will contact the following offices,
as appropriate, with details from the Incident Response database, to ensure they are aware of the
incident:
a) Incident Response manager (via both email and phone messages)
b) The security department (via both email and phone messages)
c) LAN/WAN and Intrusion detection monitoring personnel (via phone)
d) Affected system administrator (via phone)
e) Affected database administrator (via phone)
4) The Incident Response department will research the Incident knowledge-base and add the
following to the Incident Response ticket:
a) Is the equipment affected classified as business critical?
b) The Risk Factor/Impact and RTO of the systems affected?
c) Name of system being targeted, along with operating system, IP address, and location.
d) IP address and any information about the origin of the attack.
5) The Incident Response manager will determine which response teams will be mobilized and
contact the IT Incident Response department to have them contact the team members.
6) The contacted Response Team members will meet or discuss the situation over the telephone
and determine a response strategy.
a) Is the incident real or perceived?
b) Is the incident still in progress?
c) What data or property is threatened and how critical is it?
d) What is the impact on the business should the attack succeed? Critical, Major, Minor?
e) What system or systems are targeted, where are they located physically and on the
network?
f) Is the incident inside the trusted network?
g) Is the response urgent?
h) Can the incident be quickly contained?
i) Will the response alert the attacker and if so, how will the response proceed?
j) What type of incident is this? Example: virus, worm, intrusion, abuse, damage.
7) The Response Team lead will update the Incident Response ticket. The incident will be
categorized into the highest applicable level of one of the following categories:
a) Category one – A threat to public safety or life.
b) Category two – A threat to sensitive data
c) Category three – A threat to computer systems
d) Category four – A disruption of services
8) Response Team members will follow one of the established Incident Response procedures (if a
procedure does not exist, the Response Team will develop and document the new procedure).
The following procedures are currently active.
a) Worm response procedure
b) Virus response procedure
c) System failure procedure
d) Active intrusion response procedure – Is critical data at risk?
e) Inactive Intrusion response procedure
f) System abuse procedure
g) Property theft response procedure
h) Website denial of service response procedure
i) Database or file denial of service response procedure
j) Spyware response procedure.
If a new procedure is developed, it will be forwarded to the Incident Response manager once the
incident is resolved so the manager may add it to this document.
9) Response Team members will use forensic techniques, including reviewing system logs, looking
for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident
victim to determine how the incident was caused. Only authorized personnel should be
performing interviews or examining evidence, and the authorized personnel may vary by situation
and the organization.
10) Response Team members will recommend changes to the Response Team manager to prevent
the occurrence from happening again or infecting other systems.
11) Response Team members will restore the affected system(s) to the uninfected state. They may
do any one or more of the following:
a) Re-install the affected system(s) from scratch and restore data from backups if
necessary. Preserve evidence before doing this.
b) Make users change passwords if passwords may have been sniffed.
c) Be sure the system has been hardened by turning off or uninstalling unused services.
d) Be sure the system is fully patched.
e) Be sure real time virus protection and intrusion detection is running.
f) Be sure the system is logging the correct events and to the proper level.
12) Response Team members will update the ticket with the following:
a) How the incident was discovered.
b) The category of the incident.
c) How the incident occurred, whether through email, firewall, etc.
d) Where the attack came from, such as IP addresses and other related information about
the attacker.
e) What the response plan was.
f) What was done in response?
g) Whether the response was effective.
13) Response Team members will:
a) Make copies of logs, email, and other communication
b) Update the ticket with a list of all witnesses
c) Keep evidence as long as necessary to complete prosecution and beyond in case of
an appeal.
14) The Response Team manager will notify the police and other appropriate agencies if prosecution
of the intruder is possible.
15) The Response Team manager will assess the damage to the organization and estimate both the
damage cost and the cost of the containment efforts.
16) The Response Team manager will review the response, update policies, and take preventative
steps so the intrusion can’t happen again.
a) Consider whether an additional policy could have prevented the intrusion.
b) Consider whether a procedure or policy was not followed which allowed the intrusion, and
then consider what could be changed to ensure that the procedure or policy is followed in
the future.
c) Was the incident response appropriate? How could it be improved?
d) Was every appropriate party informed in a timely manner?
e) Were the incident-response procedures detailed and did they cover the entire situation?
How can they be improved?
f) Have changes been made to prevent a re-infection? Have all systems been patched,
systems locked down, passwords changed, anti-virus updated, email policies set, etc.?
g) Have changes been made to prevent a new and similar infection?
h) Should any security policies be updated?
i) What lessons have been learned from this experience?
Appendix A – Incident Response Worksheet
Complete this worksheet for any reported incidents
Preparation:
What tools, applications, laptops, and communication devices were needed to address the Computer
Incident Response for this specific breach?
Identification: When an incident is reported, it must be identified, classified, and documented. During
this step, the following information is needed:
Identify the nature of the incident
o What Business Process was impacted
o What threat was identified
o What weakness was identified
o What risk was identified
o What was the Risk Factor/Impact of the incident
o What was the RTO, MTD and RPO assigned to the business process
o What hardware, software, database and other resource were impacted
Containment: The immediate objective is to limit the scope and magnitude of the computer/security-
related incident as quickly as possible, rather than allow the incident to continue to gain evidence for
identifying and/or prosecuting the perpetrator.
What needed to be done to limit the scope of the incident
Eradication: The next priority is to remove the computer/security-related incident or breach’s effects.
What was done to mitigate the risk of the incident
Recovery: Recovery is specific to bringing back into production those IT systems, applications, and
assets that were affected by the security-related incident.
What was done to recover the IT systems
o What procedures were used and were they covered in the Disaster Recovery Plan
o Was the Business Continuity Plan executed in response to this incident
o Were any issues identified that would lead to updates to the BIA, BCP or DR plans.
ISOL 533 – Information Security and Risk Management University of the Cumberlands
NOTE: BEFORE TURNING THIS IN, REMOVE THE HIGHLIGHTED TEXT.
Task 1. Complete the BIA table below and use it for the remainder of the assignment. You may want to review your Lab #07 assignment where you developed a BIA table. The information needed to create the Business Functions and Processes below is in the “Project Management Plan” scenario and the “Project Health Network Visual”. Hint: look at the processes that go from the customers and into the systems/applications in the “Project Health Network Visual”.
Business Function or Process | Business Impact Factor | Recovery Time Objective | IT Systems/Apps Infrastructure Impacts |
Task 1: Business Impact Analysis – extracts from the Boiler Plate
1. Overview
This Business Impact Analysis (BIA) is developed as part of the contingency planning process for the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system. It was prepared for Health Network, Inc (Health Network).
2. System Description
3.1.1 Identify Outage Impacts and Estimated Downtime
Estimated Downtime
The table below identifies the MTD, RTO, and RPO for the organizational business processes that rely on the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system.
Mission/Business Process For HNetExchange | MTD | RTO | RPO |
Mission/Business Process For HNetConnect |
Mission/Business Process For HNetPay |
Task 2: Business Continuity Plan – extracts from the Boiler Plate
Modify the statements below to reflect this decision. FAILURE TO MODIFY THIS SECTION WILL RESULT IN DEDUCTED POINTS!!!!
Emergency management standards
Data backup policy
Full and incremental backups preserve corporate information assets and should be performed on a regular basis for audit logs and files that are irreplaceable, have a high replacement cost, or are considered critical. Backup media should be stored in a secure, geographically separate location from the original and isolated from environmental hazards.
Department-specific data and document retention policies specify what records must be retained and for how long. All organizations are accountable for carrying out the provisions of the instruction for records in their organization.
IT follows these standards for its data backup and archiving:
Tape retention policy
Backup media is stored at locations that are secure, isolated from environmental hazards, and geographically separate from the location housing the system.
Billing tapes
· Tapes greater than three years old are destroyed every six months.
· Tapes less than three years old must be stored locally off-site.
· The system supervisor is responsible for the transition cycle of tapes.
System image tapes
· A copy of the most current image files must be made at least once per week.
· This backup must be stored offsite.
· The system supervisor is responsible for this activity.
Off-site storage procedures
· Tapes and disks, and other suitable media are stored in environmentally secure facilities.
· Tape or disk rotation occurs on a regular schedule coordinated with the storage vendor.
Access to backup databases and other data is tested annually
Task 3: Disaster Recovery Plan – extracts from the Boiler Plate
Disaster Recovery Plan for
OVERVIEW
PRODUCTION SERVER Location: Enter location
IT INFRASTRUCTURE Provide details on what systems, applications, databases and equipment are involved.
BACKUP STRATEGY FOR SYSTEM ONE Daily / Monthly / Quarterly Choose which strategy on the left is used.
<For each Risk below, 1. Explain how the risk impacts the critical IT Infrastructure, 2. Explain how the Loss impacts the company, and 3. Explain the steps needed to resolve the problem>
DISASTER RECOVERY PROCEDURE
Risk #1: Loss of company data due to HNetPay hardware removed from production systems. Provide details
Risk #2: Loss of customers due to production outages. Provide details

Disaster Recovery Plan for
OVERVIEW
PRODUCTION SERVER Location: Enter location
IT INFRASTRUCTURE Provide details on what systems, applications, databases and equipment are involved.
BACKUP STRATEGY FOR SYSTEM ONE Daily / Monthly / Quarterly Choose which strategy on the left is used.
<For each Risk below, 1. Explain how the risk impacts the critical IT Infrastructure, 2. Explain how the Loss impacts the company, and 3. Explain the steps needed to resolve the problem>
DISASTER RECOVERY PROCEDURE
Risk #1: Loss of company data due to HNetConnect hardware removed from production systems. Provide details
Risk #2: Loss of customers due to production outages. Provide details

Disaster Recovery Plan for
OVERVIEW
PRODUCTION SERVER Location: Enter location
IT INFRASTRUCTURE Provide details on what systems, applications, databases and equipment are involved.
BACKUP STRATEGY FOR SYSTEM ONE Daily / Monthly / Quarterly Choose which strategy on the left is used.
<For each Risk below, 1. Explain how the risk impacts the critical IT Infrastructure, 2. Explain how the Loss impacts the company, and 3. Explain the steps needed to resolve the problem>
SYSTEM DISASTER RECOVERY PROCEDURE
Risk #1: Loss of company data due to HNetExchange hardware removed from production systems. Provide details
Risk #2: Loss of customers due to production outages. Provide details
Task 4: Computer Incident Response Team Plan – extracts from the Boiler Plate
Complete all HIGHLIGHTED areas below.
Appendix A – Incident Response Worksheet
Preparation: What tools, applications, laptops, and communication devices were needed to address the Computer Incident Response for this specific breach?
Identification: When an incident is reported, it must be identified, classified, and documented. During this step, the following information is needed:
· Identify the nature of the incident
· What Business Process was impacted
· What threat was identified
· What weakness was identified
· What risk was identified
· What was the Risk Factor/Impact of the incident
· What was the RTO, MTD and RPO assigned to the business process
· What hardware, software, database and other resource were impacted
Containment: The immediate objective is to limit the scope and magnitude of the computer/security-related incident as quickly as possible, rather than allow the incident to continue to gain evidence for identifying and/or prosecuting the perpetrator.
· What needs to be done to limit the scope of the incident
Eradication: The next priority is to remove the computer/security-related incident or breach’s effects.
· What needs to be done to mitigate the risk of the incident
Recovery: Recovery is specific to bringing back into production those IT systems, applications, and assets that were affected by the security-related incident.
· What needs to be done to recover the IT systems
· What procedures need to be used and are they covered in the Disaster Recovery Plan
· Would the Business Continuity Plan be executed in response to this incident
· Would any issues be identified that would lead to updates to the BIA, BCP or DR plans.
ISOL 533 – Information Security and Risk Management
DISASTER RECOVERY PLAN
University of the Cumberlands
Information Technology Statement of Intent
This document delineates Health Network, Inc. (Health Network) policies and procedures for
technology disaster recovery, as well as our process-level plans for recovering critical technology
platforms and the telecommunications infrastructure. This document summarizes our
recommended procedures. In the event of an actual emergency situation, modifications to this
document may be made to ensure physical safety of our people, our systems, and our data.
Our mission is to ensure information system uptime, data integrity and availability, and
business continuity.
Policy Statement
Corporate management has approved the following policy statement:
The company shall develop a comprehensive IT disaster recovery plan.
A formal risk assessment shall be undertaken to determine the requirements for the disaster
recovery plan.
The disaster recovery plan should cover all essential and critical infrastructure elements,
systems and networks, in accordance with key business activities.
The disaster recovery plan should be periodically tested in a simulated environment to ensure
that it can be implemented in emergency situations and that the management and staff
understand how it is to be executed.
All staff must be made aware of the disaster recovery plan and their own respective roles.
The disaster recovery plan is to be kept up to date to take into account changing
circumstances.
Objectives
The principal objective of the disaster recovery program is to develop, test and document a well-
structured and easily understood plan which will help the company recover as quickly and
effectively as possible from an unforeseen disaster or emergency which interrupts information
systems and business operations. Additional objectives include the following:
• The need to ensure that all employees fully understand their duties in implementing such a
plan
• The need to ensure that operational policies are adhered to within all planned activities
• The need to ensure that proposed contingency arrangements are cost-effective
• The need to consider implications on other company sites
• Disaster recovery capabilities as applicable to key customers, vendors and others
Key Personnel Contact Info
Name, Title Contact Option Contact Number
Work
Alternate
Mobile
Home
Email Address
Alternate Email
Work
Alternate
Mobile
Home
Email Address
Alternate Email
Work
Alternate
Mobile
Home
Email Address
Alternate Email
Work
Alternate
Mobile
Home
Email Address
Alternate Email
Work
Alternate
Mobile
Home
Email Address
Alternate Email
Work
Alternate
Mobile
Home
Email Address
Alternate Email
Notification Calling Tree
[Diagram: Person Identifying Incident]
External Contacts
Name, Title Contact Option Contact Number
Landlord / Property Manager
Account Number None
Work
Mobile
Home
Email Address
Power Company
Account Number Work
Mobile
Home
Email Address
Telecom Carrier 1
Account Number Work
Mobile
Fax
Home
Email Address
Telecom Carrier 2
Account Number Work
Mobile
Home
Email Address
Hardware Supplier 1
Account Number Work
Mobile
Emergency Reporting
Email Address
Server Supplier 1
Account Number. Work
Mobile
Fax
Email Address
Workstation Supplier 1
Account Number Work
Mobile
Home
Email Address
Office Supplies 1
Account Number C3095783 Work
Mobile
Home
Email Address
Insurance – Name
Account Number Work
Mobile
Home
Email Address
Site Security –
Account Number Work
Mobile
Home
Email Address
Off-Site Storage 1
Account Number Work
Mobile
Home
Email Address
Off-Site Storage 2
Account Number User ID
Password
Home
Email Address
HVAC –
Account Number Work
Mobile
Home
Email Address
Power Generator –
Account Number Work
Mobile
Home
Email Address
Other –
Account Number Work
Mobile
Home
Email Address
External Contacts Calling Tree
1 Plan Overview
1.1 Plan Updating
It is necessary for the DRP updating process to be properly structured and controlled. Whenever
changes are made to the plan they are to be fully tested and appropriate amendments should be
made to the training materials. This will involve the use of formalized change control procedures
under the control of the IT Director.
1.2 Plan Documentation Storage
Copies of this Plan, CD, and hard copies will be stored in secure locations to be defined by the
company. Each member of senior management will be issued a CD and hard copy of this plan to
be filed at home. Each member of the Disaster Recovery Team and the Business Recovery
Team will be issued a CD and hard copy of this plan. A master protected copy will be stored on
specific resources established for this purpose.
1.3 Backup Strategy
Key business processes and the agreed backup strategy for each are listed below. The strategy
chosen is for a fully mirrored recovery site at the company’s alternate sites. This strategy entails
the maintenance of a fully mirrored duplicate site which will enable instantaneous switching
between the live site (headquarters) and the backup site.
KEY BUSINESS PROCESS | BACKUP STRATEGY |
IT Operations | Fully mirrored recovery site |
Tech Support – Hardware | Fully mirrored recovery site |
Tech Support – Software | Fully mirrored recovery site |
Facilities Management | Fully mirrored recovery site |
Email | Fully mirrored recovery site |
Purchasing | Fully mirrored recovery site |
Disaster Recovery | Fully mirrored recovery site |
Finance | Fully mirrored recovery site |
Contracts Admin | Fully mirrored recovery site |
Warehouse & Inventory | Fully mirrored recovery site |
Product Sales | Fully mirrored recovery site |
Maintenance Sales | Fully mirrored recovery site |
Human Resources | Off-site data storage facility |
Testing Fully Mirrored Recovery site – | Fully mirrored recovery site |
Workshop Fully Mirrored Recovery site – | Fully mirrored recovery site |
Call Center | Fully mirrored recovery site |
Web Site | Fully mirrored recovery site |
1.4 Risk Management
There are many potential disruptive threats which can occur at any time and affect the normal
business process. We have considered a wide range of potential threats and the results of our
deliberations are included in this section. Each potential environmental disaster or emergency
situation has been examined. The focus here is on the level of business disruption which could
arise from each type of disaster.
Potential disasters have been assessed as follows:
Potential Disaster | Probability Rating | Impact Rating | Brief Description Of Potential Consequences & Remedial Actions |
Probability: 1=Very High, 5=Very Low
Impact: 1=Total destruction, 5=Minor annoyance
2 Emergency Response
2.1 Alert, escalation and plan invocation
2.1.1 Plan Triggering Events
Key trigger issues at headquarters that would lead to activation of the DRP are:
• Total loss of all communications
• Total loss of power
• Flooding of the premises
• Loss of the building
2.1.2 Assembly Points
Where the premises need to be evacuated, the DRP invocation plan identifies two evacuation
assembly points:
• Primary – Far end of main parking lot;
• Alternate – Parking lot of company across the street
2.1.3 Activation of Emergency Response Team
When an incident occurs the Emergency Response Team (ERT) must be activated. The ERT will
then decide the extent to which the DRP must be invoked. All employees must be issued a
Quick Reference card containing ERT contact details to be used in the event of a disaster.
Responsibilities of the ERT are to:
• Respond immediately to a potential disaster and call emergency services;
• Assess the extent of the disaster and its impact on the business, data center, etc.;
• Decide which elements of the DR Plan should be activated;
• Establish and manage disaster recovery team to maintain vital services and return to normal
operation;
• Ensure employees are notified and allocate responsibilities and activities as required.
2.2 Disaster Recovery Team
The team will be contacted and assembled by the ERT. The team’s responsibilities include:
• Establish facilities for an emergency level of service within 2.0 business hours;
• Restore key services within 4.0 business hours of the incident;
• Recover to business as usual within 8.0 to 24.0 hours after the incident;
• Coordinate activities with disaster recovery team, first responders, etc.
• Report to the emergency response team.
2.3 Emergency Alert, Escalation and DRP Activation
This policy and procedure has been established to ensure that in the event of a disaster or crisis,
personnel will have a clear understanding of who should be contacted. Procedures have been
addressed to ensure that communications can be quickly established while activating disaster
recovery.
The DR plan will rely principally on key members of management and staff who will provide the
technical and management skills necessary to achieve a smooth technology and business
recovery. Suppliers of critical goods and services will continue to support recovery of business
operations as the company returns to normal operating mode.
2.3.1 Emergency Alert
The person discovering the incident calls a member of the Emergency Response Team in the
order listed:
Emergency Response Team
• <_________>
• <_________>
• <_________>
If not available try:
• <_________>
• <_________>
The Emergency Response Team (ERT) is responsible for activating the DRP for disasters
identified in this plan, as well as in the event of any other occurrence that affects the company’s
capability to perform normally.
One of the tasks during the early stages of the emergency is to notify the Disaster Recovery
Team (DRT) that an emergency has occurred. The notification will request DRT members to
assemble at the site of the problem and will involve sufficient information to have this request
effectively communicated. The Business Recovery Team (BRT) will consist of senior
representatives from the main business departments. The BRT Leader will be a senior member of
the company’s management team, and will be responsible for taking overall charge of the
process and ensuring that the company returns to normal working operations as early as
possible.
2.3.2 DR Procedures for Management
Members of the management team will keep a hard copy of the names and contact numbers of
each employee in their departments. In addition, management team members will have a hard
copy of the company’s disaster recovery and business continuity plans on file in their homes in
the event that the headquarters building is inaccessible, unusable, or destroyed.
2.3.3 Contact with Employees
Managers will serve as the focal points for their departments, while designated employees will
call other employees to discuss the crisis/disaster and the company’s immediate plans.
Employees who cannot reach staff on their call list are advised to call the staff member’s
emergency contact to relay information on the disaster.
2.3.4 Backup Staff
If a manager or staff member designated to contact other staff members is unavailable or
incapacitated, the designated backup staff member will perform notification duties.
2.3.5 Recorded Messages / Updates
For the latest information on the disaster and the organization’s response, staff members can call
a toll-free hotline listed in the DRP wallet card. Included in messages will be data on the nature
of the disaster, assembly sites, and updates on work resumption.
2.3.7 Alternate Recovery Facilities / Hot Site
If necessary, the hot site at SunGard will be activated and notification will be given via recorded
messages or through communications with managers. Hot site staffing will consist of members of
the disaster recovery team only for the first 24 hours, with other staff members joining at the hot
site as necessary.
2.3.8 Personnel and Family Notification
If the incident has resulted in a situation which would cause concern to an employee’s immediate
family such as hospitalization of injured persons, it will be necessary to notify their immediate
family members quickly.
3 Media
3.1 Media Contact
Assigned staff will coordinate with the media, working according to guidelines that have been
previously approved and issued for dealing with post-disaster communications.
3.2 Media Strategies
1. Avoid adverse publicity
2. Take advantage of opportunities for useful publicity
3. Have answers to the following basic questions:
What happened?
How did it happen?
What are you going to do about it?
3.3 Media Team
• <____________________________________________>
• <____________________________________________>
• <____________________________________________>
3.4 Rules for Dealing with Media
Only the media team is permitted direct contact with the media; anyone else contacted should
refer callers or in-person media representatives to the media team.
4 Insurance
As part of the company’s disaster recovery and business continuity strategies a number of
insurance policies have been put in place. These include errors and omissions, directors &
officers liability, general liability, and business interruption insurance.
If insurance-related assistance is required following an emergency out of normal business hours,
please contact: <___________________________________________>
Policy Name | Coverage Type | Coverage Period | Amount Of Coverage | Person Responsible For Coverage | Next Renewal Date |
5 Financial and Legal Issues
5.1 Financial Assessment
The emergency response team shall prepare an initial assessment of the impact of the incident
on the financial affairs of the company. The assessment should include:
Loss of financial documents
Loss of revenue
Theft of check books, credit cards, etc.
Loss of cash
5.2 Financial Requirements
The immediate financial needs of the company must be addressed. These can include:
Cash flow position
Temporary borrowing capability
Upcoming payments for taxes, payroll taxes, Social Security, etc.
Availability of company credit cards to pay for supplies and services required post-disaster
5.3 Legal Actions
The company legal department and ERT will jointly review the aftermath of the incident and
decide whether there may be legal actions resulting from the event; in particular, the possibility of
claims by or against the company for regulatory violations, etc.
6 DRP Exercising
Disaster recovery plan exercises are an essential part of the plan development process. In a
DRP exercise no one passes or fails; everyone who participates learns from exercises – what
needs to be improved, and how the improvements can be implemented. Plan exercising ensures
that emergency teams are familiar with their assignments and, more importantly, are confident in
their capabilities.
Successful DR plans launch into action smoothly and effectively when they are needed. This will
only happen if everyone with a role to play in the plan has rehearsed the role one or more times.
The plan should also be validated by simulating the circumstances within which it has to work and
seeing what happens.
Appendix A – Technology Disaster Recovery Plan Templates
Disaster Recovery Plan for
SYSTEM OVERVIEW
PRODUCTION SERVER Location: Enter location
Server Model: Operating System: CPUs: Memory: Total Disk:
System Handle: System Serial #: DNS Entry: IP Address:
Other:
HOT SITE SERVER
APPLICATIONS (Use bold for Hot Site)
ASSOCIATED SERVERS
KEY CONTACTS
Hardware Vendor
System Owners
Database Owner
Application Owners
Software Vendors
Offsite Storage
BACKUP STRATEGY FOR SYSTEM ONE
Daily / Monthly / Quarterly Choose which strategy on the left you would use and provide details on why.
SYSTEM ONE DISASTER RECOVERY PROCEDURE
Scenario 1
Total Loss of Data
Provide details
Scenario 2
Total Loss of HW
Provide details
Database/File Systems
File System as of
Minimal file systems to be backed-up and restored:
Filesystem kbytes Used Avail %used Mounted on
Other critical files to modify
Necessary directories to create
Critical files to restore
Secondary files to restore
Other files to restore
Disaster Recovery Plan for Local Area Network (LAN)
SYSTEM
OVERVIEW
SERVER Location:
Server Model: Operating System: CPUs:
Memory: Total Disk: System Handle: System Serial #:
DNS Entry: IP Address:
Other:
HOT SITE SERVER Provide details
APPLICATIONS
(Use bold for Hot Site)
ASSOCIATED SERVERS
KEY CONTACTS
Hardware Vendor Provide details
System Owners Provide details
Database Owner Provide details
Application Owners Provide details
Software Vendors Provide details
Offsite Storage Provide details
BACKUP STRATEGY for
SYSTEM TWO
Daily Provide details
Monthly Provide details
Quarterly Provide details
SYSTEM TWO
DISASTER RECOVERY
PROCEDURE
Scenario 1
Total Loss of Data
Provide details
Scenario 2
Total Loss of HW
Provide details
ADDENDUM
CONTACTS
File Systems
File System as of
Minimal file systems to be created and restored from backup:
Filesystem kbytes Used Avail %used Mounted on
Other critical files to modify
Necessary directories to create
Critical files to restore
Secondary files to restore
Other files to restore
Disaster Recovery Plan for Wide Area Network (WAN)
SYSTEM
OVERVIEW
EQUIPMENT Location:
Device Type: Model No.: Technical Specifications:
Network Interfaces: Power Requirements:
System Serial #: DNS Entry: IP Address:
Other:
HOT SITE EQUIPMENT Provide details
SPECIAL APPLICATIONS
ASSOCIATED DEVICES
KEY CONTACTS
Hardware Vendor Provide details
System Owners Provide details
Database Owner Provide details
Application Owners Provide details
Software Vendors Provide details
Offsite Storage Provide details
Network Services Provide details
BACKUP STRATEGY for
SYSTEM TWO
Daily Provide details
Monthly Provide details
Quarterly Provide details
SYSTEM TWO
DISASTER RECOVERY
PROCEDURE
Scenario 1
Total Loss of Network
Provide details
Scenario 2
Total Loss of HW
Provide details
ADDENDUM
CONTACTS
Support Systems
Support system
Critical network assets
Critical interfaces
Critical files to restore
Critical network services to restore
Other services
Disaster Recovery Plan for Remote Connectivity
SYSTEM
OVERVIEW
EQUIPMENT Location:
Device Type: Model No.:
Technical Specifications: Network Interfaces:
Power Requirements: System Serial #:
DNS Entry: IP Address:
Other:
HOT SITE EQUIPMENT Provide details
SPECIAL APPLICATIONS
ASSOCIATED DEVICES
KEY CONTACTS
Hardware Vendor Provide details
System Owners Provide details
Database Owner Provide details
Application Owners Provide details
Software Vendors Provide details
Offsite Storage Provide details
Network Services Provide details
BACKUP STRATEGY for
SYSTEM TWO
Daily Provide details
Monthly Provide details
Quarterly Provide details
SYSTEM TWO
DISASTER RECOVERY
PROCEDURE
Scenario 1
Total Loss of Network
Provide details
Scenario 2
Total Loss of HW
Provide details
ADDENDUM
CONTACTS
Support Systems
Support system
Critical network assets
Critical interfaces
Critical files to restore
Critical network services to restore
Other services
Disaster Recovery Plan for Voice Communications
SYSTEM
OVERVIEW
EQUIPMENT Location:
Device Type: Model No.:
Technical Specifications: Network Interfaces:
Power Requirements: System Serial #:
DNS Entry: IP Address:
Other:
HOT SITE EQUIPMENT Provide details
SPECIAL APPLICATIONS
ASSOCIATED DEVICES
KEY CONTACTS
Hardware Vendor Provide details
System Owners Provide details
Database Owner Provide details
Application Owners Provide details
Software Vendors Provide details
Offsite Storage Provide details
Network Services Provide details
BACKUP STRATEGY for
SYSTEM TWO
Daily Provide details
Monthly Provide details
Quarterly Provide details
SYSTEM TWO
DISASTER RECOVERY
PROCEDURE
Scenario 1
Total Loss of Switch
Provide details
Scenario 2
Total Loss of Network
Provide details
ADDENDUM
CONTACTS
Support Systems
Support system
Critical network assets
Critical interfaces
Critical files to restore
Critical network services to restore
Other services
Appendix B – Suggested Forms
Damage Assessment Form
Key Business Process Affected | Description Of Problem | Extent Of Damage
_____________
Management of DR Activities Form
• During the disaster recovery process all activities will be determined using a standard
structure;
• Where practical, this plan will need to be updated on a regular basis throughout the disaster
recovery period;
• All actions that occur during this phase will need to be recorded.
Activity Name:
Reference Number:
Brief Description:
Commencement Date/Time | Completion Date/Time | Resources Involved | In Charge
___________
Disaster Recovery Event Recording Form
• All key events that occur during the disaster recovery phase must be recorded.
• An event log shall be maintained by the disaster recovery team leader.
• This event log should be started at the commencement of the emergency and a copy of the
log passed on to the business recovery team once the initial dangers have been controlled.
• The following event log should be completed by the disaster recovery team leader to record
all key events during disaster recovery, until such time as responsibility is handed over to the
business recovery team.
Description of Disaster:
Commencement Date:
Date/Time DR Team Mobilized:
Activities Undertaken by DR Team | Date and Time | Outcome | Follow-On Action Required
Disaster Recovery Team’s Work Completed:
Event Log Passed to Business Recovery Team:
____________
Disaster Recovery Activity Report Form
• On completion of the initial disaster recovery response the DRT leader should prepare a
report on the activities undertaken.
• The report should contain information on the emergency, who was notified and when, action
taken by members of the DRT together with outcomes arising from those actions.
• The report will also contain an assessment of the impact to normal business operations.
• The report should be given to the business recovery team leader, with a copy to senior
management, as appropriate.
• A disaster recovery report will be prepared by the DRT leader on completion of the initial
disaster recovery response.
• In addition to the business recovery team leader, the report will be distributed to senior
management.
The report will include:
• A description of the emergency or incident
• Those people notified of the emergency (including dates)
• Action taken by members of the DRT
• Outcomes arising from actions taken
• An assessment of the impact to normal business operations
• Assessment of the effectiveness of the BCP and lessons learned
• Lessons learned
__________
Mobilizing the Disaster Recovery Team Form
• Following an emergency requiring recovery of technology infrastructure assets, the disaster
recovery team should be notified of the situation and placed on standby.
• The format shown below can be used for recording the activation of the DR team once the
work of the damage assessment and emergency response teams has been completed.
Description of Emergency:
Date Occurred:
Date Work of Disaster Recovery Team Completed:
Name of Team Member | Contact Details | Contacted On (Time / Date) | By Whom | Response | Start Date Required
Relevant Comments (e.g., Specific Instructions Issued)
___________
Mobilizing the Business Recovery Team Form
• Following an emergency requiring activation of the disaster recovery team, the business
recovery team should be notified of the situation and placed on standby.
• The format shown below will be used for recording the activation of the business recovery
team once the work of the disaster recovery team has been completed.
Description of Emergency:
Date Occurred:
Date Work of Business Recovery Team Completed:
Name of Team Member | Contact Details | Contacted On (Time / Date) | By Whom | Response | Start Date Required
Relevant Comments (e.g., Specific Instructions Issued)
____________
Monitoring Business Recovery Task Progress Form
• The progress of technology and business recovery tasks must be closely monitored during
this period of time.
• Since difficulties experienced by one group could significantly affect other dependent tasks it
is important to ensure that each task is adequately resourced and that the efforts required to
restore normal business operations have not been underestimated.
Note: A priority sequence must be identified although, where possible, activities will be carried out
simultaneously.
Recovery Tasks (Order of Priority) | Person(s) Responsible | Completion Date (Estimated / Actual) | Milestones Identified | Other Relevant Information
1.
2.
3.
4.
5.
6.
7.
___________
Preparing the Business Recovery Report Form
• On completion of business recovery activities the BRT leader should prepare a report on the
activities undertaken and completed.
• The report should contain information on the disruptive event, who was notified and when,
action taken by members of the BRT together with outcomes arising from those actions.
• The report will also contain an assessment of the impact to normal business operations.
• The report should be distributed to senior management, as appropriate.
The contents of the report shall include:
• A description of the incident
• People notified of the emergency (including dates)
• Action taken by the business recovery team
• Outcomes arising from actions taken
• An assessment of the impact to normal business operations
• Problems identified
• Suggestions for enhancing the disaster recovery and/or business continuity plan
• Lessons learned
Communications Form
• It is very important during the disaster recovery and business recovery activities that all
affected persons and organizations are kept properly informed.
• The information given to all parties must be accurate and timely.
• In particular, any estimate of the timing to return to normal working operations should be
announced with care.
• It is also very important that only authorized personnel deal with media queries.
Groups of Persons or Organizations Affected by Disruption | Persons Selected To Coordinate Communications to Affected Persons / Organizations (Name, Position, Contact Details)
Customers
Management & Staff
Suppliers
Media
Stakeholders
Others
____________
Returning Recovered Business Operations to Business Unit Leadership
Once normal business operations have been restored it will be necessary to return the
responsibility for specific operations to the appropriate business unit leader.
This process should be formalized in order to ensure that all parties understand the change in
overall responsibility, and the transition to business-as-usual.
It is likely that during the recovery process, overall responsibility may have been assigned to
the business recovery process lead.
It is assumed that business unit management will be fully involved throughout the recovery,
but in order for the recovery process to be fully effective, overall responsibility during the
recovery period should probably be with a business recovery process team.
____________
Business Process/Function Recovery Completion Form
The following transition form should be completed and signed by the business recovery team
leader and the responsible business unit leader, for each process recovered.
A separate form should be used for each recovered business process.
Name Of Business Process
Completion Date of Work Provided by Business Recovery Team
Date of Transition Back to Business Unit Management
(If different than completion date)
I confirm that the work of the business recovery team has been completed in accordance with
the disaster recovery plan for the above process, and that normal business operations have
been effectively restored.
Business Recovery Team Leader Name: ________________________________________
Signature: ________________________________________________________________
Date: __________________________
(Any relevant comments by the BRT leader in connection with the return of this business
process should be made here.)
I confirm that the above business process is now acceptable for normal working conditions.
Name: ___________________________________________________________________
Title: ____________________________________________________________________
Signature: ________________________________________________________________
Date: __________________________
ISOL 533 – Information Security and Risk Management
BUSINESS CONTINUITY PLAN
University of The Cumberlands
Purpose
The purpose of this business continuity plan is to prepare Health Network, Inc. (Health Network)
in the event of extended service outages caused by factors beyond our control (e.g., natural
disasters, man-made events), and to restore services to the widest extent possible in a minimum
time frame. All Health Network, Inc. (Health Network) sites are expected to implement
preventive measures whenever possible to minimize operational disruptions and to recover as
rapidly as possible when an incident occurs.
The plan identifies vulnerabilities and recommends necessary measures to prevent extended
voice communications service outages. It is a plan that encompasses all Health Network, Inc.
(Health Network) system sites and operations facilities.
Scope
The scope of this plan is limited to the three major systems used by Health Network, Inc. (Health
Network); the HNetExchange Message system, HNetConnect Directory system and HNetPay
Payment system. This is a business continuity plan, not a daily problem resolution procedures
document.
Plan objectives
Serves as a guide for the Health Network, Inc. (Health Network) recovery teams.
References and points to the location of critical data.
Provides procedures and resources needed to assist in recovery.
Identifies vendors and customers that must be notified in the event of a disaster.
Assists in avoiding confusion experienced during a crisis by documenting, testing and
reviewing recovery procedures.
Identifies alternate sources for supplies, resources and locations.
Documents storage, safeguarding and retrieval procedures for vital records.
Assumptions
Key people (team leaders or alternates) will be available following a disaster.
A national disaster such as nuclear war is beyond the scope of this plan.
This document and all vital records are stored in a secure off-site location and not only
survive the disaster but are accessible immediately following the disaster.
Each support organization will have its own plan consisting of unique recovery procedures,
critical resource information and procedures.
Disaster definition
Any loss of utility service (power, water), connectivity (system sites), or catastrophic event
(weather, natural disaster, vandalism) that causes an interruption in the service provided by
Health Network, Inc. (Health Network) operations. The plan identifies vulnerabilities and
recommends measures to prevent extended service outages.
Recovery teams
Emergency management team (EMT)
Disaster recovery team (DRT)
IT technical services (IT)
Team member responsibilities
Each team member will designate an alternate
All of the members should keep an updated calling list of their work team members’ work,
home, and cell phone numbers both at home and at work.
All team members should keep this plan for reference at home in case the disaster happens
after normal work hours. All team members should familiarize themselves with the contents
of this plan.
Instructions for using the business continuity plan
Invoking the plan
This plan becomes effective when a disaster occurs. Normal problem management procedures
will initiate the plan, and remain in effect until operations are resumed at the original location or
a replacement location and control is returned to the appropriate functional management.
Disaster declaration
The senior management team, with input from the EMT, DRT and IT, is responsible for
declaring a disaster and activating the various recovery teams as outlined in this plan.
In a major disaster situation affecting multiple business units, the decision to declare a disaster
will be determined by
on the directives specified by senior management.
Notification
Regardless of the disaster circumstances, or the identity of the person(s) first made aware of the
disaster, the EMT and DRT must be activated immediately in the following cases:
Two or more critical systems and/or sites are down concurrently for three or more hours
Any critical or major systems are down concurrently for eight or more hours
Any problem at any system or network facility that would cause the above conditions to be
present or there is certain indication that either of the conditions are about to occur
External communications
Corporate public relations personnel are designated as the principal contacts with the media
(radio, television, and print), regulatory agency, government agencies, and other external
organizations following a formal disaster declaration.
Emergency management standards
Data backup policy
Full and incremental backups preserve corporate information assets and should be performed on
a regular basis for audit logs and files that are irreplaceable, have a high replacement cost, or are
considered critical. Backup media should be stored in a secure, geographically separate location
from the original and isolated from environmental hazards.
Department-specific data and document retention policies specify what records must be retained
and for how long. All organizations are accountable for carrying out the provisions of the
instruction for records in their organization.
IT follows these standards for its data backup and archiving:
Tape retention policy
Backup media is stored at locations that are secure, isolated from environmental hazards, and
geographically separate from the location housing the system.
Billing tapes
Tapes greater than three years old are destroyed every six months.
Tapes less than three years old must be stored locally off-site.
The system supervisor is responsible for the transition cycle of tapes.
System image tapes
A copy of the most current image files must be made at least once per week.
This backup must be stored offsite.
The system supervisor is responsible for this activity.
Off-site storage procedures
Tapes and disks, and other suitable media are stored in environmentally secure facilities.
Tape or disk rotation occurs on a regular schedule coordinated with the storage vendor.
Access to backup databases and other data is tested annually.
Emergency management procedures
The following procedures are to be followed by system operations personnel and other
designated organizational personnel in the event of an emergency. Where uncertainty exists, the
more reactive action should be followed to provide maximum protection and personnel safety.
Note: Anyone not recognized by the IT staff as normally having business in the area must be
challenged by the staff who should then notify security personnel.
These procedures are furnished to management personnel to take home for reference. Several
pages have been included to supply emergency contacts.
In the event of any situation where access to a building housing a system is denied, personnel
should report to alternate locations. Primary and secondary locations are listed below.
Alternate locations Workplace:
Attempt to contact your immediate supervisor or management
via telephone. Home and cell phone numbers are included in
this document
Workplace:
Attempt to contact your immediate supervisor or management
via telephone. Home and cell phone numbers are included in
this document
In the event of a natural disaster
In the event of a major catastrophe affecting a company facility, immediately notify the BCP
Project Manager.
Procedure
STEP ACTION
1. Notify EMT and DRT of pending event, if time permits.
2. If the impending natural disaster can be tracked, begin preparation of site within 48 hours
as follows:
• Deploy portable generators with fuel within 100 miles.
• Deploy support personnel, tower crews, and engineering within 100 miles.
• Deploy tractor trailers with replacement work space, antennas, power, computers and phones.
• Facilities department on standby for replacement shelters
• Basic necessities are acquired by support personnel when deployed:
  • Cash for one week
  • Food and water for one week
  • Gasoline and other fuels
  • Supplies, including chainsaws, batteries, rope, flashlights, medical supplies, etc.
3. 24 hours prior to event:
• Create an image of the system and files
• Back up critical system elements
• Verify backup generator fuel status and operation
• Create backups of e-mail, file servers, etc.
• Fuel vehicles and emergency trailers
• Notify senior management
In the event of a fire
If fire or smoke is present in the facility, evaluate the situation, determine the severity, categorize
the fire as major or minor and take the appropriate action as defined in this section. Call 9-1-1 as
soon as possible if the situation warrants it.
Personnel are to attempt to extinguish minor fires (e.g., single hardware component or paper
fires) using hand-held fire extinguishers located throughout the facility. Any other fire or
smoke situation will be handled by qualified building personnel until the local fire
department arrives.
In the event of a major fire, call 9-1-1 and immediately evacuate the area.
In the event of any emergency situation, system security, site security and personal safety are
the major concerns. If possible, the operations supervisor should remain present at the facility
until the fire department has arrived.
In the event of a major catastrophe affecting the facility, immediately notify senior
management.
Procedure STEP ACTION
1. Dial 9-1-1 to contact the fire department.
2. Immediately notify all other personnel in the facility of the situation and evacuate the area.
3. Alert emergency personnel on:
Provide them with your name, extension where you can be reached, building and room number,
and the nature of the emergency. Follow all instructions given.
4. Alert the EMT and DRT.
Note: During non-staffed hours, security personnel will notify the Senior Executive
responsible for the location directly.
5. Notify Building Security.
Local security personnel will establish security at the location and not allow access to the
site unless notified by the Senior Executive or his/her designated representative.
6. Contact appropriate vendor personnel to aid in the decision regarding the protection of
equipment if time and circumstance permit.
7. All personnel evacuating the facilities will meet at their assigned outside location
(assembly point) and follow instructions given by the designated authority. Under no
circumstances may any personnel leave without the consent of supervision.
In the event of a network services provider outage
In the event of a network service provider outage to any location, the guidelines and
procedures in this section are to be followed.
Procedure STEP ACTION
1. Notify senior management of outage.
Determine cause of outage and timeframe for its recovery.
2. If outage will be greater than one hour, route all calls via alternate services.
If it is a major outage and all carriers are down and downtime will be greater than 12 hours,
deploy satellite phones, if available.
In the event of a flood or water damage
In the event of a flood or broken water pipe within any computing facilities, the guidelines
and procedures in this section are to be followed.
Procedure
STEP ACTION
1. Assess the situation and determine if outside assistance is needed; if this is the case,
dial 9-1-1 immediately.
2. Immediately notify all other personnel in the facility of the situation and be prepared to
cease voice operations accordingly.
3. Immediately notify all other personnel in the facility of the situation and be prepared to
cease operations accordingly.
4. Water detected below the raised floor may have different causes:
• If water is slowly dripping from an air conditioning unit and not endangering equipment,
contact repair personnel immediately.
• If water is of a major quantity and flooding beneath the floor (water main break),
immediately implement power-down procedures. While power-down procedures are in progress,
evacuate the area and follow management’s instructions.
Plan review and maintenance
This plan must be reviewed semiannually and exercised on an annual basis. The test may be in
the form of a walk-through, mock disaster, or component testing. Additionally, with the dynamic
environment present within the organization, it is important to review the listing of personnel and
phone numbers contained within the plan regularly.
The hard-copy version of the plan will be stored in a common location where it can be viewed by
site personnel and the EMT and DRT. Electronic versions will be available via the organization’s
network resources as provided by IT. Each recovery team will have its own directory with
change management limited to the recovery plan coordinator.
Notification of incident affecting the site
On-duty personnel responsibilities
If in-hours:
Upon observation or notification of a potentially serious situation during working hours at a
system/facility, ensure that personnel on site have enacted standard emergency and evacuation
procedures if appropriate and notify the EMT and DRT.
If outside hours:
IT personnel should contact the EMT and DRT.
Provide status to EMT and DRT
Contact EMT and/or DRT and provide the following information when any of the following
conditions exist: (See Appendix B for contact list.)
Two or more facilities are down concurrently for three or more hours.
Any problem at any system or location that would cause the above condition to be present or
there is certain indication that the above condition is about to occur.
The EMT will provide the following information:
Location of disaster
Type of disaster (e.g., fire, hurricane, flood)
Summarize the damage (e.g., minimal, heavy, total destruction)
Meeting location that is a safe distance from the disaster scene
An estimated timeframe of when a damage assessment group can enter the facility (if
possible)
The EMT will contact the respective market team leader and report that a disaster involving
voice communications has taken place.
The EMT and/or DRT will contact the respective
disaster has taken place.
Decide course of action
Based on the information obtained, the EMT and/or DRT need to decide how to respond to the
event: mobilize IT, repair/rebuild existing site(s) with location staff, or relocate to a new facility.
Inform team members of decision
If a disaster is not declared, the location response team will continue to address and manage the
situation through its resolution and provide periodic status updates to the EMT/DRT.
If a disaster is declared, the EMT and/or DRT will notify IT Tech Services immediately for
deployment.
Declare a disaster if the situation is not likely to be resolved within predefined time frames.
The person who is authorized to declare a disaster must also have at least one backup person who
is also authorized to declare a disaster in the event the primary person is unavailable.
Contact general vendors
Disaster declared: Mobilize incident response/Technical services teams/Report to
command center
Once a disaster is declared, the DRT is mobilized. This team will initiate and coordinate the
appropriate recovery actions. Members assemble at the designated location as quickly as
possible. See Appendix E for emergency locations.
Conduct detailed damage assessment (This may also be performed prior to
declaring a disaster.)
1. Under the direction of local authorities and/or EMT/DRT, assess the damage to
the affected location and/or assets. Include vendors/providers of installed
equipment to ensure that their expert opinion regarding the condition of the
equipment is determined ASAP.
A. Participate in a briefing on assessment requirements, reviewing:
(1) Assessment procedures
(2) Gather requirements
(3) Safety and security issues
NOTE: Access to the facility following a fire or potential chemical
contamination will likely be denied for 24 hours or longer.
B. Document assessment results using assessment and evaluation forms
contained in Appendix G.
Building access permitting:
Conduct an on-site inspection of affected areas to assess damage to
essential hardcopy records (files, manuals, contracts,
documentation, etc.) and electronic data.
Obtain information regarding damage to the facility(s) (e.g.,
environmental conditions, physical structure integrity, furniture,
and fixtures) from the DRT.
2. Develop a restoration priority list, identifying facilities, vital records and
equipment needed for resumption activities that could be operationally restored
and retrieved quickly.
3. Recommendations for required resources.
Contact DRT: Decide whether to continue to business recovery phase
The EMT and DRT gather information regarding the event, contact senior management, and
provide them with detailed information on status.
Based on the information obtained, senior management decides whether to continue to the
business recovery phase of this plan. If the situation does not warrant this action, continue to
address the situation at the affected site(s).
Business recovery phase (xx hours – full recovery)
This section documents the steps necessary to activate business recovery plans to support full
restoration of systems or facility functionality at an alternate/recovery site that would be used for
an extended period of time. Coordinate resources to reconstruct business operations at the
temporary/permanent system location, and to deactivate recovery teams upon return to normal
business operations.
The system and facility configurations for each location are important to re-establish normal
operations. A list for each location will be included in Appendix F.
Notify IT staff/Coordinate relocation to new facility
See Appendix A for IT staff associated with a new location being set up as a permanent location
(replacement for site).
Secure funding for relocation
Make arrangements in advance with suitable backup location resources. Make arrangements in
advance with local banks, credit card companies, hotels, office suppliers, food suppliers and
others for emergency support.
Notify EMT and corporate business units of recovery startup
Using the call list in Appendix B, notify the appropriate company personnel. Inform them of any
changes to processes or procedures, contact information, hours of operation, etc. (This may be
used for media information.)
Operations recovered
Assuming all relevant operations have been recovered to an alternate site, and employees are in
place to support operations, the company can declare that it is functioning in a normal manner at
the recovery location.
Appendixes
Appendix A:
Emergency management team (EMT)
Note: See Appendix B for contact list. Suggested members to include: senior
management, human resources, corporate public relations, legal, IT services, risk
management and operations
Charter:
Responsible for overall coordination of the disaster recovery effort; evaluation and determining
disaster declaration; and communications with senior management.
Support activities:
The EMT:
Evaluate which recovery actions should be invoked and activate the recovery teams
Evaluate damage assessment findings
Set restoration priority based on the damage assessment reports
Provide senior management with ongoing status information
Act as a communication channel to corporate teams and major customers
Work with vendors and IRT to develop a rebuild/repair schedule
Disaster recovery team
Note: See Appendix B for contact list
Charter:
Responsible for overall coordination of the disaster recovery effort; establishment of the
emergency command area; and communications with senior management and the EMT.
Support activities:
Coordinate with EMT and senior management
Determine recovery needs
Establish command center and assembly areas
Notify all company department heads and advise them to activate their plan(s) if applicable,
based upon the disaster situation
If no disaster is declared, take appropriate action to return to normal operations using regular
staff
Determine if vendors or other teams are needed to assist with detailed damage assessment
Prepare post-disaster debriefing report
Coordinate the development of site-specific recovery plans and ensure they are updated semi-
annually
IT technical services (IT)
Charter
IT will facilitate technology restoration activities.
Support activities
Upon notification of disaster declaration, review and provide support as follows:
1. Facilitate technology recovery and restoration activities, providing guidance on
replacement equipment and systems, as required
2. Coordinate removal of salvageable equipment at disaster site that may be used for
alternate site operations
Appendix B: Recovery team contact lists
Emergency management team (EMT)
Name Address Home Mobile/Cell Phone
Disaster recovery team (DRT)
Name Address Home Mobile/Cell Phone
IT technical services
Name Address Home Mobile/Cell Phone
Appendix C: Emergency numbers
First responders, public utility companies, others
Name Contact Name Phone
Appendix D: Contact list
Name Address Home Mobile/Cell Phone
Appendix E: Emergency command center (ECC) locations
Emergency command center –
Primary: Address
Room XXXX
City, State
Contact: coordinator of rooms/space – (xxx) xxx-xxxx
Alternate: Address
Room XXX
City, State
Contact: coordinator of rooms/space – (xxx) xxx-xxxx
Emergency command center –
Primary: Address
Room XXXX
City, State
Contact: coordinator of rooms/space – (xxx) xxx-xxxx
Alternate: Address
Room XXX
City, State
Contact: coordinator of rooms/space – (xxx) xxx-xxxx
Appendix F: Forms
Incident/disaster form
Upon notification of an incident/disaster situation the on-duty personnel will make the initial
entries into this form. It will then be forwarded to the ECC, where it will be continually updated.
This document will be the running log until the incident/disaster has ended and “normal
business” has resumed.
TIME AND DATE
________________________________________________________________________
TYPE OF EVENT
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
LOCATION
________________________________________________________________________
________________________________________________________________________
BUILDING ACCESS ISSUES
________________________________________________________________________
________________________________________________________________________
PROJECTED IMPACT TO OPERATIONS
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
RUNNING LOG (ongoing events)
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
Critical equipment status form
CRITICAL EQUIPMENT STATUS
ASSESSMENT AND EVALUATION FORM
Recovery team: __________________________________________
[———-STATUS———]
Equipment Condition Salvage Comments
1. ___________________ ______________ ______ _________________________
2. ___________________ ______________ ______ _________________________
3. ___________________ ______________ ______ _________________________
4. ___________________ ______________ ______ _________________________
5. ___________________ ______________ ______ _________________________
6. ___________________ ______________ ______ _________________________
7. ___________________ ______________ ______ _________________________
8. ___________________ ______________ ______ _________________________
9. ___________________ ______________ ______ _________________________
10. __________________ ______________ ______ _________________________
11. __________________ ______________ ______ _________________________
12. __________________ ______________ ______ _________________________
13. __________________ ______________ ______ _________________________
14. __________________ ______________ ______ _________________________
15. __________________ ______________ ______ _________________________
Legend
Condition: OK – Undamaged
DBU – Damaged, but usable
DS – Damaged, requires salvage before use
D – Destroyed, requires reconstruction
Appendix G: Building evacuation information
Provide evacuation procedures
Appendix H: Inventory of primary equipment and network services
Provide list of equipment and network services
Appendix I: Inventory of backup equipment and systems
Provide list of equipment
Appendix J: Approved vendor list
Server and computer equipment suppliers
Company Name Contact Work Mobile phone
Communications and network services suppliers
Company Name Contact Work Mobile phone
ISOL533 – Information Security and Risk Management
BUSINESS IMPACT ANALYSIS
University of the Cumberlands
1. Overview
This Business Impact Analysis (BIA) is developed as part of the contingency planning process for the
HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system. It was
prepared for Health Network, Inc. (Health Network).
1.1 Purpose
The purpose of the BIA is to identify and prioritize system components by correlating them to the
mission/business process(es) the system supports, and using this information to characterize the impact
on the process(es) if the system were unavailable.
The BIA is composed of the following three steps:
1. Determine mission/business processes and recovery criticality. Mission/business processes
supported by the system are identified and the impact of a system disruption to those processes
is determined along with outage impacts and estimated downtime. The downtime should
reflect the maximum that an organization can tolerate while still maintaining the mission.
2. Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the
resources required to resume mission/business processes and related interdependencies as
quickly as possible. Examples of resources that should be identified include facilities, personnel,
equipment, software, data files, system components, and vital records.
3. Identify recovery priorities for system resources. Based upon the results from the previous
activities, system resources can more clearly be linked to critical mission/business processes.
Priority levels can be established for sequencing recovery activities and resources.
This document is used to build the HNetExchange Message system, HNetConnect Directory system and
HNetPay Payment system Business Contingency Plan (BCP) and is included as a key component of the
BCP. It also may be used to support the development of other contingency plans associated with the
system, including, but not limited to, the Disaster Recovery Plan (DRP).
2. System Description
{Provide a general description of system architecture and functionality as provided in the scenario
instructions. Indicate the operating environment, physical location, general location of users, and
partnerships with external organizations/systems. Include information regarding any other technical
considerations that are important for recovery purposes, such as backup procedures. Provide a diagram,
as an appendix, of the architecture, including inputs and outputs and telecommunications connections.}
3. BIA Data Collection
{Normally data collection can be accomplished through individual/group interviews, workshops, email,
questionnaires, or any combination of these. For this assignment, review the scenario and include
information you would expect to obtain during the normal data collection process}
3.1 Determine Process and System Criticality
Step one of the BIA process – Working with input from users, managers, mission/business process
owners, and other internal or external points of contact (POC), identify the specific mission/business
processes that depend on or support the information
system.
Mission/Business Process Description
3.1.1 Identify Outage Impacts and Estimated Downtime
Outage Impacts
The following impact categories represent important areas for consideration in the event of a disruption
or impact.
Values for assessing category Risk Factors/Impact:
Critical = “1”
Major = “2”
Minor = “3”
Values for assessing category Recovery Time Objectives (RTO):
Critical-1 = 4 hours
Critical-2 = 8 hours
Critical-3 = 24 hours
Major-1 = 36 hours
Major-2 = 48 hours
Minor = 1 week
The table(s) below summarizes the impact on each mission/business process if the HNetExchange
Message system, HNetConnect Directory system and HNetPay Payment system were unavailable.
Mission/Business Process for HNetExchange
Impact Category: Risk Factor | RTO | Describe the Impact if unavailable
Mission/Business Process for HNetConnect
Impact Category: Risk Factor | RTO | Describe the Impact if unavailable
Mission/Business Process for HNetPay
Impact Category: Risk Factor | RTO | Describe the Impact if unavailable
Estimated Downtime
Working directly with mission/business process owners, departmental staff, managers, and other
stakeholders, estimate the downtime factors for consideration as a result of a disruptive event.
Maximum Tolerable Downtime (MTD). The MTD represents the total amount of time
leaders/managers are willing to accept for a mission/business process outage or disruption and
includes all impact considerations. Determining MTD is important because an undetermined MTD could leave
continuity planners with imprecise direction on (1) selection of an appropriate recovery method,
and (2) the depth of detail which will be required when developing recovery procedures,
including their scope and content.
Recovery Time Objective (RTO). RTO defines the maximum amount of time that a system
resource can remain unavailable before there is an unacceptable impact on other system
resources, supported mission/business processes, and the MTD. Determining the information
system resource RTO is important for selecting appropriate technologies that are best suited for
meeting the MTD.
Recovery Point Objective (RPO). The RPO represents the point in time, prior to a disruption or
system outage, to which mission/business process data must be recovered (given the most
recent backup copy of the data) after an outage.
The table below identifies the MTD, RTO, and RPO for the organizational mission/business processes
that rely on the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment
system.
Mission/Business Process for HNetExchange | MTD | RTO | RPO
Mission/Business Process for HNetConnect | MTD | RTO | RPO
Mission/Business Process for HNetPay | MTD | RTO | RPO
3.2 Identify Resource Requirements
The following table identifies the resources that compose the HNetExchange Message system,
HNetConnect Directory system and HNetPay Payment system including hardware, software, and other
resources such as data files.
System Resource/Component Description
It is assumed that all identified resources support the mission/business processes identified in Section 3.1
unless otherwise stated.
3.3 Identify Recovery Priorities for System Resources
The table below lists the order of recovery for
expected time for recovering the resource following a “worst case” (complete rebuild/repair or
replacement) disruption.
Recovery Time Objective (RTO) – RTO defines the maximum amount of time that a system
resource can remain unavailable before there is an unacceptable impact on other system
resources, supported mission/business processes, and the MTD. Determining the information
system resource RTO is important for selecting appropriate technologies that are best suited for
meeting the MTD.
Priority # | System Resource/Component | Recovery Time Objective
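An added example (not part of the original template): one way to check completed BIA rows for consistency and derive the Section 3.3 recovery order, using the RTO tiers listed in Section 3.1.1. The process rows, MTD/RPO values, resource names, the backup interval and the rule that a shared resource inherits the shortest RTO of the processes depending on it are assumptions made for illustration.

```python
from dataclasses import dataclass

# RTO tiers from section 3.1.1, in hours ("Minor = 1 week" is 168 hours).
RTO_TIER_HOURS = {"Critical-1": 4, "Critical-2": 8, "Critical-3": 24,
                  "Major-1": 36, "Major-2": 48, "Minor": 168}

@dataclass(frozen=True)
class Process:
    name: str
    tier: str           # key of RTO_TIER_HOURS
    mtd_hours: int      # Maximum Tolerable Downtime
    rpo_hours: int      # Recovery Point Objective
    resources: tuple    # system resources the process depends on

def consistency_findings(processes, backup_interval_hours):
    """Flag rows where the RTO cannot meet the MTD or backups cannot meet the RPO."""
    findings = []
    for p in processes:
        if p.tier not in RTO_TIER_HOURS:
            findings.append(f"{p.name}: unknown RTO tier {p.tier!r}")
            continue
        rto = RTO_TIER_HOURS[p.tier]
        if rto > p.mtd_hours:
            findings.append(f"{p.name}: RTO {rto}h exceeds MTD {p.mtd_hours}h")
        if backup_interval_hours > p.rpo_hours:
            findings.append(f"{p.name}: backups every {backup_interval_hours}h miss RPO {p.rpo_hours}h")
    return findings

def recovery_priorities(processes):
    """Return [(priority, resource, rto_hours)], tightest RTO first.

    Assumption: a shared resource inherits the shortest RTO of any process
    that depends on it. Rows with an unknown tier are skipped.
    """
    tightest = {}
    for p in processes:
        rto = RTO_TIER_HOURS.get(p.tier)
        if rto is None:
            continue
        for res in p.resources:
            tightest[res] = min(rto, tightest.get(res, rto))
    ordered = sorted(tightest.items(), key=lambda kv: (kv[1], kv[0]))
    return [(i, res, rto) for i, (res, rto) in enumerate(ordered, start=1)]

# Constructed sample rows: process names, MTD/RPO values and resources are made up.
SAMPLE = [
    Process("HNetExchange message delivery", "Critical-2", 12, 1, ("message database", "core network")),
    Process("HNetConnect directory lookup", "Major-1", 24, 24, ("directory web server", "core network")),
    Process("HNetPay bill payment", "Critical-1", 8, 4, ("payment gateway", "core network")),
]

if __name__ == "__main__":
    for line in consistency_findings(SAMPLE, backup_interval_hours=6):
        print("FINDING:", line)
    for prio, res, rto in recovery_priorities(SAMPLE):
        print(f"{prio}. {res} (RTO {rto}h)")
```

A finding on the RTO/MTD check means the chosen tier has to be tightened or the MTD renegotiated with the process owner before the recovery order is finalized.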
Table 1 – BIA worksheet
Business Function or Process | Business Impact Factor | Recovery Time Objective | IT Systems/Apps Infrastructure Impacts