Following the impact of a hurricane or any natural or even daily disaster, it's important to remember that it's not a normal situation. Employees may have suffered the loss of their home or family members, but the return to work can often be therapeutic and provide a sense of normalcy.
Current disasters have dramatically elevated the importance of disaster planning beyond computerized systems. The issue was not just keeping the computers running, but how to communicate to customers, employees, and others who interact with an enterprise that suddenly vacates its premises. Once vacated, where will business be transacted the next business day? What will be the source of cash flows for rental of temporary facilities, computers, and phone equipment? Many dislocated businesses gave thanks to cellular phone technology, which allows communication without phone lines.
Store copies of key forms and hard copy documents you use in day-to-day operations at a safe location. Scan key documents such as insurance forms into the computer for electronic storage, and store photos of major building and manufacturing sites in protected watertight storage containers and in a fire-proof safe, in case you need to present them to your insurers. You’ll want to have these materials available to help keep your business functioning.
Truth be told, companies have very different views about which business processes and applications are the most critical. Take, for example, three power companies: the first thinks that its customer service system is its critical application. To the second, payroll is the most critical because of their contracts with unions. The third might think that the meter reading system is most important because it determines where the power bills are to be sent.
The truth about hurricanes is that they avail themselves of advanced preparation. You know a storm is coming long before it makes landfall. Once the National Weather Service starts to project a storm track that might come anywhere near your shop, you need to start taking more frequent backups. When a voluntary evacuation order is issued, take a full backup of your critical applications and begin spreading the word to employees about the strategies you will follow to keep in communication before, during and after the emergency. When and if the mandatory evacuation order comes, don’t queue. Power down your equipment, turn out the lights, lock the doors and leave. Take your last minute backups with you. Be able to remotely shut things down as a last resort.
Plan ahead
· How disasters will be avoided and mitigated
· Which risks have been identified
· How various scenarios will be handled
· How people will be evacuated and to where
· How medical emergencies will be handled
· Alternate site locations and how they will be used. Communications/notification procedures. Do you have multiple methods for accessing internet, dial up, cable, etc...? Communications Alternatives. Communications would also be part of the comprehensive plan. There will be the need to notify employees and customers about the new business location. The firm should maintain a listing of all employees including their home addresses and telephone numbers. The list should be periodically updated to ensure its accuracy. With this information, employees can be informed of the new location.
· People want and need information. Tell everyone who the reliable information sources are, update your website often, have a backup information line 800 number, do not believe any other information whether it is a media outlet, co-worker, etc....
· How will you pay your employees? If they cannot be paid, morale will dissipate. Direct deposit is the best option. Post offices will not be open, people are not in their homes.
· Do you have separate lighting, flashlights, lamps in key operation locations?
· Do you have access to a natural gas generator as regular gasoline is at a shortage?
· Have you used a fiber network, underground, not effected by wind and hurricanes?
· Do you have emergency contact numbers and addresses? Where are they kept? Who has copies? Are they laminated?
· How the business continuity plan will be tested, updated, reviewed, and approved?
· Establish a vital record recovery plan.
· Establish guidelines to evacuate disabled employees when elevators are inoperable.
· Do not rely on only one supplier. Establish alternate sources of supplies.
· Provide housing arrangements for the firm's recovery team.
· Provide for food service at the backup recovery site.
· Establish travel arrangements for recovery personnel stationed at the recovery site.
· Establish guides for relocation of paper, film, and magnetic records.
· Notify employees when and where to return to work after a disaster strikes.
· Provide contractual arrangements with clean-up crews to remove debris.
· Finally, the firm should periodically evaluate its insurance to replace destroyed assets, provide necessary cash flows, and compensate for lost revenues from downtime. The first two are essential, while the last can be minimized, or even eliminated, depending on the vitality of the disaster recovery plan.
· Are key systems backed up regularly enough (and are they able to be restored quickly enough) to ensure that availability of data meets specific business, legislation, and standards requirements? For example, VISA makes very specific requirements of VISA merchants about the availability of credit card data after an incident; HIPAA requires 100% availability of some critical "life safety data." Have you partnered offsite where your internal security is a factor and will the 3rd party hosting company keep your information confidential. Back it up or take it, who is taking what, who is going to be responsible for protecting what? What is the process for getting things back online?
· Are key systems' availability ensured using uninterruptible power supplies (UPS), failover/hot-standby facilities, or other contingency measures?
· Is the organization able to operate effectively without key personnel? Is it clear who is the "second in command" in each department? Are there at least two members of staff who know how to carry out each key job? Who is responsible for which aspects of the business continuity procedures and plans?
· Is the organization able to operate effectively without key systems (not just IT systems—telecommunications systems, manual systems, etc.)? Are contingency manual processes in place in case key systems fail?
· Temporary Facilities. Is the organization able to operate effectively without key locations? Are contingency locations available in which business can temporarily be carried out if a site/location is unavailable? Effective disaster planning will consider several options for temporary relocation and facilities: First, a company may have a branch or division close by the disrupted location that can be used as the hub for resuming business activity. This was the solution for Deloitte & Touche, and news reports indicated this arrangement was used by a number of New York City area firms affected by the World Trade Center bombing. If this arrangement is not possible, perhaps a reciprocal agreement could be arranged with another business to share its business location for a brief period of time. A new breed of business has recently sprung up that provides back-up facilities to dislocated operations. The space may be a warehouse-like facility in a lower rent district, but it can quickly accommodate staff and employees working with temporary equipment. Another option is to acquire and maintain a back-up site to serve as the center of business activity. However, the cost of this final option may be excessive. Additional phone lines may be necessary if a location is shared with another firm. If a new location is leased or purchased, telephone service must be established. Office equipment, furniture and fixtures may be needed. Various types of material and supplies also will be required. Considerations should be given to 800 lines, WATS, special circuits and software defined networks, and other special call-handling equipment. As noted earlier, portable cellular equipment is a possible quick fix.
· Are all important prevention mechanisms in place to avoid or reduce the effects of system failures or damage caused by floods, fires, terrorist attacks, and so forth? Particularly, this area should take into account firewalls, intrusion prevention/detection mechanisms, auditing/logging, sprinkler systems, closed-circuit TV cameras, security staff, physical security mechanisms (passcodes, keycards, receptionists, keys and locks, security fences, building design, and so on).
· A similar approach could be used to advise customers about a new business location. However, for many companies, the size of their client listing might prevent this approach. In that case, the media could be used to aid in the notification of clients. Radio and newspaper advertisements should be considered. If notification is extremely critical, television ads are another option.
· Security Services is designated with the responsibility for communicating with external public safety and security agencies such as police, fire, and other public safety officials.
· Decide how external notifications and communications with sponsoring agencies, financial institutions, insurance institutions, and governmental entities shall be conducted. These departments shall have the sole franchise to speak about the disaster or its implications with all non-media external authorities.
· Who shall be the sole source of providing the news media with information concerning the crisis or disaster? All press releases and media interviews about the crisis, its impact on the enterprise, related recovery operations, the current status of recovery, estimates of damage, and the outlook for future operations shall be conducted.
· Who will be able to control the accuracy of the information being released and is able to provide an institutionally sanctioned perspective, and will minimize unwarranted speculation and sensationalism? Having the media communications focused through this an official channel also helps to minimize any interference with the ongoing crisis management actions and prevents undesired disruptions to the crisis recovery operations.
· Build solid contact lists and keep the information updated and accessible for your employees. Include key vendors and suppliers, and emergency service organizations like the local fire and police departments, hospital and ambulance services, building services and government relief agencies. Make sure your contact lists include alternate phone numbers in case one is not accessible.
· Organize supplies: Make sure your business has access to cash, generators, batteries and supplies such as first aid kits, water, food and personal care items.
· Provide employee assistance by training staff in CPR and first aid. Create family disaster kits for employees, which provide the essential resources for employees to help them through the event.
· Develop knowledge of contractor capabilities and prices by identifying commodities and services and establishing vendor relationships before they are needed;
· Establishing a scalable operations plan to adjust the level of capacity required to effectively respond to needs;
· Formally assigning and communicating disaster-related responsibilities, with joint training for government and contractor personnel; and
· Providing sufficient numbers of field-level contracting staff with the authority needed to meet mission requirements.
Develop Crisis Designations
Plan for the worst case scenario don't plan for the mild case because you will not have the resources available (people, power, trucks, telecommunications, etc...) to go back later when you realize it is going to be the worst case. The following are potential crisis classifications that the you may designate:
Level 3 - A major disruption in service affecting a subset of users or systems deemed to be non-critical for alternate site recovery. The determination is that the disaster recovery plan provisions should not be implemented because the presenting problem(s) were determined to fall within existing operational resolution capabilities. Although, the presenting problem(s) may still warrant special management attention and user communications. Within this classification routine management and user communication channels would be utilized.
Level 2 - Major disruption to one or more entities. Recovery of services at prime location is more than 24 hours. Restoration at alternate site is more lengthy than repairing at primary location. Such damage as occasioned by water, smoke, fire, vandalism, terrorism, lightning, or any other causes that bring about an estimated period of technology services disruption deemed to be more than 24 hours in duration.
Under this classification the disaster response action plan, described elsewhere in this document, should be initiated only when there exist coincident critical processing turnaround needs. Such needs will be defined by the Director of Hopkins - Information Technology Services Operations and will be based on knowledge of processing schedules, and the status of work in progress.
The recovery actions shall be directed primarily to reactivating processing within the facility.
Level 1 - A Total system(s) outage affecting multiple entities, systems, and customers. Anticipated recovery at prime location is impossible or expected to exceed 24 hours. Recovery at alternate site is more rapid than at primary location. Such damage as occasioned by water, smoke, fire, vandalism, terrorism, lightning, or an estimate of a protracted period of equipment downtime that renders a major portion of the facility unusable for more than 24 hours.
Laws governing Disasters
The gist of these laws, regulations, and standards in terms of business continuity and disaster recovery is the same in all cases: The organization must ensure that critical data and systems are available at all times, even in the event of a crisis situation, and various penalties will be imposed on the organizations if such systems and data are not available. However, compliance is a moving target, with requirements increasing constantly; accordingly, the BCP process must be changed in the light of changing requirements.
Federal Regulations effecting Disaster Planning
· The Gramm-Leach Bliley Act (GLBA) affects financial institutions and their storage of personal financial data. Such data must be kept secure even in the event of disaster, of course.
· The Federal Information Security Management Act (FISA) affects all federal computer systems.
· The Occupational Safety and Health Act (OSH Act) dictates organizations' need to be prepared for emergencies.
· The California Security Breach Notification Act requires organizations to provide strong security for personal information as well as notification of breaches to security of personal information (social security numbers, drivers' licenses, credit card info) to all those affected.
· The National Association of Security Dealers (NASD) rules 3510 and 3520 require that all members have a BCP in place and provide emergency contact information.
· FDA regulations (such as FDA 21 CFR 11) require backup power and backup software for key systems.
· SEC regulations (for example, SEC 17 CFR 240) require that financial transaction histories be maintained for all electronic securities transactions, and backup power be in place to maintain continuity.
· Basel II requires accurate maintenance of historical transaction data and continuous availability of all components of distributed financial systems involved in the Bank of International Settlements (BIS) systems. RIPA in the UK and COB in France are precursors to this requirement in their respective countries.
· Office of Management and Budget (OMB) Circulars (for instance, A-130, dated November 2000) require disaster recovery plans to be in place.
· ISO 17799 (the code of practice for IT security management) compliance requires business continuity and disaster recovery plans to be in place.
· COBIT audits require a BCP to be in place and to be effective in order to meet compliance requirements.
· Business continuity and disaster recovery plans are a key component of any ISACA audit.
· Many organizations are voluntarily adhering to IT Infrastructure Library (ITIL), a set of best practices in IT service management. ITIL has strong guidelines for the business continuity planning process and documentation.