 |
| |
 |
| |
 |
| |
 |
| |
 |
| |
 |
| |
 |
| |
 |
| |
 |
| |
 |
| |
 |
Business Continuity Planning (BCP) - continued from page 3
Recovery requirement documentation
After the completion of the analysis phase, the business and technical plan requirements are documented in
order to commence the implementation phase. A good asset management program can be of great
assistance here and allow for quick identification of available and re-allocatable resources.[5] For an office-
based, IT intensive business, the plan requirements may cover the following elements which may be classed
as ICE (In Case of Emergency) Data:
The numbers and types of disks, whether dedicated or shared, required outside of the primary business
location in the secondary location
The individuals involved in the recovery effort along with their contact and technical details
The applications and application data required from the secondary location desks for critical business
functions
The manual workaround solutions
The maximum outage allowed for the applications
The peripheral requirements like printers, copier, fax machine, calculators, paper, pens etc.
Other business environments, such as production, distribution, warehousing etc will need to cover these
elements, but are likely to have additional issues to manage following a disruptive event.
Solution design
The goal of the solution design phase is to identify the most cost effective disaster recovery solution that
meets two main requirements from the impact analysis stage. For IT applications, this is commonly
expressed as:
The minimum application and application data requirements
The time frame in which the minimum application and application data must be available
Disaster recovery plans may also be required outside the IT applications domain, for example in
preservation of information in hard copy format, or restoration of embedded technology in process plant.
This BCP phase overlaps with Disaster recovery planning methodology. The solution phase determines:
the crisis management command structure
the location of a secondary work site (where necessary)
telecommunication architecture between primary and secondary work sites
data replication methodology between primary and secondary work sites
the application and software required at the secondary work site, and
the type of physical data requirements at the secondary work site.
Implementation
The implementation phase, quite simply, is the execution of the design elements identified in the solution
design phase. Work package testing may take place during the implementation of the solution, however;
work package testing does not take the place of organizational testing.
Testing and organizational acceptance
The purpose of testing is to achieve organizational acceptance that the business continuity solution satisfies
the organization's recovery requirements. Plans may fail to meet expectations due to insufficient or
inaccurate recovery requirements, solution design flaws, or solution implementation errors. Testing may
include:
Crisis command team call-out testing
Technical swing test from primary to secondary work locations
Technical swing test from secondary to primary work locations
Application test
Business process test
At minimum, testing is generally conducted on a biannual or annual schedule. Problems identified in the
initial testing phase may be rolled up into the maintenance phase and retested during the next test cycle.
Maintenance
Maintenance of a BCP manual is broken down into three periodic activities. The first activity is the
confirmation of information in the manual, role out to ALL staff for awareness and specific training for
individuals who's roles are identified as critical in response and recovery. The second activity is the testing
and verification of technical solutions established for recovery operations. The third activity is the testing
and verification of documented organization recovery procedures. A biannual or annual maintenance cycle is
typical.
Information update and testing
All organizations change over time, therefore a BCP manual must change to stay relevant to the
organization. Once data accuracy is verified, normally a call tree test is conducted to evaluate the
notification plan's efficiency as well as the accuracy of the contact data. Some types of changes that should
be identified and updated in the manual include:
Testing and verification of technical solutions
As a part of ongoing maintenance, any specialized technical deployments must be checked for functionality.
Some checks include:
Virus definition distribution
Application security and service patch distribution
Hardware operability check
Application operability check
Data verification
Testing and verification of organization recovery procedures
As work processes change over time, the previously documented organizational recovery procedures may
no longer be suitable. Some checks include:
Are all work processes for critical functions documented?
Have the systems used in the execution of critical functions changed?
Are the documented work checklists meaningful and accurate for staff?
Do the documented work process recovery tasks and supporting disaster recovery infrastructure allow
staff to recover within the predetermined recovery time objective?
Treatment of test failures
As suggested by the diagram included in this article, there is a direct relationship between the test and
maintenance phases and the impact phase. When establishing a BCP manual and recovery infrastructure
from scratch, issues found during the testing phase often must be reintroduced to the analysis phase.
Recovery requirement documentation
After the completion of the analysis phase, the business and technical plan requirements are documented in
order to commence the implementation phase. A good asset management program can be of great
assistance here and allow for quick identification of available and re-allocatable resources.[5] For an office-
based, IT intensive business, the plan requirements may cover the following elements which may be classed
as ICE (In Case of Emergency) Data:
The numbers and types of disks, whether dedicated or shared, required outside of the primary business
location in the secondary location
The individuals involved in the recovery effort along with their contact and technical details
The applications and application data required from the secondary location desks for critical business
functions
The manual workaround solutions
The maximum outage allowed for the applications
The peripheral requirements like printers, copier, fax machine, calculators, paper, pens etc.
Other business environments, such as production, distribution, warehousing etc will need to cover these
elements, but are likely to have additional issues to manage following a disruptive event.
Solution design
The goal of the solution design phase is to identify the most cost effective disaster recovery solution that
meets two main requirements from the impact analysis stage. For IT applications, this is commonly
expressed as:
The minimum application and application data requirements
The time frame in which the minimum application and application data must be available
Disaster recovery plans may also be required outside the IT applications domain, for example in
preservation of information in hard copy format, or restoration of embedded technology in process plant.
This BCP phase overlaps with Disaster recovery planning methodology. The solution phase determines:
the crisis management command structure
the location of a secondary work site (where necessary)
telecommunication architecture between primary and secondary work sites
data replication methodology between primary and secondary work sites
the application and software required at the secondary work site, and
the type of physical data requirements at the secondary work site.
Implementation
The implementation phase, quite simply, is the execution of the design elements identified in the solution
design phase. Work package testing may take place during the implementation of the solution, however;
work package testing does not take the place of organizational testing.
Testing and organizational acceptance
The purpose of testing is to achieve organizational acceptance that the business continuity solution satisfies
the organization's recovery requirements. Plans may fail to meet expectations due to insufficient or
inaccurate recovery requirements, solution design flaws, or solution implementation errors. Testing may
include:
Crisis command team call-out testing
Technical swing test from primary to secondary work locations
Technical swing test from secondary to primary work locations
Application test
Business process test
At minimum, testing is generally conducted on a biannual or annual schedule. Problems identified in the
initial testing phase may be rolled up into the maintenance phase and retested during the next test cycle.
Maintenance
Maintenance of a BCP manual is broken down into three periodic activities. The first activity is the
confirmation of information in the manual, role out to ALL staff for awareness and specific training for
individuals who's roles are identified as critical in response and recovery. The second activity is the testing
and verification of technical solutions established for recovery operations. The third activity is the testing
and verification of documented organization recovery procedures. A biannual or annual maintenance cycle is
typical.
Information update and testing
All organizations change over time, therefore a BCP manual must change to stay relevant to the
organization. Once data accuracy is verified, normally a call tree test is conducted to evaluate the
notification plan's efficiency as well as the accuracy of the contact data. Some types of changes that should
be identified and updated in the manual include:
- Staffing changes
Staffing persona
Changes to important clients and their contact details
Changes to important vendors/suppliers and their contact details
Departmental changes like new, closed or fundamentally changed departments.
Testing and verification of technical solutions
As a part of ongoing maintenance, any specialized technical deployments must be checked for functionality.
Some checks include:
Virus definition distribution
Application security and service patch distribution
Hardware operability check
Application operability check
Data verification
Testing and verification of organization recovery procedures
As work processes change over time, the previously documented organizational recovery procedures may
no longer be suitable. Some checks include:
Are all work processes for critical functions documented?
Have the systems used in the execution of critical functions changed?
Are the documented work checklists meaningful and accurate for staff?
Do the documented work process recovery tasks and supporting disaster recovery infrastructure allow
staff to recover within the predetermined recovery time objective?
Treatment of test failures
As suggested by the diagram included in this article, there is a direct relationship between the test and
maintenance phases and the impact phase. When establishing a BCP manual and recovery infrastructure
from scratch, issues found during the testing phase often must be reintroduced to the analysis phase.
| 691 Trade Center Blvd, Chesterfield, MO 63005 636-527-7627 • Fax 636-489-4733 • www.DaleyGroup.org © 2006 Daley Group, LLC |
| Daley Group, LLC A Daley Global Enterprises Company |