Automation Disaster Recovery Course (ppt)

Disaster RecoveryDisaster Recovery

Business Continuity Planning to reduce your organization’s

IT Risk Profile

“prepare, organize, execute” Best Practices

Presented ByPresented By

Tim WoodcockTim Woodcock

22

33

Covered TopicsCovered Topics Statistics, Definitions and Dangerous ExcusesStatistics, Definitions and Dangerous Excuses

5 Phases of Business Continuity Planning “BCP” 5 Phases of Business Continuity Planning “BCP” (also referred to as Disaster Recovery Planning “DRP”)(also referred to as Disaster Recovery Planning “DRP”)

IT Risks & Counter measures IT Risks & Counter measures (follow the BCP) (group (follow the BCP) (group participation)participation)

Key Considerations in Disaster Planning & Key Considerations in Disaster Planning & ManagementManagement

Tips for Preventative MaintenanceTips for Preventative Maintenance

Q&AQ&A

44

Areas of RiskAreas of Risk

Hackers Hackers –– hurricanes hurricanes –– fires fires –– flooding flooding –– power outages power outages –– denial of service attacks denial of service attacks –– telecommunication outages telecommunication outages –– loss of internet access loss of internet access –– hardware hardware failures failures –– application failures application failures –– employee error employee error –– virus attacks virus attacks –– sabotage sabotage –– terrorism terrorismCan you think of other areas of risk?

55

StatisticsStatistics

75%75% of all incidences are caused by of all incidences are caused by system & hardware malfunctions system & hardware malfunctions (MTBF)(MTBF)…… and human error. and human error. “Did I just format “Did I just format my hard drive?”my hard drive?”

78%78% of businesses have data backup of businesses have data backup systems, but very few have a plan to systems, but very few have a plan to access that data if and when a disaster access that data if and when a disaster occurs… occurs… “what do you mean, “what do you mean, there is nothing on the tape?”there is nothing on the tape?”

66

StatisticsStatistics 80%80% of all businesses do not have a of all businesses do not have a

Disaster Recovery Plan (Business Disaster Recovery Plan (Business Continuity Plan) in place.Continuity Plan) in place.

50%50% of companies that experience a of companies that experience a computer outage lasting more that 10 computer outage lasting more that 10 days go out of business within five years days go out of business within five years and that most never fully recover and that most never fully recover financially. (Gartner Group)financially. (Gartner Group)

77

Disaster Recovery PlanningDisaster Recovery Planning(DRP)(DRP)

Is now referred to as:Is now referred to as:

Business Continuity Planning

(BCP)

Since 911Since 911

88

Certified Disaster Recovery Planner(CDRP)

formally

Certified Business Continuity Professional(CDRP)

DRII Certification ChangesDRII Certification Changeswww.drii.orgwww.drii.org

99

What is Business Continuity Planning (BCP)?What is Business Continuity Planning (BCP)?

Planning ahead to avoid problemsPlanning ahead to avoid problems(plan for the worst; hope for the best)(plan for the worst; hope for the best)

andand

Being prepared in the event of a problemBeing prepared in the event of a problem..

(some every day examples)(some every day examples) Spare tire in the trunk of the carSpare tire in the trunk of the car Yearly flu shotYearly flu shot Emergency exit signsEmergency exit signs 911 Emergency support services911 Emergency support services Business Continuance InsuranceBusiness Continuance Insurance

1010

BCP Focuses on: BCP Focuses on: Realizing what processes are needed to Realizing what processes are needed to

keep the organization running.keep the organization running.

Realizing and prioritizing the risks, Realizing and prioritizing the risks, if the processes are disrupted.if the processes are disrupted.

Implementing solutions designed to Implementing solutions designed to minimize the risks and keep the minimize the risks and keep the organization functioning… organization functioning…

1111

BCP GoalsBCP Goals Protect YourProtect Your

• PeoplePeople• DataData• vital communicationsvital communications• AssetsAssets• brand and reputation.brand and reputation.

Minimize threats, impacts and Minimize threats, impacts and downtime.downtime.

Mitigate any losses.Mitigate any losses. To ensure your organization To ensure your organization

continues to operate and to do it in a continues to operate and to do it in a cost-effective way.cost-effective way.

1212

Dangerous Excuses for not implementing a BCPDangerous Excuses for not implementing a BCP

It costs too much money to implement.It costs too much money to implement.

Not enough time or resources.Not enough time or resources.

It will never happen to our company.It will never happen to our company.

Why bother? We have good data Why bother? We have good data backups.backups.

We “plan” on implementing one next We “plan” on implementing one next year.year.

Fill in your lousy excuse here ___________Fill in your lousy excuse here ___________

1313

The BCP is a catalog of The BCP is a catalog of countermeasures for your countermeasures for your

business, in order of occurrence business, in order of occurrence probability.probability.

Most importantMost important processes addressed processes addressed FIRSTFIRST

Least importantLeast important Processes addressed Processes addressed LASTLAST

1414

Everyone must participate for BCP to succeedEveryone must participate for BCP to succeed Executive management must be onboard.Executive management must be onboard. Assign a Business Continuity Planner” to head Assign a Business Continuity Planner” to head

up discovery & implementation.up discovery & implementation. Assemble an Assemble an EEmergency mergency MManagement anagement TTeameam

(cross-functional team must represent all (cross-functional team must represent all departments)departments)

– customer service – human resources– public relations– membership

– Management– IT /

telecommunications – facilities and power – accounting

The Starting PointThe Starting Point

1515

The 5 Phases of the The 5 Phases of the Business Continuity Planning ProcessBusiness Continuity Planning Process

Risk Evaluation

Business ImpactAnalysis

(BIA)

Alternative Strategies &

Recommendations

DevelopDocument

Implement BCP

Monitor - Testand Adjust

1616

Risks Evaluation (utilizing the BCP)(utilizing the BCP)

1717

Risk EvaluationRisk Evaluation

Risk Evaluation

Prioritize Probable Threats

VulnerabilityAnalysis

Identify Key Risks

Return BusinessImpact Analysis


Recommendations

Develop DocumentImplement

BCP

MonitorTest

Adjust

1818

Identify Key IT RisksIdentify Key IT Risks (Risk Evaluation)(Risk Evaluation)

Data Loss / CorruptData Loss / Corrupt Security BreachSecurity Breach Loss of Key personnelLoss of Key personnel Virus – SPAM - Spyware AttacksVirus – SPAM - Spyware Attacks File Server / Network DownFile Server / Network Down Power OutagePower Outage Loss of Phones / FaxLoss of Phones / Fax Loss of InternetLoss of Internet

Other IT Risks?Other IT Risks?

1919

Risk EvaluationRisk Evaluation

Risk Evaluation



Identify Key Risks



Recommendations


BCP

MonitorTest

Adjust

2020

Vulnerability AnalysisVulnerability Analysis (Risk Evaluation)(Risk Evaluation)

Data Loss / Corrupt -Data Loss / Corrupt - (backup procedures)(backup procedures)

Security Breach -Security Breach - (internal / external security risk (internal / external security risk analysis)analysis)

Virus Attack-Virus Attack- (software-updates-verification)(software-updates-verification)

SPAM Attack-SPAM Attack- (filter process-updates)(filter process-updates)

File Server / Network Down -File Server / Network Down - (PM-MTBF)(PM-MTBF)

Power Outage -Power Outage - (UPS – power generator – location- (UPS – power generator – location- seasonal)seasonal)

Loss of Phones / Fax -Loss of Phones / Fax - (Telco – spares - SLA)(Telco – spares - SLA)

Loss of Internet –Loss of Internet – (ISP - data line – equipment)(ISP - data line – equipment)

““inventory & review everything”inventory & review everything”(hardware-software-policies-procedures-responsibilities, etc.) (hardware-software-policies-procedures-responsibilities, etc.)

2121

Risk EvaluationRisk EvaluationAlways ask ‘what if?’Always ask ‘what if?’

Risk Evaluation



Identify Key Risks



Recommendations


BCP

MonitorTest

Adjust

There are various ways to Prioritize. One of the most effective ways is the 1-2-3 (tic-tack-toe) method

2222

Prioritize Probable ThreatsPrioritize Probable Threats (Risk Evaluation)(Risk Evaluation) (Probability of occurrence) 1=low, 2=medium, (Probability of occurrence) 1=low, 2=medium,

3=high3=high Data Loss / CorruptData Loss / Corrupt Security BreachSecurity Breach Virus AttackVirus Attack Loss of key personnelLoss of key personnel File Server / Network File Server / Network

DownDown Power OutagePower Outage Loss of Phones / FaxLoss of Phones / Fax Loss of InternetLoss of Internet

33 33 11 22 3 3

22 22 33

2323

Business Impact Analysis (BCP) (utilizing the BCP)(utilizing the BCP)

2424

Business Impact Analysis (BIA)Business Impact Analysis (BIA)

Return

Determine Dollar Value

Exposure

Cost Benefit Analysis

PrioritizeRisk XImpact

Profitability Analysis

EvaluateSecurity &Controls

Risk Evaluation


BCP


Alternative Strategies

&Recommendations

Monitor Test

Adjust

EstablishRecovery Times

Prioritize Critical Bus.

Functions

Personnel, Workplace,

Customer Service, Billing,

IT infrastructure, etc.

2525


Return


Functions Determine Dollar Value

Exposure





Risk Evaluation


BCP



&Recommendations

Monitor Test

Adjust


Immediate, up to 4 hours,

Same day, 24-48-72 hours,

or greater

2626


Return


Functions





Risk Evaluation


BCP



&Recommendations

Monitor Test

Adjust

EstablishRecovery Times Determine

Dollar ValueExposure

Play the ‘what if’ game

Explore cost of downtime/hr for each area of concern.

$28- >$350 per man-hour

2727

Cost of ExposureCost of Exposure

A monetary value must be place on all key processes. This will help determine the importance of restoring that process

2828


Return



Exposure




Risk Evaluation


BCP



&Recommendations

Monitor Test

Adjust



•Each dept. is a business unit•Analyze all aspects of the unit•Determine its profitability•Determine necessities for operational status

2929

Business Impact Analysis Business Impact Analysis (BIA)(BIA)

Return



Exposure





Risk Evaluation


BCP



&Recommendations

Monitor Test

Adjust


Very important phase in Risk Reduction

Perform a security risk analysis

3030

Evaluate Security and ControlsEvaluate Security and Controls Perform a Security Risk AnalysisPerform a Security Risk Analysis

• Performed by:Performed by: Experienced internal IT staffExperienced internal IT staff Outside professional firmOutside professional firm

Review all potential risk exposuresReview all potential risk exposures• Network vulnerabilitiesNetwork vulnerabilities• Router & firewall vulnerabilitiesRouter & firewall vulnerabilities• Current password and data access policiesCurrent password and data access policies• Remote access to networkRemote access to network• Virus / SPAM protection & E-mail policiesVirus / SPAM protection & E-mail policies• Operating system security patches and updatesOperating system security patches and updates

• Other security Risks? _________________Other security Risks? _________________

3131

The BenefitsThe Benefits

Expose existing system and policy Expose existing system and policy vulnerabilities.vulnerabilities.

Strengthen existing security policies & Strengthen existing security policies & procedures.procedures.

Creation of non-existing policies & Creation of non-existing policies & procedures.procedures.

Thereby mitigating your risk.Thereby mitigating your risk.

3232


Return



Exposure




Risk Evaluation


BCP



&Recommendations

Monitor Test

Adjust



Helps justify need for implementing solutions, to lower exposed risks.

i.e. Tape backup hdwr/sftwr or secondary archiving/HA solution

3333


Return



Exposure




Risk Evaluation


BCP



&Recommendations

Monitor Test

Adjust



Values assigned to each risk & process

Prioritized according to importance

Helps determine order of restoration

3434

Prioritize Risk X ImpactPrioritize Risk X Impact (BIA)(BIA)

Impact on BusinessImpact on Business (Cost and Impact on business) 1=low, 2=medium, 3=high(Cost and Impact on business) 1=low, 2=medium, 3=high

Data Loss / CorruptData Loss / Corrupt Security BreachSecurity Breach Absent ProducersAbsent Producers SPAM AttackSPAM Attack File Server / Network File Server / Network

DownDown Power OutagePower Outage Loss of Phones / FaxLoss of Phones / Fax Loss of InternetLoss of Internet

33 33 11 11 3 3 33 33 33 33

3535

Determine the order of Risk Avoidance & MitigationDetermine the order of Risk Avoidance & Mitigation

Smart planners keep a coin handy to resolve equal-number risks…Smart planners keep a coin handy to resolve equal-number risks…

Risk evaluation= Server down=3BIA Impact on Business= Server down=3

3636


Recommendations

(utilizing the BCP)(utilizing the BCP)

3737

Develop Alternative StrategiesDevelop Alternative Strategies

Return

IdentifyStrategy

Needs ReduceRisk

Profile

Alternate Sites &Storage

Business Interruption

Insurance

Focus onQuick

Recovery

Focus on MitigatingDamages

DevelopDocumentImplement

BCP

Risk Evaluation

Business Impact Analysis


Recommendations

MonitorTest

Adjust

BIA info used to determine necessary changes

Example: tape archive too long, multiple tapes, dip into production time… new solution needs to be implemented

3838


Return

IdentifyStrategy

Needs ReduceRisk

Profile



Insurance

Focus onQuick

Recovery



BCP

Risk Evaluation



Recommendations

MonitorTest

Adjust

New vs. upgrade equipment (mtbf)

Employee training program, Increased security & awareness

Think ‘out of box’, minimum down-time

3939


Return

IdentifyStrategy

Needs ReduceRisk

Profile



Insurance

Focus onQuick

Recovery



BCP

Risk Evaluation


MonitorTest

Adjust

Cross training of employees

Software, hardware, vendor services availability

All possible scenarios should be considered and prepared for


Recommendations

4040


Return

IdentifyStrategy

Needs ReduceRisk

Profile



Insurance

Focus onQuick

Recovery



BCP

Risk Evaluation


MonitorTest

Adjust

Preventative maintenance

Cross training personnel

Test data restore & system fail-over programs regularly

Continued Awareness meetings


Recommendations

4141


Return

IdentifyStrategy

Needs ReduceRisk

Profile



Insurance

Focus onQuick

Recovery



BCP

Risk Evaluation


MonitorTest

Adjust

multiple storage & HA technologies (replicate server, multiple site utilization, SAN, Online, etc.)


Recommendations

4242


Return

IdentifyStrategy

Needs ReduceRisk

Profile



Insurance

Focus onQuick

Recovery



BCP

Risk Evaluation


MonitorTest

Adjust

Business continuance insurance, based on total risk discovered during the BIA phase.

Helps mitigate costs incurred to rebuild and continue business immediately following a disaster


Recommendations

4343

Develop, Document & Implement BCP

(utilizing the BCP)(utilizing the BCP)

4444

Develop, Document & Implement BCPDevelop, Document & Implement BCP

Return

People


BCP

RiskEvaluation



&Recommendations

Monitor Test

AdjustProcesses

Data

Create with confidence your BCP, protecting your people first

Establish responsibilities & emergency workflows for each risk scenario

Ensure communication & availability of key personnel (and cross-train)

List & hand out cell phone, home phone, contact info, hot site location, etc

4545

People

Processes


Return


BCP

RiskEvaluation



&Recommendations

Monitor Test

Adjust

Data

Document the who-where-how for all possible scenarios (Examples:

Who is responsible for ensuring the tape backups are working & available?

Who is the ‘alternate person’, and how will they have access to the tapes?

Who is in charge of a replacement server & correct backup device

4646

Data

Processes

People


Return


BCP

RiskEvaluation



&Recommendations

Monitor Test

Adjust

Both Preventative & Emergency procedures must be documented and agreed to by all parties responsible for ensuring the security & expedient restoration of company data

‘PM’ is less expensive than the aftermath of an unnecessary disaster

(i.e. test restores, off-site backup, SAN, High Availability solutions)

4747

Monitor Test & AdjustMonitor Test & Adjust

Return

Train

ImplementTestingProgram

Audit& Adjust

RiskEvaluation

BusinessImpact

Analysis

AlternativeStrategies

&Recommendations

DesignDocumentImplement

BCP

MonitorTest

Adjust

Initial training

Annual training

Cross-training

4848


Return

Train

ImplementTesting

Program

Audit& Adjust

RiskEvaluation

BusinessImpact

Analysis


&Recommendations


BCP

MonitorTest

Adjust

•Initial testing

•Annual testing

•Find weaknesses

Sftw-Hrdw changes

Vendor & utilities

External changes

New personnel

Policy changes

4949


Return

Train

ImplementTestingProgram

Audit& Adjust

RiskEvaluation

BusinessImpact

Analysis


&Recommendations


BCP

MonitorTest

Adjust

•Find weaknesses

•Formulate solutions

•Regularly reviewed

•Continued positive effect

5050

Key Considerations in Disaster Planning & Management

For Independent Agencies & Brokerage Firms

An Agents Council for Technology Report

March 15, 2005

5151

Key ConsiderationsKey ConsiderationsAgendaAgenda

Steps to take well before a disasterSteps to take well before a disaster

Steps to take when a disaster is Steps to take when a disaster is imminentimminent

Steps to take after a disaster strikesSteps to take after a disaster strikes

Some final thoughtsSome final thoughts

5252

Steps to Take Well Before a DisasterSteps to Take Well Before a Disaster

5353

Developing, Instilling, & Practicing the Disaster PlanDeveloping, Instilling, & Practicing the Disaster Plan Staff ‘ERT’ develop disaster plan that assigns roles to Staff ‘ERT’ develop disaster plan that assigns roles to

each staff member.each staff member.

Team coordinator reports to president/CEOTeam coordinator reports to president/CEO

Plan reinforced regularly in staff meetingsPlan reinforced regularly in staff meetings• Brainstorm possible disasters and steps to take for eachBrainstorm possible disasters and steps to take for each

Plan reviewed and updated at least annually.Plan reviewed and updated at least annually.

When staff member leaves agency, reassign dutiesWhen staff member leaves agency, reassign duties

5454

Developing, Instilling, & Practicing the Disaster PlanDeveloping, Instilling, & Practicing the Disaster Plan

Prepare employee contact listPrepare employee contact list

include work assignments related to disaster include work assignments related to disaster (i.e.producers greet clients)(i.e.producers greet clients)

Develop a phone tree system of employeesDevelop a phone tree system of employees• Make sure all employees know their roleMake sure all employees know their role• Update your call list regularlyUpdate your call list regularly

Investigate available services for assisting agencyInvestigate available services for assisting agency• User group, vendors, association, computer consultantUser group, vendors, association, computer consultant• Plan should spell out where agency will turn for help to get Plan should spell out where agency will turn for help to get

each aspect of the business operations back up and runningeach aspect of the business operations back up and running

5555


Hard copy of disaster plan (including employee, Hard copy of disaster plan (including employee, carrier, vendor, emergency contact info) kept in carrier, vendor, emergency contact info) kept in location known by all employeeslocation known by all employees

Employees keep copy at homeEmployees keep copy at home

Different aspects of the disaster plan regularly testedDifferent aspects of the disaster plan regularly tested

Plan should foresee and deal with lost servicesPlan should foresee and deal with lost services

Plan to be flexible and ready to adapt to unique Plan to be flexible and ready to adapt to unique situations. situations.

5656


Make a list of all active clients and include:Make a list of all active clients and include:• Active policies, policy number, billing and issuing company, Active policies, policy number, billing and issuing company,

expiration date of policyexpiration date of policy• Expiration list of policies to be processed for next six monthsExpiration list of policies to be processed for next six months

Make list of all vendors to help get you up and goingMake list of all vendors to help get you up and going• Computers, software, phone systems, phone & internet linesComputers, software, phone systems, phone & internet lines

Print these lists as well as export to portable storagePrint these lists as well as export to portable storage• Obtained by appropriate senior staffObtained by appropriate senior staff• Appropriate steps to ensure security of this vital dataAppropriate steps to ensure security of this vital data• Stored off-siteStored off-site

5757


Incorporate information to be communicated to policy Incorporate information to be communicated to policy holders on what they are to do, in the event of a holders on what they are to do, in the event of a disaster & whom they should contactdisaster & whom they should contact

Be prepared to communicate with your policyholdersBe prepared to communicate with your policyholders• NewspapersNewspapers• Radio ads with pre-designed adsRadio ads with pre-designed ads• Redirect them to a new phone numberRedirect them to a new phone number• Redirect them to a specific locationRedirect them to a specific location

Automated outward bound calling service ‘reverse Automated outward bound calling service ‘reverse 911 technology’. 911 technology’.

5858


Contingency plan to access additional staff resources Contingency plan to access additional staff resources to relieve regular staff.to relieve regular staff.

Consider a financial disaster reserve to deal with Consider a financial disaster reserve to deal with added costs that may be encountered, as well as added costs that may be encountered, as well as possible losses due to business interruptionspossible losses due to business interruptions

find what insurance companies will provide drafting find what insurance companies will provide drafting authority for claims. Set up the workflows for that authority for claims. Set up the workflows for that processing.processing.

5959

Protecting Agency Data & Systems Protecting Agency Data & Systems

& Preparing to Access Them After the Disaster& Preparing to Access Them After the Disaster Ensure that you have remote access to your Ensure that you have remote access to your

management system, after a disastermanagement system, after a disaster

Develop relationship with agency management Develop relationship with agency management system vendor or third party to back-up your data out system vendor or third party to back-up your data out of your region where you can access it from a secure of your region where you can access it from a secure internet site.internet site.

Assign passwords and train staff on accessing Assign passwords and train staff on accessing policyholder info remotely from this off-site sourcepolicyholder info remotely from this off-site source

Ensure third party vendor has authority to act on Ensure third party vendor has authority to act on agent’s behalf, agency notification before certain agent’s behalf, agency notification before certain actions are taken, and privacy & security protections actions are taken, and privacy & security protections are in place to safeguard client and agency info.are in place to safeguard client and agency info.

6060

Protecting Agency Data & Systems Protecting Agency Data & Systems

& Preparing to Access Them After the Disaster& Preparing to Access Them After the Disaster If possible, load your management system on one or If possible, load your management system on one or

more office laptops since these are easier to power up more office laptops since these are easier to power up or recharge than a desktopor recharge than a desktop

Consider a relationship with a technology firm that Consider a relationship with a technology firm that has the capability to provide the agency with has the capability to provide the agency with emergency service to help agency get back up and emergency service to help agency get back up and running after a disaster:running after a disaster:• Help deskHelp desk• On-site assistanceOn-site assistance• EquipmentEquipment

6161

Protecting Internet AccessProtecting Internet Access If you use an ASP over the Internet, find out If you use an ASP over the Internet, find out

what they can do for you in the event you what they can do for you in the event you have no Internet connection.have no Internet connection.

If resources allow it, consider having a If resources allow it, consider having a redundant Internet connection. For example, if redundant Internet connection. For example, if you use DSL, get satellite or an Internet you use DSL, get satellite or an Internet wireless service (WAN). Using a combination wireless service (WAN). Using a combination of WAN and satellite, the Florida Association of of WAN and satellite, the Florida Association of Insurance Agents was able to keep Internet Insurance Agents was able to keep Internet access most of the time as it set up in areas access most of the time as it set up in areas affected by the hurricanes in 2004.affected by the hurricanes in 2004.

6262

Protecting Equipment Protecting Equipment & Providing for Continued Electrical Power& Providing for Continued Electrical Power

Have a UPS on all equipmentHave a UPS on all equipment• Controlled shutdown, conditioned electrical circuitControlled shutdown, conditioned electrical circuit• Configure shutdown software and cableConfigure shutdown software and cable

Never connect computer directly to generatorNever connect computer directly to generator

UPS power rating to provide minimum 15 minutes on UPS power rating to provide minimum 15 minutes on workstations, 30 minutes on servers and critical workstations, 30 minutes on servers and critical equipmentequipment

Test UPS quarterly Test UPS quarterly • Equipment idleEquipment idle• Record total up timeRecord total up time• Replace battery or entire unit, if expectations are not metReplace battery or entire unit, if expectations are not met

6363


Purchase generator to run all mission critical Purchase generator to run all mission critical equipmentequipment

Carefully assess power needs for winter/summerCarefully assess power needs for winter/summer

Contract with firm to deliver generators to officeContract with firm to deliver generators to office

Test generator (fuel, oil, output, etc.) quarterlyTest generator (fuel, oil, output, etc.) quarterly

Test under an electrical load to assure proper Test under an electrical load to assure proper electrical outputelectrical output

Licensed electrician wire electric panel for clean cross-Licensed electrician wire electric panel for clean cross-over to generator.over to generator.

6464


Make sure the generator is located out of the building and away from its windows and doors, since fumes and carbon monoxide can make staff ill or be lethal. Also consider the impact of the elements on the generator, since you may be experiencing a lot of rain after a storm or ice conditions.

If the agency has a rented office, find out what plans the landlord has made to power the building in the event of a disaster.

6565

Alternative CommunicationsAlternative Communications

Understand the phone company’s procedures to give Understand the phone company’s procedures to give priority to businesses such as insurance agencies.priority to businesses such as insurance agencies.

Follow recommended back-up procedures of your Follow recommended back-up procedures of your computerized phone systemcomputerized phone system

Store the backups both on-site and off-siteStore the backups both on-site and off-site

Know in advance how to switch incoming calls to Know in advance how to switch incoming calls to another line, both at the switch in your office and via another line, both at the switch in your office and via your telecommunications provider remotelyyour telecommunications provider remotely

Have the vendor who installed your phone system Have the vendor who installed your phone system develop a crossover for your regular phones to an develop a crossover for your regular phones to an alternative phone line. Document and test it.alternative phone line. Document and test it.

6666

Alternative CommunicationsAlternative Communications

Consider having an alternative telephone answering Consider having an alternative telephone answering service (call center, branch location) to handle calls service (call center, branch location) to handle calls during emergencies and after hours.during emergencies and after hours.

If so authorized, many of these vendors have access If so authorized, many of these vendors have access to agency data to answer questions and provide to agency data to answer questions and provide referrals to carrier claims centers.referrals to carrier claims centers.

Ensure scripts and contact info are updated for call Ensure scripts and contact info are updated for call center vendorscenter vendors

Cell phones may not be reliable as alternative sourceCell phones may not be reliable as alternative source

Buy inexpensive phones for bypassing PBXBuy inexpensive phones for bypassing PBX

6767

Provisions to Have On HandProvisions to Have On Hand Fans, extension cords, surge strips, batteries, Fans, extension cords, surge strips, batteries,

flashlights, battery-powered lamps and radios, and flashlights, battery-powered lamps and radios, and low heat, low-energy lighting available to use with low heat, low-energy lighting available to use with your generator.your generator.

Sufficient bottled water to handle employees’ needs Sufficient bottled water to handle employees’ needs for two weeks.for two weeks.

Canned or dry food goods that do not require Canned or dry food goods that do not require refrigeration or cooking.refrigeration or cooking.

Can openers, paper/plastic utensils, plates and cups, Can openers, paper/plastic utensils, plates and cups, trash bags, bleach, paper towels and cleaning trash bags, bleach, paper towels and cleaning supplies, and hand wipes.supplies, and hand wipes.

First aid supplies and blankets.First aid supplies and blankets.

6868

Steps to Take When a Disaster is ImminentSteps to Take When a Disaster is Imminent

6969

Implement Disaster PlanImplement Disaster Plan

Do not delay, if triggers to activate the disaster plan Do not delay, if triggers to activate the disaster plan are metare met

Disaster during work day, and have warningDisaster during work day, and have warning• Assure the safety of your employees and officeAssure the safety of your employees and office• Confirm employees know their roleConfirm employees know their role

Disaster after-hours or employees who telecommute Disaster after-hours or employees who telecommute or work from remote locationsor work from remote locations• Use your phone tree.Use your phone tree.

Activate the central number employees can call after Activate the central number employees can call after disaster to get instructions and learn about next stepsdisaster to get instructions and learn about next steps• Recorded message, ‘backup’ number, what staff should do if Recorded message, ‘backup’ number, what staff should do if

they are unable to meet their assignmentthey are unable to meet their assignment

7070

Protecting Agency Data & Preparing to Access It After the Protecting Agency Data & Preparing to Access It After the DisasterDisaster

Be sure your data is backed-up and secureBe sure your data is backed-up and secure

Make sure your data is properly backed-up with your Make sure your data is properly backed-up with your agency management system vendor or third party agency management system vendor or third party you developed a relationship with prior to the disasteryou developed a relationship with prior to the disaster

Have at least two backups that are kept securely in Have at least two backups that are kept securely in separate off-site locations.separate off-site locations.

Be sure your list of active clients is complete and Be sure your list of active clients is complete and printed. printed.

Run an expiration list of policies to be processed for Run an expiration list of policies to be processed for the next six months and contact those renewals that the next six months and contact those renewals that are coming up for action around the time of the are coming up for action around the time of the predicted disasterpredicted disaster

7171


Staff complete processing of all work that is Staff complete processing of all work that is outstanding, especially that which relates to the outstanding, especially that which relates to the coverage for the disaster.coverage for the disaster.• outstanding endorsement requestsoutstanding endorsement requests• any policies that are not an ‘automatic’ renewal such as E&S any policies that are not an ‘automatic’ renewal such as E&S

placementsplacements• following up on any policies that are pending cancellation due following up on any policies that are pending cancellation due

to non-paymentto non-payment

Update insurance company addresses, phone Update insurance company addresses, phone numbers and fax numbersnumbers and fax numbers

Be sure vendor list is current for assisting you after Be sure vendor list is current for assisting you after the disasterthe disaster

7272


Print all the lists as well as export them to portable Print all the lists as well as export them to portable storage devices (one or more senior staff)storage devices (one or more senior staff)

Load info and management software onto laptop, and Load info and management software onto laptop, and safeguard the laptopsafeguard the laptop

Disconnect all electrical equipmentDisconnect all electrical equipment

Make sure all surfaces are clear of paper and all work Make sure all surfaces are clear of paper and all work in progress is wrapped in plastic, and that all in progress is wrapped in plastic, and that all outstanding work relating to the disaster has been outstanding work relating to the disaster has been processed and sent.processed and sent.

Place in boxes bearing the employee’s name. put in Place in boxes bearing the employee’s name. put in safe location. safe location.

7373

Alternative CommunicationsAlternative Communications Redirect phone numbers. Do this before the disasterRedirect phone numbers. Do this before the disaster

Call your phone vendor and internet provider to Call your phone vendor and internet provider to advise them that they should put your agency on the advise them that they should put your agency on the priority list.priority list.

7474

Provisions to Have On HandProvisions to Have On Hand Prepare office to be without power & phone servicePrepare office to be without power & phone service Strategically place lighting and fans around officeStrategically place lighting and fans around office

• Include stairwells and entry/exit areas.Include stairwells and entry/exit areas. Fill coolers with ice, water, Gatorade-type productsFill coolers with ice, water, Gatorade-type products Have plenty of non-perishable food and snacks for Have plenty of non-perishable food and snacks for

staffstaff Sweets work well for immediate energy, as fresh fruitSweets work well for immediate energy, as fresh fruit Provide method to make hot coffee or tea, if possibleProvide method to make hot coffee or tea, if possible Check first aid supplies and blanketsCheck first aid supplies and blankets Have enough cash on hand to meet needs for a few Have enough cash on hand to meet needs for a few

weeks (no power to ATMs or banking services)weeks (no power to ATMs or banking services) Review your disaster plan as a checklist for other Review your disaster plan as a checklist for other

supplies that may need replenishing or purchasedsupplies that may need replenishing or purchased

7575

Steps to Take Steps to Take After a Disaster StrikesAfter a Disaster Strikes

7676

Implementing the Disaster PlanImplementing the Disaster Plan

Do an assessment of the damage to your office to see Do an assessment of the damage to your office to see what will be needed to bring it back on-linewhat will be needed to bring it back on-line

Assess the personal and financial impact of the Assess the personal and financial impact of the disaster on your employees, and make sure their disaster on your employees, and make sure their needs are being met, so they can focus on agency needs are being met, so they can focus on agency operationsoperations

Assist them in any way that you are able, since they Assist them in any way that you are able, since they are your number one asset!are your number one asset!

Make your office area as safe as possible to Make your office area as safe as possible to accommodate walk-in trafficaccommodate walk-in traffic

7777

Implementing the Disaster PlanImplementing the Disaster Plan

If not possible to make office safe, identify another If not possible to make office safe, identify another location to meet policyholders and post a sign to location to meet policyholders and post a sign to direct themdirect them

Post alternative location on your website and include Post alternative location on your website and include on a message callers hearon a message callers hear

Set aside area in office to greet clients and start Set aside area in office to greet clients and start information gatheringinformation gathering

Small children may be present. Small children may be present. • Have toys/activities/snacks to keep them occupied and Have toys/activities/snacks to keep them occupied and

comfortablecomfortable

7878

ProvisionsProvisions

Have things in place for your policyholders such as Have things in place for your policyholders such as water and other beverages, snacks, and most of all…water and other beverages, snacks, and most of all…friendly faces. friendly faces.

They want you to help them and are there to make a They want you to help them and are there to make a claim. claim.

Treat each policyholder as if this were the only claim Treat each policyholder as if this were the only claim you received that day because it is their only one. you received that day because it is their only one.

Ask your staff to put on their game face to focus on Ask your staff to put on their game face to focus on the policyholder’s needs, even though they too are the policyholder’s needs, even though they too are likely to have been affected by the disaster in some likely to have been affected by the disaster in some way.way.

7979

ProvisionsProvisions

Have things in place for your policyholders such as Have things in place for your policyholders such as water and other beverages, snacks, and most of all…water and other beverages, snacks, and most of all…friendly faces. friendly faces.

They want you to help them and are there to make a They want you to help them and are there to make a claim. claim.

Treat each policyholder as if this were the only claim Treat each policyholder as if this were the only claim you received that day because it is their only one. you received that day because it is their only one.

Ask your staff to put on their game face to focus on Ask your staff to put on their game face to focus on the policyholder’s needs, even though they too are the policyholder’s needs, even though they too are likely to have been affected by the disaster in some likely to have been affected by the disaster in some way.way.

8080

Some Final ThoughtsSome Final Thoughts

8181

Some Final ThoughtsSome Final Thoughts

Be sensitive to the pressures on your staff in the Be sensitive to the pressures on your staff in the aftermath of a disasteraftermath of a disaster

Schedule shifts that will give your staff time to rest, Schedule shifts that will give your staff time to rest, take care of their personal needs, and rejuvenate take care of their personal needs, and rejuvenate themselves. themselves.

Unfortunately, disasters can strike in many different Unfortunately, disasters can strike in many different forms and levels of magnitudeforms and levels of magnitude

Some people can handle them, others cannotSome people can handle them, others cannot

8282

The KeyThe Key

Do not be complacent, because disasters do Do not be complacent, because disasters do happen.happen.

If you plan for the possibility, work your plan, If you plan for the possibility, work your plan, monitor it, and modify it when you need to, monitor it, and modify it when you need to, you will be prepared, both personally and you will be prepared, both personally and professionally, and you will guide your agency professionally, and you will guide your agency through the disaster successfully.through the disaster successfully.

8383

Tips for Preventative Maintenance

8484

PowerPower

Power Backup solutionsPower Backup solutions

• UPSUPS

• GeneratorGenerator

• Dual Power GridDual Power Grid

8585

Data Risks and SolutionsData Risks and Solutions TapeTape

Redundant Servers & Storage devicesRedundant Servers & Storage devices

Off-site / On-line backup solutions Off-site / On-line backup solutions (i.e.Courtesy Care (i.e.Courtesy Care Online Data Backup Service, LiveVault) Online Data Backup Service, LiveVault)

High Availability solutions High Availability solutions (HA… Server replication at (HA… Server replication at alternative secured location or data center)alternative secured location or data center)

Redundant Telco / Data connections Redundant Telco / Data connections (different providers)(different providers)

Other types of data backup Other types of data backup (USB2, portable hd, mem (USB2, portable hd, mem stick, SAN)stick, SAN)

8686

System Preventative MaintenanceSystem Preventative Maintenance

• Monthly defrags

• Scheduled UPS & Generator test

• Data Test Restore, and configuration, updates

• OS Security Updates (server, wkstation, router, firewall)

• Monitoring of System and hardware utilization

• IDS / IPS solutions

8787

Hidden Software Security Issues

•Firewall

•Router

•Anti-Virus

•SPAM

•Monitoring Tools

•Spyware / Malware

•Social Engineering

8888

Helpful SuggestionsHelpful Suggestions Ensure you have the right generator for Ensure you have the right generator for

the jobthe job(and know how to safely utilize them)(and know how to safely utilize them)

Secure access to Satellite phonesSecure access to Satellite phones Diversified carriers for mobile phonesDiversified carriers for mobile phones Digital cameras (phone cameras)Digital cameras (phone cameras) Portable fax or copier (car / motel)Portable fax or copier (car / motel) Laptops (with remote wireless access) Laptops (with remote wireless access) Sprint, Sprint,

AT&T, etc.AT&T, etc.

Hardware ‘ready spares’Hardware ‘ready spares’ Security Policies and Procedures (enforced)Security Policies and Procedures (enforced)

8989

Additional ResourcesAdditional Resources

IIABA has released the IIABA has released the Best Practices of Crisis Best Practices of Crisis Management—A Step-By-Step Business Management—A Step-By-Step Business Recovery Planner. Recovery Planner.

This tool includes both a written manual and an This tool includes both a written manual and an interactive CD designed to enable you to create an in-interactive CD designed to enable you to create an in-house, fully customized plan to lead your agency step-house, fully customized plan to lead your agency step-by-step through the disaster recovery process. This by-step through the disaster recovery process. This guide is available for $99.95—shipping and handling guide is available for $99.95—shipping and handling included. (www.independentagent.com, click on Best included. (www.independentagent.com, click on Best Practices, then click on Best Practices Product Practices, then click on Best Practices Product Catalog.)Catalog.)

9090


The Institute for Business and Home Safety The Institute for Business and Home Safety (IBHS) has a free “Disaster Planning Toolkit (IBHS) has a free “Disaster Planning Toolkit for the Small Business Owner” on its web site for the Small Business Owner” on its web site which includes a lot of helpful forms. which includes a lot of helpful forms.

In addition, free single copies of a “Disaster Recovery In addition, free single copies of a “Disaster Recovery Folder” are available from IBHS. This tool contains Folder” are available from IBHS. This tool contains planning advice and can hold the agency’s important planning advice and can hold the agency’s important papers. These tools also make good hand-outs for papers. These tools also make good hand-outs for the agency’s policyholders. To access the tools, go the agency’s policyholders. To access the tools, go to www.ibhs.org and click on “Open for Business.”to www.ibhs.org and click on “Open for Business.”

9191


The National Institute for Occupational Safety The National Institute for Occupational Safety and Health (NIOSH) web site contains an and Health (NIOSH) web site contains an excellent list of emergency preparedness excellent list of emergency preparedness resources and emergency contact information resources and emergency contact information at: http://www.cdc.gov/niosh/topics/prepared/.at: http://www.cdc.gov/niosh/topics/prepared/.

9292


A search of “Insurance Agent Disaster Planning” A search of “Insurance Agent Disaster Planning” and “Small Business Disaster Planning” on and “Small Business Disaster Planning” on www.google.com displays several additional www.google.com displays several additional resources to consider.resources to consider.

9393


Disaster Recovery International Disaster Recovery International • www.drii.orgwww.drii.org

Certified Business Continuity Professional Certified Business Continuity Professional CBCPCBCP• www.drii.orgwww.drii.org

The SANS Institute (SysAdmin, Audit, Networking, & The SANS Institute (SysAdmin, Audit, Networking, & Security) Security) • www.sans.orgwww.sans.org

9494


IIABA/ACT IIABA/ACT • (www.iiaba.org/act)(www.iiaba.org/act)

Disaster Recovery Journal Disaster Recovery Journal • (www.drj.com)(www.drj.com)

Global Continuity Global Continuity • (www.globalcontinuity.com)(www.globalcontinuity.com)

CPM CPM • ((www.contingencyplanning.comwww.contingencyplanning.com))

9595

Disaster RecoveryDisaster RecoveryQuestions and AnswersQuestions and Answers

Tim Woodcock

Courtesy Computers, Inc.

6700 Griffin Road

Davie, Florida 33314

954-321-8605

www.courtesycomputers.com

[email protected]

Documents

Automation Disaster Recovery Course (ppt)