Disaster Recovery
Business Continuity Planning to reduce your organization’s IT Risk Profile
“prepare, organize, execute” Best Practices
Presented By Tim Woodcock

Covered Topics
• Statistics, Definitions and Dangerous Excuses
• 5 Phases of Business Continuity Planning “BCP” (also referred to as Disaster Recovery Planning “DRP”)
• IT Risks & Countermeasures (follow the BCP) (group participation)
• Key Considerations in Disaster Planning & Management
• Tips for Preventative Maintenance
• Q&A

Areas of Risk
Hackers – hurricanes – fires – flooding – power outages – denial of service attacks – telecommunication outages – loss of internet access – hardware failures – application failures – employee error – virus attacks – sabotage – terrorism
Can you think of other areas of risk?

Statistics
• 75% of all incidents are caused by system & hardware malfunctions (MTBF)… and human error. “Did I just format my hard drive?”
• 78% of businesses have data backup systems, but very few have a plan to access that data if and when a disaster occurs… “what do you mean, there is nothing on the tape?”

Statistics
• 80% of all businesses do not have a Disaster Recovery Plan (Business Continuity Plan) in place.
• 50% of companies that experience a computer outage lasting more than 10 days go out of business within five years, and most never fully recover financially. (Gartner Group)

Disaster Recovery Planning (DRP)
Is now referred to as:
Business Continuity Planning (BCP)
Since 9/11

DRII Certification Changes
www.drii.org
Certified Disaster Recovery Planner (CDRP)
formally
Certified Business Continuity Professional (CDRP)

What is Business Continuity Planning (BCP)?
Planning ahead to avoid problems (plan for the worst; hope for the best)
and
Being prepared in the event of a problem.
(some everyday examples)
• Spare tire in the trunk of the car
• Yearly flu shot
• Emergency exit signs
• 911 Emergency support services
• Business Continuance Insurance

BCP Focuses on:
• Realizing what processes are needed to keep the organization running.
• Realizing and prioritizing the risks, if the processes are disrupted.
• Implementing solutions designed to minimize the risks and keep the organization functioning…

BCP Goals
• Protect your
  • People
  • Data
  • Vital communications
  • Assets
  • Brand and reputation
• Minimize threats, impacts and downtime.
• Mitigate any losses.
• To ensure your organization continues to operate and to do it in a cost-effective way.

Dangerous Excuses for not implementing a BCP
• It costs too much money to implement.
• Not enough time or resources.
• It will never happen to our company.
• Why bother? We have good data backups.
• We “plan” on implementing one next year.
• Fill in your lousy excuse here ___________

The BCP is a catalog of countermeasures for your business, in order of occurrence probability.
• Most important processes addressed FIRST
• Least important processes addressed LAST

The Starting Point
Everyone must participate for BCP to succeed
• Executive management must be onboard.
• Assign a “Business Continuity Planner” to head up discovery & implementation.
• Assemble an Emergency Management Team (cross-functional team must represent all departments)
  – customer service
  – human resources
  – public relations
  – membership
  – management
  – IT / telecommunications
  – facilities and power
  – accounting

The 5 Phases of the Business Continuity Planning Process
• Risk Evaluation
• Business Impact Analysis (BIA)
• Alternative Strategies & Recommendations
• Develop, Document, Implement BCP
• Monitor, Test and Adjust

Risk Evaluation (utilizing the BCP)

Risk Evaluation
[Diagram: the Risk Evaluation phase, made up of Identify Key Risks, Vulnerability Analysis and Prioritize Probable Threats, shown within the five BCP phases]

Identify Key IT Risks (Risk Evaluation)
• Data Loss / Corrupt
• Security Breach
• Loss of Key personnel
• Virus – SPAM - Spyware Attacks
• File Server / Network Down
• Power Outage
• Loss of Phones / Fax
• Loss of Internet
• Other IT Risks?

Vulnerability Analysis (Risk Evaluation)
• Data Loss / Corrupt - (backup procedures)
• Security Breach - (internal / external security risk analysis)
• Virus Attack - (software-updates-verification)
• SPAM Attack - (filter process-updates)
• File Server / Network Down - (PM-MTBF)
• Power Outage - (UPS – power generator – location-seasonal)
• Loss of Phones / Fax - (Telco – spares - SLA)
• Loss of Internet – (ISP - data line – equipment)
“inventory & review everything” (hardware-software-policies-procedures-responsibilities, etc.)

Risk Evaluation
Always ask ‘what if?’
There are various ways to prioritize. One of the most effective ways is the 1-2-3 (tic-tac-toe) method.

Prioritize Probable Threats (Risk Evaluation)
(Probability of occurrence) 1=low, 2=medium, 3=high
• Data Loss / Corrupt: 3
• Security Breach: 3
• Virus Attack: 1
• Loss of key personnel: 2
• File Server / Network Down: 3
• Power Outage: 2
• Loss of Phones / Fax: 2
• Loss of Internet: 3

Business Impact Analysis (BIA) (utilizing the BCP)

Business Impact Analysis (BIA)
[Diagram: the Business Impact Analysis phase, made up of Prioritize Critical Bus. Functions, Establish Recovery Times, Determine Dollar Value Exposure, Profitability Analysis, Evaluate Security & Controls, Cost Benefit Analysis and Prioritize Risk X Impact, shown within the five BCP phases]
Prioritize Critical Bus. Functions
• Personnel, Workplace, Customer Service, Billing, IT infrastructure, etc.

Business Impact Analysis (BIA)
Establish Recovery Times
• Immediate, up to 4 hours, same day, 24-48-72 hours, or greater

Business Impact Analysis (BIA)
Determine Dollar Value Exposure
• Play the ‘what if’ game
• Explore cost of downtime/hr for each area of concern.
• $28 - >$350 per man-hour

Cost of Exposure
A monetary value must be placed on all key processes. This will help determine the importance of restoring that process.

Business Impact Analysis (BIA)
Profitability Analysis
• Each dept. is a business unit
• Analyze all aspects of the unit
• Determine its profitability
• Determine necessities for operational status

Business Impact Analysis (BIA)
• Very important phase in Risk Reduction
• Perform a security risk analysis

Evaluate Security and Controls
Perform a Security Risk Analysis
• Performed by:
  • Experienced internal IT staff
  • Outside professional firm
• Review all potential risk exposures
  • Network vulnerabilities
  • Router & firewall vulnerabilities
  • Current password and data access policies
  • Remote access to network
  • Virus / SPAM protection & E-mail policies
  • Operating system security patches and updates
  • Other security Risks? _________________

The Benefits
• Expose existing system and policy vulnerabilities.
• Strengthen existing security policies & procedures.
• Creation of non-existing policies & procedures.
Thereby mitigating your risk.

Business Impact Analysis (BIA)
Cost Benefit Analysis
• Helps justify need for implementing solutions, to lower exposed risks.
• i.e. tape backup hardware/software or secondary archiving/HA solution

Business Impact Analysis (BIA)
Prioritize Risk X Impact
• Values assigned to each risk & process
• Prioritized according to importance
• Helps determine order of restoration

Prioritize Risk X Impact (BIA)
Impact on Business (Cost and Impact on business) 1=low, 2=medium, 3=high
• Data Loss / Corrupt
• Security Breach
• Absent Producers
• SPAM Attack
• File Server / Network Down
• Power Outage
• Loss of Phones / Fax
• Loss of Internet
33 33 11 11 3 3 33 33 33 33

Determine the order of Risk Avoidance & Mitigation
Smart planners keep a coin handy to resolve equal-number risks…
Risk evaluation = Server down = 3
BIA Impact on Business = Server down = 3

Alternative Strategies & Recommendations (utilizing the BCP)

Develop Alternative Strategies
[Diagram: the Alternative Strategies & Recommendations phase, made up of Identify Strategy Needs, Reduce Risk Profile, Focus on Mitigating Damages, Focus on Quick Recovery, Alternate Sites & Storage and Business Interruption Insurance, shown within the five BCP phases]
• BIA info used to determine necessary changes
• Example: tape archive too long, multiple tapes, dip into production time… new solution needs to be implemented

Develop Alternative Strategies
• New vs. upgrade equipment (MTBF)
• Employee training program, increased security & awareness
• Think ‘out of box’, minimum down-time

Develop Alternative Strategies
• Cross training of employees
• Software, hardware, vendor services availability
• All possible scenarios should be considered and prepared for

Develop Alternative Strategies
• Preventative maintenance
• Cross training personnel
• Test data restore & system fail-over programs regularly
• Continued awareness meetings

Develop Alternative Strategies
• Multiple storage & HA technologies (replicate server, multiple site utilization, SAN, online, etc.)

Develop Alternative Strategies
• Business continuance insurance, based on total risk discovered during the BIA phase.
• Helps mitigate costs incurred to rebuild and continue business immediately following a disaster

Develop, Document & Implement BCP (utilizing the BCP)

Develop, Document & Implement BCP
[Diagram: People, Processes and Data, shown within the five BCP phases]
• Create with confidence your BCP, protecting your people first
• Establish responsibilities & emergency workflows for each risk scenario
• Ensure communication & availability of key personnel (and cross-train)
• List & hand out cell phone, home phone, contact info, hot site location, etc.

Develop, Document & Implement BCP
Document the who-where-how for all possible scenarios. Examples:
• Who is responsible for ensuring the tape backups are working & available?
• Who is the ‘alternate person’, and how will they have access to the tapes?
• Who is in charge of a replacement server & correct backup device?

Develop, Document & Implement BCP
• Both preventative & emergency procedures must be documented and agreed to by all parties responsible for ensuring the security & expedient restoration of company data
• ‘PM’ is less expensive than the aftermath of an unnecessary disaster (i.e. test restores, off-site backup, SAN, High Availability solutions)

Monitor, Test & Adjust
[Diagram: the Monitor, Test & Adjust phase, made up of Train, Implement Testing Program and Audit & Adjust, shown within the five BCP phases]
• Initial training
• Annual training
• Cross-training

Monitor, Test & Adjust
• Initial testing
• Annual testing
• Find weaknesses

• Software-hardware changes
• Vendor & utilities
• External changes
• New personnel
• Policy changes

Monitor, Test & Adjust
• Find weaknesses
• Formulate solutions
• Regularly reviewed
• Continued positive effect

Key Considerations in Disaster Planning & Management
For Independent Agencies & Brokerage Firms
An Agents Council for Technology Report
March 15, 2005
Key Considerations
Agenda
• Steps to take well before a disaster
• Steps to take when a disaster is imminent
• Steps to take after a disaster strikes
• Some final thoughts

Steps to Take Well Before a Disaster

Developing, Instilling, & Practicing the Disaster Plan
• Staff ‘ERT’ develop disaster plan that assigns roles to each staff member.
• Team coordinator reports to president/CEO
• Plan reinforced regularly in staff meetings
  • Brainstorm possible disasters and steps to take for each
• Plan reviewed and updated at least annually.
• When staff member leaves agency, reassign duties

Developing, Instilling, & Practicing the Disaster Plan
• Prepare employee contact list
  • Include work assignments related to disaster (i.e. producers greet clients)
• Develop a phone tree system of employees
  • Make sure all employees know their role
  • Update your call list regularly
• Investigate available services for assisting agency
  • User group, vendors, association, computer consultant
  • Plan should spell out where agency will turn for help to get each aspect of the business operations back up and running

Developing, Instilling, & Practicing the Disaster Plan
• Hard copy of disaster plan (including employee, carrier, vendor, emergency contact info) kept in location known by all employees
• Employees keep copy at home
• Different aspects of the disaster plan regularly tested
• Plan should foresee and deal with lost services
• Plan to be flexible and ready to adapt to unique situations.

Developing, Instilling, & Practicing the Disaster Plan
• Make a list of all active clients and include:
  • Active policies, policy number, billing and issuing company, expiration date of policy
  • Expiration list of policies to be processed for next six months
• Make list of all vendors to help get you up and going
  • Computers, software, phone systems, phone & internet lines
• Print these lists as well as export to portable storage
  • Obtained by appropriate senior staff
  • Appropriate steps to ensure security of this vital data
  • Stored off-site

Developing, Instilling, & Practicing the Disaster Plan
• Incorporate information to be communicated to policy holders on what they are to do, in the event of a disaster & whom they should contact
• Be prepared to communicate with your policyholders
  • Newspapers
  • Radio ads with pre-designed ads
  • Redirect them to a new phone number
  • Redirect them to a specific location
• Automated outward bound calling service ‘reverse 911 technology’.

Developing, Instilling, & Practicing the Disaster Plan
• Contingency plan to access additional staff resources to relieve regular staff.
• Consider a financial disaster reserve to deal with added costs that may be encountered, as well as possible losses due to business interruptions
• Find what insurance companies will provide drafting authority for claims. Set up the workflows for that processing.

Protecting Agency Data & Systems & Preparing to Access Them After the Disaster
• Ensure that you have remote access to your management system, after a disaster
• Develop relationship with agency management system vendor or third party to back-up your data out of your region where you can access it from a secure internet site.
• Assign passwords and train staff on accessing policyholder info remotely from this off-site source
• Ensure third party vendor has authority to act on agent’s behalf, agency notification before certain actions are taken, and privacy & security protections are in place to safeguard client and agency info.

Protecting Agency Data & Systems & Preparing to Access Them After the Disaster
• If possible, load your management system on one or more office laptops since these are easier to power up or recharge than a desktop
• Consider a relationship with a technology firm that has the capability to provide the agency with emergency service to help agency get back up and running after a disaster:
  • Help desk
  • On-site assistance
  • Equipment

Protecting Internet Access
• If you use an ASP over the Internet, find out what they can do for you in the event you have no Internet connection.
• If resources allow it, consider having a redundant Internet connection. For example, if you use DSL, get satellite or an Internet wireless service (WAN). Using a combination of WAN and satellite, the Florida Association of Insurance Agents was able to keep Internet access most of the time as it set up in areas affected by the hurricanes in 2004.

Protecting Equipment & Providing for Continued Electrical Power
• Have a UPS on all equipment
  • Controlled shutdown, conditioned electrical circuit
  • Configure shutdown software and cable
• Never connect computer directly to generator
• UPS power rating to provide minimum 15 minutes on workstations, 30 minutes on servers and critical equipment
• Test UPS quarterly
  • Equipment idle
  • Record total up time
  • Replace battery or entire unit, if expectations are not met

Protecting Equipment & Providing for Continued Electrical Power
• Purchase generator to run all mission critical equipment
• Carefully assess power needs for winter/summer
• Contract with firm to deliver generators to office
• Test generator (fuel, oil, output, etc.) quarterly
• Test under an electrical load to assure proper electrical output
• Licensed electrician wire electric panel for clean cross-over to generator.

Protecting Equipment & Providing for Continued Electrical Power
• Make sure the generator is located out of the building and away from its windows and doors, since fumes and carbon monoxide can make staff ill or be lethal. Also consider the impact of the elements on the generator, since you may be experiencing a lot of rain after a storm or ice conditions.
• If the agency has a rented office, find out what plans the landlord has made to power the building in the event of a disaster.

Alternative Communications
• Understand the phone company’s procedures to give priority to businesses such as insurance agencies.
• Follow recommended back-up procedures of your computerized phone system
• Store the backups both on-site and off-site
• Know in advance how to switch incoming calls to another line, both at the switch in your office and via your telecommunications provider remotely
• Have the vendor who installed your phone system develop a crossover for your regular phones to an alternative phone line. Document and test it.

Alternative CommunicationsAlternative Communications
Consider having an alternative telephone answering Consider having an alternative telephone answering service (call center, branch location) to handle calls service (call center, branch location) to handle calls during emergencies and after hours.during emergencies and after hours.
If so authorized, many of these vendors have access If so authorized, many of these vendors have access to agency data to answer questions and provide to agency data to answer questions and provide referrals to carrier claims centers.referrals to carrier claims centers.
Ensure scripts and contact info are updated for call Ensure scripts and contact info are updated for call center vendorscenter vendors
Cell phones may not be reliable as alternative sourceCell phones may not be reliable as alternative source
Buy inexpensive phones for bypassing PBXBuy inexpensive phones for bypassing PBX
6767
Provisions to Have On Hand
Fans, extension cords, surge strips, batteries, flashlights, battery-powered lamps and radios, and low heat, low-energy lighting available to use with your generator.
Sufficient bottled water to handle employees’ needs for two weeks.
Canned or dry food goods that do not require refrigeration or cooking.
Can openers, paper/plastic utensils, plates and cups, trash bags, bleach, paper towels and cleaning supplies, and hand wipes.
First aid supplies and blankets.

Steps to Take When a Disaster is Imminent

Implement Disaster Plan
Do not delay, if triggers to activate the disaster plan are met
Disaster during work day, and have warning
• Assure the safety of your employees and office
• Confirm employees know their role
Disaster after-hours or employees who telecommute or work from remote locations
• Use your phone tree.
Activate the central number employees can call after disaster to get instructions and learn about next steps
• Recorded message, ‘backup’ number, what staff should do if they are unable to meet their assignment

Protecting Agency Data & Preparing to Access It After the Disaster
Be sure your data is backed-up and secure
Make sure your data is properly backed-up with your agency management system vendor or third party you developed a relationship with prior to the disaster
Have at least two backups that are kept securely in separate off-site locations.
Be sure your list of active clients is complete and printed.
Run an expiration list of policies to be processed for the next six months and contact those renewals that are coming up for action around the time of the predicted disaster
Staff complete processing of all work that is outstanding, especially that which relates to the coverage for the disaster.
• outstanding endorsement requests
• any policies that are not an ‘automatic’ renewal such as E&S placements
• following up on any policies that are pending cancellation due to non-payment
Update insurance company addresses, phone numbers and fax numbers
Be sure vendor list is current for assisting you after the disaster
Print all the lists as well as export them to portable storage devices (one or more senior staff)
Load info and management software onto laptop, and safeguard the laptop
Disconnect all electrical equipment
Make sure all surfaces are clear of paper and all work in progress is wrapped in plastic, and that all outstanding work relating to the disaster has been processed and sent.
Place in boxes bearing the employee’s name. Put in safe location.

Alternative Communications
Redirect phone numbers. Do this before the disaster
Call your phone vendor and internet provider to advise them that they should put your agency on the priority list.

Provisions to Have On Hand
Prepare office to be without power & phone service
Strategically place lighting and fans around office
• Include stairwells and entry/exit areas.
Fill coolers with ice, water, Gatorade-type products
Have plenty of non-perishable food and snacks for staff
Sweets work well for immediate energy, as does fresh fruit
Provide method to make hot coffee or tea, if possible
Check first aid supplies and blankets
Have enough cash on hand to meet needs for a few weeks (no power to ATMs or banking services)
Review your disaster plan as a checklist for other supplies that may need to be replenished or purchased

Steps to Take After a Disaster Strikes

Implementing the Disaster Plan
Do an assessment of the damage to your office to see what will be needed to bring it back on-line
Assess the personal and financial impact of the disaster on your employees, and make sure their needs are being met, so they can focus on agency operations
Assist them in any way that you are able, since they are your number one asset!
Make your office area as safe as possible to accommodate walk-in traffic
If not possible to make office safe, identify another location to meet policyholders and post a sign to direct them
Post alternative location on your website and include on a message callers hear
Set aside area in office to greet clients and start information gathering
Small children may be present.
• Have toys/activities/snacks to keep them occupied and comfortable

Provisions
Have things in place for your policyholders such as water and other beverages, snacks, and most of all… friendly faces.
They want you to help them and are there to make a claim.
Treat each policyholder as if this were the only claim you received that day because it is their only one.
Ask your staff to put on their game face to focus on the policyholder’s needs, even though they too are likely to have been affected by the disaster in some way.

Some Final Thoughts
Be sensitive to the pressures on your staff in the aftermath of a disaster
Schedule shifts that will give your staff time to rest, take care of their personal needs, and rejuvenate themselves.
Unfortunately, disasters can strike in many different forms and levels of magnitude
Some people can handle them, others cannot

The Key
Do not be complacent, because disasters do happen.
If you plan for the possibility, work your plan, monitor it, and modify it when you need to, you will be prepared, both personally and professionally, and you will guide your agency through the disaster successfully.

Tips for Preventative Maintenance

Power
Power Backup solutions
• UPS
• Generator
• Dual Power Grid

Data Risks and Solutions
Tape
Redundant Servers & Storage devices
Off-site / On-line backup solutions (i.e. Courtesy Care Online Data Backup Service, LiveVault)
High Availability solutions (HA… Server replication at alternative secured location or data center)
Redundant Telco / Data connections (different providers)
Other types of data backup (USB2, portable hd, mem stick, SAN)

System Preventative Maintenance
• Monthly defrags
• Scheduled UPS & Generator test
• Data Test Restore, and configuration, updates
• OS Security Updates (server, workstation, router, firewall)
• Monitoring of System and hardware utilization
• IDS / IPS solutions

Hidden Software Security Issues
• Firewall
• Router
• Anti-Virus
• SPAM
• Monitoring Tools
• Spyware / Malware
• Social Engineering

Helpful Suggestions
Ensure you have the right generator for the job (and know how to safely utilize them)
Secure access to Satellite phones
Diversified carriers for mobile phones
Digital cameras (phone cameras)
Portable fax or copier (car / motel)
Laptops (with remote wireless access) Sprint, AT&T, etc.
Hardware ‘ready spares’
Security Policies and Procedures (enforced)

Additional Resources
IIABA has released the Best Practices of Crisis Management—A Step-By-Step Business Recovery Planner.
This tool includes both a written manual and an interactive CD designed to enable you to create an in-house, fully customized plan to lead your agency step-by-step through the disaster recovery process. This guide is available for $99.95—shipping and handling included. (www.independentagent.com, click on Best Practices, then click on Best Practices Product Catalog.)
The Institute for Business and Home Safety (IBHS) has a free “Disaster Planning Toolkit for the Small Business Owner” on its web site which includes a lot of helpful forms.
In addition, free single copies of a “Disaster Recovery Folder” are available from IBHS. This tool contains planning advice and can hold the agency’s important papers. These tools also make good hand-outs for the agency’s policyholders. To access the tools, go to www.ibhs.org and click on “Open for Business.”
The National Institute for Occupational Safety and Health (NIOSH) web site contains an excellent list of emergency preparedness resources and emergency contact information at: http://www.cdc.gov/niosh/topics/prepared/.
A search of “Insurance Agent Disaster Planning” and “Small Business Disaster Planning” on www.google.com displays several additional resources to consider.
Disaster Recovery International
• www.drii.org
Certified Business Continuity Professional CBCP
• www.drii.org
The SANS Institute (SysAdmin, Audit, Networking, & Security)
• www.sans.org
IIABA/ACT
• (www.iiaba.org/act)
Disaster Recovery Journal
• (www.drj.com)
Global Continuity
• (www.globalcontinuity.com)
CPM
• (www.contingencyplanning.com)

Disaster Recovery
Questions and Answers
Tim Woodcock
Courtesy Computers, Inc.
6700 Griffin Road
Davie, Florida 33314
954-321-8605
www.courtesycomputers.com