Implementing DisasterRecovery Plans

Chapter 9

You Will Learn How To…

Develop an implementation plan Assign responsibilities for implementation Establish an implementation schedule Distribute the disaster recovery documentation Assess the value and effectiveness of mitigation

steps Manage internal and external awareness

campaigns Launch a training program for disaster recovery

Developing an Implementation Plan

Implementation plan affects all the departments in an organization The plan must be managed step by step, and progress must be evaluated

on a scheduled basis Implementation plan requires training for all employees, and might require

new equipment and procedures Events occurring during implementation

Responsibilities for implementation are assigned to members of the disaster recovery planning team and departmental groups

An implementation schedule is developed, with timelines and planned progress evaluations

Disaster recovery documentation is distributed to everyone who needs copies, or online access is provided

The value and effectiveness of mitigation steps are assessed. New mitigation steps could be put into place, and existing steps may be modified

The organization plans and launches internal and external awareness campaigns The organization develops and launches employee training programs for disaster

recovery procedure

Developing and Implementation Plan

Organization wide activities may include raising awareness and training

Deployment of equipment and other like actions may need to occur at the facility level

The departments and work groups affected by new or changed procedures must make these changes or additions

Organizational levels for implementing parts of the plan

Assigning Responsibilities for Implementation

The disaster recovery planning coordinator and planning team assign responsibilities for implementing the plan

The coordinator takes the lead in monitoring and evaluating the progress of implementation

The activities involved in implementation include directing management to establish liaisons with law enforcement and emergency services

Managers need to assign activities to employees Department work groups implement the aspects of the

plan that impact their department Activities include changing existing procedures and evaluating

mitigation steps, as well as developing new mitigation procedures to support recovery priorities in the plan

Assigning Responsibilities for Implementation

The Purchasing Department takes the lead in processing all paperwork necessary to acquire equipment necessary to implement the plan

If the new equipment is used only in one department, that department may install the equipment

New contracts needed for the recovery must be developed by the department with the Purchasing Department, and ensures fees and retainers are paid

Solid liaisons must be established with law enforcement, emergency services organizations, and contractors Disaster recovery coordinator, facility managers, and disaster

response team work to establish these liaisons, as well as maintain the relationships over the long term

Implementation activities

Implementation tasks

Many activities may be broken down into specific tasks assigned to employees or departments that are not part of the planning team

Establishing an Implementation Schedule

Disaster recovery planning team establishes an implementation schedule for completing each activity in the plan

Available resources, geography, and other factors will influence the speed of this schedule

The disaster recovery planning coordinator and planning team must monitor the progress of the implementation

A monthly report of accomplishments and activities that are behind schedule should be compiled by the coordinator

The team may modify the schedule as conditions warrant, or suggest acceleration to various departments

The planning team should bring obstacles to the attention of executives so that the obstacles can be cleared by the influence of the executive

Sample implementation schedule

Distributing the Disaster Recovery Documentation

The plan must be distributed during the implementation, rehearsal and testing phases

Disaster recovery plan documents include all the written analyses, policies, and procedures that employees and contractors should follow when responding to a disaster

Organizations should not rely on just one method to make documents available to response teams

As long as the intranet web servers function, they are acceptable for distributing disaster recovery plan documents

Each distribution method has unique advantages and disadvantages

Distribution alternatives

Assessing the Value and Effectiveness of Mitigation Steps

Mitigation steps are used to reduce the impact of system failure or disruption of operations

Many of these steps are common practices for managing assets or business processes

Such steps include backing up computer files to mitigate the consequences of disk or system failure

The exposure inventory and risk assessments collected information on mitigating and avoiding business disruptions

All mitigation steps must have a sound economic value Table 9-6 illustrates that if power is lost nine times per year, the

return on investment (ROI) for using a UPS to protect the server is about 15 months

Analysis of the value of UPS

Assessing the Value and Effectiveness of Mitigation Steps

Determining what kind of data back-up systems an organization should use is more difficult than analyzing the benefits of a UPS

System backups are certainly necessary to preserve computer files and databases

The selection of particular back-up systems depends on a number of factors

Analysis of the value of data backup systems

Assessing the Value and Effectiveness of Mitigation Steps

After determining how much money could be saved The planning team can examine what types of data back-up systems to

put in place How much the organization should spend for them

The planning team should address several questions before selecting a back-up system How resilient to failure is the back-up system? Can it be used for more than one system or application, thus improving

ROI? What level of disaster does the back-up system help mitigate (e.g.,

catastrophic, major, or minor)? How much does it cost to deploy the back-up system? How much IT staff time is needed to maintain the back-up system?

The planning team should use ROI analyses to evaluate mitigation steps that make economic sense

Managing Internal and External Awareness Campaigns

As an organization develops and implements a disaster recovery plan, it needs to make employees highly aware of the plan

During training, employees should learn the details of the plan and learn their roles and responsibilities during disaster response

The goal of the awareness program is to indoctrinate employees about the importance of disaster response and recovery

Depending on an organization’s resources, there are several ways to increase awareness during plan implementation

Using Existing Channels of Communication

Organizations often have employee relations programs, customer relations management systems, and business partner communications that can help build awareness

Some forms of communication include Employee newsletters Bulletin boards Motivational posters Intranets with employee information sections E-mail announcement lists Customer relations e-mail newsletters and bulletins Business partner Web sites Corporate Web portals with sections for employees, customers,

and business partners

Building Awareness Among Employees

Organizations can use regularly scheduled department or work group meetings to call attention to disaster recovery planning efforts

A series of announcements that department managers and supervisors can use in their meetings may include A basic description of disaster recovery planning The mission statement of the planning team The status of disaster recovery planning The status of implementing the recovery plan The schedule for disaster recovery training The schedule for testing recovery procedures

Building Awareness Among Customers and Business

Partners Managers of the Customer Relations Department can build

awareness among customers through newsletter articles, e-mail bulletins, or announcements at meetings

Channel managers or product managers can build similar awareness among business partners

Bulletins and announcements to both customers and business partners should include the following materials Basic description of disaster recovery planning How the organization works with customers or business partners to

develop recovery procedures How the disaster recovery plan can benefit customers or business

partners What customers or business partners can expect when a disaster

strikes Basic steps for customers or business partners to follow in a disaster

Launching a Training Program for Disaster Recovery

The scope and depth of the training program depend on the size and type of the organization

Training must be developed for several levels of employee involvement

Training with local emergency organizations is also advisable General broad training should be developed from the overall plan,

for managers, supervisors, or all employees More specific training modules directed toward middle managers,

supervisors, and disaster response teams These modules include training on how teams should be organized,

along with activities that require managers and employees to be involved

Some specialized training may also be necessary for certain special procedures

General disaster recovery training modules

Specialized training modules

Training modules for special disaster recovery procedures

Elements of Disaster Recovery Training Modules

Most of the material required to develop a training program should already be included in the disaster recovery plan

The plan documentation may not always be easy to convert to training material

The training modules should contain several elements that are presented in different formats

Elements of disaster recovery training modules

Launching a Training Program for Disaster Recovery

The disaster recovery planning team should watch and approve training presentations before they are given to the entire organization

Overheads and slides used during disaster recovery training should look professional and be easy to read from all parts of the training rooms

When trainers use sections of the disaster recovery plan in their training, they should organize the sections separately for each training module

An evaluation form should inquire about the overall quality of the training, as well as the quality of materials used during training

The overview of the recovery plan is designed for all employees, and should be included in all training modules

The overview should last about one hour; it should focus on what is expected from employees during a disaster, and how they should report to supervisors or middle managers

Training for Executives

Training modules designed for executives should be tightly structured

It should include only as much detail as necessary to explain what is expected of them during a disaster

Table 9-12 shows a recommended training session for executives

The training is designed so that sessions can be held independently, grouped for the convenience of executives, or delivered in a single day

Disaster recovery training for executives

Training for Middle Managers

Middle managers generally have far more extensive roles in disaster response and recovery than executives

Their recovery training needs to cover topics in greater depth

Table 9-13 shows a recommended training session for middle managers

Sessions can be held independently, grouped for the managers’ convenience, or delivered in a three-day training session

Disaster recovery training for middle managers

Training for Supervisors

Supervisors generally have more extensive roles in disaster response and recovery than executives

They work under the direction of middle managers to implement procedures or support a specific response team

Disaster recovery training for supervisors needs to cover the same topics as that for executives, but not in as much depth as the training for middle managers

Table 9-14 shows a recommended training session for supervisors

Sessions can be held independently, grouped for the supervisors’ convenience, or delivered in a one-day training session

Disaster recovery training for supervisors

Training for Disaster Response Teams

Training specific response teams is the most complicated aspect of disaster response and recovery training

Response teams must be trained on much of the same material as executives and middle managers

They must be extremely well trained in their own roles to ensure that disaster response proceeds smoothly

Training modules for specific response teams should provide in-depth coverage of procedures, so that team members fully understand their responsibilities in a disaster

All response team members should attend disaster recovery training for middle managers, as well as specialized training designed for their team

Table 9-15 shows recommended training sessions for specific disaster response teams

Training sessions for specific response teams

Training for Employees

All employees should be required to attend training that is appropriate for their management level and participation on response teams

Disaster recovery coordinators should work with the Human Resources and Training departments to ensure that trainers receive a list of all employees who are scheduled to attend specific modules

Trainers should record attendance on a class roster and return it to the office that schedules training

Chapter Summary

The implementation plan affects all the departments in an organization

The plan must be managed step by step, and progress must be evaluated on a scheduled basis

The activities required to implement a disaster recovery plan range from directing management to establishing liaisons with local law enforcement and emergency services

The disaster recovery planning coordinator and the planning team assign responsibilities for implementing the plan

The coordinator takes the lead role in monitoring and evaluating the progress of implementation

Chapter Summary

Once responsibilities have been assigned for specific activities and tasks, the disaster recovery planning team needs to establish an implementation schedule for completing each activity in the recovery plan

The disaster recovery plan must be distributed and made available during implementation, test and rehearsal steps, and thereafter

Organizations should not rely on just one method to make documents available to response teams

Chapter Summary

All mitigation steps must have sound economic value As an organization develops and implements a disaster

recovery plan, it needs to make employees highly aware of the plan

The disaster recovery training plan is an essential element of being prepared for a disaster

The scope and depth of the training program depend on the size and type of the organization

Training must be developed for several levels of employee involvement

Training with local emergency organizations is also advisable