Upload
rodney-west
View
217
Download
0
Tags:
Embed Size (px)
Citation preview
Implementing DisasterRecovery Plans
Chapter 9
You Will Learn How To…
Develop an implementation plan Assign responsibilities for implementation Establish an implementation schedule Distribute the disaster recovery documentation Assess the value and effectiveness of mitigation
steps Manage internal and external awareness
campaigns Launch a training program for disaster recovery
Developing an Implementation Plan
Implementation plan affects all the departments in an organization The plan must be managed step by step, and progress must be evaluated
on a scheduled basis Implementation plan requires training for all employees, and might require
new equipment and procedures Events occurring during implementation
Responsibilities for implementation are assigned to members of the disaster recovery planning team and departmental groups
An implementation schedule is developed, with timelines and planned progress evaluations
Disaster recovery documentation is distributed to everyone who needs copies, or online access is provided
The value and effectiveness of mitigation steps are assessed. New mitigation steps could be put into place, and existing steps may be modified
The organization plans and launches internal and external awareness campaigns The organization develops and launches employee training programs for disaster
recovery procedure
Developing and Implementation Plan
Organization wide activities may include raising awareness and training
Deployment of equipment and other like actions may need to occur at the facility level
The departments and work groups affected by new or changed procedures must make these changes or additions
Organizational levels for implementing parts of the plan
Assigning Responsibilities for Implementation
The disaster recovery planning coordinator and planning team assign responsibilities for implementing the plan
The coordinator takes the lead in monitoring and evaluating the progress of implementation
The activities involved in implementation include directing management to establish liaisons with law enforcement and emergency services
Managers need to assign activities to employees Department work groups implement the aspects of the
plan that impact their department Activities include changing existing procedures and evaluating
mitigation steps, as well as developing new mitigation procedures to support recovery priorities in the plan
Assigning Responsibilities for Implementation
The Purchasing Department takes the lead in processing all paperwork necessary to acquire equipment necessary to implement the plan
If the new equipment is used only in one department, that department may install the equipment
New contracts needed for the recovery must be developed by the department with the Purchasing Department, and ensures fees and retainers are paid
Solid liaisons must be established with law enforcement, emergency services organizations, and contractors Disaster recovery coordinator, facility managers, and disaster
response team work to establish these liaisons, as well as maintain the relationships over the long term
Implementation activities
Implementation tasks
Many activities may be broken down into specific tasks assigned to employees or departments that are not part of the planning team
Establishing an Implementation Schedule
Disaster recovery planning team establishes an implementation schedule for completing each activity in the plan
Available resources, geography, and other factors will influence the speed of this schedule
The disaster recovery planning coordinator and planning team must monitor the progress of the implementation
A monthly report of accomplishments and activities that are behind schedule should be compiled by the coordinator
The team may modify the schedule as conditions warrant, or suggest acceleration to various departments
The planning team should bring obstacles to the attention of executives so that the obstacles can be cleared by the influence of the executive
Sample implementation schedule
Distributing the Disaster Recovery Documentation
The plan must be distributed during the implementation, rehearsal and testing phases
Disaster recovery plan documents include all the written analyses, policies, and procedures that employees and contractors should follow when responding to a disaster
Organizations should not rely on just one method to make documents available to response teams
As long as the intranet web servers function, they are acceptable for distributing disaster recovery plan documents
Each distribution method has unique advantages and disadvantages
Distribution alternatives
Assessing the Value and Effectiveness of Mitigation Steps
Mitigation steps are used to reduce the impact of system failure or disruption of operations
Many of these steps are common practices for managing assets or business processes
Such steps include backing up computer files to mitigate the consequences of disk or system failure
The exposure inventory and risk assessments collected information on mitigating and avoiding business disruptions
All mitigation steps must have a sound economic value Table 9-6 illustrates that if power is lost nine times per year, the
return on investment (ROI) for using a UPS to protect the server is about 15 months
Analysis of the value of UPS
Assessing the Value and Effectiveness of Mitigation Steps
Determining what kind of data back-up systems an organization should use is more difficult than analyzing the benefits of a UPS
System backups are certainly necessary to preserve computer files and databases
The selection of particular back-up systems depends on a number of factors
Analysis of the value of data backup systems
Assessing the Value and Effectiveness of Mitigation Steps
After determining how much money could be saved The planning team can examine what types of data back-up systems to
put in place How much the organization should spend for them
The planning team should address several questions before selecting a back-up system How resilient to failure is the back-up system? Can it be used for more than one system or application, thus improving
ROI? What level of disaster does the back-up system help mitigate (e.g.,
catastrophic, major, or minor)? How much does it cost to deploy the back-up system? How much IT staff time is needed to maintain the back-up system?
The planning team should use ROI analyses to evaluate mitigation steps that make economic sense
Managing Internal and External Awareness Campaigns
As an organization develops and implements a disaster recovery plan, it needs to make employees highly aware of the plan
During training, employees should learn the details of the plan and learn their roles and responsibilities during disaster response
The goal of the awareness program is to indoctrinate employees about the importance of disaster response and recovery
Depending on an organization’s resources, there are several ways to increase awareness during plan implementation
Using Existing Channels of Communication
Organizations often have employee relations programs, customer relations management systems, and business partner communications that can help build awareness
Some forms of communication include Employee newsletters Bulletin boards Motivational posters Intranets with employee information sections E-mail announcement lists Customer relations e-mail newsletters and bulletins Business partner Web sites Corporate Web portals with sections for employees, customers,
and business partners
Building Awareness Among Employees
Organizations can use regularly scheduled department or work group meetings to call attention to disaster recovery planning efforts
A series of announcements that department managers and supervisors can use in their meetings may include A basic description of disaster recovery planning The mission statement of the planning team The status of disaster recovery planning The status of implementing the recovery plan The schedule for disaster recovery training The schedule for testing recovery procedures
Building Awareness Among Customers and Business
Partners Managers of the Customer Relations Department can build
awareness among customers through newsletter articles, e-mail bulletins, or announcements at meetings
Channel managers or product managers can build similar awareness among business partners
Bulletins and announcements to both customers and business partners should include the following materials Basic description of disaster recovery planning How the organization works with customers or business partners to
develop recovery procedures How the disaster recovery plan can benefit customers or business
partners What customers or business partners can expect when a disaster
strikes Basic steps for customers or business partners to follow in a disaster
Launching a Training Program for Disaster Recovery
The scope and depth of the training program depend on the size and type of the organization
Training must be developed for several levels of employee involvement
Training with local emergency organizations is also advisable General broad training should be developed from the overall plan,
for managers, supervisors, or all employees More specific training modules directed toward middle managers,
supervisors, and disaster response teams These modules include training on how teams should be organized,
along with activities that require managers and employees to be involved
Some specialized training may also be necessary for certain special procedures
General disaster recovery training modules
Specialized training modules
Training modules for special disaster recovery procedures
Elements of Disaster Recovery Training Modules
Most of the material required to develop a training program should already be included in the disaster recovery plan
The plan documentation may not always be easy to convert to training material
The training modules should contain several elements that are presented in different formats
Elements of disaster recovery training modules
Launching a Training Program for Disaster Recovery
The disaster recovery planning team should watch and approve training presentations before they are given to the entire organization
Overheads and slides used during disaster recovery training should look professional and be easy to read from all parts of the training rooms
When trainers use sections of the disaster recovery plan in their training, they should organize the sections separately for each training module
An evaluation form should inquire about the overall quality of the training, as well as the quality of materials used during training
The overview of the recovery plan is designed for all employees, and should be included in all training modules
The overview should last about one hour; it should focus on what is expected from employees during a disaster, and how they should report to supervisors or middle managers
Training for Executives
Training modules designed for executives should be tightly structured
It should include only as much detail as necessary to explain what is expected of them during a disaster
Table 9-12 shows a recommended training session for executives
The training is designed so that sessions can be held independently, grouped for the convenience of executives, or delivered in a single day
Disaster recovery training for executives
Training for Middle Managers
Middle managers generally have far more extensive roles in disaster response and recovery than executives
Their recovery training needs to cover topics in greater depth
Table 9-13 shows a recommended training session for middle managers
Sessions can be held independently, grouped for the managers’ convenience, or delivered in a three-day training session
Disaster recovery training for middle managers
Training for Supervisors
Supervisors generally have more extensive roles in disaster response and recovery than executives
They work under the direction of middle managers to implement procedures or support a specific response team
Disaster recovery training for supervisors needs to cover the same topics as that for executives, but not in as much depth as the training for middle managers
Table 9-14 shows a recommended training session for supervisors
Sessions can be held independently, grouped for the supervisors’ convenience, or delivered in a one-day training session
Disaster recovery training for supervisors
Training for Disaster Response Teams
Training specific response teams is the most complicated aspect of disaster response and recovery training
Response teams must be trained on much of the same material as executives and middle managers
They must be extremely well trained in their own roles to ensure that disaster response proceeds smoothly
Training modules for specific response teams should provide in-depth coverage of procedures, so that team members fully understand their responsibilities in a disaster
All response team members should attend disaster recovery training for middle managers, as well as specialized training designed for their team
Table 9-15 shows recommended training sessions for specific disaster response teams
Training sessions for specific response teams
Training for Employees
All employees should be required to attend training that is appropriate for their management level and participation on response teams
Disaster recovery coordinators should work with the Human Resources and Training departments to ensure that trainers receive a list of all employees who are scheduled to attend specific modules
Trainers should record attendance on a class roster and return it to the office that schedules training
Chapter Summary
The implementation plan affects all the departments in an organization
The plan must be managed step by step, and progress must be evaluated on a scheduled basis
The activities required to implement a disaster recovery plan range from directing management to establishing liaisons with local law enforcement and emergency services
The disaster recovery planning coordinator and the planning team assign responsibilities for implementing the plan
The coordinator takes the lead role in monitoring and evaluating the progress of implementation
Chapter Summary
Once responsibilities have been assigned for specific activities and tasks, the disaster recovery planning team needs to establish an implementation schedule for completing each activity in the recovery plan
The disaster recovery plan must be distributed and made available during implementation, test and rehearsal steps, and thereafter
Organizations should not rely on just one method to make documents available to response teams
Chapter Summary
All mitigation steps must have sound economic value As an organization develops and implements a disaster
recovery plan, it needs to make employees highly aware of the plan
The disaster recovery training plan is an essential element of being prepared for a disaster
The scope and depth of the training program depend on the size and type of the organization
Training must be developed for several levels of employee involvement
Training with local emergency organizations is also advisable