A Professional’s Guide To The Contents Of A Business .

Transcription

A Professional’s Guide to the Contents of a Business Continuity Plan

by William M. Adney
InfoSolutions, Inc.
3642 Racquet Club Drive
Grand Prairie, TX 75052-6107
Phone: 972-642-4549
Email: billadney@compuserve.com

Reviewed by: Kelley Goggins, MBCP

TABLE OF CONTENTS

EXECUTIVE SUMMARY
  Objectives
  Business Continuity Plan (BCP) Overview
    Chapter 1 – Overview and General Information
    Chapter 2 – Critical Business Continuity Plan Information
    Chapter 3 – Plan Administration and Maintenance
    Chapter 4 – Plan Testing and Test Reports
    Chapter 5 – Appendices
  The Crisis Management Plan (CMP) and the BCP
  About the Author

Contents of a Business Continuity Plan

Chapter 1 – Overview and General Information
  1.0 Before You Begin
    1.0.1 Cover page
    1.0.2 Confidentiality Statement
    1.0.3 Distribution/Update List
    1.0.4 Table of Contents
  1.1 Business Continuity Plan Overview
    1.1.1 Objectives
    1.1.2 Scope
  1.2 Business Continuity Plan Policy
  1.3 Business Continuity Plan Assumptions
  1.4 Business Impact Analysis (BIA) Summary
  1.5 Business Continuity Strategy
    1.5.1 Emergency Operations Center (EOC) Locations/Contacts
    1.5.2 Alternate Site Locations and Contacts
  1.6 BCP Team Description and Organization Chart
    1.6.1 BCP Team Responsibilities
    1.6.2 BCP Team Organization Chart

Chapter 2 – Critical Business Continuity Plan Information
  2.1 Executive Management Team
    2.1.1 Executive Management Team Call List
    2.1.2 Executive Management Team Task List
    2.1.3 Executive Management Team Customer List
    2.1.4 Executive Management Team Equipment List
    2.1.5 Executive Management Team Software List
    2.1.6 Executive Management Team Supplies List
    2.1.7 Executive Management Team Telecommunications List
    2.1.8 Executive Management Team Vendor List
    2.1.9 Executive Management Team Vital Records List
  2.2 Business Continuity Coordinator (BCC)
  2.3 Damage Assessment/Salvage Team
  2.4 Logistics/Transportation Team
  2.5 PR/Communications Team
  2.6 Facilities/Security Team
  2.7 Accounting Team
  2.8 Telecommunications Team
  2.9 Information Technology Team
  2.10 Marketing Team

Chapter 3 – Plan Administration and Maintenance
  3.1 Business Continuity Coordinator (BCC)
    3.1.1 Responsibilities
  3.2 Business Continuity Plan Administrators (BCA)
    3.2.1 Responsibilities
  3.3 Business Continuity Plan Administration
    3.3.1 BCP Awareness and Training
    3.3.2 Exercising (Testing) the BCP
  3.4 Business Continuity Plan Maintenance
    3.4.1 When and How to Update the BCP
    3.4.2 Business Impact Analysis (BIA) Maintenance
  3.5 BCP Approvals
    3.5.1 Senior Management Approval
    3.5.2 Board of Directors Approval (if applicable)

Chapter 4 – Plan Exercises and Exercise Reports
  4.1 BCP Exercise (Testing) Methodology
  4.2 When to Exercise (Test) the BCP
  4.3 Developing the Exercise (Test) Scenario or Plan
  4.4 Exercise (Test) Evaluation
  4.5 Exercise (Test) Reports

Chapter 5 – Appendixes
  APPENDIX A – GLOSSARY
  APPENDIX B – HOT SITE INFORMATION (Sample)
  APPENDIX C – JCN Model 00 Server Recovery Procedure (Sample)

List of Tables
  Table 1 – BCP Distribution/Update List
  Table 2 – BIA Summary Example

List of Figures
  Figure 1 – BCP Team Organization Chart

ITPol A135-Disaster Recovery Plan Example

EXECUTIVE SUMMARY

Objectives

If you have never created a Business Continuity Plan (BCP), it seems to be one of the most difficult tasks based on my observations and experience, and there always seem to be a lot of questions about what should and should not be included in the BCP.

This document will help you determine and structure the basic information that should be in an effective and viable BCP. Information in this document is based on DRI International’s Professional Practices for Business Continuity Planners (see www.drii.org for the latest version) and other references as documented in the footnotes.

The objectives of A Professional’s Guide to the Contents of a Business Continuity Plan are to:

- Document a structure for your Business Continuity Plan.
- Describe the general contents of each section and subsection.
- Provide guidelines, recommendations, and some examples of items that you may need in your Business Continuity Plan.
- Suggest a structure to integrate a Crisis Management Plan (CMP) with your Business Continuity Plan.

Business Continuity Plan (BCP) Overview

The Business Continuity Plan (BCP) is generally organized so that information required during a recovery operation is closer to the beginning of the document, except for detailed recovery procedures (e.g., Recovery Procedures for the Windows 2000 Server). The Table of Contents contains five chapters as shown in the following sections.

One other important point: this document is intended as a guide, not an absolute requirement, to help you determine the contents of a BCP that is most appropriate for your organization. For example, I have shown five (5) chapters because it is easy to obtain 5-tab indexes, but I have written BCPs that contain twenty (20) or more chapters. In general, how you organize your BCP is not as important as being certain that you have all of the information required to effectively implement your plan.

Chapter 1 – Overview and General Information

Chapter 1 contains an overview of the BCP including the purpose, scope, objectives, and assumptions made for the plan. Additional sections and subsections include, but are not limited to, a company’s BCP Policy, BIA [1] Summary, recovery strategy, EOC location(s), damage assessment, escalation plans/procedures, and general information about the Crisis Management Team in this chapter. The BCP team organization chart is also included in this chapter.

Chapter 2 – Critical Business Continuity Plan Information

Chapter 2 contains the call lists, task lists, and various resource inventories by team to make it easier to execute the BCP, as well as to improve the ease of distribution and updating. Inventories include lists of Customers, Equipment, Software, Supplies, Telecommunications, Vendors, and Vital Records that are required to support the BCP.

Chapter 3 – Plan Administration and Maintenance

Chapter 3 contains a variety of information related to administering and maintaining the BCP. It includes sections and subsections on administration, training, maintenance, awareness programs, education, and auditing the BCP. While most of this information is the responsibility of the Business Continuity Coordinator, it also documents important procedures such as the Board of Directors’ annual approval of the BCP for bank and other financial institution operations as required by the Federal Financial Institutions Examination Council (FFIEC). [2] This policy applies to all FFIEC agencies including the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).

Chapter 4 – Plan Testing and Test Reports

Chapter 4 contains information on the various types and frequency of plan testing. New terms will be added to the Glossary as required, such as tactical exercise (“war game”), etc. This chapter also provides a repository for test reports, although some Business Continuity Coordinators prefer to place test reports in an appendix.

[1] DRII Professional Practices – Subject Area 3: Business Impact Analysis
[2] FFIEC Corporate Business Resumption and Contingency Planning Policy, Revised March 1997

Chapter 5 – Appendices

Chapter 5 contains various appendixes, including detailed procedures, that support the BCP. For example:

A  Glossary
B  Recovery Site Information (e.g., directions, maps, contract copies, etc.)
Other appendixes (for detailed procedures, etc.) as required.

Appendix A includes a glossary which is a substantial revision of the current DRII terminology plus some new terminology, such as Business Continuity Coordinator, Business Continuity Plan, and Business Continuity Planner. Some of the current terms are not consistent with DRII Professional Practices and will be replaced in the glossary.

The Crisis Management Plan (CMP) and the BCP

Every organization has a variety of crises which may range from a simple building evacuation for some reason (e.g., a bomb threat) to a full-scale, easily recognized disaster. The objective of the Crisis Management Plan (CMP) is to manage these crises, and provide a framework and structure for activating the Business Continuity Plan (BCP).

For example, I normally include three essential teams in the CMP:

- Damage Assessment/Salvage Team
- Logistics/Transportation Team
- Public Relations/Communications Team

Also, I include an Escalation Plan in the CMP to provide the Crisis Management Team (CMT) with a guideline on when a disaster declaration may be appropriate. A guideline is just that – a guideline, and it is up to an organization’s most senior management (i.e., the CMT) to determine what is appropriate based on the circumstances at the time of the specific event.

For purposes of this paper, all teams shown above and the Escalation Plan will be shown as part of the BCP; however, you may need to adjust these teams and names for consistency in your own BCP and/or CMP.

About the Author

Bill Adney has over 35 years’ experience in data processing and over 25 years’ experience in Business Continuity Planning.

Mr. Adney is currently president and owner of InfoSolutions, Inc. He has performed a wide variety of disaster recovery, information/physical security, and programming consulting assignments for major firms in the retail, insurance, financial, manufacturing, and aerospace industries, involving work with a wide variety of system configurations, including IBM mainframes, minicomputers, LAN/WAN networks, and personal computers. These assignments have included responsibility for large project management, business continuity/disaster recovery project planning and implementation/testing, and information security project planning and implementation, and have required knowledge of data center security and operations, applications development and implementation, and programming.

As Manager of Security and Contingency Programs for a large West Coast oil company, he was directly responsible for the planning and implementation of the corporate disaster recovery plan and user recovery procedures for the critical financial systems. His overall data processing experience dates back to 1967, and he has actively developed a wide variety of disaster recovery and business continuity plans since 1977. Mr. Adney has successfully developed DRPs and BCPs for companies such as Texas Instruments, McDonnell Douglas, Household International, E-Systems, Chief Auto Parts, FootActionUSA, Metropolitan Life, Texas Department of Criminal Justice, Sunbeam Corporation, The Associates, PEMCO Financial Services, The South Financial Group, Washington Mutual, and the Veterans Administration – Financial Services Center.

Contents of a Business Continuity Plan

Chapter 1 – Overview and General Information

Chapter 1 contains an overview of the BCP including the purpose, scope, objectives, and assumptions made for the plan. Additional sections and subsections include, but are not limited to, a company’s BCP Policy, BIA Summary, recovery strategy, EOC location(s), damage assessment, escalation plans/procedures, and general information about the Crisis Management Team in this chapter. The team organization and an organization chart are also included in this chapter.

1.0 Before You Begin

In accordance with the DRII Professional Practices, there are several steps you should have completed before you begin the preparation of your Business Continuity Plan:

1. Project Initiation and Control
2. Risk Evaluation and Control
3. Business Impact Analysis
4. Developing Recovery Strategies
5. Emergency Response and Operations
10. Coordination with Public Authorities

I have found that item 5. Emergency Response and Operations and item 10. Coordination with Public Authorities seem to be most appropriate in the Crisis Management Plan.

The following DRII Professional Practices areas will be specifically addressed in this Business Continuity Plan:

6. Developing and Implementing Business Continuity Plans
7. Awareness and Training Programs
8. Maintaining and Exercising Business Continuity Plans
9. Public Relations and Crisis Coordination

There are at least two documents you should prepare before you get too far along in your BCP: a cover page and a table of contents. Other documents you should also have are described in the following sections.

1.0.1 Cover page

The cover page may be the most important part of your BCP, at least in the beginning. When someone asks to see your plan, even if you don’t have a professional binding, a nice cover page will make a good impression. Your company logo on the cover page helps convey a professional image. Keep the cover page simple and professional.

1.0.2 Confidentiality Statement

The information in your BCP is quite sensitive and usually confidential within your organization or company, so you should at least have a Confidentiality Statement immediately after the cover page. Some organizations have security requirements that dictate a statement of confidentiality appear on every page, usually in a footer. Be sure to find out any special requirements for your organization or company.

1.0.3 Distribution/Update List

Your BCP will need updating, especially the call lists when people change positions or leave the organization, and you will need some way of tracking who has the BCP and when the last update was made to that particular copy. A distribution/update list helps with this task, especially if you are the Business Continuity Coordinator and need to be able to look at a particular BCP to determine its latest update.

The distribution/update list only needs to have the following information:

Name | Phone | Mail Location | Date Issued | BCP Updated on | BCP Updated by

Table 1 – BCP Distribution/Update List

If you have the mail location on your list as shown above, you can simply attach the page to the updates you send out and highlight the name and mail location.

1.0.4 Table of Contents

I have found it’s always helpful to prepare a draft table of contents, or at least an outline, of what I expect to have in a BCP before I actually begin writing. A few minutes’ thought and planning can save you a lot of time later on. Of course, you will want to use the automated feature of most word processors to generate your table of contents as a final document.

1.1 Business Continuity Plan Overview

An overview and description of the organization of the Business Continuity Plan.

For example:

Chapter 1 contains an overview of the BCP including the purpose, scope, objectives, and assumptions made for the plan. Additional sections and subsections include, but are not limited to, ABC company’s BCP Policy, BIA Summary, recovery strategy, EOC location(s), damage assessment, escalation plans/procedure
