Chapter 14. Plenty of Questions

‘How can we have wondered about so much for so long, and received so few answers?’

--The Judybats

Here is a long assorted list of general and specific questions that business owners can ask themselves, or put to the persons responsible for disaster prevention and recovery.

The most important question

This chapter contains dozens of questions related to DR and BC planning, but there is one important question that must be answered before any work can start on creating a proper DR or BC setup:

How do you get commitment from top management for DR and BC planning?

It is easy to get the best possible plans, technical equipment, manpower, external consultants, etc, for establishing a proper disaster recovery setup if an organization is willing to invest the right amount of money. However, none of this is achievable if senior management, the decision-makers in an organization, are unable or unwilling to spend money on it. The inertia could be caused by financial or political factors or simply lack of knowledge.

An organization may have hired some IT staff or an external vendor to provide tech support for an important server. But, speaking from a business perspective, the IT staff, operators or external vendors are not really the owners of DR or BC for the organization. For example, if the server blows to pieces the IT staff cannot be held responsible for the organization being unable to conduct its business. Actually, the true owners of DR and BC are the business managers of an organization. They should know or understand what they will lose in financial, reputation or legal terms due to stoppage of various critical business and IT functions. They are responsible for ensuring provision of the necessary budgets, manpower, resources, alternative methods, etc, to tackle and prevent disasters.

Hence, for a successful DR or BC setup, the drive has to come from the top. It is usually the job of a CTO (Chief Technical Officer) or CIO (Chief Information Officer) to prepare a convincing DR or BC proposal with the necessary justifications to establish a DR or BC site for the IT systems. However, senior management and business managers are usually not interested in the technical ‘nitty-gritty’ of a DR or BC plan. They will mainly want to see a financial figure and why that amount has to be spent. A DR proposal therefore needs to cover all the following points:

  • Aim and objectives. For example, why the organization must have a DR-BC plan facility.

  • A list of all business critical functions and their priorities or importance. For example, our organization has the critical systems A, B and C.

  • An estimated business or revenue loss if those critical functions stop beyond an acceptable timeframe. For example, US$5,000 loss per day if the main sales system fails.

  • Reputation losses from disasters. For example, a newspaper report about the lack of DR and BC plan facilities for a reputable organization leading to the company stock nose-diving.

  • Audit and regulatory requirements, and the penalties for not having a proper DR setup. For example, any penalties or fines for not sending some reports on time.

  • A high-level plan of business alternatives available or planned for each of the critical functions. For example, whether business alternatives are possible manually or available for rent, hire, lease, and at what cost.

  • A financial figure or budget of one-time and ongoing expenses involving hardware, software, manpower, non-technical items, real estate, and other expenses.

  • Timeframes to establish the DR or BC site.

  • Some high-level details and diagrams on how it works.

  • Other issues and requirements.

  • Signatures.

If the above proposal is brainstormed and approved, the second-level work of in-depth technical and non-technical details can start. The key job of a CTO or a CIO is not only to write a convincing proposal, but also to get it approved and signed off and to start the activities. And after establishing a DR or BC site he or she must be able to prove that the proposed site is adequate to meet the current and agreed business requirements.

Questions on planning, security, etc

(Yes, No or N/A for each)

  • Are your existing disaster recovery processes adequate?

  • Are your offices close to airports or military areas prone to various threats?

  • Are your offices close to factories and chemical plants that manufacture hazardous substances?

  • Are there proper access control systems to prevent unauthorized persons entering your premises?

  • Are employees allowing tailgating into the premises?

  • Do you have proper security policies and guidelines published?

  • Are your offices and workplaces fire-proof and waterproof? If not, what precautions do you need to take?

  • Is physical security of your offices and workplace adequate?

  • Are you sure that no unauthorized persons are entering your premises after office hours or during office hours, weekends or holidays?

  • Are you sure that employees and other personnel are not passing on sensitive information to unauthorized destinations?

  • Is your information security and classification adequate?

  • Are you sure that sensitive information is not stored in unprotected laptops and local hard disks of employee PCs?

Questions on technology

(Yes, No or N/A for each)

  • Are you sure that you are backing up all important data?

  • Have you insured and properly labelled all equipment?

  • Are you sure that laptops do not contain sensitive information?

  • Have you ever tested restoring important data?

  • Is there any obsolete equipment or software you are still using which is no longer supported by vendors?

  • Do you have sufficient redundancy on your telephone and other communication links?

  • Are you following software-licensing guidelines properly?

  • Is access to the data centre secure and to authorized persons only?

  • Have you ensured that there is no electrical overload anywhere?

  • Are all your critical and sensitive passwords secured?

  • Are you sure that no unauthorized persons are accessing your network?

  • Is your website safe from hackers?

  • Are your employees writing their passwords on whiteboards provided to them?

  • Do you have a proper firewall between your internal and external networks?

  • Do you have spare and redundant power supplies on critical IT equipment?

  • Are you adequately protected against spammers, hackers, and other attacks?

  • Is your senior management committed to spending enough on disaster recovery?

  • Are your networks hacker-proof?

  • Do you have proper anti-virus protection?

  • Do you have fire-proof safes to store backup tapes and important documents?

  • Do you have an offsite location to store important documents and tapes?

  • Is there a proper change management board to approve all technical changes to the infrastructure?

  • Are your telephones supplied by at least two different service providers?

  • Is your office public address system audible in every nook and cranny?

  • Are there enough static eliminators in fire hazard areas, data centres, etc?

  • Are your electrical systems and wiring of the proper standard?

  • Do you have proper UPS and electric generators to handle long power outages?

Questions on health and safety

(Yes, No or N/A for each)

  • Do all your critical staff know how to operate the fire extinguishers?

  • Does everyone know where the fire exits are, and are they marked clearly?

  • Is your company water supply free from pollution and safe for drinking?

  • Are there any harmful and hazardous materials stored in common areas?

  • Do you have enough emergency lamps, torches, etc, at the necessary places?

  • Is your fire alarm system in working condition?

  • Do you have 24x7 surveillance in critical areas?

  • Is there any water seepage in critical areas?

  • Do fire safety experts inspect your building periodically?

  • Do you have emergency medicines and first aid facilities on the premises?

  • Do you periodically have a clean-up drive to eliminate all hazardous and flammable material around the office and premises?

  • Do employees smoke cigarettes inside the office?

  • Are your smoke detectors in working condition?

  • Are the paths to the fire exits free from unwanted materials, boxes, etc?

  • Do you have periodic and surprise fire drill and building evacuation exercises?

  • Do you have posters, e-mails, newsletters, etc, that can be used to create awareness among employees?

  • Are all emergency numbers readily available?

  • Is your cafeteria clean and hygienic?

Questions on financial and legal issues

(Yes, No or N/A for each)

  • Do you have sufficient insurance coverage for all critical equipment?

  • Are you sure that all critical equipment is covered under vendor maintenance agreements?

  • Do you have sufficient capacity to meet reasonable peaks and sudden high demands?

  • Do you have backup copies or scanned copies of every important document?

  • Are your important paper documents safe?

  • Are you storing all financial information in a highly secure location?

  • Are you following professional management practices to avoid employee harassment, litigation, workplace bullying, legal complications, etc?

  • Are you following all government and local tax laws?

  • Are adequate budgets available to cover disaster recovery, business continuity, etc?

Questions on people

(Yes, No or N/A for each)

  • Do you have a list of all current emergency contact numbers?

  • Do you have enough technical staff to handle major emergencies and disasters?

  • Are there any critical business or technical functions that are handled/known only by one person? Is there somebody else who can handle those functions if the primary person falls sick or quits or dies?

  • Have employees installed electrical appliances such as coffeepots, radios, mobile chargers, etc? These appliances can cause electrical fires through short circuits. Building maintenance staff must be able to educate employees about the problems these appliances can cause.

  • Do any of your IT staff consume excessive alcohol or take drugs?

  • Are you paying best industry standard salaries to critical staff so that you don’t have frequent resignations?

  • Have you tried contacting all your key and critical staff after office hours or on weekends just for a mock exercise?

  • Is there a crisis management team to handle crisis situations?

  • Do you have a user awareness programme or training for employees on disaster recovery and preparedness?

  • Is there a specialized and dedicated department to handle disaster recovery, business continuity, crisis management, etc?
