Understanding BCP, DRP, and COOP ◾ 327
© 2011 by Taylor & Francis Group, LLC
Communications
In the event of any incident requiring the need to invoke a business continuity or
disaster recovery plan, communications within the organization and to all impacted
external parties are key. It is therefore important to ensure that you have a properly
thought out communications plan. You must identify beforehand and as part of
your plan preparation who will take responsibility for all communications and the
message you want to convey. e critical issue is to reduce alarm, putting the minds
of employees, suppliers, customers, and all other stakeholders (shareholders, etc.) at
ease. You also need to ensure that you have an appropriate communications plan
that provides for interaction with emergency services and government bodies (local
and national).
Communications Plan
Communications is concerned with several elements, all equally important:
e content: What do you want to say? Are you actually saying something by
omitting details?
e medium: How are you going to deliver the message? In a press interview?
Written or verbal?
e delivery: Why are you delivering the message? What are your expected
outcomes?
e timing: When do you deliver the message? How often should you repeat it
or provide updates?
e audience: Who are you expecting to listen? Will a single message reach out
to all or do you need dierent messages for dierent audiences?
First impressions count—if you deliver the correct message in the correct way
to the right audience and achieve the desired eect, i.e., reducing any exacerbation
of the situation and producing a calming, reassuring impact, then condence in
the organization will be sustained. However, a negatively received message can only
add to your damaged situation.
us your plan should identify the most appropriate person to deliver the
message in the correct format with the right level of detailed information using a
medium relevant for the intended audience.
Let us consider a sample of scenarios.
1. An explosion at your plant:
Who do you need to inform?
Who is the best person to make the initial communications?
How do you communicate with the emergency services?
328 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
How do you communicate with the families of your employees?
How do you communicate with the public in the vicinity impacted by
the incident?
How do you manage the internal communications to employees to ensure
continuity of operations?
2. A hostage situation:
With whom do you share the incident information?
What action can you take?
What assets have been impacted? People? Physical assets?
How do you communicate the information to the public? How much infor-
mation do you share to protect those involved? How do you communi-
cate to those relatives directly involved?
How do you work with government agencies?
How do you communicate with the hostage takers?
3. Flooding of key computer site:
Which vendors need to be contacted to assist in equipment cleanup?
Who should be hired to dry out and clean documentation?
What action is needed to clean and restore the facility?
How long will it take to repair or replace critical resources?
Will it be necessary to activate an alternate site for critical system processing?
Public Relations
e importance of the public relations aspect of the plan varies with the scope of
the incident. Major incidents will attract the media. In this case, it is necessary that
the incident be explained by an experienced spokesperson in a straightforward man-
ner. Eorts to fool the media will surely fail and serve to worsen the image of the
organization. It is important that a single voice speaks for the organization in order
to avoid contradictions and misunderstandings. e reputation of the organization
is at stake, so this is a very important activity.
Vendors
During any incident that results in a severe disruption of a data processing facil-
ity, emergency vendor support will be necessary to maintain processing continuity
and conduct restoration procedures. All vendors that will be needed to help sat-
isfy requirements should be placed under contract to provide emergency services.
Vendors normally involved include providers of backup storage; contractors for
alternate site processing; experts in water, mold, smoke, and re cleanup; and those
providing critical equipment repair or replacement. In the event that personnel will
be required to move to an alternate site, vendors to provide transportation, oce,
and living space, etc., may be required.
Understanding BCP, DRP, and COOP ◾ 329
© 2011 by Taylor & Francis Group, LLC
Utilities
Electrical power is probably the most critical utility to the operation of data process-
ing mechanisms. Alternate sources of power should be investigated and contracted
for. It is important to review BCP and DRP plans for available power companies
and ensure that your requirements are included. Forward-thinking organizations
often acquire portable power generators for use as emergency power when all else
fails. Critical systems should be linked to an uninterruptible power source to pro-
vide continuity of service during short outages.
Lessons learned from previous major incidents have identied the loss of voice
communications as a serious handicap during the response and recovery phases.
erefore, it is important to consider the probable loss of the primary phone system
as well as the impairment of mobile and cellular communications. When consider-
ing handheld radios for backup, it is prudent that they be located in convenient
and secure places for distribution and have spare batteries and training in their
use available. Finally, the need for fresh water and HVAC should be determined,
particularly in areas likely to be ooded or have high humidity.
External Agencies
Government, both local and regional, can play an important role in your ability to
recover from a wide area incident. ey will be responsible for helping their constituents
and, unless you can convince them otherwise, may be tempted to commandeer your
critical resources, such as transportation, utility equipment, and facilities to support
the populace. Consequently, it is important to communicate your recovery require-
ments to local and regional authorities and be included in their BCP/DRP plans.
Recovery Plans
Priorities identied in your business impact analysis must be clearly communi-
cated to all of the stakeholders in the organization in order to counter attempts to
increase personal priorities during the heat of response/recovery eorts.
Key personnel need to be able to communicate directly and eectively with
each other in order to ensure that response/recovery procedures are carried out as
planned. erefore, communication equipment/facilities must be assigned to them
on a priority basis.
Logistics
Transportation to relocate personnel and materials from the damaged site to the
alternate site must be pre-planned. Also, transportation needs to be arranged to move
items required from o-site storage to the alternate processing site expeditiously.
330 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
is is a critical function to enable the continuity of services in accordance with
the BCP. Procedures in the BCP related to transportation should include best esti-
mates of the numbers of personnel to be transported, the volume of material to
be moved, services payment, and reimbursement of expenses. Contracts with ven-
dors for transportation services should be prepared that commit the vendor to the
required level of support.
Facilities at the alternate site will be required to provide personnel workspace,
IT and oce equipment, and a dedicated meeting room. At the alternate site or
nearby, prearrangements for temporary shelter with showers, exercise facilities, and
medical care should be made.
Data backups in support of critical systems can be kept at the alternate site or in
an o-site facility. e backup and o-site storage facility should feature the same
environmental characteristics as the primary facility. is includes physical security,
temperature, humidity, power, and re suppression controls, etc. e stored data
should be used in operational tests to ensure that all anticipated items are there and
in a computer-readable form. e location of o-site data storage is an important
consideration. e facility must be available 24 hours a day and in an easily acces-
sible location far enough from the primary location to avoid being involved in the
same geographical disaster (usually about 25 miles). Communications procedures
necessary to access the facility must be included in the plan as well as identication
of those personnel authorized to retrieve items.
Communications network priorities to support the transmission of data for criti-
cal systems must be agreed upon and included in the plans. As an example, initial
emergency data communications could be through modems or DSL followed by
plans and procedures to direct higher bandwidth capabilities, such as E1/T1, multiple
T1s, T3, ISDN, or ATM to meet BIA-established critical data communications.
Supplies required for recovery operations must be identied and placed in o-
site storage to be available for movement to the alternate site. Items to be included
on the list are as follows:
◾ Hard and soft copies of the BCP, DRP, and other plans
◾ Contracts for recovery and restoration support
◾ Oce supplies, forms, and stationery
◾ Spare parts, equipment, tools, etc.
◾ Financial supplies, such as checks, credit cards, and petty cash
◾ Documentation, such as inventory lists, wiring diagrams, operating manu-
als, etc.
◾ Flashlights, cameras (digital and video), handheld radios, spare batteries, etc.
Equipment not already in place at the alternate site that is required to support
critical system continuity of operations must be made available. Some organizations
are able to stockpile excess equipment or used equipment that is not yet obsolete at
an organization storage facility. Otherwise, vendor agreements to provide equipment
Understanding BCP, DRP, and COOP ◾ 331
© 2011 by Taylor & Francis Group, LLC
on an emergency basis must be executed. e ability to move stored equipment or
obtain vendor-supplied equipment to be quickly available at the alternate facility
must be included in tests of the plans. It is important that the communications links
to notify the storage facility and vendors that a disaster requires activation of the
alternate site and expeditious movement of the equipment are available 24 hours a
day and be included in plan tests.
Plan Implementation
Implementing the developed plans requires coordinated action by all of the per-
sonnel involved in the response, recovery, and restoration phases of the plans. is
coordination can only be achieved and maintained by regular and thorough testing
of the plans. It must be ensured that all key personnel and their backups are thor-
oughly trained and involved in plan tests so that they are condent in their ability
to perform their roles.
Testing
Once the draft BC, DR, and COOP plans have been developed they should be
fully tested to ensure that they will be eective.
Methods
ere are basically ve types of tests listed in order from the simplest to the
most complex.
1. Checklist is a test involving a meeting of the key stakeholders and plan par-
ticipants who review the plan contents to agree that all issues have been ade-
quately addressed.
2. Structured walkthrough is a more thorough review that includes the plan pro-
cedures by the plan participants and team leaders to ensure that they under-
stand their roles and the interfaces and that the plan will work as expected.
3. Parallel testing is essentially an operational test of the plan that includes the
operations recovery team, critical system users, and observers to ensure that
the systems being recovered will run at the alternate site. O-site storage data
and software should be utilized to ensure that it is sucient and usable. Hot
site contracts should include adequate testing time for this purpose, and all
critical systems must be tested on a regular basis.
4. Simulation is a comprehensive test involving the vendors, all critical systems
users, and all teams and participants with designated backups. Usually this is
scenario driven to provide everyone involved with an example of what would
transpire during an actual recovery. e players include the executives who
would man the Emergency Operations Center and control the simulated
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.