Apply Your Knowledge

Exercises

6.1. Sorting the Steps

There are eight critical phases in the disaster planning and recovery process. Each of them is contained in the following list, but the order in which they appear is scrambled. Sort these steps in chronological order.

Estimated Time: 10 minutes

  • A. Building the plan

  • B. Risk analysis

  • C. Project initiation

  • D. Implementation

  • E. Testing and validating the plan

  • F. Plan approval

  • G. Plan modification

  • H. Business impact analysis

6.2. Performing a Business Impact Analysis

Acme Enterprises is a telemarketing firm based in your local area. Acme has centralized operations in one facility located in an urban environment. This building houses the telemarketing operations floor where 30 telemarketers place outbound calls offering Acme's products to consumers. It is also home to the data center, which handles data processing for the telemarketers, order fulfillment, and administrative services. The data center also houses a Web server that hosts Acme's e-commerce site.

You've been assigned the task of performing a business impact analysis for Acme. Upper management has already prioritized the departments in this order: Data Processing, Telemarketing, and Administration. They also identified the Web site as the highest-priority task within the Data Processing department.

Estimated Time: 45 minutes

1. Identify the risks. Remember that Acme's home is your local area. What risks face their operations?

2. Assess the likelihood. For each of the risks identified during the previous step, assign a percentage chance that the event will occur within the next year. For example, “There is a 30% chance that an earthquake will occur within the next year.”

3. Judge the impact. For each of the risks identified in Step 1, assign an impact rating on a scale of 1 to 10 where 1 represents minimal impact on operations and 10 represents complete failure.

4. Prioritize resource allocation. Calculate the threat value for each risk by multiplying the likelihood percentage by the impact rating. For example, if an earthquake has a 30% likelihood of occurrence and an impact rating of 8, the threat rating would be 8 × 30%, or 2.4. List the risks in order of their threat rating.

6.3. Developing a Disaster Recovery Plan

In the “Disaster Recovery Plan” section of this chapter, you learned the three main elements of disaster recovery—choosing a recovery facility, ensuring data recovery, and restoring normal operations.

In this exercise, you implement each one of these strategies for Acme Enterprises. (Refer to Exercise 6.2 for more information on Acme.) Acme's management wants to minimize costs but keep downtime to less than one week.

Estimated Time: 30 minutes

1. Choose an appropriate disaster recovery facility for Acme and justify your decision.

2. What type of data recovery options does Acme have? What do you think the best solution is, based upon your choice of recovery facility and the fact that Acme wants to minimize costs?

3. What considerations must Acme take into account when planning for recovery of normal operations?

Review Questions

1: What are the main issues involved in restoring normal operations after a disaster?
2: What types of people should be involved in the disaster planning process?
3: What are the differences between business continuity planning and disaster recovery planning?
4: What types of training should be conducted to ensure personnel know their roles in the disaster recovery process?
5: Why should you be cautious of Reciprocal Assistance Agreements?

Exam Questions

1: Which of the following groups are critical to the success of any disaster planning team?
  A. Senior management

  B. Public relations

  C. Information Technology staff

  D. Operational personnel

2: Which one of the following is not a natural disaster?
  A. Fire

  B. Power outage

  C. Earthquake

  D. Tornado

3: Which one of the following is not a man-made disaster?
  A. Burglary

  B. Telecommunications link failure

  C. Earthquake

  D. Bombing

4: Which of the following disaster planning techniques assesses the effect a disaster would have on an organization?
  A. Disaster recovery plan

  B. Risk analysis

  C. Business impact assessment

  D. Backup strategy

5: What type(s) of disaster recovery test(s) do not require utilization of recovery facilities?
  A. Tabletop exercise

  B. Hot site exercise

  C. Disaster simulation

  D. Plan review

6: Which of the following backup strategies record information in real time?
  A. Electronic vaulting

  B. Remote journaling

  C. Mirrored servers

  D. Tape backups

7: What is the final stage of disaster recovery that the disaster recovery plan needs to address?
  A. Recovery of data

  B. Setting up operations at an alternative facility

  C. Returning to the normal place of business

  D. Activation of failover equipment

8: Which one of the following tests is most disruptive to normal business operations?
  A. Disaster simulation

  B. Tabletop exercise

  C. Plan review

  D. Hot site exercise

9: Jeff is chairman of the disaster recovery planning team for Yellow Book Publishers. He wants to implement a disaster recovery strategy that minimizes expense but has an expected downtime of no longer than 48 hours. What type of disaster recovery facility best fits his needs?
  A. Hot site

  B. Warm site

  C. Cold site

  D. Reciprocal assistance agreement

10: Which of the following is not a common single point of failure for a network?
  A. Telecommunications circuits

  B. Workstations

  C. Servers

  D. Power supplies

11: Which of the following items should be addressed by the disaster recovery plan (DRP)?
  A. Prioritizing resource allocation

  B. Business impact analysis

  C. Single point of failure elimination

  D. Data recovery

12: What type of disaster recovery plan test best approximates an actual disaster?
  A. Disaster simulation

  B. Hot site exercise

  C. Plan review

  D. Tabletop exercise

13: What type(s) of backup strategies utilize a backup system that remains synchronized with the production server?
  A. Electronic vaulting

  B. Remote journaling

  C. Mirrored servers

  D. Tape backups

14: Which disaster planning tool mandates establishing operational priorities?
  A. Business continuity plan

  B. Business impact analysis

  C. Disaster recovery plan

  D. Disaster simulation

15: What format should be used for business continuity plans and disaster recovery plans?
  A. Procedure letter from the CEO or CIO

  B. Formal document outlining all roles and responsibilities

  C. Series of checklists with a cover letter

  D. Varies by organization

Answers to Exercises

  1. C. Project initiation

  2. B. Risk analysis

  3. H. Business impact analysis

  4. A. Building the plan

  5. E. Testing and validating the plan

  6. G. Plan modification

  7. F. Plan approval

  8. D. Implementation

Answers to Review Questions

A1: The three main issues in restoring normal operations are salvaging equipment from the primary data center, restoring the data center to working order, and transitioning from the recovery facility to the primary data center. See the section “Restoring Normal Operations.”
A2: There are four main groups that should be represented on the project team, at a minimum. These are senior management, operational personnel, IT staff, and other key personnel. See the section “Assembling the Project Team.”
A3: The business continuity plan (BCP) outlines the preventive measures in place to ensure that a disaster does not interrupt a business's operations. The disaster recovery plan (DRP) focuses on the procedures to follow in the event that a disaster does interrupt operations. The differences between these two plans are discussed in the “Business Continuity Versus Disaster Recovery” section of this chapter.
A4: All personnel should receive initial and refresher training on disaster recovery with the content tailored to their role in the organization. Key personnel should participate in disaster recovery exercises on a periodic basis. See the section “Testing and Training.”
A5: Reciprocal Assistance Agreements place a great deal of trust in another organization. They may involve storing copies of your critical data at another company's site, which brings up obvious security concerns. Additionally, you must keep in mind that a single disaster might strike both companies simultaneously and render the agreement useless. See the section “Recovery Facilities.”

Answers to Exam Questions

A1: A, C, D. Senior management, IT staff, and operational personnel are all identified as critical components of the disaster planning team in the “Assembling the Team” section of this chapter. Public relations personnel may play a role in your disaster planning process, but they are not a necessary component of all planning teams.
A2: B. Power outages are identified as man-made disasters in the “Business Impact Analysis” section of this chapter.
A3: C. Earthquakes are identified as a natural disaster in the “Business Impact Analysis” section of this chapter.
A4: C. The Business Impact Analysis identifies each of the threats that face an organization and identifies the impact each would have on operational continuity. See the section “Business Impact Analysis.”
A5: A, D. The tabletop exercise and plan review are both “paper tests” that involve theoretical simulations and do not utilize disaster recovery facilities. All four of these tests are discussed in the “Testing the BCP/DRP Plans” section of this chapter.
A6: B, C. Remote journaling and mirrored servers are both real-time backup strategies. See the section “Data Backup.”
A7: C. The DRP should guide personnel through the disaster recovery process right up to the point normal business operations are restored at a permanent location. See the section “Restoration of Normal Operations.”
A8: A. The disaster simulation actually involves shutting down operations at the primary site and attempting to make exclusive use of the backup site. Disaster recovery test types are discussed in the “Testing the BCP/DRP Plans” section of this chapter.
A9: B. The only two options that satisfy Jeff's requirements are a hot site and a warm site. Warm sites require at least 24 hours to recover operations, but are much more cost effective than a hot site. These options are discussed in the “Recovery Facilities” section of this chapter.
A10: B. Organizations generally do not have workstations in a situation where they constitute a single point of failure. The other three items (servers, power supplies, and telecommunications circuits) are identified as common SPOFs in the “Single Point of Failure Elimination” section of this chapter.
A11: D. Data recovery is one of the three elements of disaster recovery discussed in the “The Disaster Recovery Plan” section of this chapter. The other three choices (prioritizing resource allocation, business impact analysis, and single point of failure elimination) are all elements of business continuity discussed in the “The Business Continuity Plan” section of this chapter.
A12: A. Although it is the most disruptive type of test (as you learned in Question 8), the disaster simulation provides the best demonstration of how your team will respond when an actual disaster strikes. This test is discussed in the “Testing the BCP/DRP Plans” section of this chapter.
A13: C. Mirrored servers differ from the other backup strategies in that the backup data is actually processed on a server. This creates a “hot” backup ready to process information instantaneously. These strategies are discussed in the “Data Backup” section of this chapter.
A14: A. Establishing operational priorities is the first step of business continuity planning. See the section “Establishing Operational Priorities.”
A15: D. No document type is best for all situations. The choice of a format depends upon your organization's needs. See the sections “The BCP Document” and “The DRP Document.”

Suggested Readings and Resources

1. Disaster Recovery Planning: Strategies for Protecting Critical Information Assets, Jon William Toigo and Margaret Romano Toigo

2. Disaster Recovery Testing: Exercising Your Contingency Plan, Philip Jan Rothstein

3. A Guide to Business Continuity Planning, James C. Barnes and Philip Jan Rothstein
