Business Resumption Planning
Put an alternate phone number down and remember to put the area code and/or country code because people will dial what they see and if you have people in different area codes, they need to know the full phone number.Just a quick sidebar on preventive measures like surge protectors, UPSs, backup generators, dual but separate power feeds, dual but separate ISP connections. If you have a data center or just a server room, you need to consider all of those things which go into supporting the infrastructure to “PREVENT” interruptions from occurring.So in addition to the BIA, the organization needs to have an accurate IT asset inventory to support those functions.Once those two pieces are complete, but still in the BIA process, the owner of the business function needs to define the Recovery Point Objective and the Recovery Time Objective.Finally, but probably most important, is the testing of the plans, all of them, BCP, COOP, DRP, and BRP.You need to know the different types of testing, such as, checklist, structured walkthrough/tabletops, simulation, parallel processing, and full business interruption testing.With a little give and take on both sides — and there are always options — in this case it might make sense to change the RTO to eight hours or to purchase a second server and implement HA (High Availability) clustering. The COOP is where the owner of the business function will define how they’re going to continue to do business while IT is restoring the systems that crashed.Pay particular attention to (HINT) documented procedures for manual processes.
The BIA also includes which IT assets are required to support the business function as well as which supporting business functions are required.Obviously it is more expensive to have a mirror image redundant site and it is debatable as to whether a reciprocal agreement will actually provide the facilities you need in the event of a disaster. And last, but not least, are your backups; tapes or whatever; protected from the same disaster.One thing to consider, particularly in light of 9/11 and the recent tsunami, is how many businesses are using your same backup site and what happens if that backup site can’t support a major disaster? In other words are they stored a reasonable distance away from your business such that the disaster will not affect the backups.The COOP will also include things like succession planning, contacts with external authorities, and contact lists.Remember in a disaster scenario, people act differently so when you put someone’s phone number down, don’t put the office number only, because the office is no longer there.Your suppliers may face a shortage of the materials you need to continue your business activities, or demand for your services may simply decline.No one can predict the future; however, you can be ready with a sound business continuity plan.The RPO will help IT determine what backup strategy will be required.For example, let’s say the owner of the business function states they can afford to lose up to one day’s worth of entered data.Let’s begin this domain by enumerating some tasks that need to be performed in order to be successful at business continuity and disaster recovery.The first thing an organization needs to do is to complete a Business Impact Analysis (BIA).