Tuesday, April 28, 2009

Keeping Your Eye on Hurricane Season

I just received this newsletter from Lenny Chesal, CMO/VP of Strategic Sales of Host.net, SFTA Platinum Sponsor and also the event sponsor for our May event. Thanks to Steve Elliot of Elliot Consulting Services!


Elliot Consulting Services - Business Resiliency Tips

How Do I Build a Business Continuity / Disaster Recovery Plan?
Second Quarter 2009

· Ten Points to Consider when Building a BCP / DR Plan
· Useful BCP Links
· About Elliot Consulting

Enterprise risk management and the related business continuity plan require an investment of time, resources, and strategic thought. Unfortunately many of today's business leaders are focused solely on short-term profits, and therefore business continuity planning projects get pushed onto the back burner for another day. As a result, many companies have not considered the likelihood of various risk scenarios and the probable impact to their businesses. Even fewer organizations have taken the time to evaluate mitigation strategies to offset these risks and to develop appropriate plans to manage the business during a time of emergency. Sadly many companies wait until a disaster strikes, and then try to "wing it" as they attempt to recover critical business operations in the midst of complete chaos.

The Numbers Speak for Themselves

According to the National Federation of Independent Businesses, a University of Texas study estimates that more than half of small and mid-size businesses that lose their data in a disaster will go out of business within two years after that disaster. Another survey conducted by the U.S. National Archives and Records Administration found that 25 percent of companies experiencing an IT outage of two to six days went bankrupt almost immediately.

When Hurricanes Katrina and Wilma passed over South Florida in 2005, many companies lost 14 days of operations and revenue. While their data and servers remained secure and intact, these firms realized that they needed to implement a business continuity plan and upgrade the technology infrastructure to support it.

While the 2004 and 2005 record-breaking hurricane seasons became the impetus for many firms to begin considering a business continuity plan, it is important to note that natural disasters represent only a small fraction of potential threats to business survivability.
Businesses contend daily with the threat of data losses; human error or malfeasance; supply chain disruptions; systems failure; and viruses, worms or other malware. A comprehensive business continuity plan that can protect organizations from these threats is necessary to ensure that the business survives every day of the year, not only during hurricane season.

How Do We Get Started?

Ask 10 business owners what should be included in a Business Continuity / Disaster Recovery Plan and you're likely to get ten different answers. The process of building that first plan can seem intimidating without some guidance as to what should be included in the first effort.
The most important part of the documentation for a BCP / DR plan is step by step instructions on what to do and how to do it. All of the information needed to recover the critical business processes and associated databases and applications should be explained in such a way that anyone in the company could help perform the recovery.

In the best of circumstances, you will have your top IT professionals there to help with the technology recovery efforts. In the worst of circumstances you might have another department head or an outside firm trying to perform those same functions. Your documentation should be printed out and stored safely away from the computer room and the main building.

Other things that you should document in your plan include:

Internal contact information (including cell and home phone numbers) for everyone that could, would, or should be involved in the recovery effort.

Copies of contracts with all of your 1st, 2nd and 3rd level vendors.

Who pushes the button? Or in other words, who makes the decision to declare an emergency and activate the company's emergency management and disaster recovery efforts.

This is just a small list of recommendations. Please read this month's guest editorial from HS Daily Wire for more lessons learned on building a BCP / DR Plan.

Stay safe and be prepared!
Steve Elliot, CBRM
President and CEO
Elliot Consulting Services
Tampa, FL
813-792-8833
Copyright 2009. Elliot Consulting Services, Inc.

Ten Points to Consider when Building a BCP / DR Plan
(HS Daily Wire, Vol. 3, no. 186, Wednesday, 17 October 2007)

Volcanic eruptions, earthquakes, torrential rains, gale-force winds, and floods have only highlighted the importance for businesses to have a working disaster recovery plan. According to IT security company Symantec, the first few minutes following any catastrophic system failure are critical (they say the same about heart attacks or strokes), so executing the disaster recovery plan quickly is central to mitigating losses. M-net's Ken Lewis offers ten disaster recovery key points to consider when you next look at protecting one of your most valuable business assets - your data.

1. Unrealistic expectations: Make sure people understand how long (two minutes, two hours, or two days) it will take for systems to come back after a disaster. Usually established within the Business Impact Analysis, the Recovery Time Objectives are the time requirements set by the business to recover critical systems.

2. Assuming a tool will fix everything: Do not make the mistake of assuming that you have a business continuity or disaster recovery plan because you bought a software tool. A backup and recovery tool is not a plan. Organizations need to create a customized Business Continuity Plan, which is more than simply filling in the blanks in a software tool and then saying that you have an effective IT Disaster Recovery Plan.

3. Understand the risks: Threats and risk exposures come in all shapes and sizes. It is important to weigh and categorize these exposures. Once they have been evaluated, a decision can be made to mitigate them. Additionally, the potential financial loss exposure should be determined to establish mitigation cost models.

4. "Project" mentality: Business continuity / disaster recovery plans are not projects - they are processes which are never finished and need to be continually reviewed, updated, and integrated into an enterprise risk management culture.

5. Inadequate testing: Plans are only as good as the last time they were tested and can fail when organizations simply test for success and not for the range of potential issues. After the inaugural test, introduce variables into the test methodology, for example, what if some recovery team members are unavailable to participate?

6. Lack of documentation: It is important for organizations to document the business continuity / disaster recovery plan, as well as the assumptions that went into defining it, so the plan can be changed as the organization evolves. Documentation should define all BCP / DR team roles (and alternates), responsibilities, and procedures.

7. Forgetting the people: Systems and applications are useless without people to use and manage them. Do not forget to build appropriate personnel resource considerations into your plan. Include manual process workarounds when applicable since some systems may not be operational for an extended period of time.

8. Education: Money invested in business continuity / disaster recovery education and training is well spent and should be included in the plans, the results of which can be measured during BCP / DR drills.

9. Downplaying security: Recovering from a disaster is critical, but not so critical that you can forget about security. BCP / DR and security are intimately related, as often security breaches beget the need to declare a disaster.

10. Doing business as usual: Do not assume that just because it has always been done that way, it is the right thing to do. Organizations need to make sure they question assumptions when establishing a recovery program. Lastly, it is important to have provisions to return to a normal state as soon as possible following the recovery efforts.

About HS Daily Wire
HS Daily Wire is an authoritative and concise daily report on underlying trends, innovative technologies, and emerging market directions in homeland security. It offers practical knowledge, actionable information, and insightful analysis -- and does so in accessible writing and organization.

Useful BCP Links
Florida Business Disaster Survival Kit
Dept of Homeland Security / FEMA
IBHS - DisasterSafety.org
Florida Division of Emergency Management
National Hurricane Center
Tampa Bay Hurricane Guide from TBO.com
FEMA Disaster Assistance

About Elliot Consulting

Elliot Consulting Services (ECS) is a full-service consulting firm providing organizations with the following services:

Business continuity planning
Emergency preparedness
Disaster recovery and restoration

A disaster can be the smallest setback that disrupts normal operations, such as a malfunctioning network controller card, or an unavoidable catastrophic event such as a regional weather disaster. These events can shut down daily operations in a matter of moments. But when companies plan for the continuity of their business operations during less-than-ideal circumstances and take adequate protective measures, they can survive even major disasters.

Being prepared for the unexpected is the key to the resiliency of one's business. It is not just about the process of recovering from a disaster - it is also about maintaining continuous daily operations and protecting critical business functions, systems, and procedures. A resilient business is prepared to help prevent or minimize loss or damage to life and property, quickly return employees to work, restore essential services, and resume business operations.

ECS provides Business Resiliency Planning, a process which helps companies protect their information, their people, their physical infrastructure, and their means of doing business before, during, and after a time of crisis. A solid Business Resiliency Plan starts with a thorough understanding of critical business functions and then explores the risks and vulnerabilities which could impact those procedures. The ultimate goal of this plan is to ensure the stability and continued success of the business.

ECS functions as a third party advocate and facilitator to help companies create, develop, and implement all-hazards business resiliency and crisis management plans, pandemic response strategies, and effective disaster recovery programs which are designed to protect vital business resources and operational processes.

ECS can also review, audit, and help modify existing disaster recovery and business continuity programs to ensure that the essential components of the organization will continue to function in the event of an unplanned disruptive incident.

The team from Elliot Consulting will assist with staff training and simulation exercises, and regular plan validations and updates to test the thoroughness of a company's preparedness model.

The ECS consultants are professionally-certified business continuity planners and business resiliency specialists with Fortune 200 experience. Our consultants are trained in the Incident Command System as developed by the National Incident Management System (NIMS); and a variety of technical recovery, restoration, and resiliency strategies. Elliot Consulting is a vendor-neutral organization and does not re-sell any services or products.

Email: info@elliot-consulting.com
Phone: 813-792-8833
Website: http://www.elliot-consulting.com


Elliot Consulting Services, Inc. 7853 Gunn Highway Suite #326 Tampa FL 33626

Jackie Fernandez
Executive Director
South Florida Technology Alliance
954.239.9739
P.O. Box 831046
Miami, Florida 33183-1046
http://www.southfloridatech.org/
http://twitter.com/JackieatSFTA
