Developing Plans and Procedures Chapter 5

You Will Learn How To… Determine what disaster recovery procedures need to be developed Develop and write disaster recovery procedures Review and approve disaster recovery procedures Develop basic disaster recovery plans for a facility Publish the disaster recovery plan

What Disaster Recovery Procedures Are Needed Recovery procedures fall into one of six categories Direction, control, and administration Internal and external communications Safety and health Containment and property protection Resuming and recovering operations Restoring facilities and normalizing operations Classifications of disaster Catastrophic, Major, and Minor

Types of disaster recovery procedures

Classifications of a Disaster

Developing and Writing Disaster Recovery Procedures Planning team should monitor committee work for thoroughness and consistency Subcommittees of the disaster recovery team may form to work with departments to develop procedures All affected parties must draft and approve procedures, including those employees that implement the procedures Procedures should be maintained on paper, intranets may make the more accessible

Generic Procedure Worksheet

Reviewing and Approving Disaster Recovery Procedures Entire planning team reviews drafts Subcommittee of planning team or group of middle managers not involved in procedure development can act as independent reviewer Reviewers should ensure that the procedure has the following attributes Clearly documented Easy to Read and understand Consistent with other procedures Does not contradict other procedures

Reviewing and Approving Disaster Recovery Procedures Review committee submits changes to drafting committee Drafting committee resubmits the changed procedure to the review committee The review and revision process continues until the disaster recovery team and review committee are satisfied Acceptance is a formal process involving the entire disaster recovery planning team, allowing all members of the planning team to comment

Developing Basic Disaster Recovery Plans for Every Facility Basic rules for a disaster recovery plan Everything must be clearly documented The plan must be understandable by all employees Multiple copies of the plan must be available from multiple locations to ensure the plan is accessible All response teams need copies of the plan Team members should be listed on a separate page in the plan, including their names, department, and contact information

Basic Disaster Recovery Plan Outline Front matter: Title Page, Table of Contents, Introduction Primary Disaster Recovery Staff Disaster Classification Disaster Recovery Procedures Appendices: Contact Lists, Building Plans Risks assessment reports Organizational agreements, Requirements

Outline for a Basic Disaster Recovery Plan

Basic Disaster Recovery Plan Front Matter Title Page Name and location of facility or business process Legal confidentiality statements Contact information for Disaster Recovery Staff Table of Contents Introduction Overview of the plan Summarize specific laws, policies and regulations Detailed exhibits may be referenced in an appendix

Basic Disaster Recovery Plan Front Matter Primary Disaster Recovery Staff Names, Titles, Addresses Phone numbers and e-mail addresses Disaster Classification Clearly define how to classify catastrophic, major, and minor disasters A catastrophic loss may be downgraded if other facilities can be used for the same purpose, and no employees are dead or missing Planning team classifies events to provide response teams with enough information to classify and respond to an event

Direction, Control, and Administration Procedures These procedures enable managers to direct the organization from response to recovery Organizing the response team Establishing an emergency operations center Establishing first alert notifications Confirming a disaster Declaring the disaster Keeping an activity log

Composition of Disaster Response Team

Emergency Operations Center Especially necessary for catastrophic disasters Response team leaders direct response from this location Response team may work and rest at this location Location may be one of the organizations facilities in a community Local hotel with conference facilities may also be used

Emergency Operations Information Sheet

First Alert Procedures Methodical and structured process for notifying Managers Employees Emergency Services Organizations Who is responsible for initiating first alerts Who can authorize a first alert Names of those to contact first after a disaster An authorized manager must initiate the alert, but the manager’s staff may make contacts

First Alert Information Sheet

Disaster Confirmation Procedure Verifies that a disaster has occurred Validates the impact of the disaster Determines the initial damage and scope of the disaster Once confirmed, disaster declaration is made Disaster is initially classified as catastrophic, major, or minor

Disaster Confirmation and Declaration Report

Disaster Recovery Activity Log Describe the activity, date and time, contact information for the activity Recovery plan should provide a sample log to be used to record recovery activities Detailed instructions on how the log should be maintained Risk assessments help the team understand which operations are affected by an activity Individual teams may keep logs to integrate into the master activity log

Disaster Response Activity Log

Safety and Health Procedures Two teams should be organized Evacuation and Rescue Team Security Team Both teams need access to building plans Teams develop procedures for facility evacuation, reentry, movement of employees, and crisis counseling One team member keeps the log, entire team may be debriefed after initial response to complete log Evacuation and rescue team employees should be trained to supervise evacuation procedures and initiating rescue efforts

Evacuation and Rescue Team

Security Team Ensure facilities and valuable properties are protected during evacuation, after evacuation, and during recovery

Procedures for Internal and External Communication Establish a communication team The communication team establishes contact with all parties and provides consistent explanations of the recovery Timelines for expected recovery activities are distributed after being approved by the director of the disaster response team

Communications Team Activity log is maintained listing organizations and individuals contacted, and when they were contacted Contact lists are maintained in an appendix of the recovery plan Agreements and external relationships that can assist in recovery documented in an appendix Team members can manage internal and external communications and facilitate disaster response Team is responsible for contacting law enforcement, government agencies, and media

Communication Team

Procedures for Containment and Property Protection Establishes an insurance and damage assessment team Consists of trained employees that can Prepare initial, detailed damage assessments File reports with insurance companies Work with demolition crews or construction contractors for cleanup and repairs

Insurance and Damage Assessment Team

Procedures for Resuming and Recovering Operations Procedures that may be necessary to resume operations Determining the duration of the shutdown Activating back-up systems Activating alternate systems Activating hot or cold sites Moving records Moving equipment Moving supplies Recovering critical systems and functions Recovering essential systems and functions Recovering necessary systems and functions Recovering desirable systems and functions Business continuation team develops and executes these procedures during recovery

Business Continuation Team Consists of trained employees with the skills to manage operations and restore critical business systems and functions Team responsibilities Moving employees into temporary quarters Providing telecommunications, computer networks, and computing support Managing shipping and receiving

Business Continuation Team

Procedures for Restoring Facilities and Normalizing Operations The organization’s restoration team is responsible for executing these procedures The team consists of employees who can manage the restoration or rebuilding of facilities Team responsibilities Obtaining restoration estimates Managing temporary repairs Preparing facilities for reoccupation

Restoration Team

Publishing the Disaster Recovery Plan The disaster recovery planning team appoints a plan publishing team leader Team leader should have a background in technical writing, publishing, or procedure documentation Works with all parties to make sure all materials are accurate and approved Team leader establishes the document flow from the planning team to the publishing team Planning team determines how the plan is published, a copy of the plan must always be accessible All departments receive a copy of the plan Training materials are developed from the plan to train employees The plan is confidential material and the planning team should keep a log of who has copies of the plan

Disaster Recovery Plan Distribution Log

Disaster Recovery Confidentiality All employees receiving a copy of the plan should sign a confidentiality and nondisclosure agreements A blanket nondisclosure agreement signed initially by employees may cover receiving a copy of the recovery plan

Confidentiality Agreement for Disaster Recovery Plan

Assessing Progress and Moving Forward Organizations must develop detailed recovery procedures Disaster recovery procedures must be documented to smoothly recover operations Chapter 6 discusses the importance of organizational relationships in disaster recovery Chapter 7 explains how to develop procedures for responding to computer attacks Chapter 8 covers documenting recovery procedures for special circumstances

Chapter Summary The disaster recovery planning team needs to evaluate all facilities and business operations to determine what kinds of procedures it must help develop As planning team members oversee the development of recovery procedures, they should continually monitor the drafts for thoroughness and consistency of formatting Subcommittees of the disaster recovery team must work with the necessary departments to develop procedures The procedures must be drafted and approved by all affected parties, as well as by employees who must implement the procedures

Chapter Summary The entire disaster recovery team should review drafts of all recovery procedures Planning team members not developing procedures or a group of middle managers not involved should review the procedures Every facility should have at least a basic disaster recovery plan in place A team leader should be appointed to oversee publication of the disaster recovery plan