Developing Plans and Procedures

Chapter 5

You Will Learn How To…

Determine what disaster recovery procedures need to be developed

Develop and write disaster recovery procedures Review and approve disaster recovery

procedures Develop basic disaster recovery plans for a

facility Publish the disaster recovery plan

What Disaster Recovery Procedures Are Needed

Recovery procedures fall into one of six categories Direction, control, and administration Internal and external communications Safety and health Containment and property protection Resuming and recovering operations Restoring facilities and normalizing operations

Classifications of disaster Catastrophic, Major, and Minor

Types of disaster recovery procedures

Classifications of a Disaster

Developing and Writing Disaster Recovery Procedures

Planning team should monitor committee work for thoroughness and consistency

Subcommittees of the disaster recovery team may form to work with departments to develop procedures

All affected parties must draft and approve procedures, including those employees that implement the procedures

Procedures should be maintained on paper, intranets may make the more accessible

Generic Procedure Worksheet

Reviewing and Approving Disaster Recovery Procedures

Entire planning team reviews drafts Subcommittee of planning team or group of

middle managers not involved in procedure development can act as independent reviewer

Reviewers should ensure that the procedure has the following attributes Clearly documented Easy to Read and understand Consistent with other procedures Does not contradict other procedures

Reviewing and Approving Disaster Recovery Procedures

Review committee submits changes to drafting committee

Drafting committee resubmits the changed procedure to the review committee

The review and revision process continues until the disaster recovery team and review committee are satisfied

Acceptance is a formal process involving the entire disaster recovery planning team, allowing all members of the planning team to comment

Developing Basic Disaster Recovery Plans for Every Facility Basic rules for a disaster recovery plan

Everything must be clearly documented The plan must be understandable by all employees Multiple copies of the plan must be available from

multiple locations to ensure the plan is accessible All response teams need copies of the plan Team members should be listed on a separate page

in the plan, including their names, department, and contact information

Basic Disaster Recovery Plan Outline

Front matter: Title Page, Table of Contents, Introduction Primary Disaster Recovery Staff Disaster Classification

Disaster Recovery Procedures Appendices:

Contact Lists, Building Plans Risks assessment reports Organizational agreements, Requirements

Outline for a Basic Disaster Recovery Plan

Basic Disaster Recovery Plan Front Matter

Title Page Name and location of facility or business process Legal confidentiality statements Contact information for Disaster Recovery Staff

Table of Contents Introduction

Overview of the plan Summarize specific laws, policies and regulations Detailed exhibits may be referenced in an appendix

Basic Disaster Recovery Plan Front Matter

Primary Disaster Recovery Staff Names, Titles, Addresses Phone numbers and e-mail addresses

Disaster Classification Clearly define how to classify catastrophic, major, and

minor disasters A catastrophic loss may be downgraded if other

facilities can be used for the same purpose, and no employees are dead or missing

Planning team classifies events to provide response teams with enough information to classify and respond to an event

Direction, Control, and Administration Procedures

These procedures enable managers to direct the organization from response to recovery Organizing the response team Establishing an emergency operations center Establishing first alert notifications Confirming a disaster Declaring the disaster Keeping an activity log

Composition of Disaster Response Team

Emergency Operations Center

Especially necessary for catastrophic disasters Response team leaders direct response from

this location Response team may work and rest at this

location Location may be one of the organizations

facilities in a community Local hotel with conference facilities may also be

used

Emergency Operations Information Sheet

First Alert Procedures

Methodical and structured process for notifying Managers Employees Emergency Services Organizations

Who is responsible for initiating first alerts Who can authorize a first alert Names of those to contact first after a disaster An authorized manager must initiate the alert,

but the manager’s staff may make contacts

First Alert Information Sheet

Disaster Confirmation Procedure

Verifies that a disaster has occurred Validates the impact of the disaster Determines the initial damage and scope

of the disaster Once confirmed, disaster declaration is

made Disaster is initially classified as

catastrophic, major, or minor

Disaster Confirmation and Declaration Report

Disaster Recovery Activity Log

Describe the activity, date and time, contact information for the activity

Recovery plan should provide a sample log to be used to record recovery activities

Detailed instructions on how the log should be maintained

Risk assessments help the team understand which operations are affected by an activity

Individual teams may keep logs to integrate into the master activity log

Disaster Response Activity Log

Safety and Health Procedures

Two teams should be organized Evacuation and Rescue Team Security Team

Both teams need access to building plans Teams develop procedures for facility evacuation,

reentry, movement of employees, and crisis counseling One team member keeps the log, entire team may be

debriefed after initial response to complete log Evacuation and rescue team employees should be

trained to supervise evacuation procedures and initiating rescue efforts

Evacuation and Rescue Team

Security Team

Ensure facilities and valuable properties are protected during evacuation, after evacuation, and during recovery

Procedures for Internal and External Communication

Establish a communication team The communication team establishes

contact with all parties and provides consistent explanations of the recovery

Timelines for expected recovery activities are distributed after being approved by the director of the disaster response team

Communications Team

Activity log is maintained listing organizations and individuals contacted, and when they were contacted

Contact lists are maintained in an appendix of the recovery plan

Agreements and external relationships that can assist in recovery documented in an appendix

Team members can manage internal and external communications and facilitate disaster response

Team is responsible for contacting law enforcement, government agencies, and media

Communication Team

Procedures for Containment and Property Protection

Establishes an insurance and damage assessment team

Consists of trained employees that canPrepare initial, detailed damage assessmentsFile reports with insurance companiesWork with demolition crews or construction

contractors for cleanup and repairs

Insurance and Damage Assessment Team

Procedures for Resuming and Recovering Operations

Procedures that may be necessary to resume operations Determining the duration of the shutdown Activating back-up systems Activating alternate systems Activating hot or cold sites Moving records Moving equipment Moving supplies Recovering critical systems and functions Recovering essential systems and functions Recovering necessary systems and functions Recovering desirable systems and functions

Business continuation team develops and executes these procedures during recovery

Business Continuation Team

Consists of trained employees with the skills to manage operations and restore critical business systems and functions

Team responsibilitiesMoving employees into temporary quartersProviding telecommunications, computer

networks, and computing supportManaging shipping and receiving

Business Continuation Team

Procedures for Restoring Facilities and Normalizing Operations

The organization’s restoration team is responsible for executing these procedures

The team consists of employees who can manage the restoration or rebuilding of facilities

Team responsibilities Obtaining restoration estimates Managing temporary repairs Preparing facilities for reoccupation

Restoration Team

Publishing the Disaster Recovery Plan

The disaster recovery planning team appoints a plan publishing team leader

Team leader should have a background in technical writing, publishing, or procedure documentation

Works with all parties to make sure all materials are accurate and approved

Team leader establishes the document flow from the planning team to the publishing team

Planning team determines how the plan is published, a copy of the plan must always be accessible

All departments receive a copy of the plan Training materials are developed from the plan to train employees The plan is confidential material and the planning team should keep

a log of who has copies of the plan

Disaster Recovery Plan Distribution Log

Disaster Recovery Confidentiality

All employees receiving a copy of the plan should sign a confidentiality and nondisclosure agreements

A blanket nondisclosure agreement signed initially by employees may cover receiving a copy of the recovery plan

Confidentiality Agreement for Disaster Recovery Plan

Assessing Progress and Moving Forward

Organizations must develop detailed recovery procedures

Disaster recovery procedures must be documented to smoothly recover operations

Chapter 6 discusses the importance of organizational relationships in disaster recovery

Chapter 7 explains how to develop procedures for responding to computer attacks

Chapter 8 covers documenting recovery procedures for special circumstances

Chapter Summary

The disaster recovery planning team needs to evaluate all facilities and business operations to determine what kinds of procedures it must help develop

As planning team members oversee the development of recovery procedures, they should continually monitor the drafts for thoroughness and consistency of formatting

Subcommittees of the disaster recovery team must work with the necessary departments to develop procedures

The procedures must be drafted and approved by all affected parties, as well as by employees who must implement the procedures

Chapter Summary

The entire disaster recovery team should review drafts of all recovery procedures

Planning team members not developing procedures or a group of middle managers not involved should review the procedures

Every facility should have at least a basic disaster recovery plan in place

A team leader should be appointed to oversee publication of the disaster recovery plan