Resources for disaster recovery.SHIPPING CLERK opens a package that was mistakenly sent to the company to find a return address. Inside the box are several plastic bags filled with a powdery pow·der·y adj. 1. Composed of or similar to powder. 2. Dusted or covered with or as if with powder. 3. Easily made into powder; friable. Adj. 1. substance. The clerk tries to remove one of the bags for inspection and rips the comer of it on the sharp edge of the box. The startled star·tle v. star·tled, star·tling, star·tles v.tr. 1. To cause to make a quick involuntary movement or start. 2. To alarm, frighten, or surprise suddenly. See Synonyms at frighten. employee drops the bag, showering the work area with the powder, which is dispersed into the building's ventilation system ventilation system Public health An air system designed to maintain negative pressure and exhaust air properly, to minimize the spread of TB and other respiratory pathogens in a health care facility . Several employees in the immediate work area become exposed to the substance and begin convulsing. Within two minutes, the people in the lobby begin displaying symptoms of toxic reaction. A disaster situation such as the one described requires quick, decisive action. However, if the company has never encountered this type of situation, either in reality or hypothetically, management has no frame of reference from which to draw to make the right decisions during an emergency. An effective disaster management and business resumption plan eliminates the guesswork. The committee. The responsibility for creating a plan should be given to a disaster recovery executive committee. Members of this committee should include the company's president, the security director, other selected executives and senior managers, such as the operations, audit, and finance managers, and members of the board of directors. If the company works with a data processing data processing or information processing, operations (e.g., handling, merging, sorting, and computing) performed upon data in accordance with strictly defined procedures, such as recording and summarizing the financial transactions of a service bureau or other critical vendors, a senior member of the service bureau or vendor company should also be made a member of the disaster recovery executive committee. Those people responsible for management and recovery efforts should be designated by name in the disaster recovery plan. The line of succession Noun 1. line of succession - the order in which individuals are expected to succeed one another in some official position line - a formation of people or things one behind another; "the line stretched clear around the corner"; "you must wait in a long line at the for the board of directors as well as the company's managers should be spelled out in specific terms. Two chairpersons should be appointed and given the responsibility for assigning the tasks required for the research, development, and implementation of the plan. The chairpersons should also be responsible for assuming control over business operations Business operations are those activities involved in the running of a business for the purpose of producing value for the stakeholders. Compare business processes. The outcome of business operations is the harvesting of value from assets during and after the disaster until business operations return to normal. In addition, the committee should name two of its members as coordinators who will be responsible for implementation of the plan and follow-through under the guidance of the chairpersons. The coordinators would head up a team of department leaders who are charged with implementing the plan in their areas of responsibility. As a whole, the disaster recovery executive committee should function as a strategic planning Strategic planning is an organization's process of defining its strategy, or direction, and making decisions on allocating its resources to pursue this strategy, including its capital and people. and tactical response unit. During a disaster, members may be assigned temporary duties and higher levels of authority than their job descriptions indicate. Risk assessment. To create a plan that works, the committee should first conduct a comprehensive analysis of each department within the company. The assessment determines which threats are most likely to occur. It provides a basis for establishing which policies must be in place in the event of a disaster to minimize disruptions of service and financial loss, provide for timely resumption of operations, and limit exposure to liability claims. The risk assessment phase of the analysis should concentrate on real, likely, or historical risks. It should include a definition of a disaster; a list of potential threats--natural, technological, and human; and a list prioritizing disasters by theft likely occurrence. The analysis should also assess the potential impact with regard to the company's legal, insurance, and regulatory requirements Regulatory requirements are part of the process of drug discovery and drug development. Regulatory requirements describe what is necessary for a new drug to be approved for marketing in any particular country. , as well as its financial condition, competitive position, and customer confidence. An analysis of the anticipated short-term and long-term costs should also be incorporated into the risk assessment. Data processing procedures as well as the procedures for all critical functions must be examined. The plan. The plan should be the result of a written directive from the company's board of directors or the president. This directive should clearly state the company's intention to implement a plan. If local, state, and federal governments or any regulatory agencies regulatory agency Independent government commission charged by the legislature with setting and enforcing standards for specific industries in the private sector. The concept was invented by the U.S. have issued applicable guidelines, the directive should indicate that the plan will comply with these rules. It should also provide a schedule for the plan's completion. After the risk assessment, the first step when writing a plan is to prioritize a company's concerns. The ranking of concerns will be different for each company, depending on their importance to the company's survival, but in general, the safety of people comes first. The next priority is the integrity of the facilities, followed by other assets other assets Assets of relatively small value. For financial reporting purposes, firms frequently combine small assets into a single category rather than listing each item separately. and records. Duties. The plan must include an evaluation of critical and accessory tasks necessary for the continuing operation of all departments, offices, facilities, functions, and personnel. Every job contains critical tasks that must be performed and accessory tasks that may be performed after the critical activities have been completed. An appropriate response to a disaster dedicates all available resources to stabilizing critical functions first and then restoring less important ones. Comprehensive written policies and procedures Policies and Procedures are a set of documents that describe an organization's policies for operation and the procedures necessary to fulfill the policies. They are often initiated because of some external requirement, such as environmental compliance or other governmental should govern the routine duties and responsibilities of all departments, offices, functions, and personnel. Written in the form of an operations manual, or desktop procedures, these guides provide immediate help to people involved in both day-to-day and exceptional disaster recovery tasks. Lack of a comprehensive policy manual may promote arbitrary and capricious capricious adv., adj. unpredictable and subject to whim, often used to refer to judges and judicial decisions which do not follow the law, logic or proper trial procedure. A semi-polite way of saying a judge is inconsistent or erratic. decisions by personnel at all levels, crippling crip·ple n. 1. A person or animal that is partially disabled or unable to use a limb or limbs: cannot race a horse that is a cripple. 2. A damaged or defective object or device. tr.v. the recovery effort. Once a company develops a policy and procedure manual, management must ensure that it is used, because its directives, along with position descriptions and the company's description of functional duties and responsibilities, may be introduced into court proceedings in the event of a lawsuit. This may be done to demonstrate that the company failed to exercise reasonable and prudent care in implementing its plan and may open the organization to costly civil actions. Resources. A list of individuals and companies who will help the company recover from the disaster should be developed, maintained, and distributed. Contacting these resources in a timely manner is critical. Included on the list should be the names and phone numbers of essential personnel, emergency services emergency services Emergency care '…services …necessary to prevent death or serious impairment of health and, because of the danger to life or health, require the use of the most accessible hospital available and equipped to furnish those services' , local governmental agencies, vendors, public and private transportation services, media representatives, and insurance representatives. Additional information should include diagrams of the facilities, the locations of emergency staging areas staging area n. A place where troops or equipment in transit are assembled and processed, as before a military operation. Noun 1. , evacuation routes, public telephones, and utility shut-off devices. Vendors. The adequacy of disaster recovery plans for a service bureau, if one is used, must also be evaluated. The company's plan must be compatible with its service bureau's plan. It should include the service bureau's written recovery plan, similar in format to the office, department, and function recovery plans created by the company. The service bureau's plans should provide the names of the people responsible for recovery, their addresses, and phone and fax numbers. Maps and directions to the facilities to be used for recovery efforts should also be in the plan, along with appropriate access and security information, recovery steps, schedules for each function to be restored, and costs for services. Alternative sites. At least one other location for housing critical functions on a temporary basis should be researched. If the company maintains several facilities, shifting strategic operations to a designated alternate site is simplified. If the company does not maintain another location or facility, it should arrange to use a facility controlled by a similar company. To prepare for disaster, a company needs an off-site facility to store copies of the disaster recovery plan and data backups. During a disaster, an off-site facility may be needed to allow the company to resume administrative, operational, and nonservice bureau data processing functions. The disaster recovery plan should be specific about the offsite location, giving the same type of detailed contact-information and directions as the service bureau plan. Written recovery agreements must be obtained from the company whose facilities will be used during a disaster. A written contract commands performance and assures appropriate access and service. Records. An effective storage and recovery plan for the organization's original documents and vital records should be part of the plan. Recovering business operations after a disaster often requires the use of original documents and vital records not stored as electronic data. The disaster recovery plan should include instructions for the consolidation and storage of appropriate original documents and vital records in a central, fire-proofed location. Important documents to consider storing include contracts, insurance policies, and corporate papers. An inventory list of the stored items should be stored in two locations and should be reviewed annually for applicability and legality. Supplies. Emergency supplies of food, water, first-aid kits Noun 1. first-aid kit - kit consisting of a set of bandages and medicines for giving first aid kit, outfit - gear consisting of a set of articles or tools for a specified purpose first-aid kit first n → , and basic tools must be stored. Both employees and customers may be trapped at a work location for hours or days, depending on the magnitude of the disaster. They will require nourishment nour·ish·ment n. Something that nourishes; food. , sanitation facilities, and light. Since medical care may not be immediately available, first-aid supplies and written instructions may help some of the injured to survive. The facility itself may also suffer. Structural and utility damage could place employees and customers at risk. Basic tools and other nonbusiness non·busi·ness adj. 1. Unrelated to business or industry. 2. Unrelated to one's own business or employment. supplies should be available to help employees deal with these hazards. Suggested items include the following: * Tools such as a hand axe with a hammerhead hammerhead, common name for a heavy-looking, heronlike bird, Scopus umbretta. Its plumage is brown with light and dark glossy, purplish streaks on the wings and body. It has short legs, partially webbed feet, and a heavy, wide, moderately long, black bill. at one end, vice-grips, a small crowbar, a small shovel, a Swiss army knife, a pipe wrench wrench or spanner Tool, usually operated by hand, for tightening bolts and nuts. A wrench basically consists of a lever with a notch at one or both ends for gripping the bolt or nut so that it can be twisted by a pull at right angles to the axes of the lever , channel lock pliers pliers, n a tool of pincer design with jaws of varying shapes; used for holding, bending, stretching, contouring, and cutting. pliers, contouring, n , a one-inch-wide stiff putty knife, wire cutters wire cutters npl → cortaalambres msg inv wire cutters npl → cisaille f wire cutters wire npl → , a Phillips head and a flat screw-driver * One pair of large-sized heavy-duty leather work gloves and one box of 100 latex latex, emulsion of a polymer (e.g., rubber) in water (see colloid). Natural latexes are produced by a number of plants, are usually white in color, and often contain, in addition to rubber, various gums, oils, and waxes. surgical gloves. * A battery-powered AM/FM AM/FM Amplitude Modulation / Frequency Modulation AM/FM Auto-Mapping/Facilities Management radio and extra batteries * Two flashlights
Flashlights is the third record by the Atlanta-based independent rock band Y-O-U. , twice the number of batteries necessary to power each, one package of light sticks, candles, and matches * Three fifty-foot rolls of duct tape duct tape n. A usually silver adhesive tape made of cloth mesh coated with a waterproof material, originally designed for sealing heating and air-conditioning ducts. Noun 1. , one fifty-foot roll of plastic electrical tape Electrical tape is a type of pressure-sensitive tape used to insulate electrical wires and other material that conduct electricity. It can be made of many plastics, but vinyl is most popular; it stretches better, giving a more effective and longer lasting insulation. , and two twenty-five-foot roles of strapping strap·ping adj. Having a sturdy muscular physique; robust. n. 1. Straps considered as a group. 2. Material for making straps. tape * One 100-foot coil of one-quarter-inch nylon rope and one roll of yellow emergency marking ribbon * One box of 100 each--33 gallon plastic heavy-duty garbage bags with ties and tall kitchen garbage bags * Metallic emergency blankets * Hygiene products Employees should also be encouraged to keep prescriptions, extra eyeglasses eyeglasses or spectacles, instrument or device for aiding and correcting defective sight. Eyeglasses usually consist of a pair of lenses mounted in a frame to hold them in position before the eyes. , and other critical personal items available at the work site. Training. Once the plan is researched and written, a disaster recovery plan training program must be provided to employees at all levels within the company. Training all employees regarding their duties and responsibilities during disaster recovery efforts is critical to the plan's success. The delivery of standardized training for all employees results in a disaster recovery teamwork effort and promotes reasonable behavioral expectations. Employees who are knowledgeable about the company's procedures, the risks associated with each employee's role, and appropriate disaster recovery techniques reduce the potential for operational losses. Training reduces the opportunity for miscommunication mis·com·mu·ni·ca·tion n. 1. Lack of clear or adequate communication. 2. An unclear or inadequate communication. when the plan is implemented during a real disaster. It also offers management an opportunity to spot weaknesses and improve procedures. An effective training program covers the following three areas: * Orientation. All new employees, regardless of position description, should be introduced to the company's philosophy, organization, reporting structure, goals, priorities, and other appropriate information. * Promotions. Any employee who has been transferred to a new department or has received a promotion should be thoroughly trained regarding his or her new duties during a disaster and responsibilities and the policies, procedures, and control mechanisms used in this new capacity. * Updates. Any change in management, business philosophy, technology, legal requirements, policies, or procedures should require retraining re·train tr. & intr.v. re·trained, re·train·ing, re·trains To train or undergo training again. re·train of all involved employees. Effective training programs make liberal use of demonstrations. Training should provide demonstrations or explanations of all procedures to be used during an emergency, including individual duties and responsibilities, reporting requirements, behavioral expectations, and performance standards. Training should also address emergency procedures for shutting off electricity, water, and gas, including a description of the shut-off device's location, access requirements, and physical operation. The facility's emergency staging site Website development usually involves staging and production servers. The staging site is used to assemble, test and review new versions of a website before it goes into production. , to be located an appropriate distance from the facility in a place clearly visible from the facility and the surrounding area, should be pointed out during training. Evacuation and building plans should be reviewed. Management may also want to conduct a timed, mock exercise to test the effectiveness of the evacuation procedures. Alert procedures for notifying personnel of an emergency, including the stages of alert and individual duties and responsibilities for all phases of the recovery effort, should be covered, as should locations, purpose, and use of emergency equipment, fire extinguishers fire extinguisher: see fire fighting. , first-aid kits, and other survival tools and supplies stored at the facility. Testing. Criteria for testing the disaster recovery plan are as important as the plan itself. Testing all aspects of the plan at least annually is critical. Actual hands-on testing exposes developmental errors and tests the interaction of the plan's components. Since it is physically impractical to move an office, department, or function to another location during testing, the use of hypothetical problem-solving exercises may provide the necessary test results. Physically testing the company's data processing backup capabilities is essential, however. An appropriate physical test should be conducted at least annually at each of the company's designated recovery facilities. A plan should be an evolutionary program, designed to adapt to changes as they occur. After the annual test, the plan should be reassessed and updated. If changes to plans are made, a synopsis should be presented to the board of directors for review and approval. This annual approval should be reflected in the board of directors' minutes. The company's insurance coverage must also undergo annual reassessment Reassessment The process of re-determining the value of property or land for tax purposes. Notes: Property is usually reassessed on an annual basis. You may request a "reassessment" if you disagree with your assessment. . This insurance coverage reassessment should look at all policies addressing directors and officers, casualty claims, property damage, and business interruption costs. Again, a synopsis should be presented to the board for review and approval. Developing an effective disaster recovery plan is one of the most prudent and cost-effective projects a company can undertake. Just as a ship without a rudder rudder, mechanism for steering an airplane or a ship. In ships it is a flat-surfaced structure hinged to the stern and controlled by a helm. When the ship is on a straight course, the rudder is in line with the vessel; if the rudder is turned to one side or the other is at the mercy of the tides, a company without a plan is at the mercy of events. The Core Elements of a Plan A sensible plan contains at least three core elements: business resumption plans, emergency procedures, and information systems/data processing recovery procedures See: explosive ordnance disposal procedures. . The plan should have a table of contents and an appendix to make information easy to retrieve. To be truly effective, a company's disaster recovery and business resumption plan should include the following: * The company's philosophy, mission statement, and goals regarding disaster recovery and business resumption * Written and approved executive succession instructions * The appointment of a temporary executive committee that heads the emergency operations and makes important emergency decisions in the absence of the board of directors * Clearly defined guidelines for all disaster recovery and business resumption efforts, based on a thorough risk-assessment exercise * Clearly defined duties for each employee classification, with designated primary and secondary department leaders and staff personnel * Designated and equipped sites for the coordination of personnel, supplies, and equipment * A comprehensive training program for all personnel Written copies of the plan should be distributed to all office and department leaders, and it should be tested at least annually. Dana Turner is a partner with Security Education Systems in Pale Cedro, California. He is a member of ASIS 1. ASIS - Application Software Installation Server. 2. (language) ASIS - Ada Semantic Interface Specification. . |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion