A business continuity plan provides an end-to-end guideline for the overall lifecycle of Disaster Recovery Planning. DR efforts need to be coordinated to ensure effective strategies are in place in the event of a disaster. A Systems Questionnaire is also provided as a Business Continuity plan template.
This Disaster Recovery Planning guide is based on an IT scenario, but the processes can be applied to your overall Business continuity plan, which can be based on the following processes:
- Identifying the systems, applications and interdependencies
- Determining the criticality
- Identification of security risks
- Priorities and risks documentation
- Identifying mitigation strategies for risks
- Documentation of roles, responsibilities and contracts
Identifying Systems, Applications and Interdependencies
The first process of Business continuity plan is identifying the systems, applications and interdependencies with the following supporting business functions:
- Information gathering
- Information analysis
Information gathering in the Disaster Recovery Planning process can be a difficult and complex task that involves many key management staff as well as key users accountable to particular divisions. A DR systems questionnaire should be used, either by interviewing them or by asking them to complete the questionnaire, to provide the following information for the Disaster Recovery Planning:
- Management assessment on criticality of the systems
- Understanding of frequency of interruptions and threats to systems
- Network diagrams showing interdependencies
- Mapping of systems to business functions
- Current back up procedures and other countermeasures
- List of third parties providing support
- Person responsible for each system and contact details.
Gathering information can involve all levels of staff members within the organization to provide a holistic overview of the system interdependencies.
Information analysis
After completing the information gathering, the next step in the Disaster Recovery Planning process is to analyse the information to determine whether the following have been identified and to ensure that no gaps exist:
- business functions
- critical assets
- systems
- applications
- interdependencies
- mapping of which systems support business functions
- responsible person for each system/asset.
Business Continuity plan template
The following is an example of the Systems Questionnaire that can be used as Business Continuity plan template:
DISASTER RECOVERY Systems Questionnaire
Date | |
Site or Office | |
Name | |
Position | |
Overview of the role |
Include all systems such as Exchange; Domain name; Internet services Connection; LAN; WAN; Applications such as ERP, Medical Record Systems and so on.
Systems / Applications used | Business Importance / Reliance | Indicative Financial Details of System if known | Contact details of the System or Application owner |
- Is there a Disaster Recovery Strategy developed for any of the Systems and Application listed in the above table?
- If YES, list the details and enclose copies of the relevant documents.
- Has a risk analysis been conducted for any of the systems and applications?
- If YES, list the details and enclose copies of the relevant documents.
- If the identified systems and applications were not available, what impact would this have on your organization or on the area of your responsibilities?
- For each of the systems and applications outlined, describe the backup procedures which are used for backing up the data, including regularity. You should develop a form that records items such as:
- System / Application
- Backup process: what type of backup system is used, such as VERITAS or ARCServe.
- Person responsible for backup: write the name of the responsible person.
- Where are they stored? How the backup tapes are stored, including offsite details.
- If you also use a third party for off-site storage, you should mention it here.
- How often are backups tested? Outline how often test restores are performed on the backups for data validation. See also the tape backup solutions.
- For each of the systems you have identified, supply the timeframe that your business or organization could go without the system, whether an hour, a day, a week or longer.
- Have you had any interruptions with these systems in the past?
- If YES, please outline the issues which occurred and when.
- If possible please attach a network diagram that depicts how this system integrates into the existing network. This information will assist in determining what measures are currently in place to protect this system from potential threats.
- Please note or list any other information that may help in the compilation of a disaster recovery plan.
Identifying Interdependencies
The process of identifying interdependencies may be technically complex. A number of “what-if” scenarios should be envisaged to reduce the likelihood of a critical component being overlooked. Network mapping will give you a comprehensive network diagram, which provides valuable interdependency data.
A number of systems are dependent on other systems to function. To ensure that all systems related to a business function are captured, interdependencies between systems must be identified. For example, in the provisioning of external E-mail functionality to end-users in a Windows 2003 / Exchange 2003 environment, the following systems might be required:
- Domain name
- LAN network at your site
- WAN link connection to the ISP, whether using frame relay, ISDN BRI or ISDN PRI, or a leased line connection
- Firewalls
- SMTP gateway
- DNS servers and Active Directory – domain controllers
- DHCP for client computers
- Exchange 2003 system
- WINS server
In the above example, the loss of any one of these systems would result in E-mails being unable to reach external E-mail addresses. Therefore, all of the above systems/technologies are required for the successful provision of external E-mail to the user base rather than just the Exchange server.
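The interdependency mapping and the information-analysis gap check described above can be run over the questionnaire answers once they are recorded as data. The following is an added example, not part of the original article: the dependency edges between systems, the second business function ("Intranet file shares" and its "File server") and the owner names are constructed assumptions modelled on the external E-mail example.

```python
from collections import deque

# Constructed inventory modelled on the page's external e-mail example.
# Which system depends on which, and the owner names, are assumptions.
DEPENDS_ON = {
    "External e-mail": ["Exchange 2003", "SMTP gateway", "Domain name"],
    "Intranet file shares": ["File server"],
    "Exchange 2003": ["Domain controllers / DNS", "LAN"],
    "SMTP gateway": ["Firewalls", "Domain controllers / DNS"],
    "Firewalls": ["WAN link"],
    "File server": ["Domain controllers / DNS", "LAN"],
    "Domain controllers / DNS": ["LAN", "WINS server"],
    "LAN": ["DHCP"],
}
BUSINESS_FUNCTIONS = ["External e-mail", "Intranet file shares"]
OWNERS = {  # "person responsible for each system" from the questionnaire
    "Exchange 2003": "A. Messaging", "SMTP gateway": "A. Messaging",
    "Firewalls": "B. Network", "WAN link": "B. Network", "LAN": "B. Network",
    "DHCP": "B. Network", "Domain controllers / DNS": "C. Directory",
    "File server": "C. Directory",
}

def required_systems(function, depends_on=DEPENDS_ON):
    """Every system the function needs, directly or indirectly."""
    seen, queue = set(), deque(depends_on.get(function, []))
    while queue:
        system = queue.popleft()
        if system not in seen:  # also guards against circular dependencies
            seen.add(system)
            queue.extend(depends_on.get(system, []))
    return seen

def impacted_functions(failed_system, functions=BUSINESS_FUNCTIONS):
    """'What-if' check: business functions that stop if one system is lost."""
    return sorted(f for f in functions if failed_system in required_systems(f))

def systems_without_owner(function, owners=OWNERS):
    """Information-analysis gap: required systems with no responsible person."""
    return sorted(required_systems(function) - set(owners))

if __name__ == "__main__":
    for fn in BUSINESS_FUNCTIONS:
        print(fn, "->", sorted(required_systems(fn)))
        print("  no owner recorded:", systems_without_owner(fn))
    print("Loss of WAN link stops:", impacted_functions("WAN link"))
    print("Loss of DHCP stops:", impacted_functions("DHCP"))
```

Systems reported by `systems_without_owner` are the gaps the information analysis step is meant to close before the plan is finalised.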