Transcription of Business Continuity Planning Guidelines
1 BusinessContinuity PlanningGuidelinesBusinessContinuity PlanningGuidelinesTexas Department ofInformation ResourcesRev. December 2004 Austin, TexasiiiPrefaceState government addresses Business Continuity Planning because of the consequencesof not Planning financially, operationally, and Information Resources Asset Protection Council (IRAPC) was a forum for agenciesand universities to seek solutions in areas of resource protection through cooperativeefforts and information sharing. In 1997, over ten agency and university representativesformed a special IRAPC team and began writing Business Continuity planningguidelines. These Guidelines were presented to the Department of Information Resources(DIR) for publication.
2 This document is a result of that special team s term agencies alone in this document also refers to state institutions of is given to the following individuals and their organizations for theircooperation and support in the development and authorship of this Information Resources Asset Protection CouncilContingency Planning Special Function TeamPhyllis Jamar, CBCP, Team ChairpersonTexas Department of InsuranceClaudette Clendennen University of Texas Health Science Center at HoustonRich Holmes, CBCP Texas Rehabilitation CommissionRichard Landon Office of the Attorney GeneralJohn Morgan, CBCPT exas Rehabilitation CommissionSteve Schroeter Texas Parks and Wildlife DepartmentRick Torres, CBCPT exas Department of TransportationRobert Von Quintus Texas Workers Compensation CommissionChuck Walts, CBCP, CRPT exas Education AgencyEdited by Nena Young, CBCP, CRP, Texas Department of Information Resources,Richard Landon, Office of the Attorney General, and Barbara Bostick, State Office ofRisk ManagementRichard Fairlamb, Fairlamb and Associates, for Appendix 5: Example of a BusinessContinuity Plan Development Project [Note.]
3 This acknowledgment was inadvertently omittedfrom the original published version and is therefore being inserted after publication.] Tex computer graphic created and contributed by Jay Galvan and Mike McCathern,Texas Water Development BoardEndorsed by the Texas Department of Information Resources, the Texas State Office ofRisk management , and the Texas State Auditor s OfficeivDisclaimerInclusions of references to vendor concepts or methods in these Guidelines are forinformation purposes only. The appearance or absence of a vendor or product in thispublication should not be construed as an endorsement or non-endorsement of aspecific vendor, product, or company by the Department of Information Resources, theState Office of Risk management , the State Auditor s Office, or any persons involved inthe development of these by the Texas Department of Information ResourcesCopies of this publication have been distributed in compliance with the State DepositoryLaw, and are available for public use through the Texas State Publications DepositoryProgram at the Texas State Library and other state depository.
4 1 Determining Scope and Readiness .. 3 Business Recovery 7 Executive management .. 7 Program management .. 8 Technical management .. 9 Business Recovery 9 Internal Auditor .. 11 Risk Manager .. 11 Records management .. 11 Recovery 12 Team Leaders .. 14 Team 15 Analysis and Strategy 17 Business Impact 18 BIA Questionnaire Development .. 18 Information provided by the BIA Questionnaire .. 19 Analysis Report 20 Fine Tuning 20 Determining Resource Dependencies .. 21 Organizing and Tabulating the Results .. 24 Foundation of the Business Recovery 25 Business Recovery 25 Types of Business Recovery Strategies .. 27 Comparing Strategies.
5 28 Recovery Plans .. 31 Definition .. 31 The Planning Goal .. 32 Elements of a Recovery Plan .. 32 Recovery Plan: Items to Consider .. 33 Incident Response Procedures .. 34 Support Function Procedures .. 35 Business Function Planning 35 Business Function Recovery 36 Return to Home Site Tasks .. 37 Recovery Plan Attachments, Activity Reports, and Logs .. 38viBusiness Continuity ..39 Testing Objectives ..40 Test/Exercise the Exercise ..42 Evaluate the Exercise ..44 Update the Plan ..45 Some Final Thoughts .. 1. Business Process Study for Business 2. Business Impact Analysis ..53 Appendix 3. Business Continuity Planning Process Flow.
6 57 Appendix 4. Distributed System Continuity Plan Components ..59 Appendix 5. Example of Business Continuity Plan Development 6. Example 7. Things to Remember in Developing a Disaster Recovery Plan ..65 Appendix 8. Example of a Plan s 9. Business Recovery 10. Examples Responsibilities and Teams ..75 Appendix 11. Disaster Recovery Service Vendors: Tips, Check Lists, andExamples of Requests for Proposal ..85 Appendix Tips and Check Example One: Request for Proposal ..91 Appendix Example Two: Request for Proposal ..93 Appendix 12. Example Team Checklists ..95 Appendix 13. Physical Facility Study 14. Support Reference List ..109 Appendix 15.
7 Business Process Owner Survey ..111 Appendix 16. Phone System Recovery Hit List ..113 Glossary ..115 Sources and References ..131 Business Continuity Planning Guide | Introduction1 IntroductionBusiness Continuity Planning provides a quick and smooth restoration of operationsafter a disruptive event. Business Continuity Planning is a major component of riskmanagement. Business Continuity Planning includes Business impact analysis, Business Continuity plan (BCP) development, testing, awareness, training, Business Continuity plan addresses actions to be taken before, during, and after adisaster. A BCP spells out in detail what, who, how, and when.
8 It requires a continuinginvestment of time and resources. Interruptions to Business functions can result frommajor natural disasters such as tornadoes, floods, and fires, or from man-madedisasters such as terrorist attacks. The most frequent disruptions are less sensational equipment failures, theft, or employee sabotage. The definition of a disaster, then, is anyincident that causes an extended disruption of Business , disaster recovery Planning has focused on computer systems. Becausemission-critical functions inevitably depend on technology and telecommunicationsnetworks, rapid recovery of these is of little value without also recovering Business unitoperations.
9 Mainframe and minicomputer systems usually have reliable recovery , however, many critical applications have migrated to distributed, decentralizedenvironments with less rigid controls. Recovering functional processes includes morethan just information systems consideration needs to be given to such items as 800and long distance service, locations for employees to work, the salvage of buildingcontents, and so with an insurance policy, it is hoped that a Business Continuity plan is never neededfor a real disaster. Keep in mind that a BCP not maintained can be worse than no planat all. An agency s ability to recover mission-critical processes, resume operations, andeventually return to a normal Business environment can be considered a major Planning can reduce liability, disruption to normal operations, decisionmaking during a disaster, and financial loss.
10 And equally important to stategovernment, it can provide continued goodwill and service to the state s Continuity Planning Guide | IntroductionBusiness Continuity Planning Guide | Determining Scope and Readiness3 Determining Scope and ReadinessThe purpose of this section is to determine what information is needed to begin businessrecovery Planning , and how to determine the scope of the Planning effort based on commitment of management is essential for the Business recovery effort to commitment can be recognized when! A sound impact analysis is funded, the results of which are read, understood, andacted on by management deciding to use a strategy based on likely impacts to theorganization.