[Framework diagram: assessment phases and the components assessed under each, as far as the extracted figure allows them to be recovered]

Program Initiation: Management Buy In; Program Evaluation; Program Commitment
Program Planning: Interim Temporary BC Plan; BC Program Management Document; Program Structure; Approval Process
Functional Requirements: General Assessment; Detailed requirements related to standards, rules, and regulations; Risk Management
Design and Development: General Assessment; Risk Controls
Program Implementation: Risk Controls; IT Recovery Systems
Plan Testing: BC Plan Testing; Test Evaluation
Program Maintenance: Primary Site Change Monitoring; Recovery Site Change Monitoring

Further component boxes appearing in the diagram (their phase placement is not recoverable from the extraction): IT Systems Recovery Strategy; Alternate IT Recovery Site; Tertiary Recovery Site; Offsite Data Storage; Critical Record Storage; Alternate Work Area; Crisis Management Center (CMC); Assembly Location; BC Plan Approval; Contract Management; BIA; Recovery Vendor's BC Plan Reviews; Training and Awareness; Management Process; External Coordination; BC Audits; BC Program Reviews; Personnel; BC Plan Document; Critical Records; SLA and Contract Requirements; Salvage & Restoration; Insurance Requirements; BC Tools; Data Communication Services; Voice Communication; Work around Procedures; SLA and Contracts

PI: Program Initiation
Columns: Questions | Rating | Response and Conclusion | Further Actions | Recommendation

PI.1: Management Buy In (subsection rating 6.4)

Q: Has the program been initiated formally? Rating: 8
Response: Program was initiated by the IT department.
Recommendation: BC Program needs to be raised to top level and not just owned by IT.

Q: What is the extent of management's awareness? Rating: 7
Response: CIO and other C-level officers are aware of the program, but other than the CIO they don't consider it a top priority.

Q: Is there a Project Sponsor? Rating: 6
Response: CIO is the project sponsor.

Q: What is the seniority and position of the Project Sponsor? Rating: 7
Response: CIO is the project sponsor.

Q: Does a plan exist to raise awareness of management? Rating: 4
Response: Several presentations were made to management, some at their own request. They were high-level presentations. There is no formal plan to raise awareness.
Further actions: Find out if there is a steering committee. A steering committee will help in raising top-level awareness.
Recommendation: Utilize the Steering Committee to raise top-level awareness.

PI.2: Program Evaluation and Approval (subsection rating 5.33)

Q: High-level program objectives, requirements and drivers analyzed and documented. Rating: 4
Response: We have some program requirements analyzed as a result of a recent BIA effort, and we have recently updated them with new requirements for the e-commerce application environment. We also have an extensive document on the reasons for establishing a BC program.
Further actions: Find out if objectives for the program were defined in these documents. (Not clearly.)
Recommendation: Define clear objectives for the program. Objectives should be stated in both general and specific terms.

Q: Business case prepared and evaluated. Rating: 4
Response: Yes. An informal business case was prepared.

Q: Was a budget prepared?
Response: Yes. We presented our initial budget and provided an estimate of the yearly budget to the CIO.

Q: Clear Go/No Go decision made, and at what level of management? Rating: 8
Response: Yes.
Further actions: CIO made the Go/No Go decision and presented this decision to senior management. But the board was not involved in this process.
Recommendation: The board needs to have active involvement in the overall high-level evaluation process.

PI.3: Program Commitment (subsection rating 2.86)

Q: Full-time qualified program manager assigned. Rating: 2
Response: No. We have a part-time (70%) business continuity coordinator assigned to this task. He is from the corporate planning department and has been involved with Emergency Response Planning in the past.
Further actions: Find out if the coordinator has business continuity or DRP experience. (No.)
Recommendation: Assign full-time BC responsibility to the BC coordinator.

Q: Steering committee established. Rating: 6
Response: A committee structure has been proposed and is awaiting approval. (The company has a history of establishing a SC for high-profile critical projects.)
Further actions: This is definitely a strength.

Q: Steering committee members have clear roles and responsibilities defined. Rating: 3
Response: No.
Recommendation: Define clear roles and responsibilities for the Steering Committee.

Q: BC Program is part of strategic objectives and plan. Rating: 1
Response: No.
Recommendation: Include the BC Program as part of Corporate Strategic Objectives.

Q: BC Program policy exists. Rating: 2
Response: We have a security policy which covers BC from the perspective of availability of critical systems.
Recommendation: Create a BC policy statement.

Q: BC Program policy fully communicated. Rating: 1
Response: No.
Recommendation: Utilize corporate communications to communicate the BC policy.

Q: BC culture is well established. Rating: 5
Response: No. But IT and business units have a better BC/DR culture compared to the rest of the company.
Recommendation: Develop a plan to improve corporate-wide BC culture.

PP: Program Planning
Columns: Questions | Rating | Response and Conclusion | Further Actions | Recommendations

PP.1: Interim Temporary BC Plan (subsection rating 5)

Q: Interim BC Plan exists if a long-term plan doesn't exist. Rating: 5
Response: Yes. But it has evolved since it was initially written.
Further actions: Review all earlier versions.

Q: Interim Recovery Strategy developed. Rating: 5
Response: Mutual agreement with our strategic partner.
Further actions: Review agreements. (Not enough careful planning and design. Agreements show weaknesses if a disaster lasts for longer than 2 or 3 days.)

Q: Interim agreements in place for recovery of key resources, sources, and services. Rating: 5
Response: Mutual agreement.

Q: Interim Recovery Teams created. Rating: 5
Response: Yes. The team has evolved since it was initially established.

PP.2: BC Program Management Document (subsection rating 4.43)

Q: BC Program management document exists. Rating: 6
Response: We have a project plan in place.
Further actions: Check the project plan details. (The project plan is well structured, but a complete program document is missing; the project plan is part of the BC plan.)
Recommendation: Create a BC program document which is separate from the BC plan.

Q: A need statement prepared (why is the program needed and what are the drivers?). Rating: 7
Response: We have a statement that indicates the main drivers: external contract requirements and SOX compliance. It also includes the company's strategic objectives.
Further actions: Review the statements. Ask if they have researched industry-specific requirements. (No.)
Recommendation: Research industry-specific BC requirements.

Q: Program objectives are well defined, aligned and approved. Rating: 4
Response: Defined in the BC plan document.
Further actions: Plan objectives are defined in general terms. Suggest inclusion of specific objectives.

Q: Program scope is defined and approved. Rating: 6
Response: Defined in the BC plan document.
Further actions: Plan scope is defined. Suggest including what is not in scope as well.

Q: Program assumptions are stated explicitly. Rating: 0
Response: Defined in the BC plan document.
Further actions: No written program assumptions.
Recommendation: State all key assumptions in the program document.

Q: Program deliverables are identified. Rating: 8
Response: Defined in the project plan.

Q: Program risks are analyzed and mitigation actions identified. Rating: 0
Response: Defined in the BC plan document.
Further actions: Investigate further. (No evidence of program risks in the BC Plan document.)
Recommendation: Assess program risks and mitigation steps.

PP.3: Program Structure (subsection rating 4.78)

Q: Program divided into logical phases. Rating: 3 (high risk factor)
Response: The Project Plan has logical phases. Risk and BIA are combined as one phase (not a major concern at this time since it has been completed).

Q: Phases are divided into activities. Rating: 7
Response: Yes.

Q: Activities are assigned due dates, start and end times, and dependencies. Rating: 7
Response: Yes.

Q: A BC Steering Committee exists. Rating: 4
Response: Not currently. But the CIO is presenting a case to top management for such a committee next month.
Recommendation: Establishment of a SC must become a high priority. It will help to resolve a number of current obstacles and issues.

Q: A BC program team structure is defined with reporting hierarchy. Rating: 7
Response: Yes.
Further actions: Assess team structure. Three types of teams: emergency management, emergency response, and business unit teams. The emergency management team includes the President/CEO, COO, CFO, etc.

Q: Team structure includes top management, program sponsor, BC coordinator, consultants, etc. Rating: 7
Response: Yes.

Q: Team roles and responsibilities are well defined. Rating: 2
Response: At a high level only. Team members' tasks are not assigned.
Recommendation: Define tasks for team members.

Q: Personnel assigned to the team structure with well-defined responsibilities. Rating: 2
Response: No. Personnel are assigned to teams but not with well-defined responsibilities.
Recommendation: Define responsibilities for team members.

Q: Alternates to team members are assigned. Rating: 2
Response: No.
Recommendation: Assign alternates to team members.

Q: Are there any BC team members working in a part-time capacity? Rating: 1
Response: Yes. The BC coordinator is part-time. There are two assistants to the BC coordinator working part-time on the BC project. Business unit representatives also work on a part-time and as-needed basis.
Further actions: Find out what those part-time staff are responsible for and how critical those responsibilities are. This is a high risk factor.

PP.4: Approval Process (subsection rating 5.17)

Q: BC Program approval process exists for budget, objective and scope, contract, projects, policy, hiring, etc. Rating: 7
Response: Only through the CIO, but once the steering committee concept is approved, a program approval process will be defined.

Q: Senior Management and Board level process. Rating: 6
Response: Senior management will be presenting the case for a formal BC program in the next board meeting.

Q: Steering committee level process. Rating: 3
Response: None.

Q: Program sponsor level. Rating: 7
Response: CIO is the program sponsor.

Q: BC program coordinator level. Rating: 7
Response: The BC program coordinator requests approval directly from the CIO.

Q: Business unit level. Rating: 1
Response: None. They are currently not involved in the approval process.

FR: Functional Requirements
Columns: Questions | Rating | Response and Conclusion | Further Actions | Recommendations

FR.1: General Assessment

Q: Functional requirements have been assessed.
Response: Partially.

Q: Functional requirements have been documented.
Response: Not in a formal way.

Q: Functional requirements have been reviewed by senior management.
Response: We will be presenting general requirements to the Steering Committee in the near future.

Q: Functional requirements have been approved.
Response: Not yet.
Further actions: Complete: FR.2.

FR.2: Detailed Requirements related to Standards, Rules, and Regulations (subsection rating 4.3333)

Q: General applicable standards and guidelines have been identified. Rating: 8
Response: Yes. Documents indicate DRII and BS17799.
Recommendation: Recommend also including NFPA 1600 standards.

Q: Industry guidelines, rules, and regulations identified. Rating: 4
Response: There hasn't been any effort to find out industry-specific requirements other than SOX.
Further actions: Briefly research industry-specific guidelines and make recommendations.

Q: Specific requirements related to standards, rules and regulations assessed and documented. Rating: 1
Response: No. There hasn't been any effort to find out industry-specific requirements other than SOX.

FR.2: Risk Management (subsection rating 3.6)

Q: Formal or informal risk assessment was conducted, and how long ago? Rating: 3
Response: Informal assessments (brainstorming) have been done every year.
Further actions: Review reports.

Q: Risk assessment was comprehensive in scope and aligned with program scope. Rating: 8
Response: Limited to HQ, data center, and office areas only.

Q: A qualified risk expert(s) assisted with the risk assessment. Rating: 2
Response: The BC coordinator conducted the risk assessment with key staff involvement.
Recommendation: Recommend obtaining qualified experts' assistance to review and conduct threat and risk assessments.

Q: All potential threats were considered. Rating: 2
Response: As many as we could determine.
Further actions: Review the list of threats and the company's exposure. (Not all threats were considered.)

Q: Assessment was based on a sound and proven method. Rating: 3
Response: Yes.
Further actions: Review methods used. Quantitative vs. qualitative approach. Is there a sound basis for calculating threat probabilities? (The risk assessment is based on a qualitative and informal approach.)

Q: Top management reviewed the threats and risks. Rating: 3
Response: CIO and senior business unit managers only.

Q: Company's appetite for risk identified and approved. Rating: 4
Response: Not formally.

Q: Both regional and local threats were considered. Rating: 3
Response: Local threats mostly, but some regional.

Q: Existing risk controls were considered. Rating: 5
Response: Yes.

Q: Management concurs with Risk Assessment findings. Rating: 3
Response: CIO and senior business unit managers have reviewed the findings but have not provided feedback on concurrence.

FR.3: BIA (subsection rating 8.6667)
Further actions: Review BIA findings.

Rated 9 with response "Yes": A formal BIA was conducted; Scope of the BIA is consistent with program scope; Representatives from all areas of business within scope participated in the BIA; Critical business processes have been identified; Financial losses analyzed; Operational impacts analyzed; Worst-case assumptions were used; Maximum Tolerable Downtime identified; RTO identified; RPO identified; Critical systems and applications identified; Qualified experts conducted the BIA; Management is aware of and concurs with BIA results.

Q: How long ago was it completed? Rating: 9
Response: 3 months ago.

Q: Key concerns and issues captured and addressed. Rating: 4
Response: Yes.

FR.4: Offsite Data Storage (subsection rating 5.5)

Q: Offsite storage requirements analyzed thoroughly. Rating: 6
Q: When were requirements last analyzed? Rating: 7
Q: Scope of storage requirements is consistent with program scope. Rating: 8
Responses recorded for these three questions, in order: Partially, through the BIA. The IT department has a list of backup data requirements. We back up both critical and non-critical applications and data.
Further actions: Find out which backup vendor they use. Assess the vendor's service reliability. (Storage Mountain.)

Q: Data backup requirements are known for all critical applications and systems. Rating: 9
Q: Gaps in backup frequency are analyzed. Rating: 9
Q: Backup frequency established for all critical data. Rating: 9
Responses recorded for these three questions, in order: We now have different RPOs. Yes. Yes, through the BIA.

Q: Backup media type requirements are known. Rating: 4
Response: Right now it is all on tapes.
Further actions: Find out if anyone uses media other than tape. Some users still use CDs to store data on their PCs. We didn't see this on the list of data backup requirements from IT.

Q: Safe handling and storage requirements documented. Rating: 2
Response: No.
Recommendation: Assess safe handling and storage requirements.

Q: Data integrity testing requirements are known. Rating: 1
Response: No.
Recommendation: Assess data integrity test requirements.

Q: Data classification and security requirements are documented. Rating: 1
Response: No.
Further actions: Check to see if there is any sensitive data. (Clients' credit card information is stored along with their address information.)
Recommendation: Assess data classification and security requirements.

Q: Storage media retention period documented. Rating: 1
Response: No. But we recycle the tapes from time to time.

Q: Backup tool/software requirements are known. Rating: 9
Response: We currently use IBM's Tivoli Storage Manager.

FR.5: Work Area (subsection rating 6)

Q: Requirements for alternate work area are analyzed and documented (space, personnel, equipment, facilities, etc.). Rating: 8
Response: Our Canadian site may be sufficient as a work area until we get the more permanent work site with SunGard.

Q: Requirements are aligned with BIA findings in terms of critical business units and applications.
Response: Workstation requirements are aligned with critical applications.

Q: Space requirements are known.
Response: No.
Further actions: They have work area requirements in terms of the number of workstations needed. Work out the detailed work area space requirements.

Q: Support personnel are known.
Response: Yes. We know the key staff from the business areas needed in the recovery.

Q: Workstation requirements are known.
Response: Yes.

Q: Network connectivity requirements are known.
Response: Yes.

Q: Non-IT resource requirements are known (faxes, copiers, etc.).
Response: No. We will rely on whatever is available at the Canadian site.
Further actions: Work out the non-IT work area requirements for the long-term recovery strategy.

Ratings recorded for the questions after the first, in the order extracted (one question is unrated): 9, 9, 1, 8, 1.

FR.6: Crisis Management Center (CMC) (subsection rating 2.3)

Q: Requirements for CMC are analyzed and documented (space, personnel, equipment, facilities, etc.). Rating: 2
Response: An Emergency Operations Center (EOC) already exists as part of the Emergency Response Plan.
Further actions: Verify if the BC plan is very closely integrated with the EOC. (The EOC team has not yet assessed the specific BC response requirements. There is an assumption that the current design of the EOC will be sufficient to include BC response activities.)
Recommendation: Assess BC-related CMT requirements and determine if the current EOC design is sufficient.

Q: Requirements for crisis management center are analyzed and documented (space, equipment, facilities, etc.). Rating: 2
Response: We expect to use the EOC.

Q: Workstation requirements. Rating: 4
Response: We will need a workstation for each member of the CM Team.
Further actions: Find out if the planning tool is included in this requirement. (Not yet, since they have not purchased the tool.)

Q: Connectivity requirements. Rating: 2
Response: No.

Q: Non-IT resource requirements. Rating: 2
Response: No.

FR.7: Personnel (subsection rating 1.8)

Q: Are detailed requirements for personnel covered?
Response: No.

Q: Contractors required. Rating: 5
Response: No.
Further actions: Find out if they have contractors. (The IT department has several contractors that support critical applications.)
Recommendation: Include BC-related support requirements in contractor agreements.

Q: Contract agreement includes support during the recovery period. Rating: 1
Response: No. But we assume that they will help us out.

Q: Temporary help required. Rating: 1
Response: Only if full-time staff are not available.
Recommendation: Identify specific temporary staff requirements to help with the recovery effort.

Q: Detailed skill requirements for recovery staff. Rating: 1
Response: No.
Recommendation: Identify detailed skill requirements for key recovery staff.

Q: Pay requirements. Rating: 1
Response: We have started talking with HR on salary requirements during a disaster recovery period. HR wants to talk to Senior Management first on this issue.
Recommendation: Develop pay requirements for recovery staff during a disaster.

Q: Union rules and policies are part of the requirements. Rating: 1
Response: The company is unionized but they have not been involved in the BC effort.
Recommendation: Work with the workers' union to evaluate the impact of rules and regulations on the BC team and staff in general.

Q: Government labor laws are accounted for in the requirements. Rating: 1
Response: No.
Recommendation: Work with HR to evaluate labor laws and their impact on the recovery team and their recovery assistance.

Q: Travel requirements are known. Rating: 8
Response: Yes. Team members are expected to travel to the Canadian site and each is given a checklist.

Q: Do you have BC team insurance coverage? Rating: 0
Response: No.
Recommendation: Evaluate insurance requirements for the BC team.

FR.8: Critical Records (subsection rating 5.5)

Q: Critical records recovery is part of the BC program. Rating: 4
Response: It is the responsibility of business units.
Further actions: It seems like IT recovery has been the biggest focus so far. Check to see if critical records are part of the BC Project Plan. (Not covered.) But the business unit recovery assessment shows that some units do have a critical record recovery program. Are there electronic records that are critical? (Yes, but they are not backed up.)
Recommendation: Critical records should not be the responsibility of business units alone; assign someone with central responsibility for coordinating critical record continuity.

Q: Critical records inventory exists. Rating: 4
Response: Business units maintain their own records inventory. Critical paper records are stored with laptops to Iron Mountain.
Further actions: Assess electronic record recovery requirements.

Q: Records are categorized (vital, important, useful, etc.). Rating: 7
Response: Yes.

Q: Inventory includes title of record, ownership, content type, users, etc. Rating: 7
Response: Yes.

Q: Record retention period determined. Rating: 5
Response: No. It is mostly paper based.

Q: Inventory includes information on backup frequency. Rating: 6
Response: It is all done weekly.

Q: Inventory includes media storage type and capacity. Rating: 5
Response: Yes.

Q: Requirements for document scanning assessed. Rating: 0
Response: No. We don't have any document management system.

Q: Requirements for a Document Management System analyzed. Rating: 0
Response: No. We don't have any document management system other than Iron Mountain Connect.
Recommendation: Suggest investigating a document management system tool.

Q: Requirement for local storage assessed. Rating: 0
Response: No.

Q: Requirement for remote storage assessed. Rating: 6
Response: Yes.

Q: Security requirements are documented. Rating: 7
Response: Yes.

Q: Safe handling procedures are documented. Rating: 7
Response: Yes.

FR.9: SLA and Contract Requirements (subsection rating 7.4)

Q: SLAs and contracts identified. Rating: 9
Response: SLAs with data communication services and voice services. There is also a pending SLA with our key client. We also have contracts in place with our data backup vendor. A contract is also in place for quick-ship of a server.

Q: Points of contact are documented. Rating: 9
Response: Yes.
Further actions: Internal procurement procedures are well structured and controlled. Review the guidelines.

Q: General requirements and obligations analyzed. Rating: 9
Response: Yes. We follow internal contract guidelines.

Q: Quality of service and performance requirements are documented. Rating: 9
Response: Yes.

Q: Worst-case noncompliance scenarios and impacts assessed. Rating: 1
Response: No. It is not part of our internal guideline.
Recommendation: Include clauses (penalties) in SLAs and contracts for worst-case noncompliance scenarios.

FR.10: External Coordination (subsection rating 4.75)

Q: All external coordination requirements analyzed: first responders and local authorities. Rating: 6
Response: Through ERP only.
Further actions: Review ERP for external coordination and find out if it includes BC coordination. (Not very tight integration of BC and ERP.)
Recommendation: Develop a closer integration of BC with ERP. Include a member of ERP in BC and vice versa.

Q: Coordination requirements documented for suppliers.
Response: Not in scope.

Q: Coordination requirements documented for distributors.
Response: Not in scope.

Q: Coordination requirements documented for labor unions. Rating: 0
Response: No.
Further actions: Review labour union rules and contracts.
Recommendation: Include a labour union representative in the BC team.

Q: Coordination requirements documented for service providers. Rating: 9
Response: Yes. We already have SLAs for WAN, Internet, and voice services.
Further actions: Review SLAs to see coordination points. Check points of contact, SLA review dates, meetings, etc.

Q: Coordination requirements documented for clients and customers. Rating: 6
Response: It is part of ERP.
Further actions: Review ERP for external coordination and find out if it includes BC coordination.

Q: Coordination requirements documented for landlords and building management. Rating: 1
Response: We only have one building in the area leased, but we have not coordinated with the landlord. ERP does not include landlord coordination.
Recommendation: Recommend establishing disaster coordination with landlords and building management.

Q: Coordination requirements documented for the insurance company. Rating: 3
Response: Insurance documents are attached to our Interim BC plan.
Further actions: Review insurance documents.
Recommendation: Recommend communication and coordination with insurance agents and adjusters.

Q: Recovery vendors. Rating: 8
Response: The mutual agreement includes coordination information, but we also have coordination information with SunGard.

Q: Data backup vendors. Rating: 5
Response: So far there hasn't been any major problem with coordination with the backup vendor. We have a yearly contract in place. We deal with issues as they arise.
Recommendation: Recommend better coordination with the data backup vendor.

FR.11: Training and Awareness (subsection rating 6.5)

Q: Training and awareness is part of the BC Program. Rating: 8
Response: Our BC coordinator and her assistant have been to BC conferences and training courses. The BC coordinator has documented the need for training and awareness.

Q: Personnel requiring training identified. Rating: 6
Response: BC team members only.
Further actions: Assess requirements for personnel outside of the BC teams.

Q: Experience levels assessed. Rating: 6
Response: No. The focus of training is primarily on BC team members.

Q: Training needs documented. Rating: 6
Response: Yes. Only for BC team members.

FR.12: Salvage & Restoration (subsection rating 0)

Q: All critical resources for salvage and restoration identified. Rating: 0
Response: Critical documents are the responsibility of business units.

Q: Physical areas and buildings for salvage and restoration assessed. Rating: 0
Response: Facilities is responsible for this.

Q: Salvage and restoration scenarios for critical resources and areas assessed. Rating: 0
Response: No.

Recommendation: Recommend evaluating and documenting salvage and restoration requirements.

FR.13: Insurance Requirements (subsection rating 3.5)

Q: Disaster insurance exists, and who is responsible for its purchase internally? Rating: 3
Response: We have a standard disaster clause in our insurance policy; Finance is responsible for it.
Further actions: Review the insurance policy for comprehensive disaster coverage.

Q: Insurance purchase process is integrated with the BC program. Rating: 0
Response: No.
Recommendation: Integrate the insurance purchase process with the BC program.

Q: Insurance requirements to report and claim a disaster are known. Rating: 0
Response: No.
Recommendation: Determine the insurance claim process.

Q: Secondary sites' insurance requirements. Rating: 7
Response: Covered by the recovery vendor.

FR.14: BC Tools (subsection rating 5)
Recommendation: Assess document/record management system tool requirements.

Q: BC tools and software requirements are known. Rating: 5
Response: Yes. We need a tool that is web based and allows business unit plans and integration of IT and ERP. Easy to maintain and learn. Security is also important.

Q: High-level descriptions of the tool's features and capabilities are identified. Rating: 6
Response: Yes.

Q: Tools have been researched and compared. Rating: 8
Response: We have evaluated four different tools.

Q: Support staff resource requirements have been analyzed. Rating: 1
Response: No.
Recommendation: Assess requirements for tool admin/support staff.

FR.15: Assembly Location (subsection rating 2.75)

Q: Assembly location requirements identified. Rating: 4
Response: ERP specifies the assembly location.
Further actions: Find out if it was used in the last plan test. (Yes. We were not able to get everyone into the assembly location due to fire and safety regulations.)

Q: Assembly location capacity requirements are known. Rating: 1
Response: No.
Recommendation: Assess detailed assembly site capacity requirements.

Q: Distance location requirements are known. Rating: 5
Response: About 3 miles away from the primary site.
Further actions: Do you have another site in case this assembly site is not available? (Yes, the EOC.)
Recommendation: Recommend assessing requirements for a tertiary assembly location.

Q: Ability of personnel to travel and meet at the Assembly Location analyzed. Rating: 1
Response: Not specifically for BC team members.
Recommendation: Assess detailed travel and accessibility requirements for BC team members.

DD: Design and Development
Columns: Questions | Rating | Response and Conclusion | Further Actions | Recommendations

DD.1: General Assessment
Questions (no rating or response recorded): Designs and development completed; Designs have been documented; Designs have been reviewed by senior management; Designs have been approved; Budget is reviewed and approved.

DD.2: Risk Controls (subsection rating 3)
Note: See the Risk Assessment Word file for additional assessment. Problems in this stage are due to weaknesses in the previous functional requirements process.
Recommendation: Initiate a risk assessment and management project with the help of a risk management expert and full management support.

Q: Risk control design is part of the BC Program. Rating: 5
Response: Yes.

Q: Control options have been researched and analyzed. Rating: 3
Response: Yes. We can do a lot more given more time and resources.
Further actions: Not all control options have been researched and analyzed.

Q: Qualified risk expert(s) assisted with the risk control designs. Rating: 1
Response: No.

Q: Cost of options has been compared. Rating: 2
Response: Only for some threats.
Further actions: Find out the reasons. (Lack of resources and time.)

Q: Residual risks are known. Rating: 1
Response: No.

Q: Top management reviewed the risk control options and residual risks. Rating: 3
Response: Not the residual risk.

Q: Top management selected the best options for implementation. Rating: 3
Response: For some options.

Q: Top management has approved the budget for control option implementation. Rating: 3
Response: For some options.

DD.3: IT Systems Recovery Strategy (subsection rating 5.30769)
Note: Focus on long-term strategy.
Overall: The design is aligned with the requirements, but there are still some gaps and room for improvement. Examples: generic applications such as email are not part of the recovery strategy; drop-ship of the billing system server; the ability of people to get to the recovery site on time. The email strategy is missing.

Q: Appropriate recovery strategies exist for all critical IT systems and applications. Rating: 4
Response: Yes. Completed the strategy design stages.

Q: Alternate site strategies exist. Rating: 7
Response: Yes.

Q: Quick-ship strategies exist. Rating: 7
Response: Yes, for some systems.

Q: Recovery strategies are aligned with RTO values. Rating: 8
Response: Partially.

Q: Cost versus RTO trade-off analyzed. Rating: 5
Response: Partially.

Q: Effort requirements analyzed. Rating: 3
Response: No.

Q: Control requirements analyzed. Rating: 8
Response: Yes. With the alternate site we have more control over the IT infrastructure.

Q: Reliability requirements analyzed. Rating: 3
Response: We are counting on the recovery vendor for that.
Recommendation: Recommend a tertiary site.

Q: Strategies aligned with system capacity requirements. Rating: 5
Response: Alternate systems have more capacity than our production environment.

Q: Strategies aligned with system performance requirements. Rating: 7
Response: Yes.

Q: Strategies aligned with system configuration requirements. Rating: 3
Response: There are some configuration compatibility issues.
Recommendation: Recommend testing compatibility issues.

Q: Recovery systems and primary systems are exact in type, configuration, capacity, etc. Rating: 5
Response: No. But they are compatible.
Recommendation: Recommend testing compatibility issues.

Q: Flexibility in upgrading the recovery systems to match primary system upgrades. Rating: 4
Response: We don't know. We will include it in the contract agreement with the vendor.
Recommendation: Recommend inclusion in the contract of upgrade flexibility for recovery systems.

DD.4: Alternate IT Recovery Site (subsection rating 6.82353)

Q: Alternate site meets the strategy requirements for IT systems/servers/networks. Rating: 8
Response: Yes.

Q: Unlikely to be affected by the same disaster. Rating: 8
Response: Yes. Particularly a regional disaster.

Q: Located outside of local area threats. Rating: 8
Response: Yes.

Q: Located outside of regional area threats. Rating: 8
Response: Yes.

Q: Alternate travel routes exist. Rating: 8
Response: Yes.

Q: Floor plan exists. Rating: 8
Response: Yes.

Q: A comprehensive and validated BC Program exists for the Alternate Recovery Site. Rating: 7
Response: Yes.
Further actions: Review their BC program even though they are reputable and reliable.

Q: Secondary power generator/supply exists. Rating: 9
Response: Yes.
Further actions: Has anybody visually inspected the power supply? (Part of the tour.)

Q: Technical support is available at the alternate site. Rating: 8
Response: Yes.

Q: Supports connectivity to the primary site. Rating: 7
Response: Yes.

Q: Supports connectivity to work areas. Rating: 9
Response: Well connected. The work area and IT recovery area are with the same vendor.

Q: Sufficient security exists at the alternate site. Rating: 5
Response: Yes.
Further actions: Find out if the servers and systems are shared by other clients of the vendor. (Yes, they are.) Find out if there are clauses in the contract that may deny access. (Yes, there are.) Find out if there are reasons for having complete control. (None.)
Recommendation: Involve the IT security department in the secure design; suggest development of security policy and procedures before, during, and after disaster situations. Recommend creating a tertiary recovery site.

Q: Access to the recovery area is guaranteed in case of recovery need. Rating: 4
Response: It is on a first-come, first-served basis.

Q: Organization has sufficient control over the recovery area and its resources. Rating: 4
Response: Partial.

Q: Meeting areas exist. Rating: 2
Response: Yes, but it will cost more.

Q: Basic facilities exist (HVAC, bathrooms, etc.). Rating: 6
Response: Yes.

Q: Close proximity to accommodation and food services/restaurants, banks, etc. Rating: 7
Response: Yes.

19

Questions

Rating

Response and Conclusion

Further Actions

Recommendations

DD.5: A Tertiary Recovery Site
Section rating: 0
A tertiary recovery site exists with sufficient recovery capabilities and capacities: rating 0; response: No.
Is it used for backup of data from the secondary site: rating 0; response: No.
Is it used for recovery of all systems at the secondary site: rating 0; response: No.
Recommendation: We recommend the use of a tertiary recovery site.

DD.6: Offsite Data Storage
Questions:
  Backup strategies are aligned with RPO requirements
  What is the method of data backup:
    Data is replicated to servers at the recovery site
    Data is backed up through tape media
    Data is backed up through electronic vaulting
  Cost versus recovery strategy options analyzed
  Backup method is reliable and dependable
  All data required for recovery is backed up
  Backup tools/software exist and their capabilities are compatible with backup strategies
  Sufficient backup media capacity exists at the storage facility
  Strategies exist for remote backup during the recovery period
  Facilities exist to ship backup data to recovery sites in time to meet RTO requirements
  Safe handling and storage procedures documented
  Data integrity testing procedures are documented


DD.6: Offsite Data Storage (continued)
  Data classification and security procedures and guidelines are documented
  Storage media retention procedures are documented
  Cost and budget for the above are estimated

DD.7: Critical Record Storage Area
Section rating: 4.66783
Questions:
  Internal facilities/areas exist to store critical documents
  Internal facilities meet the fire and water protection requirements
  Internal facilities meet the security requirements
  External facilities/areas exist to store critical documents
  External facilities meet the heat, humidity, and other climate control requirements
  External record storage facility is under the management and control of qualified personnel
  External facilities meet the security requirements
  External facility can ship the records to work areas/primary site within the required time-frame
  External facility supports 24x7 operations
  Appropriate record management system is reviewed and assessed
  Critical record management procedures are developed and are aligned with the requirements
Ratings (in order): 2 0 0 7 7 7 7 7 7 8
Responses (in order): They are stored in filing cabinets by the business units themselves. No. No. Yes; Iron Mountain, for paper documents only. Yes. Yes. Yes. Yes. Yes; we are using the Iron Mountain Connect™ portal to track and retrieve documents. Yes.
Further action: Is Iron Mountain Connect set up for laptop access in the event of a disruption? (No)
Recommendation: Implement an internal critical document/record management group and facility in addition to a remote storage site.

DD.8: Alternate Work Area
Section rating: 4.68182
Recommendation: Expedite design and development of a long-term alternate work area.
Alternate work areas exist (contracted, company owned, reciprocal?): rating 4; response: Plan to contract out the work area from SunGard. We will use the Canadian site as an interim solution.
Alternate work area meets the BIA and functional requirements for recovery personnel: rating 0; response: N/A
Acquisition strategy for workstations and servers in the work area is consistent with BIA and other business process requirements: rating 0; response: N/A
Floor plan exists: rating 0; response: N/A
Non-IT resource acquisition strategy is in place (faxes, copiers, etc.): rating 0; response: No.
Site is unlikely to be affected by the same disaster: rating 7; response: Yes.
Located outside of local area threats: rating 7; response: Yes.
Located outside of regional area threats: rating 7; response: Yes.
Alternate travel routes exist: rating 7; response: Yes.
A comprehensive and validated BC program exists for the work area: rating 3; response: Don't know.
Secondary power generator/supply exists: rating 8; response: Yes.
Technical support is available at the alternate work site: rating 2; response: Don't know.
Supports connectivity to the primary site: rating 8; response: Yes.
Supports connectivity to alternate IT recovery sites: rating 8; response: Yes.
Work area is expandable depending on the need: rating 2; response: Don't know.
Sufficient security exists at the alternate work site: rating 8; response: Yes.
Contains sufficient floor space for workstations, IT infrastructure and end users: rating 2; response: Don't know.
Designed to support usage 24x7: rating 7; response: Yes.
Organization has sufficient control over the work area and its resources: rating 2; response: Don't know.
Meeting areas exist: rating 7; response: Yes.
Basic facilities exist (HVAC, bathrooms, etc.): rating 7; response: Yes.
Close proximity to accommodation and food services/restaurants, banks, etc.: rating 7; response: Yes.

DD.9: Crisis Management Center (CMC)
Section rating: 7.25
Further action: Evaluate whether or not the EOC meets the BC requirements.
CMC design meets the requirements for space, personnel, equipment, facilities, etc.: rating 9; response: The EOC will be used as the CMC. The first location is a leased site 30 miles away from HQ. The alternate location is a hotel meeting room, to be decided at the time of disaster.
Location is easily accessible for the Crisis Management Team (CMT) and does not share a single point of failure with the primary site: rating 9; response: Yes.
Reliable and dependable: rating 9; response: Yes.
CMC meets the IT requirements (workstations, laptops, printers, etc.): rating 3; response: Don't know about BC requirements.
CMC meets the non-IT requirements (faxes, copiers, presentation tools, etc.): rating 8; response: Yes.
CMC meets the voice connectivity requirements: rating 3; response: Don't know about BC requirements.
CMC meets the data connectivity requirements: rating 3; response: Don't know about BC requirements.
Designed to support usage 24x7: rating 9; response: Yes.
Organization has sufficient control over the work area and its resources: rating 9; response: Yes.
Meeting areas exist: rating 9; response: Yes.
Basic facilities exist (HVAC, bathrooms, etc.): rating 8; response: Yes.
Close proximity to accommodation and food services/restaurants, banks, etc.: rating 8; response: Yes.

DD.10: Assembly Location
Section rating: 5.97619
Further action: Evaluate the design of the assembly location to determine if it meets BC requirements.
Assembly location meets the functional requirements: rating 1; response: Don't know.
Assembly location complies with safety guidelines: rating 8; response: Yes.
Easily accessible, dependable, and expandable: rating 8; response: Yes.
Close proximity to food, accommodation, banks, etc.: rating 8; response: Yes.
Controlled by the organization: rating 3; response: No. MOU with another organization.
Less likely to be affected by the same local disaster: rating 8; response: Likely to be affected by a local or regional disaster, but we have the EOC as an alternate.

DD.11: Data Communication Services
Section rating: 5.83333
Conclusion: The design overall meets the continuity requirements but needs some additional improvements.
Questions:
  Designs for data communication and networking services are complete
  Design takes into account single point of failure concerns and communication redundancy requirements
  Different transmission media are used (wireless, satellite, land lines)
  Network design for the alternate recovery site exists with specifications for connectivity, capacity, throughput, reliability, etc.
  Network design for the work area exists with specifications for connectivity, capacity, throughput, reliability, etc.
  Network design for the data backup site exists with specifications for connectivity, capacity, throughput, reliability, etc.
  Network design for connectivity between primary site, alternate site, data backup site, and work area is complete
  Data transmission security is part of the design
Ratings (in order): 7 2 7 8 4 7
Responses (in order): Yes. We have redundant carrier links. Same medium. Yes. Yes. IT has all that worked out. Yes. IT has all that worked out. It is complete except for the work area, which is planned to be completed in six weeks. Yes.
Further actions: Review design documents. Do the redundant carrier links go through the same conduit to the building? (Yes)
Recommendation: Review the data link for improving redundancy and removing single points of failure.

DD.12: Voice Communication
Section rating: 6.6
Conclusion: The design overall meets the continuity requirements but needs some additional improvements.
Questions:
  Strategies are developed for redundancy of voice communication
  Design takes into account single points of failure
  Design takes into account rerouting of critical phone numbers
  Design includes different communication media (cables, satellite, wireless, etc.)
  Design takes into account bandwidth requirements
  Design takes into account work area requirements
  Design takes into account CMT requirements
  Design takes into account recovery site requirements
Ratings (in order): 9 9 3 6 6
Responses (in order): The voice service provider has provided multiple voice lines going through redundant exchange routes. Yes. We have the capability to reroute the 1-800 numbers that customers use. No. They are all land lines. Yes. Yes. Yes. Yes.
Recommendation: Provide additional redundancy by combining voice communication media.

DD.13: Work around Procedures
Section rating: 3.86111
Response: See business process audit file.
Recommendation: Ensure work around procedures for all critical areas are complete and documented in a consistent format.
Questions:
  Work around procedures are documented for all critical business units and processes
  Each work around procedure clearly specifies its objectives and scope
  Each work around procedure clearly specifies the conditions for invoking the procedure
  Each work around procedure clearly specifies the tasks to be performed and the resources required, including critical records
  Each work around procedure clearly specifies task dependencies
  Work around procedures include recovery of lost data
Ratings (in order): 3 3 3 3 6
Responses (in order): Most have them documented. Some do and some don't. Some do and some don't. Yes. Some do and some don't. Yes.

DD.14: Training and Awareness
Section rating: 5.16667
Recommendations: Assign training and awareness responsibility to a staff member. Review the current training and awareness design for additional improvements.
Questions:
  Training and awareness program is designed and developed
  Training database/site designed and developed
  Training methods and services selected
  Training schedule prepared
  Awareness plan developed
  Training evaluation process designed and developed
  Training responsibilities assigned
Ratings (in order): 7 4 1 9 2 8
Responses (in order): We have an intranet site for business continuity which provides training documents and general information. We plan to have onsite training on a regular basis. No. We currently have an internal BC monthly newsletter. No. We are currently talking to the HR training department to take on this task.

DD.15: Salvage and Restoration
Section rating: 0
Response: See comments from functional requirements.
Recommendation: The design and development for salvage and restoration must be based on the functional requirements once they are completed.
Questions:
  All critical resources for salvage and restoration identified
  Physical areas and buildings for salvage and restoration assessed
  Types of damage to critical resources and areas assessed
  Salvage and restoration experts and contractors identified and contacted
  Requirements and cost discussed with salvage and restoration contractors
  Contractors are selected

DD.16: Program Budget
Questions:
  Detailed budget established
  Percentage of the IT budget or overall revenue
  Detailed budget and spending established for individual projects
  Detailed budget and spending established for hiring staff
  Detailed budget and spending established for contracts
  Detailed budget established for recovery resources and services
  Detailed budget established for BC tools
  Detailed budget established for training and awareness


PP: Program Implementation
Questions Rating Response and Conclusion Further Actions Recommendations

PI.1: Risk Controls
  All risk controls have been implemented
  Implementation project plans exist and are approved
  Percentage implemented
PI.2: IT Recovery Systems
  Alternate IT systems purchased or leased
  Quick-ship strategies implemented
  Percentage completed
PI.3: Alternate IT Recovery Site
  Alternate IT recovery site completed
  Alternate IT site inspected and approved for use
  Percentage completed
Ratings for PI.1 to PI.3 (in order): 3 6 8 8 8 9
Responses and conclusions for PI.1 to PI.3 (in order): Problems in this stage are due to weaknesses in the functional requirements process. See the recommendations in Design and Development. Some have been implemented, including the secondary power generator. We have plans to continue implementation of risk controls. Most systems are in place, and plans are in place to acquire the rest. Email systems recovery capability is not in place. Yes. Currently talking to the vendor. The IT recovery site is in the final stages of complete implementation. Yes. SunGard. Yes. 90 percent. 30 percent.

PI.4: A Tertiary Recovery Site
Tertiary site completed: response: No.
Tertiary site inspected and approved for use: response: No.
Percentage completed: response: N/A


PI.5: Offsite Data Storage
Section rating: 5
Conclusion: The backup site is currently in use. Backup frequency needs adjustments.
Questions:
  Remote backup site is complete
  Data backup process to the remote site has started
  Percentage completed
Ratings (in order): 8 2
Responses (in order): Yes. Yes. 90 percent.

PI.6: Critical Record Storage
Questions:
  Remote record backup site is complete
  Remote record backup process has started
  Percentage completed
PI.7: Alternate Work Area
Recommendation: Expedite design and development of a long-term alternate work area.
Questions:
  Alternate work areas exist (contracted, company owned, reciprocal?)
  Work area inspected and approved
  Percentage completed
PI.8: Crisis Management Center (CMC)
Questions:
  CMC exists
  CMC inspected and approved
  Percentage completed
PI.9: Assembly Location
Questions:
  Assembly sites exist
  Assembly sites inspected and approved
  Percentage completed
Ratings for PI.6 to PI.9 (in order): 5 4 4 3 4 7 7 7 7
Responses for PI.6 to PI.9 (in order): Implemented for document records only. It is remote only. There is no internal storage process or system. Yes. 50. Yes. Currently at the Canadian site, but later at SunGard. Partially. 50. The EOC will be used as the CMC. The first location is a leased site 30 miles away from HQ. The alternate location is a hotel meeting room to be. Yes. Yes. 100. Assembly location is in place. Yes. Yes. 100.

PI.10: Data Communication Services
Rating: 8
Data communication and networking services are complete: response: Yes
Connectivity between primary site and alternate IT recovery site is complete: response: Yes
Connectivity between primary site and data backup site is complete: response: Yes
Connectivity between alternate IT site and work area is complete: response: Yes
Connectivity between CMC and alternate IT site is complete: response: Yes
Connectivity between CMC and alternate work area is complete: response: Yes
Percentage complete: 80

PI.11: Voice Communication
Ratings (in order): 8 8 8
VC infrastructure and services are complete: response: Yes.
Percentage completed: 80

PI.12: Training and Awareness
Section rating: 2
Recommendation: Expedite initiation of the training and awareness program.
Training and awareness program activated: response: Not fully.
Percentage implemented: response: 10 percent.

PI.13: BC Tools
Ratings (in order): 2 2 2
Recommendation: Expedite tool evaluation to begin tool usage and deployment.
BC tool is purchased: response: No. We are still evaluating tools.
Tool training is complete
Plans and information from paper/computer sources have been imported into the tool
Security and access control is in place
BC tool is deployed
A dedicated staff manages and maintains the BC tool
Team members have access to the tool
Percentage complete

PI.14: Salvage and Restoration
Section rating: 0
Conclusion: Salvage and restoration is not yet included in the BCP.
Salvage and restoration contracts are in place: rating 0; response: No.
Salvage and restoration procedures are documented: rating 0; response: No.
Percentage complete

PI.15: Personnel
Section rating: 4
Are all required personnel hired: rating 5; response: Most have been hired, but we are still waiting to hire two more staff reporting to the Coordinator.
Responsibilities assigned to personnel: rating 5; response: Mostly assigned.
BC team insurance purchased: rating 0; response: No.
Percentage complete: rating 4; response: 60

PI.16: SLA and Contracts
Section rating: 7
SLAs have been negotiated and implemented: rating 6; response: The key SLAs are in place.
Contracts have been negotiated and implemented: rating 6; response: Yes. The work area contract is under review.
Percentage complete: rating 7; response: 80

PI.17: BC Plan Document
Plan document is complete
Executive Summary
Plan components: Objective; Scope; Assumptions; Constraints and limitations; Risk Assessment; BIA; Recovery Strategies; Plan Execution phases; BC Team Structure; Contact List; Call Tree; Alternate contacts; Contact Procedures; Disaster Definition; Disaster Declaration Procedures; Service Level Agreements; Insurance policy; Critical resource inventory; Critical Staff; Crisis Communication Plan; Emergency Response Plan; Business unit plans; Disaster Recovery Plan; Recovery site information; Data backup procedures; Data backup site information; Critical record backup procedures; Critical record backup site information; Critical record recovery procedures; Plan execution logistic procedures; Security requirements and procedures; Recovery logistics; Team responsibilities; Salvage and Restoration procedures; IT recovery procedures; Data network recovery procedures; Voice communication recovery procedures; Work area site information; Work area recovery procedures; Critical service recovery procedures; Assembly location procedure; Assembly location information; Crisis management center or EOC information; Plan execution timeline and schedule; Disaster scenarios and recovery procedures; BC Plan change controls; BC plan distribution list; BC plan appendices


PT: Plan Testing
Questions Rating Response and Conclusion Further Actions Recommendations

PT.1: BC Plan Testing
Section rating: 3.714285714
Test plans exist for testing the BC plan: rating 6; response: Interim plans have been tested.
Test objectives cover all essential elements of the BC plan: rating 2; response: No. It is missing testing of key business areas.
Types of testing conducted so far: rating 2; response: Table top and some systems at the hot site.
Types of testing planned for the future: rating 7; response: Hot site testing of all systems.
Test scenarios are realistic: rating 1; response: No real scenarios have been tested.
Tests have been completed for all required parts of the BC plan: rating 3; response: No. It is missing testing of key business areas.
Tests have been conducted according to test plans: rating 5; response: Yes.
Further actions: No testing of notification procedures, EOC location, work areas, etc.
Recommendations: Recommend testing of notification procedures, the EOC, and work areas. Conduct likely scenario-based testing. Conduct testing of all key aspects of the BC plan.

PT.2: Test Evaluation
Section rating: 8
Conclusion: Tests have been evaluated well, particularly for hot site testing. Evaluation included lessons learned. Many issues related to hot site vendor support and coordination were identified and resolved. This is one of the strength areas; a good test evaluation process is in place.
Test results have been evaluated: rating 8
What criteria were used to evaluate tests: rating 8
Testing met all of the test objectives: rating 8
What were the strengths identified by the test: rating 8
What were the weaknesses identified by the test: rating 8

PT.3: BC Plan Approval
Section rating: 4
Conclusion: The long-term plan document is not yet complete.
BC Plan is approved
BC Plan is approved by program sponsor and BC steering committee
BC plan is distributed to all staff and personnel on the distribution list

PT.4: BC Plan Document
Which parts of the plan below have been tested? Objective; Scope; Assumptions; Constraints and limitations; Risk Assessment; BIA; Recovery Strategies; Plan Execution phases; BC Team Structure; Contact List; Call Tree; Alternate contacts; Contact Procedures; Disaster Definition; Disaster Declaration Procedures; Service Level Agreements; Insurance policy; Critical resource inventory; Critical Staff; Crisis Communication Plan; Emergency Response Plan; Business unit plans; Disaster Recovery Plan; Recovery site information; Data backup procedures; Data backup site information; Critical record backup procedures; Critical record backup site information; Critical record recovery procedures; Plan execution logistic procedures; Security requirements and procedures; Recovery logistics; Team responsibilities; Salvage and Restoration procedures; IT recovery procedures; Data network recovery procedures; Voice communication recovery procedures; Work area site information; Work area recovery procedures; Critical service recovery procedures; Assembly location procedure; Assembly location information; Crisis management center or EOC information; Plan execution timeline and schedule; Disaster scenarios and recovery procedures; BC Plan change controls


PM: Program Management
Questions Rating Response and Conclusion Further Actions Recommendations

PM.1: Primary Site Change Monitoring
Section rating: 3.143
Recommendation: Extend change management beyond IT-related changes.
Questions:
  Process is in place to monitor changes
  IT-level changes are monitored
  Business process changes are monitored
  Critical record changes are monitored
  People changes are monitored
  Critical resource related changes are monitored
  Critical services related changes are monitored
Ratings (in order): 4 4 1 4 3 3 3
Responses (in order): Yes. The BC Coordinator monitors all changes by attending all IT change management meetings. Yes. Through IT change management. Not at this time. By business units only. Business units have people assigned to this task. We have been talking to HR to keep us in the loop. Not at this time. Yes. We plan to go through a regular review of service and resource related changes.

PM.2: Recovery Site Change Monitoring
Section rating: 3
Recommendation: Implement a proactive process for monitoring recovery site changes.
Process is in place to monitor changes at the recovery sites: rating 3; response: We expect the vendor to notify us of any changes.
Hardware changes are monitored: rating 3; response: Yes.
Software changes are monitored: rating 3; response: Yes.
Network changes are monitored: rating 3; response: Yes.
Facility changes are monitored: rating 3; response: Yes.
Policy changes are monitored: rating 3; response: Yes.
Security procedures are monitored: rating 3; response: Yes.


PM.3: Contract Management
Section rating: 7
BC related contracts management process established: rating 7; response: The BC coordinator and a procurement representative conduct a frequent review/update of contracts.
Contracts are reviewed on a regular basis: rating 7; response: Yes.
Contracts include maintenance and upgrades: rating 7; response: Yes.
Procurement and legal departments are involved in contract management: rating 7; response: Yes.

PM.4: Risk Controls
Section rating: 3
Risk assessment occurs periodically: rating 3; response: No.
Existing controls are reviewed and inspected on a regular basis: rating 3; response: Facilities is responsible for reviewing physical controls such as the secondary power generator.
Risk experts are involved in the risk assessment and control process: rating 3; response: No.
Risk assessment reports are presented to and reviewed by management: rating 3; response: No.

PM.5: BIA
Section rating: 4
Response: We plan to do it regularly.
Questions:
  BIA is conducted periodically
  Gaps are identified
  Results are reported to and reviewed by management
  Recovery strategy gaps are evaluated

PM.6: IT Systems Recovery Strategy
Section rating: 4
Response: We plan to review it regularly.
Questions:
  Recovery strategies are reviewed regularly
  Alternate sites are inspected for changes and problems
  Quick-ship strategies are reviewed regularly

PM.7: BC Plan Testing
Section rating: 4
Response: We will include it in our program.
Questions:
  A plan exists for regular testing of the BC Plan
  Both minor and major tests are carried out regularly
  Tests are reviewed and evaluated
  Test results are well documented and reported to management
  Test issues are resolved effectively
  Backup data integrity checks are done regularly
  Work around procedures are tested regularly

PM.8: Recovery Vendor's BC Plan Reviews
Section rating: 4
Response: We plan to do it regularly.
Questions:
  Recovery vendors' BC plans are reviewed regularly
  Recovery strategies and capabilities of vendors are reviewed regularly
  BC audit reports of vendors are reviewed

PM.9: Training and Awareness
Response: Currently not in the maintenance stage.
Questions:
  Training and awareness program is monitored, evaluated and updated
  New hire orientation includes BC information
  Program includes learning resource/database
  Program includes newsletters
  Program includes regular BC informational meetings
  Program includes BC tool training


PM.10: Management Process
Section rating: 5
Steering committee is actively involved in the maintenance phase: rating 4; response: The Steering Committee will be established in a few months.
Program sponsor is actively involved in the maintenance phase: rating 8; response: Yes.
BC management meetings are held on weekly, monthly, and quarterly periods: rating 8; response: Weekly with the sponsor and monthly with business unit managers.
Reports from the steering committee are presented to the Board and senior management: rating 4; response: The Steering Committee will be established in a few months.
Rules and regulations are monitored and reviewed: rating 1; response: No.

PM.11: External Coordination
Section rating: 3
Recommendation: Improve external coordination related to the BC plan.
BC plan is coordinated with external public authorities: rating 3; response: Through ERP. Further action: Coordinate with the ERP team to include the BC plan's coordination requirements.
BC plan is coordinated with business partners: rating 1; response: No. Recommendation: Coordinate the BC plan with business partners on a regular basis.
BC plan is coordinated with recovery vendors: rating 7; response: Yes.
Meetings are held regularly to coordinate the BC plan with external entities: rating 1; response: No. Recommendation: Arrange regular meetings with external entities to coordinate BC plan activities.

BC Audits
Questions:
  BC audits are conducted periodically
  BC audits include internal and external auditors
  Audit recommendations are followed through
  Audits are done through expert auditors

PM.12: BC Program Reviews
Section rating: 6.25
BC program is reviewed periodically: rating 7; response: We hold a monthly meeting with all business units to review relevant BC program activities and sections.
BC plan document is reviewed frequently: rating 7; response: The BC coordinator and his team review the plan biweekly.
Review involves all BC team members: rating 7; response: Most team members, depending on what we are discussing at the time.
Results of the reviews are presented to the steering committee and program sponsor: rating 4; response: Not yet. But we present it to our program sponsor.

PM.13: Plan Document Maintenance
Section rating: 5.4
Stored offsite and onsite: rating 6; response: One copy is always with the BC coordinator on a memory card. One copy is with Iron Mountain.
Easily accessible during a disaster: rating 5; response: Yes.
Secured: rating 8; response: Yes. It is encrypted.
Need-to-know list maintained: rating 3; response: No. We have a common distribution list with access to all parts of the plan. Recommendation: Develop a need-to-know distribution list.
Distribution list maintained: rating 5; response: Yes.
Recommendations: Store a copy of the BC document at the hot site. If possible, use a web-based planning tool.


Program Budget
Questions Rating Response and Conclusion Further Actions Recommendations

Program Budget
Section rating: 5.333333
Recommendation: The BC program needs a separate budget; work out a detailed budget for each phase, project, and activity.
Separate annual budget allocated: rating 5; response: It is part of the IT budget. Recommendation: The BC program needs a separate budget and should not simply be part of the IT budget.
Business area supporting the BC Program budget: rating 8; response: Yes. Business managers are very supportive.
Source of budget: rating 3; response: IT
Detailed budget established for BC tools: rating 5; response: Yes. Further action: Does it account for a specific tool and its cost? (We know the tool we want and its cost.)
Questions:
  Overall budget estimates established
  Percentage of BC budget relative to annual revenue
  Overall budget established for individual projects
  Overall budget established for hiring staff
  Overall budget established for contracts
  Overall budget established for recovery resources and services
Ratings (in order): 5 3 7 7 7 3
Responses (in order): We do not have a yearly budget, but last year we spent $240K. The IT budget is about 2%. Last year we spent about 240K on BC beyond people resources. We were allocated $125K originally. Business units have their own budgets for BC activities. We have put in the request to hire two more staff for next year. The budget for contracts will come out of the overall BC budget. Our recovery resource and service budget is mostly part of the overall IT budget.
Further actions: Find out if this budget is outside of the BC budget. Yes, it is outside of the IT budget. Last year approximately 60K was spent on recovery resources and services. Obtain more information.
