Disaster Recovery Planning (DRP)
Business Continuity Planning (BCP)
Binomial International
The Binomial Bookstore
Rothstein Associates Inc.
Business Continuity & Disaster Recovery
THE DISASTER RECOVERY HANDBOOK:
A STEP-BY-STEP PLAN TO ENSURE BUSINESS CONTINUITY AND PROTECT VITAL OPERATIONS, FACILITIES, AND ASSETS
by Michael Wallace and Lawrence Webber
INCLUDES CD-ROM
“Without careful planning, organizations often do not survive major interruptions in the operation of their business. The Disaster Recovery Handbook gives readers proven processes and techniques to develop a disaster recovery plan and protect their organizations in the face of extraordinary circumstances.
“Featuring a CD-ROM with templates for process and skill matrices, contact databases, risk-assessment score sheets, and more, the book gives detailed instructions for:
- Assembling a recovery team
- Building an interim plan
- Setting up an emergency operations center
- Recovering vital records
- And more.
“Filled with practical solutions and immediately usable tools, The Disaster Recovery Handbook gives readers everything they need to keep their businesses running as smoothly as possible after a disaster.”
- - - - - - -
CONTENTS
Foreword
Introduction
PART 1 THE PLAN
This section shows you how to get started with the nuts and bolts of developing your disaster recovery plan.
1 GETTING STARTED: OVERVIEW OF THE PROJECT
Some companies live and breathe proper project planning and the methodical construction of business processes. A team made up of the right people using proper project management processes will help ensure the success of your disaster recovery project.
2 RISK ASSESSMENT: UNDERSTANDING WHAT CAN GO WRONG
A risk assessment is the key to your disaster plan. It identifies what risks you need to address. It breaks your risks into five layers ranging from natural disasters down to a crisis at your desk.
3 BUILD AN INTERIM PLAN: DON’T JUST SIT THERE, DO SOMETHING
Some projects are like a bad lunch: they never seem to go away. What can I do until the plan is completed? This identifies actions that you can do today to assemble a useful interim plan to provide some initial protection. Everything you do here is needed in the final document. If you read no other, at least read this one.
4 EMERGENCY OPERATIONS CENTER: TAKE CONTROL OF THE SITUATION
In the event of a disaster, there must be a single place where people can call to report problems and find out what is going on. We will describe the sort of things required in an emergency operations center (sometimes called a “war room”), and how it might run.
5 WRITING THE PLAN: GETTING IT DOWN ON PAPER
Here is where we lay a bit more groundwork for the plan. We establish a standard format for the documents and explain what needs to be included—and excluded from a plan.
6 TESTING: MAKING SURE IT WORKS
A plan is a wonderful thing but until it is tested and debugged, it should not be relied upon. Testing can be formally done or can be incorporated with other maintenance activities. In either case, the results of using a plan should be recorded. Testing a plan is an excellent way to familiarize your team with your plan and to gain their ideas on improving it.
PART 2 THE ASSETS
This section discusses the various assets most firms have to protect and tells you what you need to know to make sure they’re covered in your disaster recovery plan.
7 ELECTRICAL SERVICE: KEEPING THE JUICE FLOWING
It is hard to imagine work without electricity. We use it constantly at home (if for nothing else but to keep the clocks on time). We use it all day at work. We have all also experienced the effects of a power outage. What should our workers be doing if the lights go out?
8 TELECOMMUNICATIONS: YOUR CONNECTION TO THE WORLD
Few companies can quickly walk or drive to their customers’ or suppliers’ sites. Telecommunications makes coordination between companies quick and easy. It provides a medium for fax messages and also provides the data communications lines. How long can your company run without it?
9 VITAL RECORDS RECOVERY: COVERING YOUR ASSETS
There are many documents essential to your company’s operations, such as invoices, checks, software licenses, receipts, and on and on. Some of these documents you must safeguard to meet legal and regulatory requirements. What if, what if, what if . . .
10 DATA: YOUR MOST UNIQUE ASSET
Data is one asset that cannot be easily replaced. No one else has the same data you do. What are the unique issues encountered when planning for data processing recovery?
11 NETWORKS: THE TIES THAT BIND
Years ago, we used overnight batch programs to generate mounds of paper. Today we view our data in real time. We check inventory levels, the status of customer orders and many things we take for granted. This is all made possible by a very complex system called a data network. Lose this and it’s back to piles of last night’s reports for answers!
12 END USER PCS: THE WEAKEST LINK
The personal in personal computers means that many people can develop tools to make their job easier. Along with these tools is data. Lots of company data. If it is useful, then it needs to be backed up. PCs are also a source of virus attacks on your company.
13 CUSTOMERS: OTHER PEOPLE TO WORRY ABOUT
Customers have their own problems. In a time of lean inventories, they cannot tolerate a very long delay in getting their materials or their own efforts will enter a crisis. So if they hear that you have had a disaster, might they shift their orders to someone else? This is even more of a problem if the fire was in your offices and you have a warehouse full of goods that need to be sold.
14 SUPPLIERS: COLLATERAL DAMAGE
Suppliers extend credit to you in the form of the goods. Their terms may be 30, 45 or 60 days. If they hear of a disaster, they may fear that your company will become insolvent and cease all shipments to you. They need to know the facts. You need to tell all of them.
PART 3 PREVENTING DISASTER
This section discusses threats to your organization and how to include mitigation plans in your disaster recovery plan.
15 FIRE: BURNING DOWN THE HOUSE
A thorough understanding of fire safety systems can help you to evaluate your company’s existing safeguards to ensure they are current, adequate and focused on employee safety.
16 Human Resources: Your Most Valuable Asset
Your Human Resources department has an important role to play in Business Continuity Planning. Major business emergencies are very stressful events. From a business perspective, stress reduces the productivity of the workforce. The Human Resources department ensures that the “people side” of an emergency is addressed for the best long term benefit of the company.
17 BACKUPS: THE KEY TO A SPEEDY RECOVERY
Making backup, or safety, copies of your vital computer files is a common business practice. They are made to speed the recovery of a failed or damaged computer system. Are you sure that they will work when you need them?
18 VIRUS CONTAINMENT: HIGH TECH PEST CONTROL
Unfortunately, new computer viruses regularly make the rounds of our far-flung data networks. This plan lists steps for implementing a virus containment and remediation plan.
19 HEALTH AND SAFETY: KEEPING EVERYONE HEALTHY
This should already be in place at your facility. Get a copy from your building security folks. Check it against the list we have here to see if all of the bases are covered. The safety of your workers is your number one concern.
20 TERRORISM: THE WRATH OF MAN
While not a new phenomenon, terrorism is making the headlines. Even if your organization is not a target, you can still be shut down even if you’re an innocent bystander.
Appendix
Index
About the Authors
- - - - - - -
EXCERPT FROM THE FOREWORD
“Few of us question the importance of having insurance, yet too often businesses fail to consider a Business Continuity Plan as invaluable protection against disasters.
“If you have delayed starting your business continuity plan because you think it will be too complicated, too costly, or too time consuming—or because you simply aren’t sure where to begin, The Disaster Recovery Handbook will provide the resources you need to get your plan up and running. Everyone, regardless of experience, can benefit from the authors’ insights and common sense tips in creating and updating viable business continuity plans.
“Down to earth, easy to read, and wonderfully (even surprisingly) interesting, this comprehensive “how-to” manual guides you step by step. The authors’ sequential and logical approach takes what can be a daunting challenge and breaks it down into manageable pieces. Michael Wallace and Lawrence Webber’s combined expertise pulses from the pages, as their relevant, real-life examples clarify the subject matter and bring home the topics to us. As you progress through the book, you’ll find your questions have already been anticipated and answered. Loaded with examples, references, statistics, and guidelines, the text addresses every detail.
“Through our business, Fireproof Records Center, which specializes in information management, business continuity and disaster recovery, we have had the good fortune to have met and worked with Michael Wallace. He has been a keynote speaker at numerous seminars we sponsor, and we refer clients to him on a regular basis. We asked Michael what prompted his collaborative work with Lawrence Webber. He told us their search for reference material turned up significant information aimed primarily at people working in information technology—but nothing that covered all of the business processes for small and medium sized companies. So they joined forces to fill that need by sharing knowledge and insight gained from their unique and considerable experiences.
“At Fireproof, we think companies can never be too prepared—especially when it comes to business continuity. We are pleased that such a valuable tool has been developed by these highly qualified authors. If you can add but one reference to your corporate library, it should be this handbook.”
Michael James, CEO
Fireproof Records Center
- - - - - - -
EXCERPT FROM THE INTRODUCTION
“THE DISASTER RECOVERY HANDBOOK: A Step-by-Step Plan to Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets, is designed to provide proven processes and techniques to help you develop a disaster recovery plan to protect your business in the event of a disaster. A disaster can mean anything from the loss of a critical machine to a natural disaster destroying your entire facility. Anything that can cause a disruption in the normal operation of your business can be a disaster. Without careful planning, most organizations do not survive a major interruption in the operation of their business.
“Business Continuity Plans are really nothing new to your life. They are grounded on basic actions you take on a daily basis. In fact, these actions are considered so normal that you probably don’t even think about why you do them. These actions fall into three general classes: mitigation, avoidance, and transference.
“MITIGATION is something you do to reduce the likelihood of occurrence or the amount of damage caused by an event that you could not avoid.
“AVOIDANCE is something you do to steer clear of an event.
“TRANSFERENCE is to shift your risk of an uncontrolled event to a third party.
“For example, if you owned a grocery store, you can mitigate the slowdown in business due to a snowstorm by buying your own snowplow to clear your parking lot. You avoid all damage from a snowstorm by moving your business to the Bahamas. You can transfer the risk of financial loss from your roof collapsing from too much snow by purchasing insurance. You practice risk avoidance, mitigation, and transference in your daily life. For example, take the car you drive. It has a spare tire and a car jack in it to mitigate the amount of time lost and cost due to a flat tire. Instead of the expense and time involved in calling a tow truck, you can change the tire yourself and return to the road for a drive to the repair shop. If you did not believe there was a possibility of a flat tire, you would have long ago removed the spare and jack from your car to save weight and get better gas mileage. Therefore, you believe that you cannot avoid a flat tire, but have devised a way to reduce its inconvenience.
“Throughout this book, we will frequently use the term Business Continuity Planning. In recent years, variations on this theme have included Business Recovery Planning and Disaster Recovery Planning. Strictly speaking, in the recovery business jargon, we will be detailing a Business Continuity Plan because it will handle any disruption to the normal operation of your business. We occasionally use the term disaster because, in data processing or business recovery planning, it is the more common term. We also use it because our plan will encompass everything from large natural events to smaller day-to-day inconveniences. The terms we will use and their meanings include these:
- Disaster Recovery Planning (DRP). The actions you would take to recover from a disaster. Includes the planning steps to avoid risks, to mitigate them, or to shift the risk to someone else through insurance or other means. DRP is applicable to all aspects of a business but usually used in the context of data processing operations.
- Business Recovery Planning (BRP). Takes Disaster Recovery Planning one step further and includes efforts by the rest of the company’s operations including customer and supplier relations to recover from the problem.
- Business Continuity Planning (BCP). These are plans that allow your business to function at possibly a reduced level during and immediately after an emergency.
“The goal of this book is to show you a systematic approach to analyzing your business situation and building written procedures for avoiding problems or reducing the damage should they occur. These concepts apply equally to offices, factories, hospitals, hotels, transportation companies, and even your home. As we progress, you will see how in many areas you already practice disaster planning but never tied it all together into one big picture. Many firms have what we call the “resident expert.” This is the person everyone turns to when problems occur. Usually through sheer longevity in their current position, this person has amassed a wealth of information (but poorly documented) on how things really work. A good start to a business recovery plan is to simply document what this person has in their head and in notes scattered within their files.
“A common misconception of disaster planning is that we are out to build a know-all book of what to do when the great flood hits again. That is not our goal. Your final disaster plan will consist of a series of smaller plans to address specific issues (such as a loss of cooling in your telephone switch room). Additionally, there will be a section on natural hazards and how they will be dealt with. Some of these specific plans may only be a few pages. In the telephone room air conditioning example, we are not going to write a manual on repairing cooling systems. The plan should explain what to check before calling the technician and actions you might take to cool the room until the technician arrives. The plan documents who the contracted technician is, how to contact them, what sort of service agreement you have with them, etc.
“DO I REALLY NEED TO DO THIS?
“Disasters happen much more often than people realize. The big things that end up on the evening news are not frequent, but there are a multitude of smaller disasters that can do just as much damage. Things like computers failing, water leaking on paper files, a labor problem causing equipment to mysteriously malfunction, etc. It is not a question of if something will happen, but when it will happen. Unless you can answer yes to all the following questions, you need this manual to help you develop your plan to survive a disaster:
1. Do you know how long your Uninterruptible Power Supply (UPS) will power your equipment if the electrical grid fails? Do you know which equipment can be shut down first?
2. Do you know where you can get critical supplies if your primary supplier has a problem?
3. Do you know the location of all your software licenses?
4. Do you have a plan to contact customers to make sure they don’t immediately go to competitors if they hear you’ve had a disaster?
5. Have you tested your backups to ensure you can restore critical data? What about any custom applications? Is your backup software up to date?
6. Do our employees know who to call if they see on the news that your building had a fire?
7. Do you know what to do if a backhoe cuts your telecommunications cables?
8. Is your virus protection up to date?
9. Can you name the location of your warranty information, registration codes, and CD keys for all your hardware and software?
10. Do you have a plan for using alternative equipment until you can restore or replace your production equipment?
“These issues and more are covered in this manual. Although you can’t always prevent a disaster, you can have a plan in place to ensure that it doesn’t put you out of business. According to several recent surveys, almost 50% of all businesses that suffer from a disaster and do not have a disaster recovery plan in place never reopen for business.
“WHAT THIS MANUAL WILL DO FOR YOU
“No two organizations are alike, but many do share some basic elements such as facilities, important documents, computer systems, and personnel. This manual defines the common threads that link all business operations, providing for a variety of situations—not as a ‘one size fits all’ model—but instead as an updated guide and decision-making reference that can help you to devise a disaster recovery program uniquely tailored to the needs of your organization.
“The Health Insurance Portability and Accountability Act of 1996 requires any organization that processes health record information to have a documented disaster recovery plan. This includes hospitals, nursing homes, medical centers, doctor’s offices, pharmacies, and medical laboratories.
“ORGANIZED FOR QUICK ACCESS
“For fingertip access to the information you need on disaster recovery planning, this ready-reference desk-side manual is organized to help you find what you need quickly and easily. You or your staff can use the book itself as a model or a template to create similar documents for your own organization. The book consists of three major parts. Part 1: The Plan, details the steps you need to take to develop your plan; Part 2: The Assets, describes the various assets that drive your business and the steps you should take to protect them; Part 3: Preventing Disaster, gives you the information you need to help mitigate threats to your organization.
“Simplicity is the ultimate design.” Often, a dearth of forms is included in disaster recovery handbooks, but this manual provides a multitude of forms that can jump-start your disaster recovery planning process. All the forms discussed in the book are included on the CD-ROM, so that you can quickly and easily put them to use. As an operation grows in complexity, the challenge to keep it running smoothly grows, and thus the need for a formal system of operations becomes a necessity. A disaster recovery plan can greatly improve your understanding of how the organization really works.
“Organizations that have a formal disaster recovery manual in place are noticeably more efficient. To build our plan, we will repeatedly ask the following questions:
- What are my critical assets?
- What are the risks to these assets?
- How can I reduce the likelihood of a threat occurring?
- How can I minimize the damage if it is unavoidable?
- What does the team do when it happens?
- Where can I find information on this to develop my plan?
“ADDED STRATEGIC VALUE
“The real benefit of a Business Continuity Plan is how it forces you to look at the weaknesses in your business tools and processes and to strengthen them before a tragedy occurs. The analysis required in developing your plan will help you to better understand your business, and it almost invariably uncovers inefficient or unnecessary activities within the organization. A well-designed plan can also increase your competitive edge as part of the overall value chain. Many companies have reduced their in-house inventories and therefore require reliable suppliers to keep their own operations running. The more reliable your operation is, the higher your delivery credibility will be.
“This may be a distinct advantage over your competition; or they may already be at that level and you need to raise your delivery credibility just to stay in business. (This implies you should also check out the Business Continuity Plans of your key suppliers—especially if they deliver to you “just-in-time”).
“The Disaster Recovery Handbook: A Step-by-Step Plan to Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets is a compilation of disaster recovery processes—the best practices within the industry—in current use. This manual is a process development tool that any seasoned business manager, working in a large or small organization, will find useful.
“SAVING YOU TIME
“To make the manual even more valuable, a CD-ROM is included, containing the manual’s forms and text. Use the included forms as a starting point for developing your own, by importing it into a word processor on a PC. Of course, you can also make needed changes and post the forms on a local area network or even on a company intranet site.
“In addition to this book, there is a wide range of help available for building your plan. Help is available from local and federal governments, from emergency agencies, from trade organizations, and on and on. Appendix A will give you a start in finding resources in your area. Whatever format you use to publish your plan, a well-designed disaster recovery plan will help ensure that your business is prepared to deal with whatever may happen in the uncertain world in which we live.
“Out of the blue? We all shared in the tragedy of New York City on September 11, 2001. Yet while many dedicated rescue workers were struggling to save those people that they could, the Business Continuity Plans for the companies affected immediately kicked into high gear. The disaster not only involved the World Trade Center, but many of the surrounding office buildings were also severely damaged. Traffic to that part of the city was cut off. Even if your business was several blocks away, the confusion and rushing of rescue equipment severely interrupted your workflow. Were you affected by this attack? Would your company have survived if it was in one of these buildings?”
- - - - - - -
ABOUT THE AUTHORS
“MICHAEL WALLACE has 21 years of experience in the information systems and business consulting field. He began his career after graduation from Lima Technical College as a mainframe operator for Super Food Services, and then moved to a programming position at Reynolds+Reynolds.
“He became a consultant after graduating magna cum laude from Wright State University with a Bachelor of Science degree in Management Science. He recently received his MBA from The Ohio State University. Mr. Wallace has been an application developer, system analyst, technical and business consultant, and recently assisted the State of Ohio in developing statewide IT policies. Mr. Wallace is currently President of Q Consulting, an IT management and disaster recovery consulting firm.
“Mr. Wallace is a Microsoft Certified Professional, a past Vice President of the Columbus Computer Society, and has served on the board of directors of various computer organizations. He is presently a member of the Contingency Planners of Ohio and the Project Management Institute.
“LAWRENCE WEBBER has more than 25 years experience in the information services field. He began his career in the U.S. Marine Corps as a digital network repairman and then moved to a position as a COBOL programmer supporting the Marines' Logistics traffic management systems.
“After his release from active service, he worked as a COBOL programmer on an IBM mainframe for Waddell & Reed in Kansas City before moving on to program factory support systems on a UNIVAC system at Temperature Industries. During his tenure at United Telecommunications in Kansas City, he rose to the position of Manager of the Information Centers, providing mainframe and personal computer support to four mainframe data centers and nine subsidiary telephone companies.
“His next position was as Applications Manager at the law offices of Shook, Hardy & Bacon where he migrated a Data General professional services accounting system to a DEC cluster. He also migrated the 600+ person office from standalone IBM magnetic card machines to a PC LAN-based word processing network.
“For the next 12 years, Mr. Webber held various systems engineering and data processing management positions with Navistar International Truck and Bus in Springfield, OH, where, among other achievements, he authored an extensive data systems Disaster Recovery plan for the 2-million-square-foot manufacturing facility. He is currently a Project Manager and Six Sigma Black Belt consultant.
“Mr. Webber has an Associate in Science degree from Darton College in Albany, GA, in Data Processing, a Bachelor of Science degree in Business Administration and an MBA, both from Rockhurst University in Kansas City, MO, and an Associate in Science degree in Industrial Engineering from Sinclair Community College in Dayton, OH. He recently completed a Master of Project Management degree from West Carolina University.
“Mr. Webber is a former Marine and retired from the U.S. Army Reserve as a First Sergeant in the Infantry. He is a certified Project Management Professional by the Project Management Institute, Certified in Production and Inventory Management by APICS, and is a Microsoft Certified Professional.”
- - - - - - -
July, 2004, 416 pages plus CD-ROM
Order #DR727.
- - - - - - -
Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEin
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
All bookstore enquiries should be sent to Rothstein Associates at the above address.
© Binomial International 2008