The Disaster Center Bookstore
Disaster Center Bookstore-a service of Rothstein Associates
IT Disaster Recovery
BC, DR & IMP (Marcella, Stucki)
Business Continuity, Disaster Recovery, & Incident Management Planning: a Resource for Ensuring Ongoing Enterprise Operations by Marcella, Stucki. 2004, book plus CD-ROM.
CD739
$100.00
BUSINESS CONTINUITY, DISASTER RECOVERY, AND INCIDENT MANAGEMENT PLANNING: A RESOURCE FOR ENSURING ONGOING ENTERPRISE OPERATIONS
Albert J. Marcella Jr., Ph.D., COAP, CQA, CSP, CFSA, CDP, CISA, and Carol Ann Stucki, CISA
Includes CD-ROM.
If one segment of your business were to disappear in an instant, would your business survive? What about disruptions like power outages, vendor or provider bankruptcy, denial of service attacks on your servers, computer viruses, employee sabotage, and cyber terrorism?
If you cannot honestly say that you have a viable plan that will have your business up and running with little disruption within hours or days, then you need this book. This book covers the latest networking considerations of disaster recovery and business continuity planning, including Internet, intranet, service providers, and client/server-based applications that are the core of today's businesses.
This book will provide:
1. An overview of what a good business continuity plan should entail;
2. How to evaluate your plan;
3. How to build a plan for your current and future business needs;
4. How to test your plan to ensure it is effective; and
5. How to maintain the plan to ensure it will keep up with your growing business and changes in global technology.
- - - - - - - -
CONTENTS
Acknowledgments
About the Authors
Disclaimer
Foreword
Introduction
Chapter 1 — Disaster Recovery, Business Continuity, and Incident Management Plans
Chapter 2 — Risk Assessment
Chapter 3 — Selecting a Continuity Strategy
Chapter 4 — Documenting, Developing, and Implementing the Business Continuity Plan
Chapter 5 — Testing the Business Continuity Plan
Chapter 6 — Maintaining the Business Continuity Plan
Chapter 7 — Auditing/Evaluating the Business Continuity Plan
Chapter 8 — Building an Incident Response Team
Chapter 9 — Disasters and the Human Stress Response
Chapter 10 — Human Resource Continuity Planning: An Audit Approach
Glossary of Terms
Recommended Readings
PULSE PIECES (LOCATED ON CD-ROM)
Disaster Management Experts Speak Up and Out on Disaster Recovery, Business Continuity, and Incident Management Issues
Audit’s Role in the Business Continuity Process - Terri A. Kirchner, MBCP, CCP, and Douglas E. Ziegenfuss, Ph.D., CIA, CISA
The Role of HR Management in BCP - George Nixon, DPA
Using the Generalized Cost Containment (GCC) Model - Michael Miora, CISSP
Planning for a Regional Disaster: A Military Strategy - Hank Kalt, CBCP
Staffing Disaster Recovery Teams - Gary L. Renz, Ph.D., J.D.
When Disaster Strikes Home! Family Disaster Preparedness - A “Must” for CEOs and Their Employees - Norris L. Beren, CPCM
Creating a Spin-free Workplace - Vali Hawkins Mitchell, Ph.D., LMHC
The Emerging Face of Contingency Planning - Legal and Regulatory Liability - Joseph I. Rosenbaum
Business Continuity - An Increasing Regulatory Environment - Brian J. Zawada, CBCP, CISA
Contingency Planning for Professional Services - Charles A. Zweck
APPENDICES (LOCATED ON CD-ROM)
Appendix A Business Continuity Planning Audit Programs
Appendix B Human Resource Continuity Planning (HRCP) Audit Programs
Appendix C Disaster Recovery and Business Continuity Assessment Questions
Appendix D Disaster Recovery Planning and Business Continuity Planning Online Resources
Appendix E Disaster Management Software
Appendix F Business Continuity Planning Interdependencies
Appendix G Security Solution Sets
Appendix H General Security Checklist
Appendix I Business Continuity/Disaster Recovery Organizations and Services
Appendix J Building a Crisis Response Team
Appendix K Disaster-related Organizations and Other Sources of Hazards/Disaster Information
Appendix L U.S. Government Agencies Involved in Disaster-related Activities
Appendix M International and Overseas Organizations Involved in Disaster-related Activities
Appendix N Crisis Management and Communications Contingency Planning: A Checklist for Corporate Survival Overview
Appendix O Protection Program — Assessment Checklist
Appendix P Business Impact Analysis — Worksheet
Appendix Q Emergency Preparation and Response Plan (Template)
Appendix R Business Continuity Plan (Template)
Appendix S Crisis Communication Plan (Template)
Appendix T Recovery Exercise Evaluation (Template)
Appendix U Emergency Management Team Set Up
Appendix V Salvage at a Glance
Appendix W Emergency: If You’re First
Appendix X Disaster Recovery/Business Continuity Plan Table of Contents
Appendix Y Terrorism and Continuity Planning
Appendix Z Securities and Exchange Commission Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System
Appendix AA SIA Business Continuity Planning Committee Best Practices Guidelines
Appendix BB Business Continuity Readiness
Appendix CC Critical Success Factors: What to Look for in a Business Continuity Service Provider
Appendix DD Do It In-house, or Use a Business Continuity Provider?
Appendix EE Internal and External Threats
- - - - - - - -
EXCERPT FROM THE FOREWORD
Richard L. Arnold, CBCP
Publisher, Editor-in-Chief, Disaster Recovery Journal (DRJ)
“Disaster Recovery Planning: The technological aspect of business continuity planning. The advance planning and preparations that are necessary to minimize loss and ensure continuity of the critical business functions of an organization in the event of disaster.
“Disaster Contingency Planning: The method of assessing the potential for disasters. This includes, but is not limited to, risk analysis and mitigation.
“Human Resource Contingency Planning: This segment entails planning for the human side of disaster recovery. It is vital to consider employees when making your plans. Evacuation routes, personnel planning, and staffing issues fall under this category.
“These three segments of contingency planning are but some of the many you will find discussed in this book. I have written the definitions here to detail the intricate differences between the many sectors of contingency planning that have emerged over the past decade. I do this not only for the readers, but also for myself. The business continuity industry is constantly growing, changing, and evolving, and even an experienced contingency planner like myself sometimes has trouble discerning and defining the many areas.
“I began working in the disaster recovery field in the early 1980s. At that time, the role of contingency planner was mainly considered a part-time position focused on two areas: data backup and disaster recovery.
“By the mid 1980s, I recognized that the industry was beginning to expand rapidly and knew many contingency planners would be caught unprepared and unaware of how to handle the increasing number of risks. I began publishing Disaster Recovery Journal in 1987 in order to educate and disseminate information to those in the field who, at that time, had very few resources for current information. Shortly thereafter, my company began hosting annual conferences so contingency planners would have a common meeting place for education, networking, and problem solving. I have watched as my own endeavors have grown and I know that it is a direct reflection of the unbridled growth in the contingency planning industry.
“Over the past 10 years, I have seen more emphasis on business contingency planning — not just disaster planning or technical planning. The real goal is sustaining business processes and not just looking at the recovery of technology. Integrated planning of both business and the technology that supports the business is the
“Today, to protect a business, it is critical to ensure ongoing enterprise operations. The smallest detail to the largest task must be comprehensively attended to and even then, no business is 100 percent safe. A tornado, a terrorist attack, or a T-1 failure could be lurking right around the corner.
“I am sometimes overwhelmed by all that business continuity planning entails, and I do not even work in the “trenches” of BCP anymore. I have been here on the sidelines — monitoring, reporting to, and educating those in the industry. Many other contingency planners who are out in the field on a day-to-day basis have often been equally overwhelmed. It can be a daunting task to pull together all the plans, tests, and strategies needed to protect a business from every potential threat.
“Over the years I have met, consulted, questioned, and clasped hands with thousands of contingency planners from all across the world. Some were at the top of their game; others were struggling with new decisions, new budget cuts, and new technology. But all shared a common goal — to completely protect their company from any business interruption. That goal is a daunting task. But it is far from impossible. A changing industry such as business continuity requires motivation and dedication. Lessons learned have been the foundation of our industry and have launched many a new process or plan.
“I will share with you some of the top concerns of today’s planning professionals and hope that the issues discussed here, and in this book, will lead to solutions for you and your organization.
CRITICAL ISSUES IN BUSINESS CONTINUITY PLANNING
Business continuity planners of the 21st century face a variety of critical issues that must be tackled. At the same time, they are facing obstacles not known a decade ago. Some of the greatest challenges include the following:
“The recovery time objective (RTO) continues to grow shorter for most organizations. The RTO is the window of time that can elapse before the lack of a business function severely impacts the business entity. In many cases, the window has either closed or has almost closed, and “downtime” is not acceptable. Forty years ago organizations measured their acceptable downtime in terms of days or weeks. This was acceptable to manufacturers who maintained inventories that lasted several weeks and to businesses that ran on paper-based systems. However, as the use of technology and automation has increased over the years, the RTO has been reduced to hours, minutes, or seconds. As the RTO has shortened, organizations have had to find a means of restoring their electronic data in a timely manner. To ease this problem, they have turned to the development of systems such as:
- Electronic vaulting and journaling.
- Database mirroring and shadowing.
- Hot standby systems.
- Load balancing solutions.
“The tremendous growth of databases and online applications has increased the pressure on disaster recovery plans to increase the speed of recovery while the amount of data to be restored continues to increase. One answer to this problem is the use of “active archiving,” which, according to Jim Lee’s article in the spring 2003 Disaster Recovery Journal, “… allows companies to remove rarely accessed data from production databases and manage archived data efficiently, while providing easy access to the archived data on demand.”
“Other solutions are also available for managing the excess data. The key is researching what is available and choosing the application or service that meets your company’s needs.
THE DECREASE IN STAFFING AND BUDGETS
“Though the situation has improved in some larger organizations, there are still many who struggle with lack of funding and staffing. Even with the increased awareness that has occurred and the improved management support, many organizations still have limited resources to devote to contingency planning.
“A survey taken on DRJ’s Web site in 2001 reflected these statistics. The question was, “What is the biggest challenge in your planning efforts?” Responses were: Funding - 38%; Staff Shortage - 33%; Complexity - 27%; and Nothing - 2%.
“The decision of many organizations in the last 10 to 15 years to centralize business operations as the result of mergers, downsizing, or cost-saving strategies has created additional challenges for the business continuity plan. When making this business decision, an organization must ensure that it has not jeopardized its ability to successfully recover from a disaster at the new central location.
INCREASE IN RISKS, VULNERABILITIES, AND THREATS
“Continuity planners of today face a tremendous amount of potential risks. Terrorism is certainly the most dominant threat to arise in the past few years, but there are many more. In today’s environment, risks can include technology failures, Internet hackers, viruses, software glitches, media relations, natural disasters, and a variety of human resource concerns.
TERRORISM ADDS NEW DIMENSION TO BCP
“As I noted earlier, terrorism is the most dominant threat to emerge over the past few years. None of us will ever forget the images we saw September 11, 2001, as terrorists attacked the World Trade Centers and the Pentagon. Along with the devastating loss of life, there were an incredible number of businesses that suffered as a result of those terrorist acts. More than two years later, many companies have not fully recovered. Some have folded; others are struggling to return to a stable point.
“It has become vital for companies to protect themselves against this type of threat. In today’s political environment, plans need to consider:
- The loss or unavailability of many key personnel during the recovery effort.
- The need to provide additional security safeguards to protect the safety of employees and customers from acts of terrorism.
- The possible restriction to travel services such as a shutdown of the airlines during a time of national emergency. Many business continuity plans are designed for the use of an alternate facility that could be hundreds or thousands of miles away - and impossible to reach within the RTO if the airlines are not operating.
- The possibility that an organization’s facility might be off limits if it is located in close proximity to a bombed area or other disaster. It could be part of the crime scene.
“I recently spoke to Jay Bender, former executive director for Disaster Recovery Institute International. Mr. Bender and I have worked together for many years, first at DRJ and later at DRI, an industry certification program. He, like myself, has watched this industry expand rapidly in the last decade. He noted a new dimension in business continuity planning since the World Trade Center bombing.
“While the risk to the health and safety of an organization’s personnel, and to the loss of an entire facility, has always existed, very few, if any, organizations were willing to address this issue prior to 9/11.”
“According to a poll on DRJ’s Web site, the increased awareness from 9/11 is continuing. The poll taken in 2002 asked if disaster recovery/business continuity was still getting increased exposure from 9/11 in your organization. Of the 3,042 responses, 71 percent of respondents said “Yes;” 29 percent voted “No.”
“The terrorist attacks of 2001 are only one in a long line of catalysts that have raised awareness of the continuity planning industry. Other events that stand out are the 1995 Oklahoma City bombing, the 1993 World Trade Center bombing, Hurricane Andrew, the Oklahoma City tornadoes, and Y2K. Each of these in its own way enlightened many CEOs and top managers that continuity planning was a necessary business tool. It could no longer be considered a part-time profession or an optional department.
“A plan should not be written and placed on a shelf. Planners must be vigilant in assessing risks and putting plans into place to mitigate those risks. Training and education for employees is crucial.
BUSINESS CONTINUITY INDUSTRY CONTINUES TO EVOLVE
“This increased awareness in business continuity is just one of the positive changes that has occurred throughout the business continuity industry in the last decade. “There is an increased awareness and commitment on the part of top management to the need for a viable business continuity plan,” said Bender. “The professionals in the industry have worked to promote the need for business continuity planning, and events such as Y2K and 9/11 have provided a point of focus.”
“Other positive changes have included:
1. Increased professionalism through certification programs and by organizations expanding their business continuity planning staffs from a part-time project to a full-time, multiple-person commitment. As I said earlier, staffing and budgeting are still a concern, but it is refreshing to see an improvement in funding and awareness. Management has grown much more aware of the threats and vulnerabilities, and now actively funds resources to promote business continuity in their industry.
2. Increased cooperation between the public and private sectors for emergency management and business continuity. I have recently been involved in several projects that reflect the cross-coordination between the different sectors of business continuity planning. One was the development of an organization that fosters that relationship and is working to better define the terminology. Another is a credential verification program that will allow approved employees early access to a facility after a crisis or disaster has been declared. Programs such as these are cropping up across the nation, and are a very important asset in improving the business continuity industry.
SUMMARY
“On the whole, I have seen a great improvement in the business continuity industry over the past decade. While we are still not without our problems, there has been great progress made in bringing this industry into the 21st century. Though it is easy to credit the many disasters that have occurred recently with raising awareness, I also must credit the individuals who make up this complicated and vast industry. The thousands of contingency planners I have met during my tenure as magazine publisher and conference host have been instrumental in furthering the awareness and professionalism in this industry. They have always been very enthusiastic and very interested in educating themselves and those around them. I’m sure that business contingency planners from all experience levels and all segments will find this book informative and educational. It should be a great contribution to the resources available in this complicated and ever-growing industry.”
- - - - - - - -
EXCERPT FROM THE INTRODUCTION
“Not all events are emergencies, and not all emergencies become disasters. A hasty decision to declare a disaster can be more disruptive than the event itself. A timely and appropriate response, however, is necessary to protect the safety of employees and reduce the risk to property.” - Chubb Loss Control Services
LOOKING AHEAD WITH A VIEW TO THE PAST
“On the morning of September 11, 2001, the buildings of the World Trade Center housed the records, archives, and libraries of at least 500 corporate and commercial firms, nonprofit organizations, and municipal, state, and federal departments or agencies. Works of art with an estimated value of $100 million graced walls, corridors, and galleries. On the 105th floor of Tower One soared a “museum in the sky” owned by the brokerage firm Cantor Fitzgerald.
“According to press accounts, it housed 19th century and 20th century sculptures, paintings, and photographs, including drawings, casts, and sculptures by the great French artist Auguste Rodin. Other parts of the buildings featured the creations of Pablo Picasso, David Hockney, Roy Lichtenstein, and Ross Bleckner. Among the numerous corporate collections, Bank of America’s holdings included over 100 contemporary works on paper, while the offices of investment firm Fred Alger Management displayed more than 45 pieces of photographic art. An art inventory for the Marriott Hotel in Three World Trade Center listed over 40 works by artists such as Le Corbusier and Paul Klee. The vast public spaces of the complex held over 100 pieces of art, many specially commissioned for the site. With works by such renowned contemporary artists as Alexander Calder, Louise Nevelson, Joan Miro, and Masayuki Nagare, this public art collection owned by the Port Authority of New York and New Jersey was estimated to be worth between $8 million and $10 million.
“The monumental outdoor sculptures in the plaza around the Twin Towers, such as the rotating Sphere for Plaza Fountain by Fritz Koenig and Ideogram by James Rosati, had become recognized symbols of the Trade Center itself. Five World Trade Center was home to the Lower Manhattan Cultural Council, one of the largest and oldest such organizations in the city. Its art collection, records, and archives documented the council’s 30-year history of support for the performing, visual, and media arts, as well as its commitment to individual artists. Through the appropriately named World View and Studioscape programs, the council provided artists with workspace on the 91st and 92nd floors of Tower One.
“On the morning of September 11, these two studios contained over 400 pieces of art, the work of 27 artists-in-residence supported by the council. While new art was created in studios in the sky, subterranean rooms beneath Six World Trade Center held objects crafted centuries earlier.
“Thousands of artifacts from an 18th-century African burial ground and millions of objects from a 19th-century working class neighborhood were stored and catalogued, along with photographic and computer records documenting their excavation. Discovered in 1991 during construction of a new federal courthouse and office building, the burial ground, together with the remains of the community known as Five Points, represented one of the most important archaeological finds in the history of Lower Manhattan.
“Housed in the West Street Building were the global headquarters of the nonprofit Helen Keller International Foundation. Its archives contained extensive scientific and medical texts on the treatment and causes of preventable blindness, as well as photographs, historical files, letters, and mementos belonging to the organization’s namesake. An estimated $4 million in equipment, records, and historical data was lost, including first editions of Keller’s works, priceless photographs, and many of her own letters. In the end, it took less than a morning to destroy what had taken decades to build, years to create, and generations to preserve. When the fires first ignited by the planes were finally extinguished, none of the Center’s other five buildings had escaped ruin, and uncounted works of art, historic artifacts, archives, and libraries were lost forever.
“The offices, records, and archives of the Lower Manhattan Cultural Council were totally demolished, along with 150 art works in its collection. Valued at $650,000, all 424 pieces of art in the Council’s tower studios vanished when the buildings collapsed. A complete inventory of the numerous corporate art collections lost on September 11 may be impossible to compile because it is believed many art inventories were destroyed along with the Trade Center itself.
“AXA Art Insurance Corporation has estimated the value of artwork lost at $100 million. (AXA has estimated that it will itself pay out $17.2 million for the loss of three corporate collections.) But a reliable listing of either the number or titles of the works themselves, beyond a few examples in news accounts, does not seem to exist.
“The results of a survey conducted in the months immediately following 9/11 of 122 museums, libraries, archives, and other collecting institutions in Lower Manhattan by the nation’s leading nonprofit advocate for the proper care of our cultural heritage preservation revealed:
- Only 46 percent of the institutions surveyed had a written emergency plan, and only 42 percent had staff trained in disaster response procedures.
- Only 60 percent of respondents had a current collections catalogue or inventory, and more than half did not keep an off-site record of their inventory. Had the destruction of 9/11 been more widespread throughout Lower Manhattan, many collecting institutions would have been left with no complete record of what had been lost.
- Although the events of 9/11 were caused by an unprecedented act of terror, the study found that standard emergency plans and responses turned out to be the most effective way of dealing with the resulting damage.
- A full 80 percent of survey respondents reported interruptions in communications in the weeks following 9/11; 67 percent experienced a decrease in public visitation. Although the survey did not set out to examine economic impact, respondents indicated that decreased revenue was one of their primary concerns and was closely linked to communications problems and the drop in public attendance.
- In light of the events of 9/11, 68 percent of respondents said their staffs would benefit from emergency management training; 67 percent intended to create new emergency plans or revise existing ones (Heritage Preservation, 2002).
PUTTING DISASTER MANAGEMENT IN PERSPECTIVE
“This may seem to some as a very unusual way to begin a book on business continuity, disaster recovery, and incident management. However, it is often the very things that we take for granted - that blend into the background of our daily lives - that we tend to overlook, and through this oversight critical issues may fall between the cracks and therefore never make it into a recovery strategy or resumption plan.
“Our objective is to provide a broad perspective as well as the granular and well-focused view of business continuity planning (BCP), disaster recovery planning (DRP), and incident management (IM). Whatever and however it is defined, BCP, DRP, and IM must address the full spectrum of risks and exposures, and not simply the myopic, traditional view of one or two organizational departments. Rather the entire corporate environment must be evaluated, controlled, and protected.
“The loss of cultural heritage can never be accurately measured or evaluated in financial terms, nor can the loss of human life. Yes, the price or market value of a specific item can be established, but a price can never be placed on the cultural loss to the people of a nation or society.
“For many, if not for most, of those who will read this text, by the very nature of our profession, we concentrate our efforts and focus our attentions on the technical, physical and human, and data aspects of an organization’s recoverability potential. Working daily within an organization, we often become numb or complacent to the “texture” of the organizational environment that surrounds us and serves to fulfill our need for a point of reference - a home base.
“Take a moment to look around you. What defines your organization? What is contained within its corridors, on its walls, which like the data residing within countless information systems is priceless, valuable, and worth recovering in the event of a disaster? Are these items, their descriptions, values, photographic records, owner’s names (if on loan), etc., documented and stored in a location removed from the primary place of business?
“Does your recovery/continuity plan assign responsibility to securing, protecting, and recovering these corporate assets? Are these assets inventoried and appraised regularly? Is appropriate insurance coverage afforded to these potentially unique and valuable corporate assets? What would the organization’s liability be if such corporate assets were lost or destroyed? Would your firm’s insurance coverage adequately indemnify the corporation for such a loss?
“Not all disaster events ravage binary bits!
“The reader is encouraged to examine Appendix V, Salvage at a Glance, and Appendix W, Emergency: If You’re First. These two appendices provide basic recovery instructions for not only cultural collections, which may be found within your organization, its subsidiaries, or executive residences, but also for media of varying types and importance to all organizations. For those readers whose responsibilities include (a) the evaluation and assessment of continuity and recovery plans for cultural institutions, including libraries and art centers; (b) developing said plans for such institutions; or (c) evaluating preparedness plans for organizations listing cultural collections/artifacts as corporate assets or holdings on loan, the following sources of specific guidelines and information are available and essential:
- Lord, A., Reno, C., and Demeroukas, M., “Steal This Handbook! ...
- Southeastern Museums Conference Disaster Response Handbook ...
RECOVERING FROM A DISASTER, PLANNING FOR CONTINGENCIES, OR MANAGING AN INCIDENT?
“Disasters, those that impact our daily lives: District of Columbia (sniper shootings, World Bank protests), Georgia (crematorium crime investigation), Florida (Amtrak crash), Michigan (bus crash), Oklahoma (I-40 bridge collapse). To those that shape it forever: September 11th terrorist attacks, Oklahoma City bombing, loss of the space shuttles Challenger and Columbia. Through it all, we must remain ever vigilant and ever prepared.
“Business continuity plans can assist an organization in avoiding escalating and often crippling downtime costs.
COST OF DOWNTIME
Average cost per hour of downtime in various industries:
- Broker Operation: $6,500,000
- Banking Center: $2,500,000
- Retail: $140,000
- Manufacturing: $28,000
- Other Industries: $82,500
(Data: Contingency Planning Research)
“Crime/civil disturbance, earthquakes, floods, ice/hail storms, hurricanes, tornadoes, transportation accidents, tropical storms, typhoons, severe ice storms, wildfires, windstorms, plane crashes - disasters of all types impact our daily lives and day-to-day business operations. Preparing for the unknown is often quite difficult and challenging; however, failing to be properly prepared could be criminal.
“At a minimum, being unprepared may cost your organization more in the long-run in terms of lost revenues, customers, trading partners, investor/stakeholder confidence, fines, and penalties than taking the time necessary to develop fully functioning recovery, contingency, and resumption plans.
“Backing up data doesn’t guarantee you’re going to be back in business. What if all your people end up injured or traumatized? It’s the whole ecosystem of the business that has to be accounted for, not just the data.” - Tony Adams, Gartner analyst
“While often thought of as being one and the same, there is a critical distinction between disaster recovery and business continuity. A disaster recovery plan should be just one component of a broader business continuity strategy to keep business operations continuing as usual no matter what kind of disruption occurs — planned or unplanned.
“According to the Yankee Group, business continuity is a strategic process for the continuation of essential business operations in instances when a natural disaster or other calamity disrupts an organization’s critical operations or services. In contrast, disaster recovery is a tactical process - or the “how-to” of coping with adversity. It is a bottom-up approach (Yankee, 2001). Obviously, if you don’t have a disaster recovery strategy, you can’t even begin to think of business continuity.
- Computer downtime costs U.S. businesses $4 billion a year, primarily through lost revenue.
- 20 percent of all small to medium-size businesses suffer a major disaster every five years.
- Criminals now choose electronic methods of harming business more than any other.
- 60 percent of the businesses in the World Trade Centers were out of business within two years of the terrorist bombing of 1993 because they did not have business continuity plans.
- Companies now have to think about the loss of life of key employees when developing recovery and continuity plans.
“In the aftermath of recent natural disasters, terrorism, and equipment breakdown, businesses have recognized more than ever the need for an organization to be prepared. Companies are striving to meet the demand for continuous service. With the growth of e-commerce and other factors driving system availability expectations toward 24x365, the average organization’s requirement for recovery time from a major system outage now ranges between two and 24 hours. This requirement is pushed by the expectation an organization faces on all sides:
- Customers expect supplies and services to continue — or resume rapidly — in all situations.
- Shareholders expect management control to remain operational through any crisis.
- Employees expect both their lives and livelihoods to be protected.
- Suppliers expect their revenue streams to continue.
- Regulatory agencies expect their requirements to be met, regardless of circumstances.
- Insurance companies expect due care to be exercised (Fry, 2001).
“Only 25 percent to 35 percent of small firms have disaster-recovery plans, according to market researcher Gartner Group, compared with 85 percent of large firms (Kessler, 2001). Under Standards 29 CFR 1910.38, the Occupational Safety and Health Administration (OSHA) requires that all firms with more than 10 employees have a written disaster plan (Del Franco, 2002).
“A survey of more than 200 professionals involved in corporate disaster-recovery planning found that most U.S. businesses are unprepared for the damage IT systems would suffer. A lack of money is the main reason for inadequate preparation, according to a Dataquest survey. The survey found that one in three U.S. businesses would lose critical data or operational capability if struck by disaster. Twenty-four percent of respondents cite a lack of funds as the main reason for not having adequate recovery programs in place (Gonsalves, 2003).
“Given the following, how well prepared would your organization be if required to recover from an event half as catastrophic?
THE IMPACT AND AFTERMATH OF SEPTEMBER 11, 2001

| Figure | Description |
|---|---|
| 2,830 | The number of lives lost as a result of the terrorist attacks. |
| 14,600 | An estimate of the number of businesses directly impacted by the disaster. |
| 13.4 million | The total office space (in square footage) that was destroyed. |
| 36 | Miles of new replacement cabling installed by Con Edison. |
| 652 | Corporate tenants that were temporarily or permanently displaced. |
| 200,000 | Verizon Communication lines out of service as a result of system-wide network failures. |
| 12,000 | Con Edison customers who lost power or had their power cut as a result of the disaster. |
| Incalculable | The long-term financial, emotional, and psychological impact on a nation’s economy and population. |
“Responsibility for disaster recovery planning is shifting from the IT department to the business leaders. Chief information officers and technology executives must partner with chief operating and financial executives to gain the business-critical, enterprise-wide approach to business recovery planning.” - John Sheaffer, CEO, Sysix Technologies LLC
“A disaster the scope of which occurred on September 11, 2001, was always considered by recovery professionals to be a worst-case scenario that no one truly expected to occur and for which no one could have truly prepared. The world, the industry, the profession is now looking for its next level, its next definition of a worst-case scenario. Regardless of what that definition may ultimately be, organizations and their associated security and recovery personnel must be flexible, creative, proactive, and diligent in the continuous development, testing, implementation, and refinement of disaster recovery, business continuity, and incident management planning.
ORGANIZATION OVERVIEW
“This book will provide readers with the insights, knowledge, information, and skills necessary to effectively review and assess your organization’s preparedness to survive a disaster “event.”

“Chapter 1 begins with a review of the three major tools for such preparedness, disaster recovery, business continuity, and incident management plans. Chapter 2 follows with an in-depth examination of risk assessment and its role in developing viable recovery strategies. The reader is next taken through the process of selecting an appropriate recovery strategy for specific operations in Chapter 3. Chapter 4 focuses on the development, documentation, and implementation of a business continuity plan.

“Chapter 5 stresses the importance of the continuity plan and provides an in-depth examination on its testing. Chapter 6 follows with a discussion on the procedure and requirements of maintaining an effective and viable continuity plan.

“Chapter 7 examines the essential and critical process of auditing and evaluating the organization’s business continuity plan.

“In Chapter 8 there is an in-depth analysis into building an incident response team (IRT). The authors are indebted to Michael Miora, who authored this chapter, for allowing his work to be reprinted here and for his keen insight into continuity and recovery planning. An IRT represents a critical element to successful recovery strategy, and the reader should endeavor to heed the solid advice that Michael provides.

“Chapter 9, Disasters and the Human Stress Response, and Chapter 10, Human Resource Continuity Planning: An Audit Approach, focus exclusively on the emergence of Human Resource Continuity Planning (HRCP) as a critical element to any successful business continuity planning process. Within these two chapters, the reader will find a wealth of information regarding human resource planning, and the impact of failing to identify, recognize, and incorporate this strategic element into the very core of any continuity plan.
PULSE PIECES
“Unique to both this Tool Kit and the treatment of disaster management is the section aptly titled Pulse Pieces, which can be found on the CD-ROM. In this section, leading experts on disaster management speak out on critical recovery and continuity issues as they see them from their poignant perspective of having their “fingers on the very pulse” of disaster management.

“The issues discussed by these professionals are both critical and timely. They are issues that every reader should be acutely aware of and have tightly focused on their personal radar screens. These are issues that will affect individuals and corporations alike. Heed their words well.
VALUE-ADDED APPENDICES
“Last but certainly not least are the multitude of Appendices (located on the CD-ROM) that provide value-added information to this text. The reader is strongly encouraged to examine each of these various Appendices as each provides additional resources for the disaster management professional.

“The reader will find an abundance of value-added resource material, which could not have been logically embedded within the core of the text. In the Appendices, critical supplemental/supportive materials can be more fully detailed and examined. Each appendix has been compiled to provide value-added information to those individuals responsible for establishing, implementing, and attempting to maintain enterprise-wide disaster management initiatives.

“Of particular interest to the reader, however, will be the Appendices that contain various and basic audit and evaluative checklists, programs, and guidelines. They are basic only because such checklists, audit guides, and programs are never really finalized and never really completed. There are always modifications, updates, and enhancements that can be made as both time and technology march forward.

“The Appendices are presented as a base layer, and they have been developed under the expressed intention that they will be used “as is” by readers who currently do not have such assessment tools. It is anticipated, however, that many readers will modify (customize) the checklists and guides presented in these appendices to reflect individual organizational requirements and operations. Either utilization is acceptable.”
- - - - - - - -
ABOUT THE AUTHORS
“ALBERT J. MARCELLA Jr., Ph.D., CQA, CCP, CDP, CFSA, CISA, is the president of Business Automation Consultants, a global information technology (IT) and management-consulting firm. Dr. Marcella designs, implements, and conducts management consulting and IT audits for an international clientele, and is an internationally recognized speaker in the areas of IT security, audit, and control. Prior to the formation of his own firm in 1984, Dr. Marcella was employed by the Dun & Bradstreet Corporation where he established and formalized the IT audit function.

“Dr. Marcella’s additional professional experiences include providing internal systems consulting services to the Hartford Insurance Group, and the design and execution of operational, financial, and information technology audits for the Uniroyal Corporation, both in the United States and abroad.

“Dr. Marcella researches and writes extensively in the information technologies field and has over 20 information technology/audit and security titles published to date. His dissertation research examined the relationship between ethics and auditor judgment.

“Dr. Marcella is The Institute of Internal Auditors’ (IIA) Leon R. Radde Educator of the Year (2000) Award recipient, and is a Distinguished Adjunct Faculty Member of The IIA.”
“CAROL STUCKI, CISA, is a senior IT auditor with the University of California. Prior to joining the audit department at the University of California, Carol provided management and IT audit consulting services, conducted technical audit reviews, and held positions in IT project management. Prior to consulting, Carol worked as a manager of strategic project management and as a technical producer for PurchasePro, an e-commerce company. Carol has also worked for such companies as Arthur Andersen, Perot Systems, and GTE (now Verizon).”
- - - - - - - -
2004, book plus CD. Order #DR739.
- - - - - - - -
Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEin
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401