IT Contingency Planning: IT Disaster Recovery Planning



Similar documents
Business Unit CONTINGENCY PLAN

Threat Management: Incident Handling. Incident Response Plan

Disaster Recovery Plan Documentation for Agencies Instructions

NAIT Guidelines. Implementation Date: February 15, 2011 Replaces: July 1, Table of Contents. Section Description Page

NEEDS BASED PLANNING FOR IT DISASTER RECOVERY

Technology Recovery Plan Instructions

State of South Carolina Policy Guidance and Training

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Q uick Guide to Disaster Recovery Planning An ITtoolkit.com White Paper

PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA

CISM Certified Information Security Manager

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan

IT Disaster Recovery and Business Resumption Planning Standards

Disaster Recovery and Business Continuity Plan

Appendix 3 Disaster Recovery Plan

IT Disaster Recovery Plan Template

ESCB definitions of major business continuity terms in relation to payment and securities settlement systems 1

<Client Name> IT Disaster Recovery Plan Template. By Paul Kirvan, CISA, CISSP, FBCI, CBCP

2014 NABRICO Conference

: Chief Executive Officers of all Licensed Commercial Banks, Primary Dealers, Central Depository Systems (Pvt) Ltd. and LankaClear (Pvt.) Ltd.

NIST SP , Revision 1 Contingency Planning Guide for Federal Information Systems

NCUA LETTER TO CREDIT UNIONS

Boston Financial Data Services Business Continuity Executive Summary. November 2009

How to Design and Implement a Successful Disaster Recovery Plan

GUIDE TO DEVELOPING AND CONDUCTING BUSINESS CONTINUITY EXERCISES

MHA Consulting. Business Continuity Management 101

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning FEBRUARY 2015 IT EXAMINATION H ANDBOOK

Federal Financial Institutions Examination Council FFIEC. Business Continuity Planning BCP MARCH 2003 MARCH 2008 IT EXAMINATION

Overview of how to test a. Business Continuity Plan

Business Continuity Planning and Disaster Recovery Planning

DISASTER RECOVERY AND CONTINGENCY PLANNING CHECKLIST FOR ICT SYSTEMS

Documentation. Disclaimer

Business Continuity Planning Toolkit. (For Deployment of BCP to Campus Departments in Phase 2)

Business Continuity Planning (800)

Preparing Your Organization for Disaster. - Preparedness Exercise -

Business Continuity Management Review

Overview of Business Continuity Planning Sally Meglathery Payoff

Table of Contents... 1

Clinic Business Continuity Plan Guidelines

Disaster Recovery Planning. By Janet Coggins

BUSINESS CONTINUITY TABLETOP EXERCISE (TTEX) GUIDE

How to write a DISASTER RECOVERY PLAN. To print to A4, print at 75%.

The handouts and presentations attached are copyright and trademark protected and provided for individual use only.

Comprehensive Emergency Management Plan (CEMP) Annex V CONTINUITY OF OPERATIONS PLAN (COOP)

Agenda. Creating a Robust Testing Program. Notification Tests. Overview of Testing. Beverly Schulz, CBCP

How To Prepare For A Disaster

University of San Francisco EMERGENCY OPERATIONS PLAN

Disaster Recovery Plan Review Checklist. A High-Level Internal Planning Tool to Assist State Agencies with Their Disaster Recovery Plans

SAMPLE IT CONTINGENCY PLAN FORMAT

Disaster Preparedness & Response

BUSINESS CONTINUITY PLAN

University of Massachusetts Medical School's Data Center Relocation For the period July 1, 2008 through August 31, 2010

FINAL AUDIT REPORT WITH RECOMENDATIONS Information Technology No

Ohio Supercomputer Center

FINAL Version 1.0 November 6, 2014

NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00)

Continuity of Operations Planning. A step by step guide for business

Offsite Disaster Recovery Plan

IT Service Management

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Green Mountain College EMERGENCY RESPONSE AND RECOVERY PLAN

Post-Class Quiz: Business Continuity & Disaster Recovery Planning Domain

Business Continuity protection for SIP trunking service

Subject: Internal Audit of Information Technology Disaster Recovery Plan

Contingency Planning and Disaster Recovery for BOMA

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy

Clinic Business Continuity Plan Guidelines

Why Should Companies Take a Closer Look at Business Continuity Planning?

Clovis Municipal School District Information Technology (IT) Disaster Recovery Plan

Virginia Commonwealth University School of Medicine Information Security Standard

BUSINESS CONTINUITY PLAN OVERVIEW

Disaster Recovery and Business Continuity

How to Plan for Disaster Recovery and Business Continuity

UNION COLLEGE SCHENECTADY, NY EMERGENCY MANAGEMENT PROCEDURES

Supervisory Policy Manual

IP Telephony Basics. Part of The Technology Overview Series for Small and Medium Businesses

Disaster Recovery Planning Process

nexvortex VOIP DISASTER RECOVERY BUSINESS SOLUTION

Emergency Response & Recovery Basic Plan

Disaster Recovery Planning Process

The Joint Commission Approach to Evaluation of Emergency Management New Standards

Business Continuity and Disaster Recovery Planning

BUSINESS CONTINUITY PLANNING GUIDELINES

Tampa Bay Catastrophic Plan ANNEX L: HURRICANE PHOENIX EXERCISE

Domain 3 Business Continuity and Disaster Recovery Planning

CIS 523/423 Disaster Recovery Business Continuity

Western Washington University Basic Plan A part of Western s Comprehensive Emergency Management Plan

Developing a Business Continuity Plan... More Than Disaster

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Hosted VoIP RFP. Throughout this document, the word District refers to BRUNEAU GRAND VIEW JOINT SCHOOL DISTRICT #365

Transcription:

IT Contingency : IT Disaster Recovery Introduction CONTINGENCY PLANNING GUIDELINES FOR TABLE-TOP EXERCISE A tabletop exercise is a focused practice activity that places the participants in a simulated situation requiring them to function in the capacity that would be expected of them in a real event. Its purpose is to promote preparedness by testing policies and plans and by training personnel. The exercise is a written scenario containing a set of circumstances and facts that create the need for the participants in the exercise to problem solve and make decisions that will bring the event to a conclusion with as few negative consequences as possible. By practicing and training with problem-solving tabletop exercises, it is possible for staff members to be able to establish a knowledge base that may help them to be able to develop the automatic responses which they will need when analytical thinking skills are compromised during an actual event. The Disaster Recovery Institute International (DRII) defines a tabletop exercise as, one method of exercising teams in which participants review and discuss the actions they would take per their plans, but do not perform any of these actions. The exercise can be conducted with a single team, or multiple teams, typically under the guidance of exercise facilitators. the Exercise No matter what type of exercise is being presented, it s best to have an exercise planning coordinator assigned. This person selects the type of exercise to be performed and is responsible for selecting the components of the plan to be exercised. For a tabletop exercise, it s the responsibility of the coordinator to: Identify the objectives; Develop an initial exercise scenario and narrative; Identify the participants; Chair the exercise participants meetings; Distribute minutes; 1

IT Contingency : IT Disaster Recovery Facilitate the exercise; Perform a post exercise analysis; Develop a scoring method relative to the response of the participants as their plans are implemented during the exercise. Exercise Facilitator The Exercise Facilitator may be a Business Continuity Plan Subject Matter Expert, or other individual identified by management. The primary role of the facilitator is to ensure that the tabletop exercise proceeds on schedule and achieves the desired result of determining the viability of the Business Continuity Plans. To achieve that result, there are several questions that can be asked as the exercise begins and through the discussion of issues and assignment of responsibility for corrective actions. The facilitator also has the option to introduce "roadblocks", such as unavailability of a key person or resource, to identify gaps or weaknesses in the documented business continuity strategies and plans. The facilitator may also add additional failure conditions during the exercise. The Exercise Facilitator s responsibilities include: Keeping the session flowing (see Facilitator Leading Questions below); Introducing roadblocks during the exercise; Ensuring issues are documented; Keeping the session on schedule; Providing summary comments at the conclusion; Discussing next step activities and time frames. The Scenario The key to the tabletop exercise is the scenario. It must be definitive and sensible; a scenario related to threats that could occur and one that matches the organization s need at the time of the exercise. The scenario should identify and describe the type of disaster that has occurred and the extent of damage or disruption to the facility and area. In addition, the scenario should detail what recovery capabilities are available and the status of backup or recovery resources. Finally, it should outline the time of the event and duration of the exercise. 2

IT Contingency : IT Disaster Recovery During the exercise, the scenario should enable the recovery teams to test the notification procedures (call trees and contact lists), recovery management, recovery operating procedures (tasks and responsibilities), the staffing of the teams and overall communications. Consideration must also be given to limitations as to what can be done in the exercise. It s best to identify any assumptions that need to be in place for the exercise. A chronological sequence of events will illustrate the mock disaster by identifying: The hypothetical moment of the disaster (time of day, day of month, part of year); The cause of the disaster; The method of notification; A description of the events of the disaster leading to the declaration and activation of the plan; A description of the regional implications; A description of the role of the civil authorities and their activities during and after the disaster; Any actions that have been taken prior to activation of the plan; The damage to the facility; The status of all personnel; The status of alternate processing locations, vendors and suppliers, backup storage arrangements and utilities. Based upon the effectiveness of the pre-exercise meetings, the exercise will almost run by itself with team members knowing what has to be accomplished. Exercising is a primary means of training. In any actual recovery effort, the best team members are usually those who have participated in exercises. Post-Exercise Analysis As soon as possible after the exercise, all participants should meet to discuss, evaluate, and document the exercise results. Topics would include a review of the exercise schedule (i.e., date, time, location), exercise objectives both logistically and operationally and the identification of personnel who supported exercise activities. The planning team should then formulate recommendations based on the events that occurred during the exercise and start planning for next exercise. 3

IT Contingency : IT Disaster Recovery Table-top Exercise Information Sources: http://www.coned.iup.edu/safetyscience/disaster/continuity.htm http://www.epa.gov/safewater/watersecurity/tools/trainingcd/pages/scenario8-s.html http://www.recoverychronicles.com/mediapr/enewsletter/july2005/442/article.asp 4

IT Contingency : IT Disaster Recovery CONTINGENCY PLANNING TABLE-TOP EXERCISE Purpose The Table-Top Exercise is intended to assist management and support staff in defining contingency business processes in order to ensure continuity of mission critical student and financial services in the event of a catastrophic loss of WAN connectivity for an extended period of time. It is essentially a sit-down, hands-on planning exercise for key personnel to run through the actions and procedures that need to be taken and the tools needed to maintain operations. Through the exercise, the issues or problems faced by college staff should be surfaced, run through on paper and in discussion, assessed and finally addressed with solutions drawn up to ensure that all efforts toward preparation and readiness for coping with a connectivity failure will be well coordinated and workable. Exercise Scenario Emergency Procedures, Scenario 3: Loss of telecommunications (PSTN or VoIP phone service). Under this scenario, the campus voice gateway router is not functioning. On March 26, 2012 at 8:00 AM the John H. Daniel Campus of SVCC in Keysville, VA looses Voice over IP (VoIP) connectivity. The outage is discovered by the Daniel IT Staff and the problem is investigated. At approximately 9:00 AM the cause of the phone outage is determined to be related to the installation of a new campus firewall. At that time the College IT Network Administrator informs the Dean of IT (face-to-face meeting) of the problem and estimates time of problem resolution to be approximately 1:00 PM March 27. Implications: Loss of VoIP connectivity means that any business processes which depend on phone access to the VCCS and between campuses will not be available as local calls (toll bypass). For example four digit tie-line phone calls or faxes cannot be placed or received: native PSTN telephony (local and long distance phone calls) between campuses and VCCS sites will not be affected. 5

IT Contingency : IT Disaster Recovery Assumptions: Replacement parts will be available within the acceptable downtime. One of the sites will survive the disaster. Backup media and documentation will be secure at the surviving site. Personnel can be made available to implement the Disaster Recovery Plan. In the event of total or partial loss of the College's computer services personnel, assistance will be available from the Virginia Community College System (VCCS) personnel to implement the Disaster Recovery Plan. In case of widespread regional disruption, access to emergency resources and personnel may be severely limited. Objectives The following objectives should be accomplished during the run through of this scenario: Identify the key personnel needed to respond to the contingency. DRP Teams: Emergency Management, Technical Support (SVCC Security Plan Attachment C 2.3. Also Section C, Tabletop Testing document)) Review the COOP and DRP as to provisions for continuity of operations. (Sections C 1 and C 2 respectively, SVCC Security Plan) Review the DRP and COOP Plan Testing document. (Attachment C 2.1 SVCC Security Plan. Also Section B, Tabletop Testing document) Define business processes for critical services as well as technical and procedural problems and their solutions. (Attachment C 1.1 Recovery Strategies, and Manual Procedures documents SVCC Security Plan. Also Sections E and F, Tabletop Testing document) Define the requirements and procedures for communication with other campuses. (Section C 2, SVCC Security Plan, Emergency Procedures document. Also Section D, Tabletop Testing document) Identify issues for future table-top exercises. (To be included in the post exercise report as indicated below) 6

IT Contingency : IT Disaster Recovery Exercise Procedure All exercise participants will assemble in a suitable conference room. A computer with a connection to the college local area network is required. An LCD projector is highly recommended. The college ISO will be the facilitator for the Table-Top Exercise. The exercise facilitator should brief the exercise participants on the exercise scenario and moderate the discussion to ensure all objectives are accomplished. A current copy of the SVCC Security Plan will be used for the exercise. The following minimum exercise participants are recommended: Selected members of the Emergency Management Team: (Attachment C 2.3) IT Disaster Coordinator Network Administrator Information Security Officer College Provost Buildings and Grounds Supervisor Administrative, Financial, and Facilities Management Vice President Selected members of the Technical Support Team: (Attachment C 2.3) Blackboard Administrator PeopleSoft Administrator Any other personnel deemed necessary for this team Test Procedures: The following is an order of operations for the table-top test: Satisfy all requirements of the objectives section of this document give above. Define a testing scenario. Define Emergency Procedures which address the scenario. (Section D, Tabletop Testing document) Define Recovery Strategies which address the scenario. (Section E, Tabletop Testing document) 7

IT Contingency : IT Disaster Recovery Define a Recovery Plan Test which addresses the scenario. (Section B, Tabletop Testing document) Identify a mission critical business process affected by the scenario. Section E, Tabletop Testing document) Apply applicable recovery strategies to the business process. (Sections E and F, Tabletop Testing document) Document all results on the proper forms. (Section C, Tabletop Testing document) Post Exercise Reports Immediately after conclusion of the exercise, a written post exercise report should be prepared to document the observations and findings of the exercise, identify recommendations for contingency management procedures, and to provide lessons learned on the conduct of the table-top exercise. The post exercise report on Continuity of Operations will be maintained by the college Information Security Officer. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information