The software should provide a systematic method for developing an effective plan. Based on the various considerations addressed during the planning phase, the process itself and related methodology can be equally as beneficial as the final written document. Therefore, the system should contain instructional information to guide the organization through the planning process including:
- Obtaining top management support
- Establishing a planning committee
- Performing a risk assessment
- Analyzing insurance
- Reviewing disaster prevention/preparation
- Determining critical needs
- Developing record retention guidelines
- Prioritizing processing and operations
- Determining backup and recovery strategies
- Preparing written agreements
- Performing data collection
- Organizing and developing the written procedures
- Assigning recovery teams
- Developing testing methods and procedures
- Other instructional information
Disaster prevention is also an important aspect of the planning process. A primary objective of disaster recovery planning is to protect the organization from potential disaster threats. Prevention is a major factor to achieving this objective. Therefore, some packages include comprehensive disaster prevention checklists designed to address key security and control issues to assist in preventing disasters.
To be most beneficial, the system should have been specifically developed to address organization-wide disaster recovery planning versus limiting the scope to only the main computer system. Many packages are complex and difficult to use because they are primarily designed for a large mainframe computer environment and use complex coding and cross reference schemes.
Organizations using service centers should develop a plan that is compatible with the service center’s disaster recovery plan. Many service centers market Disaster Recovery Planning systems for their users that contain information to address the compatibility considerations. These systems are beneficial because the linkages between the user and service center are predefined. It also saves significant time and effort, and helps to assure that a comprehensive plan is developed. Since a recovery plan is constantly impacted by changes in the organization, the software should facilitate maintenance for both data input and subsequent printing. The maintenance procedure should not result in a labor intensive need to reprint and distribute the entire plan for relatively minor changes. Some packages have an option to print only the page and/or section that contains the change.
Some packages automatically interface to word processing to enter and maintain information best presented in a text format (e.g., procedures). These systems are especially flexible and easy to use. If the system also provides database capabilities, it has the best of both approaches.
DISASTER RECOVERY PLAN DEVELOPMENT
Many software packages contain sample plans and procedures that can be modified for the unique aspects of the organization. Thorough and detailed sample plans can significantly reduce the time and effort to develop the plan. The sample plan should include:
- Executive Summary including:
- Structure of the plan
- Alternate processing and facility sites
- Other summary information
- Detailed procedures for each department and functional area of the organization that address:
- High priority tasks
- Temporary operating procedures
- Manual processing techniques
- Recovery and reconstruction procedures
- Record salvage procedures
The detailed procedures should identify specific actions related to:
* Computer and communications related disasters
* Facility and departmental related disasters
- Detailed procedures that address temporary processing techniques at a backup site and long-term replacement methods for critical equipment such as:
- Main computer system
- Voice communications
- Data communications
- Other critical equipment
- Detailed procedures to address logistic strategies and replacement of the facilities.
- Detailed emergency and recovery procedures for each Disaster Recovery Plan Team including:
- Management Team
- Administrative Team
- Departmental Support Team
- Technical Recovery Team
- Other potential teams
Database management capabilities are important for information best presented in a list format. A database is comprised of a group of files. Each file contains a group of records that consist of unique information. Each record contains fields that have singular information.
Modern software techniques such as relational database programming allow records and fields of data to be connected and related. This allows various combinations of data to be processed, extracted and reported.
Some database systems are designed to use abbreviations and codes to represent the corresponding field of information. This programming technique can save disk space. However, codes can be difficult to remember and are not “user friendly.” In addition, the use of codes is not necessary with modern software techniques such as relational database programming.
The software should be developed to maximize the flexibility in using the data. Useful features include:
- An option that allows the user to change the sort sequence of records within the database files. For example, it may be helpful to sort employee related information by:
- Employee name
- Employee number
- Recovery Team
- Position Title
- Primary backup
- Secondary backup
- Other sort options
- A search function for each sort option to allow the user to quickly locate a record by entering all or part of a data field. For example, the employee record for John Smith could be displayed by entering “Smi.”
- Optional “user-defined” field names and contents within each database record. For example, another field for additional telephone numbers could be added to the employee record without special programming.
- Providing data integrity by using a “point and shoot” data entry procedure. For example, employee names should only be entered once. Thereafter, the linking of names to other information would be performed by a “pop-up” list of names for user selection. The same concept applies to other information.
- Options to display reports on the terminal screen versus the necessity to print reports. This capability can save time, effort, and paper. Useful features include:
- Scrolling line-by-line
- Scrolling screen-by-screen
- Panning left and right to view reports with more than 80 characters per line
- Windowing to view separate parts of a report side-by-side
- Fields that can be used for typing large amounts of text information in user-defined formats similar to word processing. For example, some packages allow the user to type in free format comments, memos and other information related to the database record.
- Multi-key access to database records and information allows the user to access the database using several methods. For example, a user friendly system will allow access to employee information by name, title, facility, department, recovery team and other access methods.
- Project management capabilities to plan and track long recovery projects involving several activities, many personnel and multiple start and completion dates. Some packages can automatically generate a Gantt chart that displays prioritized activities by responsible party.
It is essential that the plan be thoroughly tested and evaluated on a regular basis (at least annually). Time has a way of eroding a plan’s effectiveness. Environmental changes occur as organizations change, new products are introduced, and new policies and procedures are developed. Such changes can render a plan inadequate. The tests will provide the organization with the assurance that all necessary steps are included in the plan. Other reasons for testing include:
- Determining the feasibility and compatibility of backup facilities and procedures.
- Identifying areas in the plan that need modification.
- Providing training to the team managers and team members.
- Demonstrating the ability of the organization to recover.
- Providing motivation for maintaining and updating the Disaster Recovery Plan.
Disaster recovery planning software may not be complete unless it facilitates the testing process. Specific areas that should be addressed include:
- Testing schedules and responsibilities
- Testing methods and procedures, such as:
- Structured Walk-Through Testing
- Checklist Testing
- Simulation Testing
- Integrated Testing
- Parallel Testing
- Tactical Testing
- Other Testing Methods
- Techniques for evaluating results and updating the related section of the plan.
Part I of II
Some vendors have developed PC software that is specifically designed to facilitate the testing process. This software contains sample testing procedures for various types of tests and maintains schedules and history of completed tests.
Disaster Recovery Plans often contain sensitive and confidential information; therefore, most systems have some form of password security. Important security factors to consider include:
- Multiple levels of security
- Security for each menu item
- Encrypted passwords
- Minimum length of six characters in the password field
- Password expiration dates
- Capability to automatically require password changes based on user assigned expiration time periods
- Access logging capabilities
- Audit trail reports
There are several significant benefits related to using a good PC-based Disaster Recovery Planning System. The attached exhibit contains a checklist of specific features, functions and capabilities to consider in selecting the software. Each feature should be classified as essential, important or desirable based on the specific needs of your organization.
Software features, functions and capabilities are important; however, there are other issues that should also be considered in selecting PC-based Disaster Recovery Planning software. In the next issue, the second part of this series will describe the selection process and specific selection criteria related to PC-based software for disaster recovery planning.
PART II of II
This is the second part of a two-part series that describes the process for selecting a PC-based disaster recovery planning system. The first part of this series explained important features, functions and capabilities related to selecting software in the following major areas:
- General functions
- Disaster recovery plan development
- Database management
This article describes the selection process and provides a methodology for selecting the most appropriate software package and vendor.
The process and methodology involved in selecting the most appropriate disaster recovery planning software is illustrated in the attached diagram. This process can be used as a guide and tailored to fit the specific circumstances of an organization. The methodology is described below.
Appoint a Selection Committee
A Selection Committee should be appointed to oversee the selection process. Potential members include:
- Disaster recovery planning coordinator
- MIS representatives
- User representatives
- Internal auditors
Perform a Needs Assessment
The Selection Committee should determine whether the scope of the project will include:
- Main computer systems
- Departmental computer systems
- Voice communications
- Data communications
It is also important to identify the potential number of copies of the software that may be needed and the related system environment to be used (i.e., stand-alone PC(s), LAN(s), or WAN(s)).
The Selection Committee should carefully analyze, document and prioritize the specific software features, functions and capabilities required. Complex and unnecessary capabilities should be avoided.
Research and Preselect Vendors
Various trade journals can be used to obtain information on the availability of software packages. Vendors can be preselected based on such factors as:
- Financial strength
- Number of users
- Related services (e.g., consulting)
- Other factors
Qualifying vendors should be invited to submit written proposals.
Analyze and Evaluate Proposals
Several factors should be considered in analyzing and evaluating proposals as illustrated on the attached form.
The purpose of using this form is to quantify and compare all issues involved with the selection process. The Selection Committee should list the criteria in order of importance, apply a weighted value to each criteria, and rank each vendor (i.e., first, second, third...) according to the criteria.For example, if Vendor A satisfies the most software features, it would be ranked the highest in software capabilities based on a raw score. And if Vendor B’s proposal is the lowest cost alternative, it would be ranked the highest in cost based on the raw dollars.
Total vendor scores can then be determined by multiplying the weighted value of the criteria times the vendor ranking.
It is important to check several references for each vendor to obtain additional information relating to the software and related services. The major issues that should be discussed include:
- Installation and training
- Software support
- Product enhancements
- Ease of use
As part of the evaluation process, the Selection Committee should attend an in-depth vendor demonstration. This will allow the Committee to analyze the quality of the software and related documentation, and assess the flexibility and ease of use.
Contracts will vary in complexity and content depending on the type of products and/or services selected by the organization. The purpose of developing written agreements for disaster recovery-related products and services includes:
- Documenting all commitments of the parties involved
- Defining the responsibilities of all parties for each aspect of the product and service
- Providing clear technical and legal descriptions
- Establishing quantitative measures of performance
- Protecting against potential difficulties and misunderstandings
- Providing a means of recourse and definition of remedies for potential problems
Reducing the risk associated with the acquisition of inadequate disaster recovery-related products and services
Copies of contracts should be obtained during the evaluation process so they can be reviewed prior to negotiations. Vendor contracts may be one-sided, protecting the seller’s interests rather than the buyer’s. Because of this, the organization should make every effort to identify key contract provisions that should be included for adequate protection.
The Selection Committee should ensure that all contracts are reviewed by legal counsel prior to their approval. The organization may also find it useful to involve their legal counsel during the negotiation of various contract provisions. Attorneys with specific experience in software and disaster recovery planning matters are desirable.
Implement the System
Effective implementation of a PC-based organization recovery planning system starts with proper installation and training on how to use the system.
Experienced consultants can facilitate this process. The organization should decide who needs to be involved in the installation and training process. This should involve the key person(s) responsible for organization recovery planning, along with a backup or alternate for that person(s).
It is also beneficial to include individuals representing all functional areas of the organization in the installation and training process. This helps to ensure that the resultant recovery plan is comprehensive. Representatives from upper management may be involved in the installation and training process as well, at least in an overview basis. This should help to obtain their support and commitment for the project.
The installation and training should address the following issues:
- How to operate the PC-based system
- How the PC-based systems applies to the organization
- What areas need to be tailored in the system for the organization recovery plan to be completed
- What time frame and specific steps are involved in the completion of the organization recovery plan using the system
- What unique recovery planning issues confront the organization
The success of the installation and training depends to some extent on the responsiveness and cooperation of the organization. Therefore, to maximize the benefit received from the installation and training process, the organization needs to devote the time and necessary resources to this process.
To ensure proper and timely completion of the plan, the organization should involve individuals representing all functions of the organization in the planning process. If the system includes data gathering forms that need to be completed, those forms should be distributed to each respective functional area for completion.
If the system includes a generic or sample organization recovery plan that is divided into functional areas, each respective area should be responsible for completing their part of the sample plan. The involvement and participation of “experts” from all functional areas of the organization in the planning process not only ensures that the plan is accurate and comprehensive, but it also helps to ensure a successful recovery. This involvement results in educated employees who understand the plan and how it should work.
Using a good PC-based Disaster Recovery Planning system can significantly reduce the time and effort in the planning and development process. Other benefits include:
- A systematic approach to the planning process
- Predesigned methodologies
- An effective method for maintenance
- A proven technique
There are several PC-based products on the market; however, a careful selection and implementation process is necessary to achieve the benefits described above.
McGladrey & Pullen is a CPA and consulting firm with 75 offices nationwide. Geoffrey H. Wold is Partner and Joseph C. Rocheleau is Manager of Business Recovery Planning Services, specializing in Business Recovery Planning Consulting Services and Software.
This article adapted from Vol. 6 #1.
Use the following list to help you determine your planning software requirements. Prioritize each of the following features as Essential, Important, or Desirable (E, I, or D)
1. Is PC-based and menu driven.
2. Provides a systematic method for developing an effective plan.
3. Uses a popular word processing package for customization of text files (e.g., WordPerfect).
4. Provides database management capabilities for information best presented in a list format, (i.e., equipment inventories, personnel lists, vendor lists, etc.).
5. Is flexible and easy to use.
6. Can be used for developing an organization-wide disaster recovery plan or a plan for only the data processing function.
7. Is designed to facilitate maintenance.
8. Provides a comprehensive Operations Manual.
9. Includes backup and restore procedures.
10. Can be used on a LAN system.
11. Facilitates recovery from multiple levels of disaster.
12. Contains emergency management module.
DISASTER RECOVERY PLAN DEVELOPMENT
13. Provides a time and events schedule (i.e., Project Management System) that describes the various activities necessary to complete the planning process, allowing input of responsible party, start date, targeted completion date and applicable section of the Plan.
14. Provides a data collection questionnaire to assist in identifying critical functions and activities at the department level.
15. Provides methods to determine critical functions and prioritize operations.
16. Describes various backup and recovery strategies for:
a. Main computer systems
b. Voice communications
c. Data communications
d. Departmental systems
e. Other critical equipment
17. Includes contractual considerations for backup/alternate site arrangements.
18. Can be used with any backup and recovery strategy.
19. Provides sample team designations based on the type of organization and scope of the Plan.
20. Contains data gathering forms that tie to the detailed exhibits within the Plan.
21. Describes typical assumptions used during disaster recovery plan development.
22. Includes descriptions of the various insurance coverages that should be considered by your organization including:
a. Extra expense coverage
b. Business interruption costs
c. Valuable paper and records coverage
d. Errors and omissions coverage
e. Fidelity coverage
f. Medical transportation coverage
g. Electronic funds transfer systems coverage.
23. Includes insurance analysis techniques to reduce premiums.
24. Provides records retention guidelines for corporate, financial, information systems and other records.
25. Describes salvage procedures for various types of records, including magnetic media, paper, microfilm, etc.
26. Provides a comprehensive disaster prevention checklist designed to address key security and control issues to assist in preventing disasters.
a. Physical prevention
b. Procedural prevention
27. Includes procedures and forms for performing a risk assessment (business impact analysis), considering the various natural, human and technical threats and their impact on various departments within the organization.
SAMPLE BUSINESS RECOVERY PLAN
28. Provides for multiple levels of disasters.
29. Contains disaster assessment forms and procedures to assist the Management Team in assessing the extent of the disaster and determining alternative actions.
30. Includes emergency/evacuation procedures for medical emergencies, fire, tornadoes, thunderstorms, gas leaks, power failures, water
31. Contains detailed procedures for the accounting and operational areas.
32. Contains high priority tasks, temporary operating procedures, facilities requirements, equipment and supplies, manual records and forms and reconstruction procedures for each Team.
33. Contains disaster tracking forms once a disaster strikes.
34. Provides detailed procedures for contingency processing at an alternate site (i.e., fixed location hot-site, mobile facility, etc.).
35. Includes detailed procedures for establishing voice and data communications with the alternate processing site.
36. Describes detailed procedures for facility reconstruction and restoration.
37. Includes the following areas:
a. Department procedures
b. Team responsibilities and procedures
c. Distribution procedures
d. High priority tasks
e. Manual processing techniques
f. Emergency accounting procedures
g. Functional area procedures
h. Notification procedures
i. Disaster policies
j. Temporary operating procedures
k. Risk assessment procedures
l. Procedures for establishing a command and control center
38. Addresses the following equipment considerations:
a. Main computer system
c. Data communications
d. Voice communications
e. Other critical equipment
39. Addresses the following facility considerations:
a. Main building
b. Remote facilities
c. Off-site facility
d. Backup facility
40. Provides sample testing schedules and procedures, including types of tests, test participants, Team test responsibilities and test forms.
41. Includes exhibits or reports to supplement the main body of the Plan.
42. Allows for user-defined capabilities.
a. User-defined sections of the plan
b. User-defined exhibits
43. Includes maintenance procedures for keeping the Plan current.
44. Uses a clear, concise writing style.
45. Uses a standard format.
DATABASE MANAGEMENT SYSTEM
46. Uses “point and shoot” for data input.
47. Provides multi-key access to database information and reports.
48. Provides “memo” fields for certain database records allowing over 200 lines of text to be added per field.
49. Includes “user-defined” field names and contents within each database record.
50. Provides on-line help screens.
51. Allows for multiple facilities, locations with facilities and departments within locations.
52. Allows the user to find specific database records or browse the contents of all records.
53. Allows the user to change the sort sequence of records within the database files.
54. Provides a report writer that allows the user to select from a variety of reports and report sequences.
55. Allows reports to be printed or viewed on the screen.
56. Allows reports to be recorded in ASCII format for input into WordPerfect or other software packages.
57. Provides for the following functions when reports are viewed on the screen:
a. Scrolling line by line
b. Scrolling screen by screen
c. Panning left and right
d. Windowing to view separate parts of a report side- by-side
58. Allows the combining of separate database reports into a consolidated file.
59. Provides project management capabilities.
60. Contains the following files/information:
a. Facilities File
b. Location File
c. Department File
d. Alternate Location File
e. Off-site Storage Location File
f. Position Description File
g. Personnel File
h. Personnel Skill Ratings File
i. Team Members File
j. Vendor File
k. Data Communications Inventory File
l. Main Computer Hardware Inventory File
m. Main Computer Software Inventory File
n. Microcomputer Hardware Inventory File
o. Microcomputer Software Inventory File
p. Documentation Inventory File
q. Forms Inventory File
r. Insurance Policies Inventory File
s. Office Equipment Inventory File
t. Office Supply Inventory File
u. Records Inventory File
v. Telecommunications Inventory File
w. Emergency Procedure File
x. Recovery Procedure File
y. Project Management File
61. Contains testing schedules.
62. Includes testing methods and procedures for:
a. Structured Walk-Through Testing
b. Checklist Testing
c. Simulation Testing
d. Integrated Testing
e. Parallel Testing
f. Tactical Testing
63. Contains techniques for evaluating results.
64. Contains user ID and password capability.
65. Encrypts passwords.
66. Includes the capability to require users to change their passwords after a specified period of time.
67. Allows the capability to establish security levels for each user.
68. Contains multiple levels of security.
69. Provides the capability to establish security levels for each menu item.
70. Provides a minimum length of six characters in the password field.
71. Logs and reports user access and usage:
a. Summary reports
b. Detailed reports
Geoffrey H. Wold is Partner and Joseph C. Rocheleau is Manager of Business Recovery Planning Services, specializing in Business Recovery Planning Consulting Services and Software with McGladrey & Pullen.
This article adapted from Vol. 5 #4.