Contingency Planning And Business Recovery

PURPOSE

To develop a plan to minimize disruptions of critical functions and the capability to recover operations expediently and successfully to comply with the COV ITRM Standard SEC2001-01.1.

SCOPE

This process covers the contingency management-planning phase of the VCCS Information Technology Disaster Prevention and Business Program.

APPLICABILITY

This process is applicable to the System Office and all colleges.

EXPECTATIONS

The System Office and each college will allocate the appropriate resources to create a business recovery plan. This plan should be developed based on the information obtained from the Business Impact Analysis and Risk Assessment Analysis. It is not expected that each college will follow these guidelines in total, only to the extent that the purpose noted above is fulfilled.

GUIDELINE

The guidelines developed in this document define a minimum set of expectations. The guidelines will be reviewed as necessary to reflect changes in the use of technology, State and Federal Laws and State Policies, and Directives.

The team approach is used in developing the plan as well as in the recovery from a disaster. Examining the scope of operations at the college should determine what teams and how many teams should be deployed in the plan. The teams have specific responsibilities that allow for a smooth recovery. Use only teams that are applicable to the business environment at the college. The following are the minimum set of teams that should be used in the business recovery plan:

• Planning Coordinator - to lead the business recovery effort
• Emergency management team - assess the damage
• Technical support team - do the actual restoration of automated services
• Special projects team - handle specific issues
• Customer support team - take care of all customer concerns

The following is an example of other teams that could be considered:

• Facilities support team
• Administrative support team
• LAN management team
• Systems and programming team
• Operations team
• Off-site storage team
• Software team
• Hardware team
• Applications team
• Computer backup team

The contingency plan should also incorporate plans for a disaster at other locations that contain critical applications for which the colleges rely upon. For example, all colleges rely on critical applications that reside on servers that are supported by the Utility.  The following recommendations could be included in the Contingency Plan under the assumptions section or under the description of the business/data-processing environment section:

• List all critical applications that are located  on the Utility servers.
• Determine an acceptable downtime period for each application.
• Implement manual procedures as required in the event of a disaster at the Utility. If these manual procedures do not currently exist, give a date for when they will exist.
• Include the Utility's help desk telephone number in the plan under the telephone list.

A standard format for the business recovery plan should be developed to facilitate the consistency and conformity throughout the plan. The following outline is offered as an example of a format with a listing of some of the issues that could be addressed.

PURPOSE

Clearly state the purpose of the business recovery plan.
 

1. ASSUMPTIONS

List and describe the things that could be assumed from the plan. The list of assumptions will not be all-inclusive. Some assumptions could be:

1. All resources and staff can be made available as soon as possible.
2. All members of the disaster recovery teams have the most current copies of the disaster recovery plan.
3. Users will continue to operate via a manual mode.
4. Backups will be made available as soon as possible.
2. INFORMATION TECHNOLOGY/BUSINESS ENVIRONMENT

Provide a detailed description of your business and/or information technology environment.

3. WHEN A DISASTER IS RECOGNIZED

State the course of actions that should occur when a disaster is recognized. The following is an example:

In the event of a disaster, the planning coordinator should be contacted. The coordinator should contact the emergency management team. The emergency management team should go to the area of the disaster, assess the damage and provide the coordinator with the results of the assessment as soon as possible. The planning coordinator should decide which other teams to contact depending on the type and severity of the disaster. Business recovery operations should not begin until the coordinator has designated the plan of operation.

4. BUSINESS RECOVERY TEAMS

Organize business recovery teams to handle different functions during the period from which the disaster is first reported until full recovery is completed. Depending on the size of your site, the size of each of your teams may vary as well as the number of teams. Each team is responsible for developing a set of actions to be followed to facilitate an orderly recovery from a disaster.

1. Disaster Planning Coordinator

Determine who the business recovery coordinator should be. List the responsibilities of the coordinator. Some responsibilities could be:

1. Serve as the primary contact and coordinates the recovery effort.
2. Contact all support personnel involved in the recovery effort.
3. Provide all support personnel with a copy of the plan.
4. Contact the following individuals as soon as possible: College President, Provost, IT Director, etc.
5. Maintain the disaster recovery plan.
2. Emergency Management Team

Determine who the members of the emergency management team will be. List the responsibilities of the emergency management team. Some responsibilities could be:

1. Assessment of the damage.
2. Provide a detail status of the disaster to the disaster planning coordinator as soon as possible.
3. Contact all vendors, contractors or external resources necessary to restore services to the damaged areas.
4. Provide a general status of the disaster to college personnel.
5. Determine the priorities. There should be a minimal accepted time frame the college will function with degraded operations before the backup plan is implemented.
6. Ensure all needed support staff have been contacted to provide assistance.
7. Determine a general time frame for when all services will be restored.
    
3. Technical Support Team

Determine who the members of the technical support team will be. List the responsibilities of the technical support team. Some responsibilities could be:

1. Determine what computer hardware/software has been damaged.
2. Review the risk assessment analysis and business impact analysis and determine what the critical/non-critical applications are and to determine whom is responsible for each application.
3. List procedures to create a new environment for the hardware or for the purchase of new hardware (give actual procedures).
4. List procedures to restore critical software/applications (give actual procedures).
5. List procedures to restore non-critical software/applications (give actual procedures).
6. Contact application owners to determine their role in the recovery process.
    
4. Special Projects Team

Determine whom the members of the special projects team will be. List the responsibilities of the special project team. Some responsibilities could be:

1. Provide transportation to/from backup facilities.
2. Make any necessary telephone calls.
3. Order supplies, complete necessary paper work, provide assistance as required to all support groups.
    
5. Customer Support Team

Determine who the members of the customer support team will be. List the responsibilities of the customer support team. Some responsibilities could be:

1. Notify computer customers of the disaster and give them a time frame for recovery.
2. Help customers develop manual procedures to accomplish work if resources are unavailable for a long duration of time.
3. Have customers list the priority of their day to day work.
5. EMERGENCY RESPONSE PROCEDURES

List the emergency response procedures appropriate to any incident or activity, which may endanger lives, property or the capability to perform essential functions.

6. EMERGENCY TELEPHONE LIST

Make a list of the emergency services telephone numbers in your area; i.e., fire and police service, air-condition service, security service, etc. List all the names and telephone numbers (work and home) of all the members of the disaster recovery teams. You can also list the telephone numbers of any hardware and/or software vendors as well as any other important telephone numbers.

7. MAINTAINING THE PLAN

This should be the responsibility of the Planning Coordinator. List the steps the coordinator should take to maintain this plan. Some steps could be:

1. Develop a timetable to test the plan (at least once a year).
2. Have a sign-off from higher management that the plan complies with the COV ITRM Standard SEC2001-01.1.
3. Keep the plan updated with the most recent information.
4. Make sure plan is safeguarded at the office and a copy on file at a secured off-site location.