Project 4 - Business
Create a three page policy for business continuity for
the White House security staff. Prepare a plan based on the critical nature of
information that is presented within the executive department and military
strategies that are reviewed for action. Address each item in the policy
The information to use as a resource for your policy is
provided below (taken from SunGard Availability Services at www.sungardas.com, limited use for
educational purposes) and also in your reading for the week (See Appendix 1 for
Plan purpose: for example, to allow
company personnel to quickly and effectively restore critical business
operations after a disruption.
Plan objective: for example, to
identify the processes or steps involved in resuming normal business
Plan scope: for example, the work
locations or departments addressed.
Plan scenarios addressed: for
example, loss of a primary work area, loss of IT services for a prolonged
period of time, loss of workforce, etc.
Plan assumptions: for example, you
may want to call out the number of work locations impacted at any given time
that key personnel are available for any recovery efforts, or any assumptions
you may have made about vendor or utility service availability.
Recovery Strategies and Activities
After the initial introductory section, there are usually
a number of paragraphs about the strategies outlined in the plan, as well as
the specific personnel undertaking the recovery and the recovery activities.
Examples of sections that you may want to consider for your own BC/DR plan
Recovery Strategy Summary: In this section, a
plan will typically outline the broad strategies to be followed in each of the
scenarios identified in the plan Introduction section. As an example, if “loss of
work area” is identified as a possible failure scenario, a potential recovery
strategy could be to relocate to a previously agreed-upon or contracted
alternate work location, such as a SunGard work area recovery center.
Recovery Tasks: This section of the plan will
usually provide a list of the specific recovery activities and sub-activities
that will be required to support each of the strategies outlined in the
previous section. For example, if the strategy is to relocate to an alternate
work location, the tasks necessary to support that relocation effort could
include identifying any equipment needs, providing replacement equipment,
re-issuing VPN tokens, declaration of disaster, and so on.
Recovery Personnel: Typically, a BC/DR plan
will also identify the specific people involved in the business continuity
efforts, for example, naming a team lead and an alternate team lead, as well as
the team members associated with any recovery efforts. This section of the plan
will also include their contact information, including work phone, cellphone,
and email addresses. Obviously, because of any potential changes in personnel,
the plan will need to be a “living” document that is updated as
personnel/workforce changes are made.
Plan Timeline: Many plans also include a
section in the main body that lays out the steps for activating a plan (usually
in the form of a flow chart). For example, a typical plan timeline might start
from the incident detection, then flow into the activation of the response
team, the establishment of an incident command center, and notification of the
recovery team, followed by a decision point around whether or not to declare a
disaster. A plan timeline may also assign the recovery durations or recovery
time objectives required by the business for each activity in the timeline.
Critical Vendors and their RTOs: In this
section, a plan may also list the vendors critical to day-to-day operations and
recovery strategies, as well as any required recovery time objectives that the
vendors must meet in order for the plan to be successful.
Critical Equipment/Resource Requirements: A
plan may also detail the quantity requirements for resources that must be in
place within specified timeframes after plan activation. Examples of resources
listed might include workstations, laptops (both with and without VPN access),
phones, conference rooms, etc.