Corey, Adam, Dave, Nick. Copyright © 2019, FPP, LLC. All rights reserved.

SOGGy Monthly Meeting: February 2019

DISASTER RECOVERY PLAN.
Creating a Disaster Recovery Plan (DRP) involves assessing risks—or threats—to the continuity of business operations, and then producing a plan to recover after disaster strikes.

SWOT ANALYSIS
One straightforward approach to threat assessment is to perform a SWOT Analysis.

SWOT is an acronym for Strengths | Weaknesses | Opportunities | Threats, and has been popularized over decades by marketing departments to produce and assess the effectiveness of marketing strategies. The SWOT Process analyzes the strengths and weaknesses internal to the organization in order to promote the strengths and remediate the weaknesses; and then looks outside the organization to identify opportunities for future growth and threats to ongoing operations.

A SWOT Analysis framework can also be used in the production of a Disaster Recovery Plan.

This Tech Talk describes a method to restore business operations in enough detail that anyone with appropriate ambient knowledge of the immediate environment can execute the process. Following are some simple examples of using the method to recover from disasters large and small.

EXAMPLE DISASTERS:

  • Drop a glass on the kitchen floor.
    • Are there any small children or animals near the spill location?
      • Y: Contain anyone who might wander in and cut their feet.
      • N: Continue
    • Was the glass full of fluid?
      • Y: Find a towel and mop-up the mess.
      • N: Find a broom and dust pan, and sweep-up the mess.
    • Wrap glass shards in a paper towel so they aren’t a hazard and put them in trash.
    • Clean the floor.
    • Release any captive small children or pets.
  • Car Crash
    • Take photographs of vehicle positions.
    • Are the cars drivable?
      • Y: Pull off the road.
      • N: Push off the road or set up a warning flare for oncoming motorists.
    • Anyone injured?
      • Y: Call 911
      • N: Call insurance company
    • Exchange information with other driver(s)
    • Take photographs of drivers licenses, vehicles and driver(s).
    • Is DUI suspected?
      • Y: Call police
      • N: Continue
    • Call tow truck(s) and remove valuables from vehicle.
    • Call car rental.
  • House Fire
    • Preparation
      • Have fire extinguisher and/or garden hose available.
      • Practice the evacuation procedure by having a fire drill.
      • Move valuables to a safe place.
      • Notify insurance company of high-end items; include receipts & photographs.
    • Call 911 if there’s potential for the fire to spread.
    • Call Forest Service if trees are nearby, or if there are high winds blowing.
    • Notify neighbors, if appropriate.

Now let’s apply the method to a business environment.

THE METHOD: BIA >> DRP >> BCP
Since each business is unique—by design—there is no exact template that will fit all models, however, the method can be used to produce a framework.

Think about the elements of the business, whether by department, function, cost center, goals, supply chain, or staff. Depending on the size of the business, functional elements may overlap so choose the format that fits the way your business works.

Analyze the impact to your business (BIA; Business Impact Analysis) of failure of one or more elements.

Consider cascading failures: That’s when one small, possibly insignificant failure is not attended-to soon enough and then triggers a cascade of failures, compounding the situation.

PRODUCE AN OUTLINE
Once you have a collection of categories—or classifications—produce an outline that identifies the processes handled by each element. EX: If your company is structured by departments, produce an outline for each department. If your company is small and responsibilities are shared by everyone, produce an outline for each function or operation. Outlines may be sub-divided within structural elements, to accommodate shared responsibilities.

To provide a basis for understanding the outlining process, think about a small business that has office space in an old house, with a phone, a computer with an internet connection, and a staff of two. The business owner has the responsibility of running the business: marketing the service, delivering the service, collecting payment for services rendered, and staff payroll. The staff has the responsibility of: opening-up and closing-down the office space each day, handling administrative details, and identifying issues that need management decisions. And everybody answers the phones.

What could go wrong?

THREAT ANALYSIS CATEGORIES

  • Loss of Electrical Power
  • Loss of Telephone System
  • Loss of Internet Connection
  • Equipment Failure
  • Supply Chain Disruption
  • Ransomware
  • Death of the Business Owner

DISASTER RECOVERY METHOD

Each Threat Analysis Category must be analyzed from the perspective of: the impact of failure on business operations | recovery method | progression back to normal operations.

  • Loss of Electrical Power
    • Is this temporary (power company had a glitch; restoration expected within hour)?
      • Will a UPS have enough battery life to supply power to critical equipment?
      • Do you need a generator?
        • What kind of fuel?
        • Where is the fuel source?
    • Is this long-term (EX: vehicle accident took down a power pole)?
      • Can you go home for the day and return tomorrow?
      • Who do you need to notify about the temporary shutdown?
  • Loss of Telephone System
    • How dependent on phones is the business?
    • Can you switch to Cellular Network?
  • Loss of Internet Connection
    • Can you use Cellular Network?
  • Equipment Failure
    • Are there backup devices available on-site or off-site?
    • How long does it take to replace physical equipment?
      • Local (Computer Store)
      • Order (Manufacturer)
  • Natural Disasters
    • Fire | Flood | Earthquake
      • Back up everything regularly & store off-site. Test backups with a restore.
      • Store fire extinguishers near flammables.
      • Buy insurance.
  • Supply Chain Disruption
    • A competing country has purchased the completesupply of a ubiquitous electronic part required for your product, and the component is backordered for one year.
  • Ransomware
    • Call your business insurance provider
    • Call your MSP or CyberSecurity Consultant
  • Death of the Business Owner: Key Man Insurance

CREATE THE RECOVERY PROCESS

  • Write down the step-by-step procedures on Ring-Bound 3×5 Cards.
    • Face of Card: The What.
    • Back of Card: The Why | How | Where | When | Who | Pertinent Notes.
  • Use Stick-on Tabs to label important 3×5 cards.
  • Use Stick-on Flags to mark ToDo items for follow-up activities.
  • Use binder ring to contain cards in booklet form.
  • Use separate booklet of cards for each disaster category.
  • Test the process. Make changes as appropriate. Update the Card Booklet.

CREATE A COMPUTER-PRINTED VERSION

  • Using Avery Unruled Index Cards, produce a printed version of each Card Booklet.
    • Note that this process provides an editable, re-printable—and backup—version of each Booklet.
  • Using either one hole of a 3-hole paper punch or a drill press (from any print shop), add a hole for the Binder Ring.
  • Assemble the 3×5 cards in ring-bound Card Booklets.

PLACE THE RING-BOUND CARD BOOKLETS IN STRATEGIC PLACES

  • Useful for training new-hires—or temporary techs.
  • Useful for cross-training staff from other departments.

ASSUMPTIONS, DEPENDENCIES & CONSTRAINTS
Following are the assumptions upon which the project plans are based, the dependencies of the project plans, and the constraints placed upon the project plans. View the operation with a critical eye to identify and assess these areas.

  • Assumptions: Assumptions are details we assume will either continue as is, or not change in a manner that negatively impacts the operation. EX: Geographic location; plan for an earthquake!
  • Dependencies: Dependencies include deliverables from interfacing entities; entities without which the process would not be able to operate. EX: Supply chain stability; Multiple suppliers! | Vertical integration.
  • Constraints: Constraints relate to matters which will impact the project, and mean that the project may not be completed on schedule. EX: Schedule; keep open spaces in schedule! | Budget; allocate disaster funds!

PREVENTIVE MEASURES (ToDo List)

  • Investigate UPSs and Generators.
  • Investigate DRaaS; compare to DIY.
  • Set up multiple suppliers and track supply chain logistics.
  • CyberSecurity Training for everyone.
  • Business Risk Insurance; get it!

DISCUSSION
Following the presentation on creating a plan to recover from a disaster, there was a lively discussion and some great suggestions from everyone in attendance. The essence of this exchange is included as a .pdf  with names and company references removed, in order to focus on the commentary.

You are invited to join us at the Rogue Tech Hub networking meetings; see the Event Calendar for details.

Author: Karen
Written: 2/10/19
Published: 2/27/19
Copyright © 2019, FPP, LLC. All rights reserved.