Project 4: Business Continuity Plan
Create a three page policy for business continuity for the White House security staff. Prepare a plan based on the critical nature of information that is presented within the executive department and military strategies that are reviewed for action. Address each item in the policy headings below:
The information to use as a resource for your policy is provided below (taken from SunGard Availability Services at www.sungardas.com, limited use for educational purposes) and also in your reading for the week (See Appendix 1 for policy information).
Plan purpose: for example, to allow company personnel to quickly and effectively restore critical business operations after a disruption.
Plan objective: for example, to identify the processes or steps involved in resuming normal business operations.
Plan scope: for example, the work locations or departments addressed.
Plan scenarios addressed: for example, loss of a primary work area, loss of IT services for a prolonged period of time, loss of workforce, etc.
Plan assumptions: for example, you may want to call out the number of work locations impacted at any given time that key personnel are available for any recovery efforts, or any assumptions you may have made about vendor or utility service availability.
Recovery Strategies and Activities
After the initial introductory section, there are usually a number of paragraphs about the strategies outlined in the plan, as well as the specific personnel undertaking the recovery and the recovery activities. Examples of sections that you may want to consider for your own BC/DR plan include:
Recovery Strategy Summary: In this section, a plan will typically outline the broad strategies to be followed in each of the scenarios identified in the plan Introduction section. As an example, if â€œloss of work areaâ€ is identified as a possible failure scenario, a potential recovery strategy could be to relocate to a previously agreed-upon or contracted alternate work location, such as a SunGard work area recovery center.
Recovery Tasks: This section of the plan will usually provide a list of the specific recovery activities and sub-activities that will be required to support each of the strategies outlined in the previous section. For example, if the strategy is to relocate to an alternate work location, the tasks necessary to support that relocation effort could include identifying any equipment needs, providing replacement equipment, re-issuing VPN tokens, declaration of disaster, and so on. Recovery Personnel: Typically, a BC/DR plan will also identify the specific people involved in the business continuity efforts, for example, naming a team lead and an alternate team lead, as well as the team members associated with any recovery efforts. This section of the plan will also include their contact information, including work phone, cellphone, and email addresses. Obviously, because of any potential changes in personnel, the plan will need to be a â€œlivingâ€ document that is updated as personnel/workforce changes are made.
Plan Timeline: Many plans also include a section in the main body that lays out the steps for activating a plan (usually in the form of a flow chart). For example, a typical plan timeline might start from the incident detection, then flow into the activation of the response team, the establishment of an incident command center, and notification of the recovery team, followed by a decision point around whether or not to declare a disaster. A plan timeline may also assign the recovery durations or recovery time objectives required by the business for each activity in the timeline.
Critical Vendors and their RTOs: In this section, a plan may also list the vendors critical to day-to-day operations and recovery strategies, as well as any required recovery time objectives that the vendors must meet in order for the plan to be successful.
Critical Equipment/Resource Requirements: A plan may also detail the quantity requirements for resources that must be in place within specified timeframes after plan activation. Examples of resources listed might include workstations, laptops (both with and without VPN access), phones, conference rooms, etc.
Resources to use: