Emergency Disaster Plan - Essay Example

DISASTER MANAGEMENT PLAN Table of Contents I. PROJECT INITIATION AND MANAGEMENT The XYZ Insurance Company business depends on the information to run through their daily work. This becomes important when disasters do strike. The location of the company is specifically prone to flooding and it is only wise to ensure that every disaster when it strikes is met with a clear plan and management. The problem in the current case is to protect the company from flooding and to safe guard the IT data. In order to safe guard the data in the company and to ensure that there is no loss of information which in turn could result in litigation and financial loss, there should be a clear disaster management plan. If such a plan is not presented and activated in time, it becomes highly risky in the course of time when such an eventuality occurs. The cost of the loss sustained is far higher and in many cases, there is no compensation possible for such losses. Whether this is a flood or a fire or a terrorist strike the company should be ready to take care of the eventuality. A high level technical support should be planned and there should be a clear commitment from across the company and its management. Management should be aware of the liability and accountability to the company and the public in general. The process would involve a steering committee being set up for this purpose which would enable the members to know the different classes of security and protection in addition to disaster management for different types of companies. It is also essential that an appropriate budget is drawn for this purpose. Budget can be effectively planned only if there is a clear allocation of teams for specific jobs and execution plan for every one of the jobs in the disaster management. II. RISK EVALUATION AND CONTROL The possible loss potentials or threats have to be identified in the company as a first step. In the current case, the loss would include the following: 1. Property damages could occur due to water seepage in the company as well as due to wind. In an insurance company, the threat perception is noticed only for the information contained in the computers and the loss that could occur to this data will be the one that would cause loss to the business. 2. Water is capable of damaging the entire computer network in the office which could result in loss of data in the computer as well as loss due to stoppage of work. 3. Loss due to wind could take the form of disrupted wiring and networks resulting in communication issues that could stop smooth flow business. Loss of business activity would mean that clients are not served and orders are not booked. Either of them would result in a loss to the company in terms of finance or in terms of service creating wrong impressions with the clients. 4. Apart from this the company is also vulnerable to external man made attacks in terms of virus or such other external ingression of unwanted elements on to the computer network. 5. The possibility of a fire to the building also exists. 6. The possibility of an earthquake in that area is also possible. Out of these possible vulnerabilities, the area is prone to flooding and winds of hurricane grade. Therefore, the company should ideally plan for defending itself against such vulnerabilities. In order to safeguard itself against flooding and hurricanes, the company should look for the following measures: 1. To counter flooding, physical security is primary. All back up data taken every day should be kept inside safe packs of water proof and fire proof quality. Fire can also be caused by hurricanes. 2. The structure of the building may be so planned that the building is appropriately raised and built so that the chances of flooding the building goes down to zero if possible. 3. Company should ensure that the data is safely backed up every day and moved to a different location so that even in the case of a large flood stopping the work and spoiling the data in the company main data center, the data in the other location can be called on for restoring the system. 4. This will not take care of the issue of interrupted work. However, if that has to be countered then the company should look at having two servers working in unison as a mirror of the other and should come on line in case the main machine fails. Ideally this alternate server and mirror server should be located elsewhere in the country so as to be away from any natural disaster or man made disaster that might bring the first machine down. 5. Appropriate virus protection software is to be installed. Ideally an online update server that would ensure that all virus updates are updated live into every one of the network nodes in the company. This would also ensure that the virus checking is appropriate and that no external virus or worm threat would be serious. 6. However, physical limitations to using external floppies or CD or zip drives or pen drives can be brought down to zero by appropriately controlling it. Similar controls need to be brought in to ensure that the company does not have unauthorized software installed on their network. 7. External ingression can be restricted by using appropriate firewalls in the network at the point of internet connectivity which will ensure that no unauthorized person could come into the company network. 8. In order to detect external ingress of people on to the network or attempts to do such an ingress, it is advisable to install an intrusion detection hardware that would warn even when some one is trying to get into the network. While these measures would help in suppressing the cause of the vulnerability in some cases and in others, it would also help in reducing the effect of damages. These will also reduce the impact of damages in the system and would restore the company back on trail at the earliest. In order to ensure that these tools are appropriately installed and used, it is important that the personnel are trained fully with the procedures. The backup of data and protection measures need to be taken in right earnest as per the laid down processes. Information security is manifold as reflected in the measures. Typically, the hardware and the software security is to be done using the firewalls and other such measures. Similarly data security is done using the proper backup processes and the restoration processes. Duplication of the data and a redundant server would ensure that in case of a failure the other would take over the work and the client might not feel any discrepancy in service. The entire process could be transparent to the end user. III. BUSINESS IMPACT ANALYSIS The disruptions in an insurance company affect its standing with the customers. Since a customer does not look forward to its service every day but once in a rare case. But if the insurance company was not available at that point of time, it makes the matter pretty worse and the availability of the insurance company is therefore critical for its existence. Physical loss to the company can be measured and possibly are insured against. Whereas, intangible loss to the company happens in these forms which arise out of discontinuity of service to the clients and also loss of information. By not responding to the client requirements when he needs the insurance company, then it might even be a violation of a law. Loss exposure that the company has to face includes the following: 1. Loss of information resulting in collection losses would amount to a direct cash loss. Depending upon the quantum of business being executed by the company, till the time of restoring data this loss could be continuing. 2. Intangible loss of business perception of the company is not quantifiable though the size of loss could be pretty high depending on the duration of the interruption and on the possible emergencies that people are facing. 3. There could also be qualitative losses in terms of human resources, legal, social, morale and confidence of both the employees and the clients. Therefore it is important that the company identifies the recovery time frames and is prepared for an emergency operation that might take the specified time or less to restore operation in the company. This declaration will also help keep the people in the know and will enable appropriate service provided to the customer. IV. DEVELOPING RECOVERY STRATEGIES Recovery time frame in this case has to be specified. In case of a redundant server being present it is not uncommon to find that there is almost no service interruption and the clients do not feel the change over at all. This would be the ultimate and the best recovery option that a company IT manager could wish for. Based on the recovery strategy worked out, the options could vary and the time frame required to reinstate status could also change. Reinstating option could also be in the form of restore data if it is coming out of an off line data or from a remote server if there is an online mirroring available and so on. This would also ensure that the personnel communications are also restored through this mode. Most of the recovery strategies invariably cover the possible recovery options. But should the option fail, then the alternative recovery strategies should be in place. This would include on failure of the recovery strategy what action is to be taken for every one of the recovery options. In the current scenario, the recovery option that we have is a redundant server that would come on line once there is a failure. If the redundant server does not come on line, then the mirror site has to be started manually by appropriately redirecting. This can happen only if the data in the mirror site is updated appropriately. Alternate strategy will other wise involve restoring data manual on to the alternate mirror site and then redirect the access to the alternate mirror site. Alternate sites and Off-site storage facilities have to be identified depending upon the nature of data, storage and use. Ideally a different weather condition, a different seismological and climatic and political area should be chosen so that any change that happens in one does not have any impact on the other. The benefits realized out of this exercise will be phenomenal compared to the risk that is taken due to a loss that might occur. V. EMERGENCY RESPONSE An emergency response plan is needed to ensure that the work is completed in cases of an emergency swiftly. Ideally in this case the change over should be automatic from the main server to the mirror server. However, in case if this does not go through then the human intervention is needed. The restoration of the operation in the offices in case of building has to be clearly laid out and the cessation of work should be lifted at the earliest. VI. DEVELOP AND IMPLEMENT THE PLAN The plan has to be developed further and implemented. Planning should indicate all the details including the minute ones and take care of all possible options. This is needed since there may not be an option to look into and ascertain actions at the time of an emergency. It is therefore, essential that the appropriate checklists, action plans, job descriptions, matrixes, forms and all other supporting documents are readily available with the plan. A recovery team is to be identified and this team should have a meeting room or an assembly point in case of an emergency. This point should be so positioned that it should be out of the vulnerability and alternate assembly points should also be specified. There should also be a recovery coordinator or a leader for the recovery exercise. Most often the assembly point or the emergency meeting room will the Emergency Operations Center and the control room for the operation will be this. The team should comprise of a public relations executive who will be the contact point for all the clients under an emergency condition. VII. CORPORATE AWARENESS PROGRAMS AND TRAINING Appropriate training is to be provided to the recovery team so that they are in the know about the methods for recovery. Apart from this the rest of the team in the company should also know the basic details on the recovery process and should be in a position to set aside any fear that a client or a colleague might harbor. These programs have to be appropriately designed depending on to whom this is addressed and they could be computer based, class room based or test based programs. For the general people, it is enough if an awareness program is run through. General education using some of the generic business continuity plans should also be done to ensure that there is no cessation of work when there is a disruption of service or even if it happens, the cessation is to the minimum possible. In order to ensure that the training is conducted in appropriate fashion, a proper short listing of people involved in the process is to be made. The people who form the core group needs to be identified and included in the list. Similarly others who need nominal training should also be appropriately identified and listed. Training according to their needs is to be provided to the respective people in the company. VIII. TESTING AND EXERCISING THE PLAN The plan should be tested and ensured that it would work. It would be ideal if a simulation of the test program is done. In order to ensure that the testing is appropriate, the test specifications, requirements should all be clearly specified and then a test program is to be established. Evaluation criterion for the test and the specifications for the same are established before commencing the test. All the factors of the test, the acceptable results for these tests should also be established. This will help in identifying any factor that is not satisfactory and could be improved if there is a need. This is possible only if there is a clear set of metrics decided and described for every factor that is tested. The factors themselves are identified based on the importance of the factor in the entire process and the extent any change in it would affect the overall safety of the information both physical and virtual. This will ensure that at the end of the test, it is possible to measure the performance and appropriate metrics are derivable. IX. MAINTAINING AND UPDATING OF THE PLAN The plan has to be clearly documented and maintained. And this has to be reviewed periodically and if possibly a test is simulated at regular intervals to ensure that the plan works satisfactorily. In case of execution of the plan and if an emergency does occur, it is essential that the documents connected with collecting of information is also filled up in the due course of setting things right. This will ensure that the updating of the plan is done to the extent required. In order to ensure that the latest techniques are used for this purpose, it is essential that there is a study conducted every planned period and is updated into the process. X. Public Relations and Crisis Communications As mentioned earlier one member in the crisis team should ideally be a public relations person, who will be in a position to take care of any PR requirements that might come up in the course of the crisis. This could particularly happen when there is lots of human interest and intervention in and during the recovery process. This person should be in a position to coordinate with the rest of the stake holder groups like share holders, clients and others. This is to ensure that the company will not be having any negative propaganda during the period of recovery and appropriate action is taken. Once this is established, the plans should be tested to ensure smooth operation. It should also be remembered that there are issues which need to be communicated to the entire public who will also become a stake holder for certain types of crisis. XI. Coordination with Public Authorities In case of fire or flood or any such natural calamity or man made calamity, there will be public authorities who will be involved in the recovery process. One of the emergency recovery team members need to ensure that the coordination with these public authorities is in line and that they will be liaising with the people in preparing and responding to the calamity. These people should also be in the know with respect to the laws that cover such emergency procedures and should ensure that the recovery process that is laid in the company is in line with the legal tenets. Most often it is the public relations executive who would double as a coordinator with public authorities since both could be interconnected and are legally bound. In order to safeguard the interests of the company this person should be exclusively allocated for the purpose. XII. Execution of the Plan Once all the specifications are ready then the recovery committee and the management could make an appropriate declaration to all the people concerned indicating that the emergency plan is activated and that all concerned should follow the rules without any reservations. All the concerned teams should be activated, support vendors are informed and included in mock and tests. The Emergency Operations Center and the teams are activated to implement the emergency plan in case they should occur. XIII. References 1. Steven J Carlson & D J Parker, 1998, Disaster Recovery Planning and Accounting Information Systems, Review of Business, Vol 19. 2. Brian Pereira, Aug 2002, Implementing a Business Continuity Plan, Network Magazine. 3. Padmavathy Ramesh, July 2002, Business Continuity Plan, Tata Consultancy Services, available at: http://www.tcs.com/0_whitepapers/htdocs/BCP.pdf 4. Federal Financial Institutions Examination Council, Mar 2003, Business Continuity Planning, available at: http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf Read More