Details

<p>Foreword xix</p> <p>Introduction 1</p> <p>About This Book 1</p> <p>How This Book Is Organized 2</p> <p>Part I: Getting Started with Disaster Recovery 2</p> <p>Part II: Building Technology Recovery Plans 2</p> <p>Part III: Managing Recovery Plans 2</p> <p>Part IV: The Part of Tens 3</p> <p>What This Book Is — and What It Isn’t 3</p> <p>Assumptions about Disasters 3</p> <p>Icons Used in This Book 4</p> <p>Where to Go from Here 4</p> <p>Write to Us! 5</p> <p><b>Part I: Getting Started with Disaster Recovery 7</b></p> <p><b>Chapter 1: Understanding Disaster Recovery 9</b></p> <p>Disaster Recovery Needs and Benefits 9</p> <p>The effects of disasters 10</p> <p>Minor disasters occur more frequently 11</p> <p>Recovery isn’t accidental 12</p> <p>Recovery required by regulation 12</p> <p>The benefits of disaster recovery planning 13</p> <p>Beginning a Disaster Recovery Plan 13</p> <p>Starting with an interim plan 14</p> <p>Beginning the full DR project 15</p> <p>Managing the DR Project 18</p> <p>Conducting a Business Impact Analysis 18</p> <p>Developing recovery procedures 22</p> <p>Understanding the Entire DR Lifecycle 25</p> <p>Changes should include DR reviews 26</p> <p>Periodic review and testing 26</p> <p>Training response teams 26</p> <p><b>Chapter 2: Bootstrapping the DR Plan Effort 29</b></p> <p>Starting at Square One 30</p> <p>How disaster may affect your organization 30</p> <p>Understanding the role of prevention 31</p> <p>Understanding the role of planning 31</p> <p>Resources to Begin Planning 32</p> <p>Emergency Operations Planning 33</p> <p>Preparing an Interim DR Plan 34</p> <p>Staffing your interim DR plan team 35</p> <p>Looking at an interim DR plan overview 35</p> <p>Building the Interim Plan 36</p> <p>Step 1 — Build the Emergency Response Team 37</p> <p>Step 2 — Define the procedure for declaring a disaster 37</p> <p>Step 3 — Invoke the interim DR plan 39</p> <p>Step 4 — Maintain communications during a disaster 39</p> <p>Step 5 — Identify basic recovery plans 41</p> <p>Step 6 — Develop processing alternatives 42</p> <p>Step 7 — Enact preventive measures 44</p> <p>Step 8 — Document the interim DR plan 46</p> <p>Step 9 — Train ERT members 48</p> <p>Testing Interim DR Plans 48</p> <p><b>Chapter 3: Developing and Using a Business Impact Analysis 51</b></p> <p>Understanding the Purpose of a BIA 52</p> <p>Scoping the Effort 53</p> <p>Conducting a BIA: Taking a Common Approach 54</p> <p>Gathering information through interviews 55</p> <p>Using consistent forms and worksheets 56</p> <p>Capturing Data for the BIA 58</p> <p>Business processes 59</p> <p>Information systems 60</p> <p>Assets 61</p> <p>Personnel 62</p> <p>Suppliers 62</p> <p>Statements of impact 62</p> <p>Criticality assessment 63</p> <p>Maximum Tolerable Downtime 64</p> <p>Recovery Time Objective 64</p> <p>Recovery Point Objective 65</p> <p>Introducing Threat Modeling and Risk Analysis 66</p> <p>Disaster scenarios 67</p> <p>Identifying potential disasters in your region 68</p> <p>Performing Threat Modeling and Risk Analysis 68</p> <p>Identifying Critical Components 69</p> <p>Processes and systems 70</p> <p>Suppliers 71</p> <p>Personnel 71</p> <p>Determining the Maximum Tolerable Downtime 72</p> <p>Calculating the Recovery Time Objective 72</p> <p>Calculating the Recovery Point Objective 73</p> <p><b>Part II: Building Technology Recovery Plans 75</b></p> <p><b>Chapter 4: Mapping Business Functions to Infrastructure 77</b></p> <p>Finding and Using Inventories 78</p> <p>Using High-Level Architectures 80</p> <p>Data flow and data storage diagrams 80</p> <p>Infrastructure diagrams and schematics 84</p> <p>Identifying Dependencies 90</p> <p>Inter-system dependencies 91</p> <p>External dependencies 95</p> <p><b>Chapter 5: Planning User Recovery 97</b></p> <p>Managing and Recovering End-User Computing 98</p> <p>Workstations as Web terminals 99</p> <p>Workstation access to centralized information 102</p> <p>Workstations as application clients 104</p> <p>Workstations as local computers 108</p> <p>Workstation operating systems 113</p> <p>Managing and Recovering End-User Communications 119</p> <p>Voice communications 119</p> <p>E-mail 121</p> <p>Fax machines 125</p> <p>Instant messaging 126</p> <p><b>Chapter 6: Planning Facilities Protection and Recovery 129</b></p> <p>Protecting Processing Facilities 129</p> <p>Controlling physical access 130</p> <p>Getting charged up about electric power 140</p> <p>Detecting and suppressing fire 141</p> <p>Chemical hazards 144</p> <p>Keeping your cool 145</p> <p>Staying dry: Water/flooding detection and prevention 145</p> <p>Selecting Alternate Processing Sites 146</p> <p>Hot, cold, and warm sites 147</p> <p>Other business locations 149</p> <p>Data center in a box: Mobile sites 150</p> <p>Colocation facilities 150</p> <p>Reciprocal facilities 151</p> <p><b>Chapter 7: Planning System and Network Recovery 153</b></p> <p>Managing and Recovering Server Computing 154</p> <p>Determining system readiness 154</p> <p>Server architecture and configuration 155</p> <p>Developing the ability to build new servers 157</p> <p>Distributed server computing considerations 159</p> <p>Application architecture considerations 160</p> <p>Server consolidation: The double-edged sword 161</p> <p>Managing and Recovering Network Infrastructure 163</p> <p>Implementing Standard Interfaces 166</p> <p>Implementing Server Clustering 167</p> <p>Understanding cluster modes 168</p> <p>Geographically distributed clusters 169</p> <p>Cluster and storage architecture 170</p> <p><b>Chapter 8: Planning Data Recovery 173</b></p> <p>Protecting and Recovering Application Data 173</p> <p>Choosing How and Where to Store Data for Recovery 175</p> <p>Protecting data through backups 176</p> <p>Protecting data through resilient storage 179</p> <p>Protecting data through replication and mirroring 180</p> <p>Protecting data through electronic vaulting 182</p> <p>Deciding where to keep your recovery data 182</p> <p>Protecting data in transit 184</p> <p>Protecting data while in DR mode 185</p> <p>Protecting and Recovering Applications 185</p> <p>Application version 186</p> <p>Application patches and fixes 186</p> <p>Application configuration 186</p> <p>Application users and roles 187</p> <p>Application interfaces 189</p> <p>Application customizations 189</p> <p>Applications dependencies with databases,operating systems, and more 190</p> <p>Applications and client systems 191</p> <p>Applications and networks 192</p> <p>Applications and change management 193</p> <p>Applications and configuration management 193</p> <p>Off-Site Media and Records Storage 194</p> <p><b>Chapter 9: Writing the Disaster Recovery Plan 197</b></p> <p>Determining Plan Contents 198</p> <p>Disaster declaration procedure 198</p> <p>Emergency contact lists and trees 200</p> <p>Emergency leadership and role selection 202</p> <p>Damage assessment procedures 203</p> <p>System recovery and restart procedures 205</p> <p>Transition to normal operations 207</p> <p>Recovery team 209</p> <p>Structuring the Plan 210</p> <p>Enterprise-level structure 210</p> <p>Document-level structure 211</p> <p>Managing Plan Development 212</p> <p>Preserving the Plan 213</p> <p>Taking the Next Steps 213</p> <p><b>Part III: Managing Recovery Plans 215</b></p> <p><b>Chapter 10: Testing the Recovery Plan 217</b></p> <p>Testing the DR Plan 217</p> <p>Why test a DR plan? 218</p> <p>Developing a test strategy 219</p> <p>Developing and following test procedures 220</p> <p>Conducting Paper Tests 221</p> <p>Conducting Walkthrough Tests 222</p> <p>Walkthrough test participants 223</p> <p>Walkthrough test procedure 223</p> <p>Scenarios 224</p> <p>Walkthrough results 225</p> <p>Debriefing 225</p> <p>Next steps 226</p> <p>Conducting Simulation Testing 226</p> <p>Conducting Parallel Testing 227</p> <p>Parallel testing considerations 228</p> <p>Next steps 229</p> <p>Conducting Cutover Testing 230</p> <p>Cutover test procedure 231</p> <p>Cutover testing considerations 233</p> <p>Planning Parallel and Cutover Tests 234</p> <p>Clustering and replication technologies and cutover tests 235</p> <p>Next steps 236</p> <p>Establishing Test Frequency 236</p> <p>Paper test frequency 237</p> <p>Walkthrough test frequency 238</p> <p>Parallel test frequency 239</p> <p>Cutover test frequency 240</p> <p><b>Chapter 11: Keeping DR Plans and Staff Current 241</b></p> <p>Understanding the Impact of Changes on DR Plans 241</p> <p>Technology changes 242</p> <p>Business changes 243</p> <p>Personnel changes 245</p> <p>Market changes 247</p> <p>External changes 248</p> <p>Changes — some final words 249</p> <p>Incorporating DR into Business Lifecycle Processes 250</p> <p>Systems and services acquisition 250</p> <p>Systems development 251</p> <p>Business process engineering 252</p> <p>Establishing DR Requirements and Standards 253</p> <p>A Multi-Tiered DR Standard Case Study 254</p> <p>Maintaining DR Documentation 256</p> <p>Managing DR documents 257</p> <p>Updating DR documents 258</p> <p>Publishing and distributing documents 260</p> <p>Training Response Teams 261</p> <p>Types of training 261</p> <p>Indoctrinating new trainees 262</p> <p><b>Chapter 12: Understanding the Role of Prevention 263</b></p> <p>Preventing Facilities-Related Disasters 264</p> <p>Site selection 265</p> <p>Preventing fires 270</p> <p>HVAC failures 272</p> <p>Power-related failures 272</p> <p>Protection from civil unrest and war 273</p> <p>Avoiding industrial hazards 274</p> <p>Preventing secondary effects of facilities disasters 275</p> <p>Preventing Technology-Related Disasters 275</p> <p>Dealing with system failures 276</p> <p>Minimizing hardware and software failures 276</p> <p>Pros and cons of a monoculture 277</p> <p>Building a resilient architecture 278</p> <p>Preventing People-Related Disasters 279</p> <p>Preventing Security Issues and Incidents 280</p> <p>Prevention Begins at Home 283</p> <p><b>Chapter 13: Planning for Various Disaster Scenarios 285</b></p> <p>Planning for Natural Disasters 285</p> <p>Earthquakes 285</p> <p>Wildfires 287</p> <p>Volcanoes 288</p> <p>Floods 289</p> <p>Wind and ice storms 290</p> <p>Hurricanes 291</p> <p>Tornadoes 292</p> <p>Tsunamis 293</p> <p>Landslides and avalanches 295</p> <p>Pandemic 297</p> <p>Planning for Man-Made Disasters 300</p> <p>Utility failures 300</p> <p>Civil disturbances 301</p> <p>Terrorism and war 302</p> <p>Security incidents 303</p> <p><b>Part IV: The Part of Tens 305</b></p> <p><b>Chapter 14: Ten Disaster Recovery Planning Tools 307</b></p> <p>Living Disaster Recovery Planning System (LDRPS) 307</p> <p>BIA Professional 308</p> <p>COBRA Risk Analysis 308</p> <p>BCP Generator 309</p> <p>DRI Professional Practices Kit 310</p> <p>Disaster Recovery Plan Template 310</p> <p>SLA Toolkit 311</p> <p>LBL ContingencyPro Software 312</p> <p>Emergency Management Guide for Business and Industry 312</p> <p>DRJ’s Toolbox 313</p> <p>Chapter 15: Eleven Disaster Recovery Planning Web Sites 315</p> <p>DRI International 315</p> <p>Disaster Recovery Journal 316</p> <p>Business Continuity Management Institute 316</p> <p>Disaster Recovery World 317</p> <p>Disaster Recovery Planning.org 317</p> <p>The Business Continuity Institute 318</p> <p>Disaster-Resource.com 319</p> <p>Computerworld Disaster Recovery 319</p> <p>CSO Business Continuity and Disaster Recovery 320</p> <p>Federal Emergency Management Agency (FEMA) 320</p> <p>Rothstein Associates Inc 321</p> <p><b>Chapter 16: Ten Essentials for Disaster Planning Success 323</b></p> <p>Executive Sponsorship 323</p> <p>Well-Defined Scope 324</p> <p>Committed Resources 325</p> <p>The Right Experts 325</p> <p>Time to Develop the Project Plan 326</p> <p>Support from All Stakeholders 326</p> <p>Testing, Testing, Testing 327</p> <p>Full Lifecycle Commitment 327</p> <p>Integration into Other Processes 328</p> <p>Luck 329</p> <p><b>Chapter 17: Ten Benefits of DR Planning 331</b></p> <p>Improved Chances of Surviving “The Big One” 331</p> <p>A Rung or Two Up the Maturity Ladder 332</p> <p>Opportunities for Process Improvements 332</p> <p>Opportunities for Technology Improvements 333</p> <p>Higher Quality and Availability of Systems 334</p> <p>Reducing Disruptive Events 334</p> <p>Reducing Insurance Premiums 335</p> <p>Finding Out Who Your Leaders Are 336</p> <p>Complying with Standards and Regulations 336</p> <p>Competitive Advantage 338</p> <p>Index 339</p>

<b>Peter H. Gregory, CISA, CISSP,</b> is the author of fifteen books on security and technology, including <i>Solaris Security</i> (Prentice Hall), <i>Computer Viruses For Dummies</i> (Wiley), <i>Blocking Spam and Spyware For Dummies</i> (Wiley), and <i>Securing the Vista Environment</i> (O’Reilly).<br /> Peter is a security strategist at a publicly-traded financial management software company located in Redmond, Washington. Prior to taking this position, he held tactical and strategic security positions in large wireless telecommunications organizations. He has also held development and operations positions in casino management systems, banking, government, non-profit organizations, and academia since the late 1970s.<br /> He’s on the board of advisors for the NSA-certified Certificate program in Information Assurance & Cybersecurity at the University of Washington, and he’s a member of the board of directors of the Evergreen State Chapter of InfraGard.

<b>Create a safety net while you work out your major plan</b> <p><b>Identify critical IT systems, develop a long-range strategy, and train your people</b></p> <p>Some disasters get coverage on CNN — some just create headaches for the affected organization. The right plan will get your business back on track quickly, whether you're hit by a tornado or a disgruntled employee with super hacking powers. Here's how to assess the situation, develop both short-term and long-term plans, and keep them updated.</p> <p><b>Discover how to:</b></p> <ul> <li> <p>Select your disaster recovery team</p> </li> <li> <p>Conduct a Business Impact Analysis</p> </li> <li> <p>Determine risks</p> </li> <li> <p>Get management support</p> </li> <li> <p>Create appropriate plan documents</p> </li> <li> <p>Test your plan</p> </li> </ul>

US