Another critical component that will determine the success
of business continuity management (BCM) is awareness and training.
This section focuses on creating a program that increases
employee awareness and builds the skills required to develop, implement,
maintain, and execute the business continuity plan.
Audits...
Audits are reports that continually review the plans and the emergency and
recovery tests and exercises. The purpose of auditing is to ensure
the continuing readiness of the plan, and audits should be conducted prior
to, during, and after a test exercise. It is the responsibility
of the BCM manager to make sure that the plan is periodically audited.
His or her responsibilities include scheduling, conducting, coordinating
and evaluating the auditing process and making sure that senior
management is kept aware of the results. These audits give senior
management assurance that all necessary critical data is
being verified and will be available should the need arise.
Some examples of auditing frequencies are:
- Off-site storage or vault inventories audits should be conducted
a minimum of once every quarter both with and without notification.
Calling back critical data sets from the vault, and testing/exercising
the application on-site or off-site, is a viable way to conduct
and report on auditing results.
- A Pyramid Call Tree audit should be conducted at least semi-annually,
or more frequently depending on personnel changes. This periodically
audits and verifies the accuracy of the employee contact information
contained in the plan.
- A Hot-Site test (if applicable) or exercise conducted no less
than semi-annually should also include an audit that reports on
the problems and situations encountered while exercising the Hot-Site
recovery procedures.
- On-site or remote test and exercise audits, which could include
tabletop exercises, should be conducted semi-annually.
- Critical applications audits should be conducted a minimum of
once every quarter to verify that recovery can be performed within
the established recovery time objectives.
- Lessons learned reporting is also a beneficial way to provide
senior management with a current status of the BCM program.
The BCM manager should evaluate the results of every audit
to ensure that it was properly carried out. The manager then
formulates a written report to senior management indicating
results and recommendations for plan improvement.
Types of Audits:
- Telecommunications and work flow verification.
- Daily maintenance and debugging of applications.
- System problems and resolutions.
- Required critical forms.
- On-site/off-site storage and shipping of critical data sets.
- Outsource recovery plans.
- Vendor problems and resolutions.
- Resource problems and resolutions.
Training...
No matter how well crafted a plan may be, it is only as good as
the performance of the participants. The purpose of training
is to get people to perform instinctively, with the precision that
a live disaster requires. To achieve this, the
participants must first know the plan. The assumption that people
know what to do when "the fire bell rings" is a dangerous one. The
following types of training should be considered when developing
a program:
- Orientation - Orientation should be conducted
when new procedures are introduced and when new people enter the
workplace. Individual employees must be trained on basic emergency
procedures, such as:
  - Locations of fire extinguishers.
  - Recognition of alarms, emergency exits and evacuation routes.
  - Basic first aid procedures.
  - Who to notify in the case of an emergency.
  Although managers and supervisors conduct the training, the plan
  coordinator is responsible for the content of the training and
  for the follow-up to see that training does, in fact, take place.
- On-site Emergency Preparedness Testing - The
chief means by which the plan coordinator determines the effectiveness
of orientation is conducting emergency preparedness drills.
The objectives of such drills are:
  - Validate employee readiness.
  - Verify that equipment is maintained, handled properly, and functions as intended.
  - Discover changes made to procedures that were not updated in the plan.
- Tabletop/Scenario Testing - The target audience
for tabletop scenarios is the data processing and management
employees who are responsible for the more detailed and technical
tasks in the plan. This group writes up the circumstances or scope
of an event for consideration.
- On-Site Functional Application Testing - As
the title suggests, the test is performed to validate application
functionality. The purpose is to discover any procedural changes
that may affect the plan. Functional application testing is usually
conducted each quarter.
- Off-Site Functional Application Testing - This
test is performed to test the Hot or Back-up site environment.
It is conducted in the same manner as the on-site functional application
testing except that the environment is off-site. Off-site testing
is usually conducted semi-annually.
- Responsibilities of the Business Continuity Planner:
  - Ensure that recovery team members are trained.
  - Attend appropriate education seminars to keep abreast of the latest
  advances in recovery procedures.
- Scope and method of training - Should include
classroom instruction as well as facility tours to show the
locations of fire extinguishers, fire alarms, emergency exits,
first aid kits, and all emergency utility shut-offs.
- Frequency - Depending on each office environment,
orientation should be conducted once a month for new employees
with functional departmental testing occurring every 6 months.
- Evaluation of results - Should be conducted
after each and every test to ensure that training has been
properly conducted and to measure the level of employee understanding.
A formal report should be written and submitted to management
indicating results and recommendations to improve the training
process.
Maintenance Testing...
Emergency tests are simulations of actual emergency and disaster
conditions and, if conducted correctly, should determine a realistic
timeframe for recovery.
- Responsibility - The recovery coordinator is
responsible for periodic testing of the plan. His or her responsibilities
include ensuring that:
  - The scope of the test is agreed on.
  - The objectives of the test are agreed on.
  - A change management request is raised to book time and personnel.
  - Contracts are raised with external vendors for equipment, etc.
  - Agreements are gained from affected bodies (internal or external).
  - Briefings of personnel are held on a regular basis.
  - Independent observers are selected when appropriate.
  - Preparations and support are put in place (catering, accommodations, travel, etc.).
  - Business areas are briefed about the test and the potential impact
  on those who are left behind.
  - All areas of the business are notified of the test.
  - The test is executed to a strict project plan with a clear cut-off time.
  - Detailed notes describing the proceedings are taken during the test.
  - A post-review meeting is held to discuss the outcome.
  - A test report is written collating all logs and key findings.
  - Plans are amended and strategies altered to reflect the findings.
- Scope and Method of Training - On-site procedures,
such as exercising critical applications and testing the strategies
and procedures stated in the plan, must be conducted periodically
both with and without notification. Preparation for a test or
exercise should include:
  - The SCOPE - The goal you set for the test or exercise and a way
  to measure your accomplishments.
  - The AGENDA - The schedule of events and times you plan to follow.
  - The LEVEL OF SUPPORT - The involvement of special groups or teams
  that will aid in the success of the test or exercise.
  - The STATISTICS - These give you the exact times used during a
  recovery test or exercise and an estimate of the recovery time
  needed during a real recovery event.
- Frequency
  - On-site/Remote testing should be conducted once a quarter.
  - Hot-site/Off-site testing semi-annually.
  - Pyramid Call Tree testing semi-annually.
- Evaluation of Results - Should be conducted
after each and every test to ensure that training has been properly
conducted and to measure the level of employee understanding.
A formal report should be written and submitted to management
indicating results and recommendations to improve the training
process.
- Types of Testing - Typically, recovery testing
begins with component testing and, through a series of successful
tests, progresses to comprehensive testing.
  - Component testing - Is narrowed in focus and
  designed to test the recovery capability of a specific piece
  of the overall recovery plan. Some examples might include:
    - Testing the Call Tree.
    - Auditing the off-site procedures and contents.
    - Restoring only the operating system.
  - Comprehensive testing - Focuses on the entire
  set of business recovery plans and is designed to test overall
  recovery capabilities. Examples of comprehensive testing might
  include the following:
    - The company's mainframe environment (operating systems,
    software products, production and test applications, data, etc.).
    - The company's midrange environment (operating systems,
    software products, production and test applications, data, etc.).
    - LAN/WAN environment.
    - Centralized services (purchasing, legal, mail services, facilities, etc.).
    - Business operations areas.