Strikes When designing your business continuity and disaster recovery plans, don’t forget about the importance of the human factor in emergency planning. One form of man-made disaster that is often overlooked is the possibility of a strike or other labor crisis. If a large segment of your employees walked out at the same time, what impact would that have on your business? How long would you be able to sustain operations without the regular full-time employees that staff a certain area? Your BCP and DRP teams should address these concerns, providing alternative plans if a labor crisis occurs. TheftVandalism In a previous section, we looked at the threat that terrorist activities pose to an organization. Theft and vandalism represent the same kind of activity on a much smaller scale. In most cases, however, there’s a far greater chance that your organization will be affected by theft or vandal- ism than by a terrorist attack. Insurance provides some financial protection against these events subject to deductibles and limitations of coverage, but acts of this nature can cause serious NYC Blackout On August 14, 2003, the lights went out in New York City and large portions of the northeastern and midwestern United States when a series of cascading failures caused the collapse of a major power grid. Fortunately, security professionals in the New York area were ready. Spurred to action by the September 11, 2001 terrorist attacks, many businesses updated their disaster recovery plans and took measures to ensure their continued operations in the wake of another disaster. The blackout served as that test, as many organizations were able to continue operating on alter- nate power sources or transferred control seamlessly to offsite data processing centers. There were a few important lessons learned during the blackout that provide insight for BCP DRP teams around the world: Ensure that your alternate processing sites are located sufficiently far away from your main site that they won’t likely be affected by the same disaster. Remember that the threats facing your organization are both internal and external. Your next disaster may come from a terrorist attack, building fire, or malicious code running loose on your network. Take steps to ensure that your alternate sites are segregated from the main facil- ity in a manner that protects against all of these threats. Disasters don’t usually come with advance warning. If real-time operations are critical to your orga- nization, be sure that your backup sites are ready to assume primary status at a moment’s notice. damage to your business, on both a short-term and long-term basis. Your business continuity and disaster recovery plans should include adequate preventative measures to control the fre- quency of these occurrences as well as contingency plans to mitigate the effects theft and van- dalism have on your ongoing operations. Keep the impact that theft may have on your operations in mind when planning your parts inventory. It would be a good idea to keep an extra inventory of items with a high pilferage rate, such as RAM chips and laptops. Recovery Strategy When a disaster interrupts your business, your disaster recovery plan should be able to kick in nearly automatically and begin providing support to recovery operations. The disaster recovery plan should be designed in such a manner that the first employees on the scene can immediately begin the recovery effort in an organized fashion, even if members of the official DRP team have not yet arrived on site. In the following sections, we’ll examine the critical subtasks involved in crafting an effective disaster recovery plan that will guide the rapid restoration of normal busi- ness processes and the resumption of activity at the primary business location. In addition to improving your response capabilities, purchasing insurance can reduce risk of financial losses. When selecting insurance, be sure to purchase sufficient coverage to enable you to recover from a disaster. Simple value coverage may be insufficient to encompass actual replacement costs. If your property insurance includes an Actual Cost Evaluation ACV clause, then your damaged property will be compensated based on the value of the items on the date of loss plus 10 percent. Valuable paper insurance coverage provides protection for inscribed, printed, and written documents and manuscripts and other printed business records. However, it does not cover damage to paper money and printed security certificates. Business Unit Priorities In order to recover your business operations with the greatest possible efficiency, you must engi- neer your disaster recovery plan so that the business units with the highest priority are recovered first. To achieve this goal, the DRP team must first identify those business units and agree on an order of prioritization. If this process sounds familiar, it should This is very similar to the prioritization task the BCP team performed during the Business Impact Assessment, discussed in the previous chapter. In fact, if you have a completed BIA, you should use the resulting doc- umentation as the basis for this prioritization task. As a minimum requirement, the output from this task should be a simple listing of busi- ness units in prioritized order. However, a much more useful deliverable would be a more detailed list broken down into specific business processes listed in order of priority. This