BUSINESS RESUMPTION PLANNING Second Edition OTHER INFORMATION SECURITY BOOKS FROM AUERBACH 802.1X Port-Based Authentication Edwin Lyle Brown ISBN: 1-4200-4464-8 Building an Effective Information Security Policy Architecture Sandy Bacik ISBN: 1-4200-5905-X CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives Michael Gentile, Ron Collette and Skye Gentile ISBN: 1-4200-8910-2 Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI Debra S Herrmann ISBN: 0-8493-5402-1 Computer Forensics: Evidence Collection and Management Robert C Newman ISBN: 0-8493-0561-6 Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition Albert Marcella, Jr and Doug Menendez ISBN: 0-8493-8328-5 Digital Privacy: Theory, Technologies, and Practices  Alessandro Acquisti, Stefanos Gritzalis, Costos Lambrinoudakis and Sabrina di Vimercati ISBN: 1-4200-5217-9 How to Achieve 27001 Certification: An Example of Applied Compliance Management Sigurjon Thor Arnason and Keith D Willett ISBN: 0-8493-3648-1 Information Assurance Architecture  Keith D Willett ISBN: 0-8493-8067-7 Information Security Management Handbook, Sixth Edition Harold F Tipton and Micki Krause ISBN: 0-8493-7495-2 Information Security Management Handbook, Sixth Edition, Volume Harold F Tipton and Micki Krause ISBN: 1-4200-6708-7 Information Security Management Handbook, 2008 CD-ROM Edition Harold F Tipton and Micki Krause ISBN: 1-4200-6698-6 Insider Computer Fraud: An In-depth Framework for Detecting and Defending against Insider IT Attacks  Kenneth Brancik ISBN 1-4200-4659-4 Mechanics of User Identification and Authentication: Fundamentals of Identity Management Dobromir Todorov ISBN: 1-4200-5219-5 Official (ISC)2 Guide to the SSCP CBK  Diana-Lynn Contesti, Douglas Andre, Eric Waxvik, Paul A Henry and Bonnie A Goins ISBN: 0-8493-2774-1 Oracle Identity Management: Governance, Risk, and Compliance Architecture, Third Edition  Marlin B Pohlman ISBN: 1-4200-7247-1 Software Deployment, Updating, and Patching  Bill Stackpole and Patrick Hanrion ISBN: 0-8493-5800-0 Testing Code Security Maura A van der Linden ISBN: 0-8493-9251-9 Wireless Crime and Forensic Investigation Gregory Kipper ISBN: 0-8493-3188-9 AUERBACH PUBLICATIONS www.auerbach-publications.com To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401 E-mail: orders@crcpress.com BUSINESS RESUMPTION PLANNING Second Edition Edited by LEO A WROBEL Auerbach Publications Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2009 by Taylor & Francis Group, LLC Auerbach is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S Government works Printed in the United States of America on acid-free paper 10 International Standard Book Number-13: 978-0-8493-1459-9 (0) This book contains information obtained from authentic and highly regarded sources Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint Except as permitted under U.S Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400 CCC is a not-for-profit organization that provides licenses and registration for a variety of users For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe Library of Congress Cataloging-in-Publication Data Wrobel, Leo A (Leo Anthony) Business resumption planning / Leo A Wrobel 2nd ed p cm Includes bibliographical references and index ISBN-13: 978-0-8493-1459-9 (alk paper) ISBN-10: 0-8493-1459-3 (alk paper) Crisis management Business planning Data recovery (Computer science) Emergency management I Title HD49.D48 2007 658.4’7 dc22 Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Web site at http://www.auerbach-publications.com 2007013876 Dedication This book is dedicated to Sharon M Wrobel, without whom this project would have been a largely unrealized dream Sharon worked tirelessly in the final editing of my submissions and those of numerous other contributors More important, Sharon actually “came of age” not only as an editor but also as an active author in her own right, having written a significant portion of this book on her own Don’t be surprised to see a disaster recovery book by her in the future Finally, I would especially like to thank Sharon not only for her work in this project, but for her 31 years of marriage to me, which has included children and 10 grandchildren Indeed, many dreams would have remained unfulfilled if not for her Leo A Wrobel Contents Introduction ix About the Editors xiii Contributors xv So, You Want to Write a Disaster Recovery Plan … Leo A Wrobel Understanding Business Impact Analysis 23 Frank W Gesinski and Leo A Wrobel Selling Management with a Compelling Business Impact Analysis and FMEA (Failure Mode Effects Analysis) 57 Radi Shourbaji Leveraging Internal Resources to Complete the Plan 77 Leo A Wrobel Developing Operating and Security Standards 99 Leo A Wrobel Documenting the Plan — What to Include .133 Leo A Wrobel Writing a Telecommunications Recovery Plan 181 Leo A Wrobel Notification, Teams, Recruitment, and Testing 241 Leo A Wrobel Special Section — Legal Implications of Not Adequately Planning 269 Legal and Regulatory Requirements Regarding Disaster Recovery Planning 271 Eddie M Pope vii viii  n  Contents 10 Sarbanes–Oxley Act of 2002 .337 David P Mowery Special Additional Section: Regulatory Issues and How They Affect Business Continuity (BC) Programs .353 Tracy Cowan Rick Holler Appendix 1: Now Pull It All Together and Write a Great Disaster Recovery Plan 359 Leo A Wrobel Appendix 2: Partial Glossary of Telecommunications Terms and Acronyms 441 Leo A Wrobel Index 487 Introduction It’s a.m on a dark, rainy night, and you get the call you have always dreaded There has been a gas explosion at the company The building has been reduced to ashes and flames Your first thought is to call Bob Bob is your resident network genius Bob knows where all the wires go, knows who the vendors are, and has every critical phone number committed to memory If you are going to recover from this disaster, you need Bob You dial the phone and Bob’s wife, half-asleep, answers You apologize, but explain that there has been a terrible explosion at the company You explain that you need Bob to come to work now Just when you think things can’t be any worse, Bob’s wife responds with four words that prove to you that it can: “Bob is at work!” Now you have another problem to deal with! You may be frantically thinking, “But I am a network manager, not a grief counselor! How can I deal with a hysterical wife? What should I do! If only I had planned ahead … !” I have used this story many times over the years because it graphically illustrates one aspect of contingency planning—how to call-out employees—in a manner that makes the issue easy to remember There are thousands of other issues to remember, and we hope to use the same kinds of “memory joggers” in this book to try to assure you that as many of them are remembered as possible We this using every trick, scheme, manipulation, and example And, by the way, we hope to make learning this material fun However we attempt this, we make it possible for you to recall what you read here, and become a more effective contingency planner in the process Given the complexity of the task, you will need all the help you can get! Addressing the many issues that confront the network recovery planner today is a mind-boggling task Presently, organizations are almost totally dependent upon their networks for operations and cannot operate without their functionality It involves much more than the technical stuff like LANs, WANs, MANs, FANs, CANs, and PANs (those really are technical terms of art for local, wide, metropolitan, foreign, campus, and personal area networks) Then you have the whole world ix ... concepts first published in 1997 in the successful first edition of Business Resumption Planning This new edition, Business Resumption Planning—Second Edition (BRP2E), updates all the best parts... Library of Congress Cataloging-in-Publication Data Wrobel, Leo A (Leo Anthony) Business resumption planning / Leo A Wrobel 2nd ed p cm Includes bibliographical references and index ISBN-13: 978-0-8493-1459-9... — a network that nobody owns! 2  n  Business Resumption Planning, Second Edition The auditors of years past would have a cow Today it’s all part of doing businesses Consider just a few examples