Sample project Charter
I am student#3, and I have uploaded the introduction and sample. due is 17th.
Table of Contents
Disaster Recovery Plan
Introduction
(Student #1)
3
Plan Purpose
(Student #1)
3
Plan Objective
(Student #1)
3
Plan Scope
(Student #1)
3
Plan Scenarios Addressed
(Student #1)
3
Plan Assumptions
(Student #1)
3
Recovery Strategies and Activities (Students #2,3,
4
)
Risk Assessment (Student #2)
4
Business Impact Analysis (Student #3)
5
Risk Mitigation Strategy (Student #2)
6
Business Continuity / Disaster Recovery Plan (Student #4)
7
Summary of Risk Mitigation Strategy (Student #2,3,4)
8
· Recovery Strategy Summary (Student #4)
8
· Recovery Tasks (Student #4)
8
· Summary Activation Criteria by Response (Student #4)
8
· Recovery Personnel (Student #4)
8
· Critical Vendors and their Maximum Tolerable Downtimes (MTD) (Student #3)
8
· Plan Timeline (Student #3)
9
· Critical Equipment / Resource Requirements (Student #2)
9
Training, Testing, Auditing (Student #5)
10
· Training (Student #5)
10
· Testing (Student #5)
11
· Auditing (Student #5)
12
Plan Updates/Maintenance (Student #1)
13
Appendices
14
A. Business Continuity Site Information (Student #1)
14
B. Site Contact Details (Student #2)
15
· How is Site Invoked (Student #2)
15
· Maps of Meeting Points (Student #2)
15
· Vendor Contact Information (Student #2)
15
· Forms (Student #2)
15
C. Communication Plans (Student #3)
16
· Communications by Audience (Student #3)
16
D. Employee Contact Information (Student #4)
17
· Employee Contact Information (Student #4)
17
· Crisis Management Team (Student #4)
18
· Emergency Response Team (Student #4)
19
E. Disaster Declaration Procedures (Student #5)
20
F. Checklists (Student #5)
21
References (Student #1)
22
Miami
IT problems(water in the computer room?) during the hurricane:
· Computerized system for automatically updating store inventory levels.
· Unable to make a transaction.
· Logistics and transportation.
IT recovery after the hurricane:
Introduction
This business continuity & disaster recovery plan will focus on Walmart Inc. especially in the Miami region caused by the hurricane. As a retail company, Walmart needs a strong warehousing system to support their normal operation while in the Miami area, a hurricane is a high-risk factor threatening Walmart on both the physical business system and the huge back-office system it owns. In this plan, ()
Plan Purpose
This plan aims to ensure that when a tornado hits the local area, WalMart can have timely countermeasures to deal with such measures as computer system failures caused by floods and subsequent operational problems. On this basis, the plan will give suggestions on how to avoid risks, minimize risks, and how to quickly solve them to restore normal operations after a disaster occurs.
Plan Objective
There are three major objectives within this plan:
1. Maintain normal operations of Wal-Mart during the hurricane disaster.
2. Reduce the severity of the disaster.
3. Speed up post-disaster recovery.
Plan Scope
The plan focuses on the IT system of Walmart Inc. in the Miami area.
Plan Scenarios Addressed
The specific prioritized scenario that this plan addresses are:
· Computerized system for automatically updating store inventory levels.
· Unable to make a transaction.
· Logistics and transportation.
Plan Assumptions
Totally, there are 20 Walmart stores currently operating in the Miami area. According to the information provided by Walmart official website, on average, there are about 350 employees working inside each Walmart supercenter. Therefore, the available labor force is about 7,000. ()
Company
Name
Business Continuity & Disaster Recovery Plan
>Student Name #1
Student Name #2
Student Name #3
Student Name #
4
(
10
)
Table of Contents
Disaster Recovery Plan Introduction
(Student #1)
3
Plan Purpose (Student #1)
3
Plan Objective (Student #1)
3
Plan Scope (Student #1)
3
Plan Scenarios Addressed (Student #1)
3
Plan Assumptions (Student #1)
3
Recovery Strategies and Activities
4
Risk Assessment (Student #2)
4
Business Impact Analysis (Student #3)
5
Risk Mitigation Strategy (Student #4)
6
Business Continuity / Disaster Recovery Plan (Student #5)
7
Summary of Risk Mitigation Strategy
8
· Recovery Strategy Summary (Student #1 & 3)
8
· Recovery Tasks (Student #1 & 3)
8
· Summary Activation Criteria by Response (Student #1 & 3)
8
· Recovery Personnel (Student #1 & 3)
8
· Critical Vendors and their Maximum Tolerable Downtimes (MTD) (Student #1 & 3)
8
· Plan Timeline (Student #1 & 3)
9
· Critical Equipment / Resource Requirements(Student #1 & 3)
9
Training, Testing, Auditing
10
· Training (Student #2 &4)
10
· Testing (Student #2 &4)
11
· Auditing (Student #2 &4)
12
Plan Updates/Maintenance (Student #5)
13
Appendices
14
A. Business Continuity Site Information (Student #1)
14
B. Site Contact Details (Student #2)
15
o How is Site Invoked (Student #2)
15
o Maps of Meeting Points (Student #2)
15
o Vendor Contact Information (Student #2)
15
o Forms (Student #2)
15
C. Communication Plans (Student #3)
16
o Communications by Audience (Student #3)
16
D. Employee Contact Information (Student #4)
17
o Employee Contact Information (Student #4)
17
o Crisis Management Team (Student #4)
18
o Emergency Response Team (Student #41)
19
E. Disaster Declaration Procedures (Student #5)
20
F. Checklists (Student #5)
21
References (Student #51)
22
Disaster Recovery Plan Introduction
Introduction – Mandatory
The plan introduction usually consists of general information about a plan, such as the information about the entity creating the plan (i.e., the particular company, business unit, or functional area), maintenance history of the plan (i.e., when the plan was last revised and tested), the purpose of the plan, the scenarios being targeted, and any assumptions underlying the plan. Some sections that we commonly see included in the introductory section include:
Plan Purpose – Mandatory
For example, the purpose of this plan is to provide a framework from which the personnel indicated herein can work to restore and harden internal information systems in the case that a disaster by way of cyber security occurs. Based on criticality, the plan will address a way in which the business can work to re-establish its core business processes that are predicated upon the availability of its IT systems.
Plan Objective – Mandatory
For example, the objective is to identify the most efficient and cost-effective solution to responding to
Facilitate … Protect … Minimize …
Plan Scope – Mandatory
For example, the organization on which this plan is focused is
Plan Scenarios Addressed – Mandatory
For example, the specific prioritized scenario that this plan addresses are …. loss of a primary work area, loss of IT services for a prolonged period of time, loss of workforce, etc.
Plan Assumptions – Mandatory
For example, you may want to call out the number of work locations impacted at any given time that key personnel are available for any recovery efforts, or any assumptions you may have made about vendor or utility service availability.
Recovery Strategies and Activities – Mandatory
After the initial introductory section, there are a number of modules about the strategies outlined in the plan, as well as the specific personnel undertaking the recovery and the recovery activities.
Risk Assessment – Mandatory
A Risk Assessment is the process of determining the likelihood that a specified negative event will occur. It is a systematic process of evaluating the potential risks that may be involved in a projected activity or undertaking.
In the IT disaster recovery world, we typically focus on one or more of the following four risk scenarios, the loss of which would have a negative impact on the organization’s ability to conduct business:
· Loss of access to premises
· Loss of data
· Loss of IT function
Note: Risk scenarios for a Cyber-Attack may include different/additional scenarios, depending on the type of cyber-threat.
Risk assessments focus on the risks that can lead to these outcomes. One easy way to create a risk assessment is illustrated by this table.
Risk assessment – Using quantitative method
|
Disaster Event |
Likelihood (a) |
Impact (b) |
Risk Factor (a*b) |
|||
|
Disaster Event #1 |
0.7 |
0.9 |
0.63 |
|||
|
Disaster Event #2 |
0.4 9 |
|||||
|
Disaster Event #3 |
0.4 |
0.36 |
Working with IT managers and members of your building facilities staff as well as risk management staff will help to identify the events that could impact data center operations.
Based on experience and available statistics, you can estimate the likelihood of specific events occurring on a scale of 0 to 1 (0.0 = will never occur, and 1.0 = will always occur). You can do the same with the impact of the event, using a 0 to 1 range (0.0 = no impact at all, and 1.0 = total loss of operations). The final column lists the product of likelihood x impact, and this becomes your risk factor. Those events with the highest risk factor are the ones your disaster recovery plan should primarily aim to address.
Business Impact Analysis (BIA) – Mandatory
In this section, you will describe which processes in your business are vital to your ongoing operations and to understand the impact the disruption of these processes would have on your business.
A BIA attempts to relate specific risks to their potential impact on things such as business operations, financial performance, reputation, employees and supply chains.
The table below depicts the relationship between specific risks and business factors
|
Risk Identified |
Business Activity Affected |
Potential Operational Loss |
Potential Financial Loss |
Maximum Time Need to Recover |
|||
|
Fire in the Data Center |
All Activities |
Inability to function normally |
$2M-$3M |
1 hour |
BIAs are built on a series of questions that should be posed to key members of each operating unit in the company, including IT. Questions should address the following issues, as a minimum:
· Understanding how each business unit operates
· Identification of critical business unit processes that depend on IT
· Data requirements
· Financial value of critical business processes (for example, revenues/ hour)
· Dependencies on internal organizations
· Dependencies on external organizations
· Minimum time needed to recover data to its previous state of use
· System requirements
· Minimum time needed to return to normal or near-normal operations following an incident
· Minimum number of staff needed to conduct business
BIA outputs should present a clear picture of the actual impacts on the business, both in terms of potential problems and probable costs. The results of the BIA should help determine which areas require which levels of protection, the amount to which the business can tolerate disruptions and the minimum IT service levels needed by the business.
Business System/Function Criticality Matrix
|
Maximum Tolerable Downtime |
||||
|
# |
Business System |
|||
|
1 |
Website Monitoring |
Critical / Mission Critical |
Cannot monitor company website without it. |
|
|
2 |
Ordering System |
High Volume Sales requirement |
||
| 3 |
Payroll |
Essential / Vital |
Salary/Commission tracked daily |
4-1 2 hours |
| 4 |
Reporting System |
Necessary / Important |
Produce management & sales reports |
1- 3 days |
|
5 |
HR Benefit Management |
Desirable / Minor |
Fringe Benefits, Paid-Time- Off (PTO) |
>3 days |
Table Z: Critical Systems & Maximum Downtimes
Disaster Magnitude
a) Small disruption
In the incident of a small disruption by way of
b) Medium disruption
A medium scale cyberattack disruption would result in an inability to function normally due to
c) Large scale disruption
A large scale disruption would differ from a medium scale disruption only in terms of magnitude.
Such a disruption would affect all business activities within the company and the ability to function normally would be massively reduced. The potential loss could be $XX million to
$YY millions and would be an absolute highest order catastrophe as millions of claims could be affected. The minimum time to recover normal operations would be days to weeks.
Disruption Scale
|
Disruption Scale |
Impact on ability to function normally |
Potential financial loss |
Minimum time to recover normal ops |
|
Small |
Reduced function |
$Xmm to $Ymm |
5 mins to 1-2 hours |
|
Intermediate |
$Ymm to $Zmm |
Hours to a few days |
|
|
Large-scale |
Affect all business activities and inability to function normally |
$Zmm to +$ZZmm |
Days to multiple weeks |
Risk Mitigation Strategy – Mandatory
Risk mitigation is defined as taking steps to reduce adverse effects.
Risk mitigation is a commonly used process within traditional business risk management, but there are unique aspects to risk mitigation related to IT business continuity and disaster recovery.
There is no one-size-fits-all answer in the risk mitigation phase—you’ll have to create a strategy that meets your company’s financial, operational, and risk management goals. The four standard choices are acceptance, avoidance, limitation, and transference.
Risk Mitigation Summary
|
Scenario |
Threat |
Strategy |
Actions taken |
|
|
Small-scale (1-2 hours) |
Minor blackout |
Limit/Reduce |
Use backup generators at Control Centers. |
|
|
Intermediate (3-9 hours) |
Major local blackout event. |
Limit/Reduce |
Application may be accessed through an authenticated portal using a VPN from any location. |
|
|
Large-scale
(10-15 hrs.) |
Major regional blackout event. |
Application may be accessed through an authenticated portal using a VPN from any location. |
Develop BC/DR Plan – Mandatory
Recovery Strategy Summary – Mandatory
In this section, a plan will typically outline the broad strategies to be followed in each of the scenarios identified in the plan Introduction section. As an example, if “loss of work area” is identified as a possible failure scenario, a potential recovery strategy could be to relocate to a previously agreed-upon alternate work location.
Recovery Tasks – Mandatory
This section of the plan will usually provide a list of the specific recovery activities and sub-activities that will be required to support each of the strategies outlined in the previous section. For example, if the strategy is to relocate to an alternate work location, the tasks necessary to support that relocation effort could include identifying any equipment needs, providing replacement equipment, re-issuing VPN tokens, declaration of disaster, etc.
Recovery Personnel: Elective:
Typically, a BC/DR plan will also identify the specific people involved in the business continuity efforts, for example, naming a team lead and an alternate team lead, as well as the team members associated with any recovery efforts. This section of the plan will also include their contact information, including work phone, cellphone, and email addresses. Obviously, because of any potential changes in personnel, the plan will need to be a “living” document that is updated as personnel/workforce changes are made.
Note: This section can also be an Appendix.
Critical Vendors/Maximum Tolerable Downtime (MTD) – Mandatory
In this section, a plan may also list the vendors critical to day-to-day operations and recovery strategies, as well as any required recovery time objectives that the vendors must meet in order for the plan to be successful.
|
Vendor |
MTD |
Description |
|||
|
Amazon Web Services |
50 mins |
Additional server/storage capacity (alternate) |
|||
|
Akamai |
2 hours |
Prevent DDoS attack |
|||
|
Rapid Notify |
3 days |
Notification to staff and other key partners; assists in communicating when the emergency is over. |
|||
|
Sia Tech |
Additional server/storage capacity |
The vendors critical to day-to-day operations are listed above. Amazon Web Services and Sia are cloud storage service providers. They provide additional server and storage capacity.
Plan Timeline – Elective
Many plans also include a section in the main body that lays out the steps for activating a plan (usually in the form of a flow chart). For example, a typical plan timeline might start from the incident detection, then flow into the activation of the response team, the establishment of an incident command center, and the notification of the recovery team, followed by a decision point around whether or not to declare a disaster. A plan timeline may also assign the recovery durations or recovery time objectives required by the business for each activity in the timeline. Note: This section can also be an Appendix.
Critical Equipment/Resource Requirements – Elective
A plan may also detail the quantity requirements for resources that must be in place within specified timeframes after plan activation. Examples of resources listed might include workstations, laptops (both with and without VPN access), phones, conference rooms, etc. Note: This section can also be an Appendix.
Training, Testing,
Auditing – Mandatory
Training – Mandatory
Many organizations invest heavily in technology controls to protect their data and systems. However, most of these technical controls are rendered useless because employees lack cyber security awareness training. Training employees to adopt security conscious behaviors improves the UHC’s overall security awareness. Insufficiently trained personnel are often the weakest security link in the company security perimeter and are the target of cyber-attacks. It is therefore critical to provide adequate security awareness training to all new hires, as well as refresher training to current employees. The UHC must establish, document, implement, and maintain a security awareness program for all personnel. The awareness program describes common security risks and how to mitigate them. Awareness reinforcement should occur frequently (at least quarterly).
Training Outline
|
Topic |
Details |
|
Scope |
Train all net admins on retrieving data and information from the system breakdown and backing up important information. |
|
Objectives |
1. Develop awareness of loss of data and information and the importance of backing up. 2. Train staff on how to retrieve lost data and make the systems operate normally. |
|
Timeline |
Training will be provided once a quarter, or within 15 days of new employee joining the company. The training is a 2.5-hour session. All net admins are required to attend. |
|
Requirements |
1. Ability to identify missed data or information. 2. Ability to access to cloud and get back-up data or information. 3. Ability to take actions to retrieve missed data and information. 4. Anility to help systems back to normal working mode. |
Testing – Mandatory
The objective of testing the BC/DR plan is to make sure that the plan will work effectively in the situation of a real disruption or a disaster (Snedaker & Rima, 2013). To enhance the readiness of staff of Panasonic and optimize limited resources, a diversified testing regime is encouraged (“Make Disaster Recovery Actionable”, 2011). After consideration, Panasonic will test the plan using two methods (Paper Walk-through & Functional Exercise) at a different frequency respectively.
According to Snedaker & Rima (2013), there are eight steps for each testing method:
· Develop realistic scenarios
· Develop evaluation criteria
· Provide Copies of the plan
· Divide participants by team
· Use checklists
· Take notes
· Identify training needs
· Develop summary and lessons learned
Testing Outline
|
Test scenario |
Steps |
|
Goals of test scenario |
The goal of this test is to make information systems running again within one day, ensuring that all data and information is restored, and systems work well. |
|
Date of test |
X times a year. On the first Monday of the first month of the X quarter and the X quarter of each year |
|
Type of test to be performed |
Exercise Type |
|
People/groups/departments involved in test |
· Groups 1 · Group 2 |
|
Downtime forecast |
X hours |
Auditing – Mandatory
Issues to Be Considered in Auditing BC/DR Plan
|
Issues to Be Considered in Auditing BC/DR Plan |
Yes |
No |
|
Have the resource shortages and problematic fields diagnosed in the vulnerability analysis been sufficiently addressed? |
||
|
Does the plan reflect experience gained from actual situations and simulated tests? |
||
|
Do members of Emergency Response Team and Emergency Management Group understand their own responsibilities ? Were new employees trained during orientations? |
||
|
Does the plan reflect updates of information systems, including new software, cloud services, data security measures? |
||
|
Are records of facilities and images up to date? |
||
|
Does the facilities help to reach the training objectives? |
||
|
Are the phone numbers, names, emails in the plan correct and up to date? |
||
|
Are there any communities, organizations and agencies involved in the plan? Are they required to evaluate the plan? |
Plan Updates/Maintenance – Mandatory
The BC/DR Plan will be updated once a month or any time a major system update or upgrade is performed, whichever is more often. The Disaster Recovery Lead is in charge of updating the whole plan and is also allowed to ask for updates and information from other staff or departments inside the company to finish the work (“Disaster Recovery Plan Template”, n.d.).
· Maintenance of the plan will incorporate (but not limited to) the following:
· Ensuring that the information of all employees is up to date
· Ensuring that all of the instructions are still relevant to the company
· Ensuring that revisions are made in the plan to reflect the changes of organizational personnel, goals, etc.
· Ensuring that the plan meets all requirements stated in laws and regulations
· Other organizational specific maintenance goals
During the Maintenance process, the Disaster Recovery Team must be responsible for any kind of changes. If any member of the Disaster Recovery Team leaves the company, the Disaster Recovery Lead is responsible to assign a new team member.
Appendices – Mandatory
A. Business Continuity Site Information – Mandatory
If your plan calls for “failing over” to an alternate work location, it may be a good idea to include information about that alternate work site in the plan’s appendix. The details of the site might include:
· Commencement date (including last contract renewal date)
· Location of the facility
· Details about the office environment, such as number of workstations, servers, telephony, printers, internet access, and other equipment provided
Location of
Alternate
Site
B. Site Contact Details – Mandatory
· How the site is invoked and the personnel authorized to invoke it
|
Name of Contact person |
|
|
Laurent Abadie |
In charge of the senior operation manager for new site |
|
Yukio Nakashima |
In charger of IT related operation for new site |
· Maps of meeting points (Elective): For those plans specifying a meeting location for employees, maps of the routes and alternate routes to those locations are useful.
· Vendor Contact Information: Many plans include the details of how to reach the vendors listed as critical to normal operations or recovery operations.
· Forms (Elective): If there are forms required by the plan, such as an incident report form, injury summary form, disaster-related expense tracking forms, consolidated status report forms, manual purchase order forms, etc., the plan appendix is a useful place to locate them.
C. Communication Plans – Mandatory
Successful plans will include the individuals responsible for communications during the time in which the plan is invoked, as well as the groups or constituents with which they are responsible for communicating. For example, it would be desirable to specify both internal and external communicators. For internal communicators, you will need to identify the person communicating with the command team and with employees, as an example. For external communicators, best practices include identifying the individual in charge of communications with the media, with customers, with partners, and with vendors, etc.
Business Continuity/Disaster Recovery (BC/DR) Plan
Communications by Audience
|
Audience |
Spokesperson |
Vehicle |
Key Information |
Internal
|
Employees |
CEO |
Intranet Security Status page |
Send alerts to employees with a role as indicated in this plan Email & secured intranet website will be used to provide employees relevant information related to a particular incident. Timing is either before communicating publicly, or in conjunction with the public communication. |
||
|
Support Desk |
Crisis Management IT Lead |
Knowledgebase articles Intranet Security Status Meetings |
Send alerts to the Support Desk resources as outlined in our contract The Support Desk Lead is responsible for ensuring all agents responding to any clients’ or partners’ calls |
||
|
Board of Directors |
Board meetings Email Internal secure site |
The CRT Lead is responsible for providing custom communications to this important group of stakeholders. |
External
|
Customer & Business Partners |
VP Sales |
Email
(Personalized as needed) |
Inform immediately of the potential impact, even if the complete information is not known. |
|
|
Shareholders |
Shareholders Call Email |
Inform immediately with particular information about the potential financial impact of the incident. |
||
|
Community Leaders |
Corporate Communications |
Email
Phone calls to key contacts |
Inform immediately, include particular information about any possible impact on items of special interest. |
|
|
General Public |
Press releases News articles Social Media |
Inform as soon as feasible after the directly impacted stakeholders have been notified. |
D. Disaster Recovery Contact Information – Mandatory
Instead of inserting the contact details of the employees in the Recovery Strategies and Activities section of the plan (which can often take up many pages and become unwieldy), you can also leverage the plan’s Appendices as an alternate location for this information, as well as any phone tree procedures or call lists.
Crisis Management Team (CMT) – Mandatory
|
Team Role (Title) |
Name |
|
|
CMT Lead (CEO) |
Steve Nelson |
As the CEO of running a PMO. |
|
CMT Lead, first alternate (Chief Information Officer) |
Phil McKoy |
(Acting CMT Lead as needed) SME for all information technology |
|
CMT Admin istrator |
Bob Brown |
Maintains team roster. Responsible for all coordination activities |
|
CMT Administrator (first alternate) |
Melvin Cash |
(Acting CMT Administrator as needed) No additional responsibilities |
|
CMT member (Executive Vice President) |
Brian Brueckman |
Assists leads in evaluating incidents, setting priorities, activating plan(s) |
|
CMT member (Chief Financial Officer) |
Jeff Putnam |
SME for budgetary questions Assists leads in evaluating incidents, setting priorities, activating plan(s) |
|
CMT Communications Lead (Chief Communications Officer) |
Kirsten Gorsuch |
SME for communications Oversees all communications process as related to a crisis |
|
CMT member (Senior VP, UnitedHealthcare Human Capital) |
Chris Coleman |
SME for human resources Assists leads in evaluating incidents, setting priorities, activating plan(s) |
|
CMT member (Executive VP, Operations) |
Brian Brueckman |
SME for Operations Assists leads in evaluating incidents, setting priorities, activating plan(s) |
|
CMT member (Chief Strategy Officer) |
John Cosgriff |
SME for strategy Assists leads in evaluating incidents, setting priorities, activating plan(s) |
Emergency Response Team – Elective
| Role | ||
|
CIRT Lead |
Bernardo Vasquez |
Chief Information Security Officer (CISO) Through direction from the CMT Lead, is responsible for all operations of the CIRT; a skilled project manager with cybersecurity expertise. |
|
CIRT Lead Alternate |
Ann Smith |
(Acting CIRT Lead as needed) Deputy CISO |
|
Network Monitoring Lead |
John Doe |
Responsible for network monitoring; responds to/escalates alerts from monitoring systems. NOC Senior Manager |
| Network |
Will Shoo |
(Acting Network Monitoring Lead role as needed) |
|
Database Lead |
Wei Chu |
Responsible for database monitoring; responds to alerts from monitoring systems. Director, DB Services |
| Support Desk Lead |
Jane Lee |
In coordination with the CMT Communications Lead, is responsible for standard message about the incident to any clients calling with questions. Director, Support Desk |
|
CIRT Team Admin |
Andy Haas |
Responsible for daily roster for the CIRT team and providing administrative support once an incident is triggered. |
|
CIRT Communications Lead |
Brenda May |
In coordination with the CMT Communications Lead, drafts press releases, statements to the press, UHC website updates, etc. related to a particular incident. Informs our employees either before or in conjunction with the public. Director, Communications |
Other Teams – Elective
All Teams listed in your Plan including:
· Damage Assessment Team
· Crisis Communication Team
· Notification Team
E. Disaster Declaration Procedures – Elective
If there are business continuity or disaster recovery vendors contracted, an appendix is a good place to include any relevant contact information.
F. Checklists – Elective
This section has checklists that are referred to elsewhere in the plan.
Checklists that provide useful reminders of “what to do” are often found in plan appendices. During an unexpected outage, human beings are often operating under higher levels of stress and anxiety, so offering them an easy-to access checklist of to- dos can smooth and even automate the recovery process towards a successful result.
Examples of checklists might be the steps involved in accessing an application via the Internet, or how to redirect call volumes in a call center.
References – Mandatory
· Amazon Web Services
· Audit Vendor: Active Audit Agency
· Harvard Business Essentials. 2004. Crisis Management: Mastering the Skills to Prevent Disasters, Harvard Business Review Press
· Snedaker, S. (2013). Business Continuity and Disaster Recovery Planning for IT Professionals, Second Edition by Susan Snedaker, Syngress.