
Overall program status

Phase                     % Complete   Rating   Overall Comment/Reason
Program Initiation        90
Program Planning          80
Functional Requirements   50
Design and Development    40
Implementation            40
Testing                   30
Maintenance               20
Execution                 N/A
Program phases and their components

Program Initiation
  - Management Buy In
  - Program Evaluation
  - Program Commitment

Program Planning
  - Interim Temporary BC Plan
  - BC Program Management Document
  - Program Structure
  - Approval Process

Functional Requirements
  - General Assessment
  - Detailed requirements related to standards, rules, and regulations
  - Risk Management
  - BIA
  - Offsite Data Storage
  - Alternate Work Area
  - Crisis Management Center (CMC)
  - Personnel
  - Critical Records
  - SLA and Contract Requirements
  - External Coordination
  - Training and Awareness
  - Salvage & Restoration
  - Insurance Requirements
  - BC Tools
  - Assembly Location

Design and Development
  - General Assessment
  - Risk Controls
  - IT Systems Recovery Strategy
  - Alternate IT Recovery Site
  - Tertiary Recovery Site
  - Offsite Data Storage
  - Critical Record Storage
  - Alternate Work Area
  - Crisis Management Center (CMC)
  - Assembly Location
  - Data Communication Services
  - Voice Communication
  - Work around Procedures
  - Training and Awareness
  - Salvage and Restoration
  - BC Plan Document

Program Plan Implementation
  - Risk Controls
  - IT Recovery Systems
  - Alternate IT Recovery Site
  - A Tertiary Recovery Site
  - Offsite Data Storage
  - Critical Record Storage
  - Alternate Work Area
  - Crisis Management Center (CMC)
  - Assembly Location
  - Data Communication Services
  - Voice Communication
  - Training and Awareness
  - BC Tools
  - Salvage and Restoration
  - SLA and Contracts

Testing
  - BC Plan Testing
  - Test Evaluation
  - BC Plan Approval
  - BC Plan Document

Program Maintenance
  - Primary Site Change Monitoring
  - Recovery Site Change Monitoring
  - Contract Management
  - Risk Controls
  - BIA
  - IT Systems Recovery Strategy
  - BC Plan Testing
  - Recovery Vendor's BC Plan Reviews
  - Training and Awareness
  - Management Process
  - External Coordination
  - BC Audits
  - BC Program Reviews
PI: Program Initiation

Columns: Questions | Rating | Response and conclusions | Further Actions | Recommendation

PI.1: Management Buy In (rating 6.4)

- Has the program been initiated formally? (7)
  Response: The program was initiated by the IT department.
  Recommendation: The BC Program needs to be raised to top level and not just owned by IT.

- What is the extent of management's awareness of the program? (8)
  Response: The CIO and other C-level officers are aware, but other than the CIO they don't consider it a top priority.

- Is there a Project Sponsor? (6)
  Response: The CIO is the project sponsor.

- What is the seniority and position of the Project Sponsor? (7)
  Response: The CIO is the project sponsor.

- A plan exists to raise awareness of management (4)
  Response: Several presentations were made to management, some at management's own request. They were high level presentations. There is no formal plan to raise awareness.
  Further action: Find out if there is a steering committee. A steering committee will help in raising top level awareness.
  Recommendation: Utilize the Steering Committee to raise top level awareness.

PI.2: Program Evaluation and Approval (rating 5.33)

- High level program objectives, requirements and drivers analyzed and documented (4)
  Response: We have some program requirements analyzed as a result of a recent BIA effort, and we have recently updated them with new requirements for the E-commerce application environment. We also have an extensive document on the reasons for establishing a BC program.
  Further action: Find out if objectives for the program were defined in these documents (not clearly).
  Recommendation: Define clear objectives for the program. Objectives should be stated in both general and specific terms.

- Business case prepared and evaluated (4)
  Response: Yes. An informal business case was prepared.
  Further action: Was a budget prepared? (Yes. We presented our initial budget and provided an estimate of the yearly budget to the CIO.)

- Clear Go/No Go decision made, and at what level of management (8)
  Response: Yes. The CIO made the Go/No Go decision and presented this decision to senior management. But the board was not involved in this process.
  Recommendation: The board needs to have active involvement in the overall high level evaluation process.

PI.3: Program Commitment (rating 2.86)

- Full-time qualified program manager assigned (2)
  Response: No. We have a part-time (70%) business continuity coordinator assigned to this task. He is from the corporate planning department and has been involved with Emergency Response Planning in the past.
  Further action: Find out if the coordinator has business continuity or DRP experience. (No.)
  Recommendation: Assign full-time BC responsibility to the BC coordinator.

- Steering committee established (6)
  Response: A committee structure has been proposed and is awaiting approval. (The company has a history of establishing a SC for high profile critical projects.)
  Recommendation: This is definitely a strength.

- Steering committee members have clear roles and responsibilities defined (3)
  Response: No.
  Recommendation: Define clear roles and responsibilities for the Steering Committee.

- BC Program is part of strategic objectives and plan (1)
  Response: No.
  Recommendation: Include the BC Program as part of the Corporate Strategic Objectives.

- BC Program policy exists (2)
  Response: We have a security policy which covers BC from the perspective of availability of critical systems.
  Recommendation: Create a BC policy statement.

- BC Program policy fully communicated (1)
  Response: No.
  Recommendation: Utilize corporate communications to communicate the BC policy.

- BC culture is well established (5)
  Response: No. But IT and the Business units have a better BC/DR culture compared to the rest of the company.
  Recommendation: Develop a plan to improve corporate-wide BC culture.
PP: Program Planning

Columns: Questions | Rating | Response and Conclusion | Further Actions | Recommendations

PP.1: Interim Temporary BC Plan (rating 5)

- Interim BC Plan exists if a long term plan doesn't exist (5)
  Response: Yes. But it has evolved since it was initially written.
  Further action: Review all earlier versions.

- Interim Recovery Strategy developed (5)
  Response: Mutual agreement with our strategic partner.

- Interim agreements in place for recovery of key resources, sources, and services (5)
  Response: Mutual agreement.
  Further action: Review the agreements. (Not enough careful planning and design. The agreements show weaknesses if a disaster lasts longer than 2 or 3 days.)

- Interim Recovery Teams created (5)
  Response: Yes. The team has evolved since it was initially established.

PP.2: BC Program Management Document (rating 4.43)

- BC Program management document exists (6)
  Response: We have a project plan in place.
  Further action: Check the project plan details. (The project plan is well structured but a complete program document is missing; the program plan is part of the BC plan.)
  Recommendation: Create a BC program document which is separate from the BC project plan.

- A need statement prepared (Why is the program needed and what are the drivers?) (7)
  Response: We have a statement that indicates the main drivers: external contract requirements and SOX compliance. It also includes the company's strategic objectives.
  Further action: Review the statements. Ask if they have researched industry specific requirements. (No.)
  Recommendation: Research industry specific BC requirements.

- Program objectives are well defined, aligned and approved (4)
  Response: Defined in the BC plan document.
  Further action: Plan objectives are defined in general terms. Suggest inclusion of specific objectives.

- Program scope is defined and approved (6)
  Response: Defined in the BC plan document.
  Further action: Plan scope is defined. Suggest including what is not in scope as well.

- Program assumptions are stated explicitly (0)
  Response: Defined in the BC plan document.
  Further action: No written program assumptions.
  Recommendation: State all key assumptions in the program document.

- Program deliverables are identified (8)
  Response: Defined in the project plan.

- Program risks are analyzed and mitigation actions identified (0)
  Response: Defined in the BC plan document.
  Further action: Investigate further. (No evidence of program risks in the BC Plan document.)
  Recommendation: Assess program risks and mitigation steps.

PP.3: Program Structure (rating 4.7; 3 (high risk factor))

- Program divided into logical phases (8)
  Response: The Project Plan has logical phases.
  Further action: Risk and BIA are combined as one phase (not a major concern at this time since it has been completed).

- Phases are divided into activities (7)
  Response: Yes.

- Activities are assigned due dates, start and end times, and dependencies (7)
  Response: Yes.

- A BC Steering Committee exists (4)
  Response: Not currently. But the CIO is presenting a case to top management for such a committee next month.
  Recommendation: Establishment of a SC must become a high priority. It will help to resolve a number of current obstacles and issues.

- A BC program team structure is defined with reporting hierarchy (7)
  Response: Yes.
  Further action: Assess the team structure. Three types of teams: Emergency management, Emergency response, and Business unit teams.

- Team structure includes top management, program sponsor, BC coordinator, consultants, etc. (7)
  Response: Yes.
  Further action: The Emergency management team includes the President/CEO, COO, CFO, etc.

- Team roles and responsibilities are well defined (2)
  Response: At a high level only. Team members' tasks are not assigned.
  Recommendation: Define tasks for team members.

- Personnel assigned to the team structure with well defined responsibilities (2)
  Response: No. Personnel are assigned to teams but not with well defined responsibilities.
  Recommendation: Define responsibilities for team members.

- Alternates to team members are assigned (2)
  Response: No.
  Recommendation: Assign alternates to team members.

- Are there any BC team members working in a part-time capacity? (1)
  Response: Yes. The BC coordinator is part-time. There are two assistants to the BC coordinator working part-time on the BC project. Business unit representatives also work on a part-time and as-needed basis.
  Further action: Find out what those part-time staff are responsible for and how critical those responsibilities are. This is a high risk factor.

PP.4: Approval Process (rating 5.17)

- BC Program approval process exists for budget, objective and scope, contract, projects, policy, hiring, etc. (7)
  Response: Only through the CIO, but once the steering committee concept is approved, a program approval process will be defined.

- Senior Management and Board level process (6)
  Response: Senior management will be presenting the case for a formal BC program in the next board meeting.

- Steering committee level process (3)
  Response: None.

- Program sponsor level (7)
  Response: The CIO is the program sponsor.

- BC program coordinator level (7)
  Response: The BC program coordinator requests approval directly from the CIO.

- Business unit level (1)
  Response: None. They are currently not involved in the approval process.
FR: Functional Requirements

Columns: Questions | Rating | Response and Conclusion | Further Actions | Recommendations | Recommendation Type (Negative, OK, Positive)

FR.1: General Assessment

- Functional requirements have been assessed
  Response: Partially.
  Further action: Complete FR.2.

- Functional requirements have been documented
  Response: Not in a formal way.

- Functional requirements have been reviewed by senior management
  Response: We will be presenting general requirements to the Steering Committee in the near future.

- Functional requirements have been approved
  Response: Not yet.

FR.2: Detailed Requirements related to Standards, Rules, and Regulations (rating 4.33)

- General applicable standards and guidelines have been identified (8)
  Response: Yes. Documents indicate DRII and BS17799.
  Recommendation: Also include the NFPA 1600 standard.

- Industry guidelines, rules, and regulations identified (4)
  Response: There hasn't been any effort to find out industry specific requirements other than SOX.
  Further action: Briefly research industry specific guidelines and make recommendations.

- Specific requirements related to standards, rules and regulations assessed and documented (1)
  Response: No. There hasn't been any effort to find out industry specific requirements other than SOX.

FR.2: Risk Management (rating 3.6)

- Formal or informal risk assessment was conducted, and how long ago (3)
  Response: Informal assessments (brainstorming) have been done every year.

- Risk assessment was comprehensive in scope and aligned with program scope (8)
  Response: Limited to HQ, the data center and office areas only.
  Further action: Review the reports.

- Qualified risk expert(s) assisted with the risk assessment (2)
  Response: The BC coordinator conducted the risk assessment with key staff involvement.
  Recommendation: Obtain qualified experts' assistance to review and conduct threat and risk assessments.

- All potential threats were considered (2)
  Response: As many as we could determine.
  Further action: Review the list of threats and the company's exposure. (Not all threats were considered.)

- Assessment was based on a sound and proven method (3)
  Response: Yes.
  Further action: Review the methods used. Quantitative vs. qualitative approach: is there a sound basis for calculating threat probabilities? (The risk assessment is based on a qualitative and informal approach.)

- Top management reviewed the threats and risks (3)
  Response: The CIO and senior business unit managers only.

- Company's appetite for risk identified and approved (4)
  Response: Not formally.

- Both regional and local threats were considered (3)
  Response: Local threats mostly, but some regional.

- Existing risk controls were considered (5)
  Response: Yes.

- Management concurs with the Risk Assessment findings (3)
  Response: The CIO and senior business unit managers have reviewed the findings but have not provided feedback on concurrence.

FR.3: BIA (rating 8.67)

- A formal BIA was conducted (9)
  Response: Yes.
  Further action: Review the BIA findings.

- Scope of the BIA is consistent with program scope (9): Yes.
- Representatives from all areas of business within scope participated in the BIA (9): Yes.
- Critical business processes have been identified (9): Yes.
- Financial losses analyzed (9): Yes.
- Operational impacts analyzed (9): Yes.
- Worst case assumptions were used (9): Yes.
- Maximum Tolerable Downtime identified (9): Yes.
- RTO identified (9): Yes.
- RPO identified (9): Yes.
- How long ago was it completed (9): 3 months ago.
- Critical systems and applications identified (9): Yes.
- Qualified experts conducted the BIA (9): Yes.
- Key concerns and issues captured and addressed (4): Yes.
- Management is aware of and concurs with the BIA results (9): Yes.

FR.4: Offsite Data Storage (rating 5.5)

- Offsite storage requirements analyzed thoroughly (6)
  Response: Partially, through the BIA.

- When were requirements last analyzed (7)
  Response: The IT department has a list of backup data requirements.

- Scope of storage requirements is consistent with program scope (8)
  Response: We back up both critical and non-critical applications and data.
  Further action: Find out which backup vendor they use. Assess the vendor's service reliability. (Storage Mountain.)

- Data backup requirements are known for all critical applications and systems (9)
  Response: We now have different RPOs.

- Gaps in backup frequency are analyzed (9)
  Response: Yes.

- Backup frequency established for all critical data (9)
  Response: Yes, through the BIA.

- Backup media type requirements are known (4)
  Response: Right now it is all on tapes.
  Further action: Find out if anyone uses media other than tape. Some users still use CDs to store data on their PCs. We didn't see this on the list of data backup requirements from IT.

- Safe handling and storage requirements documented (2)
  Response: No.
  Recommendation: Assess safe handling and storage requirements.

- Data integrity testing requirements are known (1)
  Response: No.
  Recommendation: Assess data integrity test requirements.

- Data classification and security requirements are documented (1)
  Response: No.
  Further action: Check to see if there is any sensitive data. (Clients' credit card information is stored along with their address information.)
  Recommendation: Assess data classification and security requirements, covering the cardholder data found on the backups.

- Storage media retention period documented (1)
  Response: No. But we recycle the tapes from time to time.

- Backup tool/software requirements are known (9)
  Response: We currently use IBM's Tivoli Storage Manager.

FR.5: Work Area (rating 6)

- Requirements for alternate work area are analyzed and documented (space, personnel, equipment, facilities, etc.) (8)
  Response: Our Canadian site may be sufficient as a work area until we get the more permanent work site with SunGard.
  Further action: They have work area requirements in terms of the number of workstations needed.

- Requirements are aligned with BIA findings in terms of critical business units and applications (8)
  Response: Workstation requirements are aligned with critical applications.

- Space requirements are known (1)
  Response: No.
  Recommendation: Work out the detailed work area space requirements.

- Support personnel are known
  Response: Yes. We know the key staff from the business areas needed in the recovery.

- Workstation requirements are known (9): Yes.
- Network connectivity requirements are known (9): Yes.

- Non-IT resource requirements are known (faxes, copiers, etc.) (1)
  Response: No. We will rely on whatever is available at the Canadian site.
  Recommendation: Work out the non-IT work area requirements for the long term recovery strategy.

FR.6: Crisis Management Center (CMC) (rating 2.3)

- Requirements for the CMC are analyzed and documented (space, personnel, equipment, facilities, etc.) (2)
  Response: An Emergency Operations Center (EOC) already exists as part of the Emergency Response Plan.
  Further action: Verify whether the BC plan is closely integrated with the EOC. (The EOC team has not yet assessed the specific BC response requirements. There is an assumption that the current design of the EOC will be sufficient to include BC response activities.)
  Recommendation: Assess BC related CMT requirements and determine if the current EOC design is sufficient.

- Requirements for the crisis management center are analyzed and documented (space, equipment, facilities, etc.) (2)
  Response: We expect to use the EOC.

- Workstation requirements (4)
  Response: We will need a workstation for each member of the CM Team.
  Further action: Find out if the planning tool is included in this requirement. (Not yet, since they have not purchased the tool.)

- Connectivity requirements (2): No.
- Non-IT resource requirements (2): No.

FR.7: Personnel (rating 1.8)

- Are detailed requirements for personnel covered
  Response: No.

- Contractors required (5)
  Response: No.
  Further action: Find out if they have contractors. (The IT department has several contractors that support critical applications.)

- Contract agreement includes support during the recovery period (1)
  Response: No. But we assume that they will help us out.
  Recommendation: Include BC related support requirements in contractor agreements.

- Temporary help required (1)
  Response: Only if full-time staff are not available.
  Recommendation: Identify specific temporary staff requirements to help with the recovery effort.

- Detailed skill requirements for recovery staff (1)
  Response: No.
  Recommendation: Identify detailed skill requirements for key recovery staff.

- Pay requirements (1)
  Response: We have started talking with HR on salary requirements during a disaster recovery period. HR wants to talk to Senior Management first on this issue.
  Recommendation: Develop pay requirements for recovery staff during a disaster.

- Union rules and policies are part of the requirements (1)
  Response: The company is unionized but the union has not been involved in the BC effort.
  Recommendation: Work with the workers' union to evaluate the impact of rules and regulations on the BC team and staff in general.

- Government labor laws are accounted for in the requirements (1)
  Response: No.
  Recommendation: Work with HR to evaluate labor laws and their impact on the recovery team and their recovery assistance.

- Travel requirements are known (8)
  Response: Yes. Team members are expected to travel to the Canadian site and each is given a checklist.

- Do you have BC team insurance coverage (0)
  Response: No.
  Recommendation: Evaluate insurance requirements for the BC team.

FR.8: Critical Records (rating 5.5)

- Critical records recovery is part of the BC program (4)
  Response: It is the responsibility of the business units.
  Further action: It seems that IT recovery has been the biggest focus so far. Check whether critical records are part of the BC Project Plan. (Not covered. But the business unit recovery assessment shows that some units do have a critical record recovery program.)
  Recommendation: Critical records should not be the responsibility of business units alone; assign someone with central responsibility for coordinating critical record continuity.

- Critical records inventory exists (4)
  Response: Business units maintain their own records inventory. Critical paper records are stored with laptops at Iron Mountain.
  Further action: Are there electronic records that are critical? (Yes, but they are not backed up.)
  Recommendation: Assess electronic record recovery requirements.

- Records are categorized (vital, important, useful, etc.) (7): Yes.
- Inventory includes title of record, ownership, content type, users, etc. (7): Yes.
- Record retention period determined (5): No. It is mostly paper based.
- Inventory includes information on backup frequency (6): It is all done weekly.
- Inventory includes media storage type and capacity (5): Yes.
- Requirements for document scanning assessed (0): No. We don't have any document management system.

- Requirements for a Document Management System analyzed (0)
  Response: No. We don't have any document management system other than Iron Mountain Connect.
  Recommendation: Investigate a document management system tool.

- Requirement for local storage assessed (0): No.
- Requirement for remote storage assessed (6): Yes.
- Security requirements are documented (7): Yes.
- Safe handling procedures are documented (7): Yes.

FR.9: SLA and Contract Requirements (rating 7.4)

- SLAs and contracts identified (9)
  Response: SLA with data communication services and voice services. There is also a pending SLA with our key client. We also have contracts in place with our data backup vendor. A contract is also in place for quick-ship of a server.

- Points of contact are documented (9)
  Response: Yes. Internal procurement procedures are well structured and controlled.

- General requirements and obligations analyzed (9)
  Response: Yes. We follow internal contract guidelines.
  Further action: Review the guidelines.

- Quality of service and performance requirements are documented (9): Yes.

- Worst case non-compliance scenarios and impacts assessed (1)
  Response: No. It is not part of our internal guideline.
  Recommendation: Include clauses (penalties) in SLAs and contracts for worst-case non-compliance scenarios.

FR.10: External Coordination (rating 4.75)

ERP in this section refers to the Emergency Response Plan.

- All external coordination requirements analyzed

- First responders and local authorities (6)
  Response: Through the ERP only.
  Further action: Review the ERP for external coordination and find out if it includes BC coordination. (Not very tight integration of BC and ERP.)
  Recommendation: Develop a closer integration of BC with the ERP. Include a member of the ERP team in BC and vice versa.

- Coordination requirements documented for suppliers: Not in scope.
- Coordination requirements documented for distributors: Not in scope.

- Coordination requirements documented for labor unions (0)
  Response: No.
  Further action: Review labour union rules and contracts.
  Recommendation: Include a labour union representative in the BC team.

- Coordination requirements documented for service providers (9)
  Response: Yes. We already have SLAs for WAN, Internet and voice services.
  Further action: Review the SLAs to identify coordination points. Check points of contact, SLA review dates, meetings, etc.

- Coordination requirements documented for clients and customers (6)
  Response: It is part of the ERP.
  Further action: Review the ERP for external coordination and find out if it includes BC coordination.

- Coordination requirements documented for landlords and building management (1)
  Response: We only have one building in the area leased, but we have not coordinated with the landlord.
  Further action: The ERP does not include landlord coordination.
  Recommendation: Establish disaster coordination with landlords and building management.

- Coordination requirements documented for the insurance company (3)
  Response: Insurance documents are attached to our Interim BC plan.
  Further action: Review the insurance documents.
  Recommendation: Establish communication and coordination with insurance agents and adjusters.

- Recovery vendors (8)
  Response: The mutual agreement includes coordination information, but we also have coordination information with SunGard.

- Data backup vendors (5)
  Response: So far there hasn't been any major problem with coordination with the backup vendor. We have a yearly contract in place. We deal with issues as they arise.
  Recommendation: Improve coordination with the data backup vendor.

FR.11: Training and Awareness (rating 6.5)

- Training and awareness is part of the BC Program (8)
  Response: Our BC coordinator and her assistants have been to BC conferences and training courses. The BC coordinator has documented the need for training and awareness.
  Recommendation: Assess requirements for personnel outside of the BC teams.

- Personnel requiring training identified (6): BC team members only.
- Experience levels assessed (6): No. The focus of training is primarily on BC team members.
- Training needs documented (6): Yes. Only for BC team members.

FR.12: Salvage & Restoration (rating 0)
  Recommendation: Evaluate and document salvage and restoration requirements.

- All critical resources for salvage and restoration identified (0): Critical documents are the responsibility of the business units.
- Physical areas and buildings for salvage and restoration assessed (0): Facilities is responsible for this.
- Salvage and restoration scenarios for critical resources and areas assessed (0): No.

FR.13: Insurance Requirements (rating 3.5)

- Disaster insurance exists, and who is responsible for its purchase internally (3)
  Response: We have a standard disaster clause in our insurance policy; Finance is responsible for it.
  Recommendation: Review the insurance policy for comprehensive disaster coverage.

- Insurance purchase process is integrated with the BC program (0)
  Response: No.
  Recommendation: Integrate the insurance purchase process with the BC program.

- Insurance requirements to report and claim a disaster are known (0)
  Response: No.
  Recommendation: Determine the insurance claim process.

- Secondary sites insurance requirements (7)
  Response: Covered by the recovery vendor.

FR.14: BC Tools (rating 5)

- BC tools and software requirements are known (5)
  Response: Yes. We need a tool that is web based and allows business unit plans and integration of IT and ERP. Easy to maintain and learn. Security is also important.
  Recommendation: Assess document/record management system tool requirements.

- High level descriptions of the tool's features and capabilities are identified (6): Yes.
- Tools have been researched and compared (8): We have evaluated four different tools.

- Support staff resource requirements have been analyzed (1)
  Response: No.
  Recommendation: Assess requirements for tool admin/support staff.

FR.15: Assembly Location (rating 2.75)

- Assembly location requirements identified (4)
  Response: The ERP specifies the assembly location.

- Assembly location capacity requirements are known (1)
  Response: No.
  Further action: Find out if it was used in the last plan test. (Yes. We were not able to get everyone into the assembly location due to fire and safety regulations.)
  Recommendation: Assess detailed assembly site capacity requirements.

- Distance/location requirements are known (5)
  Response: About 3 miles away from the primary site.
  Further action: Do you have another site in case this assembly site is not available? (Yes, the EOC.)
  Recommendation: Assess requirements for a tertiary assembly location.

- Ability of personnel to travel and meet at the Assembly Location analyzed (1)
  Response: Not specifically for BC team members.
  Recommendation: Assess detailed travel and accessibility requirements for BC team members.
DD: Design and Development

Columns: Questions | Rating | Response and Conclusion | Further Actions

DD.1: General Assessment (no ratings or responses recorded)

- Designs & development completed
- Designs have been documented
- Designs have been reviewed by senior management
- Designs have been approved
- Budget is reviewed and approved

DD.2: Risk Controls (rating 3)
  Response: See the Risk Assessment Word file for additional assessment.
  Further action: Problems in this stage are due to weaknesses in the previous functional requirements process. Initiate a risk assessment and management project with the help of a risk management expert and full management support.

- Risk control design is part of the BC Program (5): Yes.

- Control options have been researched and analyzed (3)
  Response: Yes. We can do a lot more given more time and resources.
  Further action: Not all control options have been researched and analyzed.

- Qualified risk expert(s) assisted with the risk control designs (1): No.

- Cost of options has been compared (2)
  Response: Only for some threats.
  Further action: Find out the reasons. (Lack of resources and time.)

- Residual risks are known (1): No.
- Top management reviewed the risk control options and residual risks (3): Not the residual risks.
- Top management selected the best options for implementation (3): For some options.
- Top management has approved the budget for control option implementation (3): For some options.

DD.3: IT Systems Recovery Strategy (rating 5.31)
  Further action: Focus on the long-term strategy.

- Appropriate recovery strategies exist for all critical IT systems and applications (4)
  Response: Yes. Completed the strategy design stages.
  Further action: The email strategy is missing.

- Alternate site strategies exist (7): Yes.
- Quick-ship strategies exist (7): Yes, for some systems.
- Recovery strategies are aligned with RTO values (8): Partially.
- Cost versus RTO trade-off analyzed (5): Partially.
- Effort requirements analyzed (3): No.
- Control requirements analyzed (8): Yes. With the alternate site we have more control over the IT infrastructure.
- Reliability requirements analyzed (3): We are counting on the recovery vendor for that.
- Strategies aligned with system capacity requirements (5): Yes.
- Strategies aligned with system performance requirements (7): The alternate systems have more capacity than our production environment.
- Strategies aligned with system configuration requirements (3): There are some configuration compatibility issues.
- Recovery systems and primary systems exact in type, configuration, capacity, etc. (5): No. But they are compatible.
- Flexibility in upgrading the recovery systems to match primary system upgrades (4): We don't know. We will include it in the contract agreement with the vendor.

DD.4: Alternate IT Recovery Site (rating 6.82)
  Further action: Focus on the long-term strategy.

- Alternate site meets the strategy requirements for IT systems/servers/networks (8): Yes.
- Unlikely to be affected by the same disaster (8): Yes. Particularly a regional disaster.
- Located outside of local area threats (8): Yes.
- Located outside of regional area threats (8): Yes.
- Alternate travel routes exist (8): Yes.
- Floor plan exists (8): Yes.

- A comprehensive and validated BC Program exists for the Alternate Recovery Site (7)
  Response: Yes.
  Further action: Review their BC program even though they are reputable and reliable.

- Secondary power generator/supply exists (9)
  Response: Yes.
  Further action: Has anybody visually inspected the power supply (as part of the tour)?

- Technical support is available at the alternate site (8): Yes.
- Supports connectivity to the primary site (7): Yes.
- Supports connectivity to work areas (9): Well connected. The work area and the IT recovery area are with the same vendor.

- Sufficient security exists at the alternate site (5)
  Response: Yes.
  Further action: Find out if the servers and systems are shared by other clients of the vendor. (Yes, they are.)

- Access to the recovery area is guaranteed in case of recovery need (4)
  Response: It is on a first-come, first-served basis.
  Further action: Find out if there are clauses in the contract that may deny access. (Yes, there are.)

- Organization has sufficient control over the recovery area and its resources (4)
  Response: Partial.
  Further action: Find out if there are reasons for having complete control. (None.)

- Meeting areas exist (2): Yes, but it will cost more.
- Basic facilities exist (HVAC, bathrooms, etc.) (6): Yes.
- Close proximity to accommodation and food services/restaurants, banks, etc. (7): Yes.

DD.5: A Tertiary Recovery Site (rating 3.16)

- A tertiary recovery site exists with sufficient recovery capabilities and capacities (0): No.
- Is it used for backup of data from the secondary site (0): No.
- Is it used for recovery of all systems at the secondary site (0): No.

DD.6: Offsite Data Storage (rating 3.63; 3)

- Backup strategies are aligned with RPO requirements (1)
  Response: The RPO is unknown for the Billing System, but backups are made daily to Iron Mountain.

- What is the method of data backup (5): Tapes.
- Data is replicated to servers at the recovery site (1): No.
- Data is backed up through tape media (5): Yes.
- Data is backed up through electronic vaulting (2): No.
- Cost versus recovery strategy options analyzed (2): No.
- Backup method is reliable and dependable (4): Yes.
- All data required for recovery is backed up (7): Yes.
- Backup tools/software exist and their capabilities are compatible with the backup strategies (7): Yes.
- Sufficient backup media capacity exists at the storage facility (7): Yes.
- Strategies exist for remote backup during the recovery period (1): No.
- Facilities exist to ship backup data to recovery sites in time to meet RTO requirements (5): Yes.
- Safe handling and storage procedures documented (4): Mostly.
- Data integrity testing procedures are documented (1): No.
- Data classification and security procedures and guidelines are documented (5): Yes.
- Storage media retention procedures are documented (1): No.
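The offsite data storage findings in FR.4 and DD.6 (backup frequency set through the BIA, but the RPO unknown for the Billing System, no data integrity testing procedure, and no documented retention period) are the kind of check that is easier to keep honest with a small script than with a questionnaire. The Python below is an added example, not part of this assessment or of the assessed company's tooling; the inventory entries, RPO values, retention periods, system names and file contents are all constructed for illustration. It flags any system whose backup interval is longer than its RPO, reports an unknown RPO as a separate finding rather than a pass, lists systems with no retention period, and verifies a restore against a SHA-256 manifest written at backup time.

```python
"""Backup-vs-RPO gap check and restore-integrity verification.

Added example; inventory and file contents are constructed, not taken
from the assessed company. System names and values are hypothetical.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BackupEntry:
    system: str
    rpo_hours: Optional[float]      # from the BIA; None = RPO never identified
    backup_interval_hours: float    # how often the backup job actually runs
    retention_days: Optional[int]   # None = retention period not documented


def classify(entry: BackupEntry) -> str:
    """Return 'ok', 'gap', or 'unknown_rpo' for one inventory entry.

    A backup interval longer than the RPO means a worst-case outage loses
    more data than the business said it can tolerate. An unknown RPO is
    reported on its own: it is a missing requirement, never a pass.
    """
    if entry.rpo_hours is None:
        return "unknown_rpo"
    if entry.backup_interval_hours > entry.rpo_hours:
        return "gap"
    return "ok"


def rpo_gap_report(inventory) -> dict:
    """Group systems by finding; also list entries with no retention period."""
    report = {"ok": [], "gap": [], "unknown_rpo": [], "no_retention": []}
    for entry in inventory:
        report[classify(entry)].append(entry.system)
        if entry.retention_days is None:
            report["no_retention"].append(entry.system)
    return report


def build_manifest(files: dict) -> dict:
    """Hash every file at backup time; the manifest travels with the tape."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_restore(manifest: dict, restored: dict) -> dict:
    """Compare restored bytes against the manifest.

    Per-file status is 'ok', 'corrupt' (hash mismatch), 'missing' (in the
    manifest but not restored) or 'unexpected' (restored but never recorded).
    """
    status = {}
    for name, digest in manifest.items():
        if name not in restored:
            status[name] = "missing"
        elif hashlib.sha256(restored[name]).hexdigest() != digest:
            status[name] = "corrupt"
        else:
            status[name] = "ok"
    for name in restored:
        if name not in manifest:
            status[name] = "unexpected"
    return status


# Constructed sample inventory: daily tape backups across the board, one
# system with no RPO on record, two with no documented retention period.
INVENTORY = [
    BackupEntry("E-commerce", rpo_hours=4, backup_interval_hours=24, retention_days=35),
    BackupEntry("Email", rpo_hours=24, backup_interval_hours=24, retention_days=None),
    BackupEntry("Billing", rpo_hours=None, backup_interval_hours=24, retention_days=None),
    BackupEntry("File server", rpo_hours=48, backup_interval_hours=24, retention_days=90),
]

if __name__ == "__main__":
    for finding, systems in rpo_gap_report(INVENTORY).items():
        print(f"{finding:>12}: {', '.join(systems) or '-'}")
    # Constructed restore drill: one file comes back altered by a single byte.
    original = {"billing.db": b"account=42;balance=100", "cust.csv": b"id,name\n1,A\n"}
    manifest = build_manifest(original)
    restored = dict(original, cust=None)  # placeholder removed below
    restored.pop("cust")
    restored["cust.csv"] = b"id,name\n1,B\n"
    print(verify_restore(manifest, restored))
```

The two checks deliberately do not collapse into one pass/fail: a daily backup of a system whose RPO was never set (the Billing System in DD.6) shows up under `unknown_rpo`, and a tape that restores without error but with one changed byte shows up as `corrupt` only because a manifest existed to compare against, which is the gap the "data integrity testing procedures" item points at.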
Critical Record Storage Area 4.67

Internal facilities/areas exist to 2 They stored in filing


store critical documents cabinets by business
units themselves

Internal facilities meet the fire 0 No.


and water protection
requirements
Internal facilities meet the 0 No.
security requirements
External facilities/areas exist 7 Yes. Iron Mountain only
to store critical documents for paper documents.
External facilities meets the 7 Yes
heat, humidity, and other
climate control requirements
External record storage facility 7 Yes.
is under the management and
control of qualified personnel

External facilities meet the 7 Yes.


security requirements
External facility can ship the 7 Yes.
records to work areas/primary
site within required time-
frame.
External facility supports 24x7 7 Yes.
operations
Appropriate record 8 We are using Iron Is Iron Mountain
management system is Mountain Connect™ Connect setup for
reviewed and assessed portal to track and Laptop access in the
retrieve documents. event of a disruption
(No)
Critical record management Yes.
procedures are developed and
are aligned with the
requirements

DD.7: Alternate Work Area | 4.68

Alternate work areas exist (contracted, company owned, reciprocal?) | 4 | Plan to contract out the work area from SunGard. We will use Canadian site as an interim solution.
Alternate work area meets the BIA and functional requirements for recovery personnel | 0 | N/A
Acquisition strategy for workstation and servers in work area is consistent with BIA and other business process requirements | 0 | N/A
Floor plan exists | 0 | N/A
Non-IT resource acquisition strategy is in place (faxes, copiers, etc.) | 0 | No.
Site is unlikely to be affected by the same disaster | 7 | Yes.
Located outside of local area threats | 7 | Yes.
Located outside of regional area threats | 7 | Yes.
Alternate travel routes exist | 7 | Yes.
A comprehensive and validated BC Program exists for work area | 3 | Don't know
Secondary power generator/supply exists | 8 | Yes.
Technical support is available at alternate work site | 2 | Don't know
Supports connectivity to primary site | 8 | Yes.
Supports connectivity to alternate IT recovery sites | 8 | Yes.
Work area is expandable depending on the need | 2 | Don't know
Sufficient security exists at alternate work site | 8 | Yes.
Contains sufficient floor space for workstation and IT infrastructure and end-users | 2 | Don't know
Designed to support usage 24x7 | 7 | Yes.
Organization has sufficient control over the work area and its resources | 2 | Don't know
Meeting areas exist | 7 | Yes.
Basic facilities exist (HVAC, bathrooms, etc.) | 7 | Yes.
Close proximity to accommodation and food services/restaurants, banks, etc. | 7 | Yes.

DD.8: Crisis Management Center (CMC) | 7.25

CMC design meets the requirements for space, personnel, equipment, facilities, etc. | 9 | EOC will be used as CMC. 1st location is a leased site 30 miles away from HQ. Alternate location is a hotel meeting room to be decided at the time of disaster.
Location is easily accessible for Crisis Management Team (CMT) and it is not prone to single point of failure with the primary site. | 9 | Yes.
Reliable and dependable | 9 | Yes.
CMC meets the IT requirements (workstations, laptop, printers, etc.) | 3 | Don't know about BC requirements.
CMC meets the Non-IT requirements (faxes, copiers, presentation tools, etc.) | 8 | Yes.
CMC meets the voice connectivity requirements | 3 | Don't know about BC requirements.
CMC meets the data connectivity requirements | 3 | Don't know about BC requirements.
Designed to support usage 24x7 | 9 | Yes.
Organization has sufficient control over the work area and its resources | 9 | Yes.
Meeting areas exist | 9 | Yes.
Basic facilities exist (HVAC, bathrooms, etc.) | 8 | Yes.
Close proximity to accommodation and food services/restaurants, banks, etc. | 8 | Yes.

DD.9: Assembly Location | 5.98 | | Further actions: Evaluate design of assembly location to determine if it meets BC requirements.

Assembly location meets the functional requirements | 1 | Don't know
Assembly location complies with safety guidelines | 8 | Yes.
Easily accessible, dependable, and expandable | 8 | Yes.
Close proximity to food, accommodation, banks, etc. | 8 | Yes.
Controlled by the organization | 3 | No. MOU with another organization.
Less likely to be affected by the same local disaster | 8 | Likely to be affected by the local or regional disaster; but we have the EOC as an alternate.

DD.10: Data Communication Services | 5.83

Designs for Data Communication and Networking services are complete | | | Further actions: Review design documents
Design takes into account single points of failure concerns and communication redundancy requirements | 7 | Yes. We have redundant carrier links. | Further actions: Do they go through the same conduit to the building? (Yes)
Different transmission medium is used (wireless, satellite, land lines) | 2 | Same medium.
Network design for alternate recovery site exists with specifications for connectivity, capacity, throughput, reliability, etc. | 7 | Yes.
Network design for work area exists with specifications for connectivity, capacity, throughput, reliability, etc. | 8 | Yes. IT has all that worked out.
Network design for data backup site exists with specifications for connectivity, capacity, throughput, reliability, etc. | | Yes. IT has all that worked out.
Network design for connectivity between primary site, alternate site, data backup site, and work area is complete. | 4 | It is complete except for work area, which is planned to be completed in six weeks.
Data transmission security is part of the design. | 7 | Yes.

DD.11: Voice Communication | 6.6

Strategies are developed for redundancy of voice communication
Design takes into account single point of failures | 9 | Voice service provider has provided multiple voice lines going through redundant exchange routes.
Design takes into account rerouting of critical phone numbers | 9 | Yes. We have the capability to reroute our 1-800 numbers that customers use.
Design includes different communication mediums (cables, satellite, wireless, etc.) | 3 | No. They are all land lines.
Design takes into account bandwidth requirements | | Yes.
Design takes into account work area requirements | | Yes.
Design takes into account CMT requirements | 6 | Yes.
Design takes into account Recovery Site requirements | 6 | Yes.

DD.12: Work around Procedures | 3.86 | | Further actions: See business process audit file.

Work around procedures are documented for all critical business units and processes | 3 | Most have them documented
Each work around procedure clearly specifies its objectives and scope | 3 | Some do and some don't
Each work around procedure clearly specifies conditions for invoking the procedure | 3 | Some do and some don't
Each work around procedure clearly specifies tasks to be performed and resources required including critical records. | | Yes.
Each work around procedure clearly specifies task dependencies | 3 | Some do and some don't
Work around procedures include recovery of lost data | 6 | Yes.

DD.13: Training and Awareness | 5.17

Training and awareness program is designed and developed
Training database/site designed and developed | 7 | We have an intranet site for business continuity which provides training documents and general information.
Training methods and services selected | 4 | We plan to have onsite training on a regular basis.
Training schedule prepared | 1 | No.
Awareness plan developed | 9 | We currently have an internal BC monthly newsletter.
Training evaluation process designed and developed | 2 | No.
Training responsibilities assigned | 8 | We are currently talking to HR training department to take on this task.

DD.14: Salvage and Restoration | 0 | | Further actions: See comments from functional requirements

All critical resources for salvage and restoration identified
Physical areas and buildings for salvage and restorations assessed
Types of damage to critical resources and areas assessed
Salvage and restoration experts and contractors identified and contacted
Requirements and cost discussed with Salvage and Restore contractors
Contractors are selected
Recommendations | Recommendation Type (Negative, OK, Positive)

Overall design is aligned with the requirements but there are still some gaps and room for improvements. Example: Generic applications such as email are not part of recovery strategy. Drop ship of billing system server; the ability of people to get to recovery site on time.
Recommend tertiary site.
Recommend testing compatibility issues.
Recommend testing compatibility issues.
Recommend inclusion in contract for upgrade flexibility in recovery systems.
Recommend: Involving IT security department in the secure design; suggest development of security policy and procedures before, during, and after disaster situations.
Recommend: creating a tertiary recovery site.
We recommend the use of a tertiary recovery site.
Implement an internal critical document/record management group and facility in addition to a remote storage site.
Expedite design and development of long term alternate work area.
Evaluate whether or not EOC meets the BC requirements.
Design overall meets the continuity requirements but needs some additional improvements.
Review data link for improving redundancy and single-point-of-failure.
Design overall meets the continuity requirements but needs some additional improvements.
Provide additional redundancy by combining voice communication mediums.
Ensure work around procedures for all critical areas are complete and documented with consistent format.
Assign training and awareness responsibility to a staff. Review current training and awareness design for additional improvements.
The design and development for Salvage and Restoration must be based on the functional requirements once they are completed.
PP: Program Implementation

Questions | Rating | Response and Conclusion | Further Actions | Recommendations

PI.1: Risk controls | 3 | | | Recommendations: Problems in this stage are due to weaknesses in the functional requirement process. See recommendations in Design and Development.
All risk controls have been implemented | | Some have been implemented including secondary power generator.
Implementation project plans exist and approved | | We have plans to continue implementation of risk controls.
Percentage Implemented | 3 | 30 percent.

PI.2: IT Recovery Systems | 6 | Most systems are in place and the plans in place to acquire the rest. Email systems recovery capability is not in place.
Alternate IT systems purchased or leased | | Yes
Quick-ship strategies implemented | | Currently talking to the vendor
Percentage completed | 8 |

PI.3: Alternate IT Recovery Site | 8 | IT recovery site is in final stages of implementation.
Alternate IT recovery site completed | 8 | Yes. SunGard
Alternate IT site inspected and approved for use | 8 | Yes
Percentage completed | 9 | 90 percent

PI.4: A Tertiary Recovery Site
Tertiary site completed | | No.
Tertiary site inspected and approved for use | | No.
Percentage completed | | N/A

PI.5: Offsite Data Storage | 5 | Backup site is currently in use. Backup frequency needs adjustments.
Remote backup site is complete | | Yes.
Data backup process to remote site has started | | Yes.
Percentage completed | 8 | 90 percent

PI.6: Critical Record Storage | 2
Remote record backup site is complete | | Implemented for document records only. It is remote only. There are no internal storage process or system.
Remote record backup process has started | | Yes.
Percentage completed | 5 | 50

PI.7: Alternate Work Area | 4 | | | Recommendations: Expedite design and development of long term alternate work area.
Alternate work areas exist (contracted, company owned, reciprocal?) | 4 | Yes. Currently at the Canadian site but later at SunGard.
Work area inspected and approved | 3 | Partially.
Percentage completed | 4 | 50

PI.8: Crisis Management Center (CMC) | 7 | EOC will be used as CMC. 1st location is a leased site 30 miles away from HQ. Alternate location is a hotel meeting room to be decided at the time of disaster.
CMC exists | | Yes
CMC inspected and approved | | Yes
Percentage completed | 7 | 100

PI.9: Assembly Location | 7 | Assembly location is in place.
Assembly sites exist | | Yes
Assembly sites inspected and approved | | Yes.
Percentage completed | 7 | 100

PI.10: Data Communication Services | 8
Data Communication and Networking services are complete | | Yes
Connectivity between primary site and alternate IT recovery site is complete | | Yes
Connectivity between primary site and data backup site is complete | | Yes
Connectivity between alternate IT site and work area is complete | | Yes
Connectivity between CMC and alternate IT site is complete | | Yes
Connectivity between CMC and alternate work area is complete | | Yes
Percentage Complete | 8 | 80

PI.11: Voice Communication | 8
VC infrastructure and services are complete | | Yes.
Percentage completed | 8 | 80

PI.12: Training and Awareness | 2 | | | Recommendations: Expedite initiation of training and awareness program.
Training and awareness program activated | | Not fully.
Percentage implemented | 2 | 10 percent

PI.13: BC Tools | 2
BC tool is purchased | 2 | No. We are still evaluating tools. | | Recommendations: Expedite tool evaluation to begin tool usage and deployment.
Tool training is complete
Plans and information from paper/computer sources have been imported into the tool
Security and access control is in place
BC tool is deployed
A dedicated staff manages and maintains the BC tool
Team members have access to the tool
Percentage Complete

PI.14: Salvage and Restoration | 0 | Salvage and restoration is not yet included in BCP.
Salvage and restoration contracts are in place | | No.
Salvage and restoration procedures are documented | | No.
Percentage Complete | 0 | 0

PI.15: Personnel | 4
Are all required personnel hired | 5 | Most have been hired but we are still waiting to hire two more staff reporting to the Coordinator.
Responsibilities assigned to personnel. | 5 | Mostly assigned
BC team insurance purchased | 0 | No.
Percentage Complete | 4 | 60

PI.16: SLA and Contracts | 7
SLA have been negotiated and implemented | 6 | The key SLA are in place
Contracts have been negotiated and implemented | 6 | Yes. Work area contract is under review.
Percentage Complete | 7 | 80

PI.17: BC Plan Document | 3
Plan document is complete
Executive Summary
Plan components
Objective
Scope
Assumptions
Constraints and limitations
Risk Assessment
BIA
Recovery Strategies
Plan Execution phases
BC Team Structure
Contact List
Call Tree
Alternate contacts
Contact Procedures
Disaster Definition
Disaster Declaration Procedures
Service Level Agreements
Insurance policy
Critical resource inventory
Critical Staff
Crisis Communication Plan
Emergency Response Plan
Business unit plans
Disaster Recovery Plan
Recovery site Information
Data backup procedures
Data backup site information
Critical record backup procedures
Critical record backup site information
Critical record recovery procedures
Plan execution logistic procedures
Security requirements and procedures
Recovery logistics
Team responsibilities
Salvage and Restoration procedures
IT recovery procedures
Data network recovery procedures
Voice communication recovery procedures
Work area site information
Work area recovery procedures
Critical service recovery procedures
Assembly location procedure
Assembly location information
Crisis management center or EOC information
Plan execution timeline and schedule
Disaster scenarios and recovery procedures
BC Plan change controls
BC plan distribution list
BC plan appendices
PT: Plan Testing

Questions | Rating | Response and Conclusion | Further Actions

PT.1: BC Plan Testing | 3.71
Test plans exist for testing BC plan | 6 | Interim plans have been tested
Test objectives cover all essential elements of BC plan | 2 | No. It is missing testing of key business areas
Types of testing conducted so far | 2 | Table top and some systems at hotsite | Further actions: No testing of notification procedures; EOC location, work areas, etc.
Types of testing planned for future | 7 | Hot site testing of all systems
Test scenarios are realistic | 1 | No real scenarios have been tested
Tests have been completed for all required parts of BC plan | 3 | No. It is missing testing of key business areas
Tests have been conducted according to test plans | 5 | Yes.

PT.2: Test Evaluation | 8 | Tests have been evaluated well, particularly for hotsite testing. Evaluation included lessons learned. Many issues related to hotsite vendor support and coordination were identified and resolved.
Test results have been evaluated | 8
What criteria used to evaluate tests | 8
Testing met all of test objectives | 8
What were the strengths identified by the test | 8
What were the weaknesses identified by the test | 8
PT.3: BC Plan Approval | 4 | The long term plan document is not yet complete.
BC Plan is approved
BC Plan is approved by program sponsor and BC steering committee
BC plan is distributed to all staff and personnel on distribution list

PT.4: BC Plan Document
Which parts of the plan below have been tested?
Objective
Scope
Assumptions
Constraints and limitations
Risk Assessment
BIA
Recovery Strategies
Plan Execution phases
BC Team Structure
Contact List
Call Tree
Alternate contacts
Contact Procedures
Disaster Definition
Disaster Declaration Procedures
Service Level Agreements
Insurance policy
Critical resource inventory
Critical Staff
Crisis Communication Plan
Emergency Response Plan
Business unit plans
Disaster Recovery Plan
Recovery site Information
Data backup procedures
Data backup site information
Critical record backup procedures
Critical record backup site information
Critical record recovery procedures
Plan execution logistic procedures
Security requirements and procedures
Recovery logistics
Team responsibilities
Salvage and Restoration procedures
IT recovery procedures
Data network recovery procedures
Voice communication recovery procedures
Work area site information
Work area recovery procedures
Critical service recovery procedures
Assembly location procedure
Assembly location information
Crisis management center or EOC information
Plan execution timeline and schedule
Disaster scenarios and recovery procedures
BC Plan change controls
Recommendations

Recommend testing of notification procedures; EOC, and work areas.
Conduct likely scenario based testing.
Conduct testing of all key aspects of BC plan.
This is one of the strength areas. A good test evaluation process is in place.
PM: Program Management

Questions | Rating | Response and Conclusion | Further Actions | Recommendations

PM.1: Primary Site Change Monitoring | 3.14 | | | Recommendations: Extend change management to beyond IT related changes.
Process is in place to monitor changes | 4 | Yes. BC Coordinator monitors all changes by attending all IT change management meetings.
IT level changes are monitored | 4 | Yes. Through IT change management
Business process changes are monitored | 1 | Not at this time.
Critical record changes are monitored | 4 | By business units only. | Further actions: Business units have people assigned to this task.
People changes are monitored | 3 | We have been talking to HR to keep us in the loop.
Critical resource related changes are monitored | 3 | Not at this time.
Critical services related changes are monitored | 3 | Yes. We plan to go through regular review of service and resource related changes.

PM.2: Recovery Site Change Monitoring | 3 | | | Recommendations: Implement proactive process for monitoring recovery site changes.
Process is in place to monitor changes at the recovery sites | 3 | We expect vendor to notify us of any changes.
Hardware changes are monitored | 3 | Yes.
Software changes are monitored | 3 | Yes.
Network changes are monitored | 3 | Yes.
Facility changes are monitored | 3 | Yes.
Policy changes are monitored | 3 | Yes.
Security procedures are monitored | 3 | Yes.

PM.3: Contract Management | 7
BC related contracts management process established | 7 | BC coordinator and procurement representative conduct a frequent review/update of contracts.
Contracts are reviewed on a regular basis | 7 | Yes.
Contracts include maintenance and upgrades | 7 | Yes.
Procurement and legal departments are involved in the contract management | 7 | Yes.

PM.4: Risk Controls | 3
Risk assessment occurs periodically | 3 | No.
Existing controls are reviewed and inspected on a regular basis | 3 | Facilities is responsible for reviewing physical controls such as secondary power generator.
Risk experts are involved in risk assessment and control process | 3 | No.
Risk assessment reports are presented to and reviewed by management | 3 | No.

PM.5: BIA | 4 | We plan to do it regularly.
BIA is conducted periodically
Gaps are identified
Results are reported to and reviewed by management
Recovery strategy gaps are evaluated

PM.6: IT Systems Recovery Strategy | 4 | We plan to review it regularly.
Recovery strategies are reviewed regularly
Alternate sites are inspected for changes and problems.
Quick-ship strategies are reviewed regularly

PM.7: BC Plan Testing | 4 | We plan to do it regularly.
A plan exists for regular testing of BC Plan
Both minor and major tests are carried out regularly
Tests are reviewed and evaluated
Test results are well documented and reported to management
Test issues are resolved effectively
Backup data integrity checks are done regularly
Work around procedures are tested regularly

PM.8: Recovery Vendor's BC Plan Reviews | 4 | We will include it in our program.
Recovery vendors' BC plans are reviewed regularly
Recovery strategies and capabilities of vendors are reviewed regularly
BC audit reports of vendors are reviewed

PM.9: Training and Awareness | | Currently not in maintenance stage.
Training and awareness program is monitored, evaluated and updated
New hire orientation includes BC information
Program includes learning resource/database
Program includes newsletters
Program includes regular BC informational meetings
Program includes BC tool training
PM.10: Management Process | 5
Steering committee is actively involved in the maintenance phase | 4 | Steering Committee will be established in few months.
Program sponsor is actively involved in the maintenance phase | 8 | Yes.
BC Management meetings are held on weekly, monthly, and quarterly periods | 8 | Weekly with the sponsor and monthly with business unit managers
Reports from the steering committee are presented to Board and senior management | 4 | Steering Committee will be established in few months.
Rules and regulations are monitored and reviewed | 1 | No.

PM.11: External Coordination | 3 | | | Recommendations: Improve external coordination related to BC plan.
BC plan is coordinated with external public authorities | 3 | Through ERP. | | Recommendations: Coordinate with ERP team to include BC plan's coordination requirements.
BC plan is coordinated with business partners | 1 | No. | | Recommendations: Coordinate BC plan with business partners on a regular basis.
BC plan is coordinated with recovery vendors | 7 | Yes.
Meetings are held regularly to coordinate BC plan with external entities | 1 | No. | | Recommendations: Arrange regular meetings with external entities to coordinate BC plan activities.
BC Audits are conducted periodically
BC Audits include internal and external auditors
Audit recommendations are followed through
Audits are done through expert auditors
PM.12: BC Program Reviews | 6.25
BC program is reviewed periodically | 7 | We hold monthly meeting with all business units to review relevant BC program activities and sections.
BC plan document is reviewed frequently | 7 | BC coordinator and his team review the plan biweekly.
Review involves all BC team members | 7 | Most team members depending on what we are discussing at the time.
Results of the reviews are presented to steering committee and program sponsor | 4 | Not yet. But we present it to our program sponsor.

PM.13: Plan Document Maintenance | 5.4
Stored offsite and onsite | 6 | One copy is always with BC coordinator on a memory card. One copy is with Iron Mountain. | | Recommendations: Recommend storing a BC document at the hot site. If possible use web-based planning tool.
Easily accessible during a disaster | 5 | Yes
Secured | 8 | Yes. It is encrypted.
Need-to-know list maintained | 3 | No. We have a common distribution list with access to all parts of the plan. | | Recommendations: Develop a need-to-know distribution list.
Distribution list maintained | 5 | Yes.
Program Budget | 5.33

Separate annual budget allocated | 5 | It is part of IT budget
Business area supporting the BC Program budget | 8 | Yes. Business Managers are very supportive.
Source of budget | 3 | IT
Detail budget established for BC tools | 5 | Yes. | Further actions: Does it account for a specific and its cost? (We know the tool we want and its cost)
Overall budget estimates established | 5 | We do not have a yearly budget but last year we spent $240K and this year it has increased to $300K.
Percentage of BC budget relative to annual revenue | 3 | IT budget is about 2.5M. Last year we spent about 240 k on BC beyond people resources.
Overall budget established for individual projects | 7 | Business units have their own budgets for BC activities.
Overall budget established for hiring staff | 7 | We have put the request to hire two more staff for next year.
Overall budget established for contracts | 7 | The budget for contracts will come out of the overall BC budget.
Overall budget established for recovery resources and services | 3 | Our recovery resource and service budget is mostly part of the overall IT budget. | Further actions: Find out if this budget is outside of the BC budget. Yes, it is outside of the IT budget. Last year approximately 60K was spent on the recovery resources and services.

BC program needs a separate budget; work out detail budget for each phase, project, and activities. The budget needs to be between $500K to $800K.
BC program needs a separate budget and not simply be part of IT budget.
The budget needs to be between $500K to $800K.
BC budget needs to be about 20 to 30 percent of IT budget.