In early 2003, a Computer Technology Associates, Inc. (CTA) property management
client within a large nationwide bank requested support in the planning, development,
implementation, and maintenance of business continuity alternatives in the event
of a technological or natural disaster. Working within the organization's business
continuity guidelines and structure, CTA prepared and validated six technology
business continuity plans and one organizational business continuity plan.
Each plan provided an overview of the business resumption process, descriptions
of key roles and responsibilities, and standard processes and procedures to be
used in the event of a business disruption. Working with the client, CTA supported
the design, implementation, and deployment of remote business resumption systems
to support rapid cutover in the event of a production system failure. Plans were
segregated into two basic types:

Technology Business Continuity Plans - These plans addressed the analysis
of a failed technology system such as a web server or database server, and documented
the decision processes and sequence of cutover activities in restoring system
access and functionality. Each plan addressed not only system failures but also
the loss of access to systems, such as a data center failure.

Organizational Business Continuity Plans - These plans addressed disasters
that could affect an organization's ability to perform its function due to denied
access to office space. These range from local facility disasters, such as a
fire that may limit access to a single office facility, to more severe natural
disasters, such as an earthquake that may limit access to an entire region. Each
plan addressed the procedures to be used for notifying employees where to report,
retaining work-in-process records, and executing interim processes and procedures
to be used until the affected location can be re-accessed. In cases where a regional
disaster would prohibit access to an office facility for an extended time, the
plan addressed the establishment of an alternate regional disaster location and

The key to effective business continuity planning is the identification of the critical
business processes and functions. In support of plan development, CTA performed

Identified and documented all business processes/functions.

Measured and established the quantitative and qualitative impacts of
a business disruption and the related loss of specific business processes/functions.

Provided a basis for identifying which business processes/functions will
be required and for developing a detailed business continuity strategy for each.

Established a priority for restoring the business processes/functions.

These activities culminated in a Business Impact Analysis that addressed financial
loss in terms of lost revenue or additional costs, customer impact in terms of
customer confidence or impaired competitive position, and legal and/or regulatory
In addition to plan development, CTA also supported and coordinated maintenance
activities designed to ensure the plans remain current. These activities included:

Plan Simulation - A documented response to an incident in a production/non-production
environment that includes a physical visit to the business' "Hot-Site"
utilizing recovery procedures to restore technology.

Plan Walkthrough - A roundtable discussion that reviews the entire concept
of the recovery and response for the plan unit including recovery procedures.

Plan Distribution - Ensures the most current plan has been distributed
to those that need to know.

Report Verification - A review of all required report fields ensuring
that all information is accurate and complete.

Affirmation Documentation - Documents the completion of the annual affirmation
and provides a tracking mechanism to ensure all plan units are included.

Back Up Rotation and Verification - Reviews the process of media rotation
ensuring that backups are being completed, stored properly, and can be retrieved.
Also verifies the integrity of randomly selected media.

Review Recovery Time Objective and Recovery Point Objective Information -
Provides for comparison of anticipated RTO/RPO timeframes between technology
support group and business group. Also provides for communication of variances
and changes needed.

Quality Assurance Program Review - A thorough review of the entire plan
ensuring that all required documentation is included. Verifies the accuracy of

Review and Update Risk Assessment - Documents the completion of the risk