GTAG — BCM Requirements
used to optimize production based on available resources (vendor and utility) services.

C. Alternative Offices Needed for Recovery Activities

Alternative office space may be required in nearly all disasters that require the activation of the BCP. There are many options to provide offices for staff, but the cost of these solutions varies greatly. Below are some of the alternative office space options.

• Another organization facility that is outside of the disaster zone but near the primary office is often a low-cost solution. This requires the business unit at the alternative organization office to invoke their BCP to send noncritical staff home.
• Many people today use remote access to perform many office-related functions from home or a hotel. The key requirement is that employees have the appropriate security tools (e.g., remote access token) and appropriate hardware (e.g., laptop or personal computer) they need to work remotely. When evaluating remote access solutions, the impact to productivity must be considered, particularly as it pertains to lack of collaboration and communications if a team is spread across multiple sites.
• Commercial recovery sites also offer office space, but usually at high cost and often with limited network connections to the organization IT systems.

Any alternative office space solution must be tested by users to ensure they can log on. Some volume (performance) testing also must be completed to verify the solution will support the desired number of users. Noncritical staff should be instructed to not log on during a disaster so that resources remain available for those deemed critical.

D. Planning to Transition Back to Normal Operations

A plan must be developed to transition the organization back to a normal state after the recovery solutions are no longer needed. This can be challenging because the organization operates in an abnormal state during a disaster. Manually collected data must be entered into systems once they are restored. Financial and regulatory exceptions that occurred during the disaster must be resolved by filing the appropriate paperwork and obtaining approvals. Product exchanges (borrowed) that occurred during the disaster either need to be replenished, or the other party must be paid for those products.

The BCM sponsor and an appropriate team of managers must approve the continuity strategies for their scope of operations. Because managers throughout the organization are responsible for ensuring the business continuity and recovery solutions are implemented, they must own the continuity strategies for their team.

5.5 Disaster Recovery for IT

Depending on the business functions being performed and their reliance on IT, some portion of the critical business processes can be recovered without IT or information. In other cases, IT systems and information are needed to support the recovery of some critical business processes. Each organization must determine the maximum downtime of IT systems that can occur before it becomes an issue that could jeopardize the entire organization, whether it be hours, days, weeks, or more.

Disaster recovery planning is a term used to describe IT recovery. Some companies use different terms to include the recovery of IT systems, data, information management systems and processes, and other related systems. The disaster recovery document should describe the IT and information management systems recovery strategies. The DRP should cover detailed recovery instructions that may include references to procedures, vendor references, system diagrams, and other related recovery materials. The detailed recovery procedures must be updated when system and business processes change.

Below are some examples of the components that may be recovered as part of the DRP.

• IT systems, including:
   o IT data center.
   o Applications and data needed by the organization.
   o Servers and other hardware.
   o Communications such as phone, radio, etc.
   o Network, including external (third party) connections.
   o IT infrastructure (e.g., logon services and software distribution).
   o Remote access services.
   o Process control systems (e.g., SCADA/DCS).
• Information management systems, including:
   o File rooms.
   o Document management systems (electric and manual).

A. Considerations When Selecting DRP Strategies

There are a number of things to consider when selecting IT recovery strategies:

• The DRP document should describe the strategies for recovering systems and information based on direction from staff after staff members have performed a BIA.