Professional Development Course
Be Prepared: What to Include in Disaster Recovery Plan
COPYRIGHT © Chartered Professional Accountants of British Columbia
All rights reserved. No part of this publication/course material may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (photocopying, electronic, mechanical, recording or otherwise) without the prior written permission of the copyright holder and publisher, applications for which shall be made to the Chartered Professional Accountants of British Columbia, 800-555 West Hastings Street, Vancouver, BC, V6B 4N6.
DISCLAIMER
This course material deals with complex matters and may not apply to particular facts and circumstances. As well, the course material and references contained therein reflect laws and practices which are subject to change. For these reasons, the course material should not be relied upon as a substitute for specialized professional advice in connection with any particular matter.
Although the course material has been carefully prepared, neither the Chartered Professional Accountants of British Columbia, the course author and/or firm, nor any persons involved in the preparation and/or instruction of the material accepts legal responsibility for its contents or for any consequence arising from its use.
September 2015
BE PREPARED!: WHAT EVERY BUSINESS SHOULD INCLUDE IN THEIR DISASTER RECOVERY PLAN
GLENROSA FIRE - 2009
TESTALINDEN FIRE - 2015
ROCK CREEK FIRE - 2015
VANCOUVER - 2015
IT CAN HAPPEN TO YOU
B.C. fires of 2009/2015: Glenrosa, Oliver and Osoyoos, Grand Forks and Rock Creek
New Orleans, La. (08/29/05)
Nepal earthquake
Vancouver windstorm
Ongoing general weather extremes
40 % of businesses lost in a disaster never reopen
Usually little or no time to prepare or evacuate
Glenrosa fire – we had 120 minutes to evacuate from the first evidence of the fire
Vaughan, Ont. – no warning; 30 minute warning of potential possibility
Oliver fire – evacuation order at 2:00 AM
What if you weren’t in the area and couldn’t evacuate – no one was allowed into the Glenrosa area after the evacuation order was issued
You need to be prepared for a total loss of data and/or facilities and be prepared to restart operations as if you couldn’t salvage anything from the old operation
One year later – 80 % of the homes and businesses were uninhabitable in New Orleans
Where would your business be ?
NEW ORLEANS - 2005
TYPES OF DISASTERS
NATURAL
Environmental
Fire
Flood
Earthquake
Tornado
NATURAL
Biological
West Nile
H1N1
SARS
Ebola
Critical injury or illness
MAN-MADE
Sabotage
Terrorism
Hackers
Power grid surges/failures
Disgruntled employees
Hardware failures
Varying degrees of preparedness for any of the above disasters
Some give significant warning, some none at all
Sometimes, the damage isn’t found until well after the event, i.e., sabotage
Occasionally, the full extent of the damage is never determined
Therefore, it is always best to have a recovery system in place that will allow for a recovery from a complete loss, in the event that the amount of loss and/or compromise is indeterminate
VAUGHAN, ONTARIO - 2009
WHY PROTECT ?
To safeguard the business, its assets, and its ability to continue to function
For yourself, your family, your staff and your clients
To minimize disruption and facilitate restoration of the operations
To protect your professional reputation as a CPA
TYPES OF PROTECTION
Backups
Offsite – in a separate, secure location away from the ongoing operations
Virtual or mirror drives – can be either an actual removable hard drive connected to the system, or a remote provider that automatically backs up your complete system on a regular and ongoing basis for a monthly fee (see later slide)
Cloud backup – no official policy, but be careful of data vulnerability and application of non-Canadian security Acts (Patriot Act, etc.). It is estimated that 90% of Canadian internet traffic is routed via the USA
Offsite and/or portable hardware – to allow for restoration of systems after a loss, and to check on the integrity of backups
Offsite listing of program codes – to allow reacquisition of programs downloaded through online access codes. Ensure codes are complete, as emailed codes may be truncated
Careful use of systems – to avoid loss through viruses, theft of data and other consequences of careless use, i.e., cautious use of email, avoiding suspicious websites, and the like. Be particularly cautious of email scams involving the CRA, “overdue invoices” or “resume/CV attached” – if you don’t recognize who the email is from, don’t open it, just delete it
Software security systems – such as antivirus programs, regular system scans, etc., to protect the integrity of data contained in the computer system
Passwords – to protect the data on an ongoing basis, and restrict use to authorized personnel
Use of the most recent versions of computer software – to allow for an easier recovery
Hard drive lockdown systems – to prevent removal of physical computer hardware. These may also get you insurance discounts
Office alarm systems and smoke detection systems – to protect from theft and fire threats
Practice Continuation Agreement – to allow for continued operation of the practice in the event of incapacitation and/or absence of principal for an extended time
Assisting Accountant – Bylaw Regulation 704/4 requires that an assisting accountant be appointed
Networking and Strategic Alliances – In addition to formal arrangements, creating informal alliances will also help in times of need. A team of accountants may be able to help you more effectively and efficiently than one, particularly if they are impacted too, or the event occurs at a demanding time such as personal tax season
Personal care and maintenance – taking care of yourself physically and mentally to avoid a critical illness issue. Looking after the well-being of your staff to ensure the same. Know your lifestyle risks and minimize them to prevent a “crash” and the disruption to the practice it will cause
Hiring Policies – to ensure all staff are of good character and possess a high level of integrity. Check references thoroughly
Adequate insurance coverage – to ensure your out-of-pocket costs to restart are minimized, and that you have sufficient insurance to restart operations exactly as they were before the loss (not the way it was 10 years ago). Also, critical illness insurance needs to be considered
Types of insurance:
• Liability insurance: E & OE
• Life/Critical illness/Disability
• Office overhead – pays for expenses and a replacement practitioner
• Business premises and liability – to protect devices and assets, and against client injury
Secure storage of paper-based information – through the use of fireproof storage, or scan to backup discs
Emergency Supplies Kit/“Go Bag”: acquire an emergency kit and have it readily available and accessible. Kits can be acquired from various suppliers such as the Red Cross, which has two types available, for $59.95/$99.95. See the “Basic Emergency Kit” checklist from the Government of Canada included in your material
CREATE THE PLAN
MAJOR COMPONENTS OF A PLAN:
Backups – type (email, files, systems, lists, the plan itself), and location of backups along with the retrieval process. Has this process been tested ? If so, when ?
Timetable – how long from initial loss to recommencement of operations (full or partial) ? 72 hours is preferred, 120 hours at the latest. The longer it takes, the less likely the reopening is to succeed
Where will you reopen ? Is there an alternate facility location set ? How will they be advised of your requirement to use their facility ? The contact individual’s information should be in the plan itself
How will you reopen ? Who is responsible for this process and all of its components ? A list of individuals and their responsibilities should be in the plan. Everyone should have an alternate to handle their duties if the primary individual is unable to do so
Document all office procedures, in some degree of detail, so they can be easily replicated in an emergency situation
Inform and remind key people of the plan
Update for changes in people, places and technology
Assume, in the plan, a total loss situation – you can easily exclude specific steps if they are not applicable. It is harder to add steps “on the fly”
How will you pay – suppliers, personnel, yourself ? Do you have business interruption insurance ? If not, have you made the appropriate financial arrangements to carry on, i.e., loans, savings, etc.
Take photos of assets for insurance purposes
Online/offsite ‘mirror drive’ backups
Generally, cost is $4 – 5.00/GB per month
E.g. Simplyoffsite, Mozy, Xdrive, Storagepipe
See “onlinebackupguide.com” site
Identify critical systems and information that need to be maintained on an ongoing basis to comply with all regulatory and statutory requirements, i.e., tax, legal, CPA, etc. Determine which of these have been lost and/or compromised
office administration systems, such as time and billing, accounts receivable, accounts payable, payroll, etc.
functional work systems: file preparation, tax filing and research systems and software
The plan needs to be very mechanical and objective in form to preclude the need for decision-making in the crisis. This is not the best time to be making decisions of any kind as you will be subjected to varying levels of turmoil and confusion
Include appendices/schedules to the plan, which should include the following: A list of all contacts; A list of required software along with the appropriate access codes to redownload; A list of hardware and specifications; An organization chart delineating various responsibilities; A client list including addresses and telephone numbers and Email addresses; A suppliers listing including addresses, phone numbers and contacts
Integrate your business disaster recovery plan into your personal disaster plan, which will generally include basic survival planning. The tools you will have in your personal plan may be useful in your business plan – items such as first aid kits, flashlights, food, water, portable power units, etc. You may want to duplicate some of those items in the office facility
SAMPLE PLAN
Here is a sample, and very simplified, outline of a Disaster Recovery Plan:
1. Determine the urgency and magnitude of the crisis:
is the loss total or partial ?
is it software/data related only, or also hardware ?
does it require setting up at a new location ?
does it involve the loss of personnel or a principal of the business ?
2. Based on the answers to the first question, determine the systems and/or personnel that need to be replaced and/or restored
3. Once it has been determined what needs to be restored/replaced, reacquire the appropriate software/hardware, contact and advise the applicable personnel, and arrange to relocate to new facilities, if needed. Determine the timetable for the recovery, by date and hour. Utilize the appendices/schedules previously prepared to facilitate this process
4. Once a ‘recovery’ location and time has been specified, gather the appropriate assets at the predetermined time and location, and commence recovery procedures, which will have been tested and run through in the testing phase of the recovery plan. Location and integrity of assets needed should be ensured by the periodic testing process
5. Prioritize the systems that need to be restored first, then those of secondary importance, e.g., financial statement preparation and tax software may need to be done first, if there are deadlines approaching for clients, with business operational systems restored later (time and billing, etc.). Determine how data is to be collected in the interim for systems not immediately restored
6. Once you have reached a level of functionality, and have a degree of operational stability, advise clients whose work is in process with the firm of the status of their work
7. Having attained a degree of stability, determine the duration of the need for operations as they are currently (permanent, or, if temporary, for how long). This will determine how the practice will proceed operationally – whether to acquire furniture and other permanent assets, to look for a more suitable permanent facility, to replace a lost member of the firm, etc.
At this point, the business should be able to carry on in an uninterrupted fashion indefinitely. Short, medium and long term recovery plans should be developed at this time to secure the future of the business
TEST THE PLAN
Periodically test, or dry run, the plan to ensure its effectiveness in a crisis situation.
Testing will ensure all of the components are up to date, that alternate facilities are up to the latest requirements, and that the backups are restorable in a proper form and in a reasonable time frame
It keeps staff familiar with the procedures needed to restart the practice
“Practice makes perfect”
If the plan is not tested, and there are critical flaws, after there is a real crisis it is too late to fix them – it could cost you your business
THE FINAL WORD
It CAN happen to you
Just because you prepare for disaster doesn’t mean that it is an inevitability – but if a crisis does occur, and you are not prepared for it, your practice will likely collapse in spite of your efforts
Disaster recovery planning provides for a recovery of the business from various levels of disruption – from a ‘simple’ hard drive failure to a complete loss of the business, to a continuation of the business even in the absence/loss of a principal
Being prepared can save you from substantial financial loss and personal stress, and minimize the disruption of your personal and professional life
Create a plan, Test the plan, and Continuously Update that plan
BE READY AND BE SAFE !
Thank you for your time.