Be Prepared: What to Include in Disaster Recovery Plan · Be Prepared: What to Include in Disaster...

Professional Development Course

Be Prepared: What to Include in Disaster Recovery Plan

COPYRIGHT © Chartered Professional Accountants of British Columbia

All rights reserved. No part of this publication/course material may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means (photocopying, electronic, mechanical, recording or otherwise) without the prior written permission of the copyright holder and publisher, applications for which shall be made to the Chartered Professional Accountants of British Columbia, 800-555 West Hastings Street, Vancouver, BC, V6B 4N6.

DISCLAIMER

This course material deals with complex matters and may not apply to particular facts and circumstances. As well, the course material and references contained therein reflect laws and practices which are subject to change. For these reasons, the course material should not be relied upon as a substitute for specialized professional advice in connection with any particular matter.

Although the course material has been carefully prepared, neither the Chartered Professional Accountants of British Columbia, the course author and/or firm, nor any persons involved in the preparation and/or instruction of the material accepts legal responsibility for its contents or for any consequence arising from its use.

September 2015

Be Prepared: What to Include inDisaster Recovery Plan

© 1

BE PREPARED !: WHAT EVERY BUSINESS SHOULD INCLUDE IN

THEIR DISASTER RECOVERY PLANTHEIR DISASTER RECOVERY PLAN


GLENROSA FIRE - 2009




© 2






TESTALINDEN FIRE - 2015


© 3


ROCK CREEK FIRE - 2015


VANCOUVER - 2015

IT CAN HAPPEN TO YOU B.C. fires of 2009/2015

Glenrosa Oliver and Osoyoos

IT CAN HAPPEN TO YOU


Grand Forks and Rock Creek

New Orleans, La. (08/29/05) Nepal earthquake Vancouver windstorm Ongoing general weather extremes


© 4

40 % of businesses lost in a disaster never reopen

Usually little or no time to prepare or evacuate

Glenrosa fire – we had 120 minutes to evacuate from the first evidence of the fire



from the first evidence of the fire

Vaughan, Ont. – no warning; 30 minute warning of potential possibility

Oliver fire – evacuation order at 2:00 AM

What if you weren’t in the area and couldn’t evacuate – no one was allowed into the Glenrosa area after the evacuation order was issued

You need to be prepared for a total loss of data



p pand/or facilities and be prepared to restart operations as if you couldn’t salvage anything from the old operation

One year later – 80 % of the homes and businesses were uninhabitable in New Orleans

Where would your business be ?


NEW ORLEANS - 2005


© 5


NEW ORLEANS - 2005

NATURAL

Environmental Fire

Flood

TYPES OF DISASTERS


Flood

Earthquake

Tornado

NATURAL

Biological West Nile

H1N1

TYPES OF DISASTERS


H1N1

SARS

Ebola

Critical injury or illness


© 6

MAN – MADE Sabotage

Terrorism

Hackers

TYPES OF DISASTERS


Hackers

Power grid surges/failures

Disgruntled employees

Hardware failures

Varying degrees of preparedness for any of the above disasters

Some give significant warning , some none at all

Sometimes, the damage isn’t found until well after the event, i.e., sabotage

Occasionally the full extent of the damage is never

TYPES OF DISASTERS


Occasionally, the full extent of the damage is never determined

Therefore, it is always best to have a recovery system in place that will allow for a recovery from a complete loss, in the event that the amount of loss

TYPES OF DISASTERS


p ,and/or compromise is indeterminate


© 7


VAUGHAN ONTARIO -2009


VAUGHAN ONTARIO -2009

To safeguard the business, its assets, and its ability to continue to function

For yourself, your family, your staff and your clients

To minimize disruption and facilitate restoration of

WHY PROTECT ?


To minimize disruption and facilitate restoration of the operations

To protect your professional reputation as a CPA


© 8

Backups Offsite – in a separate, secure location away from the

ongoing operations

Virtual or mirror drives – can be either an actual bl h d d i t d t th t

TYPES OF PROTECTION


removable hard drive connected to the system, or a remote provider that automatically backs up your complete system on a regular and ongoing basis for a monthly fee (see later slide)

Cloud backup – no official policy, but be careful of data vulnerability and application of non-Canadian security Acts (Patriot Act, etc.). It is estimated that 90% of Canadian internet traffic is routed via the USA

Offsite and/or portable hardware – to allow for restoration of systems after a loss, and to check on the integrity of backups

TYPES OF PROTECTION


g y p

Offsite listing of program codes – to allow reacquisition of programs downloaded through online access codes. Ensure codes are complete, as Emailed codes may be truncated

Careful use of systems – to avoid loss through viruses, theft of data and other consequences of careless use, i.e., cautious use of email, avoiding

TYPES OF PROTECTION


, , , gsuspicious websites, and the like. Be particularly cautious of email scams involving the CRA, “overdue invoices” or “resume/CV attached” – if you don’t recognize who the email is from, don’t open it, just delete it


© 9

Software security systems – such as antivirus programs, regular system scans, etc., to protect the integrity of data contained in the computer system

TYPES OF PROTECTION


g y p y

Passwords – to protect the data on an ongoing basis, and restrict use to authorized personnel

Use of the most recent versions of computer software – to allow for an easier recovery

Hard drive lockdown systems - to prevent removal of physical computer hardware.These may also get

TYPES OF PROTECTION


p y p y gyou insurance discounts

Office alarm systems and smoke detection systems– to protect from theft and fire threats

Practice Continuation Agreement – to allow for continued operation of the practice in the event of incapacitation and/or absence of principal for an

TYPES OF PROTECTION


p p pextended time

Assisting Accountant – Bylaw Regulation 704/4 requires that an assisting accountant be appointed


© 10

Networking and Strategic Alliances – In addition to formal arrangements, creating informal alliances will also help in times of need. A team of accountants

TYPES OF PROTECTION


pmay be able to help you more effectively and efficiently than one, particularly if they are impacted too, or the event occurs at demanding time such as personal tax season

Personal care and maintenance – taking care of yourself physically and mentally to avoid a critical illness issue. Looking after the well-being of your staff to ensure the same. Know your lifestyle risks

TYPES OF PROTECTION


and minimize them to prevent a “crash” and the disruption to the practice it will cause

Hiring Policies – to ensure all staff are of good character and possess a high level of integrity. Check references thoroughly

Adequate insurance coverage – to ensure your out-of-pocket costs to restart are minimized, and that you have sufficient insurance to restart to

TYPES OF PROTECTION


yoperations exactly as they were before the loss (not the way it was 10 years ago). Also, critical illness insurance needs to be considered


© 11

Types of insurance:• Liability insurance: E & OE

• Life/Critical illness/Disability

• Office overhead – pays for expenses and a

TYPES OF PROTECTION


Office overhead pays for expenses and a replacement practitioner

• Business premises and liability – to protect devices and assets, and against client injury

Secure storage of paper-based information –through the use of fireproof storage, or scan to backup discs

Emergency Supplies Kit/ “Go Bag”: acquire an

TYPES OF PROTECTION


g y pp g qemergency kit and have it readily available and accessible. Kits can be acquired from various suppliers such as the Red Cross who has two types available, for $ 59.95/$ 99.95. See the “Basic Emergency Kit” checklist from the Government of Canada included in your material

MAJOR COMPONENTS OF A PLAN: Backups – type (email, files, systems, lists, the plan

itself), and location of backups along with the retrieval process. Has this process been tested ? If so, when ?

Timetable how long from initial loss to

CREATE THE PLAN


Timetable – how long from initial loss to recommencement of operations (full or partial) ? 72 hours is preferred, 120 hours at the latest. The longer it takes the less likely the success rate is for the reopening

Where will you reopen ? Is there an alternate facility location set ? How will they be advised of your requirement to use their facility ? The contact individual’s information should be in the plan itself


© 12

How will you reopen ? Who is responsible for this process and all of its components ? A list of individuals and their responsibilities should be in the plan. Everyone should have an alternate to handle

CREATE THE PLAN


their duties if the primary individual is unable to do so

Document all office procedures, in some degree of detail, so they can be easily replicated in an emergency situation

Inform and remind key people of the plan

Update for changes in people, places and technology

Assume in the plan a total loss situation – you can

CREATE THE PLAN


Assume, in the plan, a total loss situation you can easily exclude specific steps if they are not applicable. It is harder to add steps “on the fly”

How will you pay – suppliers, personnel, yourself ? Do you have business interruption insurance ? If not, have you made the appropriate financial arrangements to carry on, i.e., loans, savings, etc.

CREATE THE PLAN


Take photos of assets for insurance purposes

Online/offsite ‘mirror drive’ backups Generally, cost is $ 4 – 5.00/GB per month

E.g. Simplyoffsite, Mozy, Xdrive, Storagepipe

See “onlinebackupguide.com” site


© 13

Identify critical systems and information that needs to be maintained on an ongoing basis to comply with all regulatory and statutory requirements, i.e., tax, legal, CPA, etc. Determine which of these have

CREATE THE PLAN


been lost and/or compromised office administration systems, such as time and

billing, accounts receivable, accounts payable, payroll, etc.

functional work systems: file preparation, tax filing and research systems and software

The plan needs to be very mechanical and objective in form to preclude the need for decision-making in the crisis. This is not the best time to be making decisions of any kind as you will be subjected to

CREATE THE PLAN


varying levels of turmoil and confusion

Include appendices/schedules to the plan, which should include the following: A list of all contacts; A list of required software along with the appropriate access codes to redownload ; A list of hardware and

CREATE THE PLAN


specifications; An organization chart delineating various responsibilities; A client list including addresses and telephone numbers and Email addresses; A suppliers listing including addresses, phone numbers and contacts


© 14

Integrate your business disaster recovery plan into your personal disaster plan, which will generally include basic survival planning. The tools you will have in your personal plan may be useful in your

CREATE THE PLAN


business plan – items such first aid kits, flashlights, food, water, portable power units, etc. You may want to duplicate some of those items in the office facility

Here is a sample, and very simplified, outline of a Disaster Recovery Plan:1. Determine the urgency and magnitude of the crisis: is the loss total or partial ?

SAMPLE PLAN


is it software/data related only, or also hardware ?

does it require setting up at a new location ?

does it involve the loss of personnel or a principal of the business ?

2. Based on the answers to the first question, determine the systems and/or personnel that need to be replaced and/or restored

3. Once it has been determined what needs to be restored/replaced, reacquire the appropriate software/hardware, contact and advise the applicable personnel, and arrange to relocate to new facilities if needed Determine the timetable

SAMPLE PLAN


new facilities, if needed. Determine the timetable for the recovery, by date and hour. Utilize the appendices/schedules previously prepared to facilitate this process


© 15

4. Once a ‘recovery’ location and time has been specified, gather the appropriate assets at the predetermined time and location, and commence recovery procedures, which will have been tested and run through in the testing phase of the

SAMPLE PLAN


and run through in the testing phase of the recovery plan. Location and integrity of assets needed should be ensured by the periodic testing process

5. Prioritize the systems that need to be restored first, then those of secondary importance, e.g., financial statement preparation and tax software may need to be done first, if there are deadlines approaching for clients, with business operational

SAMPLE PLAN


pp g psystems restored later (time and billing, etc.). Determine how data is to be collected in the interim for systems not immediately restored

6. Once you have reached a level of functionality, and have a degree of operational stability, advise clients whose work is in process with the firm of the status of their work

7. Having attained a degree of stability, determine the duration of the need for operations as they are currently (permanent, or, if temporary, for how long). This will determine how the practice

SAMPLE PLAN


will proceed operationally – whether to acquire furniture and other permanent assets, to look for a more suitable permanent facility, to replace a lost member of the firm, etc.


© 16

At this point, the business should be able to carry on in an uninterrupted fashion indefinitely. Short, medium and long term recovery plans should be

SAMPLE PLAN


g y pdeveloped at this time to secure the future of the business

Periodically test, or dry run, the plan to ensure its effectiveness in a crisis situation.

Testing will ensure all of the components are up to date, that alternate facilities are up to the latest

TEST THE PLAN


, prequirements, and that the backups are restorable in a proper form and in a reasonable time frame

It keeps staff familiar with the procedures needed to restart the practice

“Practice makes perfect”

If the plan is not tested and there are critical flaws

TEST THE PLAN


If the plan is not tested, and there are critical flaws, after there is a real crisis it is too late to fix them – it could cost you your business


© 17

It CAN happen to you

Just because you prepare for disaster doesn’t mean that it is an inevitability – but if a crisis does occur, and you are not prepared for it, your practice will

THE FINAL WORD


y p p , y plikely collapse in spite of your efforts

Disaster recovery planning provides for a recovery of the business from various levels of disruption –from a ‘simple’ hard drive failure to a complete loss of the business, to a continuation of the business

THE FINAL WORD


even in the absence/loss of a principal

Being prepared can save you from substantial financial loss and personal stress, and minimize the disruption of your personal and professional life

Create a plan, Test the plan, and Continuously

THE FINAL WORD


p , p , yUpdate that plan

BE READY AND BE SAFE !

Thank you for your time.

Be Prepared: What to Include in Disaster Recovery Plan · Be Prepared: What to Include in Disaster...

Documents

Transcript of Be Prepared: What to Include in Disaster Recovery Plan · Be Prepared: What to Include in Disaster...