Contingency and Business Continuity Plan
Information technology and information systems are the foundation of EasyShopping. Because these resources are essential to the success of the business, it is crucial that the services they provide work effectively without unnecessary disruption. These resources are susceptible to a range of disruptions, such as power outages, fire, floods, equipment destruction, system failure and terrorist attacks. These vulnerabilities can be minimized through solutions at the technical, operational and managerial levels, but it is impossible to eliminate the risks completely. Contingency planning can diminish the possibility of service and system failure by focusing on well-organized and valuable recovery plans.
Comprehensive Contingency and Disaster Recovery Plan
Contingency and Disaster recovery policy
The contingency and disaster recovery plan must define a clear policy that is both effective and efficient. It should state EasyShopping's goals together with its organisational structure and tasks. The policy must cover roles and duties, resources, training, plan testing, plan maintenance, and backup frequency and storage. These policies should be tied to related activities such as information technology security and processes, disaster awareness, human resources and physical security. These activities must fit the needs of the programme in each relevant area.
Business Impact Analysis
The business impact analysis determines contingency requirements and relates particular system components to the services they provide. It defines the effect of a disruption on those system components.
Identify crucial resources
Identifying crucial resources generally takes two steps. First, the full range of services and support provided by the system, whether managerial, technical or operational, should be characterized. This should include the internal and external contacts related to the system. Doing so helps in identifying and managing the contingency plan.
Next, the system needs to be evaluated to find the relationship between critical services and system resources. This analysis helps identify infrastructure needs such as electricity, telecommunications and environmental controls. It also helps identify the critical resources, such as routers, application servers and authentication servers, that are needed to support the critical services discovered.
Impacts on procedures and allowable outage time
After the crucial resources have been identified, they must be analysed to find out the impact on operations if any of them is damaged. There are two ways to assess the impact. First, the consequences of an outage must be tracked over time, which identifies the maximum allowable time that a resource may be denied before it prevents the performance of a crucial task. Second, the consequences must be tracked across associated systems and resources, describing any effects that a disrupted system may have on them.
The impacts on procedures and the allowable outage times described above are used to identify and prioritise the recovery schemes in the contingency plan. They help to save time, add information and tailor decisions about resource allocation and expense.
Identify Preventive Control
Different kinds of preventive control are available, depending on system configuration and nature: an uninterruptible power supply (UPS) and a gasoline-powered generator can provide backup electricity for all systems; equipment can be protected from fire by using fire and smoke detectors and suppression systems; backup media can be protected from water by installing a water detector in the room, and should be placed in a heat-resistant and waterproof area; plastic covers can be used to protect information technology equipment from water; a master shutdown switch for electric power should be available for use in an emergency; backup media and documentation should also be kept off site; backups must be taken regularly; and the system should be secured using encryption and data classification.
The preventive controls discussed above must be maintained in excellent condition so that they are effective in an urgent situation.
System backups must be taken on a regular basis in line with data backup policies. These policies should specify where data is stored, how files are identified and the method of transferring data to the offsite location. Different media can be used for data backup, such as optical disks, tape or magnetic disk. Different methods, such as direct access storage devices, floppy disks and electronic vaulting, can be used to take backups depending on the required data accessibility and reliability. Storing backup data in an offsite area is an excellent practice for any business. To use an offsite storage area, data is first backed up, then packed at the administration service and transmitted to the storage service. If any data is required from offsite, administration must contact the storage service to request the specific data. When choosing an offsite storage service, several things should be taken into consideration: whether the place is secure, its environmental and structural condition, whether data can be retrieved from the storage service in a suitable time, the chance of it being hit by the same calamity as the organisation, and the cost of calamity/improvement services, transport, etc.
Maintaining an Alternative Site
Backup media should periodically be stored at an alternative site, owned or leased, outside the business premises. This is a facility to which the organization's primary operations can be relocated in case of disaster, disruption or destruction. In deciding on an alternative site, EasyShopping will have to consider factors such as how far away the alternative site should be so that the same disaster does not affect both centres, the time it will take to communicate data between the two sites, and the cost of building, acquiring or maintaining the alternative site.
Disruptions with long-term effects are neither regular nor predictable, and a good sum of money is invested in setting up an alternative site; still, such sites are needed to support system operations in extreme cases. These sites have all the necessary infrastructure, such as electricity and telecommunications, and are secure; however, they are divided into different categories based on the time they need to fully support the backup plan.
EasyShopping can choose between a Cold Site, which is relatively cheap but takes a longer backup time because it does not have any of the IT infrastructure needed for backup, and a Warm Site, which is modestly equipped and has a shorter recovery time. These are cost-centred choices. The best alternative is a Hot Site, which guarantees the fastest recovery time because it is fully equipped to support the primary operations of an organization, but the cost of setting up a Hot Site is higher than that of the two discussed above.
A mirrored site is the best solution: the mirrored site has exactly the same system and configuration as the primary system, with recent data. It is the most effective solution for data backup; however, it is also the most expensive one, because both the primary site and the mirrored site must have the same hardware, software and associated settings.
The decision on a particular alternative site for EasyShopping depends on the budget and the sensitivity of its business operations.
Substituting Equipment on Demand
If any IT equipment is damaged or otherwise unavailable, the necessary system should be activated. There are three key strategies for substituting equipment.
Service Level Agreements with Retailers
The agreement with the retailer should clearly state the response time after notification. It should also state EasyShopping's priority status for the delivery of equipment, both when equipment is purchased and when EasyShopping is facing a disaster. The details of the agreement should be kept in the contingency plan.
Keeping Equipment in Stock
Equipment that is required frequently can be bought in advance and stored in a safe place where the recovery process will take place. This strategy has a few downsides: the organisation must spend money in advance to purchase the equipment, and the equipment may become outdated as technology changes over time.
Using Compatible Equipment
Equipment that is currently being used by another organisation can be used by EasyShopping. An agreement can be made with an agency so that compatible and similar equipment used by that organisation will be accessible for contingency use.
When buying equipment, it should be considered that, rather than waiting for delivery, unused equipment can be put to use for the recovery operation. For this, however, cost and recovery time must be considered.
Dividing Responsibilities between Groups
Once the recovery strategy has been made, appropriate groups must be selected to implement it. Each group should be chosen for a specific task on the basis of its members' knowledge and skills. For example, the database recovery group should include a database administrator. Training must be provided to each group so that it can be deployed in the event of a disruptive situation. Each group should be assigned a group leader who is responsible for returning the system to normal condition by assigning tasks to each member under the recovery plan.
Understanding the purpose of the contingency plan is not enough for group members; they also need to know the course of action to be taken to carry out the recovery strategy. Each group should have enough members to remain viable in the absence of any one member. The contingency plan should also deal with a disaster that could render all members unavailable to respond. In such a case, the plan can be carried out only by hiring workers from a different organisation.
Consider the Limiting factor: Cost
The cost of recovery strategies such as equipment substitution and backup should take budget limitations into account. The budget should be enough to cover travel and delivery, hardware, software, testing, employment costs, guidance programmes, services, and resources such as telephones and stationery.
Testing and Training
Testing the plan helps to identify its deficiencies. It also assesses the ability of the recovery staff to apply the strategy rapidly and efficiently. The contingency plan should be tested to confirm the accuracy of the recovery process and its efficiency. Contingency tests must concentrate on areas such as system recovery from a backup source, coordination among recovery group members, system performance and operating procedures.
Training must be given at least once a year to all members who are responsible for carrying out the contingency plan. They should be trained so that they are able to carry out their particular recovery process without consulting the actual document, because it may be impossible to get the document after certain disasters. Every member should be trained in the principles of the plan, communication and coordination between team members, security, the process of writing reports, and team-specific and individual procedures for how to start, how to recover and how to restructure at the different stages.
The contingency plan should be maintained so that it reflects the exact system requirements, processes, structure and policies. Because information technology changes along with business requirements, policies and technologies, systems will change as well. It is therefore a fundamental necessity that an organisation's contingency plans and measures are reviewed and updated regularly. Generally, the plan should be revised yearly, or whenever considerable changes occur that could affect it. The contingency plan review should emphasise technical, security and operational requirements, software and hardware specifications, basic information on groups and vendors (both onsite and offsite), and crucial records.