Sample Risk Assessment Questionnaire for Business Continuity Planning BCP DRP
Business Continuity Planning is an area often neglected by many organizations. There are many definitions of business continuity planning. One of the popular definitions is:
"Business Continuity Planning essentially is a process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change."
Organizations are often confused as to how to go about planning for business continuity. I have put together a sample risk assessment questionnaire that you can use for assessing the status of your business continuity plan. Feel free to print out this questionnaire. For each question, record a YES / NO answer and a priority.
Area 1 - Fire Exposure
1. Is the computer room housed in a building that is fire resistant or non-combustible?
2. Are the areas surrounding the data center protected from fire?
3. Are the raised floor tiles and hung ceiling tiles non-combustible?
4. Can the walls, doors, partitions, floors, furniture and window coverings in the data center resist the spread of fire?
5. Does the data center have adequate automatic fire extinguishing systems?
6. Are flammable and otherwise dangerous materials and activities prohibited from the data center and surrounding areas?
7. Are flammable materials which are used for computer maintenance stored in small quantities in fire-resistant containers?
8. Are paper and other supplies stored outside the computer area?
9. Is there fire and smoke detection equipment in the data center, under the floor, in the air ducts, in the ceilings?
10. Are portable fire extinguishers in suitable locations?
11. Are clear and adequate fire instructions plainly posted?
12. Is the fire department telephone number clearly posted?
13. Are the fire alarm switches clearly visible, unobstructed and easily accessible at points of exit?
14. Can the fire alarm be activated manually?
15. Does the fire alarm sound: outside of the data center, at a guard station, at the local fire station?
16. Is there an emergency evacuation exit that is different than the main exit?
17. Is there an evacuation plan posted?
18. Is there an adequate supply of clean agents (i.e., water, CO2, inert gas, FM-200, FE-13 etc.) for fire fighting?
19. Does emergency power shut down the air conditioning?
20. Are fire and smoke detection equipment checked and tested on a regular basis?
21. Can emergency crews easily gain access to the data center?
22. Are fire drills held regularly?
23. Are tapes and other storage media stored at another location?
Area 2 - Water Damage Exposure
25. Are the computers above ground and protected from flooding?
26. Is there a drainage system in the area of the data center?
27. Can the data center ceiling protect the room from leaks in overhead water pipes?
28. Is there protection against accumulated rainwater or leaks in the rooftop cooling towers?
29. Are floor level electrical junction boxes protected?
30. Other Natural Disaster Exposures — Probability of Threat (H/M/L)
31. Can the Department withstand: high winds, tornadoes, earthquakes?
32. Are the data center and equipment grounded for protection against lightning?
Area 3 - Electricity and Telecommunications
33. Are generators and transformers located outside of the data center?
34. Is there an emergency lighting system in the data center?
35. Is the data center equipped with power conditioning to protect against power surges?
36. Are there backup power sources available?
37. Do alternate voice and data transmission services exist?
38. Is there protection from unauthorized access to the telecommunications system?
39. Is there a shutdown checklist provided in case of emergency?
40. Are the machine operators familiar with shut down procedures?
Area 4 - Air Conditioning
41. Are the air conditioning system and power supply for the data center separate from the rest of the building?
42. Is there backup air conditioning available?
43. Is the fresh air intake located above ground level and away from smoke stacks and sources of combustible dust and gas?
44. Are air conditioning and emergency shutoff switches linked? Are switches easily accessible?
Area 5 - Facility Access Control
45. Are there procedures to guard against vandalism, sabotage, and unauthorized intrusion?
46. Are there windows that can be broken to gain access to the data center?
47. Are there procedures for data center personnel to handle: unauthorized intruders, bomb threats, notifying the local police?
48. Are security devices checked and tested on a regular basis?
49. Do any of the following pose a threat to the data center based on their proximity to the data center: loading ramps, cafeteria or workshops, storage areas, outside walls, power panels, heavy usage of electrical equipment?
50. Are there access controls during regular and off-hours: to other departments, to the computer room?
Area 6 - General Housekeeping
51. Is the data center kept clean and orderly?
52. Are food and beverages prohibited in the data center or at least confined to a designated area?
53. Is smoking banned in the data center?
54. Is there a media cleaning and rotation schedule?
55. Is there adequate lighting for all areas?
Area 7 - Organization and Personnel
56. Are there company personnel responsible for data center security?
57. Does management have procedures for dealing with disgruntled employees?
58. Have recovery teams been selected in the event of a disaster?
59. Are there disaster plans in place?
Area 8 - Backup and Recovery
60. Is there an inventory of critical files?
61. Have specific task assignments been made for all personnel for recovery strategy procedures?
62. Are duplicate data files and copies of all computer programs stored at another location?
63. Is a backup computer available? If so, can it adequately handle critical processing requirements?
Area 9 - Magnetic Tapes and Disks
64. Is there an inventory list of tapes and disks?
65. Do procedures exist for controlling tape and disk storage?
66. Is the alternate storage site protected from fire, flood, dust, vandalism, theft, etc.?
67. Is access to the library restricted to authorized personnel only?