“SLOSH” ZoneCentralWelcome To Florida!!!

Are you prepared to recover from a disaster?

ARMA Chapter MeetingJune 18, 2013

Donna Read, CRM, CIDA+dlread@verizon.net

What is a SLOSH zone?• Sea and Lake Overland Surge from Hurricanes

• Surges of water that exceed normal height

• If coastal, then it comes with the tide and stays as long as the tide

• If near a lake, then it is the overflow from the lake after a hurricane or excess rain

Impact of Data Disasters on U.S. Companies

43% did not reopen after a disaster & 29% more closed within 3 years.

93% that suffered a significant data loss went out of business within 5 years.

Source: Disaster Recovery Journal

Remember Katrina?

DefinitionsDefinitionsWhat do we mean by “disaster?”What do we mean by “disaster?”A disaster is any event that causes a A disaster is any event that causes a

loss of life, records, property, or disrupts loss of life, records, property, or disrupts business operationsbusiness operations

A disaster can be isolated and affect A disaster can be isolated and affect only one person--a car wreckonly one person--a car wreck

A disaster can affect many people--warA disaster can affect many people--war

Disaster PlanningDisaster Planning

What is the goal of disaster planning?What is the goal of disaster planning?

There are two closely related goals:There are two closely related goals: Mitigate the effects of a disaster by Mitigate the effects of a disaster by

having a tested, comprehensive having a tested, comprehensive plan in placeplan in place

Recover from a disaster as speedily as Recover from a disaster as speedily as possible possible

Disaster PlanningDisaster PlanningWhat would mitigate a disaster?What would mitigate a disaster? Having certain records protected in a Having certain records protected in a

vital records planvital records plan

Providing rapid response in a disasterProviding rapid response in a disaster contacting fire, police departmentscontacting fire, police departments knowing how to recoverknowing how to recover

Knowing who is responsible for what Knowing who is responsible for what

Disaster PlanningDisaster PlanningHow do we ensure that our records will How do we ensure that our records will

survive a disaster?survive a disaster? Create a planCreate a plan

Identify all those who have a stake in Identify all those who have a stake in recoveryrecovery

Include records management, Include records management, IT, IT, legal, safety officer, legal, safety officer, and and othersothers

Disaster Planning – Role of IT

Responsible for electronic records

Ensures backups are performed

Store backups off-site

Arranges for mirroring, hot sites, cold sites, mobile sites

Data recovery – knows the priorities

Knows hardware/software needed for access

Disaster Planning – Role of RM

Inventory records

Identify vital records

Responsible for non electronic vital records

Arranges off-site storage of non electronic vital records

Analyze The Threat Look at natural and man made

threats.

Are you sitting in a SLOSH zone, if so which one?

Next to a rail line, what is being transported on the rail cars?

How far are you from a nuclear power plant, a river?

Are you in a highly competitive business?

Levels of Disaster

Lost DocumentSubfunction affectedOne or two functions affectedDestruction of major building-nonwork hoursDestruction of major building-working hoursSevere localized natural disasterMost sever conceivable-national scope

Obvious DisastersFire - electrical, arson, lightning

Water - hurricane, sprinklers, busted pipes

Structural - tornado, termites, sink holes

Power Outage – storms, terrorist, construction workers

Quiet Disasters Pest problems

Media decay

Technology obsolescence

Food spills

Light

Temperature

Humidity

Poor Records Management

Technological Disasters Unauthorized access, alteration or theft of data

System failure

Inadequate firewalls and antivirus protection

Backup tapes not checked for integrity

Machinery used too close to computer equipment

Incompatible software

Threat Levels 1 & 2 to Digital Infrastructure

Level 1: Nontechnical threat that impacts technical resources. This includes media threats and sabotage situations that don’t involve direct infrastructure attacks.

Level 2: Nontechnical attack; technical threat. This includes the loss of sensitive media/laptops and detection of unsuccessful intrusion attempts against vital systems.

Threat Levels 3 & 4

Level 3: Technical attack; potential for data loss. This includes failing hardware, successful intrusion attempts, and virus alerts.

Level 4: Data loss; small-scale system outage. This includes the loss of a single server, a single data system taken offline, and multiple nonvital services lost.

Threat Level 5

Level 5: Severe technical disaster. This includes data center destruction, a widespread virus attack, and multiple failures of vital data systems.

Why Have Threat Levels?Everyone in the organization will be on

same page.

You won’t waste vital time and resources disseminating information to staff.

A definitive systems for disaster response gives you an edge when it is time to document systems and procedures.

There are 5 levels of HurricanesCategory 1 storms have winds of 74-95 miles

per hour, making them the weakest of hurricanes. Even these storms can generate a storm surge of 4 or 5 feet above normal high tide.

Category 2 storms have winds of up to 110 miles per hour, and can push a storm surge of 6 to 8 feet.

Category 3 storm winds can reach 130 miles per hour. This is the cutoff for "major" hurricanes, with commensurate storm surge potential of 9 to 12 feet.

Hurricane Categories cont.Category 4 winds can be as high as 155 miles

per hour, and such a storm brings a 13 to 18 foot storm surge.

Category 5 storms, with winds greater than 155 miles per hour, are very rare. These monsters can have storm surges of over 30 feet. Only 2 such hurricanes have hit the U.S. this century - Camille in 1969 and Andrew in 1992. Katrina was downgraded to a Cat. 4/3

Recent History - 2004Charlie was a category 4

14 foot storm surge in Tampa Bay

Frances was a category 413 to 18 foot storm surge.

Ivan reached category 5 storm surges of over 20 feet

Does Your Disaster Plan Have Levels?

Depending upon your location the difference between a category 1 and category 5 hurricane might be placing the CPU on the desk or removing it from the building.

Critical Business Functions

What would put you out of business?

What critical functions does your organization perform?

What records and infrastructure are needed to support those functions?

Vital Records--What are They?Vital Records--What are They?

Vital Records provide the means for Vital Records provide the means for your your business to resume business to resume operations after a operations after a natural or natural or human disasterhuman disaster

Two Types:Two Types: Emergency operatingEmergency operating

records records Legal and financialLegal and financial

rights records rights records

Vital Records Needed During Emergency

Staff Contact and Assignment InformationEmergency/Continuity of Operations PlanOrders of Succession and Delegations of

AuthorityPolicy, Procedural, and Systems ManualsBuilding BlueprintsSoftware Documentation List of Who has the Credit Cards so Emergency

Purchases can be madePayroll and Accounts Receivable (if emergency

is of long duration)

Vital Records Not Needed Immediately During the

Emergency Payroll and Accounts Receivable (If

emergency is of short duration)

Social Security and Retirement

Public Safety Records

Titles, Deeds, and Contracts

Licenses and Long-term Permits

Vital Records--Vital Records--ProtectionProtection

Ensure that Vital Records are Ensure that Vital Records are identified identified and included in disaster and included in disaster planplan

Include electronic records Include electronic records

Involve upper management in this Involve upper management in this program; support is keyprogram; support is key

Vital Records--ProtectionVital Records--Protection

Four methods to protect Vital Records. Four methods to protect Vital Records. All have advantages and All have advantages and disadvantages. Choose carefullydisadvantages. Choose carefully

Vaults/fire resistant cabinets Vaults/fire resistant cabinets Off-Site Storage/Records CenterOff-Site Storage/Records Center Planned DispersalPlanned Dispersal Routine DispersalRoutine Dispersal

Inside TX HHS Bldg

Disaster Planning– Elements of a Disaster Planning– Elements of a PlanPlan

Create a plan – based on risk Create a plan – based on risk assessmentassessment

First and foremost--human safetyFirst and foremost--human safety Ensure everyone understands that Ensure everyone understands that

safety safety comes firstcomes first

Galveston Hurricane, 1900

Disaster Planning - Elements of a Disaster Planning - Elements of a PlanPlan

Appoint a team to be Appoint a team to be responsibleresponsible

Elements include Elements include prevention, prevention, preparation, action during preparation, action during disaster, & disaster, & recoveryrecovery

Assign prioritiesAssign priorities Know what needs to be Know what needs to be

saved first, saved first, second, second, third, etc.third, etc.

Disaster Planning - Elements of a Disaster Planning - Elements of a PlanPlan

Develop a list of supplies you will Develop a list of supplies you will needneed

Have a sheet of contacts, who will Have a sheet of contacts, who will contact whom, and whencontact whom, and when

Have multiple copies of this Have multiple copies of this information and keep in multiple information and keep in multiple locationslocations

Disaster Planning - Elements of a Disaster Planning - Elements of a PlanPlan

Know your buildingKnow your building Floor plansFloor plans Emergency cut off switches for Emergency cut off switches for

utilitiesutilities

Know your neighborhoodKnow your neighborhood Hazards around youHazards around you Flood plain, etc.Flood plain, etc.

Disaster Planning - Elements of a Disaster Planning - Elements of a PlanPlan

Keep it updatedKeep it updated Current telephone Current telephone

numbers, etc.numbers, etc.

Re-examine Re-examine yearly--at leastyearly--at least

Disaster Planning - Elements of a Disaster Planning - Elements of a PlanPlan

Test the planTest the plan Mock disastersMock disasters

Make them Make them meaningfulmeaningful

Disaster will Disaster will strike, strike, so be so be readyready

Arlington, TX Tornado March 2000

Disaster Planning – Testing Disaster Planning – Testing Cont.Cont.

Is plan out of date Bottlenecked data links Test becomes a disaster Acceptable down-time

changes Needed personnel were

not available Personnel was not trained

to recover data Equipment not available

Disaster Planning – Testing Disaster Planning – Testing Cont.Cont.

Identify areas that need modification

Review reliability of backup systems, facilities & procedures

Assure backup & duplication systems are adequate & appropriate

Assure training is adequate

Ensure that recovery & salvage procedures are adequate

Disaster RecoveryDisaster RecoveryWhat would help a rapid recovery?What would help a rapid recovery? Knowing how records will be Knowing how records will be

salvagedsalvaged

Knowing vendors for Knowing vendors for supplies/services and having supplies/services and having some supplies on handsome supplies on hand

Reducing confusionReducing confusion after a disaster after a disaster

Knowing where recordsKnowing where records are located are located

Priorities in the Recovery Process

People First – find and account for your people

Physical environment – stabilize it

It Systems (This should be documented so well that anyone can restart systems, etc.)

Paper, film, and other media

Assess the Damage

How much damage?Kind? (Document on paper & photo)Confined?Records affected – vital or not?Media?Replaceable?Outside help needed?

Is Paper Relevant?It is estimated that 90% of information is still

retained on paper

2.7 billion sheets generated daily

Average document is copied 19 times

200M documents filed daily

World-wide consumption of paper has tripled in the last 3 decades.

Freezing Records Immediate stabilization of

affected records

Protects most damaged records until they can be treated

Freezer trucks or coldplants for big volumes

Chest freezer or lunchroom fridge for small volumes

Disaster Planning--Disaster Planning--SummarySummary

Know who will do what whenKnow who will do what when

Plan to provide recovery suppliesPlan to provide recovery supplies

Ensure safetyEnsure safety

Prevent or mitigate disastersPrevent or mitigate disasters

Plan for the worst, hope for the bestPlan for the worst, hope for the best

Disaster Planning--Disaster Planning--SummarySummary

Disaster planning mitigates your Disaster planning mitigates your losses if losses if disaster strikes disaster strikes

A good plan allows you to recover A good plan allows you to recover and and to deliver your services quicklyto deliver your services quickly

A disaster plan is always evolving; A disaster plan is always evolving; update frequentlyupdate frequently

Thank You Very Much

Donna Read, CRM, CDIA+www.Donnaread.com

727-781-0568