Disaster Recovery and Business Continuity Template Update Released

Janco released Version 8 of its Disaster Recovery Business Continuity Template. It now includes 17 electronic forms and a new Business Impact Analysis tool

Janco Associates has just released version 8.0 of its industry standard Disaster Recovery Business Continuity Template.

Over 3,000 companies from 150 countries have selected the Janco Disaster Recovery Business Continuity Template as their product of choice.

Included with this version are 9 electronic forms to help create the plan and keep it up to date, and 8 electronic forms for use during execution of the plan that aid compliance with a company’s safety program during the recovery process.

Many of the best features of the template are newly created electronic forms and best practices that are clearly defined within the product. Also included is a Business Impact Analysis updated for mobile devices and BYOD.

The Disaster Recovery and Business Continuity template is delivered electronically and comes as an easily modifiable Microsoft WORD document. The template is over 250 pages long and includes everything needed to customize the Disaster Recovery Plan to fit an organization’s specific requirements. The document includes proven written text and examples. Included are:

  • Business Impact Analysis, including a sample impact matrix
  • Organization Responsibilities pre and post disaster (DRP checklist)
  • Backup Strategy for Data Centers, Departmental File Servers, Wireless Network servers, Data at Outsourced Sites, Desktops (in office and “at home”), Laptops, PDAs and BYOD
  • Recovery Strategy including approach, escalation plan process and decision points
  • Disaster Recovery Procedures in a checklist format
  • Incident/Media Communication Plan
  • Plan Administration Process
  • Technical Appendix including definition of contact points
  • Job Description for Disaster Recovery Manager (3 pages long); job descriptions for the entire disaster recovery team are also available in the premium version of the offering
  • Work Plan to modify and implement the template


Risk Assessment Methodology

The following Risk Assessment Methodology is extracted from Janco’s Security Manual Template. Risk management is a process to identify, assess, manage and control potential events to provide reasonable assurance regarding the achievement of business objectives. The risk management process has five key objectives:

  • Identify and prioritize risk arising from business strategies and activities
  • Determine the level of risk acceptable to the enterprise (risk appetite)
  • Design and implement risk mitigation activities designed to reduce risk
  • Perform on-going monitoring activities to re-assess risk and the effectiveness of controls
  • Communicate periodic risk management process reports to management

The risk management process should not be treated primarily as a technical function carried out by IT staff, but as an essential management function of the enterprise. The principal goal of the Information Technology Security Risk Management Program is to protect IT assets and the enterprise’s ability to carry out its mission in the face of potential threats to those assets.

The purpose of the IT Security Risk Management Program is to:

  • Comply with the Board of Directors’ enterprise risk guidelines, as well as other state and federal regulations, to develop, implement, and maintain a security plan with appropriate and auditable security controls;
  • Provide a governance framework for understanding potential risks to IT assets based on the security plan;
  • Provide guidelines for evaluating and documenting the management, operational and technical security environment of IT assets; and
  • Provide management with direction, planning, and guidance in the area of information security.

The scope of an IT Security Risk Management Program should include the physical and logical perimeter of the local-area network. The Program will assess tangible and intangible assets (e.g., people, data, facilities, technology) as well as the effectiveness of security controls (e.g., management, operational, technical).

The risk assessment approach uses qualitative risk analysis techniques, relying on subjective judgment, to determine the overall risk to IT assets. Qualitative risk analysis techniques employ the product of two elements, the likelihood of an event occurring and the impact should it occur, to determine risk ratings, expressed in terms of low, medium and high.

The risk assessment approach follows the Control Objectives for Information and Related Technology (COBIT) framework.

Phase 1 – Identify and Understand IT Strategy

A fundamental element of risk assessment is to gain an understanding of the business objectives and to determine how IT is used to support the achievement of those objectives. Defining an IT universe provides an inventory of key computing environment components to determine which IT areas pose a business risk. IT universe elements are classified under five categories:

  • Strategic – high-level goals, aligned with and supporting the enterprise’s mission
  • Operations – effective and efficient use of IT resources
  • Compliance – compliance with applicable laws and regulations
  • Reporting – reliability of reporting
  • Data Classification – the level of sensitivity (confidential, sensitive, public)

Phase 2 – Inherent Risk Assessment

Risk is defined as the likelihood of an event occurring and the potential impact it may have on the achievement of business objectives should it occur. Inherent risk is the risk related to the nature of an objective before internal controls are applied. Based on the ISO/IEC 27002 framework, the likelihood and impact are assessed for each identified risk and calculated using a weighted matrices approach with a rating scale, expressed in terms of low, medium and high.

Each identified risk is assigned a risk response that determines how the risk will be handled:

  • Accept – acknowledge the risk’s existence, but take no preemptive action
  • Reduce – implement internal controls to mitigate the risk
  • Transfer – share the risk (e.g., insurance, third-party contract)
  • Avoid – eliminate the condition that allows the risk

Identified risks assigned a “high” risk rating may not have a risk response of “accept”. Acceptable risks must be supported by a validated business case and reviewed in conjunction with the risk assessment cycle.

Phase 3 – Internal Control Assessment

An effective internal control environment provides reasonable assurance regarding the effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations. Internal control activities are actions, supported by policies, which help to increase value and reduce risk.

Phase 4 – Residual Risk Assessment

Residual risk is defined as the risk remaining after internal controls have been applied. Based on the residual risk identified from the control activity, the likelihood and impact are calculated using a weighted matrices approach with a rating scale, expressed in terms of high, medium and low.

Phase 5 – Risk Assessment Results

Results from the risk assessment are expressed using a heat map showing the inherent risk levels of the IT universe across four domains: strategic, operational, compliance and reporting, using the following risk ratings:
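The following Python script is an added worked example of Phases 2, 4 and 5 above, not part of Janco’s template: it rates inherent risk as likelihood × impact on a low/medium/high scale, enforces the rule that a “high” inherent risk may not be “accepted”, derives residual risk once a control is credited, and builds the per-domain heat map. The numeric cut-offs, the “control lowers likelihood by 0–2 steps” model and the sample register are assumptions constructed for the example; the page’s own weighted matrices and rating table are not reproduced here.

```python
"""Qualitative risk register: inherent rating, response check, residual rating,
per-domain heat map. Added example, not Janco's tool; thresholds are assumptions."""

LEVELS = {"low": 1, "medium": 2, "high": 3}
DOMAINS = ("strategic", "operational", "compliance", "reporting")

def rate(likelihood: str, impact: str) -> str:
    """Rating = likelihood x impact on a 1..3 scale; cut-offs (assumed): <=2 low, <=4 medium, else high."""
    score = LEVELS[likelihood] * LEVELS[impact]
    return "low" if score <= 2 else "medium" if score <= 4 else "high"

def lower_level(level: str, steps: int) -> str:
    """Drop a likelihood level by the number of steps a control is credited with (floor: low)."""
    idx = max(1, LEVELS[level] - steps)
    return next(name for name, value in LEVELS.items() if value == idx)

def residual(risk: dict) -> str:
    """Residual rating once the control is applied (assumption: a control lowers likelihood
    by 0-2 steps and leaves impact unchanged)."""
    return rate(lower_level(risk["likelihood"], risk.get("control_steps", 0)), risk["impact"])

def check_responses(risks: list) -> list:
    """Policy check from Phase 2: a 'high' inherent risk may not carry an 'accept' response."""
    return [r["id"] for r in risks
            if rate(r["likelihood"], r["impact"]) == "high" and r["response"] == "accept"]

def heat_map(risks: list, residual_view: bool = False) -> dict:
    """Count risks per domain and rating, inherent (Phase 5) or residual (Phase 4)."""
    grid = {d: {"low": 0, "medium": 0, "high": 0} for d in DOMAINS}
    for r in risks:
        rating = residual(r) if residual_view else rate(r["likelihood"], r["impact"])
        grid[r["domain"]][rating] += 1
    return grid

# Constructed sample register; the entries are illustrative, not real findings.
REGISTER = [
    {"id": "R1", "domain": "operational", "likelihood": "high", "impact": "high",
     "response": "reduce", "control_steps": 2},    # tested backups: likelihood high -> low
    {"id": "R2", "domain": "compliance", "likelihood": "medium", "impact": "high",
     "response": "accept"},                        # high inherent risk accepted: flagged
    {"id": "R3", "domain": "reporting", "likelihood": "low", "impact": "medium",
     "response": "accept"},
    {"id": "R4", "domain": "strategic", "likelihood": "medium", "impact": "medium",
     "response": "transfer", "control_steps": 1},
]
```

Running `check_responses(REGISTER)` flags R2, and comparing `heat_map(REGISTER)` with `heat_map(REGISTER, residual_view=True)` shows R1 moving from high to medium once its control is credited.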


Phase 6 – Risk Mitigation and Monitoring

Risk mitigation involves evaluating and implementing the appropriate risk-reducing controls recommended from the risk assessment process. Based on a cost-benefit analysis, the recommended control will be prioritized and assigned to a responsible party for implementation.

Risks should be reviewed and monitored based on the following review schedule:
