The Project Disaster Recovery Plan
Posted by Brad Egeland
From my experience, it’s not often that you’ll put together a Disaster Recovery Plan that is project-specific. The exceptions are government projects – which sometimes require separate one-time documents for the project for which you charge dearly to put them together – and larger, very visible and mission critical projects that may involve highly sensitive data.
However, if you find yourself up against a wall and facing a deadline to put a DRP together, maybe this template will be just what you need. As with all the others I’ve posted over the past few days, if you want a Word doc version of this template, let me know and I’ll be happy to send it out to you. And, if you have your own version that you’d like to see posted and share with the readers here on PM Tips, send it along to me and I’ll see that it gets posted.
Disaster Recovery Plan
1.0 Preliminary Planning
This part of the plan describes the purpose, scope, assumptions, responsibilities, and overall strategy relative to the plan.
1.1 Purpose
Describe the reason and objectives for having a DRP.
1.2 Scope
Describe the extent of the coverage of the plan in concise terms.
1.3 Assumptions
A DRP is based on several categories of assumptions. Most can be established only after the completion of a risk assessment that includes the following information:
- Nature of the problem
- Priorities
- Commitments to or Assumptions of Support
1.4 Responsibilities
Document the specific responsibilities as assigned by management to all activities and personnel associated with the plan.
1.5 Strategy
The selection of appropriate strategies should follow the risk assessment. Until the risk assessment is completed, it is difficult to know the critical systems that must be maintained, and the demand for resources that will be made to support those critical systems.
1.5.1 Emergency Response
The strategies selected must provide a sufficient base upon which procedures can be devised which afford all personnel the immediate capability to effectively respond to emergency situations where life and property have been, or may be, threatened or harmed.
1.5.2 Backup Operations
Most backup sites will not have sufficient equipment, personnel, supplies, etc., to sustain the complete operational requirements of another facility. In this case, a more detailed backup strategy must be developed.
1.5.3 Post-Disaster Recovery Actions
The strategy for recovery must be linked closely with that of backup operations, as initiation of recovery actions may overlap.
1.6 Record of Changes
Each DRP should be preceded by a change audit record that lists all changes to this document, including the change number, change date, change detail, person making the change, and the date that the document is published.
1.7 Security of the Plan
This plan should be available to just those personnel affected by the plan.
2.0 Preparatory Actions
This part of the plan is key. Preparatory actions are critical to the emergency response, backup, and recovery from all but the most routine problems.
2.1 People
Provide names, addresses, and telephone numbers of all people, internal and external (vendors and/or contractors) who may be required in any backup or recovery scenario. Alternates should be designated.
2.2 Data
It is essential that all data on which backup and recovery are dependent be adequately recorded, stored offsite at a secure, environmentally safe facility, maintained in as current condition as is feasible, and occasionally tested to ensure validity.
2.3 Software
It is also essential that a current copy of the systems and application software programs be stored offsite at a secure, environmentally safe facility that will make that software available immediately.
2.4 Hardware
A DRP should minimize, to the greatest feasible extent, the dependence on rapid replacement of hardware. Define a list of the hardware and where replacements are available. Identify any contracts in place to ensure the availability of any hardware.
2.5 Communications
Define both the internal (LAN) and external (WAN) communications connectivity.
2.6 Supplies
Describe any special supplies that are needed.
2.7 Backup Site
Describe the location of the backup facility. When choosing a backup site, consideration should be given to accessibility, and the site should be free of whatever external problems are hampering the supported facility.
2.8 Space
Describe the physical location where the recovery operations will take place.
2.9 Power and Environmental Controls
Define the power and environmental controls that are required for the recovery.
2.10 Documentation
Describe all backup documentation that is kept in the offsite facility.
3.0 Action Plan
This part of the plan consists of the “what to do” actions to be accomplished by those personnel or activities identified in section 1.4, and should only consist of concise, short instructions of the specific actions to take in response to each of the categories below:
3.1 Emergency Response
Include the immediate actions to be taken to protect life and property, and to minimize the impact of the emergency.
3.2 Backup Operations
Describe what must be done to initiate and effect backup operations.
3.3 Recovery Actions
These should be limited to describing what to do in effecting recovery from disasters, including any alternate manual scenarios until the systems have been restored at the backup site.
4.0 Post-Disaster Review
Immediately after the resumption of the IT function, IT management should assess the success and adequacy of the plan, and update the plan accordingly.
Approved:
__________________________________________
Business Sponsor
__________________________________________
IT Director
__________________________________________
Development Director
__________________________________________
Infrastructure Director
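Section 2.2 of the template asks that backup data be kept current and "occasionally tested to ensure validity". The Python below is an added example, not part of the original template: it checks a trial restore against a manifest sealed at backup time. The HMAC key handling, the 7-day currency threshold and the sample file names are assumptions.

```python
import hashlib
import hmac
import json
import tempfile
import time
from pathlib import Path

MAX_AGE_DAYS = 7  # assumed currency threshold; the plan itself should set this


def sha256_file(path):
    """Stream a file through SHA-256 without loading it whole into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def seal(body, key):
    """HMAC over the canonical JSON form, so an edited manifest is detected."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(root, key, now=None):
    """At backup time: record one digest per file plus the creation time."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = {"created": int(time.time() if now is None else now), "files": files}
    return {"body": body, "hmac": seal(body, key)}


def verify_restore(restored, manifest, key, now=None):
    """At test time: compare a trial restore with the sealed manifest."""
    body = manifest["body"]
    if not hmac.compare_digest(seal(body, key), manifest["hmac"]):
        raise ValueError("manifest HMAC mismatch: altered manifest or wrong key")
    want = body["files"]
    found = {p.relative_to(restored).as_posix(): sha256_file(p)
             for p in restored.rglob("*") if p.is_file()}
    age_days = ((time.time() if now is None else now) - body["created"]) / 86400
    return {
        "missing": sorted(set(want) - set(found)),
        "modified": sorted(n for n in want if n in found and found[n] != want[n]),
        "unexpected": sorted(set(found) - set(want)),
        "stale": age_days > MAX_AGE_DAYS,
    }


def demo():
    """Constructed sample: back up three files, then damage the trial restore."""
    key = b"constructed-demo-key"  # a real key is held apart from the backup media
    samples = {"db/accounts.csv": b"id,name\n1,alice\n",
               "db/orders.csv": b"id,total\n1,9.50\n",
               "config.ini": b"[app]\nmode=prod\n"}
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restore")
        for root in (src, dst):
            (root / "db").mkdir(parents=True)
            for name, data in samples.items():
                (root / name).write_bytes(data)
        manifest = build_manifest(src, key, now=0)
        (dst / "db/orders.csv").write_bytes(b"id,total\n")  # truncated member
        (dst / "config.ini").unlink()                        # lost member
        (dst / "core.dump").write_bytes(b"\x00")             # stray file
        # Verify ten days after the backup was taken: older than MAX_AGE_DAYS.
        return verify_restore(dst, manifest, key, now=10 * 86400)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A non-empty `missing`, `modified` or `unexpected` list, or `stale` set to true, is a finding for the post-disaster review in section 4.0 of the template.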
Strategies for Managing a Mobile Team
Posted by Brad Egeland
I ran across a great document put together by Terrence Gargiulo for Makingstories.net. Mr. Gargiulo discusses what he feels are the top ten strategies for managing mobile workers. His full document is a very good read because he also discusses things such as risks and issues to consider when managing mobile workers. You can access his full document here.
I’m sharing this here because so many times as project managers we are overseeing the work of a very geographically dispersed team. In the past three years I’ve only managed one project with a team that I could see on a daily basis. Dozens of others involved remote workers all around the country.
Here are Mr. Gargiulo’s Top 10 Strategies for Managers of Mobile Workers as described in his document.
Top 10 Strategies for Managers of Mobile Workers
1. Focus on building relationships
You are now in the business of managing relationships. Once a quarter audit your time. How much time are you spending engaged in activities meant to foster stronger relationships with your mobile employees? Rate each relationship on a scale of 1 to 10 where 1 is weak and 10 is very strong. Craft a strategy for continuing to develop your strong ones and triage the weak ones. Ask yourself why they are weak and what you can learn from them. Avoid finger pointing and hold up the mirror to reflect on your own opportunities for improvement. Extreme cases of under-performance do not warrant time or effort. These however are few and far between.
2. Streamline communications
Consolidate and prioritize communications. Use email and IM (instant message), texting, blogging, threaded discussions, etc. for relationship-driven communications (i.e., staying in touch and being personal). Communications of an important nature should be cohesive and never delivered in fragmentary pieces that have to be cobbled together by the receiver. Mutually assess the communication preferences of yourself and your team members to develop a communication plan. Avoid assumptions and revisit your plan on a regular basis, especially when the nature of the work is about to change.
3. Incorporate less didactic forms of communications
Determining the right amount of detail and when to provide detail is an ongoing responsibility of a manager with a mobile worker. As a general rule, less is more. This leaves bandwidth for the times when lengthy, explicit instructions and information are essential for the work at hand. Try working with more story-based forms of communications. Sharing tidbits from the field and office in the form of stories, anecdotes, case studies (use cases), jokes, innocent productive gossip, and even metaphors will relay context, encode key pieces of information, and give mobile workers a sense of inclusion.
4. Spend more time listening
Obvious, but counterintuitive. When you are out of easy reach and you are tasked with managing the performance of others it’s easy to get sucked into the trap of needing to transmit lots of information. In most cases the opposite is what is most productive. Make listening a priority. This is the hardest and most tiring aspect of managing others. It is also the single most important thing you can do to accelerate the development of strong relationships. Listening is not enough. Keep an open mind. Be present and try to enter the perspective of the speaker. This will help you ask effective questions and identify what direction to go with your own needs and agenda. You’ll be surprised at what emerges.
5. Let mobile workers define communication and reporting practices they want to follow
Structure is critical. Adopt rules of engagement that place people at the center of their own decisions. Managers provide the boundaries and constraints but let employees define the working and communication styles, tools, and processes that will help them perform at their best. Set expectations on two fronts. First, treat these employees’ defined practices as privileges that can and will be modified if key performance metrics are not hit. Second, let employees know there will be times when a project or work requires less flexible, employee-driven communication and reporting practices.
6. Manage deliverables, not activities
Lots of project-oriented work is well suited to mobile workers. Even roles that are more task driven can be effectively managed if they are broken into deliverables. For mobile workers this may mean collapsing some of the activities of a business process or workflow that had manual checkpoints and controls associated with them into deliverables. Automation where possible can be used or batching activities into larger groups can transform task oriented jobs into deliverables. Realize that there can be many facets of people’s jobs that need to be adjusted to accommodate a mobile work style.
7. Engage in more frequent and informal performance management activities
When you manage mobile workers, relationships are at the heart of your job. Performance management does not need to be a loathsome, “administrivia” obligation. Designing some unstructured, informal ongoing dialogs with mobile employees about their performance goals and personal development plans is a great way to strengthen communications, and shows an active interest in employees and relationships. This might look and feel very different from one employee to the next. This is another tangible way managers can adapt their style to match the needs and preferences of employees. It works best when the performance management conversation flows in both directions.
8. Give complete trust until given a concrete behavioral reason to do otherwise
According to a recent survey conducted by HR.com and ic4p, listening and trust are the two most important factors to virtual and remote teams. Without trust, relationships are bankrupt. Abuses of trust can always be found but these occur in spite of whatever systems we put in place. Mobile workers thrive when managers give them complete trust. In some respects managers of mobile workers have no other choice. Use trust to create strong relationships. When some concrete behavior and not just someone else’s word of mouth shows that trust has been violated, then take it away, but not until then.
9. Use adaptive management styles tailored to individual workers
Every employee is different. Mobile workers make it easier for managers to take a more personalized approach in how they work and interact with members of their team. It takes more work and effort on a manager’s part but the results can be phenomenal. Understanding what enables each employee to perform at his or her best is the most important responsibility of a manager.
10. Leverage technology
Technology drives and supports managing mobile workers. Using technology well is not as simple as it appears. Standard models of communication and transaction should not always be mapped in a simple one-to-one way. Communication and collaboration technologies offer new and exciting models. These need to be purposely exploited in order for organizations to realize the full extent of benefits these wonderful new capabilities and features offer.
Beyond email, IM and phone, Web conferencing plays a key role in virtual team enablement. Take an inventory of “stuff” you need to collaborate on with your virtual team. If the list includes Word docs, spreadsheets, software applications, or anything else on your desktop, Web conferencing will be critical for collaborating in real time. Your projects will lag if you can’t be on the same page with mobile workers.
The IT Auditor’s Role in Risk Assessment
Posted by Brad Egeland
In continuing our discussion of the IT Auditor’s Role in the Project Management Process, we will now look at the auditor’s role in risk assessment. Much of this information comes from the book “Information Technology Control and Audit” and it identifies that the auditor’s role in assessing risk focuses on conducting an assessment of the risks associated with the processes that are being utilized in project management within the organization and the risks associated with the project itself.
Audit Risk Assessment
Depending on the organization, auditors may not have enough time to be involved in all phases of every project. Project involvement will depend on the assessment of process risks and project risks.
Process Risks:
- Lack of strategic direction
- Lack of project management standards
- Lack of a formal project management process
- Negative organizational climate
Project Risks:
- Resource unavailability and budget
- Project complexity and magnitude
- Inexperienced staff
- Lack of end-user involvement
- Lack of management commitment
The level of risk may be a function of the size of the project, scope of organizational change, complexity of the system being developed, the number of people involved, and the importance of the project to the organization.
The scope of the audit involvement will depend on the maturity of project management in the organization. Audit involvement may be minimal if the IT group has a well-established project management lifecycle and project office that perform regular oversight and tracking activities. In this case, the auditor may focus more on project-specific risks rather than on project management risks. For less mature organizations, the auditors may take on the role of oversight and tracking for the project.
As discussed in the previous article, the level of auditor involvement will likely also depend on the types of projects being handled. For projects and programs involving a government agency as a customer and formal status meeting presentation process, the need for or requirement of the involvement of a formal auditing process is much higher. In those cases, regular auditing of the PM processes in the organization – no matter how mature the processes are – may be required with the findings presented on a monthly or quarterly basis to the customer as well as to executive leadership within your organization.
Ten Guidelines for Managing Passwords in the Enterprise
Posted by Brad Egeland
As a follow-up to my article entitled “The Most Serious Data Threat May be Sitting Next to You,” Mark Sanford from Click Studios sent me a link to their article on “10 Guidelines for Managing Passwords in the Enterprise.” Since data security and data integrity is a critical issue on any enterprise IT project that involves significant data – and they all do – this is extremely timely and appropriate.
Mark and Click Studios have graciously allowed for their article to be provided to the readers of PM Tips. I strongly urge you to also visit their site and the original article here.
10 Guidelines for Managing Passwords in the Enterprise
Today the world is totally dependent on information technology, and many corporations struggle to effectively manage and store passwords securely for their employees. Every other day you hear of large companies exposing customer account details to non-intended audiences, due mainly to poorly managed IT systems and processes. The confidentiality and integrity of sensitive data is paramount to the operations of any size business, and the following guidelines should be considered when choosing any type of electronic password management system (PMS).
1. Remove the need for employees to remember passwords, or even worse, write them down
A key cause of bad password management practices is many employees don’t have a system in which to record their passwords, resulting in them having to either remember them, or write them down and store them in an unsecure manner. The password management system (PMS) must provide adequate functionality, removing the need for employees to remember passwords.
2. Centralize the management of passwords
Centralization of an organization’s passwords is the first step in gaining control of the IT accounts used to operate their business, otherwise there is no visibility or governance of their usage.
3. Ensuring the integrity of sensitive data
To ensure the integrity of data stored in an electronic PMS, there are a few key things to consider:
- Passwords should be encrypted with 256-bit AES encryption, and a unique Initialization Vector used for every install
- Users should authenticate against the PMS using their Microsoft Windows domain account credentials
- PMS must provide the option to use two-factor authentication for the user(s) who administer the system
- Sensitive code of the PMS should be obfuscated, to prevent reverse engineering by system or web administrators
- PMS must mitigate against system or database administrators granting themselves access to unauthorized data
4. Make the passwords easily accessible
Users must be able to get to the PMS from any location, must not rely on any client installs, and must give them quick and easy access to their passwords.
5. Must promote the use of strong passwords
The PMS must promote the use of strong passwords, of which the policy for password strength is set by the administrator(s) of the system. Visual representation of password strength must be available when entering passwords, or when reporting against, so the user is constantly reminded if a password’s strength is poor.
6. Must promote regular resetting of passwords
A key component of bad password management practices is not resetting passwords at regular intervals. The PMS must have one or more options for reminding users that passwords are about to expire.
7. Must be portable and recoverable
There is little use centralizing your organization passwords if you’re unable to get to them in case of a disaster. The PMS must provide the mechanism by which all passwords can be exported to a separate file, to be stored outside of existing IT systems – preferably with trusted security personnel.
8. Changes must be traceable and auditable
All large organizations require governance over access to IT systems, and it’s imperative the PMS must support traceability of all events within it, and must be easily reportable. This applies to standard usage by employees, or administration of the PMS.
9. Must be scalable
If you intend to implement an enterprise class PMS, it’s crucial the system can scale with your organization, otherwise your investment (time and money) may be wasted.
10. Must be simple to use
As with any IT system, acceptance by its audience is crucial to its success. Provide users with a poorly designed interface, and you will meet resistance at every step. To successfully employ a PMS and realize the benefits it can bring, the PMS must be very simple to use and provide the user community with sound help documentation if required.
(Click Studios – 18th October 2009)
Book Review: Project Governance
Posted by Brad Egeland
The July 2009 book review from Project Management Tipoffs (brought to you by Arras People) covers Ralf Muller’s book entitled, “Project Governance.”
The concept of the book is that without a governance structure, an organization runs the risk of conflicts and inconsistencies between the various means of achieving organizational goals, the processes and resources, causing costly inefficiencies that impact negatively on both smooth running and bottom line profitability. Please read on…
Project Governance
A night to read and some real practical solutions to implementing governance in your organisation – either at portfolio, programme or project level. “Project Governance” from Ralf Muller is a little misleading as it doesn’t just cover project level governance. Starting at the corporate level, with academic theory, the book soon moves onto programme and project governance taking into account different organisational models. Is your organisation a “Flexible Economist Paradigm”? Or in other words has your organisation established project management as a core competence, with professional project managers? Governance within this environment will follow a different path to that of a “Conformist Paradigm” organisation where project management is performed by technical experts as an on-the-side task.
So what is governance and why would you want to know more about this area of project management? Governance is defined in the book as:
“Governance provides a framework for ethical decision making and managerial action within an organisation that is based on transparency, accountability and defined roles”
This book covers everything from portfolio management, sponsors & steering groups, strategic and tactical project management offices, programme management, in fact it brings together a lot of areas and topics already within the public domain. There are two sections that are particularly worthy of note; a governance framework for project management and how much governance is enough? The framework provides a three step process which enables an organisation to increase its PPM governance. Within each step there are three areas; what can be done, what should be done and what is done. Step 1, includes basic training and methodology use (it talks about the adoption of methodologies such as PRINCE2), introducing steering committees (ensuring what is learnt is adopted and put into use) and the use of audits and reviews to ensure the “what is done” or learnt has translated to successful project delivery. A simple framework which covers the different levels of organisational maturity has been conveyed well in this book and would be a welcome addition to any programme office manager, portfolio manager or organisational change specialist’s bookshelf. That said, this is also a book aimed at the project manager, especially their role within project governance but also programme level, portfolio level and ultimately how their delivery impacts the corporation as a whole.
Knowing when there is enough governance – appropriate to your organisation and the programmes and projects it delivers – is also covered. A simple approach which focuses on the relationship between project manager and steering group and the roles & responsibilities of each may be useful insight for any project manager. Like much in project management, communication is the key for effective governance at each level of the organisation and Muller’s book goes a long way to showing how to utilise effective communication to achieve an integrated governance model.
More information and review text about Mr. Muller’s book, as well as ordering information, is available at Gower Publishing.