K-12 School Computer Networking/Chapter 15

What is Disaster Planning?
Disaster planning is having a plan prepared to be implemented in the event of a disaster. A disaster could be as small as one computer crashing to as destructive as a fire burning down the whole school. Every business, hospital, organization and school, regardless of their size, should have a disaster plan. While the planning process and the actual plan will vary based on the size and nature of the organization, the main idea is true for any size: Be prepared. If you are prepared for a disaster, the recovery time and losses will be significantly lowered. As a K-12 Technology Coordinator, you need to be in charge of the technology aspect of a disaster plan. In today's world, technology effects all aspects of the school; Schools rely on technology for teaching, storing student records and information, communication with stakeholders, and more. Therefore, you need to be prepared for a disaster, because even a small one will interrupt the school environment.

This chapter will help you develop a plan for your school. Keep in mind, there is no perfect template for a disaster and you cannot always predict every type of disaster. You should not make a disaster plan for every possible crisis, rather, your disaster plan should be able to handle a variety of situations.

The Consortium for School Networking (CoSN), has taken on the initiative to prepare K-12 Technology Coordinators for disaster planning. They have realized that technology is affecting all aspects of the school and therefore the technology coordinator is very involved in the disaster plan. You can subscribe to their newsletter, view power points, case studies and briefs, as well as be informed of their professional development events at their website: CoSN



This image depicts the process of disaster planning: Mitigation and Prevention and Preparedness - before the disaster, Response - during the disaster, and Recovery - after the disaster.

Mitigation and Prevention:
"Actions you take to identify preventable and unavoidable disasters and to address what can be done to eliminate or reduce the likelihood of a disaster and/or its accompanying risks"

Step One - Brainstorm:
The first thing you do before you can prepare, is to brainstorm the possible disasters that pose a threat to your school. You have to think internally and externally, about man-made disasters and natural disasters. The Nonprofit Coordinating Committee of New York has a guide, "Disaster Planning, Emergency Preparedness and Business Continuity." While the guide's focus is on business continuity, there are still a lot of guidelines that can be applied to a technology disaster plan. The guidelines they give for where to start thinking about possible disasters is divided into historical, geographic, human error, and physical:


 * Historical: What types of emergencies have occurred in the community, at your facility, or nearby? (for example, fire, natural :::disasters, accidents, utility, etc.)


 * Geographic: What can happen as a result of your location? (e.g., proximity to: flood-prone areas; hazardous material production, :::storage or use; major transportation routes; power plants, etc.)


 * Human Error: What emergencies might be caused by employees? Are employees trained to work safely? Do they know what to do in an :::emergency? Human errors can result from poor training and supervision, carelessness, misconduct, substance abuse, fatigue, etc.


 * Physical: What types of emergencies could result from the design or construction of the facility? Does the physical facility enhance :::safety? Consider the: physical construction of the office; the facilities for storing combustibles or toxins; hazardous processes or :::byproducts; lighting; evacuation routes and exits; shelter areas, etc.

In addition to thinking about all those possibilities, you need to think about a disaster which prohibits access into your school for an unknown amount of time. You may not even be able to go in to retrieve your backed up files. Or you can enter the building to get your equipment, but then you need to remove it and bring it to another location. The idea in planning for a disaster is to plan for small problems as well as major disasters. When brainstorming, do not forget to plan for disasters that are not dramatic. A major natural disaster is not as likely as a power outage, a compromised system, or a network crash. It will not help you to always be prepared for major crises if you cannot handle weekly disasters.

Step Two - Assign a Team:
If you are the only one that knows the disaster plan, and a disaster occurs when you are not there, the plan is useless. In a large organization, you will most likely be a part of a team creating the plan. Your component will be regarding the technology in the school, while someone else is in charge of the safety of the students, etc. There should be communication and cooperation between the team while creating the plan so that the plan is cohesive and possible. If you are the technology coordinator in a small school, you would not have a team. But, you should still make sure that there are people who know the ins and outs of the plan in case you are not there when disaster strikes.

When assigning your team, keep in mind that there needs to be a chain of command, so that in the case when the number one person is not there to place the plan in effect, the number two person can take charge and so on. If part of your plan is in techie language, it is very possible that you wasted your time writing your plan, because if no technical staff is available, it wont get implemented!

Step Three - Risk Analysis:
In CoSN's ‚"Crisis Planning Brief," they say that after brainstorming, you need to perform a risk assessment/analysis, to ‚"consider all possible threats and vulnerabilities and the consequences of each."

Performing a Risk Assessment:

* Analyze processes and functions deemed mission-critical.

* Identify types of potential disasters and impact of each on mission-critical items.

* Prioritize based on acceptable period of unavailability.

* Chart the workflow, considering hardware, software, people and other resource requirements for continued operations.

Preparedness:
"Consideration of worst-case scenarios and development of comprehensive plan for coordinated and effective response to any given disaster."

Step Four - Prepare and Write Plan:
Now that you have brainstormed possible disasters, collected a team, and preformed a risk analysis, you need to actually write your plan. Your disaster plan should have three components: What to do to prepare for a disaster, what to do during the disaster, and what to do after the disaster.

-Take preventive measures (based on brainstormed possibilities). Some examples: secure your data, back it up, back it up at a remote location, have off site office space, make multiple copies of the plan, and have the plan backed up off site too. (If the plan is caught in the disaster, not so useful!)

-Identify and list resources (hardware and software), operations and records. Go through and classify what is critical, important, and not so important. Regularly update these lists. Have lists for the major software vendors you can call in the time of need.

-Have a fireproof box that can hold sensitive and vital information.

-Communicate with partners who can help in the time of emergencies, such as consultants and local emergency agencies. Also, have lists of computer vendors, and computer rental companies in the area.

-"Have a list of contact numbers for people who would need to be contacted during an emergency. This list should be in the hands of multiple people and it should include everyone's number don't assume that you will have access to the Rolodex sitting on your desk or that your palm pilot will be working."

-Plan for worst-case scenarios. For example, all regular communication lines are unavailable. Have a backup plan for communicating.

The Plan should be written clearly and organized very well. There should be detailed tasks that need to be completed and it should be broken down into sections. You do not want to put all this work into preparing your plan and then it doesn't get used because the plan is not clearly written and you are not around to explain it.

Step Five - Practice:
The plan needs to be reviewed and practiced regularly for the best results of quick recovery. In jobs people come and go, so make sure to keep reviewing so that new people can learn it too. Continuously check your backups to make sure they are reliable. The employees involved in the plan should know what they have the authority to do in times of disaster. The more you practice, prepare, review, and train the easier it will be to recover from a disaster.

Response:
"Execution of the preparedness plan and management of the disaster."

Step Six - Implement Plan:
When disaster strikes, you need to implement your plan. If you are not there, you need to have someone at the school who knows what to do. How does someone know when it is a disaster? This should be made clear in the training sessions.

You need to stay calm during the disaster. When you need to communicate, speak fast but clearly and say the most important things. If communication is cut, implement the backup communication (indicated in plan) and be organized.

Recovery:
"The aim of the recovery phase is to restore the affected area to its previous state"

The goal of recovery is to return to a regular school day as soon as possible. If it was a small disaster and it will only take a few hours to reload all the information back into the computers, (hopefully everything was backed up and the back up was not damaged) and the recovery time will be short. If it was a large disaster and the computers cannot be used for a few months, without a plan your school could be out for months and your information cannot be accessed during that time. But, if you have a plan, such as contacting a computer rental company and having your data backed up at a remote location, the rentals can keeping the school days running normally and you will have access to your information. If you have been forced to evacuate the building for an unknown amount of time, hopefully you have temporary space set up for classes to run and for the equipment to be brought there. As mentioned at the beginning of the chapter, there is no cookie-cut disaster plan. You just have to plan as well as you can and hopefully your plan can tackle any disaster.

YouTube Video
This YouTube video is of Tom Petry, the coordinator of network technology of Collier County School District. His school district is prone to hurricanes and explains how vmware technology plays a major aspect in their disaster plan. (He speaks very quickly so you may need to listen more than once) YouTube Video

Technology Disaster Recovery Checklist:
***Provided as a courtesy by CoSN - Free to copy and distribute***

1. Identify and contact personnel in charge of recovery efforts

2. Identify and/or establish an Emergency Operations Center (EOC)

3. Staff meeting

4. Establish communication links

5. Contact insurance company

6. Inventory

7. Contact vendors

8. Re-establish payroll quickly

9. Recover data

10. Begin the clean-up process!

A more detailed description of the checklist:

Tips:
Don't think 'this won't happen to me.' Always be prepared.

Always update and review your records, your team, and your plan.

Practice, practice, practice.

Introduction
Introduction to the Plan (Choice of Scenario):

The company I intend to write a Quality Assurance proposal for will be for a university setting. I shall refer to the university throughout this proposal as University of X. University of X has one of the largest campuses in the Nation. Security is always an issue, and the result of what dreadfully occurred on the campus of Virginia Polytechnic Institute and State University has and will for ever be a turning point for security measures on campuses nationwide. This proposal serves only as an example. I furthermore hope this information may be used in practicality to serve the better good to aid in supplying more efficient safety and security to students, faculty and staff.

The purpose of this plan is to provide a quality assurance method to assist local security and police officers with specific means to broadcast critical safety information in real-time to a large number of students, faculty and staff.

Introduction of the Project for the Plan:

The project will involve researching available communications technologies and understanding the practicality of such devices and their means of transmitting and receiving information (data). Furthermore, I will create an online survey and distribute it to Chiefs of Security at 25 comparable universities nationwide. The results of this survey will help me to compare security procedures and the uses of technology which are in practice by these universities. ADD PIC

Company Background:

The University was established in the early 1800s and is nationally and internationally ranked. Though being a public institution, the out-of-state cost of tuition for graduates and undergraduates is one of the most expensive in the nation. The University enrolls over 36,000 students annually and employs over 10,000 faculty and staff. The campus is divided into two sections, South Campus and North Campus. Combined they measure over 1,400 acres (5.7 km2).

Areas for the Company to Improve (Strengths and Weaknesses):

The main area for improvement within University of X is within the Department of Security. The connection between campus security, local Police and Fire Departments needs to be defined. For the safety of students, faculty and staff, critical safety information needs to be supplied to these persons in real-time. There exist many different procedures and ways of doing so, though many different topics need to be taken into consideration. Such considerations are as follows:

•	Budget •	Technology •	User-ability of such technology •	Practicality of such technology •	Overall Quality Assurance of such technology •	Efficiency

Scope
Scope of the Plan:

To begin the project I need to appoint a team which will consist of five to six persons. This team will brainstorm and devise a series of thirty questions. The questions will then be placed into an online survey and then submitted to 15 Universities. When the universities Department of Security fills out the survey, the information is submitted in real time. At this point I will collaborate with one or more experienced Security officers to extrapolate the data. This data will allow me to know the types of security technology and methods which are used and set in place at different universities.

While this plan will involve a great deal of research there will exist limitations. Such limitations may include but are not limited to:

•	Retrieving information regarding private security procedures. •	Retrieving data from my survey and incorporating it prior to the end of this course. •	Deciphering the data and collaborating with one or more campus security specialists.

'''Outline Quality Assurance issues and problems. Determine what the problem includes and what it does not include.'''

There does not seem to exist a plausible method for distributing specific accurate information wirelessly and in real-time to a dense population. Technologies exist such as the Internet, Cell Phones, Text Messaging, and Digital/Analog Radio. For example: A mass email is sent to the entire campus population consisting of safety information pertaining to a possible hurricane warning. Some students may be in transit and may not be able to check their email. Therefore, this process concludes to be partially non-effective. Another example: A Text Message was sent to the population of students pertaining to a water main which has broken. Some students may have their cellular devices on silent, or may not own a cellular device. Furthermore, many students may not have subscribed to such a service allowing security to alert them via text messaging pertaining to campus wide safety alerts.

Objectives of the QA Plan:

The primary objective of this Quality Assurance Plan (QAP) will be to provide statistical and comparative information to College and University Campus Security Departments Nationwide. The QAP is focused on one hypothetical University, though the data which I will provide will be used for practical purposes. This QAP will serve as the foundation for my project and I intend to build upon this idea up to and surpassing the completion of this course.

Approach (outline the methodologies or work to be done):

The primary approach I will need to take is to devise a survey consisting of specific questions (open ended and closed) and to submit to several different educational institutions. The process is then dependent on the Institution to fill out the survey and to then submit it. I will be using a survey engine (Surveymonkey) which will allow me to obtain the data in real time as well as other options such as exporting data into Excel for quick review and comparisons. After most more than 50% of the institutions have filled out the survey and submitted it, I will then be able to review the data. This data will be reviewed by myself as well as A institution security officer professional. As far as disclosing the schools involved in this project, I am uncertain at this time that listing names is possible.

Purpose of the plan:

The purpose of this plan is to allow any number of educational institutions to analyze and learn many approaches regarding the ability to broadcast communications to students, faculty and staff on a campus-wide scale. Due to the nature of our world today, crime on campuses is inevitable. Natural disasters on campus are as well an issue. In order to broadcast a message in real-time campus wide, some new technology may need to be implemented. The overall conclusion and most cost effective method may be the use of cellular phones, and the requirement to list your number with the local security office. I hope to review alternative and possible more effective methods. The overall information from this QA Plan can serve as a foundation for institutions nationwide to become familiar with alternative means of distributing information wirelessly.

Plan
Define the QA plan for the Company:

The Quality Assurance Plan (QAP) will assure educational institutions with the processes needed to disperse information quickly and accurately. This includes but is not limited to specific technological devices. This plan will also serve as a basis for allowing institutions nationwide to become familiar with alternative means of communications disbursing.

Determine the process and procedures for your plan (design, development, implementation, maintenance, revisions):

The main part of the QAP will be the survey. The survey will consist of several questions which will hopefully be answered in a timely fashion. I may not be able to determine some data such as: •	How many cell phones are on campus? •	How many handheld PDA devices are on campus? •	How many MP3 devices are on campus?

For the most part I feel it is plausible to assume in this day and age, over 95% of students, faculty and staff on campus own a cellular device.

Reviews (how will reviews be conducted):

The reviews will be conducted by myself and possibly someone with a significant background in campus security. The reviews will be for educational purposes only. I may take the data a step further and allow more professionals to analyze the data and allow constructive feedback. The simple notion I am aiming for is what alternative sources are available today which are cost effective and easily implemented. I will be conducting research via Internet to venture into the world of different types of wireless devices. This data will be included.

Standards
Define the standards for your organization (ISO, IEEE...etc.)

List and identify the specific standards that you will use for the QA plan:

My organization(s) will be using the ISO/IEC 15408 standard for their new QA process. This standard is defined as Evaluation Criteria for Information Technology Security (Wikipedia, ISO ISO/IEC 1540).

Explain the methods and techniques that will be used to meet standards

While transmitting confidential information wirelessly, the standards set in place insure the correct method of doing so is accurate and safe. The methods and techniques may seem tedious, though will be proven effective. Information submitted campus wide needs to be overlooked by three Security personnel as well as the president of the institution. This insures the accuracy of the information being transmitted. If an emergency occurs, the approval of the president of the institution is only needed. The method for transmitting this information will be by:

•	Email •	Cellular text messages (MMS, SMS) •	CCTV (Closed Circuit Television) •	Verbal announcements (via PA system)

Describe the procedures and explain the goals or purpose of procedures:

The procedures will ensure that accurate information is distributed effectively throughout a dense institutional population. The goals of this procedure will be to distribute accurate information with the correct approvals using sufficient technology and strategies. Having a universal means for broadcasting information is of severe need in many institutions. Thus allowing this QAP to strengthen their security procedures ad overall operations.

Describe the activities or tasks for each procedure:

The activities involved for my primary procedure for creating a survey will be to utilize a survey creation program and service called Surveymonkey. This will be an intricate process as I need to devise the right questions and take note of the length of the survey. Since the persons I will be asking to fill out the survey may be busy, I need to assure the questions are to the point, precise and will allow me to obtain the right information.

Explain when and how the activity will be executed, recorded, who will participate, reporting and follow-up for corrective action:

The activity will be executed by submitting a mass survey to the Department of Security at twenty-five different educational institutions. This activity will supply valuable information pertaining to security procedures. Security can be a life or death situation whereas implementing the standards which I have set within the QAP may or may not be applicable for some institutions. The goal as reiterated is to supply accurate information with hope to implement a set of standards and practices relating to that of distributing accurate information wirelessly to a set group within the institution.

Testing Activities:

One of the possible testing activities is to mentor the effectiveness of a newly implemented means for broadcasting information wirelessly and accurately within a given institution. This activity can allow trial and error data for other institutions who wish to implement the same or similar system.

A second testing activity will be to privately test equipment which may be used in a practical situation. The only draw back here will be the funding to do so. This method may be a safer approach as performing mock trials is better than the possibility of risking life or death.

Documentation
What type of documentation will be created to support management (user guides, computer system guides, interim reports, progress reports, final reports)

There will be several documents which will be created to support management. The most important document which will be created will be contingency plan guidelines. A troubleshooting guide for operating the equipment will as well be created. The technology is computer based, so understanding the operating system is a must and will be included within the ISO/IEC standards. For implementation purposes, there will be a final report which will be needed to fill out upon the completion of a security procedure.

Explain how the documentation will be created, used and the guidelines and maintenance of the reports

Contingency Plan guideline: This plan will list step-by-step the process necessary to carry out the correct action(s).

Troubleshooting Guide: This guide will supply technical information for troubleshooting the central computer system and other technologies.

Final Report: This report will ensure the correct measures were taken and will be reviewed and analyzed for future reference. This data will also allow for the future development of my QAP.

Documentation for testing activities

The documentation for testing activities will be provided by the technical writer who is appointed to the QA Team. The step-by-step procedures and trial and error occurrences will be recorded by and filed appropriately. The information may or may not be included in the final phase of the QAP.

Measurements
Purpose of Measurements

The purpose of the measurements will be to record the effectiveness of the new technology and implemented procedures. The process of distributing emergency information to a dense population in real-time can mislead people if the information is incorrect. These overall measurements will strengthen the QAP.

Type of Measurements (example – calibration)

The main type of measurements I will be using will be calibration. This will allow me to review the before and after. This calibration will continue on a quarterly scale and will determine the effectiveness of the QAP. Following is a list of other applicable testing methods which may or may not be used:

Unit Testing: This testing will ensure the source code within the software used to launch mass information will work.

Functional testing: This testing will insure that all the functions of the software and product will operate according to the products advertised capabilities.

End-to-End testing: This type of testing may be used to mimic real life situation with regards to cellular, internet, intranet, and WiFi situations.

Regression testing: This type of testing will ensure the modification from a previous software or hardware was corrected.

When and how Measurements will be used

The measurements will be used at the start of the QAP. Following, these measurements will continue on a quarterly scale.

Reporting Measurements and checking for adequacy:

The QAP Team will assess and extrapolate the data from the testing measurements. The information will be used to strengthen the testing process. Errors will be corrected such as the shift from one type of computer hardware, or software to a more efficient type. Corrective Action Process If there is an error within the trials or the QAP, this will be assessed and corrected by the QAP team. With this type of QAP, there are many errors which can default, though having a Team in place will hopefully catch these inefficiencies before they occur, or correct them immediately before the data is interrupted.

Risk Management
Type of Risk management plan, methodology, process, tools:

The Risk Management Plan will include all known risks involved with the plan and will be created by the analysis team. The following six steps will be used to create the plan in full:

Define Risk Management, as it applies to your project Identify the categories of risk List all of the types of risks which may occur Determine the likelihood of the risks occurring Calculate the impact on the project if risk does occur Rank the risks identified in order or priority (Method123, 2003)

Determining risk is a very difficult task and involves many different types of processes. Nonetheless risk management is a crucial part of a Quality Assurance Plan (QAP).

Procedures and methods to be used to identify and analyze the collected data to determine risk:

A system will be implemented which will record the amount of broadcasted transmissions from the Central Security Offices. This system will work to improve the quality of the newly implemented technology. I will be using a Risk Priority Number (RPN) to analyze the risk identified during the Failure Mode and Effects Analysis (FMEA). According to the following three rating scales will conclude tot the severity of a potential risk.

Severity, which rates the severity of the potential effect of the failure.

Occurrence, which rates the likelihood that the failure will occur.

Detection, which rates the likelihood that the problem will be detected before it reaches the end-user/customer.

The risk will then be calculate on a five-point severity scale which will allow the true acknowledgement of the severity of the risk and the Analysis Team will then be able to correct the risk.

Determine the level of risk and tools used to manage risk in the project (risk matrix, risk mitigation plan:

When the Risk Priority Number (RPN) is identified and then used to determine the Failure Mode and Effects Analysis (FMEA), the collected data will be included into a final Risk Mitigation Plan. This plan will identify the severity of the risks, types of risks, and will address all possible solutions.

Describes the performance criteria for the analysis procedures:

The project team will be involved in the analysis procedures. The data will be presented and the team will view the Matrix and the mitigation plan, as well as the survey answers. The types of pertinent technology will be discussed and a plan to implement it will be created. Section 7 concludes the performance criteria for the analysis procedures.

Corrective Action for Risks:

As issues arise such as possible software failure, hardware failure, or user error a Corrective Actions Plan will be created. This plan will include a detailed list of the problems and will have an associated number as well as an implementation date.

Training
Define and describe the training plans for the project:

The training plan will assure that all personnel are on the same level and understand how to effectively use the equipment as well as troubleshooting and error reporting. A training manual will be designed which will consist of procedures and troubleshooting chapters.

Special training or certification that may be required to implement the plan:

There will not be any required certification though the following certifications are recommended:

•	Certified Software Quality Analyst (CSQA) •	Certified Software Tester (CSTE) •	Certified Software Project Manager (CSPM) •	COPC Registered Coordinator Training •	CBTL SM- 1 •	CBQASM •	Six Sigma Black Belt •	Six Sigma Green Belt •	Accredited ITIL Foundation Course •	Foundation Certificate in ITSM Training for the personnel:

All personnel within the Security Department will be trained on the Quality Assurance Plan. Troubleshooting and error reporting procedures will be included.

Training process for corrective action and procedures (frequency of reports to management, plans for closeout activities to document lessons learned):

All staff will participate in error reporting and will contribute to the Bi-weekly Corrective Actions and Procedures Plan. This plan will consist of the problems that occurred and the corrective actions to take. The chosen committee will review this plan and upon approval the corrective actions will be implemented.

Analysis and Milestones
Determine the milestones and process for overall corrective action:

The implemented technology will be monitored for a period of 12 months and all known issues will be recorded and transmitted real time to a central database. After 12 months, if all known software quarks and/or issues are not corrected and the issues do not lie in fault with the personnel, an alternative technology may be implemented which would start the QAP over at the beginning.

Results, Conclusion and Follow-Up
Determine how results will be collected, reviewed, and list the different types of corrective action:

The results will be reviewed via a central database designed to retrieve data from the security offices with the implemented system. Each Security Office will have personnel who will be in charge of the troubleshooting and recording the issues. The types of possible corrective actions are as follow:

1.	Implement an entirely new system 2.	Use different wireless devices 3.	Change the training procedures 4.	Correct the issues and continue with current infrastructure

References:
Council of Education Faculty Planners International (CEFPI) http://www.cosn.org/Initiatives/ITCrisisPrep/TechnolgyRecoveryChecklist/tabid/4620/Default.aspx

Crisis Preparedness Leadership for IT Disaster Recovery. (2007) CTO Forum Crisis Preparedness Retrieved from http://www.cosn.org/Initiatives/ITCrisisPrep/ToolsandResources/PresentationsandWorkshops/tabid/4643/Default.aspx

Crisis Preparedness Leadership for IT Disaster Recovery. (2009, January 19) Crisis Planning Brief. Retrieved from http://www.cosn.org/Resources/ResourceLibrary/tabid/4189/id/19/Default.aspx

Cummings, J. (2008, October 28) ‚"Prepare for Disaster for Before it Strikes." National Association of Media and Technology Centers.

Mills, L. (2006, April) "Flirting with Disaster."The School Administrator. American Association of School Administrator. Retrieved from http://www.aasa.org/publications/saarticledetail.cfm?ItemNumber=5877

NonProfit Coordinating committee of New York, "Disaster Planning, Emergency Preparedness and Business Continuity." Retrieved from http://www.npccny.org/info/disaster_plan.htm

Terrill, T. (2006) Technology on a Shoestring. A Survival Guide for Educators and other Professionals. New York and London. Teacher's College Press.

Wikipedia - Emergency Management http://en.wikipedia.org/wiki/Emergency_management

http://en.wikipedia.org/wiki/VMware

http://www.youtube.com/watch?v=fqK6uluwzOo