This is an exhaustive list of all IT assets in the organization, including hardware, software, routers, firewalls, desktops, contact information, and so on. Be sure to keep the inventory in a secure location once it is completed.

Here you will determine and record what types of threats exist for specific assets. Tools will be provided to help you identify specific risks, be they natural or man-made. When completing this step, ensure that likelihoods are carefully considered. After all, while it is possible that terrorists could attack the data center, the likelihood of this occurring is incredibly remote for the vast majority of companies. The data center is far more likely to suffer a water leak than a terrorist attack.

Now that IT has identified assets and determined any risks to those assets, it’s time to examine what is currently being done to protect assets. The operational analysis is therefore a good exercise for uncovering any holes in current security and protective operations.

Here, you will document the results of the operational analysis. This will provide management and stakeholders with a concise summary of actions taken so far.

This comprehensive, Excel-based tool is designed to walk you through a complete review of data center operations, physical security, etc. This tool will automatically generate recommendations for improving the security and resilience of the data center based on audit results. The Advanced version of this tool includes calculations for measuring risk against desired and current security states.

Probabilities of negative events occurring in the data center are calculated using this tool. Outputs from this tool will be entered into the 2.1 tool where instructed.

• The "Compliance Checklist" is designed for those companies for which legislative compliance for changes to production systems is a concern.

Interviewing stakeholders is a critical task for achieving consensus during the DRP initiative and getting everyone on the same page. This exercise will include such information-gathering as: stakeholder analysis; DRP project goal and definition statements; business unit listings; dependencies of IT resources; and contact information of key stakeholders. The Call Tree tool will also provide you with a list of important contacts to communicate with should the DRP ever be invoked.

This downtime policy template will help create a baseline for what is considered acceptable or planned downtime of systems and applications. Most assets do not require five-nines or six-nines availability, so a written policy should help determine their relative value.

The business impact analysis is one of the most important elements of any DRP. All IT shops are strongly encouraged to complete these tools to help calculate the actual cost of downtime or asset loss due to a disaster or attack. The follow-up tool, "Technical Risk Analysis Report," will guide you through the process of further documenting risks as they relate to your network’s topology.

Now that you have defined which assets are most critical, it’s time to draw the connection between those critical assets and the business units that would be most impacted by the loss of those assets. This basic tool documents the relationship between critical applications and business units.

Using the "Recovery Prioritization Meeting" tool presented in this step, document worst-case scenarios, cost of downtime, and other DR information for hardware, software, and IT services. Then list such assets in order of priority for recovery efforts. This list will form the basis of which assets must be brought back online first in the event of a disaster.

The "Asset Risk Report" tool is designed to help you create finalized risk profiles for various assets across the enterprise. The reports specifically look at the human, operational, technological, and natural disaster aspects of risk.

Because threats can change, it is important to continually monitor risks over time. Use the "Risk Management Spreadsheet" to plot out threats, risks, and cost of exposure, as identified in earlier steps.

This is an exhaustive list of all IT assets in the organization, including hardware, software, routers, firewalls, desktops, contact information, and so on. Be sure to keep the inventory in a secure location once it is completed.

Here you will determine and record what types of threats exist for specific assets. Tools will be provided to help you identify specific risks, be they natural or man-made. When completing this step, ensure that likelihoods are carefully considered. After all, while it is possible that terrorists could attack the data center, the likelihood of this occurring is incredibly remote for the vast majority of companies. The data center is far more likely to suffer a water leak than a terrorist attack.

Now that IT has identified assets and determined any risks to those assets, it’s time to examine what is currently being done to protect assets. The operational analysis is therefore a good exercise for uncovering any holes in current security and protective operations.

Here, you will document the results of the operational analysis. This will provide management and stakeholders with a concise summary of actions taken so far.

This comprehensive, Excel-based tool is designed to walk you through a complete review of data center operations, physical security, etc. This tool will automatically generate recommendations for improving the security and resilience of the data center based on audit results. The Advanced version of this tool includes calculations for measuring risk against desired and current security states.

Probabilities of negative events occurring in the data center are calculated using this tool. Outputs from this tool will be entered into the 2.1 tool where instructed.

• The "Compliance Checklist" is designed for those companies for which legislative compliance for changes to production systems is a concern.

Interviewing stakeholders is a critical task for achieving consensus during the DRP initiative and getting everyone on the same page. This exercise will include such information-gathering as: stakeholder analysis; DRP project goal and definition statements; business unit listings; dependencies of IT resources; and contact information of key stakeholders. The Call Tree tool will also provide you with a list of important contacts to communicate with should the DRP ever be invoked.

This downtime policy template will help create a baseline for what is considered acceptable or planned downtime of systems and applications. Most assets do not require five-nines or six-nines availability, so a written policy should help determine their relative value.

The business impact analysis is one of the most important elements of any DRP. All IT shops are strongly encouraged to complete these tools to help calculate the actual cost of downtime or asset loss due to a disaster or attack. The follow-up tool, "Technical Risk Analysis Report," will guide you through the process of further documenting risks as they relate to your network’s topology.

Now that you have defined which assets are most critical, it’s time to draw the connection between those critical assets and the business units that would be most impacted by the loss of those assets. This basic tool documents the relationship between critical applications and business units.

Using the "Recovery Prioritization Meeting" tool presented in this step, document worst-case scenarios, cost of downtime, and other DR information for hardware, software, and IT services. Then list such assets in order of priority for recovery efforts. This list will form the basis of which assets must be brought back online first in the event of a disaster.

Highly-critical assets may require some further investment before they can be disaster resilient. Use the "Mitigation Project ROI & Prioritization Tool" to gain a clear understanding of what a return on investment means to IT. Document and justify expenditures necessary for meeting the goals of the DRP. Only use the advanced "Return on Security Investment Calculator" worksheet if planning to implement security-specific solutions to beef up the DRP initiative. Now add such projects into IT’s overall project portfolio.

The "Asset Risk Report" tool is designed to help you create finalized risk profiles for various assets across the enterprise. The reports specifically look at the human, operational, technological, and natural disaster aspects of risk.

Because threats can change, it is important to continually monitor risks over time. Use the "Risk Management Spreadsheet" to plot out threats, risks, and cost of exposure, as identified in earlier steps.