Business Continuity Planning
Business continuity planning is the process involved in creating a system of prevention and...
Disaster Recovery Planning and developing a Disaster Recovery Plan (DRP) is a vital part of a Business Continuity Plan. A DRP ensures that all of your systems, data and personnel are protected. It makes sure your business continues to operate in the event of an emergency or disaster– be it hurricane, hacking, or the hindering high-jinks of 2020.
At this point in the business continuity planning process, you will have identified risks in a risk assessment. You will also have investigated who and how will be impacted in business impact analysis. Your DRP should include strategies to restore hardware, applications, and data in a timely fashion to meet the needs of your business continuity plan. A DRP seeks to aid an organization resolve data loss and recover system functionality so that it can perform in the aftermath of an incident.
As cyber-crime and security breaches become more complex and sophisticated, it is important for a business to define its data recovery and protection strategies. The ability to pivot quickly in the event of an emergency can reduce downtime and minimize damages to an organization’s finances and reputation.
Data Center Disasters
A disaster recovery strategy should begin at the business level and determine which applications are most important to running the organization. The Recovery Time Objective (RTO) describes the target amount of time a business application can be down, and is typically measured in hours, minutes, or seconds. The recovery point objective (RPO) describes the age of files that must be recovered from backup storage for normal operations to resume.
Recovery strategies will define how an organization plans to respond to an incident, while disaster recovery plans will describe the how. A recovery plan flows from a recovery strategy.
Resources—people and physical facilities
Vendors and Suppliers
All strategies should align with the organization’s overall mission and goals.
Disaster Recovery Plans can be specifically tailored for a given environment or business. Some specific examples for DRPs include:
Virtualized Disaster Recovery Plan: Virtualization provides opportunities to implement disaster recovery in a more efficient and simpler way. Testing can also be easier to achieve, but the plan must include the ability to validate that applications can be run in disaster recovery mode and returned to normal operations within the RPO and RTO.
Network Disaster Recovery Plan: Developing a plan for recovering a network gets more complicated as the complexity of the network increases. It is important to detail the step-by-step recovery procedure, test it properly and keep it updated. Data in this plan will be specific to the network, such as in its performance and networking staff.
Cloud Disaster Recovery Plan: Cloud disaster recovery (cloud DR) can range from a file backup in the cloud to a complete replication. Cloud DR can be space, time and cost-efficient, but maintaining the disaster recovery plan requires proper IT management. The manager must know the location of physical and virtual servers. The plan must address security, which is a common issue in the cloud that can be alleviated through testing.
Data Center Disaster Recovery Plan: This type of plan focuses exclusively on the data center facility and infrastructure. An operational risk assessment is a key element in data center DRPs. It analyzes key components such as building location, power systems and protection, security, and office space. The plan must address a broad range of possible scenarios.
A DRP can range in scope from basic to comprehensive.
A DRP checklist includes identifying critical IT systems and networks, prioritizing the RTO, and outlining the steps needed to restart, reconfigure, and recover systems and networks. The plan should at least minimize any negative effect on business operations. All employees should know basic emergency steps in the event of an unforeseen incident.
The DRP process involves more than simply writing the document. The DRP takes into account the previous steps in the business continuity planning process, such as the Risk Assessment (RA) and the Business Impact Analysis (BIA). The RA identifies threats and vulnerabilities that could disrupt systems of operations. The BIA identifies the impacts of disruptive events and is your starting point for identifying risk within the context of disaster recovery. It also generates the RTO and RPO.
establishing the range or extent of necessary treatment and activity — the scope of recovery.
gathering relevant network infrastructure documents.
identifying the most serious threats and vulnerabilities, and the most critical assets.
reviewing the history of unplanned incidents and outages, and how they were handled.
identifying the current disaster recovery strategies.
identifying the incident response team.
having management review and approve the DRP.
testing the plan.
updating the plan.
implementing a DRP audit.
A good disaster plan is a constant evolution, a living document seeking the input and wisdom of all stakeholders.
Another component of the DRP is a well thought out crisis communications plan. The crisis communications plan should detail how both internal and external crisis communication will be handled. Internal communication includes alerts that can be sent using email, overhead building paging systems, voice messages or text messages to mobile devices. Examples of internal communication include instructions to evacuate the building and meet at assembly points, updates on the progress of the situation and notices when it’s safe to return to the building.
External communications are even more essential to the business’s continuity plan and include instructions on how to notify family members in the case of injury or death; how to inform and update key clients and stakeholders on the status of the disaster; and how to discuss disasters with the media.
An effective disaster recovery plan defines the roles and responsibility of disaster recovery team members and outline the criteria requires to put the plan into action. The plan should then specify, in detail, the incident response and recovery activities.
Testing your DRP identifies weakness and opportunities to fix problems before they occur. An easily recognizable example of this is a fire drill. Students know where to stand on the ball field because they have practiced it and stragglers can be identified and coached through the process. Testing can also offer proof that the DRP is effective and hits RPOs and RTOs. Because IT systems and technologies are constantly evolving, testing also helps make sure your DRP is up to date.