Creating a Business Disaster Recovery Plan

An IT disaster recovery plan includes a set of policies, tools, and procedures to gain recovery or continuation of vital technology infrastructure and systems after a natural or human-induced catastrophic IT event.  It should address different levels of response to a number of disasters that may include disruption to servers, desktops, databases, or applications.

What is The Difference Between a Business Continuity Plan and Disaster Recovery Plan?

A Business Continuity Plan (BCP) is a plan to help ensure business processes can continue during a time of emergency or disasters.  These instances occur where business is not able to occur under normal conditions.  In a BCP your are typically not dealing with recovering items or complete downtown, but ensuring continuity of business.  You may need a BCP during inclement weather when employees are not able to get into your business’ building to work; where as a DRP would be initiated if the building was physically destroyed by a fire and a new site needed to be setup and a network rebuilt and data restored.

Goals to a Disaster Recovery Plan

• Minimize Risk – A primary goal of a good DRP plan is to reduce the overall risk to the company.  Before beginning the planning process it is a good idea for companies to perform a current risk assessment to see where they are most vulnerable.  These vulnerabilities should then be addressed immediately.
• Resume Operations ASAP – Business’ wish to resume their operations as quickly as possible during any type of emergency to push out information to internal or external customers.  A disaster recovery plan should offer accessible platforms from any location with compute abilities.
• Discuss with Owner/ Investors – For a disaster recovery plan to truly be effective, you will need to have an understanding of the top concerns from owners, investors, board of directors, or shareholders.  Discuss with them what would be the highest level of corporate liabilities so they are addressed within the plan.
• Maintenance – IT departments should run routine risk assessments on a schedule (monthly, quarterly, yearly) in order for the DPR to effectively address all risks at any time.  The disaster plan should then be updated regularly to include any new elements.
• Response Deployment – Plan your DPR at least once a year to guarantee narrow disaster response time.  For a disaster recovery plan to work, your IT department and stakeholders must be able to mobilize in a quick and coordinated way.  Continually test your DPR with the objective of multiple staff personal being familiar with the procedures and goal of reducing recovery time.
• Compliance Obligations – If the company is upheld to compliance standards, a disaster recovery plan will address these and is your best solution at effectively not incurring penalties for failure to meet these obligations after a disaster.

Who Designs a Disaster Recovery Plan?

Top management personal will be in charge of laying out the disaster recovery plan in order to meet business requirements and business operational needs.  Depending on the size of your company, the committee should include members from each business unit or key function (i.e. human resources, finance, security, vendor management, and accounting).  Your IT department (whether outsourced or internal) will then come in to be the main facilitator of the plan to document and test the procedures.  Top management and IT will then be the bases for your disaster recovery plan committee who will outline, implement, test, and maintain the plan.

Steps for Designing a DRP

The initial thing to do when sitting down with your disaster recovery plan committee is to decide on the most important business activities and the applications and data that are needed to support them.

1. Identify Critical Business Processes – What business processes are imperative to continued operations and how long can business be performed without them? These processes may or may not be visible to customers or clients.
2. Label Dependencies – What applications do the critical business processes depend on and what is the maximum downtime for each.
3. Define Applications – Create a list of the applications that must be restored as quick as possible.
4. Asses Your Data Recovery Strategy – Understand your current data recovery; address any weaknesses or risks.
5. Business Impact Analysis (BIA) – Perform a BIA to measure the impact any downtime would effect your business including the cost and any legal or compliance level areas regarding data security.
6. Define Recovery Point Objective (RPO) – A RPO is the age of files that must be recovered from backup storage for normal operations to resume if a computer, system, or network fails.
7. Define Recovery Time Objectives (RTO) – A RTO is the amount of time in which full restoration is desired.  It is the time that restoration is required to avoid unacceptable consequences associated with a break in business continuity.
8. Decide Maximum Tolerable Downtime (MTD) – MTD is the maximum amount of time that applications, data, or hardware can be unavailable before a company begins to lose business.  Now that you have performed a BIA, defined RPO, distinguished RTO, and designated MTD you should have established your recovery time requirements.  Now you can begin to test your technology and recognize any risks or weaknesses that may need alternative solutions.  *It is important to note that when establishing RPOs and RTOs that you be realistic and have a prospective on cost efficiency.  The smaller the RPO and the RTO, the higher the cost to the company, because it will require more resources to achieve.  If a business was willing to have an hour of downtown versus zero downtown it would be less expensive on their part in the long term.
9. Access Risks – Record any risks you could possibly face by single point of failure. Rank them according to priority.
10. Test – Test your disaster recovery plan by walking through a scenario and analyzing the current vs. desired RPOs, RTOs, and MTD.
11. Redesign – If necessary, redesign poor performance areas. If newer technology is necessary prioritize those investments based on risk areas.
12. Implementation – Create a timeline to incorporate any elements you deemed necessary    during the redesign step to put into your effective DRP.
13. Emergency Response Procedure – Develop step-by-step instructions that define the procedures for responding and achieving full recovery of normal operations.  This will become your playbook on how to recover.  In theory, departments will regularly test your DPR in a training scenario and any IT personnel on hand with the correct passwords will be able to recover the business following the playbook steps. With multiple people trained in executing the DPR anyone that is available during a disaster will be able to execute successfully.
14. Align Procedures – Assign which procedures should be escalated to meet DRP timeline requirements and MTD in different scenarios.
15. Designate a Team – Assign roles and train team members on how to respond accordingly. Also determine a succession of leadership for key positions.
    Determine who will take over roles if that person is unavailable during the time of the disaster.  It is better to have it in writing to cut down on any guesswork.
16. Keep it Simple – Don’t make a disaster recovery plan that is overcomplicated that no one is going to read. A 30 page DRP that everyone is familiar with is much better than a 200 page plan never read.
17. Store DPR Copies in Multiple Places – Store your DPR where it is easy to get to. Don’t leave it where it could potentially be unaccessible during an actual disaster. For example, if your network goes down and the only copy is on the network you won’t be able to access it. Or if you only have a hard copy printed out and store in the office, and the office burns down due to a fire no one will know what to do.Keep a hard copy at home, in your office, copy to your network at the office, and another on your laptop’s desktop or your personal computer.

Conclusion

Businesses are dependent on technology in almost every aspect of modern day-to-day business tasks.  A disaster recovery plan is key to minimizing damage and restoring your working environment as quickly as possible if it becomes interrupted or data is lost. Small to medium sized business are not expected to have the in-house resources or staff to execute a thorough, dynamic, and effective IT disaster recovery plan. CORTEX provides a cost effective IT support alternative in these instances.  Contact us to discuss your technology infrastructure and options for your DRP.