Disaster Recovery Planning and developing a Disaster Recovery Plan (DRP) is a vital part of a Business Continuity Plan.  A DRP ensures that all of your systems, data and personnel are protected. It makes sure your business continues to operate in the event of an emergency or disaster– be it hurricane, hacking, or the hindering high-jinks of 2020.

At this point in the business continuity planning process, you will have identified risks in a risk assessment.  You will also have investigated who and how will be impacted in business impact analysis.  Your DRP should include strategies to restore hardware, applications, and data in a timely fashion to meet the needs of your business continuity plan. A DRP seeks to aid an organization resolve data loss and recover system functionality so that it can perform in the aftermath of an incident.

As cybercrime and security breaches become more complex and sophisticated, it is important for a business to define its data recovery and protection strategies. The ability to pivot quickly in the event of an emergency can reduce downtime and minimize damages to an organization’s finances and reputation.

Some types of disasters that a business should plan for could include:

• Application Failures
• Communication Failures
• Data Center Disasters
• Building Disasters
• Power Outages
• Ransomware Attacks
• Weather Emergencies
• National Disasters
• Active Shooters

DRP Considerations

A disaster recovery strategy should begin at the business level and determine which applications are most important to running the organization. The Recovery Time Objective (RTO) describes the target amount of time a business application can be down, and is typically measured in hours, minutes, or seconds. The recovery point objective (RPO) describes the age of files that must be recovered from backup storage for normal operations to resume.

Recovery strategies will define how an organization plans to respond to an incident, while disaster recovery plans will describe the how.  A recovery plan flows from a recovery strategy.

When determining your organization’s recovery strategy, the following should be considered:

• Budget
• Insurance
• Resources—people and physical facilities
• Technology
• Data
• Vendors and Suppliers
• Compliance requirements

All strategies should align with the organization’s overall mission and goals.

Types of Disaster Recovery Plans

Disaster Recovery Plans can be specifically tailored for a given environment or business. Some specific examples for DRPs include:

• Virtualized Disaster Recovery Plan: Virtualization provides opportunities to implement disaster recovery in a more efficient and simpler way. Testing can also be easier to achieve, but the plan must include the ability to validate that applications can be run in disaster recovery mode and returned to normal operations within the RPO and RTO.

• Network Disaster Recovery Plan: Developing a plan for recovering a network gets more complicated as the complexity of the network increases. It is important to detail the step-by-step recovery procedure, test it properly and keep it updated. Data in this plan will be specific to the network, such as in its performance and networking staff.

• Cloud Disaster Recovery Plan: Cloud disaster recovery (cloud DR) can range from a file backup in the cloud to a complete replication. Cloud DR can be space, time and cost-efficient, but maintaining the disaster recovery plan requires proper IT management. The manager must know the location of physical and virtual servers. The plan must address security, which is a common issue in the cloud that can be alleviated through testing.

• Data Center Disaster Recovery Plan: This type of plan focuses exclusively on the data center facility and infrastructure. An operational risk assessment is a key element in data center DRPs. It analyzes key components such as building location, power systems and protection, security, and office space. The plan must address a broad range of possible scenarios.

Scope and Objectives of Disaster Recovery Planning

A DRP can range in scope from basic to comprehensive.

A DRP checklist includes identifying critical IT systems and networks, prioritizing the RTO, and outlining the steps needed to restart, reconfigure, and recover systems and networks. The plan should at least minimize any negative effect on business operations. All employees should know basic emergency steps in the event of an unforeseen incident.

 

 

How to Build your Disaster Recovery Plan

The DRP process involves more than simply writing the document. The DRP takes into account the previous steps in the business continuity planning process, such as the Risk Assessment (RA) and the Business Impact Analysis (BIA). The RA identifies threats and vulnerabilities that could disrupt systems of operations. The BIA identifies the impacts of disruptive events and is your starting point for identifying risk within the context of disaster recovery. It also generates the RTO and RPO.

A DRP checklist should include:

• establishing the range or extent of necessary treatment and activity — the scope of recovery.
• gathering relevant network infrastructure documents.
• identifying the most serious threats and vulnerabilities, and the most critical assets.
• reviewing the history of unplanned incidents and outages, and how they were handled.
• identifying the current disaster recovery strategies.
• identifying the incident response team.
• having management review and approve the DRP.
• testing the plan.
• updating the plan.
• implementing a DRP audit.

A good disaster plan is a constant evolution, a living document seeking the input and wisdom of all stakeholders.

Another component of the DRP is a well thought out crisis communications plan. The crisis communications plan should detail how both internal and external crisis communication will be handled. Internal communication includes alerts that can be sent using email, overhead building paging systems, voice messages or text messages to mobile devices. Examples of internal communication include instructions to evacuate the building and meet at assembly points, updates on the progress of the situation and notices when it’s safe to return to the building.

External communications are even more essential to the business’s continuity plan and include instructions on how to notify family members in the case of injury or death; how to inform and update key clients and stakeholders on the status of the disaster; and how to discuss disasters with the media.

An effective disaster recovery plan defines the roles and responsibility of disaster recovery team members and outline the criteria requires to put the plan into action. The plan should then specify, in detail, the incident response and recovery activities.

Testing Your Disaster Recovery Plan

Testing your DRP identifies weakness and opportunities to fix problems before they occur.  An easily recognizable example of this is a fire drill.  Students know where to stand on the ball field because they have practiced it and stragglers can be identified and coached through the process. Testing can also offer proof that the DRP is effective and hits RPOs and RTOs. Because IT systems and technologies are constantly evolving, testing also helps make sure your DRP is up to date.