Why You Need a Disaster Recovery Plan
Having a comprehensive Information Technology Disaster Recovery Plan (DRP) is central to your business operations. No matter what industry you’re in, there’s no escaping the fact that conducting business has evolved into a technology-centric venture. Your IT network is the center of business operations and without a robust, optimized, and secure IT infrastructure, you will not be able to compete in today’s marketplace.
Time is money and the cost of a downed network – in lost productivity, customer responsiveness, and reputation – is significant. Therefore, implementing a DRP is critical to business continuity. When disaster strikes, having a detailed written plan that outlines the steps to get your business up and running will prove invaluable in times of crisis.
IT networks are vulnerable to disasters, both natural and man-made. Natural disasters can include events like hurricanes, tornados, floods, blizzards, and lightning strikes. Man-made disasters can include events such as cyber-attacks, terrorism, electrical fires, and water pipe bursts. Given there are a number of developments that can seriously threaten your business’s ability to operate normally, it’s imperative you develop a DRP.
While your customers will be sympathetic at first when disaster strikes, they are unlikely to wait for long periods of time before they begin looking at competitors to meet their needs. If you don’t yet have a DRP drafted for your business, the time to begin developing one is now. There are many websites and resources that provide DRP templates such as www.disasterrecoveryplantemplate.org. You should also consider utilizing an Information Technology (IT) consultant with experience in developing DRPs.
Formulating a DRP
There are many factors that determine how comprehensive a DRP will be – including the company size, human resources available, and budget. Businesses should perform a cost-benefit analysis to determine how extensive their DRP needs to be to meet their business and customer needs.
Establishing and implementing a DRP requires the support of upper management. The tone at the top of the organization is central to communicating just how important the DRP really is. To begin developing an effective DRP, a team of key employees (which should include members of upper management and IT) should collaborate, brainstorm, and perform a risk assessment to determine the types of risks and disasters that are most likely to occur which would impact daily business continuity.
A thorough DRP does not just cover one type of disaster that could occur; it should cover all the most likely disaster scenarios that could impact your business and should outline a recovery plan for each of the scenarios. For example, responding to a hurricane disaster where the physical office could be impacted by flooding, wind damage, and power failure will be very different than responding to a cyber-attack.
When a disaster occurs, the DRP should clearly identify the individual or individuals who have the authority to activate the DRP. The names and contact information for each critical individual or vendor that is responsible for executing the various aspects of the DRP should be included in the plan. If a key person cannot be reached in an emergency, a backup individual and their contact information should be listed in the DRP. Since an emergency can occur at any time and time is of the essence, it is vital to maintain updated contact information for key parties at all times. Training key employees responsible for executing the DRP is also extremely important.
A DRP Checklist
There is not just one DRP that will work for all types of companies. Each DRP should be unique and specific to a business’s set of circumstances. Below is a list of some items to consider including when developing a DRP.
- Purpose and goals of the DRP.
- Diagram of the entire IT network.
- Updated inventory listing of all critical IT assets (hardware and software).
- Description of the elements in place to prevent certain disasters from occurring, such as generators and surge protectors.
- Description of what the business does and the tools in place to detect possible issues before a disaster occurs such as antivirus software, network monitoring tools, and regular employee training.
- Likely disaster scenarios and the plan for an orderly recovery for each scenario.
- Define the recovery time objective or the maximum amount of time allowed between the disaster taking place and when normal operations and service levels are resumed. This will vary depending on what each business is willing to accept.
- Location of backups.
- Comprehensive off-site data backup procedures including the procedures for regularly testing backups.
- The frequency at which backups are performed. Data should be backed up with enough frequency that any potential data loss is not deemed unacceptable to the business. If no more than 4 hours of data loss is acceptable for a particular application, then backups should be conducted for that application at least every 4 hours.
- Clearly list the recovery priorities, i.e., the most critical business continuity systems that need to be up and running first.
- List of software and systems that will be used to recover from the disaster and any useful/helpful information related to these.
- Name and contact information for those who will be tasked with implementing and executing the DRP. Be specific in terms of who is responsible for identified tasks. Backup personnel should also be clearly identified in case the individual in the first position to respond is unable to do so.
- List any vendors that will be used in the disaster recovery efforts and how to get in contact with them.
- Contact information for law enforcement, first responders, property managers, and other critical parties should be included.
- Description of how communication with employees will occur.
- Description of how communication with customers will occur.
- Possible relocation site if work cannot be conducted in the normal business location and directions on how to get to the relocation site. Careful consideration should be given to the location of the alternate site since you don’t want to select a location that would also be impacted by the disaster.
- Document history which includes dates the DRP was revised, what was revised, and by whom.
Download the DRP Checklist here.
Testing and Updating your DRP
Simply having a DRP is not enough. Testing the DRP in a simulated environment is vital to ensure the plan will work as intended. Testing is also beneficial to employees who will be tasked with implementing and executing the DRP because the more comfortable they are with executing the DRP, the smoother things will go in an actual emergency. The frequency of testing will vary based on the needs of your company but should occur at least twice per year. One thing to note is that having a test fail is not necessarily a bad thing because it will alert you to an issue that can be corrected ahead of an actual real disaster event.
Once developed, written and tested, the DRP should be reviewed and approved by key members of upper management and any feedback from upper management should be incorporated into the DRP as deemed necessary.
A DRP is a living document and can’t just be developed and filed away. An outdated DRP is almost as bad as not having one at all. It is important to conduct risk assessments annually to consider new vulnerabilities that could impact the business and to take into consideration any new IT tools that can be used to further reduce downtime or make the business less vulnerable to disasters. Any changes made to the DRP should be tested, staff should be notified of the changes, and training materials should be updated. We live in a world of constant change and this requires key employees to update the DRP at least once a year.
Safeguarding your Business
All employees should know where to locate the DRP and have a copy available to them at all times. In the event of a disaster, employees need to clearly understand their roles and responsibilities and also know who to contact so that incident response can begin. Key employees who will play a role in the execution of the DRP should be given a hard copy and an electronic copy of the most recent DRP to be filed away in their homes or some other off-site location.
In a competitive business environment, your company simply can’t afford the significant downtime and data loss which can lead to lost revenue, lost customers, and other significant expenses. While all disasters can’t be avoided, their impact can be minimized with an updated and tested DRP in place.