By Ian Hight
In my first article on disaster recovery, I identified the two key objectives the business needs to set for its IT recovery strategy: the Recovery Point Objective (RPO) and Recovery Time Objective (RTO). This was followed by an article exploring the key elements of a Business Continuity Plan (BCP), which includes a Disaster Recovery (DR) plan for the IT systems. I now drill down into the key elements of DR for an organisation.
The first elements of the plan, while obvious, are still worth stating: it needs to be documented, agreed and supported by senior management (not just IT) and communicated so everyone responsible for its execution understands their roles and responsibilities.
Key IT DR plan components
1. How the IT DR plan fits into the overall Business Continuity Plan (BCP)
2. Disaster prevention measures such as: component protection technology; an uninterruptible power supply (UPS) and backup generator in the event of power failure; electricity surge protectors; fire and heat detectors, alarms, fire extinguishers; anti-virus software and other security measures.
3. IT DR plan team members, contact details as well as roles and responsibilities
4. Objectives and goals of disaster recovery:
(Here RPO and RTO for all business processes and the metrics for each of these processes is mapped to the IT systems/infrastructure that support that process.) As I set out in my previous article, not all RTOs and RPOs are created equally as different processes (even within the same application) have different consequences for the business if they fail. Furthermore, IT needs to be the final arbiter of how mission-critical a process is because they hold the DR budget. Line-of-business managers want the very best coverage for their operations (nil data loss and nil time loss would be ideal …) so IT has to play Solomon with the competing business interests.
5. Asset Inventory of hardware, software, both IT and comms: it should include as much detail as is known, such as location, configs/specs, schematics and diagrams (LAN diagram of routers, switches, servers and wiring for comms), original and depreciated costs and, of course, supplier details for replacements
6. Documented backup processes – what is backed up, how often, on what media and where the backed up data is held. (Note: at this stage the business could outsource the back-up services but this service provider is still a part of the team and their role is documented in the plan)
7. Documented restoration processes – what happens when, how, and by who in order to bring the required systems back up in order to meet the RTO and RPO goals and return to pre-disaster levels. (There is often a good economic case for restoration to also be outsourced to a specialist supplier if the back-up service is also managed by them.)
8. The next step is to test the plan and giving it a thorough run-through to ensure that the roles, responsibilities, processes and procedures are realistic and actionable
9. After testing and sign-off by the plan owners, it should be signed by senior management (and be updated with these as personnel change) so that the organisation clearly understands the importance of the plan for the whole business
10. Finally, the plan should be published and promulgated so everyone needs to understand it and knows how it works!
One aspect of DR that is receiving more focus is not necessarily the business itself that may have a disaster. All businesses fit somewhere in a supply chain, either providing other businesses or consumers directly with products and services. These same businesses also rely on a range of suppliers for the ‘raw materials’ for their product and services.
More and more larger organisations, usually those with many key suppliers, are requiring those suppliers to have a BCP/DR plan themselves. In the event of the supplier having a disaster the larger organisation wants to be assured of a limited, acceptable impact on the supply of those goods and services. Whenever a business develops and publishes its DR Plan, it should also inform its customers to ease their minds that they can get supply lines up and running again quickly to ensure minimal disruption to those third party organisations’ own customers. Which all makes for good customer relations!
In the next article, we look at key roles within the plan and ask who is best to take on those roles.