By Ian Hight
In a previous article, I set out 10 key components of a disaster recovery (DR) plan for an organisation. I now expand on those views and set out the key roles and responsibilities.
The most essential roles are the owner and/or manager of the DR plan. A senior manager can then have responsibility for the development and success of the plan. In a smaller team, the IT manager may well have both roles, which is perfectly workable.
The development of the plan and the remaining roles in executing it can be outsourced. However, we recommend that the organisation retain ownership and management of the plan. This is because the business is the one with the greatest stake in the success of the plan.
The DR plan owner is primarily responsible for developing the objectives and goals. The plan should also set out the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for all business processes. It will also include a budget for implementing the plan.
The plan owner should be the CIO. This is because their role is to determine how critical a function or process is to the business. Then they will need to negotiate that decision with the line-of-business manager who owns that function or process.
The DR plan manager sets out how the plan fits into the overall business continuity plan (BCP). Once done, the plan manager sets out the fine details, along with resources (internal and external) needed to execute it.
A key element of the plan is to purchase, install, test and support the agreed disaster prevention measures. These range from the uninterruptible power supply (UPS) and backup generator to security measures such as anti-virus software. This will likely involve external suppliers and can be a complex and specialised role. The organisation may well choose to outsource the entire role via a facilities management contract. If it is kept internally, it needs a mid-level technician to undertake it.
One further task is to prepare the inventory of all relevant assets. These cover hardware, software, networks and telecommunications. This task requires attention to detail as a range of technical information is required.
Another vital task is documenting two key sets of processes. The first is back-up, such as which data will be backed up, how often, on which media and where the backed up data is held. The second set is recovery including what happens when, how, and by whom. This is essential in order to restore essential systems within the agreed RTO and RPO goals.
The organisation may well outsource this task too. There are specialist agencies for which this is their daily meat and drink.
Once the draft plan is ready, the DR plan manager takes over. They edit the draft and finalise such areas as the budget. Then the plan owner and manager sign off deliverables as meeting the plan’s goals. The plan manager should next supervise a complete test of the backup and restore processes. This will test that they are realistic and actually work.
The plan manager incorporates the learnings from the test into the final draft. A further test may be warranted. The plan manager then signs and forwards it to the plan owner for executive agreement.
The senior management group should now own the full plan. This ensures they and the staff all understand their roles in business continuity. Finally, the DR plan manager keeps the plan open on their desk so that it is a living document. Then it can be updated and refreshed as often as needed to ensure it meets the organisation’s changing goals.