Security 101

Disaster Recovery Plans

So what exactly is a Disaster Recovery Plan?

What is a Disaster Recovery Plan?

A Disaster Recovery Plan (DRP) is a documented process or set of procedures to execute an organization’s disaster recovery process and recover a business IT infrastructure in the event of a disaster. Disasters can range anywhere from natural disasters to a data breach. The DRP is a part of the organization’s Business Continuity, which refers to the ability to continue critical functions and business processes after the occurrence of a disaster.

Implementing a well-written and well-documented DRP can have several benefits for a company. A DRP minimizes the risk of delays and the need for decision-making during a disaster, which ultimately makes for a less stressful work environment. A DRP guarantees reliability of standby systems and provides a standard for testing the plan. The DRP also reduces potential legal liabilities.

Without a DRP, Business Continuity can be greatly affected. Organizations may experience a loss of assets, including financial and reputational loss. Companies may also experience extra expenditure during a data breach, as it takes an average of 69 days to recover from a data breach.

 

 

Developing a Disaster Recovery Plan

The DRP is a comprehensive statement of actions to be taken before, during, and after a disaster. Every company is different, so it is important to develop a DRP catered to the company’s specific needs. The DRP should include prevention, detection, and correction strategies.

 

RPO and RTO

The Recovery Point Objective (RPO) and Recovery Time Objective (RTO) provide guidelines for creating the DRP. The RPO refers to the interval of time that might pass during a disruption before the quantity of data lost exceeds the maximum tolerance. The RTO refers to the duration of time within which the business process must be restored before Business Continuity is affected.

DRPs are most effective when they are updated frequently. The DRP should be a part of all business analysis processes and be revisited at every milestone.
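One way to check a backup schedule and restore drills against the RPO and RTO defined above, as an added example rather than code from the original article. The system names, objectives, backup history and drill durations are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timedelta

def worst_case_data_loss(backups, now):
    """Longest window with no successful backup, measured up to `now`.
    Failed jobs protect nothing, so the window runs through them."""
    good = sorted(t for t, ok in backups if ok)
    if not good:
        return None  # no restorable copy exists
    points = good + [now]
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def check_objectives(system, now):
    """Return findings; an empty list means RPO and RTO are both met."""
    findings = []
    loss = worst_case_data_loss(system["backups"], now)
    if loss is None:
        findings.append("no successful backup on record")
    elif loss > system["rpo"]:
        findings.append(f"RPO exceeded: {loss} without a good backup")
    drills = system["restore_drills"]
    if not drills:
        findings.append("RTO untested: no restore drill recorded")
    elif max(drills) > system["rto"]:
        findings.append(f"RTO exceeded: slowest restore took {max(drills)}")
    return findings

# Constructed sample data (hypothetical systems, not from the article).
def at(hour):
    return datetime(2024, 1, 2, hour, 0)

NOW = at(13)
SYSTEMS = {
    "billing-db": {
        "rpo": timedelta(hours=4), "rto": timedelta(hours=2),
        # The 08:00 job failed, so 04:00-12:00 had no fresh copy.
        "backups": [(at(0), True), (at(4), True), (at(8), False), (at(12), True)],
        "restore_drills": [timedelta(minutes=50), timedelta(minutes=105)],
    },
    "file-share": {
        "rpo": timedelta(hours=24), "rto": timedelta(hours=8),
        "backups": [(at(1), True)],
        "restore_drills": [],
    },
}

if __name__ == "__main__":
    for name, system in SYSTEMS.items():
        print(name, check_objectives(system, NOW) or "objectives met")
```

A single failed job doubles the exposure window for the four-hourly schedule, which is why the check measures gaps between successful backups and not the configured interval.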

 

Step 1: Perform a Security Risk Assessment (SRA)

A Security Risk Assessment (SRA) is an assessment that involves identifying the risks in your company, your technology, and your processes to verify that controls are in place to safeguard against security threats. The results of the SRA will provide guidance for the rest of the DRP process. It should include a risk analysis and business impact analysis that covers a range of possible disasters and potential consequences.

Step 2: Establish Priorities for Processing and Operations

The organization should define the critical needs of each department. Apps and systems that are critical to business functions should be prioritized. Doing so will help create a plan to get these apps and systems up and running first to decrease downtime in case of an outage.

Step 3: Collect Data

After prioritizing assets, the organization should create various lists to refer to in the event of a disaster. These lists should include vendors and their telephone numbers, inventories, backup and retention schedules, and any other information that is essential to business functions.

Step 4: Organize and Document a Written Plan

Using all of the data collected, the organization can now document a written plan. Key parts of a well-constructed DRP include:

  • Business Impact Assessment
  • Off-site Storage Location
  • Communications Plan
  • Response and Recovery Strategy
  • Hardware and Software Inventory

Step 5: Develop Testing Criteria and Procedures

After writing the DRP, the organization should determine the feasibility and compatibility of backup facilities and procedures and identify areas in the plan that need modification. After developing these procedures, the organization may now test the plan.

Important Tips to Remember

 

  • Always define your tolerance for downtime and data loss
  • Lay out who is responsible for what and identify backup personnel. Clearly define key roles and responsibilities involved during a DR event
  • Create an effective communication plan, as the main communication platforms may be affected during a DR event
  • Make sure the Service Level Agreement (SLA) with vendors includes disasters and emergencies
  • Always include operational and technical procedures to handle sensitive information.

Adsero Security provides full Disaster Recovery Planning services. We can help your organization design and craft a complete Disaster Recovery Plan from the ground up, or simply help you update and test your current plan. 

Contact us today to get your Disaster Recovery Plan ready before the next emergency.