DISASTER RECOVERY 
JOURNAL
P. O. Box 510110
St. Louis, MO 63151
(314) 894-0276 
Fax: (314) 894-7474
Internet www.drj.com 
E-mail drj@drj.com

PUBLISHER
Richard L. Arnold, CBCP
richard@drj.com

EDITOR-IN-CHIEF
Jon Seals
jon@drj.com

SENIOR EDITOR
Janette Ballman
janette@drj.com

COPY EDITORS
Richard Sandhofer
richards@drj.com
Pamela Clifton
pamelaclifton@hotmail.com

ADVERTISING 
Robert Arnold
bob@drj.com

_____________

Corporate

President/CEO
Richard L. Arnold, CBCP
richard@drj.com

Vice President 
Robert Arnold
bob@drj.com

CONFERENCE COORDINATOR
Patti Fitzgerald, CBCP
patti@drj.com

CONFERENCE REGISTRAR
Merce Knese
 mercedes@drj.com

CIRCULATION
Laura Baugh
 laurab@drj.com

EXECUTIVE COUNCIL
Jeff Dato, MBCP, KPMG
John Jackson, J Albright Advisors
Edward Devlin, E.S. Devlin & Associates
James Hammill, CBCP, JMH Consulting
Pat McAnally, SunGard Availability
Brian Turley, Strohl Systems
Belinda Wilson, Hewlett-Packard
INTERNATIONAL
CONTACTS
England: Thom Hetherington
Business Continuity 
Phone: 0161-237-1007
 thomh@tempus.demon.co.uk

Australia: Anthony J. Harvey
Journal of Business Continuity
Phone: 0011-613-953-0055-8
fax: 0011-613-953-0528
 sector@notability.com.au

Japan: Shinji Hosotsubo
Quake Japan Co., Ltd.
Phone: 03-3215-2880
fax: 03-3215-2881

 

Click Here for a Printable Version

Building a Comprehensive Disaster Recovery Plan
Integrating People, Processes and Technology to Prepare for Business Disruptions

By LINDA CERNI, CBCP

Disaster recovery has been top-of-mind for many IT managers as events that cause unplanned business downtime continue to surprise us; 2005 was no exception. Natural disasters, human conflicts and constant exposures to security breaches and attacks have driven organizations of all types and sizes to recognize the need to implement or improve their comprehensive business continuity plan (BCP) that includes a robust IT disaster recovery plan. What exactly does a disaster recovery plan entail? Backup polices? Recovery scripts? Security breach escalation procedures? An effective disaster recovery plan addresses not only the protection and recovery of technology, but as part of a broader BCP, also includes the people, processes, and procedures necessary to bring about the true end game: the ability for end users to manage corporate risk, respond to a potential disruption, and complete new business transactions while protecting historical transactions that together keep a company viable when faced with a disaster event.
That’s a tall order for most organizations. Many IT managers are prepared to take the first step to protect and secure their data; however, few are completely prepared to enable the resumption of critical business processes within a desired timeframe. According to a survey conducted by Applied Research, among 500 IT Managers, 70 percent of those surveyed have deployed data backup, replication, and recovery technologies. However, only slightly more than 54 percent of IT managers in the survey had a complete disaster recovery plan in place. Having recovered data but not applications and end users is a lot like having the sheet music but no instruments, musicians, concert hall or conductor to play the symphony. It’s just not going to get the job done.
According to Infonetics Research, large companies lose up to 16 percent of annual revenue due to unplanned network downtime. So what should IT consider while planning for disasters, events, or crises?

Understand and Communicate Needs
About one-third of respondents in Applied Research’s survey indicated they did not see a need for a disaster recovery plan. Awareness and communication, at the IT management level as well as executive level, is critical. Some leading questions that may help managers understand and communicate the need for an effective disaster recovery plan:

  • How long can we suffer a security attack or IT outage before there is a significant impact to customers/partners/corporate viability?
  • Is information currently available to everyone who is authorized to access it — and protected from everyone else?
  • Are the right policies in place to ensure that information is protected from both internal and external threats — and effectively recovered following an emergency?
  • Is the right data backed up, archived, and easily accessible for regulatory purposes — while unneeded information is permanently and securely deleted?
  • Is the data information put through a formal data information refresh process to ensure that data that is often stored at off-site facilities for extended periods of time is tested for integrity and can be used following technology refreshes and upgrades?
  • Is there a regularly maintained inventory of all purchased applications, tracking license numbers, most current version, versions maintained, and copies owned, with a prioritization in place for restoration?
  • Are application priorities known and agreed to? Are inter-dependencies between applications understood, and inter-dependencies between applications and business processes understood? Are these documented and agreed to by stakeholders?
  • Can improvements be made to the security and availability posture ahead of the most recent vulnerabilities and threats?
  • If an emergency arises that takes all or part of the company’s network down, how quickly can the organization return IT operations to a normal state?
  • Is the organization prepared to quickly and seamlessly restart business processes in order to continue operations?
  • Are we testing the plan to drive out deficiencies or to show success for audit or visibility purposes?
  • Do we truly understand the business needs to meet those service levels through proper investment to close the gap between expectations, realistic capabilities, and risk appetite?

IT managers should prepare a business case and communication with their executive team to obtain resources for disaster recovery plan development and execution. IT managers should also work with executive leadership to maintain an ongoing commitment to testing and change management.

Make It Happen
Thirty-three percent of respondents in Applied Research’s survey stated that the primary reason they did not have a plan in place was because of a lack of resources. Additionally, cost was the most frequently cited challenge for creating a disaster recovery plan.
It is important to note that the cost of developing a disaster recovery plan can be quite low, relative to the impact on recovery. Simply placing critical information such as employee and vendor contact lists, IT equipment lists, existing network diagrams and application manuals is a step in the right direction. You would be surprised how many businesses have not done this. Spending a half hour during a regular staff meeting to discuss who would be in charge at time of disaster and who would take responsibility for what, is another simple step. Asking management to approve of automatic higher spending limits for IT managers in the event of a disaster is another step. Disaster recovery planning is all about taking another step. It is never perfected but can always be improved, regardless of the level of available resources or funding.
Respondents in the Applied Research study consistently cited several motives for creating a disaster recovery plan (respondents could choose more than one): 61 percent cited data corruption, 59 percent cited component/application failure, 54 percent cited site outage, and 54 percent cited downtime required for maintenance.
Once IT has a clear understanding of the environment, key motivators, and possible exposures, take action. The first step is to prioritize identified risks and fill gaps that may exist via mitigation, acceptance, or assignment. These may be gaps in policy, technology, personnel, capabilities, processes, people, or all of the above. Filling these gaps helps harden the infrastructure against potential downtime. Without this step in place, IT may spend too much time recovering from emergencies, somewhat like bailing water out of a boat without repairing the leaks.
Action also includes ensuring the proper technologies, processes, and procedures are in place to recover from the unexpected. Regardless of how well IT might prepare, something can always happen. A ruptured sprinkler line in the server room can create a very bad day for IT personnel – which can turn into a nightmare without a solid, un-tested recovery plan in place.

Maintaining Control
Control is about managing the IT infrastructure for the highest level of resilience in the future. It’s about maintaining the highest operational state within the infrastructure, from servers to workstations to laptops. This starts from the moment a new piece of hardware or software is introduced into the environment. IT administrators need to be able to maintain control over the IT infrastructure to continuously ensure that client devices are secure, available and compliant with established corporate standards. Control means IT knows – not thinks, but knows – it can maintain the infrastructure in a known good state. It also means not just keeping up, but staying ahead.

Summary
Everyone wants to protect and guard against potential incidences – whether it’s a simple server outage or a catastrophic event. But in addition to the right technology, personnel, processes, and procedures, organizations must have a commitment to an effective business continuity plan, inclusive of more than just a disaster recovery plan, to make it work. This includes crossing some traditional boundaries to ensure that information is always secure and readily available. The entire system only works if all the parts are properly connected. The invisible “wall of silence” that often exists between the IT security and IT operations teams must drop in order for the IT organization to be able to fully understand, act, and control. It is all risk management at the core. In fact, with a broader view on the entire company’s operations, IT must communicate better and more often with the entire company. Creating a governance board comprised of senior IT, corporate, and business managers will greatly assist in building and maintaining an effective awareness and prioritization of business continuity with an organization.
Organizations should ask some important business questions before embarking on disaster recovery planning in order to prioritize investment spending and communicate the need to relevant parties. Additionally, business and IT executives should remember that building a disaster recovery plan is all well and good, but it is equally important to regularly test any disaster recovery plan in order to ensure that operations can be established as documented. Testing ensures that there are no surprises should an unplanned event occur.
While no organization can guarantee 100 percent resilience, they can take appropriate steps through proper planning that will help them quickly recover from any disruption to its infrastructure. By incorporating disaster recovery plans into the greater enterprise business continuity plan, organizations can protect corporate viability and ensure a continuity of operations to customers, partners and investors.

Linda Cerni, CBCP, is the worldwide business continuity practice director for Symantec Corporation. Cerni has been in the disaster planning, response, and recovery industry for more than 16 years. Her former employers include the American Red Cross, the Federal Emergency Management Agency, and the United Nations.

©Copyright Systems Support Inc. All rights reserved. Reproduction in whole or in part in any form or medium without the express written permission of System Support Inc. is prohibited.