
CIOs, How Good Is Your Disaster Recovery Plan?

Written by  Tuesday, 06 November 2007 10:44
Here are some questions CIOs should look into to evaluate their disaster recovery (DR) plans. You could ask yourself and your business continuity managers these questions to determine the efficacy of your DR plan.


 

1. When was the last time you tested your DR plan?

Typically we suggest the DR plan be tested twice during a year with a gap of six months between the two exercises. (1 point)

 

2. What was the scope of the last DR exercise?

The scope should include recovery of all IT services that support critical business processes. The criticality of the business processes would have been identified in the most recent business impact analysis (BIA) survey. Do get hold of the BIA results and validate whether the identified IT services supporting them were within the scope. (2 points)

 

3. What was the objective set for the DR exercise, and did you achieve it?

The objective of a DR exercise is to fulfill the end users’ expectations of recovery time objective (RTO) and recovery point objective (RPO). RTO is the time frame within which you are able to recover your platforms, systems, applications, and network; RPO is how recent the recovered data is. The last DR exercise should have met the RTO and RPO objectives. (2 points)

 

4. Who validated the success?

Were the end users a part of the exercise? Did they actually log on to the recovered systems and validate the success? If the end users are your customers and you have not involved them in the recovery exercise, then you would have created dummy customers to test the recovery. In that case, what you should expect is signoff criteria and a formal signoff from those entrusted with testing. (1 point)

 

5. Who carried out the recovery?

An additional objective of a DR exercise is to exercise career succession plans. This can only be achieved if an associate other than the one responsible for day-to-day operations of that IT service is made responsible for the recovery. Did you have a mentor/protégé recovering every system who would build up the necessary depth in your succession plans? (2 points)

 

6. Did you involve the offsite service provider in the exercise?

The backups used for recovery should be the ones that were shipped by the offsite storage service provider to the warm/cold site. This validates the efficacy of the backups and also exercises the service provider in being able to ship the tapes to the site. (2 points)

 

7. What were the lessons learned and follow-up actions?

If an exercise is 100 percent successful, then there is something wrong. Rarely have we seen a recovery exercise that has gone without any issues. Even within a successful recovery – complete scope, RTO/RPO achieved, and back-up personnel involved – we have identified issues that could help optimize the recovery process. What were the lessons learned during your exercise, and what have been the follow-up action points and time frames for completion? Is anyone monitoring that? (1 point)

 

8. How much of the environment has changed between the last exercise and now?

New applications are added, new servers added, new technologies implemented, old applications retired, old servers retired; the IT world is in a state of constant change. No two exercises spaced more than six months apart would be the same, even if we set aside the fact that the people involved in recovery should be different. Was a new BIA warranted in this period, and were its results an input for deciding the scope of the last exercise? (1 point)

 

9. Who were the third-party vendors involved in this exercise?

With the concept of an extended IT ecosystem in place – equipment, annual maintenance contracts, licenses, print jobs, janitor services, etc. being outsourced – who were the third-party vendors involved in this exercise? (1 point)

10. When was the last time you were included in the third-party vendors’ disaster recovery exercises?

Have you asked the third-party vendors to include you in their disaster recovery exercises? (1 point)

 

GRADING

12 to 14: You can trust your DR plan.

8 to 11: You should proactively involve yourself in the next DR exercise – decide the scope, participants, and vendors’ involvement, evaluate the results, and follow up on all lessons learned.

Below 8: You are an optimist who believes "hope" is a DR strategy.

Business continuity is not a one-time activity. It is a living and learning system that changes continuously to adapt to externalities. Consultants design, develop, implement a business continuity plan, train people, and leave. What we seek is to empower the CIO to be able to ask the right questions and to seek answers that validate the efficacy of the business continuity plan. This is particularly important to ensure that the success of the business continuity plan continues even when the consultants have finished the project.


Joseph McHugh is the executive deputy director operations for Judiciary Information Systems (JIS) of the State of Maryland Judiciary, US. With more than 30 years of IT experience, he is responsible for providing mission-supportive facilities and infrastructure, ensuring security, and optimizing operations at JIS. He is the project champion for the business continuity management system implementation project at JIS. McHugh can be reached at joe.mchugh@mdcourts.gov.

 

Sandesh Sheth, CISA, PMP, Six Sigma Black Belt, is lead consultant with the Enterprise Risk Management Group of Satyam Computers Services Limited, developing and implementing business continuity management systems for organizations worldwide. Sheth can be reached at sandesh.sheth@yahoo.com.



"Appeared in DRJ's Spring 2007 Issue"