Disaster recovery report card: Measuring your company's disaster recovery profile

Disaster recovery preparation is challenging because you don't know exactly what you're preparing for. Events like Hurricane Katrina also point to our inability to reliably predict the scale of damage and the inability of government at all levels to cope with the aftermath of an adverse event. The adverse event can range from extreme weather conditions or disturbances in the earth's geology to human-related events caused by errors, accidents or malice. Regardless of the cause, adverse events become disasters when the event's negative consequences affect your company's ability to maintain operations. Even though IT planners cannot predict what event may threaten the continuity of IT operations, the basics of disaster recovery planning and recovery requirements change very little. To see how your company's disaster recovery efforts may measure up, consider using the following criteria to measure your disaster recovery plan and the probability that your IT operations can be recovered to support your business operations within a short period of time. Grade F (Unprepared) Regular data backups are not performed. Processes or documented procedures for recovery are not in place. You have never tested your ability to recover operations in any way should normal IT operations be threatened or fail. Grade D (Marginally Prepared) Operating systems and applications are backed up daily, but not tested. @22946 Tape backups haven't been tested since the last staff change -- or in the last six months. Data backups are sent out each night to an alternate location nearby. Grade C (Prepared) Full back-ups (digital trio replicas) have been recently tested, as have processes and documented procedures for recovery. Backups are done off-site over a communications link on alternate hardware. Tape backups are stored off site or sent by courier each evening to an alternate location up to ten miles away. Grade B (Well Prepared) Backups are done on a redundant SANS storage array at alternate locations separated by 10-63 miles. Alternative electric power is available at one or both sites. Data, OS and application recovery steps have been tested in the last quarter and found to be adequate to recover normal business operations within 24 hours. Grade A (All Set) Redundant, near real time, bit-by-bit hot backup site separated by 64-200 miles or more, with alternative power. Backup site runs daily production operations at least one day per month to verify smooth transfer of operations. The days of having your entire backup and recovery tapes and hardware in the same building should long be a thing of the past for any of today's publicly traded companies reliant on their data systems. The technology and communications options available allow placing replicas in geographically dispersed locations and communicating backup data in near real time. Should an organization not want to invest in the resources themselves, pooling with others or using third-party providers should be considered as alternatives. Management should know the company's disaster recovery profile and have an honest assessment of the time it would take to recover after an adverse event. The grading scale above should provide a starting point and help communicate the situation in easily understood terms to decision makers regarding the ability to recover. It should also help to demonstrate the funding and resources needed to prevent an event from becoming a disaster by moving up one or more grades. About the author Dennis C. Brewer is the author of Security Controls for Sarbanes-Oxley Section 404 IT Compliance: Authorization, Authentication and Access published by Wiley. His resume includes a BSBA degree from Michigan Technological University, Novell Network Engineer Certification, and over a dozen years as an information technology specialist with the State of Michigan. He retired from his position as an IT security solutions specialist in January of 2006 from the State of Michigan, Department of Information Technology, Office of Enterprise Security and is now operating his own IT consulting practice in Laurium, Michigan.