Arguably the most critical parts of disaster recovery planning are the disaster recovery strategy and the detailed recovery plan. It is here that you will codify the concrete steps to take to get up and running again following an unplanned outage. The disaster recovery strategy and detailed recovery plan are based on a risk assessment and business impact analysis of your organisation and your understanding of the systems most critical to the business and what you need to do to get them working again in an acceptable time frame.
In this interview, SearchStorage.co.UK Bureau Chief Antony Adshead speaks with Paul Kirvan, board member with the Business Continuity Institute, about the key elements in a disaster recovery strategy, how to research them and what should be included in a detailed recovery plan.
You can read the transcript below or listen to the podcast.
Kirvan: Once you have completed risk assessments and business impact analyses, you should have identified the critical systems and functions, and their recovery time objectives [RTOs] and recovery point objectives [RPOs] should be defined and approved. You are now ready to develop DR recovery strategies. These strategies will help you respond to and recover from disruptive incidents when they occur.
The ISO standard for IT disaster recovery, ISO 27031, states, “Strategies should define the approaches to implement the required resilience so that the principles of incident prevention, detection, response, recovery and restoration are put in place.”
A key way to distinguish the difference between strategies and plans is that strategies define what you plan to do when responding to an incident, while plans describe how you will do it.
One way to develop strategies is to create a table listing your critical systems, their RTOs and RPOs, and any other relevant information from your initial research. The legend across the top of the table should include 1) the critical system’s name, 2) its RTO and RPO values, 3) the threats you have identified for the critical system, and 4) to 6) columns describing prevention strategies, response strategies and recovery strategies.
Completing such a table, and validating it by sharing the results with others in the project team, will help you define the strategies you will use to develop your DR plans.
SearchStorage.co.UK: How does one research/populate the key elements of an organisation’s recovery strategy?
Kirvan: Create a table, as we described earlier, to help develop strategies. Your table will list the critical systems, their RTOs and RPOs, and threats to these systems. If you are not sure of the strategies available to you, you can research them in several ways. First, you can buy books on the subject from a reputable source like the Rothstein Catalog on Disaster Recovery.
Next, you can search for strategies on the Internet using. The Business Continuity Institute has access to thousands of business continuity professionals who will be happy to assist you. And the BCI’s Good Practice Guidelines is an excellent source for all aspects of business continuity management. Continuity Central, at www.continuitycentral.com, is the leading Web portal on BCM topics. It has an entire section on the basics of business continuity. You should be able to find plenty of useful information there.
Check domestic and global DR standards, such as BS 25777 and ISO 24762, respectively, for guidance on defining strategies. And be sure to ask your vendors for their input on disaster recovery strategies. You should also contact your business continuity management colleagues for their suggestions. Also, don’t forget the many excellent business continuity consultants whose years of experience could save you a lot of time and money.
SearchStorage.co.UK: What should be the key elements of an organisation’s disaster recovery plan?
Kirvan: Disaster recovery plans have a fairly standard format. … Refer to the sources we described earlier. And be sure to review disaster recovery standards, such as ISO 27031 and ISO 24762.
Firstly, before we begin with the formal disaster recovery plan structure, be sure to have a page or two at the very front of the plan that summarises key action steps (such as, where to assemble employees if forced to evacuate the building) and lists key contacts–both internal and external–and their contact information. As seconds and minutes count in an unfolding disruption, this information will help you save valuable time when authorising and launching the plan.
Now, let’s briefly go through each section in a disaster recovery plan.
The introduction follows the initial emergency pages, and this section includes the purpose and scope of the plan. It should also specify who has approved the plan [and] who is authorized to activate it; and it should include linkages to any other relevant plans and documents.
In the roles and responsibilities section, we define the roles and responsibilities for disaster recovery team members, [including] their contact details, spending limits (such as, if equipment has to be purchased) and their limits of authority in a disaster.
The incident response section gets us through the initial onset of the incident. We typically become aware of an out-of-normal situation (say, we receive alerts from system-level alarms). We next quickly diagnose the situation (and any damage) and try to make an early determination of the severity of the incident. Next we try to contain the incident and bring it under control. We also notify management and other key stakeholders.
If the incident cannot be stopped, we go to the plan activation section. Based on outcomes from incident response activities, we would determine if disaster recovery plans should be initiated, and which ones in particular. This section defines the criteria for launching the plan, what data are needed and who makes the decision. Included within this section are primary and alternate assembly areas for staff, procedures for notifying and activating disaster recovery team members, and procedures for standing down the plan if management determines the disaster recovery plan response is not needed.
The next section is document history, which lists document dates and revision dates, what was revised, and who approved the revisions. You may locate this section at the front of the plan, if you prefer.
The heart of a disaster recovery plan is the procedures section. Once the plan has been launched, disaster recovery teams take the materials assigned to them and proceed with response and recovery activities as specified in the plans. The more detailed the plan is, the more likely the affected IT asset will be recovered and returned to normal operation. Include relevant vendor information and procedures where possible in technology disaster recovery plans.
Finally, located at the end of the plan, appendixes can include systems inventories, application inventories, network asset inventories, contracts and service-level agreements, supplier contact data, and any additional documentation that will facilitate recovery.
SearchStorage.co.UK: How do you generate such a plan? Where do its component parts come from?
Kirvan: You can generate a disaster recovery plan from scratch, but it may not be necessary since there are many resources and tools available to help you. Refer to the resources we mentioned earlier, such as The Rothstein Catalog, the Business Continuity Institute and Continuity Central.
Look into BC/DR software products that can greatly simplify the process. A few dozen are available–you can invest as little as £100 or well into thousands of pounds for more sophisticated products. BC/DR professionals may be willing to share their plans with you. Consultants will be happy to assist you in all aspects of your disaster recovery plans. And when developing your plans, be sure to use the frameworks provided by the BC/DR standards. That way, your plans will be ready for auditing, should that become necessary.