Disaster recovery risk assessment and business impact analysis (BIA) are crucial steps in the development of a disaster recovery plan. To do that, let us remind ourselves of the overall goals of disaster recovery planning, which are to provide strategies and procedures that can help return IT operations to an acceptable level of performance as quickly as possible following a disruptive event. Having established our mission, and assuming we have management approval and funding for a disaster recovery initiative, we can establish a project plan.
A disaster recovery project has a fairly consistent structure, which makes it easy to organise and conduct plan development activity. As you can see from The IT Disaster Recovery Lifecycle illustration, the IT disaster recovery process has a standard process flow. Following the BIA and risk assessment, the next steps are to define, build and test detailed disaster recovery plans that can be invoked in case disaster actually strikes the organisation’s critical IT assets. Detailed response planning and the other key parts of disaster recovery planning, such as plan maintenance, are, however, outside the scope of this article so let us get back to looking at disaster recovery risk assessment and business impact assessment in detail. Learn how to develop disaster recovery strategies as well as how to write a disaster recovery plan with these step-by-step instructions. Once your disaster recovery strategies have been developed, you’re ready to translate them into disaster recovery plans. Then, you’ll need to establish recovery time objectives (RTOs) and recovery point objectives (RPOs). This process can be seen as a timeline, such as in Figure 2, in which incident response actions precede disaster recovery actions.
Based on the findings from incident response activities, the next step is to determine if disaster recovery plans should be launched, and which ones in particular should be invoked. Then define step-by-step procedures to, for example, initiate data backup to secure alternate locations, relocate operations to an alternate space, recover systems and data at the alternate sites, and resume operations at either the original site or at a new location. The more detailed the plan is, the more likely the affected IT asset will be recovered and returned to normal operation. This section defines the criteria for launching the plan, what data is needed and who makes the determination. If your organisation already has records management and change management programmes, use them in your DR planning.
Included within this part of the plan should be assembly areas for staff (primary and alternates), procedures for notifying and activating DR team members, and procedures for standing down the plan if management determines the DR plan response is not needed. Drawing up strategies for disaster recovery audit, maintenance and continuous improvement are the key final stages in the development of a disaster recovery programme.
Now, when looking at preparation of disaster recovery audit, maintenance and continuous improvement strategies, ISO 27031 also provides some important recommendations.
Any change to ICT services which may affect the disaster recovery capability should be implemented only after the business continuity implications of the change have been assessed and addressed.


As noted in previous articles in this series, disaster recovery strategies and procedures help organisations protect their investments in IT systems and operating infrastructures. Whether you use an internal audit department or an external auditing firm, be sure to periodically evaluate your disaster recovery programme to ensure it continues to be fit for purpose and compliant with industry standards and company policies. Define the internal audit plan for IT disaster recovery and document the criteria, scope, method and frequency of audits. When building a disaster recovery maintenance plan, be sure to secure senior management review and approval.
Leverage existing internal resources, such as a Microsoft SharePoint collaboration space, to provide a secure repository for maintenance activities. Generate periodic (for example, quarterly) maintenance reports to management, highlighting the status of maintenance activities and issues that need to be addressed. Once the disaster recovery project is completed, launch an ongoing process of continuous improvement. Your organisation can continually improve disaster recovery and business continuity activities by monitoring the overall programme and applying preventive and corrective actions, such as periodic reviews of programme performance, as appropriate. But, before we look at them in detail, we need to locate disaster recovery risk assessment and business impact assessment in the overall planning process.
Such plans provide a step-by-step process for responding to a disruptive event with steps designed to provide an easy-to-use and repeatable process for recovering damaged IT assets to normal operation as quickly as possible. Formulating a detailed recovery plan is the main aim of the entire IT disaster recovery planning project.
In addition to using the strategies previously developed, IT disaster recovery plans should form part of an incident response process that addresses the initial stages of the incident and the steps to be taken. Here we’ll explain how to write a disaster recovery plan as well as how to develop disaster recovery strategies. The next section should define roles and responsibilities of DR team members, their contact details, spending limits (for example, if equipment has to be purchased) and the limits of their authority in a disaster situation. A section on plan document dates and revisions is essential, and should include dates of revisions, what was revised and who approved the revisions. Here we can see the critical system and associated threat, the response strategy and (new) response action steps, as well as the recovery strategy and (new) recovery action steps. And since DR planning generates a significant amount of documentation, records management (and change management) activities should also be initiated. Technology DR plans can be enhanced with relevant recovery information and procedures obtained from system vendors. Check with your vendors while developing your DR plans to see what they have in terms of emergency recovery documentation.
Disaster recovery’s principal mission is to return IT operations to an acceptable level of performance as quickly as possible following a disruptive event. It shows where the disaster recovery audit, maintenance and continuous improvement fit into the overall disaster recovery lifecycle and framework.


Check to ensure that your audit firm has expertise in business continuity and disaster recovery. So, for example, make sure to audit outsourcing vendors to ensure their capabilities support your organisation's disaster recovery strategies and plans. These will include risk assessments, business impact analyses (and updates to existing risk assessments and BIAs), plan reviews, plan exercises, contact list updates, and plan training and awareness activities. This process has ties to the “kaizen” philosophy of manufacturing, which encompasses activities to continually improve all manufacturing functions, involving all workers and all processes. Once this work is out of the way, you’re ready to move on to developing disaster recovery strategies, followed by the actual plans.
The following section details the elements in a DR plan in the sequence defined by ISO 27031 and ISO 24762. Procedures should ensure an easy-to-use and repeatable process for recovering damaged IT assets and returning them to normal operation as quickly as possible. Once the plan has been launched, DR teams take the materials assigned to them and proceed with response and recovery activities as specified in the plans. This section should specify who has approved the plan, who is authorised to activate it and a list of linkages to other relevant plans and documents. Continuous improvement is an ongoing activity that occurs at all points in the DR planning lifecycle, and can be implemented through effective programme management. When applied to disaster recovery, continuous improvement ties together the previously discussed disaster recovery audit and maintenance activities and leverages the results of both to introduce improvements to the process on an ongoing basis.
Those events with the highest risk factor are the ones your disaster recovery plan should primarily aim to address.
Once you have identified your critical systems, RTOs, RPOs, etc, create a table, as shown below, to help you formulate the disaster recovery strategies you will use to protect them. Important: Best-in-class DR plans should begin with a few pages that summarise key action steps (such as where to assemble employees if forced to evacuate the building) and lists of key contacts and their contact information for ease of authorising and launching the plan. Located at the end of the plan, these can include systems inventories, application inventories, network asset inventories, contracts and service-level agreements, supplier contact data, and any additional documentation that will facilitate recovery. If DR plans are to be invoked, incident response activities can be scaled back or terminated, depending on the incident, allowing for launch of the DR plans. Now it is time to map out plans for disaster recovery audit, maintenance and continuous improvement. It is in these plans that you will set out the detailed steps needed to recover your IT systems to a state in which they can support the business after a disaster.
These are essential in that they ensure employees are fully aware of DR plans and their responsibilities in a disaster, and DR team members have been trained in their roles and responsibilities as defined in the plans.


