When companies are hit by disasters, certainly their physical facilities can be damaged and sustain huge physical losses – however, most companies realize that the even larger cost is in potential data losses that, if recovered at all, could take months, thereby putting the entire business organization at risk. Such data losses can even, in some cases, lead to additional lawsuits and litigation fees. Although it is important to implement a DR Management Plan for your physical facilities this report will center on the IT or data piece of implementing a DR Plan.
What exactly is a disaster recovery plan? It is a plan that provides step-by-step procedures for the recovery of data, systems, and networks, then helping them to return to normal operations.
The question in many people’s minds is why their company should even have a DR plan in place? After all, it is quite easy to tell everyone to back up their computer once a week and make each employee responsible for their own data. So, I guess it boils down to this: are you willing to trust your employees with your business? If so, then you are quite the gambler!
A study done by the University of Texas found that 43 percent of companies that experience a catastrophic data loss will never re-open its doors. Another 51 percent will close within two years of that catastrophic event. Only six percent of companies that experience a catastrophic data loss will recover and survive. So if you are not willing to put a data recovery management plan in place, then you are taking a huge risk.
If you are reading this and these percentages do not alarm you, then you probably either have a very strong constitution or, hopefully, you already have implemented an effective data recovery plan there.
The Five Steps to prepare Disaster Recovery Plan
What happens if your company or organization does not have a DR management plan in place or the plans are not in alignment with company requirements? If this is the case, then here are the five things that will put you on the right path in implementing a Disaster Recovery Plan.
Step 1 – Create a DR Management contingency statement for your company or organization
DR Management Contingency Statement is a formalized policy or set of guidelines that authorizes a DR plan to be developed and implemented. Is this a policy that should be set in stone? Absolutely not. A DR recovery plan should be a “living” document. IT, data, and networks within companies are constantly changing and evolving. Even a software update changes the dynamics of your IT systems, therefore, the structure of the plan needs to have flexibility built into the system.
When developing a DR Plan, it is important to understand the implications of each department involved and how they mesh. Therefore, it is critical that a team is created and not just one or two people to get involved. This team is accountable for:
- Determining the scope of the plan (including both internal and external elements and assets), choosing third-party vendors and systems, and briefing senior management.
- Assembling all the documentation necessary to develop a relevant DR Plan. This includes compiling network diagrams, systems documentation, and configurations for equipment.
Identifying the following and then compile and document the same:
- What are the serious threats to infrastructure – both natural and man-made? This could be power system failures, human error, fire, etc.
- What are the most serious vulnerabilities?
- What is the history of any previous disruptions?
- Prioritize the most critical areas that must be back up and running first.
Step 2 : Conduct a Business Impact Analysis (BIA)
Throughout the process of developing a Disaster Recovery Management Plan, it is common for many of the processes to overlap and morph together – and it is natural. One of the reasons for this to be a flexible plan is because there are constant changes within most companies or SMB organizations. But creating a DR Plan should never be a case of the blob that ate your company. So, when you are creating the plan, keep in mind the scope of the work and create a timeline with several built-in phases. This will allow your team to track their own progress and will help senior management to keep informed.
After the DR team has gathered the relevant information, it is time to create a business impact analysis. This BIA is used to determine how the risks that were identified will have effect your business operations. When an incident negatively impacts business ops, your company will be affected, and the consequences could be disastrous.
A business impact analysis helps companies and organizations to identify their priorities and create, modify, and validate plans for the company.
Step 3: Identify Control Measures
Within the disaster recovery plan, one of the most important areas is identifying control measures and eliminating threats. What are control measures? They are the steps that are implemented to reduce threats to companies.
For example, often employees can visit almost any Internet site from their company computers. When there are no structures placed on their surfing, this can open the company servers up to the possibilities of viruses, malware, and other disastrous possibilities. By filtering the websites that employees can visit, a company can reduce the possibilities of viruses or malware potentially contaminating their systems.
This is just a small example of how a control measure can be implemented to keep your company’s data safer and more secure and to reduce the potential of a disaster striking. The three types of control measures that can be implemented:
- Detective measures: Controls that will detect and discover events.
- Preventative measures: Helps prevent an incident from occurring.
- Corrective measures: Rectifies or restores a network or system after an incident occurs.
When your company or organization has identified and implemented control measures, they should be documented, updated, and tested on a regular schedule.
Step 4: Create recovery strategies including an IT contingency plan
Each department in your company or organization should have a set recovery strategy as well as a well-defined and understood priority list set in place. Identify the critical departments and areas of each department that are crucial to a company’s ability to get back up and running with minimal impact on the business.
Some of the most common strategies for a company should be data protection. Backups should be made frequently (often daily) and the data should be sent off-site. The most common backup are to tape and disk (on-site as well as off-site). It is also crucial for the back-up information to be tested regularly so that data won’t be lost in the event that it is needed. There are some excellent high availability systems on the marketplace that keep data safe.
Many companies or organizations choose to outsource their data recovery to a DR specialist since the providers are dedicated to data management and are affordable.
Step 5 : Implement testing, training, measuring, and maintaining the plan
It is critical that once you have implemented DR Management Plans that they are maintained. Set a timeframe for the disaster recovery management team to meet – perhaps on a bi-annual basis – to review the priorities of each department. It is also important for not only the team and senior management to be aware of the plan, but also each employee to be trained about their part of the DR process.
Involving all your employees in the DR management process will ensure that they are aware of what is necessary to keep their company or organization running smoothly but also help it recover quickly in the event of an emergency.
No one wants a disaster to happen, however, creating an effective disaster recovery management plan for your company will go a long way in helping you stay in business in the event of a disaster.
Download a free Disaster Recovery Plan Template here!
We will be happy to help you devise DR Plans or inhouse your DR site infrastructure within our certified and audited data centers coast-to-coast.
Reach us at firstname.lastname@example.org.