Disaster recovery planning is defined as the process of creating a comprehensive plan that helps your organization resume work after the loss of data or IT equipment due to natural or human-made disasters. A good disaster recovery plan will make sure that this is done with minimal business disruption. This article introduces you to disaster recovery planning, key steps involved in creating it, and ten best practices to develop and implement a DRP template. Show
Table of Contents
What Is a Disaster Recovery Plan (DRP)?A disaster recovery plan is defined as a well-defined set of actions that helps an organization recover its technology and operations based on its business policies. It is a component of security planning and a subset of business continuity planning. If there is anything 2021 has taught the world, it is that disaster strikes with no warning. Come pandemic or wildfires, businesses must be equipped to provide the services it has committed to, with zero to little disruption. One way of doing this is planning — figuring out which resources are essential and how they can be protected and backed up. Importance of having a stable DRP:
Now that it is clear why every business needs a disaster recovery plan, let us take a look at the steps involved in creating a viable disaster recovery plan template. Also Read: What Is Disaster Recovery? Definition, Cloud and On-premise, Benefits and Best Practices 8 Key Steps for a Disaster Recovery PlanLet’s look at the step-by-step breakdown of the tasks required to build a robust and adaptive DRP. 1. Gather a team of experts and stakeholdersCreating a disaster recovery plan is not a one-person job. It involves input from various internal employees and external vendors. A good DRP team consists the following roles:
Apart from these internal members, property managers, law enforcement contacts, and emergency responders must be added to the final disaster recovery plan. These are variables that need to be constantly updated at regular intervals. 2. Take inventory and analyze business impactBusiness impact analysis (BIA) is the foundation of good DRP. In this step, the business is broken down into individual assets, services, and functions. Each asset and service is then evaluated based on how long the company can run without facing financial losses, reputational losses, or regulatory penalties if this asset fails. Inventory typically includes individual assets that drive the functioning of the organization. These include assets such as:
This step produces an inventory list along with cost, legal and regulatory requirements, details such as operating systems, configuration settings, version numbers, license keys, and criticality of each. Mission-critical assets — the breakdown of which can bring significant services of the company to a halt — are marked. Also Read: Top 8 Disaster Recovery Software Companies in 2021 3. Identify the disaster recovery planning metricsOnce the BIA is done, the business’s IT infrastructure and processes are broken down and quantified in terms of the cost of downtime and criticality. We can create formal and tangible goals of recovery for each function of the business.
This is the amount of time a particular service can be offline without a significant business impact. For example, for an e-commerce website, the ‘Add to Cart’ functionality cannot be down for more than a few minutes. But the ‘Customer Care chat history’ option can be down for a couple of hours without significant impact.
When we talk about addressing vulnerabilities during disasters, we are usually talking about security changes or data backup. The best way to prevent data loss would be to back up critical information into tiered servers or the cloud. The RPO determines how frequently this needs to be done for each asset or function. This essentially tells you how outdated your data can afford to be when an unplanned incident occurs. For example, marketing and sales data can be more than 24 hours old without causing any real damage. But banking transactions need to be as recent as five minutes ago. Keep in mind that these metrics do not depend on just business impact alone. Industry regulations need to be taken into account too. For instance, hospitals that lose patient electronic health records are subject to HIPAA penalties. 4. Conduct a risk assessment and identify the scope of the DRPThe BIA stage takes stock of what the business has to lose. The risk assessment stage looks into possible reasons for the loss. During risk assessment, make sure that you:
Also Read: 5 Step Guide to Business Continuity Planning (BCP) in 2021 5. Decide on the type of disaster recovery planAll businesses cannot use a one-size-fits-all disaster recovery plan template. Based on the results of the previous steps and the DRP budget, you can opt for one of the following types of DRP:
2. Virtualization based DRP: Virtualization based DRP works with virtual machines rather than actual hardware and recovery sites. Images of the primary infrastructure are stored and updated at regular intervals. A virtual machine can be that of the database, server, or application setup. While virtualization-based DRPs are considerably cheaper than the first option, a recovery strategy is essential for it to work. Identifying recovery software and the backup medium is crucial. This type of DRP requires extensive testing. 3. Cloud-based DRP: Cloud-based DRP involves backing up critical assets or even the entire primary setup with a cloud provider. This type of planning requires extensive coordination with the cloud managers in terms of security, testing, and meeting the RTO and RPO goals. It is best to pick a cloud provider that allows you to pick the location of the physical and virtual servers. This option is cheaper than data center recovery planning but can be more expensive than virtualization-based DRP. 4. Disaster recovery as a service (DRaaS): If an organization lacks the expertise and resources to create their own DRP, they can enlist the services of a third-party service provider. These providers are referred to as DRaaS companies. It is important to make sure that the service level agreement (SLA) with these companies is in line with the organization’s DRP vision. DRaaS costs vary based on disaster recovery planning goals. Some DraaS solutions also offer artificial intelligence, machine learning, and predictive analysis based disaster recovery plan templates. These help with pre-emptive strikes by automatically detecting ransomware, predicting data loss, hardware failure, and application downtime in case of disaster. Also Read: Will Extreme Weather Events Affect Your Business? Lessons From the Texas Winter Storm 6. Create a disaster recovery playbookA disaster recovery plan must consist of an RTO and RPO for each service and a step by step recovery plan based on the type of disaster recovery plan chosen. A completed disaster recovery playbook doesn’t just end with that. Other mandatory information includes:
7. Test the disaster recovery planBy this stage, the first draft of the disaster recovery plan is ready. A good DRP is defined by how well-tested it is. Considering the magnitude of this operation, this can be tricky and time-consuming. It might also be an expensive affair, so make sure to include this while budgeting for your DRP efforts. There are many ways of testing a disaster recovery plan:
Like every other testing activity, DRP testing must be carried out at regular, scheduled intervals. Keep in mind that all of these tests need to be carried out in every testing cycle. Different tests can be carried out at different points of time in the cycle. It is also not necessary to test the entire system in every cycle. Individual components can be tested based on any changes made in the system or routine maintenance. Make sure the person in charge is in the loop. Combining multiple components for a narrow test run is also an option. Success metrics are how you conclude if a DRP was a success or failure. A successful test isn’t just a playbook implementation that runs without errors. Any holes captured during the testing and marked to be fixed without delay are considered successes too. Success metrics need to be detailed in the DRP too. In the case of DRaaS, testing frequency and success metrics are included in the SLAs. Also Read: Offsite Data Replication: A Great Way To Meet Recovery Time Objectives 8. Establish a communication planApart from automated tests, employee awareness training sessions must be conducted by the HR department. The people in charge of different services in the DRP must be walked through the different scenarios covered in the playbook at different intervals. Their contact information and their roles and responsibilities must be readily available in case of emergencies. Disaster recovery exercises and drills need to be carried out at regular intervals. Since an outage can cause panic and outrage, it is prudent to have a PR team in place. Exact information about how long it would take for the system to come up and the cause of failure will be easy to gather, thanks to the DRP. This makes stakeholder appeasement easier. Following these 10 steps will definitely result in a fail-proof disaster recovery plan. There are multiple checklists available online to make sure that you do not skip over any of them. Remember — a good DRP focuses on managing the crisis, restoring business-critical functions, and recovering, all while communicating with your stakeholders, as explained by Tom Roepke and Steven Goldman in the Disaster Recovery Journal. Top 10 Best Practices To Create and Implement a Disaster Recovery Plan (DRP) in 2021Best Practices To Create and Implement a Disaster Recovery Plan (DRP) in 2021 1. Focus on the assets and vulnerabilities, rather than the disasterPicking particular disasters and focusing only on risks associated with them can draw attention away from other threats. A better approach would be to identify core assets and services and then working up to the associated vulnerabilities. 2. Keep iterating the processDisaster recovery planning is not a one-time process. Business requirements keep changing, new infrastructure is added every day and industry regulations are updated all the time. This means that the DRP also needs to keep changing. It is best to have scheduled sessions, ideally three to four times a year. It can also be based on certain milestones or triggers — like adding a new service or making major changes in an existing one. A good DRP grows with the business. 3. Maintain a readily accessible disaster recovery playbookA Disaster recovery playbook is meant for multiple stakeholders at different business levels and professions. It must be written in a clear and concise language understood by all. Once a playbook has been approved and tested, a hard copy must be placed in a readily accessible area, while a soft copy is loaded onto the cloud or a portable medium. A DRP must also be easily modifiable since it is subject to change with every iteration. Any changes made in the plan must be reflected in all storage and communicated to all stakeholders and team members. Also Read: What Is Password Management? Definition, Components and Best Practices 4. Do not forget the processesDRP is not just about the hardware and the software. There are people and processes involved in each step too. It is important to make sure that the recovery team has a backup work location to operate from. If employees are logging in from home, do they have secure access points to reach your systems? Remember to include these work-process solutions in the playbook. 5. Have a testing schedule and stick to itA disaster recovery plan is only as good as its testing schedule. A 2014 Global Benchmark Study showed that poor planning, testing, and technological deficiencies led to more than a $5 million loss by critical application failure, data center outages, and data loss. An untested plan leads to a false sense of security. Usually, DRP tests are scheduled three to four times a year, though some bigger enterprises with complex systems carry them out monthly. 6. Create comprehensive post-test reportsA testing activity must always result in a comprehensive report detailing the following points:
Also Read: 10 Best Password Managers for 2021 7. Keep up employee awareness, training, and drillsAll concerned people must always be kept in the loop, and DRP drills need to become part of the company culture, just like fire drills. Training must be frequent and contact information updated. 8. Supplement your DRP with security and data protection solutionsReplicating a whole new secondary setup means replicating security concerns as well. Any cyberattacks or ransomware demands must be curtailed within the primary system and cannot permeate the WAN while duplicating data for backup. 9. Protect the everyday softwareAny SaaS applications used, like MS Office or Salesforce, need to be considered in the inventory logging stage. While they might not directly be involved with the company’s services, losing contact information with potential clients might have a long term effect. Even email suites come into play here because the loss of important communication can be a major business impediment. 10. Ensure good reportingOn-ground reporting is just as, if not more, important than test reports. When a disaster actually strikes, and the DRP is set in motion, provisions must be made for documenting each step. It is the best way to figure out what works best and what needs tweaking. With the number of natural and human-made threats increasing daily, creating, adopting, and maintaining a well-thought-out disaster recovery plan makes good business sense. A good DRP goes a long way in creating a confident and resilient business. Did this article help your research for a disaster recovery plan that suits your business? Tell us on LinkedIn, Twitter, or Facebook. We would love to hear from you! Which of the following is the known plaintext document that helps view the entire organization's disaster recovery efforts?A. The executive summary provides a high-level view of the entire organization's disaster recovery efforts.
What is disaster recovery plan document?A disaster recovery plan (DRP) is a formal document created by an organization that contains detailed instructions on how to respond to unplanned incidents such as natural disasters, power outages, cyber attacks and any other disruptive events.
What is a disaster recovery report?A disaster recovery plan (DRP) is a documented, structured approach that describes how an organization can quickly resume work after an unplanned incident. A DRP is an essential part of a business continuity plan (BCP).
Which among the following is used for disaster recovery?
|