Hurricanes. Tornadoes. Earthquakes. Fires. Floods. Terrorist attacks. Cyberattacks. You know any of these could happen to your business at any time. And you’ve probably got a disaster recovery (DR) plan in place to protect your enterprise’s data, employees and business.
But how thorough is your DR plan? When was it last updated and tested? Have you taken into account new technologies and services that can make it easier to recover from disaster? The following are 7 things your IT disaster recovery plan should include.
1. An analysis of all potential threats and possible reactions to them
Your DR plan should take into account the complete spectrum of “potential interrupters” to your business, advises Phil Goodwin, research director of data protection, availability and recovery for research firm IDC. (IDC is part of IDG, which publishes CSO.)
You should then spell out a recovery plan for each scenario. For example, Goodwin says, “If there’s a cyberattack that shuts down servers in D.C., do you have a transition plan for that scenario?”
Of course, not all scenarios are equally likely to occur. So as best you can, try to anticipate which potential disruptors are most probable. Sadly, cyberattacks are becoming “a more likely scenario” these days, Goodwin notes. So you might want to give cyberattack planning precedence over some natural disruptors, he explains.
2. A business impact analysis (BIA)
To effectively determine DR priorities, put each major information system through a business impact analysis, recommends Mark Testoni, president and CEO, SAP National Security Services, Inc.
A BIA “identifies and evaluates the potential effects (financial, life/safety, regulatory, legal/contractual, reputation and so forth) of natural and man-made events on business operations,” according to Gartner.
“Completing a BIA for major IT systems will allow for the identification of system priorities and dependencies,” notes Testoni. “This facilitates prioritizing the systems and contributes to the development of recovery strategies and priorities for minimizing loss. The BIA examines three security objectives: confidentiality, integrity, and availability.”
Testoni adds that a BIA helps establish priorities for your disaster recovery, business continuity, and/or continuity of operations plans. “A standard approach to developing a comprehensive disaster recovery plan is to first develop the policy, then conduct the BIA,” he says. “After creating a prioritization with the BIA, contingency strategies are developed and formalized in a contingency plan.”
A common mistake many organizations make in their DR plans is “too much focus on technology and not enough on people and process,” Goodwin says. “IT is an enabler. Never forget you’re not just recovering data and servers.” He recommends thinking about how to build a DR plan in the context of your entire organization. “What behaviors will you need from your user community? What do they need to get up and running again after a disaster?”