Business Disaster Recovery Plan
DISASTER RECOVERY
Business continuity programs are designed to keep a business up and running in the face of a disaster, but unfortunately, they don’t always work. Sometimes, continuity controls fail or the sheer magnitude of a disaster overwhelms the organization’s capacity to continue operations. That’s where disaster recovery begins. Disaster recovery is a subset of business continuity activities designed to restore a business to normal operations as quickly as possible following a disruption.
The disaster recovery plan may include:
1. Immediate measures that get operations up and running again temporarily, but the disaster recovery effort is not finished until the organization is completely back to normal operations.
2. Initial Response following an Emergency disruption to an Organisation is designed to:
- Contain the damage caused by the disaster.
- Recover whatever capabilities that can be immediately restored. Include a variety of activities depending upon the nature of the disaster and may include activating an alternate processing facility, containing physical damage or calling in contractors to begin an emergency response.
During a disaster recovery effort, the focus of most of the organization shifts from normal business activity to a concentrated effort to restore operations as quickly as possible.
But before we go into detailed recovery plan, we need to consider risk assessment (RA) and business impact analysis (BIA) to identify the IT services that support the academy critical business activities. Which we will then establish the recovery time objectives (RTOs) and recovery point objectives (RPOs).
The recovery time objective, or RTO, is the targeted amount of time that it will take to restore a service to operation following a disruption. The organization must also think about the amount of data that it needs to restore as well. The recovery point objective, or RPO, is the maximum time from which data may be lost as the result of a disaster. Together, the RTO and RPO provide valuable information to disaster recovery planning.
Before we explain more about the planning process we need to follow some strategies that will help us to make a proper planning process. The Disaster recovery strategies, ISO/IEC 27031, the global standard for IT disaster recovery, states, “Strategies should define the approaches to implement the required resilience so that the principles of incident prevention, detection, response, recovery and restoration are put in place.” Strategies define what you plan to do when responding to an incident, while plans describe how you will do it.
Once you have identified your critical systems, RTOs, RPOs, as shown in the table below, we can formulate the disaster recovery strategies that is suitable to protect them.
|
Critical systems |
RTO/RPO |
Threat |
Prevention strategy |
Response strategy |
Recovery strategy |
|
Account payable |
4hrs/2hrs |
Server Failure |
Secure equipment room, backup server, UPS |
Switch over to backup server, validate UPS running |
Fix/replace primary server. fall back to primary server |
|
Building security |
2hrs/2hrs |
Security systems destroyed |
Locate systems in secure area, UPS, install protective enclosures around sensor unit. |
Deploy guards at strategic points |
Obtain/install replacement units, sensors |
We have been able to modify strategy to planning process in this second table below;
|
Critical systems |
Threat |
Response strategy |
Response action steps |
Recovery strategy |
Recovery action steps |
|
Account payable |
Server Failure |
Switch over to backup server, validate UPS running |
verify server is down, verify data has been backed up and is safe, test backup server, start switchover to alternate server. |
Fix/replace primary server, fall back to primary server. |
verify cause of server outage, obtain new server, install new server, test new server, fail systems back to new server. |
|
Security systems destroyed |
Deploy guards at strategic points |
Verify security system is down, verify security data has been backup and is safe, contact guard agencies to source on-site guards, define guard duties, brief guards on duties, provide communications devices for guards. |
Obtain/install replacement units, sensors |
verify cause of security system outage, contact supplier to get a replacement, test replacement system, test sensors, restart security systems. |
When developing your organisation Disaster recovery plans, we make sure to review the global standards ISO/IEC 24762 for disaster recovery and ISO/IEC 27035.”This is a standard of requirements which deal with all aspects of information security within your organisation. This can vary from physical to intellectual to electronic security. You will establish what is critical to your business and how you therefore control and protect these aspects.”
From a staffing perspective;
- This means that many employees will be working in temporary jobs that may be completely different from their normally assigned duties.
- Flexibility is key during a disaster response. Also, the organization should plan disaster responsibilities as much as possible in advance and provide employees with training that prepares them to do their part during disaster recovery.
- Communication is critical to disaster recovery efforts. Responders must have secure, reliable means to communicate with each other and with the organization’s leadership.
This communication includes ;
the initial communication required to activate the disaster recovery process, even if the disaster occurs after normal business hours.
It also includes regular status updates for both employees in the field and leadership and
it should include ad hoc communications capabilities to meet tactical needs.