Security Series: Disaster Recovery Tactics that Ensure Business Continuity (Part 1 of 6)
- Chapter 1: Disaster Recovery Tactics that Ensure Business Continuity
- Chapter 2: Disaster Recovery Target
- Chapter 3: Formulation of the Business Continuity Plan
- Chapter 4: Disaster Recovery Objectives and Milestones
- Chapter 5: Building Preparation
Approval for the Disaster Recovery (DR) ongoing project will be essential in keeping this perpetual process alive the IT professional needs to ensure that your primary goal is to get this directive. Top level support is necessary to ensure the survival of the disaster recovery project.
This document points out topics that even after years of repetition are neglected and for this reason many DR plans collapse and are not worth the paper they are printed on. It is vital to have a document that outlines and details the DR process. Please note a BCP (Business Continuity Plan) is part of a Disaster Recovery Plan. Backups do not constitute Disaster Recovery and are only a component of DR. No matter how good the Disaster recovery planning there is no way that any team can prepare for every single disaster possibility. There is quite a bit that can be done to mitigate risk however. Generic type plans can be constructed that help in alleviating down time. The whole objective of DRP and BCP is to reduce downtime and to promote business continuity.
Disaster recovery is not only about information technology it also encompasses other aspects like communications, buildings, stationary, office equipment, stationary, water supplies, electrical supplies and other forgotten business processes. These are often overlooked causing DR failure. The scope of this series is focused around IT resources and process.
Ten Steps to Disaster avoidance
- Perform backups regularly. Keep information central, this will help control information backup and help protect information integrity.
- Increase physical security to server room to prevent Data loss.
- Antivirus and Patch update and management.
- Internet facing systems are secured and maximum security is applied.
- Remote access to data servers is controlled and strictly monitored.
- Backups are stored offsite.
- Physical solutions like fire suppression environmental monitoring and access control are implemented.
- Document all changes using proper change control.
- Perform systematic scheduled restores that verify Tape or backup media integrity.
- Ensure the whole process is documented and can be followed by non-technical personnel.
Potential disasters and their types
Many professionals feel that Disaster Recovery is not important. If they felt it was important they would all have comprehensive DR plans that worked in the event of a disaster. The reason for this is miseducation and misinformation. It is guaranteed that when a disaster emerges no matter the professional's opinion prior to the disaster, DR is worth every cent. The DR Team needs to examine each potential environmental disaster or emergency situation that may occur. The focus should be on the level of business disruption potentially resulting from each situation.
When disaster strikes it is important to be prepared so that the business can continue to function with the least amount of impact possible. Irrespective of sound backup strategies and intelligent decisions taken to protect a company's data many organizations leave out the vital disaster recovery aspect of the whole security strategy. A comprehensive solution is important as many things now depend on IT. Potential emergencies include business disruption caused by one or more of the following disasters.
- Tornados, Hurricanes, Strong winds
- Floods, Snowstorms
- Earthquakes, Electrical storms
- Fires, Subsidence and Landslides
- Freezing Conditions
- Contamination and Environmental Hazards
- Organised and/or Deliberate Disruption
- Act of terrorism, Act of Sabotage
- Act of war
- Theft, Arson, Disgruntled employee.
- Labour Disputes/Industrial Action
- Loss of Utilities and Services
- Electrical power failure
- Loss of gas supply, Loss of water supply
- Petroleum and oil shortage
- Communications services breakdown
- Loss of drainage / waste removal
- Equipment or System Failure, Internal power failure, Air conditioning failure
- Production line failure, Cooling plant failure
- Equipment failure (excluding IT hardware)
- Serious Information Security Incidents
- Cyber crime, Loss of records or data
- Disclosure of sensitive information
- IT system failure
- Mergers and acquisitions
- Negative publicity
- Legal problems
The Cost of a disaster
Disasters can have serious impact on your organization and business if you do not recover quickly. Some operations can not be down for more than an hour before the organization has to close shop due to penalty clauses that are binding in contracts. Below are some "costs" That may be used to persuade management of budgetary approval.
- Revenue Loss
- Brand image Loss and recovery
- Loss of share value
- Loss of interest on overnight balances; cost of interest on lost cash flow
- Delays in customer accounting, accounts receivable and billing/invoicing
- Loss of control over debtors
- Loss of credit control and increased bad debt.
- Loss of revenue for service contracts from failure to provide service or
meet service levels
- Lost ability to respond to contract opportunities
- Penalties from failure to produce annual accounts or produce timely
- Where company share value underpins loan facilities, share prices could
drop and loans be called in or be re-rated at higher interest levels.
- Cost of replacement of buildings and plant
- Cost of replacing equipment
- Cost of replacing software
- Replacing Staff that may have been lost because of disaster.
- Salaries paid to staff unable to undertake billable work
- Salaries paid to staff to recover work backlog and maintain deadlines
- Cost of re-creation and recovery of lost data
- Loss of cash flow
- Interest value on deferred billings
- Penalty clauses invoked for late delivery and failure to meet Service Levels
- Loss of customers (lifetime value of each) and market share
- Loss of profits
- Additional cost of credit through reduced credit rating
- Recruitment costs for new staff on staff turnover
- Training / retraining costs for staff
- Fines and penalties for non-compliance
- Liability claims
- Additional cost of advertising, PR and marketing to reassure customers
and prospects to retain market share
- Additional cost of working; administrative costs; travel and subsistence etc.
- Potential prosecution for non compliance and contract adherence.
The Business Continuity Plan Recovery document
The BCP document is a living document that needs to be kept up-to-date and this process ensures its effectiveness. After each quarterly test a new version needs to be created and updated. At anytime you should only have one document with all of the changes and updates appended. If the document is well constructed the organization should be able to use external resources that do not have intrinsic knowledge of your current network to recover your system. This can only be achieved once the BCP document has matured and it is recommended to attempt such a recovery after the first three DR tests. The reason for this document is to reduce the risk of not being able to restore because process has not been documented.
Getting senior management to buy in is most probably the hardest part of DR. For this reason it is important to start with the directive and management buy in. The way that most IT professionals get DR motivations approved is through the financial department. DR should not be the responsibility of the IT professional but should be a directive delegated to the IT professional and this mandate then allows the IT professional to implement the directive. It is necessary for the DR plan to form part of organization's security policy.
Please note that no matter how large or how small the organization DR is always applicable. Management support is vital and for this reason education about the DR process would be relayed both to management and to staff by the responsible department and DR team.
Build a plan for each department
Most organizations have many departments; this may necessitate a plan for each department as a full plan can be incomplete because the correct process was not followed. The recommendation is that if the departments are larger than 50 users then it may be necessary for individual plans to be rendered for each department that will be incorporated into an enterprise plan. The best way to get a decision on this is to consult the head of each department and for the IT professional to explain the DR planning process to the respective head. This will build awareness and will help in the process of establishing plans for respective departments.
In part one of the DR series we have covered potential disasters and what possible events could come to pass within an organization, for this reason it is vital to have a plan in place like an insurance policy on any valuable item. Do not backup anything up unless you plan on restoring what you backed up. Time is of the essence and the longer that the organization waits to implement the disaster recovery and business continuity plan the higher the risk.
If you would like to be notified when Ricky Magalhaes releases the next part in this series please click here to sign up to our Real-time Article Update.