Security Series: Disaster Recovery Target (Part 2 of 6)
- Chapter 1: Disaster Recovery Tactics that Ensure Business Continuity
- Chapter 2: Disaster Recovery Target
- Chapter 3: Formulation of the Business Continuity Plan
- Chapter 4: Disaster Recovery Objectives and Milestones
- Chapter 5: Building Preparation
The company's disaster recovery objective should be to simplify and support the development and testing of a well-prepared, rational sequence of procedures which will enable the organization to recover as efficiently and effectively as possible from an unforeseen disaster or crisis that interrupts normal business operations. A well-designed DRP should aim at a 24-hour resolution. This means that the business will suffer at most 24 hours of downtime. For some organizations this will not be acceptable; in these situations it is necessary to take a different approach that decreases the downtime. It is possible to restore within minutes of a disaster occurring.
Some organizations require high availability and have shadow sites offsite that are mirror images of live systems. These live systems have replication software that consistently updates the remote site and keeps the information and installed applications current. For those organizations that cannot afford these luxury systems, the next best thing is described within this document. Most of the tips and tricks have been harnessed and developed from remote offsite types of systems.
A Project Manager or team leader needs to be appointed to take ownership of the disaster recovery process. He will need to lead the DR team and will be held responsible for developing and maintaining the Business Continuity Plan (BCP). This document will guide the Security/IT/project manager and will help in the formulation of your organization's DR plan.
If your organization does not currently have sufficient available resources to get your business continuity planning process up and running, it may be important to outsource this function; visit www.fastennet.com for more information. It is important to initiate this process as soon as possible, as it stands as your insurance policy. Without it you will be caught high and dry in the event of a disaster.
It is important that the Project Manager selected work closely with your management and technical staff to undertake the risk assessment, prepare suitable back-up and recovery strategies and develop procedures for both the disaster recovery phase and the business recovery phase.
The time spent preparing for a disaster and the resources invested are well worth it at crunch time. A basic example would be as follows: a high-profile user has access to the entire folder structure and by mistake deletes the top-level directory. Restoring from backup is an option, but most backup tapes are sent offsite and are a day away (this is best practice). By having un-delete software on the file server, the IT professional can recover by simply searching for the latest deleted files and restoring them. Out of a network of 200 users I have done basic research that shows that on a monthly basis accidental loss occurs that will cost a minimum of $100. This may seem minuscule, but these $100 add up, and this situation could be remedied for less than $300 from multiple vendors available on the internet. Just think of the hourly charge for a resource creating a spreadsheet: the cost of electricity, rent, air-conditioning, parking per hour, etc., and all the input that goes into a basic spreadsheet. This spreadsheet only needs to be worked on for an hour and the cost of the spreadsheet will amount to close to $100.
Company communication on BCP Project
All employees need to be informed of the BCP, and it is good practice for the organization's Board or Governing Body to exhibit an apparent commitment to establishing and maintaining a successful Business Continuity Planning process. It is necessary to communicate to all staff that a Business Continuity Plan is mandatory in order to preserve the vital business functions which enable the organization to continue operations in the event of disaster.
Whenever I consult any company or speak with people who are in the IT security arena and I ask what they are doing for disaster recovery, I often get the answer that they are doing backups and that there is no reason to look at other solutions. I then ask if there is anything else that is being done and often I get the response, "What else is needed?" Backups do not constitute disaster recovery. Backups are only a small component of DR. Planning, offsite storage, testing, documenting, design and many other components constitute a good disaster recovery plan.
Everyone in the organization is responsible for the information security strategy, and attacks come from many different sources and levels. In the information age it is necessary to protect the organization against new threats that have not yet been identified. For this reason it is important to ensure that data security is the organization's primary concern. New threats are devised and distributed on the same day, at the speed of e-mail. Intruders and hackers like to broadcast these newly found weaknesses. Terrorists have a different strategy that strikes when they are least expected. The threats, natural or man-made, are all around us all the time, and in this day and age it is imperative that the business is preserved and continues to function without interruption.
When the disaster strikes it is important to maintain the security of the organization. Maintaining application and data availability, integrity and confidentiality ensures organizational security at an IT/IS level. Ensuring that other IT dependencies are working and in place is strategic, and it is imperative that your other organizational team leaders are involved in the DR process.
When looking for a disaster recovery strategy many IT professionals find it difficult to start. If you are struggling because you do not know how to go about getting ready for DR, all you need to do is get a test bed of computers that you will use offsite or onsite and then attempt a restore. These restores should be repeated and documented each time to ensure that no detail is lost. It is important to get other people to attempt the restore, as this will verify that the documentation is complete. It is recommended that the person restoring have some level of expertise, because even though the documentation may be complete, certain dynamic occurrences such as hardware and software failures and compatibility issues may occur even if the same or similar hardware is used. This seems to be a contentious issue, and it is agreed that comprehensive documentation does help. When dynamic things happen that have not been planned for, experience is what makes the difference between success and failure.
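One way to make each test restore repeatable and documented is to compare the restored files against a checksum manifest taken at backup time and to record the result against the 24-hour target mentioned earlier. The following Python is an added example, not part of the original article; the function names, the record fields and the sample files and timestamps are all assumptions constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

RTO = timedelta(hours=24)  # the article's 24-hour resolution target


def build_manifest(root):
    """Map each file's relative path to its SHA-256, taken at backup time."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def drill_record(manifest, restored_root, started, finished, operator):
    """Compare a restored tree with the manifest and return a drill record."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(f for f in manifest if f in restored and restored[f] != manifest[f])
    elapsed = finished - started
    return {
        "operator": operator,  # ideally not the author of the restore documentation
        "started": started.isoformat(),
        "elapsed_hours": round(elapsed.total_seconds() / 3600, 2),
        "missing": missing,
        "corrupted": corrupted,
        "within_rto": elapsed <= RTO,
        "passed": not missing and not corrupted and elapsed <= RTO,
    }


def demo():
    """Constructed sample: a small share with one file damaged and one lost on restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "budget.csv").write_text("q1,100\n")
        (live / "contacts.txt").write_text("DR lead: ext. 0000\n")
        manifest = build_manifest(live)                              # taken before backup
        shutil.copytree(live, restored)                              # stands in for the restore
        (restored / "finance" / "budget.csv").write_text("q1,1\n")  # simulated bad restore
        (restored / "contacts.txt").unlink()                         # simulated lost file
        start = datetime(2024, 1, 1, 9, 0)                           # constructed timestamps
        return drill_record(manifest, restored, start, start + timedelta(hours=5), "second engineer")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping each drill's record alongside the restore documentation shows over time whether the procedure still works when someone other than its author follows it.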
Disaster recovery is the process of:
- Business impact analysis: a designated IT professional looks at the whole DR plan and continuity process, if one exists, and performs an evaluation in order to identify the risk and highlight it to management.
- Documentation of all of the contact details of the people concerned. This includes phone numbers, addresses, designations, e-mail address details, etc.
- Understanding the expectations of the Client and also discussing with them how long the recovery may take and what the acceptable recovery time may be. This will help you to design a strategy and will also align you with the company's vision.
- Breaking the plan into smaller bits like phases and assigning team leaders to each phase. Constant monitoring of this process is a full time job. For this reason it is important to get a responsible influential figure involved.
- Defining a testing frequency and keeping to it. It is a good idea to test offsite, as this will test both the documentation and the contents of your DR pack.
- Defining the roles of the DR participants and the procedure for initiating the disaster.
- There are a few types of disasters. These need to be defined so that when a disaster happens you are able to phase the recovery. Total disasters and partial disasters each need to be defined.
- Salvaging of working equipment from the affected site.
- Relocation information needs to be communicated before the disaster, and staff need to become familiar with the site and with the procedure for arriving at the site and settling in, to avoid complications in the event of a real disaster.
- Client expectations need to be defined and accepted downtimes need to be predetermined.
- Responsibilities of IT and selected disaster recovery staff need to be communicated and simulated disasters practiced.
In part two of the Disaster Recovery series I have covered information pertaining to communication that should be sent out to staff regarding the organization's stance on disaster recovery. The planning of DR is also covered, along with the potential requirements each organization may have in terms of availability of resources that need to be taken into account. DR is not about backups but about processes that facilitate business continuity, the documentation thereof and the continual updating of the documentation so that in the event of a disaster the affected organization is able to recover.