Security Series: Final countdown tips for Disaster Recovery and Business Continuity (Part 6 of 6)
- Chapter 1: Disaster Recovery Tactics that Ensure Business Continuity
- Chapter 2: Disaster Recovery Target
- Chapter 3: Formulation of the Business Continuity Plan
- Chapter 4: Disaster Recovery Objectives and Milestones
- Chapter 5: Building Preparation
- Chapter 6: Final countdown tips for Disaster Recovery and Business Continuity
There is yet to be an organization that has not suffered accidental loss of data from an incident or a disaster. Furthermore neglecting these facts is illegal, in the United States not protecting data as information is taken very seriously and executives are now being prosecuted for not taking the due diligence required to protect the data. Data is that is no longer just a commodity but a growing asset and more over intellectual property of the organization.
It is important that the plan be adhered to by all involved. The plan consists of small tasks that eventually cluster together to form the full continuity and recovery plan. The coordination of such a plan needs a project manager or IT professional that is well versed in IT disaster recovery and continuity planning and implantation. For this reason it is important to ensure that the person selected has the required experience, this person will be held partially responsible for the success of such an implantation.
The biggest failure in disaster recovery and business continuity to date from experience is undoubtedly lack of backups or corrupt untested backup tapes. Tapes that do not restore the data when needed or failing backup mechanisms are common and this is often the primary reason for failure. You are not able to recover if you do not have backups. As obvious as this sounds, many fail to take it into cognizance. Many organizations have called on recovery operations to assist with recovery of deleted data and lost data due to physical catastrophe and disaster that impedes the business. You would think that vital database files and vital documents will be backed up but many organizations take the stance that: if it is working do not react or be proactive; they only react once the data is gone and this, in turn, costs thousands of dollars in loss, as not only is the data valuable, but the time it took to construct the data.
It is important that all clients on the network be informed of the IT professional's plans to implement BC and disaster recovery. The clients need to be informed that they are to store the organization's data in a central place that will be part of the backup strategy. If all clients follow this approach then backing up company data should be much simpler.
A comprehensive corporate awareness program for communicating the procedures of the business recovery process needs to be devised. This will help formalize the DR policy and reinforce its importance in the minds of the users concerned. Team leaders and staff that are involved in the BCP process need to be trained and this means that facilitation of training needs to be provisioned for in the budget.
A question that directors need to ask themselves is: can the business go even one day without access to critical technology systems like e-mail, database and payroll related files? If so, the organization may need to invest in recovery technology. Keep in mind, however, that a better investment will pay off in the long run especially when a disaster or data loss occurs. It doesn't pay to skimp if the plan is not able to fit your business needs. It is recommended that if the risk is substantial that at least 1-5% of the value of the data is budgeted as protection there of.
The system that the IT professional uses for BC and DR should be a solution that can scale with the organization's future needs and that doesn't lock the organization into a particular technology or vendor. The benefits realized from regular innovation in server and storage technology will be disadvantaged by a disaster recovery system that isn't flexible. For this reason it is important that the technology be reviewed annually.
Assigning a Responsible Agent for Maintaining the Business Continuty Plan
It is essential that the BCP gets updated in an orderly fashion and that the team is made aware of the changes every time it has been updated. Testing the BCP when doing a parallel test or DR rehearsal will highlight areas that may have been neglected and that need to be added to the BCP. This in turn should prompt a change in the document that is approved and updated by the agent assigned by the team leader.
Change Controls for Updating the Plan
It is strongly recommended that official change controls are adhered to. This is needed to cover any changes necessary made to the BCP. Change control is a virtue that needs to be practiced in any organization that would like to conform to good business practices. Complex systems need to be documented for the good of the organization. Even if the individual configuring the system is in a permanent position it is vital that all steps pertaining to the BCP/DRP are documented and stored in a secure offsite location.
The DR and BC plan should be living documents. They should reflect the latest information available. Project managers are responsible for reviewing and updating their plans on a regular basis at least each quarter after and before each test.
It is necessary to perform a regular review and audit of your contingency and back-up arrangements as it forms part of due diligence process. It is essential for your corporate IT continuity assurance - to help ensure that you are able to withstand and recover from a major incident or disaster.
Documentation and preparedness
Some documentation is done for filling the required role or to match the auditor's requirements. The reason for documentation is to be able to back track and recreate the system without ambiguity, quickly and effectively. The other reason is to protect the organization from placing too much reliance on one individual or team of people that can be killed in a disaster or that can leave the organization at anytime.
Many professionals feel threatened by documentation but when a level of maturity is reached where the professional is more than the work that is documented the threat subsides. If the rocket scientist and astronaut could document the entire process of taking a rocket ship to the moon and landing it on the moon, then the documentation of DR or any IT system can be achieved. However you look at this vital part of disaster recovery it must be noted that the documentation must not be designed for anyone to be able to do the restore and should be aimed at IT professionals that have intrinsic knowledge. This means that the documentation must not be too verbose as to boggle down the person restoring the system but must be detailed enough to remove doubt when recovering. For this type of documentation read the manual.
If all is documented and planned when disaster strikes, recovery of the critical IT systems should run smoothly without much discussion and appear to be organized and professional. The IT professional should know that forgetting a simple fact that is not included in the plan may result in failure of the restoration of the data and may in turn hinder the continuity process. For this reason it is important to use someone that has adequate guidance and experience in disaster recovery planning.
Documentation should be stored in an offsite location and even in another state in case of earthquakes, tsunamis and other disasters that cover vast amounts of ground. Remote locations that are at branch offices may work as regular shipments of internal mail travel between the two sites.
A good idea and is to form a checklist that is followed once disaster is initiated. You may want to include information and contact details of vendors and organizations that will be able to assist in restoring the downed systems.
Tips for DR and BC
- Remove single points of failure.
- Ensure your passwords are stored within the documentation and that the documentation is in a secure location, preferrably sealed in an envelope.
- Ensure that some contingent hardware is available onsite in case of incident or small disaster.
- Use a UPS with filter circuitry. UPS = continuous power. Some do not protect against surges and this needs to be looked into when purchasing or planning for contingency.
- Physical security is a good contingency plan to ensure business continuity. This will reduce possible loss caused by many factors that need physical access to your servers and data.
- Fire suppression and protection is always a good idea.
- Protect critical systems with priority.
- Store tapes offsite and ensure that the vendor can return them when requested. Try to choose a vendor that is in a different geographic location.
This article completes the series and we have covered many aspects that need to be taken into consideration when designing both a Disaster Recovery and Business Continuity Plan. These articles and in total e-book should be used as a guide to help the security IT professional. Ultimately the executives are responsible for securing the organization's data and nothing they do can dissolve that responsibility. Be safe! Insure your organization starts on a DRP/BRP today. For more information and consultancy you are welcome to contact Fastennet @www. fastennet.com