IT disasters can be devastating to the infrastructure of an organization. An IT disaster recovery plan (DRP) is a group of procedures that allows IT personnel to recover data and resume normal operations in the event of a disaster. It must identify the most critical systems and prioritize their recovery in order to minimize the disaster’s impact on the organization. IT disaster recovery templates must also specify the steps needed to restart and reconfigure those systems during the recovery. A template can aid in the development of the DRP, although the specific steps depend on the organization. Developing a DRP from a template is a required skill for a graduate with a master's degree in information assurance. Having educated employees that can develop and implement an IT disaster recovery plan is necessary for every business.
Developing a Recovery Strategy
The National Institute of Standards and Technology (NIST) provides extensive information on disaster recovery planning for IT systems in Special Publication 800-34. The document advises that copies of the DRP should be stored in multiple secure locations in the form of CDs and hard copies. A copy should be issued to each member of senior management, and a protected master copy should also be stored in a dedicated location.
The DRP must also be updated as needed to reflect changes to the infrastructure or recovery requirements. This update must be performed in a controlled, structured manner that includes thorough testing. The appropriate training materials also need to be updated at this time. DRP updates must be controlled by the IT Director.
Many disasters can disrupt IT processes to the point that business processes are significantly impacted. IT disasters can generally be classified into natural and manmade disasters. Natural disasters typically include hurricanes, tornados, flooding and earthquakes, while manmade disasters primarily include sabotage, espionage, and accidents. The best recovery strategy depends on the most likely threats to an organization’s IT operations and its available resources. The most robust strategy is a fully mirrored recovery site at a physically separate facility, although this isn’t a practical option for many organizations.
A DRP must specify the conditions under which it will be activated. Common triggers for the DRP include the loss of all communications, complete loss of power, and flooding of a building.
- Evacuation Assembly Points: Every disaster recovery plan template should include assembly points in the event that the building must be evacuated. Common evacuation assembly points include the far end of the main parking lot.
- Emergency Response Team: The DRP must list the members of the Emergency Response Team (ERT) that will be activated in the event of a disaster. All members of the organization should also be issued a card containing the ERT’s contact details. The ERT is responsible for responding to potential disasters and calling emergency services. Team members must also assess the disaster to determine its impact on the organization and contact the disaster recovery team (DRT).
Timeframe for Restoration
A disaster recovery plan template should establish the expectations of the DRT, which primarily include timeframes for restoring various types of services. These services typically include emergency services, key services, and normal business services. The DRP should describe the specific services in each category, and it may also list additional staff members with technical skills that are essential for the disaster recovery.
Business Recovery Team
The DRP should specify the members of the Business Recovery Team (BRT), which will primarily consist of senior representatives of the business departments. It will also include other key members of management that are needed for the smooth restoration of business services. The BRT leader should be a senior member of management who will be responsible for ensuring that business operations are restored as quickly as possible.
BRT members must maintain a hard copy of the contact details for all of the employees in their departments. They must also keep copies of the DRP and business continuity plans at their home in the event that the organization’s building is unusable or inaccessible.
The employees in each department should be contacted to discuss immediate plans regarding the recovery. Employees’ emergency contacts may be used in the event that they can’t be reached through their normal contacts. Managers must serve as focal points for their departments during this process. They’ll also need to designate staff members to perform essential duties in the event that an employee can’t be reached.
The ERT must assess the financial impact of the disaster on the company. This assessment will typically focus on the company’s immediate financial needs, including the availability of credit for products and services that will be required for the recovery. Additional requirements that should be immediately assessed include cash flow position, temporary borrowing capability and upcoming payments.
A media team must be created from appropriate staff members to communicate with the media regarding the disaster. Guidelines for post-disaster communications must also be established and approved. The DRP must list the members of the media team and specify the communication guidelines.
The media team will typically be asked questions about how the company was affected by the disaster and what its recovery plans include. Media team members must strive to avoid adverse publicity and seek out opportunities for useful publicity. Only members of the media team should have direct contact with the media. Members of the media who contact other personnel should be referred to the media team.
The DRP should also specify exercises to test disaster recovery procedures. The purpose of DRP exercises is to identify needed improvements by observing how smoothly each phase launches into action. Participants will then develop procedures for implementing these improvements. Participants should also strive to learn from the process by ensuring that they are confident in their capabilities and familiar with their assignments.
These exercises usually simulate a particular type of disaster. They typically involve role-playing by some of the participants, which will require at least one rehearsal. DRP exercises should not be graded, nor should they involve any assessment of blame.
This template provides guidance for developing, testing and documenting the DRP. It also ensures that all planned activities in the DRP adhere to operational policies. In the event of a disaster, this template helps to verify that employees are fully informed of their duties. It’s crucial for businesses to have educated professionals in place who are dedicated to their cyber security career and have the ability to develop and assist with the implementation of an IT disaster recovery plan in the event of a disaster.