Businesses use information technology (IT) to process virtually every aspect of its operations. A common misconception is that as long as there is a data backup plan in place, then the company is prepared to get its operations up and running in the event of a disaster. A solid IT disaster recovery plan has a data backup component to it, but it encompasses much more.
According to U.S. Department of Homeland Security, recovery strategies need to be developed for all IT systems, applications and data. Priorities for IT recovery should be consistent with the priorities for recovery of business functions. A well-developed plan will help identify priorities for what needs to be back up and running first. It will then define the remaining needs of the business recovery process.
As part of the disaster recovery strategy, the backup strategy also needs to be defined. There are two concepts to consider when discussing an effective backup strategy. Recovery time objective (RTO) – how long it takes to restore and recovery point objective (RPO) – how much operating time a company will accept losing. If it takes two days to recover from a tape or USB drive with a large data set but the company can only allow half a day of downtime, then the system is not adequate from a RTO standpoint. Likewise, if a company can only lose four hours of operating time but backups happen nightly, the system is not adequate.
The National Institute of Standards and Technology (NIST) is a good resource for standards and guidelines to help businesses build a solid IT recovery plan. In its Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, recommendations are outlined to help organizations systematically review their plans to identify gaps that need to be addressed. There are three common ways to review a plan:
- Testing the system. An organization can test the system. Tests often focus on recovery and backup operations. An example would be removing power from a system to evaluate how quickly the organization can recover.
- Conducting a tabletop exercise. These are discussion-based exercises where a facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources.
- Conducting a functional exercise. This allow staff to execute their roles and responsibilities as they would in an actual emergency situation, but in a simulated manner. The goal is to exercise the roles and responsibilities of specific team members, procedures and assets involved in one of more aspects of the recovery plan.
Developing a well thought out disaster recovery plan requires input and support from leadership. However, if disaster strikes, the organization will be equipped to respond quickly and remain a viable entity. At BerganKDV, our technology team works with clients at all stages of disaster recovery planning, from writing the initial plan to helping test the plan on a scheduled basis. If you are ready to build/analyze your current disaster preparedness, contact us!
