Developing a Disaster Recovery Plan

Information Gathering

  • Determine which senior executive(s) will have overall responsibility for disaster recovery.
  • Have this executive appoint a disaster recovery coordinator.
  • Appoint a disaster recovery team leader for each operational unit, such as the server backup or the telephone system.
  • Convene the disaster recovery planning team and sub-teams as appropriate. Working with senior executives responsible for disaster recovery, the disaster recovery coordinator should identify the following:
    • Scope — the areas to be covered by the disaster recovery plan
    • Objectives — what is worked toward and the course of action that the disaster recovery team intends to follow
    • Assumptions — what is being taken for granted or accepted as true without proof
  • Set a project timetable and draft project plan, including assignment of task responsibilities.
  • Obtain senior management’s approval for scope, objectives, assumptions and project plan.

Conduct the Business Impact Analysis

  • Identify which business departments, functions or systems are most vulnerable to potential threats, what the potential types of threat are, and what effect each identified potential threat would have on each of the vulnerable areas within the organization.
    • Identify functions, processes and systems.
    • Interview information systems support personnel.
    • Interview business unit personnel.
    • Analyze results to determine critical systems, applications and business processes.
    • Prepare impact analysis of interruption to critical systems.

Conduct Risk Assessment

  • Work with the organization’s technical and security personnel to determine the probability of each functional business unit’s critical systems becoming severely disrupted. Document the amount of acceptable risk the business unit can tolerate. For each critical system, the following information needs to be provided:
    • Review physical security (e.g., secure office, off-hours building access).
    • Review backup systems and data security.
    • Review policies on personnel termination and transfer.
    • Identify systems supporting mission-critical functions.
    • Identify vulnerabilities, such as physical attacks, or acts of God, such as floods.
    • Assess probability of system failure or disruption.
    • Prepare risk and security analysis.

Develop Strategic Outline for Recovery

  • Assemble groups as appropriate for the following:
    • hardware and operating systems
    • communications
    • applications
    • facilities
    • other critical functions and business processes as identified in the Business Impact Analysis step
  • For each of the above systems/processes quantify the following processing requirements:
    • light, normal, and heavy processing days
    • transaction volumes
    • dollar volume, if any
    • estimated process time
    • allowable delays (days, hours, minutes, etc.)
  • Detail all the steps in workflow for each critical business function. (For example, for payroll processing, include all of the steps and the order in which the steps must be completed.)
  • Identify systems and applications:
    • component name and technical identification, if any
    • type (online, batch process, script)
    • frequency
    • run time
    • allowable delay (days, hours, minutes, etc.)
  • Identify all vital records:
    • name and description
    • type (backup, original, master, history)
    • storage location
    • source of item or record
    • ease of replacement by another source
    • backup and backup generation frequency
    • number of backup generations available onsite and offsite
    • location of backups
    • media key, retention period, rotation cycle
    • person authorized for backup retrieval
  • Identify the minimum requirements for, or replacements of, the critical function if a severe disruption occurred:
    • type (server hardware, software, research materials, etc.)
    • item name and description
    • quantity required
    • location of inventory, alternative, or offsite storage
    • vendor/supplier
  • Identify whether alternative methods of processing exist or could be developed, and quantify processing (include manual processes).
  • Identify person(s) who support the system or the application.
  • Identify both the primary and secondary persons to contact if the system or application cannot function normally.
  • Identify all vendors associated with the system or application.
  • Document business unit strategy during recovery (conceptually how the unit will function).
  • Quantify resources required for recovery by time frame.
  • Develop and document recovery strategy, including priorities for recovering system/function components, and recovery schedule.

Review Onsite and Offsite Backup and Recovery Procedures

  • Review current records (operating systems, code).
  • Review current offsite storage facility or arrange for facility.
  • Review backup and offsite backup storage policies or create them.
  • Present to functional business unit leader for approval.

Select Alternate Facility

  • Determine resource requirements.
  • Assess platform uniqueness of unit systems (Macintosh, IBM, Oracle, etc.).
  • Identify alternative facilities.
  • Review cost/benefit.
  • Evaluate and make recommendation.
  • Present to business unit leader for approval.
  • Make selection.

PLAN DEVELOPMENT AND TESTING

Develop Recovery Plan

  • Determine objective — This may have been documented in the information gathering phase. Establish information for each business unit.
  • Plan assumptions.
  • Develop criteria for invoking the plan:
    • Document emergency response procedures to follow during and after an emergency declared for that business unit; after the emergency, check the building before allowing individuals to enter.
    • Document procedures for assessment and declaring a state of emergency.
    • Document notification procedures for alerting all senior management executives, disaster recovery team members, and business unit executives.
    • Document notification procedures for alerting the business unit’s personnel of the alternate location.
  • Define role responsibilities and authority:
    • Identify disaster recovery team and business unit personnel.
    • Determine recovery team description and charge.
    • Determine recovery team staffing.
    • Create transportation schedules for media and teams.
  • Create procedures for operating in contingency mode:
    • Create process descriptions.
    • Determine minimum processing requirements.
    • Determine categories for vital records.
    • Identify location of vital records.
    • Identify forms requirements.
    • Document critical forms.
    • Establish equipment descriptions.
    • Document equipment — at the recovery site and in the business unit.
    • Create software descriptions.
    • Determine software used in recovery and in production.
    • Produce logical drawings of communication and data networks in the business unit.
    • Produce logical drawings of communication and data networks during recovery.
    • Produce a list of all vendors.
    • Review vendor restrictions.
    • Determine miscellaneous inventory.
    • Determine communications needs — production and in the recovery site.
  • Document resource plan for operating in contingency mode.
  • Develop criteria for returning to normal operating mode.
  • Develop procedures for returning to normal operating mode.
  • Perform testing and training:
    • Document testing data.
    • Complete disaster/disruption scenarios.
    • Develop action plans for each scenario.
  • Implement plan maintenance:
    • Document maintenance review schedule (yearly, quarterly, etc.).
    • Develop maintenance review action plans.
    • Create maintenance review for recovery teams.
    • Perform maintenance review of team activities.
    • Perform maintenance review/revise tasks.
    • Perform maintenance review/revise documentation.
  • Include appendices:
    • inventory and report forms
    • maintenance forms
    • hardware lists and serial numbers
    • software lists and license numbers
    • contact list for vendors
    • contact list for all staff with home, work, cell phone, and pager numbers
    • network schematic diagrams
    • equipment room floor grid diagrams
    • contract and maintenance agreements
    • special operating instructions for sensitive equipment
    • cellular telephone inventory and agreement

Test the Plan

  • Develop test strategy.
  • Develop test plans.
  • Conduct tests.
  • Modify the plan as necessary.

Maintain the Plan

  • Review changes in the environment, technology and procedures.
  • Develop maintenance triggers and procedures.
  • Submit changes for system development procedures.
  • Modify unit change management procedures.
  • Produce plan updates and distribute.
  • Establish periodic review and update procedures.