Checklist for Disaster Recovery
February 22, 2010When reviewing disaster recovery plans, the first step is to determine the financial impact of data downtime. How long can your business remain afloat without your critical data? This information will affect your decisions concerning the sophistication and capabilities of your disaster recovery solution. Governmental regulations should also be considered at this stage. Some organizations, such as financial institutions, face strong regulation by the federal government and these regulations will need to be considered when putting together a disaster recovery plan.
After giving due consideration to your business objectives, the next step is to identify the segment of your data that is truly mission-critical. This information will include both data and applications that must be accessible for your organization to resume business. This information will vary from industry to industry and business to business. The important point is to ensure that you have all of the information your organization needs to resume business. For example, depending on the timing of your data disaster, you may need to access your payroll information within days, perhaps hours, of your initial data loss. Those organizations that fail to protect this data may risk alienating their employees at a time when their skills are most needed.
After identifying the possible impact of a data loss disaster and discerning the segment of your data that is mission-critical, the next step is to review your current disaster recovery plan. Like any reaction-driven plan, your data recovery plan should be reviewed periodically. Is your plan still up to date with your technology? Often, data recovery plans are left unaltered as the rest of the IT infrastructure swells to meet the demands of a growing business. It is important to remember to review your plan whenever you augment your network or storage capabilities.
Once you have looked at the first three steps in the checklist, you should decide if your internal IT staff is capable of updating your disaster recovery capabilities, or if the project should be handed off to an expert in the field of disaster recovery and business continuity. If you decide to outsource your disaster recovery solution, you should look for a company that is well versed in storage networking, because they will have a keen appreciation for the need for interoperability between various brands of servers, storage arrays, and networking equipment. Look for a vendor that is willing to recommend third party solution partners to ensure that your disaster recovery solution is made up of best-of-breed technologies.
Developing a Disaster Recovery Plan
There are several data recovery tools available that can be used to form a comprehensive, yet cost-sensitive disaster recovery plan. When deciding which technologies to use, it is helpful to use the concept of a data pyramid. In a data pyramid, your most important, business critical data forms the tip. This is data that must be protected at all costs, and some organizations will use a dedicated interconnected hot site strategy to maintain full availability. The next step down on the data pyramid is remote disc mirroring, followed by disc mirroring, shared disc backup, disc consolidation backup, and tape backup.
One of the keys to developing a disaster recovery plan is recognizing what data you can and cannot reasonably afford to be without-and for how long. Once this determination is made, experts from the disaster recovery field can assist in the design of a data recovery infrastructure for your organization. The figure suggests specific technologies that can be used to protect data of varying criticality.
Disaster recovery and contingency procedures are important elements of a comprehensive operational plan for computing systems. Suppliers of computing resources normally have some type of plan designed to facilitate recovery from a disaster.
Often overlooked, however, is the impact of downtime on the end-users of computing services. End-users should have their own disaster recovery/contingency procedures in place to ensure critical operations will continue in the event access to computing resources is unavailable.
The following list presents the major elements to be included in a disaster recovery/contingency plan.
Checklist for Developing a Comprehensive
Disaster Recovery / Contingency Plan
A comprehensive disaster recovery/contingency plan should include:
Objectives of the plan.
Documentation in the plan regarding its development, review, and approval by management.
A list of all authorized personnel to whom the plan will be distributed. One copy of the plan should be kept in a secure, off-site location.
A list of key personnel and their functions in the disaster recovery/contingency plan.
Relevant threats to the system, their impacts, and their likelihoods for each hardware platform (mainframe, local area network, freestanding PCs, etc.).
The length of time the department could operate without access to computing services (i.e. the maximum acceptable downtime before management must implement contingency procedures).
A list of “critical” functions, applications, hardware, and information required for operations, including an explanation of why each item is critical. This section may include a functional flowchart depicting key processes, and a “topographical” flowchart showing configuration of hardware and equipment in the department.
A list of manual/alternative procedures necessary to continue critical operations in the event of a disaster.
Security/control requirements for operations when alternate processing methods and/or facilities are used. These are particularly important to identify before a disaster.
A sequence of steps for restoring and recovering data once computing services are back on/line. The information captured by the user department must be the same as that needed to restore files once computing services are available again.
A designated off-site are in which operations could be continued in the event current facilities are inaccessible. This should take into account hardware, telecommunications, and environmental requirements necessary to support the critical workload.
Backup policies, including the location of all backup tapes/disks. Backup copies should be kept in a secure, off-site location.
Documentation in the plan regarding testing procedures. The plan should be tested and evaluated periodically and updates to the plan should be made to reflect significant test results.
Procedures to update the plan when there are changes in key personnel, hardware, critical operations, etc.
Business continuity plan (“BCP”) in case of a major disaster. How will you get back up and running if your office becomes uninhabitable… your files disappear… your staff can’t get to work… your phone lines are down…? The BCP addresses events that could cause a significant business disruption and how the business will regain functionality within the shortest possible time span.
What the SEC looks for (RIAs)Based on deficiencies found in audit letters, the SEC has outlined topic areas they are looking for in BCPs. There is a pending SEC rule (“Compliance Programs”) that would require RIAs to have BCPs, but this is just a small line item of a more comprehensive rule. The pending rule does not give any further insight or guidance as to the contents of a BCP.
What the NASD looks for (BDs) The NASD has a pending rule out for comment. The pending rule provides guidance as to topic areas that should be covered in the BCP.1. Data back-up and recovery;2. All mission critical systems;3. Financial and operational assessments;4. Alternate communications between customers and the BD;5. Alternate communications between the BD and its employees;6. Business constituent, bank, and counter-party impact;7. Regulatory reporting; and8. Communications with regulators. Each BD must update its BCP in the event of any material change to its operations, structure, business, or location.Each BD must also conduct an annual review of its BCP to determine whether any modifications are necessary.