Why Need For Disaster Recovery Policies

Published Date: 02 Nov 2017

Disaster is sometime inevitable and unpredictable and therefore it is vital for any organization to have strategy and plan which set out the procedure for organization to return to normal business operation after disaster strike. Researching on disaster recovery policy requirements and the approaches relating to the disaster recovery plan (DRP), is provided much needed understanding to develop and improve DR plan in both government and private organization in the present global information security context. There is requirement in my current organization to formulate disaster recovery policy and plan. So, researching on subject matter will greatly help me to improve the knowledge and enable me to provide considerable contribution towards developing disaster recovery plan in my organization.

Disaster recovery policy (DR) comprise of senior management’s directives regarding disaster recovery goals, scope within which it should be applied, key responsibilities related to DR plan and also it address general and specific legal compliance and issues. Disaster recovery policy provide systematic approach and framework for safeguarding vital IT systems and data managed by Information Technology and Service Department. Also it provide guidance and commitment of management towards building, implementing and maintaining disaster recovery plan.

Disaster recovery plan (DRP) is basically comprised of two related documents. The one is policy document which set management directive regarding what should do during disaster recovery process, expected recovery goals and standards, responsibility of each identified roles. The second document is the procedure document which provide information related to recovery procedures and specific tasks in order to fulfill disaster recovery policy. Most of the time, the two types of documents are cross-reference and sometime, combines into single document whenever it appropriate.

It can be seen that both "business continuity" and "disaster recovery" terms are interchangeably used, but both are having distinct meaning and differences. Business continuity planning is involved all aspect of business functions rather than information systems in an organization and provide complete guideline and procedure to return to normal business operation in an event of disaster which disrupt all or part of business operation. Whereas disaster recovery is subset of business continuity plan. It mainly focus on information technology services and infrastructure and provide a recovery plan to restore IT systems operations when disaster occur.

Most of the time disaster recovery and business continuity address same basic issue and number of areas focus on get overlapped between two processes. Many organization tend to build disaster recovery plan before going for overall business continuity plan.

Type of disasters

Disaster would cause disruption to one or more business operation of enterprise organization or complete failure in all business function causing damages to total business closure for days or months sometimes fatal damage to the business. The causes of the disaster can origin from various sources and identified as follows:

Power failure

Water damage or flooding

Fire or smoke Damage

Earthquakes, tornado or storm damage

Terrorist attack or explosion

Equipment or hardware failure result from server failure, network equipment and connectivity failure,

System/Application/Software Failure

Network connectivity failure within and outside of the corporate network

Accident and human error causing file loss, database record loss, data corruption or sabotage

Why need for disaster recovery policies?

Today, all most all enterprise organizations are heavily depend on Computer systems and information technology services and these are vital and critical for running the business. Any disruption or failure in the key information technology system would cause interruption to the services offered by organization and thereby revenue and time loss and also frustration among internal and external users who use the systems for their day to day business requirements. If operations of the bank get halted due to the power failure, the bank would have get considerable impact in their revenue and having risk of losing valuable customers and their confidence. Therefore, it is necessary to have disaster recovery policy and plan in the organization, which assess the risk and damages, before disaster is happened and set the contingency plan required. If the contingency plan in place and also well informed among the relevant staff, users are not get panic and frustrated when the disaster happened and saving organization money, time and creditability.

The main objective of the disaster recovery policy and plan is to prepare organization for disaster and recovery, the productivity gaining can be achieved with IT infrastructure and procedure restructuring process identified and implement by the DRP. Storing, managing, backing-up data centrally and having redundant and fail-over technologies would immensely improve employee productivity by minimizing IT service downtime and increased availability.

According to various type of organizations, DR policy and plan to be in place to compliance with rules, regulations and standards with which, these organizations are governed. Even though, law and regulation are not specifically mandate for certain types of organization to have disaster recovery policy and plan, requirement of data integrity and availability bring additional demand to have contingency plan in place.

The Sarbanes Oxley Act of 2002 set recommendation for DR planning, though it is not explicit requirement by this law but mandatory for the organizations to provide certain corporate data available when needed.

Banks and financial institutions, stockbrokers, power utilities, telecommunication utilities, health care providers are having varying degree of commitment to have disaster recovery plan by the law and regulation based on their vitality and impact to general public.

The disaster recovery policy and plan provide below benefits:

Senior management personal are provided relevant guidance and procedures to respond effectively and reduce operational and business effects in an event of disaster.

Enable management to handle crisis situation in an organized and coordinated manner

Minimize magnitude and impact of the disaster to the various organizational units

Provide preventive measures to avert the disaster.

Minimize the time elapse between the failure and the time, when IT system and services are available for use, in technical term, it is called "Recovery Time Objective" (RTO) or "Service Delivery Objective" (SDO). This factor is varying according to criticality of the system, impact of the disaster and type of recovery plan in place.

Minimize the data loss incurred and establish "Recovery Point Objective" (RPO) which is the acceptable level of data loss in the event of disaster agreed by organization policy

Approaches used in commercial and government organisations

The disaster recovery project planning is vary organization to organization and has to tailored according to organization's nature of business and needs, operation, IT infrastructure and IT systems available. But, we can identify common approach and disaster recovery management process workflow in developing the DR plan. The below is the high level process workflow for disaster recovery.

Pre Study

Management Awareness

Planning

Assessments & Audits

Priority

Strategy

Plan

Verification

Management Approval

Implementation

Periodic Reports & Audits

Pre-study:

At pre-study phase of disaster recovery development process, the following key tasks can be identified to follow:

The most important step is to identify top ten possible disasters that would affect the organization and analyze their impact. The possibility of each disaster scenarios are depend on type of IT infrastructure and technologies used, geographical location and political stability

Initial risk assessment has to be carried out to determine current information systems vulnerabilities and threats which lead to understand required disaster recovery plan.

Initial business impact analysis should be performed to understand the interdependencies among organization business processes and determine how information systems outage would affect the business

The inventory of information systems assets has to be taken to include hardware, software and data

Identify whether any single point of failure situation could be happened within information systems infrastructure,

Identify business critical IT applications, systems and data

Management Awareness

Senior management involvement in the disaster recovery planning process is vital and should be aware of the risk and potential impact of the disaster for the organization. Information gathered during the pre-study phase of the disaster recovery is very helpful for management to understand possible financial, physical and business costs and time associated with disaster. Base on this understanding, strategy can be build and ensure to implement across the organization.

Management sign-off and funding for the DR plan

The senior management should be agreed on disaster recovery project and should provide the backing of financial and human resources for the project. The disaster recovery project is kickoff by announcing the project initiation with the management approval and establishing the steering committee, which is headed by senior management person. This steering committee or else DR planning group should comprise of key people from each organizational units and responsible for all disaster recovery planning and activities. Regular reports and updates has to be provided to senior management by the DR planning group.

Disaster recovery planning process

It is important to identify organization's mission-critical IT applications and also systems, processes and services which should be available and restored in first place after disaster. Less important applications and systems are also take into account when developing DR plan.

Risk Assessments and Audits

In order to form the disaster recovery plan, thorough study should be done to understand organization process, technology, systems and services including security access control applied in datacenters, servers and systems and also installed security devices and backup practices. The committee should prepare risk analysis and business impact analysis that should at least include top ten disaster scenarios. The risk analysis has to be done for the possible scenario where complete damage and destruction are caused by disaster. When doing risk analysis, geographical situations, current IT infrastructure design, lead-times of services and existing service contracts also should be considered. It is important to include financial impact cost of replacing damaged equipment, procurement of additional resources and setting up extra service contracts. It is very important to perform IT assessment, IT practice and procedure audit, and single point of failure analysis in this risk assessment and audit phase.

Establish Priorities

DR steering committee should identify and set priorities for applications, systems and services base on business impact analysis IT assessment done in previous phase. Business requirements and supported IT systems are categorized as critical, essential, necessary and optional as follows:

Critical systems

These systems should be available in the organization for any business operation to continue at all. These are mission critical systems and have significant financial impact on viability of the organization. Extended none availability of the system would cause unrespectable damage to the organization and facing possibility of legal ramifications.

Essential systems

These are the systems should be available to support day-to-day business operations and generally integrated with critical systems. In the recovery strategy, essential systems must be included in high priority list.

Necessary Systems

These systems contribute to improve organizational process and provide productivity improvement for the employees. Business forecasting tools, reporting tools and other improvement tools utilized by the organization are included in this category. Minimal business and financial impact can be seen in the event of none availability of these.

Optional Systems

These systems may not essentially enhance the productivity of the business. Under this category, test systems, archived and historical data intranet and non-essential complimentary systems are listed.

The system classification and prioritizing offer the baseline for disaster recovery decision making matrix. The key factor is that IT recovery team and business management should agree on disaster recovery planning scope and the classifications of the systems based on priority. This classification helps the reduction in number of systems need to be supported in disaster recovery plan as well as increase backup and recovery efficiency. Also it minimize financial budget for disaster recovery.

Develop recovery strategy and plan

Recovery strategy should be develop to cover the practicalities of dealing with the disaster. Strategy should be applicable to several disaster scenarios, but the plan must be dealing with each scenario to identify required actions specific to different disaster types. Disaster recovery strategy should include the accepted downtime of the IT systems, action plans and escalation procedures. Also it determine thresholds for minimum level at which business can be functioned, the IT systems that should have full functionality and the systems that can be minimized.

If any particular application cannot tolerate any downtime, fail-over hot site has to be in place to handle all data processing requirements and run in parallel with data synchronized between two datacenters.

Standardized hardware used in organization IT infrastructure minimize time and effort to replicate and reimage new hardware at the time of disaster. Also it is vital to ensure safe storing and secure accessibility for copies of program software, license keys, and hardware and application support vendor contacts numbers at the time of disaster.

Data backup and recovery

IT disaster recovery plan should ensure to organization’s critical information is properly backup. Thorough inventory on IT systems, data and equipment help to identify and prioritize the required backup and recovery. Large amount of business data and data files are changing in the organizational operation throughout the workday. There is risk of data loss, compromise or stolen due to hardware failure, human error, hacking and malware. This data loss and corruption could result in significant business disruption. Therefore proper data backup and recovery plan should be integral part of organizational contingency plan.

It is also important to decide and implement proper hardware and software backup procedures, scheduling and periodic validation of backup data in order to ensure required data are accurately backup.

Options for data backup

DR planning team should consider how cost effectively use different types of backup media such as tapes, cartridge, and high capacity USB drives with integrated backup software. Security of the backup media and secure off-site storage should be addressed in the plan. The arrangement must be made to store backup media as same level of security as the original business data.

Today, many vendors offer online data backup solutions providing storage in the "cloud". If organization are having adequate internet bandwidth, cloud backup service is cost-effective and hassle free solution.

It is important to have data backed up as frequently as necessary to ensure that backup procedures and scheduling meet standards and threshold set in backup policy such as "Recovery Point Objective" (RPO) and "Recovery Time objective" (RTO).

Vendor supported recovery strategies

DR planning team should consider whether vendor provided "hot site", "warm site" or "cold site" solutions are appropriate and cost effective solution for the organization to implement based on business criticality and requirement. Service level agreements can be made with vendor to provide required vendor hosted site solution at the time of disaster or ready for the use. There are several type of vendor solutions such as data streams, data security services and hosted applications, also should take into account at this phase. These vendors also offer solution for data filtering (Spam gateway solution), malware and intrusion detection which enhance organization information security further.