UPDATED: September 15, 2023
Technology plays an essential role in practically every aspect of the modern-day business process. If your technology is interrupted or data is lost because of an unexpected disturbance, a Disaster Recovery Plan is key to minimizing damage and restoring your environment as quickly as possible. But these things take time, planning, and a clear strategy to implement. Ultimately, if it's done hastily and inefficiently, you might as well not have one. So what do you do to make sure your DRP is up to snuff?
A Disaster Recovery Plan (DRP) is a strategic set of procedures in place for your company in the event of a "disaster" such a ransomware attack, power outages, hurricanes, or data loss. It is a paramount part of your Business Continuity Plan (BCP) which outlines how your company will operate when threats arise. Your DRP will establish procedures for reducing downtime during a disaster by focusing on the most effective way to recover. So, where do you start?
First things first, it's best to do a full scale of your business. Assess your current vulnerabilities so you can appropriately plan for them in the future. Once you've assessed what you need to plan for, you can start working on the plan itself.
1. Identify Critical Business Processes, Dependent Programs, and Vital Applications
What business processes are imperative to your company’s continued business, and how long can you survive without them? This would be things like your computer systems or programs essential to doing anything productive in your business. Consider your downtime during this step. If you need your customer service devices, what's the average time you can allot for a disaster shutting that system down?
From there you should label dependencies between programs. Outline the applications your business processes depend upon the most and diagnose each application’s maximum downtime accordingly.
Finally, in the initial step, make a list of the applications with the most urgent restoration times. Remember that device for customer service? What application are on that device that you would need nearly immediately after a dangerous event?
Once you've outlined the devices, programs, and applications you depend upon and the appropriate downtime, it's time to assess.
2. Assess Your Current Data Recovery Strategy
Understand and consider high availability vs. failover vs. restore vs. backups, and closely investigate your current weaknesses or risks within each of those areas. Without knowing where you stand now, you'll never fully understand where you need to be in the future.
Look for things like the protection strength of your cloud systems, misconfigured storage, inadequate authentication methods (can we hear an MFA plug?), or compliance requirements that are not being met.
From here, you should have gathered enough information to determine your recovery time requirements.
3. Perform a Business Impact Analysis (BIA)
Conducting a BIA allows you to measure the impact of downtime for effected areas of the business, determine availability requirements, estimate the cost of downtime (lost sales, reduced customer confidence, etc.), and identify legal/compliance levels regarding data security. This will keep you informed on how many resources you'll need to prepare for as well.
By understanding the impacts, you might also be a little more considerate to things like Employee Awareness Trainings so certain disasters can be avoided altogether.
4. Define Recovery Point Objectives (RPO), Recovery Time Objectives (RTO), and Maximum Tolerable Downtime (MTD)
You can define RPO by prioritizing your business’s data dependencies to ensure that the last point in time a valid replication or backup was made and data can be restored from aligns with your business needs.
You can then asses time objectives or the amount of time after data corruption or hardware failure has occurred in which full restoration is desired (ASAP is not a qualitative answer, by the way, be specific!).
Finally, you should have an absolute maximum length of time that your most important applications, data or hardware can be unavailable before irreversible damage has been done, or you begin to lose business. Plan accordingly, you don't want to be down for long.
Now, it’s time to test your hypothesis and become aware of your technology gaps or weaknesses. If risks are high, investing in more innovative solutions may be necessary.
5. Assess and Test Your theory
It’s crucial to your Disaster Recovery Plan's success to be aware of the possible risks faced by single points of failure, such as data loss. Create a risk/impact chart to record risks and rank their priority.
Then you test it! Walk through a DRP scenario (or two or three! Try different types, even) and perform a technology gap analysis of your current vs. desired Recovery Point Objectives, Recovery Time Objectives, and Maximum Tolerable Downtime. If you find your plan needs work, don't be afraid to move on to the next crucial (and often needed) step.
5.5 Redesign Accordingly
Is your plan handicapped by old solutions, inadequate data recovery vehicles or poor archiving systems? Maybe it’s time to visit more innovative technology. Prioritize necessary investments to close gaps and address risk areas. Fix your problems to prevent your problems.
6. Implement New Solutions
Outdated solutions are really the first things to go. If you're solely an on-premise organization your DRP is going to look much different from a cloud-based company but if you're noticing that some of your systems need updating regardless of your infrastructure, it's time to implement those new solutions.
Go ahead and create an implementation timeline that outlines your plan to incorporate those new solutions into an effective DRP so you can stay accountable, proactive, and ultimately, prepared for what comes next. Once you have your ducks in a row, you can begin building a strategic response plan and delegate roles and responsibilities to a team.
7. Develop and Align an Emergency Response Procedure
Create step-by-step instructions that define the criteria and procedures for responding, achieving full recovery and restoring normal operations. Back this up in multiple places and it's best to have a hard copy for safe keeping. You don't want to lose your disaster plan because you only had one copy in the cloud which is now in the hands of a cybercriminal. Even if you know it by heart, that hacker now knows your next moves.
Make sure you define severity definitions and assign escalation rules for procedures that may be needed in order to meet your plan's timeline requirements and maximum tolerable downtime (MTO) according to various disaster scenarios.
8. Form a Team
Finally, you have a plan! It's now time to designate roles and train the chosen to respond accordingly. Oversee the success of procedures put in place to ensure your DRP is followed to avoid recovery failure.
Than maybe test again? Just to be sure.
By following these 8 steps, your DRP will prove to be thorough, dynamic and effective. Most companies don’t have in-house resources or staff to develop and execute a Disaster Recovery Plan or a Business Continuity Plan. We can help with that, too. Services from Centre Technologies focus on a cost-effective delivery of support for organizations with IT services that are stretched too thin, or companies not large enough to justify the in-house staff expense. If that sounds like you, contact us today for a free assessment (who doesn't like free?) of your technology infrastructure, and discuss your organization’s options for creating a Disaster Recovery Plan that aligns with your business objectives and goals.