Disasters & Information Technology

As information technology systems, networks, and organizations become complex, disaster recovery becomes more essential to the continuity of companies worldwide. The more complex an organization is, the more financial loss it can incur in the event of a disaster. Although some companies can spend up to 25% of its information technology budget on disaster recovery, it is a worthwhile cost to minimize the downtime and reduce potential losses.

Disaster Recovery Plans

“A practical disaster recovery plan is one that is proactive, well planned, and most importantly, in place and well tested before a disaster strikes” (Robbins Gioia LLC, Preparing for the Worst: A Best-Practices Guide to Disaster Recovery, p. 1).

Organizations should develop written, comprehensive disaster recovery plans that assess all the critical operations and functions of the business. In addition, they should include documented and tested procedures, which, if followed, will ensure the ongoing availability of critical resources and continuity of operations. Even though the probability of a disaster occurring in an organization is highly uncertain, a disaster plan provides a certain level of comfort assuring that if a major catastrophe occurs, financial liability will be limited.

A disaster recovery plan (DRP), is sometimes referred to as a business continuity plan (BCP) or business process contingency plan (BPCP). The plan should outline in detail how a company or organization is to deal with potential disasters, whether naturally occurring or man made. The plan provides ways for a company to prepare for a disaster in order to minimize its effects. It also outlines post disaster actions to ensure the organization can resume operations as soon as possible.

A disaster recovery plan should take into consideration of customers, facilities and knowledge workers, business information, computer equipment, and communications infrastructure. The following addresses the above factors in greater detail.

Customers: Include both end consumers and B2B suppliers and customers. These stakeholders will be reassured if they are involved in the disaster planning process in order for them to plan accordingly.

Facilities: Companies can have more than one “site” for the company. In case of a physical disaster, the company can be quickly relocated to another site that is also attached to its server so business processes can be quickly resumed.

Types of Facilities:

Hot: Almost a duplicate of the original facility, fully equipped and ready for use immediately after the disaster.

Warm: Contain most of the features of the mother facility, but without the most relevant technology available.

Cold: A mock site for the company to momentarily stabilize itself after a disaster. It is without computer equipment installed.

Knowledge workers: Train workers and provide them with the information and personal care so they have the necessary knowledge to function during and post disaster.

Business Information: All business information should be backed up regularly. Some companies perform this daily; some even do it on an hourly basis. This ensures the most up-to-date information is available as soon as the disaster passes.

Computer Equipment: Large companies have a myriad of different software and operating platforms. Organizational costs for this level of complexity is quite high, however the benefits of being prepared for disaster will greatly outweigh the costs.

Telecommunication infrastructure: This relates to how a company communicates with its external and internal partners. It is important to have a backup telecommunications carrier and portable handheld devices, i.e. blackberries. (The above section is adapted from: Cummings, Donavan, Haag, McCubbrey, Pinsonneault, Management Information Systems: For the Information Age, McGraw-Hill Ryerson. Toronto: 2004)

Steps in Developing Disaster Recovery Plans

1. Obtain support from management & establish a planning committee

Top management must support and be involved in the development of the disaster recovery planning process. They should be taking the lead for coordinating the recovery plan and updating it as conditions change. A planning committee should be established to oversee the plan development and appoint employees from various departments to carry out the plan.

2. Gather requisite documents and information

Having access to the necessary information is a pre-requisite to a workable plan. The expedite the exercise, ensure that these are readily available to the planning team 1.

3. Perform a risk assessment

The company must establish a guideline of what constitutes a harmful loss of data. This is accomplished considering the impact of losing data. For example, in the event of a system mal-function, a company that is client based will suffer substantial loss as client information is an essential part of its daily business activities.

A risk analysis can be completed by the planning committee by assessing possible disasters, such as natural, technical and human disasters. “Each functional area of the organization should be analyzed to determine the potential consequence and impact associated with several disaster scenarios. The risk assessment process should also evaluate the safety of critical documents and vital records” (Wold, G., Disaster Recovery Planning Process).

4. Establish priorities

Next the company should consider the loss of ACCESS to the database itself. What will be consequences of your end users not being able to access information for a period time after a disaster? For example, loss of data in an airline will result in mass confusion regarding the arrival and departure of individuals on board planes. Answering such questions will assist firms in determining priorities in the operations and what the disaster recovery plan should focus on.

Areas of consideration can include and not limited to:

• Key operation functions

• Personnel

• Information processing

• Service

• Documentation and record keeping

• Policies and procedures

5. Determine Recovery Strategies

After the organization has concluded what is a harmful loss and the consequences of the inability of accessing certain information, it can then begin to develop a backup strategy.

Alternatives recovery strategies may include a combination of the following:

• Hot, warm, and/or cold sites

• Reciprocal agreements

• data and service centres

• Multiple computers

• Consortium arrangement

• Vendor supplied equipment

(Chapple, M., SQL Server Disaster Recovery)

6. Perform Data Collection

The recommended data gathering materials and documentation that all organizations should consider include:

• Backup position listing

• Communications Inventory

• Distribution register

• Documentation inventory

• software, equipment and hardware inventory

• Forms inventory

• Insurance Policy inventory

• Master call list

• Master vendor list

• Notification checklist

• General supplies inventory

• Off-site storage location inventory

• Telephone inventory

7. Organize and document a written plan

At this stage, a detailed outline of the contents should be prepared for the review and approval of top management. The benefits of this doing so are that it:

• Helps to organize the detailed procedures

• Identifies all major steps before the writing begins

• Identifies redundant procedures that only need to be written once

• Provides a road map for developing the procedures

• Ensure consistency in writing styles

The written plan should be composed of the following:

• Immediate response after a destructive event

• Evacuation of facility and notification to emergency services

• Notification sequence for team leaders and backups

• Establishing a temporary Business Recovery Command Center

• Preliminary and detailed damage assessment

• Recall of vital records from off site storage

• Handling legal, financial and insurance issues

• Dealing with the news media to mitigate misinformation

• Locating interim facilities to restart your business

• Recovery of PC’s, LAN’s and Mid-range systems

• Establishing voice and data communication

• Addressing human resource and accounts payable/receivable issues

• Replacement of equipment, furniture and supplies

• Notification to clients, customers, suppliers and stock holders

• Restarting your business

• Reconstruction of the damaged or destroyed facility

8. Testing the Plan

An initial test of the plan should be performed by conducting a structured walk-through. Any glitches can then be resolved and further improvements can be made as appropriate.

9. Approve the plan

At the last stage, management should approve the plan and agree to implement in the organizations and accommodate for future improvements to the plan as changes occur.

(Adapted from: Steps in Recovery Process, at http://www.drj.com/new2dr/w2_002.htm)

References:

Chapple, M., SQL Server Disaster Recovery, http://databases.about.com/od/sqlserver/a/disaster.htm, Retrieved on March 19, 2005.

Cummings, Donavan, Haag, McCubbrey, Pinsonneault, Management Information Systems: For the Information Age, McGraw-Hill Ryerson, 2004 http://www.gcn.com/Resource/disaster.pdf, Retrieved on March 19, 2005.

Disaster recovery plan reference list: http://www.disaster-recovery-guide.com/doclist.htm

Robbins Gioia LLC, Preparing for the Worst: A Best-Practices Guide to Disaster Recovery, Sterling Network Services, http://www.sterlingnetwork.com/

Wold, G., Disaster Recovery Planning Process, http://www.drj.com/new2dr/w2_002.htm, Retrieved on March 19, 2005.

External links

Detailed plan: http://searchcio.techtarget.com/general/0,295582,sid19_gci1049698,00.html

Disaster planning website: http://www.brproactive.com/

Disaster recovery guide: http://www.disaster-recovery-guide.com

Background Information: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci752089,00.html