Organizations today are exposed to a wide variety of threats that can seriously compromise their ability to continue functioning effectively. These threats include computer viruses, hostile hackers, human error, and even Mother Nature. As technology steadily becomes a foundation in the workplace, there's an increasing dependence on the IT professional. It's your job to provide your company with a sense of security when disaster strikes. Most IT professionals are already taking the first step by backing up their data on a regular basis. However, the development of a disaster recovery plan is a distinct and thorough process that will involve your entire organization. In this article, we'll walk you through the process and help you to ensure the continued operations of your business when disaster strikes.
Items to consider Implementing a successful disaster recovery plan requires taking into consideration what needs to happen before, during, and after a disaster. However, the first step is to determine what preventive measures your organization can take now to minimize the potential risks. The next phase of the process would be to assess which departmental tasks have the greatest effect on the continuity of your business. Each department should then be responsible for determining what resources are critical to the completion of those tasks.
The last item that needs to be evaluated is the maximum amount of downtime your company can experience before the situation becomes unrecoverable. For some mission-critical organizations, being down for even one hour would mean the loss of millions of dollars. At this point, it becomes essential to involve top management in order to appraise what budget will be available to carry out the plan in the event of a disaster.
Preventive tools As an organization, you must analyze what the potential risks are. The best advice we can give you is to always plan for the worst. The loss of your main facilities and everything within is the worst you can prepare for. The key to preparing for disaster is to take any necessary steps to prevent it from happening in the first place. Critical data protection The data that exists on your server and workstations is the foundation of your business. It's critical to your continued operations that you can ensure the retention and security of that data. To do this, you must back up your server and workstations on a regular basis. Most available backup programs will automate this process so that the only intervention required by you is the changing of the tapes. We recommend having at least a week's rotation of tapes so that you can always restore from a week back in time.
Once you can guarantee that your data is being backed up regularly, the only way to really know if your backup is working is to test it. We suggest creating a simple text file on each server volume that you can restore at least twice a week. With most backup programs, this is a simple process that will only take a few minutes out of your morning. Better to spend a few minutes now than the countless hours it would take to recreate lost data.
Now that you're backing up on a regular basis and testing your backups, you need to keep those backups safe from harm. There are several options for storing your backup tapes and any other critical media that you want to protect. Your options will depend upon the level of security you want to maintain and your budget. The important thing is that all of your mission-critical data isn't stored on the premises unprotected.
The most inexpensive way to protect your backup media from destruction is to take the prior night's backup home with you. The backup may not be secured, but if your main facilities are destroyed overnight, you'll still have your data. If your organization is more security-conscious, you can utilize off-site storage options such as a bank safe deposit box.
A more expensive alternative is to purchase a media cooler that you could keep on- or off-site. Most media coolers are designed to keep the internal temperature under 125F and 80 percent humidity after being exposed to a fire for more than an hour. You want to locate one that will provide at least two hours of protection. Coolers can range in price from $300 to $5,000 depending upon the storage capacity and the level of protection offered. When considering the alternatives, however, this cost is extremely minimal.
For the more mission-critical organization that would need almost instant access to backup data, there's also the option to use a business continuity provider. Many times these providers will offer a remote disk mirroring service that enables you to store your data remotely and in real time at one of their sites. However, it's important to ensure that the provider uses extreme security measures to protect your online data from hackers.
Anti-virus measures As the Internet becomes more commonplace in organizations, the constant threat of computer viruses increases. A virus could wreak havoc on your computer systems. If you're not currently using anti-virus software to protect your organization from virus infections, it's time you invested some money. New viruses are introduced at an alarming rate. Therefore, the important thing to consider when researching which software to purchase is the availability and frequency of virus signature file updates. The software vendor should provide updates on a monthly basis at a minimum. Otherwise, you can consider your organization wide open to attack.
For your convenience, you'll want to choose a program that will automate the distribution of signature files to every workstation. Unfortunately, all it takes is one infected workstation to cause your entire organization a lot of headaches.
Anti-virus protection can also become a procedural issue. Many organizations develop policies that become standard operating procedure if you want access to the network or to a PC. We recommend making it a part of your employee manual that any floppy disks, downloaded files, or programs must be scanned before being put on the network or client machines. It's also not a bad idea to monitor employee Internet access and develop policies on Internet usage.
Halting information hackers Whether your organization is connected to the Internet or a wide-area network, you're exposed to a wealth of intruders. The most valuable tool for restricting unauthorized access to your network is an Internet firewall. A firewall will control the flow of information between the Internet and your network. An effective firewall should be able to deny all incoming services except those specifically permitted. You'll have to develop a security policy to determine what services will be allowed to pass through the firewall. When purchasing a firewall, it's important to consider the level of potential threat to your network and the loss that would occur if an intruder hacks in. If you're using the Internet strictly for E-mail purposes, then your need for firewall security isn't as great.
Firewalls will help to protect against outside intruders, but, unfortunately, many of the losses that occur are from inside attacks. Even the most advanced technology will not protect your critical information from users who abuse their privileges. When setting up network rights, take into careful consideration what data you want your users to have access to. It's also important to include a stipulation in your computer policy manual that employees must not reveal information that would compromise the security of the organization. This can include revealing their passwords to discussing your network architecture with outsiders.
Natural disasters Advancements in technology make it easier to avert outside attacks on your computer system. Unfortunately, it's virtually impossible to prevent the threat of a natural disaster. However, it's possible to prepare for them so that the losses your company faces are minimal. Steps to recovery The probability of a natural disaster or a facility-specific emergency destroying your building is unlikely, but it's always best to be prepared for the worst. When trying to minimize the effects a disaster would have on the continuity of your business, it's most important that your plan encompasses all critical functions. Critical functions Before beginning to develop your disaster recovery plan, you should have carefully considered all your organization's critical functions. Each of these critical functions should fall under a department within your company. Utilize these departments to form a refined team approach toward recovery. Each team should be responsible for ensuring that its critical area is operational again within the maximum amount of downtime. The information systems department should be divided into several critical areas. These are hardware, software, and data recovery. The hardware team would be responsible for completing an inventory of all equipment that's necessary for each department to complete its critical tasks. This would include locating vendors to supply alternative equipment if the current hardware is unavailable.
Similar to the hardware team, the team in charge of software would take an inventory of the software used by each department and assess which applications are vital to the organization's continuity. This group would need to confirm that all critical applications would be rapidly available when the computer systems are down.
The data recovery team plays the most important role in the whole disaster recovery process. This group needs to ensure that proper data backup techniques are being followed and that the backups are being adequately protected. When the computer systems go down, the data recovery team will need to react with complete urgency to access the backup data and get the information back online with minimal downtime.
Some additional recovery teams would include logistics, client relations, human resources, and telecommunications. Each of these teams would also be responsible for providing alternative resources and organized information at the time of disaster. The logistics team would play a significant role in the recovery process by locating an alternate site for use when the main facilities have been destroyed.
When developing relationships with vendors who will be providing alternative services, be sure to construct solid and detailed contracts. If using a disaster recovery provider, confirm that they have provisions for multiple-client disasters. Also check to make sure that the provider's idea of a disaster encompasses many different scenarios.
Documentation A crucial part of your disaster recovery plan is ensuring the retention of all mission-critical information. All of your documentation may not exist online with your computer systems, so it's important to determine its location and the availability of backup copies. We recommend storing backups of all documentation necessary for the continued operations of your business off-site at an easily accessible storage facility. When deciding what information should be retained off-site, consider the critical functions and needs of your organization. When your facilities are damaged to the point that your business can no longer function, you'll need to inform all parties involved in the recovery process. You should have an employee list with phone numbers so that you may contact all employees and inform them of any alternative site information. It's crucial to have immediate access to a list of vendors who supply your organization with the necessary resources needed to restore your business. This list should include those vendors you're using to provide alternative resources as well as your disaster recovery provider.
For insurance purposes, you'll need an inventory of all equipment used by your organization. Remember to include make, model, and serial number for all inventoried items. This documentation will also help you with the alternative resources phase of the recovery plan. You may store your inventory off-site with the rest of the documentation, but you should also give a copy to your insurance provider.
As a member of the MIS department, you'll want to have the entire network architecture thoroughly documented to ensure the quickest recovery of your computer systems. To learn more about developing useful network documentation, see the article "How and Why You Should Document Your LAN" in the December 1997 issue. Most importantly, after spending many hours and dollars developing your recovery plan, it's vital to have a copy of it readily available when you need to put it into action.
Notes Part of the recovery process would also include having proper insurance coverage. Once you've completed the development of your plan and have identified your critical areas, check with your insurance provider to ensure that all of those areas are adequately covered. Proving to your insurance provider that you have an effective and tested disaster recovery plan in place could lower your insurance rates so that you can afford to increase your coverage. Discuss your coverage in detail with your provider to make sure that you'll be able to afford all expenses until your business is fully restored. It's not enough to simply have a plan in place; it must be audited on a regular basis in order to locate any holes or changes in procedure. For example, you may have had some staff changes that could drastically impact the completion of a critical phase of the plan. You don't want to wait until disaster strikes to realize that your plan doesn't provide adequate information.
Conclusion Planning for disaster isn't an easy process, but the rewards will be evident if you ever need to put the plan into action. The future of your organization depends upon your preparedness and the availability of critical resources during times of disaster. Business continuity informational Web sites More information on disaster recovery planning:
www.safetynet.co.uk/folder1/yb.htm
www.fema.gov/pte
Anti-virus software buyers information:
www.geocities.com/SiliconValley/1710
www.icsa.net/services/consortia/anti-virus/lab.html
Firewall buyers guide:
http://www.icsa.net/library/research/educational_material.shtml
|
The steps to disaster recovery planning
1. Risk analysis--What are the potential threats? 2. Evaluate your current preventive tools and the need to invest. 3. Determine critical organizational functions. 4. Assess alternative options for all of your critical needs. 5. Protect your mission-critical information. 6. Develop a thoroughly written plan. 7. Routinely test your plan to accommodate organizational changes. |