Things to Consider When Developing Your

Disaster Recovery Plan

Written by
Peter Shand
Chief Technology Officer, Americas

Disaster Recovery for information technology assets is uppermost in the minds of many business and technology decision makers. Whether it is global concern about the possible impact of cybersecurity threats, inevitable breaches, or more location specific concerns related to natural or man-made disasters, the vulnerability is real. The details of how to build and execute a complete disaster recovery plan requires resources and time beyond the scope of this article, however, it is important to review the critical phases and how they interrelate. Each phase can be approached by breaking the process down into a set of questions that leadership needs to address, and a set of requirements that need to be defined.

Disaster Recovery as a Strategy relates to the strategic planning phase of the process where you define what you plan to do when responding to an incident. It assigns levels of criticality to business processes and associates the technology that supports each of these processes. This is not a point in time occurrence but requires continuous review at the leadership level as the business evolves.

This phase seeks to address the following questions:

• What constitutes a disaster for this business?
• What areas of the business are affected by a disaster?
• If a certain type of disaster is inevitable, how can we minimize the damage and continue to operate?
• What is the availability of resources?
• How should this be budgeted?
• What are the costs vs. benefits?
• Is this part of the IT budget or part of a business continuity “pot” that different departments access as needed?
• What is management’s position with regards to risks?
• How to keep leadership engaged and informed on this issue?
• What is the recovery window required?
• Are there human constraints, technological constraints, and regulatory obligations that need to be addressed?

This phase also seeks to define the following requirements:

• A list of stakeholders and team members accountable for preparing the plan.
• A list of scenarios or categories of events that are most likely to occur and address them specifically.

Disaster Recovery as a Policy/Process is the stage after the strategic plan has been completed where implementation and continuous improvement of the technology or processes occurs. Critically, this phase is when operations are running normally and no disastrous events have occurred. This phase provides continuous feedback to the strategic phase.

This phase seeks to address the following questions:

• How do we continuously test the plan to ensure it is viable and meets the needs of the business?
• Who is responsible for continuously testing the plan?
• Can we execute this plan with our internal staff only or would external strategic or tactical partners be needed as well?
• How do we report the testing results to leadership?
• Who is responsible for updating the plan when adjustments need to be made due to operational or business process changes?
• Are our tests meeting the strategic recovery window?

The phase also seeks to define the following requirements:

• A timetable for when complete or partial tests are done.
• A timetable for quarterly reviews with leadership.
• A list of response personnel that will be active during a disaster and who will be continuously involved in ongoing testing and improvement procedures.

Disaster Recovery as a Reality is when a potential triggering event is recognized and acknowledged, e.g., production server hard disks are encrypted or when the primary datacenter is flooded. This means that the response processes and team are active. The goal is to continuously assess the plan in real time as it is being executed. This phase provides experiential feedback to the strategic phase by reviewing the successes and challenges of the plan execution and using that to coordinate updates to the plan going forward.

This phase seeks to address the following questions:

• What is the severity of the incident and can we contain it?
• If it can’t be contained immediately, what is the status of the critical resources required for invoking the plan?
• Do we have enough man power to deal with the requirements of “this” disaster?
• Can we reach the strategic or tactical services partner that can help to expedite some tasks during the execution of the plan?
• Is the activation of the plan proceeding as expected?
• Who is in charge of addressing scenarios that where not addressed in the initial plan?

The phase also seeks to define the following requirements:

• A list of the systems, departments and sites affected.
• A list of the team members and their availability.