Disaster Recovery Planning Jessica Sipple University of Maryland University College Abstract Busines

Disaster Recovery Planning
Jessica Sipple
University of Maryland University
College

Abstract
Business
continuity and disaster recovery is an ever-present, growing concern for many
organizations and businesses alike. Although some organizations would like to
think that they are immune to the threat of emergencies and disasters, whether
it be human-made, natural, intentional, or accidental, the truth is no organization
is immune, as they can occur in any organization. Organizations must learn how
to protect themselves and mitigate the adverse effects of emergencies and disasters.
A disaster recovery plan is one of the most important strategies
to prepare and protect an organization from disasters and emergencies. This
paper discusses the need for a disaster recovery plan and the procedures to
include in a typical plan.

Disaster Recovery Planning
As
organizations rely more on technology and electronic data for their daily
business operations, the occurrences of disasters and the amount of data and
information technology hardware, software, and equipment lost to disasters
appear to be increasing. Organizations are estimated to lose revenue and incur
expenses every year due to disasters, unpreparedness, and lost productivity. Costs
associated with disasters and being unprepared for such can be detrimental to
an organization. The increased occurrence, costs, and impact of disasters and
emergencies and the consequential loss present valid concerns for
organizations. Measures must be taken to protect organizations from disasters.
The more organizations know about disasters and emergencies, the more they can
do to prepare and protect themselves. One way an organization can prepare and protect
itself is to create and implement a disaster recovery plan (DRP).
Create a Plan
Organizations
need to create a disaster recovery plan (DRP) that can address any type of
disaster, is easy to follow, and easy to understand. The plan should be customized
to meet the unique needs of the organization. According to Hall (2011), steps
in a typical disaster recovery plan (DRP) include the following:
1.
“Identify critical applications
2.
Create a disaster recovery team
3.
Provide site backup
4.
Specify backup and off-site storage procedures†(p.
51).
These steps
provide a foundation for an adequate business continuity and disaster recovery
plan. They also help ensure that the disaster recovery plan is systematic and
simple.
Create a Disaster Recovery Team
Although
Hall implies identifying critical applications as the first step of the
disaster recovery process, it may be more beneficial for an organization to create
a disaster recovery team first. DRPs typically identify the specific personnel
or individuals involved in the business continuity efforts, including a team
coordinator, team leaders over various groups, group members associated with
recovery efforts, and alternates (Sungard, 2014). Hall (2011) “presents an
organizational chart depicting the composition of a disaster recovery team,â€
which includes three groups:
1.
“Second-Site Facilities Group
2.
Program and Data Backup Group
3.
Data Conversion and Data Control Group†(p. 53).
Each group or team
has a specific objective and consists of several members. Hall (2011)
recommends that team members be experts in their area to provide the most
benefit to the team and ultimately the organization. As Hall (2011) recommends,
“task responsibility must be cleared defined and communicated to the personnel
involved†to ensure everyone knows and understands their roles,
responsibilities, and the expectations of them.
Sungard
(2014) recommends that the recovery team personnel section of the plan include
contact information (workphone, cellphone, address, and e-mail addresses) for
all recovery team personnel. This information is helpful to get in contact with
the recovery team personnel in the event of disaster or emergency. However, if
contact information is included within the plan, it is important to continually
update this section of the plan for personnel/workforce changes. Additionally,
all employees of an organization need to know what to do and who to contact if
they discover an emergency. Employees need to have a sense of responsibility in
the event of an emergency or disaster, and contact the appropriate personnel
from the disaster recovery team.
One
of the responsibilities of the DRP team is to identify the organization’s risk
of emergency and disasters. The team should identify emergency and disaster
threats that the organization is or may be exposed to. This will assist the
team in identifying the recovery strategies and resources required to recover
from disasters within predetermined acceptable timeframes (Sandhu & NIIT,
2002). The team should establish what the acceptable timelines are for recovery
and restoration, as well as identify critical applications.
Identify Critical Applications
After creating a disaster recovery
team, the next step in a DRP is to identify the organization’s critical
applications and files (Hall, 2011). To do this, the organization must evaluate
their business processes and determine which are critical to their operations,
or which are a convenience and not a necessity (Chernicoff, 2007). As
recommended by Hall (2011), the plan should focus on short-term survivability,
rather than a long term solution restoring the organization’s full functioning
capacity. Short-term survivability focuses on the functions of the organization
that generate cash flows and revenues. Essentially, the organization should
identify which IT infrastructure is essential to the performance of the
organization. From here, the organization can determine the applications,
files, and even the equipment they need to generate such cash flows.
The
organization must determine the minimum technology resources and applications
required to continue or restore those processes (Chernicoff, 2007). Critical
equipment and resource requirements vary depending on the organization;
however, they may include, but are not limited to workstations, computers,
telephones, VPNs, servers, and the applications required to process business
transactions (Sungard, 2014). Once the minimum technology resources are
determined, the organization should be prepared to preserve this and not
eliminate any resources below the minimum level (Chernicoff, 2007). If the
minimum technology level is not upheld, business continuity could be in
jeopardy.
In
addition to determining the minimum technology resources required to run
minimal business operations, the organization must also look at how to alter
procedures and processes if this becomes reality. As the organization will be
running on minimal resources, less essential procedures or steps within a
process may be delayed or altered until the organization returns to running on
full capacity. However, the organization must recognize that there are some
processes that should not be delayed or in which the adverse impact should be
mitigated. One example may include the processing of payroll since employees
may live paycheck to paycheck and depend on their regularly scheduled income to
survive. This is important whether an organization is encountering a disaster
or not. On the contrary, approving training requests may not be as important or
among the top priorities at the time. Normal procedures, such as to how sales
are processed, may be altered to accommodate reduced resources. In addition to
considering critical applications and minimum technology needed, organizations
and the DRP team must also provide site backup to continue operations in the
event of an emergency or disaster.
Provide Site Backup
A critical part of a DRP is to
provide “for duplicate data processing facilities following a disaster†(Hall,
2011, p. 52). Hall (2011) suggests that the most common second-site backup
options are “mutual aid impact; empty shell or cold site; recovery operations
center or hot site; and internally provided backup†(p. 52). According to Hall
(2011), each option provides different advantages and disadvantages. The mutual
aid pact is a reciprocal agreement between two or more organizations that will
assist each other in data processing and sharing of resources, including IT
equipment and space, in the event of an emergency or disaster of one of the
organization’s locations. This can be a give and take relationship, and although
it can come at no or minimal cost, it is one option that requires trust in the
other organization(s) to uphold their end of the agreement when and if the time
comes.
The empty shell or cold site plan is
a second site, such as a building, that could serve as a data center if needed.
However, it is a shell in the sense that it is an empty building ready to house
the minimal hardware to run critical applications, as defined earlier in the
DRP. This option may provide cost savings. However, the significant
disadvantage is that the organization must have the contacts and resources to
obtain the IT equipment needed to fill the site in the event of a disaster. If
not, this option will only be an empty shell, as the name implies and will be
of little benefit to the organization.
On
the contrary, a recovery operations center is a fully operational backup data
center that has all the necessary hardware and IT equipment present in service
to continue operations. However, it comes at a price as an organization must
pay for access rights. In addition, a wide-spread disaster or emergency may
take out or effect the capabilities of the center, depending upon its location.
Larger organizations may have the option of internally provided backup if they have
multiple data processing centers. According to Hall (2011), “this permits firms
to develop standardized hardware and software configurations, which ensure
functional compatibility among their data processing centers and minimize
cutover problems in the event of a disaster†(p. 54). However, not all organizations
have this option available.
The
DRP team should research all of the site backup options available to the
organization and decide which options is are best to meet the organization’s
needs. When creating the DRP, the team should include procedures necessary to
support the relocation, including but not limited to identifying any IT
equipment needs, providing all critical applications, files and documentation,
and reissuing VPN tokens or other credentials (Sungard, 2014). In addition, it
may be helpful to include contact information for the site backup location. After
the DRP team determines the best second-site backup for the organization’s
needs, then they need to consider backup and off-site storage procedures.
Backup and Off-Site Storage Procedures
According to Hall (2011), “all data
files, applications, documentation, and supplies needed to perform critical
functions should be automatically backed up and stored at a secure off-site
location†(p. 54). Data and storage procedures should be clearly identified in
the plan and assigned to specific personnel to ensure responsibility and
completion (Microsoft, 2014). Back up and off-site storage procedures should
specify whether the entire network or select computers should be backed up,
including operating system backup and application backup (Microsoft, 2014). At
a minimum, the previously determined critical applications required for minimal
operations should be backed up. In addition, backups of data files need to be considered.
According to Hall (2011), “databases should be copied daily to high-capacity,
high-speed media, such as tape or CDs/DVDs and secured off-site†(p. 55).
Procedures should be established to secure both the storage device and the
backup media, whether it be physical security measures or electronic controls.
Backup
and off-site storage procedures should be established for documentation,
supplies, and source documents. Hall (2011) recommends that end-user manuals be
backed up as personnel who do not typically process transactions may be
performing these tasks in the event of a disaster or emergency. Critical
supplies required for daily operations, such as checks and purchase orders, as
well as a copy of the DRP, should be stored at the off-site location (Hall,
2011). Microsoft (2014) recommends that source documents, such as hardware and
software inventory records, as well as receipts for software and hardware
purchases also be stored at the off-site location.
In
the DRP, the location of the off-site backup and storage should be identified,
along with contact information and any credentials needed to access the backups
and storage media. One option, although not the only option, is backing up
important systems and files securely off-site in the cloud, as they can then quickly
be recovered and restored. Additionally, organizations may want to consider
migrating applications and systems, especially those determined critical, to
the cloud so they can be accessed whenever and wherever needed.
All
backup and off-site storage procedures should be performed routinely, either by
data processing personnel or automatically by the systems. In either case, the
assigned personal should ensure that the backups and storage procedures are
completed correctly and that systems and files can be recovered or restored at
any time.
Test and Maintain
Disaster recovery planning is a continual process as
risks of disasters and emergencies are always changing. It is recommended that
the organization test the DRP to evaluate the procedures documented in the plan
for effectiveness and appropriateness (Sandhu & NIIT, 2002). Organizations should test their recovery
plan step-by-step regularly to have proof and peace of mind knowing that if the
organization ever needs it, it will work quickly and effectively. The recovery
team should be performing routine maintenance of the DRP, including
incorporating suggested improvements into the plan after testing and throughout
its lifetime (Sandhu & NIIT, 2002).
Conclusion
In summary, an organization must develop a recovery team
to create a disaster recovery plan (DRP) that includes identifying critical
applications, providing site backup, and identifying backup and off-site
storage procedures. Other procedures may be included in the plan based on the
organization. The recovery team and organization must then implement the DRP and
follow through on the plan procedures. The DRP should be continually tested and
maintained to consistently prepare the organization for evolving disasters and
emergencies.

References
Chernicoff,
D. (2007). Disaster-Preparedness Checklist. Windows IT Pro, 13(2), 49-52.
Hall, J. (2011). Information Technology Auditing (3rd ed.). Mason, OH:
South-Western, Cengage Learning.
Microsoft.
(2014). Creating Backup and Off-Site Storage Procedures. Retrieved from.microsoft.com/en-us/library/cc960728.aspx”>http://technet.microsoft.com/en-us/library/cc960728.aspx.
Sandhu,
R., & NIIT. (2002). Disaster Recovery Planning. Cincinnati, Ohio: Premier
Press.
Sungard Availability Services (2014).
What’s in a Business Continuity Disaster Recovery Plan Template? The Building
Blocks for a Successfully Recovery Program. Retrieved from.sungardas.com/Documents/disaster-recovery-plan-template-SFW-WPS-086.pdf”>http://www.sungardas.com/Documents/disaster-recovery-plan-template-SFW-WPS-086.pdf.