Eons ago, I worked as a CICS systems analyst. Looking back, it's clear that IT disaster recovery planning was not a high priority for my department. It was more satisfying and, yes, fun to instead work on projects that produced immediate results. But, I was a worry-wart who liked to plan ahead in case bad things happened, so I would create 'disaster recovery plans' (DRPs) and give them to my manager. My plans were basically the only disaster recovery documents the department had.
Remember, this was at a time when the IT shop only needed to worry about the mainframe, and compliance requirements were few. Nowadays, organizations depend on many types of systems and applications that are highly decentralized and geographically dispersed.
Most Windows IT managers know they must effectively plan for disaster recovery, but they often don't like to take time away from the daily business process management activities that they deem are more important. That works for them until an important file, or thousands of files, are irretrievably lost and they must deal with the legal and financial ramifications.
If your company files were lost, would you be confident that your IT disaster recovery plan complied with applicable legal requirements? Wouldn't it be nice to have a checklist that you could use to determine your disaster recovery plan's level of readiness?
The following is a rundown that identifies steps Windows managers can use to build an IT disaster recovery plan and to ensure it's up to par.
Assign disaster recovery responsibility
A comprehensive and effective IT disaster recovery plan is not only a smart business move but also a requirement to remain compliant with a wide range of laws, regulations, industry standards and contractual obligations. Your business partner contracts may also require one. First, you need to assign the following specific disaster recovery responsibilities:
- Choose a position responsible for all organizational DRP activities.
- Ensure the position has decision-making approval, sufficient authority to perform DRP activities enterprise-wide and the clear support of a senior executive (CEO is best).
Identify key business processes
It's important to know which business processes are the most critical and would require a fast restore. You can conduct a business impact analysis to identify these processes. Here's what you need to do, aside from evaluating the most business-critical process:
- Evaluate and rank all of the business processes running on your Windows IT systems.
- Identify where personally identifiable information (PII) is stored and within which business processes it is used.
- Determine the level of disaster prevention you need to achieve in order to keep the identified business processes running at the necessary levels.
Step 3: Document Windows IT processes that need to be incorporated into the DRP
Once you have defined the critical business processes, identify the Windows IT applications, files and other resources that are necessary to support those processes. The following activities will help identify these processes:
- Evaluate the existing Windows IT backup and recovery processes. Are you backing up the resources necessary for the business processes?
- Encrypt backups containing PII. Recent laws, such as those for the state of Nevada and the Commonwealth of Massachusetts, require PII to be encrypted in storage locations.
- Integrate existing backup and disaster recovery processes into the Window IT DRP.
- Update existing processes as necessary to include critical business processes and encryption.
Step 4: Develop the disaster recovery plan
Be sure your disaster recovery plan provides all of the information that's necessary for an effective recovery by any member of the team. Include these measures:
- Document all duties and responsibilities for each of the disaster recovery roles.
- Define DRP team members' responsibilities.
- Create a clear organizational chart that outlines who is responsible for each aspect of disaster recovery planning.
- Develop clear and actionable disaster recovery procedures for each phase of recovery.
Step 5: Create a budget for disaster recovery activities
To ensure that you have appropriately budgeted for the dollars and resources necessary for your DRP, make sure you include some of these activities:
- Identify the number of personnel necessary to support and manage DRP activities.
- Specify the time needed for DRP planning, management and testing.
- Determine any extra hardware and software necessary for DRP activities.
- Determine any outside services necessary to implement and execute the DRP.
- Identify hot-site costs, including fees for archiving, backup storage, disaster declarations, test time and usage fees.
Step 6: Test and implement the disaster recovery plan
You'll need to test your DRP to validate its effectiveness by conducting the following tests:
- Hold a desktop exercise to walk through the DRP.
- Modify the DRP based on feedback from the walk-through.
- Obtain final management approval for the updated DRP documents.
- Distribute the final DRP documents to all individuals with DRP roles.
- Maintain and securely store offsite printed copies of the DRP documentation.
Step 7: Execute ongoing DRP management activities
Make sure your DRP remains relevant and effective over time by including these types of activities:
- Regularly scheduled DRP team meetings
- Regularly scheduled DRP tests
- Regular updates to the DRP to accommodate changes in business processes and the technology infrastructure
- DRP updates and maintenance assigned to key positions and a person assigned to review all changes
You can't implement an effective disaster recovery plan on just a hope and a prayer. It requires a great deal of thought, many resources -- systems and people -- and the diligence to keep it current. Give this checklist to your IT staff to help them understand what to include in the DRP. Doing so will ultimately help IT managers avoid data loss and ensure that if a disaster occurs, their Windows shops will be prepared to handle it.
ABOUT THE AUTHOR
Rebecca Herold, , CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of experience in IT, information security, privacy and compliance and is the owner and principal of Rebecca Herold LLC. She is an adjunct professor for the Norwich University Master of Science in Information Assurance program and is writing her 11th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.
This was first published in March 2009