Will your DR plan actually work?

Will your DR plan/s actually work?

While you can’t prepare for every possibility, you can take measures to ensure that your business is resilient enough to survive the most likely disruptions – this preparation will keep you operational until full function can be restored. The ability to do this comes from thinking ahead, planning for multiple possibilities and putting the necessary controls in place in order to mitigate or prevent those risks before they become reality.

What is a Disaster Recovery Plan (DRP)?

Disaster recovery planning aims to minimize the disruption to your business should some form of disabling failure occur. It means having the resources allocated and a plan in place to ensure that your business can return to an operative state as soon as possible. DRPs usually focus closely on the IT operations of an organisation.

A Disaster Recovery Plan is used while your business is in the state of a disaster. It takes effect immediately after a disaster has occurred and is designed to minimise the effects on your business. However, it is not intended to return your business to full operation. The path to normal operation after a significant disaster or long-term outage is outlined by a different document, the Business Continuity Plan (BCP).

While disasters have always occurred, having detailed, accessible and actionable disaster recovery plans was often seen as more of a ‘nice to have’ than an operational necessity. However, with organisations’ increasing reliance on the movement, management and storage of data as part of core business operations, the ability to protect that data and the systems that utilise it has become paramount. As businesses become increasingly digitised, Business Continuity Planning also becomes a key business requirement in order to conform to the appropriate regulations and compliance standards for your industry. (For example, in finance, APRA Prudential Standard CPS 232 deals with Business Continuity Management compliance). But in the end, if the information systems that you rely on go down for an extended period of time, or are irreparably damaged would your business survive?

What types of disaster might affect your business?

When we think of disaster recovery, it’s important to remember that we’re not just talking about natural disasters – although obviously it’s true that events like fires, floods, earthquakes and storms can have a significant and devastating impact on your organisation. Threats faced by your organisation can also include both logical/technical threats; those caused by malware, broken network connections, or a major server crash – and human-generated; those caused by malicious hacking attempts, deliberate sabotage by disgruntled employees or Distributed Denial of Service attacks (DDoS).

How do you start?

The key to determining the right disaster recovery plan for your business is understanding your Maximum Tolerable Downtime (MTD) and defining both your Recovery Point Objective (RPO), and the Recovery Time Objective (RTO). That is, exactly what data and systems you will need to recover and by when in order to ensure that your business can maintain some minimum set level of operations and avoid unacceptable consequences.

These parameters will dictate the types of solutions that you can choose to meet your objectives. For example, if you determine that your operations cannot survive any kind of significant downtime (that is, your RPO is continuous and your RTO is instantaneous), you’re going to need to look at a solution that provides a close to seamless transition from your primary data facility to a secondary disaster recovery data facility.

This type of arrangement may also be known as a “hot site” if you outsource this function, or as a redundant site if you maintain it yourself. This is essentially a secondary facility that is kept in a state of readiness that can be swapped in to pick up mission critical operations as quickly as possible.

You should also note that this type of arrangement will probably affect how much production bandwidth you choose to dedicate to maintaining your offsite preparations.

This type of contingency can be expensive though and before any type of decision should be made regarding this type of investment you need to understand the recovery parameters of your business. What types and lengths of interruption can your business withstand without significant negative consequences?

What standards are applicable and what resources are available?

The US National Institute of Standards and Technology (NIST) provides useful resources in this area, most notably publication 800-34, which is the Contingency Planning Guide for Federal Information Systems. While this document is intended to support federal US agencies comply with the Federal Information Security Management Act (FISMA) of 2002, it contains advice and guidance on a prescribed process to create a robust plan.

This guide describes a comprehensive seven-step process to follow:

  1. Set a planning policy and create a policy statement
  2. Conduct business impact analysis (BIA)
  3. Address prevention strategies
  4. Create recovery strategies
  5. Develop the plan
  6. Test the plan
  7. Update the plan

In Australia, there are a number of different standards that might be applicable depending on the nature of your business. While the Australian Signals Directorate has provided an Information Security Manual to assist Australian Government agencies in protecting their information systems, the manual also provides useful information on Disaster Recovery and Business Continuity planning for other organisations.

Beyond this, there are a number of different international standards that may be applicable, including:
• BS 25999 from the British Standards Institute
• ISO/IEC 27031:2011

It’s also wise to be cognisant of the fact that the list of threats facing your organisation will change over time. Your Disaster Recovery Plan will need to change and be updated too – ideally each year.

You don’t have to do this alone – It’s smart to share the risk

There is no denying that this process represents a significant investment for any organisation and also that it requires a particular degree of specialisation in order to complete successfully. Plans need to cover broad areas of your IT operations and how they will be recovered. This is likely to include considerations regarding your network infrastructure, hardware, specialist equipment, application software and your all-important data. And don’t forget your staff – where will they work and how will they work? As such, outsourcing your disaster recovery and, or sharing some of the risk with a service provider can be a reasonable and pragmatic approach to take.

Considering all the different dimensions involved in creating a DRP having a partner that can help lead you through this process and supply appropriate guidance and possible solutions is also invaluable. NextGen can partner with you in this area and provide a range of services including Disaster Recovery Suites that can be used as secondary data facilities should your primary facilities fail. This kind of dual-facility disaster recovery service can provide you with the assurance you need to avoid the possibly detrimental consequences to your business from an extended outage.

NextGen can also provide:
Internet Shadow Services – Provides a backup Internet connection for service continuity in the event of failure or interruption in the primary link.
Nextgen VPN – Premium grade data services that deliver carrier grade Quality of Service (QoS) and network availability.
Connected Data Centres – Selected intra-city data centres capable of providing high capacity transmission grade, low latency services; mandatory for business continuity applications such as synchronous mirroring and replication.
Data Centre Connect – A managed service that provides connectivity for replication for business continuity and disaster recovery applications.
Data Centre Colocation – Carrier grade co-location facilities such as racks, secure cages or private suite areas.