Ten points to disaster recovery
Business continuity should not be an abstraction or a concept, but a real plan containing real steps to make your business better prepared for disaster. Here are ten important steps.
Volcanic eruptions, earthquakes, torrential rains, gale-force winds, and floods have only highlighted how important it is for businesses to have a working disaster recovery plan. According to IT security company Symantec, the first few minutes following any catastrophic system failure are critical (they say the same about heart attacks or strokes), so executing the disaster recovery plan quickly is central to mitigating losses. M-net’s Ken Lewis offers ten key disaster recovery points to consider when you next look at protecting one of your most valuable business assets — your data.
1. Unrealistic expectations: Make sure people understand how long (two minutes, two hours, or two days) it will take for systems to come back after a disaster. Usually established within the Business Impact Analysis, the Recovery Time Objectives are the time requirements set by the business to recover critical systems.
2. Assuming a tool will fix everything: Do not make the mistake of assuming that you have a business continuity or disaster recovery plan because you bought a tool. A backup and recovery tool is not a plan. More than simply creating an IT Disaster Recovery Plan, organizations need to create a Business Continuity Plan.
3. Understand the risks: Threats and risk exposures come in all shapes and sizes. It is important to weigh and categorize these exposures. Once they are weighed, a decision can be made to mitigate them. Additionally, the potential financial loss exposure should be determined to establish mitigation cost models.
4. Project mentality: Business continuity/disaster recovery plans are not projects — they are processes which are never finished and need to be continually reviewed, updated, and integrated into an enterprise change management culture.
5. Inadequate testing: Plans are only as good as the last time they were tested, and they can fail when organizations simply test for success and not for the range of potential issues. After the inaugural test, introduce variables into the test methodology, for example, some recovery team members being unavailable to participate.
6. Lack of documentation: It is important for organizations to document the business continuity/disaster recovery plan, as well as the assumptions that went into defining it, so the plan can be changed as the organization evolves. Documentation should define all BC/DR team roles (and alternates), responsibilities, and procedures.
7. Forgetting the people: Systems and applications are useless without people to use and manage them. Do not forget to build appropriate personnel resource considerations into your plan. Include manual process workarounds when applicable since some systems may not be operational for an extended period of time.
8. Education: Money invested in business continuity/disaster recovery education and training is well spent and should be included in the plans, the results of which can be measured during BC/DR drills.
9. Downplaying security: Recovering from a disaster is critical, but not so critical that you can forget about security. BC/DR and security are intimately related, as often security breaches beget the need to declare a disaster.
10. Doing business as usual: Do not assume that just because it has always been done that way, it is the right thing to do. Organizations need to make sure they question assumptions when establishing a recovery program. Lastly, it is important to have provisions to return to a normal state as soon as possible following the recovery efforts.