IT disasters are unpredictable – no business plans for their server to break or their data to be encrypted by ransomware.
Disaster Recovery shouldn’t be. In fact, recovery should be planned, predictable and controlled.
Since we launched our new Disaster Recovery as a Service solution, we have been stating that businesses should have a Disaster Recovery plan in place. But what does that look like?
The following steps will help develop the right strategy to build a DR plan that is closely aligned with your business.
Step 1: Conduct an asset inventory
List all the assets under IT management, including all servers, storage devices, applications, data, network switches, access points and network appliances. Upon completion, map where each is physically located, which network it is on and identify the dependencies.
Step 2: Perform a risk assessment
Go through the inventory list and list the internal and external threats to each of those assets. It’s important to be thorough and plan for the worst possible scenario. These threats could include natural disasters or mundane IT failures. Next include the probability of the threat occurring – a power outage or IT hardware failure is a lot more likely to happen than a natural disaster.
Step 3: Define criticality of applications and data
Classify the data and applications according to their criticality. Look for commonalities and group them according to the criticality to your business continuity, frequency of change, and retention policy. This grouping will allow an implementation of a less complex recovery strategy.
Step 4: Define recovery objectives Different classes will have different recovery objectives. For instance, a critical e-commerce database may be critical to recover and have very aggressive recovery objectives because the business simply can’t afford to lose any transactions or be down for long. On the other hand, a legacy internal system may have less stringent recovery objectives and be less important to recover since the data doesn’t change very often and it’s less critical to get back online.
Management in all departments need to be consulted.
Below is a simple list of questions that should be asked to management to assist in defining the objectives:
- What applications and data does each department use?
- What is the tolerance for downtime for each?
- What is the tolerance for data loss for each?
- Are there times when these applications are not being used by employees, partners or customers?
- Are there any requirements (internal or external [i.e industry or regulatory]) for the organization to retain the data for a designated period of time?
- Are there any requirements (internal or external [i.e industry or regulatory]) that prevent the business from moving the data from one geographical region to another?
- Are there any requirements (internal or external [i.e industry or regulatory]) with regard to security and encryption?
From the above questions, the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) is calculated.
The RTO refers to the acceptable time data and production systems can be unavailable. The RPO refers to the acceptable amount of data that the business can afford to lose.
Step 5: Determine the right tools and techniques
Have a look at our Backup vs. Business Continuity blog which we recently published. It explains the advantages that our new DRaaS solution has over traditional backups.
The decision of which solution to invest in should be calculated from the objectives set out in the previous step.
Step 6: Document and communicate your plan
Communication is key. All too often, only one person in the organization really knows the whole picture, leaving the organization vulnerable if that one person is unavailable during a disaster
Step 7: Test and practice your DR plan
With our DRaaS solution, PFH will include one annualised DR test to ensure that the solution is comprehensively tested. This can be carried out at a time suited to each customer.
Step 8: Evaluate and update your plan
A DR plan should be a living document. It’s especially important to regularly review the plan given an ever-changing business environment.
Tolerance for downtime and data loss may decline. Key personnel may leave the business. IT might migrate to new hardware or operating systems.
Planning needs to reflect the current state of the organization.