Printer Friendly Version

Events over the last several years — Sept. 11; bush fires, earthquakes, and mudslides in the West coast of North America; massive floods in China; and the Boxing Day tsunami in Southeast Asia — have forced us to rethink what we consider critical infrastructure. These events brought about the loss of essential services, causing widespread panic and confusion amongst a population unable to handle the emotional and physical stress of what was unfolding before them.

Almost all organizations — whether commercial or governmental — rely on some form of technology to manage the various parts of their operations. A disruption to the availability of any of these resources, if even for a few hours, can have serious consequences for their ability to function at normal capacity. For organizations that provide mission critical services such as power plants, telecommunications facilities, and national defense agencies, disruptions must be kept to a minimum or, if possible, avoided altogether.

How an organization responds to threats during and after a crisis will determine whether they emerge on the other side intact or cause them to cease operations entirely. This is where disaster recovery planning comes into play.

What's a Disaster Recovery Plan?

A disaster recovery plan (DRP) — often referred to synonymously as a business continuity plan (BCP) — is a comprehensive set of measures and procedures put into place within an organization to ensure that essential, mission critical resources and infrastructures are maintained or backed up by alternatives during various stages of a disaster.

A DRP must address three areas:

1. Prevention (pre-disaster): The pre-planning required — using mirrored servers for mission critical systems, maintaining hot sites, training disaster recovery personnel — to minimize the overall impact of a disaster on systems and resources. This pre-planning also maximizes the ability of an organization to recover from a disaster (I discussed the issue of prevention in great detail in my two-part series "The Keys to Maintaining Intranet Integrity").

2. Continuity (during a disaster): The process of maintaining core, mission-critical systems and resource "skeletons" (the bare minimum assets required to keep an organization in operational status) and/or initiating secondary hot sites during a disaster. Continuity measures prevent the whole organization from folding by preserving essential systems and resources.

3. Recovery (post-disaster): The steps required for the restoration of all systems and resources to full, normal operational status. Organizations can cut down on recovery time by subscribing to quick-ship programs (third-party service providers who can deliver pre-configured replacement systems to any location within a fixed timeframe).

Disaster recovery and business continuity planning, however, involves more than just a series of technology-based system recovery procedures. A DRP needs to include contingencies for the loss of:

• IT infrastructure: Network, Internet access, data and application servers.
• Building facilities: Primary power sources, water, heating.
• Communications: E-mail, landline telephone, cell phones.
• Personnel: Key personnel required to take action during a crisis.

The Objectives of Disaster Recovery Plans

A DRP is an insurance policy; you pray that you'll never need to use it but you'll be glad you have it if you ever do. It enables an organization to respond efficiently to potential threats that may render all or parts of its operations and resources unavailable. Unfortunately, according to a META Group article, only 20 percent of the Global 2000 currently claim to be prepared with some type of DRP.

So, why a DRP? They protect an organization in many ways:

• Provides a greater sense of security.
• Ensures a certain level of system and resource stability during a disaster.
• Minimizes system downtime and recovery time.
• Minimizes the risk of permanent loss of core assets or the entire organization.
• Minimizes confusion during a disaster.
• Minimizes the amount of decision-making during a high-stress time when emotions will be running high.
• Provides a platform in which to simulate various disaster recovery scenarios.
• Ensures the reliability of secondary systems such as hot sites and server mirrors.

In general, smaller operations that don't provide any essential services may find it cost ineffective, or even unnecessary, to implement a full-scale DRP beyond keeping off-site backups and maintaining a basic set of server power down procedures. Larger enterprises with mission critical data and systems, however, must consider a more extensive solution in order to prevent a total collapse and cessation of operations.

But DRP necessity — as well as the size and scale of the DRP — really depends on the purpose of the organization and the importance of business continuity during a disaster.