Few businesses are able to develop these plans effectively. How do you manage your DR plans? Is it taken care of in-house or are you using 3rd party to manage it for you? What are some of the important things to include when preparing DR plans.
Few businesses are able to develop these plans effectively. How do you manage your DR plans? Is it taken care of in-house or are you using 3rd party to manage it for you? What are some of the important things to include when preparing DR plans.
Wow, this is a broad question!
We try to be very careful to separate IT DR from Business Continuity. Really, BCDR is what it's all about. IT is just a component within the overall business structure. Getting data protected and applications available following a disaster is important, but you need to know where your people are, that they are okay, that they know how to access the data. They also need to access phones, offices, and many other corporate resources (vehicles, warehouses, factories, third party services, etc.) So plans have to include the business side (where to meet, who to call, who makes the urgent decisions) and be communicated so that people know the plan or where it's available.
Gary
Gary Aulfinger • CTO/Chief Storage Architect • Electronic Vaulting Services • www.evscorporation.com
DR is very very broad and as Gary states it does form part of an umbrella business continuity plan (BC).
ITIL v3 for instance, speaks about ITSC or IT Service Continuity that supports the BC. Understanding and prioritizing IT Services such as Messaging (Email,Blackberry,etc) Authentication Services (Active Directory,etc) and then LOB Services (ERP,CAD,etc) can break the whole DR plan down into more manageable components. It also enables you to identify the inter dependable services such as the Network or Storage from an infrastructure point of view and give you a picture of how (or in what order) you will need to recover your systems and services.
The NIST's SP-800-30 publication has quite a comprehensive DR plan guide, it deals with all the basics and is pretty comprehensive, if a bit simplified. It includes things such as BIA Business Impact Analysis defining RTO/RPO, importantly having the business ratify a DR policy, Disaster Management Teams, etc.
Other aspects include Risk Analysis and Risk Mitigation exercises these should form part of preparing a DR plan as they can help you define the level of disaster your company is able to respond to and help you to prevent disasters from happening in the first place. (NIST SP800-34 has some pointers on risk.)
BC is as Gary states not just about the IT systems, it's all fine and well to have the Servers up and the lights on but there is no one to use it. Therefore things like access to the systems become important, Questions like, Will it be remote, from home or hot site? If remote, will the critical business processes be sustained via remote access? Do I have enough VPN IP addresses to log everyone into the network? as an example.
For instance, BCDR could consider what the PR impact of the disaster could be and who communicates what to the press and loved ones of the employees? Bad PR could cost the firm more that the disaster itself if not managed carefully.
As a starting point getting a clear understanding of what is BC and what DR is from an IT perspective and who is responsible for what is probably not a bad place to start.
Werner
Last edited by wcoetzee; 02-14-2011 at 07:17 AM. Reason: rearrange word
Werner Coetzee
Business Development Consultant - Shoden Data Systems www.shoden.co.za
DR is very very board, especially now because businesses need to also consider the mobile devices that on the network as they often contain vital data.
As suggested above a good starting point would be a clear understanding of what is BC and what is DR from an IT perspective - deciding on what the business class as critical data, applications etc would also be a good task to perform while considering DR.
Kind regards, Tiffany @ Netshield
I absolutely agree. One of the reasons that the discussion of business continuity and disaster recovery is so broad is because it goes way beyond technology to cover aspects of people and processes as well. You want to make sure that you have a call tree and an escalation matrix to make sure that your key people are available when disaster strikes. You also want to have redundant processes with alternate ways to achieve the same result when something does not work. So, totally agree, Tiffany, BC and DR is not just about the technology. It is about so much more!
Posting Permissions
Reply With Quote