Ten Tips for Successful IT Disaster Recovery Planning

by Paul Chisholm

Businesses of all sizes rely on information technology as a crucial component of their day-to-day operations. Because data availability is a top priority, the need for companies to compile a thorough disaster recovery plan is essential.

According to Info-Tech Research Group, however, almost 60% of North American businesses do not have a disaster recovery plan in place to resume IT services in case of crisis - a recipe for possible business failure. Faulkner Information Services found that 50% of companies that lose their data due to disasters go out of business within 24 months, while the U.S. Bureau of Labor indicates that 93% are out of business within five years.

Ten Tips for Disaster Recovery Planning

  1. Devise a disaster recovery plan: IT disaster recovery planning can be a daunting undertaking, with many scenarios to analyze and options to pursue. It is important to start with the basics and add to the plan over time. To begin, define what is important to keep the business running (for example, email and application access, database back-up, computer equipment) and the "recovery time objective", or how quickly the company needs to be up and running post-disaster. Other key plan components to consider are who within the organization declares the disaster, how employees are informed that a disaster has occurred, and how the company communicates with customers to reassure them that it can still service their needs.
  2. Monitor implementation: Once a disaster recovery plan has been established, it is critical to monitor the plan to ensure its components are implemented effectively. A disaster recovery plan should be viewed as a living, breathing document that can and should be updated frequently, as needed. Additionally, proactive ongoing monitoring and remediation of processes, such as back-up data storage and data replication, results in fewer IT issues and less downtime should a crisis occur.
  3. Test disaster recovery plan: A 2007 eWeek survey of more than 500 senior IT professionals revealed that a whopping 89% of companies test their disaster recovery/failover systems only once per year or not at all, leaving their enterprises vulnerable to massive technology and business failures in the event of a disaster. An under-tested plan can often be more of a hindrance than having no plan at all. The ability of the disaster recovery plan to be effective in emergency situations can only be assessed if rigorous testing is carried out one or more times per year in realistic conditions by simulating circumstances that would be applicable in an actual emergency. The testing phase of the plan must contain important verification activities to enable the plan to stand up to most disruptive events.
  4. Perform off-site data back-up and storage: Any catastrophe that threatens to shutter a business is likely to make access to on-site data back-up impossible. The primary concerns for data back-up are security during a crisis and accessibility following it. There is no benefit to creating a back-up file of valuable data if this information is not transferred via a secure method and stored in an offsite data storage center with foolproof protection. As part of establishing a back-up data solution, every company needs to determine its "recovery point objective" (RPO) - the time between the last available back-up and when a disruption could potentially occur. The RPO is based on tolerance for loss of data or reentering of data. Every company should back up its data at least once daily, typically overnight, but should strongly consider more frequent back-up or "continuous data protection" if warranted.
  5. Perform data restoration tests: Using tape back-up for data storage has been integral to IT operations for many years; however, this form of back-up has not been the most reliable. Today, disk-to-disk systems are gaining popularity. With either type of system, the back-up software and the hardware on which it resides need to be checked daily to verify that the back-up completed successfully and that there are no pending problems with the hardware. With tape back-up, companies need to store the tapes in an off-site location that is secure and accessible, while disk systems need off-site replication if the back-up is not run off-site initially. Moreover, companies need to perform monthly test restorations to validate that a restoration can be accomplished during a disaster.
  6. Back-up laptops and desktops: Although many companies have policies requiring employees to store all data on the company's network, it is not prudent to assume that the policy is being followed. Users often store important files on local systems for a host of reasons, including the desire to work on files while traveling and the need to protect sensitive data from the eyes of even the IT staff. Backing up laptops and desktops protects this critical data in the event of a lost, stolen or damaged workstation. Using an automatic desktop and laptop data protection and recovery solution is ideal.
  7. Be redundant: Establishing redundant servers for all critical data and providing an alternate way to access that data are essential components of an organization's disaster recovery planning. Having these redundant services in place at a secure, offsite location can bring disaster recovery time down to minutes rather than days.
  8. Invest in theft recovery and data delete solutions for laptops: IDC reports that more than 70% of the total workforce in the U.S. will be considered mobile workers by 2009. Accordingly, laptops are increasingly replacing the traditional desktop PCs. Unlike desktops, however, laptops are more easily misplaced or stolen, thus requiring organizations to secure data deletion and theft recovery options for their users' laptops. Theft recovery solutions can locate, recover and return lost or stolen computers, while data delete options can enable companies to delete data remotely from lost or stolen computers thereby preventing the release of sensitive information.
  9. Install regular virus pattern updates: IT infrastructure is one of those realities of business life that most companies take for granted. Companies often do not focus on email security until an incipient virus, spyware or malware wreaks havoc on employees' desktops. Organizations need to protect their data and systems by installing regular virus pattern updates as part of disaster recovery planning, which may even help prevent a crisis from happening.
  10. Consider hiring a managed services provider: For small- to medium-sized businesses, it is often cost prohibitive to implement a sound disaster recovery plan. Frequently these organizations lack the technical professionals to accomplish this. Managed services providers (MSPs) have emerged in recent years to perform this role. MSPs have the technical personnel to design, implement and manage complex disaster recovery projects. Additionally, MSPs have the server, storage and network infrastructure in place to manage a true disaster recovery plan. To make disaster recovery services, such as data storage and redundant servers, available to small- to medium-sized businesses, MSPs build shared, multi-tenant IT infrastructures that host multiple companies on the same hardware and network equipment, which helps keep costs affordable for their customers.
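
The daily back-up check and the test restoration from tips 4 and 5 can be automated. The following is an added example, not part of the original article: it restores an archive into a scratch directory, compares every file against SHA-256 digests recorded when the back-up was taken, and flags when the newest successful back-up is older than the RPO. The tar.gz format, the function names and the sample files are assumptions made for illustration.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

def manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(src: Path, archive: Path) -> Path:
    """Stand-in for the real back-up job: tar+gzip every file under src."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(src).as_posix())
    return archive

def restore_test(archive: Path, expected: dict) -> list:
    """Restore into a scratch directory and list files that are missing or altered."""
    # The "data" extraction filter blocks path traversal where the runtime has it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            tar.extractall(scratch, **kwargs)
        restored = manifest(Path(scratch))
    problems = [f"missing: {n}" for n in expected if n not in restored]
    problems += [f"corrupt: {n}" for n in expected
                 if n in restored and restored[n] != expected[n]]
    return problems

def rpo_breached(jobs: list, now: datetime, rpo: timedelta) -> bool:
    """jobs is [(finish_time, succeeded)]; True if the newest good back-up is older than the RPO."""
    good = [finished for finished, ok in jobs if ok]
    return not good or now - max(good) > rpo

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample data
        src = Path(d) / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1);")
        expected = manifest(src)
        archive = make_backup(src, Path(d) / "nightly.tar.gz")
        print("restore problems:", restore_test(archive, expected))
    jobs = [(datetime(2024, 1, 1, 2, 0), True), (datetime(2024, 1, 2, 2, 0), False)]
    print("RPO breached:", rpo_breached(jobs, datetime(2024, 1, 2, 9, 0), timedelta(hours=24)))
```

Store the manifest separately from the archive it describes, so that a damaged or tampered back-up cannot also rewrite the digests it is checked against.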

Future of Disaster Recovery Planning
In determining the components of a disaster recovery plan, businesses typically need to make tough compromises, trading off the level of recovery (maximum amount of downtime and data loss) against cost. A relatively new form of technology - server virtualization - is beginning to gain popularity as a viable and cost-effective means of achieving highly available, redundant systems. Server virtualization allows companies to consolidate multiple server functions on one host server, thus lowering total cost of operation and effectively managing emerging hardware advancements.

At first glance, server virtualization may appear to be risky and counter-productive when trying to achieve a highly available, redundant IT infrastructure. After all, server virtualization increases the risk of multiple server failures by housing numerous server services on a single host server. But, with the combination of hardware advancements and software ingenuity, companies will be able to capitalize on server virtualization as a practical and effective means to achieve disaster recovery.

In the case of a natural disaster or power outage that impacts a company's primary facility, a host server in a separate location connected to a SAN targeted for virtual server replication can be enabled quickly and with little effort. By capitalizing on increased virtual server performance as a result of software advancements and lower hardware costs with higher capacity, a robust and full-featured disaster recovery plan will be more readily attainable by more organizations.

Bottom Line
Every business is vulnerable at any time to a serious incident that prevents it from continuing normal business operations. Beyond terrorist threats, less catastrophic events such as a lost or stolen laptop, the Northeast Blackout of 2003, Manhattan's steam pipe explosion in 2007, recent wildfires in California and numerous presently unforeseen possibilities can cause substantial business interruptions. Anticipating disaster and preparing for it seems both prudent and advisable, as does regular testing of IT services and back-ups.

A well-structured and coherent disaster recovery plan will enable companies to recover quickly and effectively from an unforeseen disaster or emergency, thus avoiding significant business interruption and loss.

About the Author
Paul Chisholm is Chairman and CEO of mindSHIFT Technologies, a leading provider of managed IT services to small and medium-sized organizations. He was most recently President and CEO of COLT Telecom Group plc, headquartered in London, England. Under Mr. Chisholm's leadership, COLT grew from inception to over $1 billion in revenue and became the largest and most successful European alternative carrier.

© Copyright 2007-2015 Auerbach Publications