Creating an Effective Disaster Recovery Plan
November 7, 2000

by James Mendelsohn

Whether you're starting or growing your Web presence, you need to plan against technical difficulties, viruses, denial-of-service attacks, floods, fires, and other unexpected events that might suddenly stop your Internet operations in its tracks. This article moves through how to create an effective disaster recovery plan beginning with the important details, but at its end, it provides an equally important checklist of guiding principles.

In the event of a disaster, a business should have a back-up for the following:

• Data file storage and retrieval
• Customer Services
• Communications and User Operations
• Hardware
• Software
• User operations
• Facilities for MIS and for users

An effective disaster recovery plan clearly identifies even the obvious details of how you will respond to disaster to ensure some of those details do not escape attention. It spells out those details, which establishes the plan is comprehensive and well-organized.

Creating the Possibility for Recovery and Potential Alternatives

First and foremost, you need to maintain full documentation of all your important information. A brief checklist encompasses

• software and data file back-ups, including all vital records;
• documentation back-ups and inventory, including all policies and procedures;
• hardware and software inventory, including main computer and all other equipment;
• insurance policies.

Since the enterprise network is likely to hold most if not all of your vital information, those back-ups should include

• call lists, vendor lists, and critical telephone numbers;
• forms, equipment, and office supply inventories;
• off-site storage and temporary locations of the business inventory.

In addition to having back-up data and documentation, you should consider the following alternatives for equipment and service:

• Do you have more than one data center, so a back-up already exists?
• Do you have multiple computers performing the same tasks and with the same data storage, so that you effectively have redundancy?
• Do you outsource your equipment, so that a vendor can then easily and quickly replace it?
• Do you have your own or contracted service centers to provide replacement operations for customer services if not user operations and communications?

Developing and Implementing the Plan

• Create a planning committee that ensures the disaster recovery plan is comprehensive and has the commitment of the entire business.
• Conduct a risk assessment and business impact analysis. The risk assessment considers the variety of potential disasters, including hacker attacks, viruses, sabotage, technical failures, fires, and floods. It explores a range of disasters, from those affecting only one part of the network to those destroying all of it.
• The risk assessment evaluates the full impact of the loss of information data or the inability to serve employees and customers via the Web. It should give that impact a dollar amount and compare it to other assets of the business.
• Evaluate the cost of protecting the business against such disasters.
• Identify the critical components of your network and operations. That identification should include assessing the value of and the ability of the business to operate without the following:
  • Stored Information, including
    • financial records
    • proprietary information
    • all other data files
  • Processing Systems, including
    • all hardware
    • all software
    • all other equipment
    • documentation on all equipment and all IT department processes
  • IT Managers and Employees, including
    • their responsibilities
    • their abilities
  • Operations, including
    • the service that each critical component provides for the business

Securing the Alternatives

Recovery procedures should include a secondary way for maintaining each of the critical components you identify, yet be more specific. If you contract with others for these alternatives, be sure to address the following items in a checklist.

The Equipment and Services

• Is the alternate equipment or service compatible with a business network? Is it guaranteed to be so?
• Does the contract identify the exact kind of equipment, system, and service to be provided? Does it notify a business if there are any changes?
• Does it identify the demand upon equipment, resources, and the people it will provide?
• Does it provide additional security procedures to ensure the safety of a business information and network?
• Does it specify the exact hours that these additional equipment and services will be available to operate? Does it specify how quickly the equipment will be available?
• Does it provide for testing the effectiveness of the equipment and services provided?

[Page 1]   [Page 2]