Disaster is a nebulous term in IT. Whether the cause is natural (a fire in your data center) or manmade (a ransomware attack), an IT disaster threatens the safety of company data, resources, and personnel. This is why an IT Disaster Recovery Plan (DRP) is an integral part of your organization’s broader business continuity strategy.
Here, we discuss the steps for creating a DRP that can handle any disaster, no matter the severity.
How to Create a Disaster Recovery Plan
Step 1: Identify Interconnected Resources
When developing a DRP, you must first identify all the resources and infrastructure that could be impacted by a disaster. More importantly, you should identify points of interconnection. In the age of digital transformation, many previously siloed systems — such as industrial equipment — are now web-enabled and therefore more vulnerable.
Read more: Ransomware Attacks Rise Dramatically
As part of this step, you should also identify your incident response team. According to Flexential, this team should include:
- Executive management to approve the strategy, policies, and budget
- Crisis management coordinator to lead initiate the plan and coordinate teams
- Business continuity expert to ensure the plan is in line with overall business goals
- Impact assessment and recovery team made up of networking, server, storage, and database representatives
- IT applications monitor to handle any changes to business applications, as well as integrations
Flexential’s guide also suggests bringing on critical business unit advisors to provide additional feedback to the incident response team. Either way, your DRP will be more successful when you have input from multiple teams.
Step 2: Assess Vulnerabilities
Your IT infrastructure is only as secure as its weakest point. When creating a DRP, you need to find these weak points and outline steps to mitigate damage if they become compromised. Further, you need to take steps to shore up these vulnerabilities before they become a problem. Above all, you want to avoid a series of cascading failures.
Another important part of assessing your vulnerabilities is studying previous disasters in your company and sector. What lessons can you learn from past mistakes?
Step 3: Determine the Impact of a Disaster
What constitutes a disaster for your organization? Your DRP should clearly outline steps to determine the severity of an event. Too many businesses have failed to adequately anticipate the scope of a disaster, with predictably disastrous results.
Here’s an example: “For a major bank, the online banking system might be a critical workload — the bank needs to minimize time and data loss,” notes IBM’s guide to backup and disaster recovery. “However, the bank’s employee time-tracking application is less important. In the event of a disaster, the bank could allow that application to be down for several hours or even a day.”
When determining severity, the disaster response team should consider the following:
- Company budget
- Insurance coverage
- Damage to personnel
- Damage to hardware and property
- Data loss
- Integrity of backups
- Legal and compliance ramifications
Even a relatively minor event can snowball into a true disaster if any impacted resource is overlooked. Your DRP should help the response team conduct an all-inclusive audit of affected systems.
Step 4: Develop a Short-Term Plan
The window immediately following a disaster is a critical time period. Your team needs to act quickly to quarantine affected systems, switch over to backups, and/or remove damaged resources. The short-term disaster recovery plan outlines the immediate steps your team should take as soon as an event is discovered.
In general, a short-term DRP should address vital business and IT needs, such as:
- Assessing the severity and scope of damage
- Implementing failover processes
- Reestablishing access to mission-critical functions and resources
The main priorities of the short-term disaster recovery plan are identifying and isolating the problem, ensuring the safety of staff and equipment, and mitigating business disruptions.
Step 5: Develop a Long-Term Plan
It’s important for your DRP to go beyond the short-term response. Once the immediate threat is gone, the disaster recovery team needs to begin the hard work of recovering or replacing lost data, hardware, and other resources.
Further, the team needs to implement facility, security, and operations improvements to prevent similar disruptions in the future. Depending on your organization’s business continuity plan and needs, as well as the severity of damage, this could involve months — or even years — of work.
Your disaster recovery plan must have recovery steps that are specific to your industry and the disaster itself. In fact, Acronis’ guide outlines four types of DRPs you may want to develop:
- Virtualized Disaster Recovery Plan for IT infrastructure located on an offsite VM
- Network Disaster Recovery Plan to respond to unplanned network service outages
- Cloud Disaster Recovery Plan for systems and data backed up to a public cloud
- Data Center Disaster Recovery Plan for a separate facility to be used when disaster strikes your primary data center
Depending on your business and IT needs, your long-term disaster recovery plan may require significant company resources to implement. However, it’s not difficult to find recent examples of businesses that failed to properly invest in disaster preparedness.
Carrying out a long-term disaster recovery plan after an event occurs is an investment in the future integrity of your company’s critical systems.
Step 6: DRP Testing
Before disaster strikes, your team needs to know the DRP will work. Luckily, there are multiple methods for testing a disaster recovery plan. According to Nakivo, there are four generally accepted testing methodologies:
- Plan Review: A thorough audit of your current DRP documentation.
- Tabletop Run-Through: A meeting in which your response team does a step-by-step walkthrough of the plan, as if a disaster had occurred.
- Scenario Simulation: The DRP is executed in a test environment with no business interruption.
- Full Disaster Recovery Simulation: Your main site’s operations are taken down, and an offsite recovery is attempted.
In the course of DRP testing, the weaknesses and strengths of your disaster recovery plan should become clear. Updating your plan to address these overlooked points is part of creating a disaster recovery plan your company can count on.
Explore DRaaS Solutions
Putting a disaster recovery plan into practice can be very expensive. Fortunately, several vendors offer Disaster Recovery-as-a-Service (DRaaS), which can reduce the cost of implementing and maintaining disaster recovery. These services typically offer failover and failback, testing, scalable models, reporting, and monitoring.
Some DRaaS vendors we recommend include:
See our full list of the Top Disaster Recovery-as-a-Service Solutions.