23
Practical IT Research that Drives Measurable Results 1 Info-Tech Research Group Document the Disaster Recovery Plan Now

Document the drp now

Embed Size (px)

Citation preview

Practical IT Research that Drives Measurable Results

1Info-Tech Research Group

Document the Disaster Recovery Plan Now

Document Your Disaster Recovery Plan Now

2

Those who should read this:

At the end, you will have: A better understanding of the information needed to create a DRP.

A complete DRP.

Info-Tech Research Group

• Using this Solution Set and accompanying template will drastically reduce the time and money your organization will need to spend on creating a disaster recovery plan (DRP).

• If you have never created a DRP, it is unlikely that you have ever seen one. The solution set’s DRP Template will provide organizations with a complete and fully modifiable template.

• On average, DRPs take almost a year to create and cost companies over $60,000 in labor costs.

Organizations interested in creating a DRP that have already completed Info-Tech’s Right-Size Enterprise DRPs solution set.

Organizations that have built a disaster recovery capability, but do not have a formalized DRP to support it.

Organizations that would like to make changes and improvements to their existing DRP.

“Disaster recovery plans are costly to create but not having one can bankrupt you.”- IT Manager, Manufacturing

Executive Summary

Info-Tech Research Group 3

• DRPs are required by all organizations, especially those in highly regulated industries.

• DRPs contain all of the information required to help an organization restore their IT and business functionality after a disaster has occurred.

• To create an effective DRP, tests, audits and interviews are required beforehand in order to fuel the plan’s creation.

• Most companies budget three to four months to create their DRPs when they actually take an average of ten months to create.

– This discrepancy occurs because most organizations do not have a dedicated disaster recovery department whose sole purpose is to ensure that the organization is ready for a disaster.

– The people that normally create DRPs are overstretched members of the IT department.

• DRPs are living documents and cannot be created and forgotten. Plans should be reviewed and maintained a fixed number of times per year or whenever there is an organizational change, whichever occurs most frequently. DRPs must be tested. Testing can be done in one of four ways:

1. Walkthroughs

2. Simulations

3. Parallel Testing

4. Full Interruption Testing

DRP Basics • Learn about DR planning, plans, and documents

• Learn more about using interviews, tests and audits create DRPs

• A detailed look at the components of a DRP

• Learn about DR planning, plans, and documents

• Learn more about using interviews, tests and audits create DRPs

• A detailed look at the components of a DRP

Next Section in BriefNext Section in Brief

1

Case Studies

Document your DRP

DRP Maintenance & Testing

Disaster Recovery Documents: Plan well for the unexpected

Info-Tech Research Group 5

DRPs & Documentation:

•A DRP is a document that contains all of the information needed by an IT department to get an organization back to business-as-usual after a disaster has occurred.

•DRPs do not include information concerning staffing, HR, real estate, and financial emergencies.

•Organizations without DRPs indicated that the main reasons that they did not currently have a plan in place were:

• Lack of business buy-in.

• Lack of resources to complete the DRP (both financial and labor resources).

• The organization already had some DR capabilities and felt it unnecessary to document these.

Disaster Recovery Planning:

1. Having disaster recovery (DR) capabilities is the first step in protecting your organization from the unexpected.

2. Having DR capabilities documented is the next logical step as it allows organizations to know what needs to be done in a disaster.

3. During a disaster, the DRP will provide all of the information that the organization needs to get back to business-as-usual in as little time as possible.

While it is undeniable that DR Plans are a necessity in an organization, 28% of organizations surveyed did not currently have a plan in place.

Info-Tech Insight

Results from tests and audits should be used to fuel the creation of your organization’s DRP

Info-Tech Research Group 6

• To create an effective DRP you will need to gather information from multiple sources. These will include:

• Interviews- with employees and stakeholders from all levels in the organization.

• Tests- employees should be tested for knowledge and IT security understanding.

• Audits- perform audits on IT systems, policies and procedures.

• Use the information gathered from these sources to determine what your organization's specific Disaster Recovery Capabilities and needs are.

• Once the organization knows what its current capabilities are and what its needs are, it is only then that an effective plan can be created.

Refer to Info-Tech’s Right-Size Enterprise Disaster Recovery Plans solution set for

more information on the information gathering phase of creating a DRP.

“Creating a disaster recovery plan is not simple, you have to know what has to be done and where to get all of the information, and even then there are some things that end up just being assumptions.” – IT Manager, Healthcare

DRPs contain all the information your organization needs to

get back up and running after a disaster

Info-Tech Research Group 7

“There are a number of considerations that must be reviewed and evaluated. Understanding the process to take to develop a comprehensive DRP is more valuable and complex. There is an ocean of information on specific solutions. The trick is understanding.” - Vice President, Information

DRP Basics • Overview of the DRP Template

• Explanation of introduction

• Disaster recovery teams’ roles, responsibilities & members

• Include a DR call tree in your plan

• Documenting the recovery facilities

• Communicating during a disaster

• How the organization should deal with a disaster

• How IT functionality will be restored to the organization

• DRP testing & maintenance

• Overview of the DRP Template

• Explanation of introduction

• Disaster recovery teams’ roles, responsibilities & members

• Include a DR call tree in your plan

• Documenting the recovery facilities

• Communicating during a disaster

• How the organization should deal with a disaster

• How IT functionality will be restored to the organization

• DRP testing & maintenance

Next Section in BriefNext Section in Brief

2

Case Studies

Document your DRP

DRP Maintenance & Testing

Don’t reinvent the wheel; use the Disaster Recovery Plan Template to create a comprehensive plan quickly

Info-Tech Research Group 9

• Delete all fill-in-the-blank text in the gray font.

• Delete the instructional and guidance text that is highlighted gray

• In the template, sections and sub-sections will be marked as MANDATORY or ELECTIVE.

• MANDATORY indicates that this is a section that ALL organizations must complete.

• ELECTIVE indicates that this is a section that only some organizations must complete. Be sure to follow the instructions and guidance text in all ELECTIVE sections; these may be mandatory for some organizations

• Delete any sections that are not relevant to your organization

• The following slides explain the components of each of the sections in the Disaster Recovery Plan Template. Follow the instructions on each of these slides when completing the template.

DRP Introduction defines a disaster, outlines recovery goals & describes scope of the plan

Info-Tech Research Group 10

MANDATORY: All of the fields in the introduction section must be completed.

Sections Included:•Definition of a disaster:Each organization will define a disaster differently, document how yours defines a disaster. •Purpose:This section should make it clear what the plan addresses and what its goals are.•Scope:Clearly outline the scope of the DRP; what information it includes and what it doesn’t. In this section, all of the departments and groups affected by the plan will be listed.•Version information & changes:Explain how proper version control will be maintained for tracking purposes.

Instructions:Edit and change this section to reflect your organization’s specific needs and goals.

“A disaster recovery plan is one of the most important documents that an organization can put in place. Just in the last year we have had several instances arise that required our DR plan.”- IT Specialist

DR Teams & Responsibilities documents the teams, their roles & & actions to be taken in the event of a disaster

Info-Tech Research Group 11

MANDATORY: All of the fields in the Disaster Recovery Teams & Responsibilities section must be completed.

Sections Included:•DR Teams, Responsibilities & Members:Include details about what each team’s specific roles, goals and duties are. Team members along with their contact information will also be included.

Instructions:Edit and change this section to reflect your organization. Depending on the organization’s size and available resources, some of the teams, their roles and responsibilities will change.

The Disaster Recovery Call Tree is a vital component of the DRP

Info-Tech Research Group 12

MANDITORY: All of the fields in the Disaster Recovery Call Tree section must be completed.

Sections Included:•Disaster Recovery Call Tree: Include the disaster recovery call tree that is to be initiated by the Disaster Recovery Lead.•Disaster Recovery Call Tree Flow Diagram: Include a disaster recovery call tree flow diagram. This is an important component of the actual call tree. It makes it clear who is to call whom in the event of a disaster.

Instructions:Edit and change this section to reflect your organization. Depending on your organization’s DR teams, your call tree will vary.

“The call tree is very important to the success of a DR initiative. We take it very seriously at our company and regularly test the tree to ensure that all members of the DR team are contacted.”-

Describe the Recovery Facilities to ensure the DR teams will be effective in a disaster

Info-Tech Research Group 13

ELECTIVE: Complete this section if you have a standby or secondary facility available for use in the event of a disaster.

Sections Included:•Description of the recovery facilities: Include the location to the recovery facilities, a map of the facility location and detailed directions (with alternate routes) on how to get here from the primary office.•Transportation to the standby facilities: Detail how employees are to get to the standby faculties (e.g. rental cars, their own cars, planes, etc.).•Operational considerations: Address considerations (e.g. hotel accommodations, food and beverages, facility maintenance, catering, etc.).•Data backups: Document where the data in the organization resides, where it is backed-up to and how often it is backed-up.

Instructions:Edit section to reflect your organization’s standby/recovery facilities, resources and needs. Skip section if you do not have such facilities.

Knowing how to Communicate During a Disaster is important if the DR process is to run smoothly

Info-Tech Research Group 14

MANDATORY: Explain how the chain of communication will work during a disaster. Address how and when each of the organization’s stakeholders will be contacted.

Sections Included:•Communicating with employees: Explain how all employees of the organization will be notified of a disaster and told what their next steps are.•Communicating with clients: Document how clients will be notified of the disaster. Crucial clients should be notified of the impact to their service first. Secondary clients must be notified after the crucial ones.•Communicating with vendors: Address how vendors will be notified of any changes to the needs of the organization. •Communicating with the media: Detail how and when the media will need to be informed of a disaster in the organization.

Instructions:Edit and change this section to reflect your organization’s specific needs and goals.

Include information on how to Deal with a Disaster;document all steps needed to cope with a disaster

Info-Tech Research Group 15

MANDATORY: Explain how to handle a disaster. Include all steps that the organization should take in order to recover.

Sections Included:•Disaster identification and declaration: Explain how a disaster will be handled when declared.•DRP Activation: Describe how the DR plan is activated.•Communicating the disaster with the relevant parties: Describe how the disaster will be communicated.•Assessment of damage caused by the disaster and the prevention of further damage: Document how to assess damage and prevent further damage from the disaster.•Standby facility activation: Discuss how to activate the standby facilities.•Repair and rebuilding of the primary facility:Document procedures for repairing and rebuilding the primary facility.

Instructions:Describe how your organization is to react to a disaster. Include the organization's specific disaster recovery needs.

Restoring IT Functionality is important to return to business-as-usual, provide all information that IT will need

Info-Tech Research Group 16

MANDATORY: Document all of the steps required to restore the organization's IT functionality.

Sections Included:•Current system architecture: This will be used to help understand how all of the IT systems are linked in the primary facility and will also help when the a disaster does occur.•IT Systems: An outline of the organization’s IT systems as well as their dependant components. This list is ranked in order of criticality.•Description of the system components: The system components are described fully here. Each one’s vendor, model, serial number, and any other important information is documented.

Instructions:Edit and change this section to reflect your organization’s specific needs and goals.

“Keep DR in mind as you build your infrastructure. Know how you want everything to failback beforehand.”- IT Manager, Finance

Testing and Maintenance ensures that the DRP isfunctional & up-to-date

Info-Tech Research Group 17

MANDATORY: Document all of the steps required to test and keep the plan fully maintained.

Sections Included:•Maintenance:Outline who is responsible for maintaining and updating the DRP. Also, include how frequently the plan should be maintained.•Testing: Describe how the DRP will be tested and how often it will be tested. Testing is important since it is the only way that organization's can ensure that the plan is functional.•Call Tree Testing: This particular component is ELECTIVE , it is however a good practice to ensure that the call tree works as intended since so much of the DR process relies on the call tree.

Instructions:Edit and change this section to reflect your organization’s specific needs and goals.

DRP Basics

• The DR Team Lead is responsible for coordinating plan maintenance and testing

• Testing is necessary for all DRPs

• The DR Team Lead is responsible for coordinating plan maintenance and testing

• Testing is necessary for all DRPs

Next Section in BriefNext Section in Brief

3

Case Studies

Document your DRP

DRP Maintenance & Testing

The DR Team Lead is responsible for coordinating plan maintenance & testing

Info-Tech Research Group 19

• The DR Team Lead is always be in charge of testing, maintaining and updating the DRP.

• Updates and maintenance should be performed biannually or whenever major changes occur; whichever is more frequent.

• Testing is performed in accordance with the organization’s DRP Policy. Testing should be performed at a frequency that the organization will determine and can take on multiple forms.

The DR Team Lead is responsible for upholding, testing and maintaining the DRP. This individual heads the DR initiative and is responsible for activating the DRP and making

decisions during a disaster.

For more information on testing and maintenance, refer to the solution set: Make Sure the DRP is Ready for a Disaster

Testing is necessary for all DRPs

Info-Tech Research Group 20

Perform testing on the DRP periodically to ensure that the plan works and that the entire organization knows what to do in the event of a disaster.

Requires no disruption to the organization’s day-to-day activities. With this method, the plan is tested verbally with all of the DR Teams.

Requires no disruption to the organization’s day-to-day activities. With this method, the plan is tested in a disaster simulation, the standby facility is brought on-line to make sure that it is fully operational.

Requires no disruption to the organization’s day-to-day activities. The plan is tested in the standby facility using the historical data. This data is processed to ensure the same results as the primary facility are produced.Requires disruption to the organization’s day-to-day activities. With this method, the plan is tested in a full disaster scenario where the primary facility is brought down and the business runs off of the standby facility alone. This method also tests whether the organization can successfully go back to the primary facility following a disaster.

MA

GN

ITU

DE O

F E

FFO

RT

INC

REA

SES

DRP Basics

• Finance Company to use Full-Interruption Testing

• Government Organization uses DR documentation to plan for more than just IT’s needs

• Finance Company to use Full-Interruption Testing

• Government Organization uses DR documentation to plan for more than just IT’s needs

Next Section in BriefNext Section in Brief

4Case Studies

Document your DRP

DRP Maintenance & Testing

Finance Company to use Full-Interruption Testing

Info-Tech Research Group22

Disaster Recovery Plan• E-mail- E-mail is their main method of

communication and important during a disaster.• Payroll- being able to pay employees

during a disaster is vital to the organization.• Client database solution - daily reports

and access to client contact information is very important.• File shares - network file shares are very

important to have access to for the business to function.

Company Profile at a GlanceIndustry Finance

DR Vendors Created in-house

Time to create 4-5 months

Standby Facility

Secondary office location

Plan testing and Maintenance

• The plan will undergo a full interruption testing.

DR Capability Put to the Test• Their plan has currently not been tested in

a disaster.

DR Planning Experiences• The organization’s main method of

gathering data to fuel their DRP was through interviews.• A consultant was also hired to offer

specialist help in some areas.

Government Organization uses DR documentation to plan for more than just IT’s needs

Info-Tech Research Group23

Disaster Recovery Plan• Activating the plan- the plan needs to be

easy to activate so response time is short.• DR Teams and their roles- since it is a

government agency, all roles need to be clearly defined since some users are non-technical.• How to assess an emergency- being able

to quickly assess damage and needs are vital• Various response strategies- given the

nature of government agencies, they must have their responses to various disaster scenarios outlined.• Updating the plan• Appendices- emergency contacts,

restoring IT functionality, equipment and software specifications.

Company Profile at a GlanceIndustry Government

DR Vendors Created in-house

Time to create N/A

Standby Facility

Yes- Full standby/failback facility

Plan testing and Maintenance• The plan does not undergo any tests that

will compromise the organization’s availability.• Maintenance is performed bi-annually.

DR Capability Put to the Test• Their plan has currently not been tested in

a disaster.

DR Planning Experiences• The actual documentation process

occurred many years ago, well before recent memory.