What is a disaster recovery plan? Explain with an example.
The following project outline is provided solely as a guide. It is only intended to be “one example” of requirements for a disaster recovery project plan. It is not, by any stretch of the imagination, the only way to set up a project plan. If you are new to disaster recovery planning, make sure that you research the subject thoroughly before embarking on a disaster recovery planning project. Consider engaging a consultant (internal or external to your organization) to help you in your project planning effort. Disaster recovery planning is not a two-month project, nor is it a project that, once completed, you can forget about. An effective disaster recovery plan is a live recovery plan. The plan must be kept current and tested/exercised regularly.
Disaster Recovery Planning
The primary objective of a Business Resumption Plan is to enable an organization to survive a disaster and to reestablish normal business operations. In order to survive, the organization must assure that critical operations can resume normal processing within a reasonable time frame. Therefore, the goals of the Business Resumption Plan should be to:
The methodology used to develop the plans emphasizes the following key points:
The successful and cost-effective completion of such a project requires the close cooperation of management from all areas of Information Systems as well as business areas supported by Information Systems. Senior personnel from Information Systems and user areas must be significantly involved throughout the project for the disaster recovery planning process to be successful. In closing, it is important to keep in mind that the aim of the disaster recovery planning process is to:
PROGRAM DESCRIPTION
Since disaster recovery planning is a very complex and labor intensive process, it therefore requires redirection of valuable technical staff and information processing resources as well as appropriate funding. In order to minimize the impact such an undertaking would have on scarce resources, the project for the development and implementation of disaster recovery planning and business resumption plans should be part of the organization’s normal disaster recovery planning activities. The proposed project methodology consists of eight separate phases, as described below.
Phase 1 – Disaster Recovery Planning Pre-Planning Activities (Project Initiation)
Phase 1 is used to obtain an understanding of the existing and projected computing environment of the organization. This enables the project team to: refine the scope of the project and the associated work program; develop project schedules; and identify and address any issues that could have an impact on the delivery and the success of the project.
During this phase a Steering Committee should be established. The committee should have the overall responsibility for providing direction and guidance to the Project Team. The committee should also make all decisions related to the disaster recovery planning effort. The Project Manager should work with the Steering Committee in finalizing the detailed work plan and developing interview schedules for conducting the Security Assessment and the Business Impact Analysis.
Two other key deliverables of this phase are: the development of a policy to support the recovery programs; and an awareness program to educate management and senior individuals who will be required to participate in the project.
Phase 2 – Vulnerability Assessment and General Definition of Requirements
Security and control within an organization is a continuing concern. It is preferable, from an economic and business strategy perspective, to concentrate on activities that have the effect of reducing the possibility of disaster occurrence, rather than concentrating primarily on minimizing impact of an actual disaster. This phase addresses measures to reduce the probability of occurrence by monitoring. This phase will include the following key tasks:
Phase 3 – Business Impact Assessment (BIA)
A Business Impact Assessment (BIA) of all business units that are part of the business environment enables the project team to: identify critical systems, processes and functions; assess the economic impact of incidents and disasters that result in a denial of access to systems services and other services and facilities; and assess the “pain threshold,” that is, the length of time business units can survive without access to systems, services and facilities.
The BIA Report should be presented to the Steering Committee. This report identifies critical service functions and the timeframes in which they must be recovered after interruption. The BIA Report should then be used as a basis for identifying systems and resources required to support the critical services provided by information processing and other services and facilities.
Phase 4 – Detailed Definition of Requirements
During this phase, a profile of recovery requirements is developed. This profile is to be used as a basis for analyzing alternative recovery strategies. The profile is developed by identifying resources required to support critical functions identified in Phase 3. This profile should include hardware (mainframe, data and voice communications and personal computers), software (vendor supplied, in-house developed, etc.), documentation (DP, user, procedures), outside support (public networks, DP services, etc.), facilities (office space, office equipment, etc.) and personnel for each business unit. Recovery strategies will be based on short term, intermediate term and long term outages. Another key deliverable of this phase is the definition of the plan scope, objectives and assumptions.
Phase 5 – Plan Development
During this phase, recovery plan components are defined and plans are documented. This phase also includes the implementation of changes to user procedures, upgrading of existing data processing operating procedures required to support selected recovery strategies and alternatives, vendor contract negotiations (with suppliers of recovery services) and the definition of Recovery Teams, their roles and responsibilities. Recovery standards are also developed during this phase.
Phase 6 – Testing/Exercising Program
The plan Testing/Exercising Program is developed during this phase. Testing/exercising goals are established and alternative testing strategies are evaluated. Testing strategies tailored to the environment should be selected and an on-going testing program should be established.
Phase 7 – Maintenance Program
Maintenance of the plans is critical to the success of an actual recovery. The plans must reflect changes to the environments that are supported by the plans. It is critical that existing change management processes are revised to take recovery plan maintenance into account. In areas where change management does not exist, change management procedures will be recommended and implemented. Many recovery software products take this requirement into account.
Phase 8 – Initial Plan Testing and Implementation
Once plans are developed, initial tests of the plans are conducted and any necessary modifications to the plans are made based on an analysis of the test results. Specific activities of this phase include the following:
The approach taken to test the plans depends, in large part, on the recovery strategies selected to meet the disaster recovery planning requirements of the organization. As the recovery strategies are defined, specific testing procedures should be developed to ensure that the written plans are comprehensive and accurate.
DISASTER RECOVERY PLANNING SCOPE AND PLAN OBJECTIVES
The primary objective of recovery planning is to enable an organization to survive a disaster and to continue normal business operations. In order to survive, the organization must assure that critical operations can resume/continue normal processing. Throughout the recovery effort, the plan establishes clear lines of authority and prioritizes work efforts. The key objectives of the contingency plan should be to:
Although statistically the probability of a major disaster is remote, the consequences of an occurrence could be catastrophic, both in terms of operational impact and public image. Management appreciates the implications of an occurrence; therefore, it should assign on-going responsibility for recovery planning to an employee dedicated to this essential service. Management must make a decision to undertake a project that satisfies the following objectives:
PROJECT ORGANIZATION AND STAFFING
The project team organization is designed to maximize the flexibility needed to deal with the implementation of a plan in the most efficient manner possible. As explained earlier in this document, disaster recovery and business resumption planning is a complex and labour intensive program. A key factor in the successful development and implementation of recovery and resumption programs in other organizations is the dedication of a full-time resource to recovery/business continuity planning.
Recovery plans should be treated as living documents. Both the information processing and the business environments are constantly changing and becoming more integrated and complex. Recovery plans must keep pace with these changes. Continuous testing/exercising of plans is essential if the organization wants to ensure that recovery capability is maintained in such an environment. The organization also must ensure that staff with recovery responsibilities are prepared to execute the plans. This cannot be achieved without a full-time resource with responsibility for: maintaining plans; coordinating components and full plan tests; training staff with recovery responsibilities; and updating plans to reflect changes to the information processing and business environments.
The Steering Committee should include representatives from key areas of the organization:
Project Team
The composition of the Project Team may vary depending on the environments and business units for which plans are developed. It is important to note that the managers of environments and business units for which plans are developed will be responsible for the maintenance and testing of their respective plans. However, the person/unit responsible for recovery/continuity planning should retain the role of co-ordinator of testing activities, major plan revisions and maintainer of the Master Plan.
The Core Project Team is automatically part of other project teams. Internal Audit should be invited to be part of all teams. The managers represented on the various teams may choose to recommend other senior individuals in their area to represent them or to join specific teams where their expertise will be required for the development of the plans.
Suggested Core Project Team Composition
Suggested Information Systems/Technology Support Team Composition
Business Units Team
The members of the various Business Unit teams will be different for each Business Unit.