Protect your Data: Building a disaster recovery plan
by Matthew Mister, on Mar 3, 2020 10:21:42 AM
Few things are as frustrating as losing data on your personal computer. But frustrating is child's play compared to the loss that could be suffered by a business without a disaster recovery plan in place. In most cases, that is the beginning of the end for that business.
A disaster recovery plan is a structured approach that describes how an organization can quickly resume work after a disaster. Simple. Yet not so simple. There are numerous causes of data loss you must prepare for which makes implementing a disaster recovery plan a formidable task. This is mostly due to the horde of factors that must be considered in ensuring the security and continuity of your business's data. This is probably why most organizations lack disaster recovery preparedness and are reactive to disasters. They do not have a disaster recovery planning team assembled until there's a problem. Without a process for disaster recovery testing you leave your business at risk for data loss. In some cases, the business does not recover after there is a disaster.
To prevent these incidents, you will need to regularly work on a DR plan to ensure that your data is secure in the event of a disaster. It is achievable because disaster recovery can be planned, predictable, and controlled. In fact, businesses that plan ahead and develop a solid IT disaster recovery plan can restore their systems and are ready to get back up and running after a disaster. Here are some tips on how to build a disaster recovery plan.
How to Build your Disaster Recovery Plan
- Perform a risk assessment: Before performing a risk assessment, you need to get an inventory of your assets. As a matter of fact, building your disaster recovery plan should always start with an inventory of all your IT assets: servers, storage devices, applications, data, network switches, access points, and network appliances. The next step should involve mapping these assets. Mapping includes physical location, which network it is on, and dependencies. Running a risk assessment serves to identify potential hazards and analyze them before they occur. So after mapping all your IT assets, networks, and their dependencies, the next step of the process is to go through the assets and list the internal and external threats to each of them. What's the worst that could happen: natural disasters, power outages, mundane IT failures, or worse? You want to include the probability that that event may happen. What would be its impact on your business should the event occur. How will it affect business continuity if each scenario were to occur? It's important that you are thorough and plan for the worst possible scenario in the part of the process. The goal of DR is risk reduction. A great risk assessment checklist will help guide your core DR strategy.
- Define Criticality: The next step in the process is to classify your data and applications according to their criticality. Speaking to your colleagues and support staff to determine the criticality of each application and data set is a great idea and a good place to begin. Identify commonalities and assemble them according to their criticality to your business continuity, frequency of change, and retention policy. Try to avoid applying a different technique to individual applications or datasets because you are better off grouping your data into classes with similar characteristics. This will allow you to implement a less complex strategy. You want to also avoid classifying data in a vacuum based on assumptions. Try as much as possible to involve other business managers and support staff in this aspect of the planning process.
- What Are Your Recovery Objectives? Each of the different classes will have different recovery objectives. A critical e-commerce database may have very aggressive recovery objectives because, by the nature of the business, the site can't be down for long, or the loss of transactions will be sky-high. Conversely, a legacy internal system may have less stringent recovery objectives because the data doesn't change very often, and it's less critical to get back online. Be mindful of this step because a lot of IT professionals fall short here. One mistake they make is that of misalignment. This occurs as a result of setting recovery objectives without consulting business line managers. It is imperative that you involve them in this process because you will be able to understand business needs better. This also allows you to provide a differentiated level of service availability based on priority.
- Decide On the Right Tools: This might be a little difficult to do because of the wide array of solutions on the market today. One thing you should do is to ensure that what you choose provides the appropriate level of protection. When it is excessive, unnecessary costs and complexity arise. On the flip side, under-protection will put your business continuity at risk. So you want an option that suits your needs like a glove. For instance, you could get away with using nightly backups with traditional methods for low-impact data, but that wouldn't work so well for high impact data. One of the most critical components of your backup and disaster recovery plan is your offsite protection. Are you planning on data center disaster recovery? Or will you use a cloud-based disaster recovery service or an outsourced disaster recovery provider? It must be used regardless of the type of data backup method you choose. However, you must ensure that the method aligns with your recovery objectives. Ensure that your data is sent to a location that is far enough to eliminate geographical risks. At least 30 kilometers away from the primary location is a good distance. You must also choose tools and technologies that allow you to automate and streamline the recovery process as much as possible. This is because automation lessens the risk of human error, which tends to occur in the event of disasters.
- Document and communicate your plan: This is also very important, especially in a disaster scenario. There is a need to have a documented strategy that will help you get back on your feet. Communicate your plan. Let all the persons involved stay updated. This reduces the vulnerability of the organization. Documentation and proper communication allow being accessed during a disaster. You want to ensure this by printing the DR plan and posting it in multiple locations.
- Test and practice your DR plan: Perfecting your firm's disaster plan will require lots of testing and practice. Practice allows you to find and rectify problems in your plan. It also facilitates faster and more accurate execution. One great way to do this is to carve out pieces of the plan and practice them one after the other. Often, organizations that are proactive in regards to DR will discover several unaddressed risks through the testing process. It is imperative that you conduct a test run of your DR plan prior to its implementation. This is because it is only during testing that errors are discovered. While testing can be resource-intensive, lots of companies are tempted to skip this step; it is well worth it in the long run.
- Evaluate and update your plan: You must be constantly updated, especially with the ever-changing business landscape. Regular reviews are imperative if you want to recover from a disaster. A lot of things can go wrong. Key personnel may not be available when needed. There might be a need for migration to better hardware or operating systems. There might be reduced tolerance for downtime. Just about anything can happen. That is why your DR plan must be a living document that easily adapts to current needs.
- Set Up A Functional Team: Depending on the size of your organization, you might want to establish a dedicated team that will be responsible for implementing the DR plan. This team will focus on DR, perform regular security audits, and implement the recovery of your data in the event of a disaster. It might be cheaper to outsource, though. Whatever option you choose, ensure that there are people who are ready to implement the DR plan if the need arises.
- Apply the 3-2-1 Backup Rule: This rule is the guiding principle of backup and disaster recovery. What it means is that there should be three copies of your data, on two forms of media, with one copy located offsite at each point in time. When you have three copies of data prepared for the possibilities of human error, technical failure, and unforeseen disaster. In the event of degradation of data stored on traditional tape backups, the other copies (which could either be stored in the cloud or on a third media) will ensure the data's integrity. In addition, data that is stored offsite provides extra assurance in the event of a natural disaster. Applying this rule will help to make your disaster recovery plan more robust and able to function in the event of a disaster.
It is true that Disaster Recovery can be daunting. There are a lot of details, plans, and strategies that must be managed before you arrive at an effective DR plan. However, once a DR is well implemented correctly and completely, your organization is better off. The best part is that advancements in security assurances of Cloud Computing, and the increased need for affordable solutions, makes DR an inexpensive investment. Just start by applying all that you read in this article.