DISASTER RECOVERY PLAN

What is a Disaster Recovery Plan?

Disaster recovery (DR) is an organization’s ability to restore access and functionality to IT
infrastructure after a disaster event, whether natural or caused by human action (or error). DR is
considered a subset of business continuity, explicitly focusing on ensuring that the IT systems
that support critical business functions are operational as soon as possible after a disruptive event
occurs.

Today, disaster recovery planning is crucial for any business, especially those operating either
partially or entirely in the cloud. Disasters that interrupt service and cause data loss can happen
anytime without warning.

Organizations with robust and well-tested disaster recovery strategies can minimize the impact of
disruptions, achieve faster recovery times, and resume core operations rapidly when things go
awry.

A disaster recovery plan (DRP) is a documented, structured approach that describes how an
organization can quickly resume work after an unplanned incident. A DRP is an essential part of
a business continuity plan (BCP).

What is considered a disaster?

Types of disasters can include:

• Natural disasters (for example, earthquakes, floods, tornados, hurricanes, or wildfires)

• Pandemics and epidemics

• Cyber attacks (for example, malware, DDoS, and ransomware attacks)

• Other intentional, human-caused threats such as terrorist or biochemical attacks

• Technological hazards (for example, power outages, pipeline explosions, and transportation
accidents)

• Machine and hardware failure

How disaster recovery works

An effective DR plan addresses three different elements for recovery:

• Preventive: Ensuring your systems are as secure and reliable as possible, using tools and
techniques to prevent a disaster from occurring in the first place. This may include backing up
critical data or continuously monitoring environments for configuration errors and compliance
violations.
• Detective: For rapid recovery, you’ll need to know when a response is necessary. These
measures focus on detecting or discovering unwanted events as they happen in real time.

• Corrective: These measures are aimed at planning for potential DR scenarios, ensuring backup
operations to reduce impact, and putting recovery procedures into action to restore data and
systems quickly when the time comes.

7 Chapters of an IT Disaster Recovery Plan

Here is the typical structure of a DR plan:

1. Goals – what the organization aims to achieve in a disaster, including the Recovery Time
Object (RTO), the maximum downtime allowed for each critical system, and the
Recovery Point Object (RPO), the maximum amount of acceptable data loss.
2. Personnel – who is responsible for executing the DR plan.
3. IT inventory – list of hardware and software assets, their criticality, and whether they are
leased, owned or used a service.
4. Backup procedures – how and where (exactly on which devices and in which folders)
each data resource is backed up, and how to recover from backup .
5. Disaster recovery procedures – emergency response to limit damages, last-minute
backups, mitigation and eradication (for cybersecurity threats).
6. Disaster recovery sites – a robust DR plan includes a hot disaster recovery site – an
alternative data center in a remote location that has all critical systems, with data
replicated or frequently backed up to them. Operations can be switched over to the hot
site when disaster strikes.
7. Restoration – procedures for recovering from complete systems loss to full operations

Why is a DR plan important?

• To minimize interruptions to normal operations.

• To limit the extent of disruption and damage.

• To minimize the economic impact of the interruption.

• To establish alternative means of operation in advance.

• To train personnel with emergency procedures.

 • To provide for smooth and rapid restoration of service.

Types of Disaster Recovery Sites

One of the key elements in any Disaster Recovery plan is selecting a secondary site for data
storage to help prevent data loss in the event of cyber attacks or a natural disaster. DR software
will extract critical business data from this secondary site and restore it to primary servers in case
of a major system failure. Three major types of disaster recovery sites can be used: cold, warm,
and hot sites.

1. Cold Computing Sites - the most simplistic type of disaster recovery site. A cold site
consists of elements providing power, networking capability, and cooling. It does not include
other hardware elements such as servers and storage. Using a cold site is very limiting to a
business since before it can be used, backup data and some additional hardware must be sent
to the site and installed. This will impede workflow.

2. Warm Computing Sites - contain all the elements of a cold site while adding additional
elements, including storage hardware such as tape or disk drives, servers, and switches. Warm
sites are "ready to go" in one sense, but they still need to have data transported for use in
recovery should a disaster occur.

3. Hot Computing Sites - a fully functional backup site that already has important data
mirrored to it. This is the ideal disaster recovery site, but it can be challenging to attain.

Planning a disaster recovery strategy

When it comes to creating disaster recovery strategies, you should carefully consider the
following key metrics:

• Recovery time objective (RTO): The maximum acceptable length of time that systems and
applications can be down without causing significant damage to the business. For example, some
applications can be offline for an hour, while others might need to recover in minutes.

• Recovery point objective (RPO): The maximum age of data you need to recover to resume
operations after a major event. RPO helps to define the frequency of backups.
Elements of Disaster Recovery Plan

1. Create a disaster recovery team. The team will be responsible for developing,
implementing, and maintaining the DRP. A DRP should identify the team members, define each
member’s responsibilities, and provide their contact information. The DRP should also identify
who should be contacted in the event of a disaster or emergency. All employees should be
informed of and understand the DRP and their responsibility if a disaster occurs.
2. Identify and assess disaster risks. Your disaster recovery team should identify and assess the
risks to your organization. This step should include items related to natural disasters, man-made
emergencies, and technology related incidents. This will assist the team in identifying the
recovery strategies and resources required to recover from disasters within a predetermined and
acceptable timeframe.
3. Determine critical applications, documents, and resources. The organization must evaluate
its business processes to determine which are critical to the operations of the organization. The
plan should focus on short-term survivability, such as generating cash flows and revenues, rather
than on a long term solution of restoring the organization’s full functioning capacity. However,
the organization must recognize that there are some processes that should not be delayed if
possible. One example of a critical process is the processing of payroll.
4. Specify backup and off-site storage procedures. These procedures should identify what to
back up, by whom, how to perform the backup, location of backup and how frequently backups
should occur. All critical applications, equipment, and documents should be backed up.
Documents that you should consider backing up are the latest financial statements, tax returns, a
current list of employees and their contact information, inventory records, customer and vendor
listings. Critical supplies required for daily operations, such as checks and purchase orders, as
well as a copy of the DRP, should be stored at an off-site location.
5. Test and maintain the DRP. Disaster recovery planning is a continual process as risks of
disasters and emergencies are always changing. It is recommended that the organization
routinely test the DRP to evaluate the procedures documented in the plan for effectiveness and
appropriateness. The recovery team should regularly update the DRP to accommodate for
changes in business processes, technology, and evolving disaster risks.