Disaster and Data Recovery

Dependence on information technology requires judicious disaster recovery planning to ensure survival of unplanned risks.  Planning for threats not known allows companies to efficiently make decisions in high stress emergency situations that contribute to the safety of employees, and reduce downtime of mission critical services and data loss.  According to Jim Hoffer, “only 6 percent of companies suffering from a catastrophic data loss survive, while 43 percent never reopen and 51 percent close within two years.”  A thorough disaster recovery plan can reduce, if not prevent data loss in catastrophic situations that often lead toward business failure.

The process of developing an effective disaster recovery plan follows a similar structure to the systems developments life cycle and proceeds as follows:

1. Organizational Strategic Plan
2. Analysis
3. Design
4. Implementation
5. Testing
6. Maintenance

It is important to take time to thoroughly complete each step in order as they are interdependent and look at different aspects of disaster recovery.  Disaster recovery planning should also be an interactive process with other members of the disaster recovery and IT teams to encourage input from multiple areas of experience and expertise.

The organizational strategic plan assesses which areas are most critical to business.  For example, recovering email and other communication services is far more important than ensuring all printers are operational.  Indentifying important assets aids in determining how to react to specific disasters and recognize areas of greatest threat.  Upon completion of an organizational strategic plan, a company should have a list of important assets with associated importance rankings.

Analysis considers how the company is affected by different threats and risks.  Some risks require more consideration than the same risk for a different company.  A company in San Diego may give a great deal of attention to earth quake preparedness, whereas a company in Fort Collins would me more concerned with ESD and lightning strikes.  To generate the most accurate and complete set of risks as well as their impact and importance, a brainstorming approach is often used where those involved in the disaster recovery process meet and write down every possible risk or threat.  Later this exhaustive list is reduced by eliminating risks that unrealistic, such as the sun exploding.  Also, risks can often be removed from analysis if they have a probability of greater than 90 percent or less than 10 percent, or an impact that is low enough to not be of concern.  If the probability is greater than 90 percent, the event is assumed to happen and a task must be created to mitigate the impact.  When evaluating the impact of risks, it is also important to look at the worst-case scenario and define the scope of the risk.  The product of analysis is a requirement recovery document which describes “the distinction between critical and non-critical IT systems and information, each possible threat, and the possible worst-case scenarios that can result from each disaster” (Haag and Cummings, p.328).

The next phase in creating a disaster recovery plan is the design phase.  In the design phase, a formal disaster recovery document is written which includes detailed plans and actions required to recover the company from risks identified in analysis.  The plan created in this phase should also identify important information such as who is responsible for what actions, where backup information is kept, emergency contact information, backup site locations, and other details.  According to Haag and Cummings, a disaster recovery cost curve should be used to determine the most cost efficient disaster recovery solution (p. 329).  Careful attention in this phase will reduce the amount of time spent in the remaining phases.

Implementation requires that the disaster recovery plan be distributed and put into action.  Depending on the scope of the disaster recovery plan, additional equipment and services may need to be purchased and employees trained.  The plan will not be functional if the required infrastructure is absent.

Like fire alarms and preparedness, a disaster recovery plan needs to be tested periodically.  Testing a disaster recovery plan keeps procedures fresh for employees and helps to identify areas of weakness and vulnerability.

Lastly, a disaster recovery plan needs to be maintained.  Areas identified as lacking, changes to information contained in the disaster recovery plan, and changes made within the company all need to be updated in the disaster recovery plan.  Many companies have disaster recovery plans; however, because they are not maintained and updated, will likely be discovered to be marginally useful during a disaster.

In summary, disaster recovery planning is essential to the success and survivability of companies that rely on information technology.  An effective disaster recovery plan allows companies to effectively react to disasters in order to reduce data loss and downtime of critical services, and improve employee safety.  A carefully designed disaster recovery plan can help prevent business failure that often results from disasters.

References

Hoffer, Jim. (2001). Backing up business - industry trend or event. Health Management Technology. Retrieved 27 Jun, 2009, from http://findarticles.com/p/articles/mi_m0DUD/is_1_22/ai_68864006/

Haag, Stephen., & Cummings, Maeve. (2008). Management information systems for the information age.  New York: McGraw-Hill.