Although specific disaster recovery plan formats may vary, the structure of a disaster recovery plan should include several features:
Goals
A statement of goals will outline what the organization wants to achieve during or after a disaster, including the recovery time objective (RTO) and the recovery point objective (RPO). The recovery point objective refers to how much data (in terms of the most recent changes) the company is willing to lose after a disaster occurs. For example, an RPO might be to lose no more than one hour of data, which means data backups must occur at least every hour to meet this objective.
Recovery time objective or RTO refers to the acceptable downtime after an outage before business processes and systems must be restored to operation. For example, the business must be able to return to operations within 4 hours in order to avoid unacceptable impacts to business continuity.
Personnel
Every disaster recovery plan must detail the personnel who are responsible for the execution of the DR plan, and make provisions for individual people becoming unavailable.
IT inventory
An updated IT inventory must list the details about all hardware and software assets, as well as any cloud services necessary for the company’s operation, including whether or not they are business critical, and whether they are owned, leased, or used as a service.
Backup procedures
The DRP must set forth how each data resource is backed up – exactly where, on which devices and in which folders, and how the team should recover each resource from backup.
Disaster recovery procedures
These specific procedures, distinct from backup procedures, should detail all emergency responses, including last-minute backups, mitigation procedures, limitation of damages, and eradication of cybersecurity threats.
Disaster recovery sites
Any robust disaster recovery plan should designate a hot disaster recovery site. Located remotely, all data can be frequently backed up to or replicated at a hot disaster recovery site — an alternative data center holding all critical systems. This way, when disaster strikes, operations can be instantly switched over to the hot site.
Restoration procedures
Finally, follow best practices to ensure a disaster recovery plan includes detailed restoration procedures for recovering from a loss of full systems operations. In other words, every detail to get each aspect of the business back online should be in the plan, even if you start with a disaster recovery plan template. Here are some procedures to consider at each step.
Include not just objectives such as the results of risk analysis and RPOs, RTOs, and SLAs, but also a structured approach for meeting these goals. The DRP must address each type of downtime and disaster with a step-by-step plan, including data loss, flooding, natural disasters, power outages, ransomware, server failure, site-wide outages, and other issues. Be sure to enrich any IT disaster recovery plan template with these critical details.
Create a list of IT staff including contact information, roles, and responsibilities. Ensure each team member is familiar with the company disaster recovery plan before it is needed so that individual team members have the necessary access levels and passwords to meet their responsibilities. Always designate alternates for any emergency, even if you think your team can’t be affected.
Address business continuity planning and disaster recovery by providing details about mission-critical applications in your DRP. Include accountable parties for both troubleshooting any issues and ensuring operations are running smoothly. If your organization will use cloud backup services or disaster recovery services, vendor name and contact information, and a list of authorized employees who can request support during a disaster should be in the plan; ideally the vendor and organizational contacts should know of each other.
Media communication best practices are also part of a robust disaster recovery and business continuity plan. A designated public relations contact and media plan are particularly useful to high profile organizations, enterprises, and users who need 24/7 availability, such as government agencies or healthcare providers. Look for disaster recovery plan examples in your industry or vertical for specific best practices and language.
Losing data is a company’s worst nightmare. Unfortunately, no one is immune as security breaches run rampant today.
You not only have to consider the effects of human interference, but also what could happen in the wake of a natural disaster. Wildfires, hurricanes and earthquakes are all natural occurrences that could knock out your data centers and erase pertinent information without a human ever touching a computer.
A comprehensive disaster recovery plan checklist is essential to getting a business back up and running following a disaster. In this blog, you’ll learn the goals of a disaster recovery plan and what to include on your checklist.
Disaster Recovery Plan Goals
Disaster recovery is meant to help your business stay ahead of problems that could result in a loss of data. According to the National Archives & Records Administration in Washington, 93 percent of companies that lose data access for 10 days or more due to a disaster file for bankruptcy within a year.
If you want to avoid financial loss, your disaster recovery strategy should provide the resources needed to:
- Minimize risk. Before you create a disaster recovery plan, perform a risk assessment to uncover vulnerabilities in your current system.
- Resume operations quickly. Your systems need to be available to you and your customers as soon as possible. Your plan should include solutions for accessing the system without needing physical access — such as a Software-as-a-Service (SaaS) platform and redundant data storage that can be accessed anywhere.
- Maintain industry compliance. Depending on your industry, you likely have specific regulations to uphold. Your disaster recovery plan should reduce your risk of incurring penalties for failing to meet compliance obligations.
- Address concerns of employees, owners and investors. Your disaster recovery plan should help business leaders, owners, employees and investors feel at ease knowing your company is secure. Write down the top concerns from each of these groups so you know which liabilities need to be addressed if a disaster occurs.
What Should You Include on Your Disaster Recovery Plan Checklist?
Here are eight key ingredients to include on your disaster recovery plan checklist:
1. Set Your Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
The first thing you need to do is determine your RTO and RPO. These data points refer to:
The amount of time you need to recover all applications (RTO)
The age of the files that must be recovered for normal operations to resume (RPO)
Setting RTO and RPO goals requires input from multiple departments to best assess business needs.
Your RTO and RPO will help you determine what solutions are necessary to survive a disaster or a data breach and keep your data recovery costs low. They help you determine which hardware and software configurations you need to recover your workloads.
2. Take Inventory of Hardware and Software
Take a complete inventory of your hardware and software. Categorize each application in one of three buckets:
- Critical applications you can’t do business without
- Applications you will need to use within a day
- Apps you won’t need for a few days or more
By defining your most critical applications, you’ll know which ones you need to prioritize in the event of a disaster. You should revisit this list once or twice a year as you install new apps or remove old ones.
Pro Tip: Make sure you have the vendor technical support information for each piece of hardware and application on hand so you can get back up and running fast.
3. Identify Personnel Roles
Beyond your software and hardware needs, you also need to outline the roles and responsibilities involved during a disaster recovery event. Duties range from making the decision to declare a disaster to contacting party-vendors.
Your disaster recovery plan should include a list of disaster recovery personnel with each person’s position, responsibilities and emergency contact information. Everyone from C-suite executives to help-desk reps has a role to play, and each person should understand their role in detail.
You should also have a list of back-up employees in case someone is on vacation or no longer available.
4. Choose Disaster Recovery Sites
Any good business continuity plan will also include using a disaster recovery site where all of your company’s essential data, assets and applications can be moved during a disaster. Whatever location you choose should be able to support your critical hardware and software.
Disaster recovery plans typically use three sites:
- Hot sites, which act as a functional data center with hardware, software, personnel and customer data
- Warm sites that allow access to critical applications (excluding customer data)
- Cold sites where you can store IT systems and data, but that have no technology until your disaster recovery plan goes into effect
These sites should automatically perform backups and replicate workloads to speed up recovery.
5. Outline Response Procedures
Documenting your recovery strategy is the only way to guarantee your team will know what to do and where to start. Write down guidelines for everything, including:
- Communication procedures for employees, media and customers
- Data backup procedures, including a list of facilities and third-party solutions
- Instructions for initiating a response strategy, including staff roles and critical activities
- Post-disaster activities that should take place after operations are reestablished, such as contacting customers and vendors
You can’t be too detailed when it comes to documenting response procedures. The goal is to achieve full transparency and make sure each staff member understands the disaster recovery process from start to finish.
6. Identify Sensitive Documents and Data
Thinking beyond hardware and software, you also need a list of the essential documents and data that you cannot lose without disastrous effects. This includes sensitive information, such as Personally Identifiable Information (PII), and who will have access to that data in the event of a breach or disaster.
7. Create a Crisis Communication Plan
No matter the size of your company, you need a clear strategy for communicating with employees, vendors, suppliers and customers in the event of a disaster. As long as you keep customers and the media informed on the status of your data outage or breach, they will feel much better about how you’re handling the situation.
Larger companies should create a crisis management media kit for reporters and customers. Include a statement that your PR team can publish on your website and across social media platforms that includes a number to contact for more information and an estimate on when things will be back up and running.
8. Run Continuous Practice Tests to Ensure Your Plan Is Effective
The last thing you want is to have your disaster recovery plan fail in your time of need. Test your plan at least once or twice each year and look for red flags, such as failed backup hardware or a slow internet connection that can’t restore your data in time.
Any time you run through a practice test, you should also review your risk assessments, personnel lists and inventory to ensure everything is up to date.
Get Expert Disaster Recovery Planning Assistance From KMicro
Today, every company is likely to experience a natural disaster or human interference at one point or another. To keep your data protected, you need a foolproof disaster recovery plan.
Reach out to KMicro to learn more about how we can help you create an effective disaster recovery plan that will get you back up and running in no time.