Disaster check: Elements of an essential recovery plan

Strengthen your organization’s disaster recovery plan with these essential tips from the U.S. Bank cybersecurity team.

Tags: Cybersecurity, Risk mitigation
Published: April 12, 2018

2017 was a banner year for disruption, from massive data breaches to devastating natural disasters.

Syncsoft recently published a 2018 “State of Resilience” report, which outlines the increased pressure IT leaders now feel after last year’s calamities. The report noted that nearly half of the organizations surveyed experienced some form of data failure in 2017, with 31 percent of respondents losing more than one day’s worth of data. For any business, lost data can mean lost revenue.

Shockingly, the report also concluded that 85 percent of respondents had no disaster recovery plan at all, or were not confident in their plan. It’s time to change that.

Comprehensive disaster recovery planning can help limit damages incurred by the unforeseen. Whether you have no plan on file (or it hasn’t been updated in ages), make 2018 the year you protect your data.

Here are some essential elements of an effective disaster recovery program:
 

Document all operational and infrastructural locations

Do you have offices in San Francisco, but a data center in Charlotte? Rent server space in Seattle, but manage clients in Miami? Wherever your organization has a foothold (physical or digital), document those locations in your recovery plan.

Include all relevant network infrastructure documents, diagrams, configurations and databases into the plan’s references. Make sure to add any cloud-based or virtual locations into the plan as well. If an on-premises server is compromised, a cloud-based backup could be vital to restoring operations quickly.

It’s also important to keep track of employee’s locations and account for anyone who may have been affected by an incident as soon as possible.
 

Identify stakeholders and first responders

Who has the largest stake in protecting company and customer data? Who would be most qualified to act in response to a disaster? Assemble an Emergency Response Team (ERT) that spans the entirety of your organization’s infrastructure. Include executives and front-line specialists that can act quickly on any outside threat.

Identifying the ERT is just the first step. You also need to make sure that their roles are clearly defined and all actions follow your operational policies (as well as governmental regulations). Keep all this information in physical and digital form, in case anything happens to your servers.
 

Assign levels based on operational impact

A data center outrage might disrupt operations for a few hours, while a widespread natural disaster might weaken a business for weeks. The response to both of these incidents shouldn’t be the same.

Managers on the ERT should identify the most serious vulnerabilities to the organization’s infrastructure and assign levels of criticality accordingly. This gives the rest of the ERT a roadmap for prioritizing its response.

Consider assessing two areas: the severity of the potential disaster, and by the importance of the asset itself. For example, call centers, data centers and power generators could rate higher than office electronics for critical data preservation.
 

Know where (and how) your data is stored

Having all your data in the same physical vicinity might sound convenient, but it’s a recipe for disaster if something goes wrong. As you develop your disaster recovery plan, find out if there’s enough physical space between your production data and any backup copies.

Cloud and virtual servers can help minimize backup restoration costs. They’re often less costly than buying another on-premises server, and are less susceptible to damages from natural disasters. However, they do present a potential threat from cyber-attacks, so it’s worth weighing the cost savings against those threats.
 

Find out how much downtime your organization can handle

Any downtime can result in lost revenue and productivity. However, some business segments can weather increased downtime better than others. The Syncsoft study noted that 35 percent of respondents lost up to an hour of data, 28 percent lost a few hours and 31 percent lost more than one day of data. Depending on the department, such a loss could have drastically different effects on your business.

Find the breaking point for each business segment and IT asset. How much downtime can it withstand before the next part of your recovery plan kicks in? Make sure to cross-reference these figures with your respective segment leaders. If they say they can’t last more than five minutes offline, make sure you have a proposed response before then. Assign recovery time objectives (RTOs) and recovery point objectives (RPOs) to systems, locations, and operations.
 

Create the plan based on your research

You have all the information from your business segment leaders and front-line specialists. Now, it’s time to draft the plan. You can find online templates to serve as a guide. In any case, start completing the plan with the following information:

 ●  Policy statement: What the plan intends to accomplish

 ●  Objectives: The overall goals of the plan

 ●  Infrastructure overview: Where critical assets are housed, and in what format data is stored

 ●  Emergency response team: The names, addresses and contact information for all members of the response team

 ●  Backup options for all critical assets: Include locations and formats here, too

 ● Plan updating and management process: Include when and how the plan will be updated as resources change

 ●  Media, public relations and legal response

 ●  Insurance documentation

After you document these elements, you’ll be more able to handle an unforeseen event. But the disaster recovery planning process is not a passive activity.
 

Test your plan and identify the gaps

Once you have a recovery plan, you need to make sure it can withstand any future disaster. Practice your plan in a simulated setting, and check for any gaps during plan implementation. There is no universally accepted cadence for practicing a recovery plan, but when in doubt, practice more often than you might think is necessary.

When running through your recovery drills, review your team’s ability to meet RTOs and RPOs. These figures can help measure your plan’s effectiveness against the real thing. You can only track them over time, so make sure that you test your plan as often as possible.
 

How is your recovery plan holding up?

While organizations can’t predict when the next disaster will strike, they can shore up recovery plans to limit damages, save revenue and maintain productivity.

 

©2018 U.S. Bank. Member FDIC.