Disaster recovery plan
Assessment 2 – Semester 2 2015
Conrad
Maurice Maurirere | ITSY&.660 INFORMATION SECURITY SYSTEMS | September 1, 2015
Introduction
In this assessment I will describe how the Business Continuity Plan (BCP), also called an Emergency Plan, relates to the Disaster Recovery Plan (DR), describe the necessary components and contents of a DR suitable for a small business, and comment on the implications of not updating the DR or not following through with it when an incident occurs.
BCP and DR relationship
When a company or business suffers a disruption, whether an unplanned disaster or any other event that interferes with its normal processes, it loses part of its worth. This is usually in the form of customers, resources, materials, value, presence, integrity or even time, but ultimately all of it can be defined as a loss of money, because lost revenue and increased expenses equal reduced profits.
Enter the Business Continuity Plan. The BCP is essential in ensuring a business continues its normal performance. It is a document containing critical information, designed with the sole purpose of keeping the business in optimal form by covering any contingencies that could cause business disruption.
When creating a business continuity plan these four steps must be adhered to:
· Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
· Identify, document, and implement to recover critical business functions and processes.
· Organize a business continuity team and compile a business continuity plan to manage a business disruption.
· Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.
Fig 1 (ready.gov, 2015)
A disaster recovery plan (DRP) is a set of procedures, normally in written form, that a company or business can use to recover from a disruption that could cause it negative consequences and/or financial loss. The DRP can also protect a business's infrastructure in the event of a disaster or business disruption. It does this by identifying business disruptions and responding to them correctly; by following its procedures the business can recover as quickly as possible.
"The DRP is a comprehensive statement of consistent actions to be taken before, during and after a disaster." (Wikipedia.org, 2015)
The link between the BCP and the DRP is that the BCP stipulates the best practices for ensuring the consistent operation and continuous maintenance of the business, while the DRP is set in place to correctly identify all the problems a business may face and allocate the correct response to them. A Business Continuity Plan without a Disaster Recovery Plan will lack feasibility in applying its purpose.
Points to consider when creating a DRP for a small business
There are many different types of DRPs, and some take a long time to create and are improved over time. The DRP a business chooses can range from the simplest aspects to more complex points, depending mainly on the size and resources of that business, but even a small business would prosper with an efficient plan. Once the plan has been created it should be tested at least twice a year to ensure it is still successful; a small business, if able, should apply this testing regularly to keep up with larger businesses and competition. After the plan has been made, at least 2 individuals must take responsibility for being on call 24 hours a day, so that they can be contacted immediately and informed of the extent of the damage sustained. The person in charge of the DRP will usually identify the scale of the problem, such as whether it prevents usage or service. If the disruption continues into the business's normal working hours then the DRP must be initiated. The relevant players in the plan would then meet and start to implement the DRP, recovering as efficiently as possible so as to prevent as much financial loss as possible. Some points a small business could consider when creating its DRP are:
Alternate data storage facilities
Information is important, so measures must be taken to protect business information as well as the services that pull out and capture that information. This can be done by incorporating some redundancy and resiliency into the systems, so that if a problem does occur the business can recover not only its information but also the systems that the business provides.
Prioritize and evaluate the business systems to determine which system will be needed first, then test them to ensure they are ready when needed.
Information security is the most important part of a business; even a small business would consider the security of its information, taking measures such as these to protect it.
Back up
· Back up information to the cloud at regular intervals
· Alternate offline storage facility
· Data mirrored between 2 sites
· Stored data at alternative site
Vendor recovery
· Vendor may provide alternate primary business location until business has recovered
Creating the DRP
If a small business follows its Disaster Recovery Plan, it has a document that helps it recover from all disruptions by addressing and correcting problems. These problems vary over an enormous range of occurrences, but they can be narrowed down to disruptions caused by human-generated threats, environmental disasters, internet threats and theft.
When making a DRP, a thorough inventory of all resources and materials should be taken first. The plan must have a detailed understanding of the threats and their impact on the business, and should include strategies to recover, replace and correct the disruption as quickly and efficiently as possible. A small business should consider every problem that may occur and, being a small business, should also consider the following measures.
· Preventative and protective measures: identify every disruption that may occur and set in place contingencies to prevent them, e.g.
  • Access controls, e.g. processes put in place to protect against insecure access, like passwords, firewalls, ID swipe cards
  • Policies in place to ensure the safety of the business, its resources, information and customers. These policies detail aspects such as:
    o Information
    o Security
    o Usage
    o Backup
    o Capital expenditure (big dollars)
    o Operational expenditures
    o Contacts
    o Insurance
· Contingencies to detect everything that may occur that can cause business disruption, e.g. risk assessments
Consolidation is a small business's friend. For example, one important constraint a small business may encounter is cost: its financial status may hinder its ability to invest in an effective DRP. But for the BCP to be applicable, investment in the DRP should be of the utmost importance. Depending on the size of the small business, the DRP should be considered the business's lifeline and treated as such when determining the investment that should be put into it. If costs are a problem, the DRP should cover only the most feasible disruptions, as it would be pointless investing resources in a tornado contingency plan in a country that never has tornadoes. It may be better to invest in more realistic disruptions, and to lessen the costs further by categorizing disruptions rather than investing in each one separately, such as a natural disaster plan rather than a plan for every natural disaster there is.
While making an efficient DRP requires small businesses to make a significant investment of time, resources and money, the DRP is critical to the continued success of the small business. As the old adage says, hope for the best and prepare for the worst (smallbusinesscomputing.com, 2015).
Implications of not updating or following through with the DRP when an incident occurs
The DRP should be tested regularly, as this improves redundancy and the plan's ability to prioritize the level of the disruption, as well as the response necessary from each line of service to address problems that can occur. The plan is tested by assessing its ability to perform against disruptions; some tools, such as the risk assessment, can be used to help in these assessments.
The DRP should always be improved upon, updated and revised, as this keeps the plan current and more thorough. It allows the plan to incorporate any new disruptions that are identified, giving the opportunity to implement new contingencies that address them, which makes the plan more robust and gives it more integrity.
If the plan is not updated, then when an occurrence happens outside the expectations of the plan, the resources, time and costs to the business are increased. A disruption with no contingency plan, or no plan to address and recover from it, can cause dramatic and, for a small business, even irreparable damage.
References
· ready.gov, 2015. Retrieved from: http://www.ready.gov/business/implementation/continuity
· Wikipedia.org, 2015. Retrieved from: https://en.wikipedia.org/wiki/Disaster_recovery_plan
· smallbusinesscomputing.com, 2015. Retrieved from: http://www.smallbusinesscomputing.com/News/ITManagement/5-tips-to-build-an-effective-disaster-recovery-plan.html
