IT Disaster Recovery Planning – “No worries, we have a backup?!”

Reading Time: 3 minutes

When asked about their organization’s IT Disaster Recovery (ITDR) plans, some will smile and say, “Yes, we have a backup and it is fully outsourced.” This type of response will set off a few red flags with the Business Continuity Planners, but many organizations do not understand why it is so problematic.

This article will outline what effective ITDR planning entails, and why having a backup is only a small part of a much larger discussion.

IT systems and applications are an integral part of all organizations and can pose unique challenges and needs in terms of disaster recovery. Some operations can be completely halted by an IT disruption, and recovery often requires specific skills, detailed planning and testing.

ITDR Planning depends on Business Impact Analysis (BIA) and Risk Assessments

The goal of ITDR planning is to prioritize the recovery of various IT systems and applications and to ensure that recovery capabilities meet operational requirements.

The first step in successful ITDR planning is understanding business recovery requirements, what IT systems and applications your organization use and determining which specific functions or services they support. Some functions may have manual workarounds, but many tasks cannot be performed without the available IT systems.

For example, there may be a way to manually process payments if the need arises, but there is no way to respond to customer e-mails without access to the Internet. Organizations must be aware of what their key vital functions or services are and know which IT systems or applications are supporting them.

However, being aware of these dependencies is only part of the planning process. The matter is further complicated by the presence of service/functions inter-dependencies as very few processes happen in a vacuum.

Organizational functions depend not only on the IT systems that support them but also on other functions and services (internal and external to the organization). To accurately prioritize the recovery of IT systems, organizations cannot ignore their indirect importance to all functions.

Some functions or processes rank low in priority when evaluated independently, but they may be available to enable some of the high-ranking ones.

RTO and RPO will be driven by BIA findings

Once an organization has mapped out all dependencies and inter-dependencies (Business Impact Analysis process), they can then evaluate their recovery time and point objectives (RTO/RPO) and their recovery capabilities.

This step is where the idea of having a backup often gives organizations a false sense of security. Many do not realize that the mere presence of data backups does not guarantee that services will be able to come back online in the required time and in the required order.

As an example, an organization may have requirements to restore all emails up to the last 6 hours before an incident within a time period of 4 hours to restore the service following the incident. Unfortunately, their email server data backups may only have emails from up to 1 days before the incident and it may take 12 hours following the incident to have the data restored.

This gap between recovery requirements and capabilities can create problems while being completely avoidable.

Proper ITDR planning will allow your organization to address any such gaps to become truly resilient to incidents and disasters. Having an accurate idea of recovery requirements and capabilities will also allow you to perform a cost-benefit analysis to determine which solutions are right for your organization.

ITDR Plans must be tested and exercised 

Once the solutions are chosen, there is also a requirement for testing and training. Scheduled ITDR testing will ensure that the solutions work in real crisis situations.

Some things cannot be predicted until they happen, which is why untested solutions are not real solutions. Similarly, ITDR stakeholder training is required to ensure that the human elements of ITDR solutions work as well as the technical components.

Testing allows the stakeholders to be more familiar with the procedures and execute them when required. It also exposes any parts of the ITDR plan which will need to be updated.

Returning to the example of e-mail server backups, testing and training will ensure that the service recovery function properly and that anyone involved in the recovery process knows exactly what to do.