8.

Information System Controls

8.3 The Disaster Recovery Plan

 Disaster Recovery Plan (DRP)
• A disaster Recovery Plan (DRP) is a documented process or
set of procedures to recover and protect an information
system in the event of a disaster.
• Such a plan, ordinarily documented in written form,
specifies procedures an organization is to follow in the
event of a disaster.
• It is a comprehensive statement of consistent actions to be
taken before, during and after a disaster".
• The disaster could be natural or man-made.
• Given organizations' increasing dependency on information
systems to run their operations, a DRP, sometimes
erroneously called a Continuity of Operations Plan (COOP),
is increasingly associated with the recovery of information
systems data, assets, and facilities.
 Objectives of a DRP
• Organizations cannot always avoid disasters, but with
careful planning the effects of a disaster can be minimized.
• The objective of a DRP is
– to minimize downtime
– to minimize data loss.
• The primary objective is to protect the organization in the
event that ALL or part of its operations and/or computer
services are rendered unusable.
• The Disaster Recovery Plan
– Minimizes the disruption of operations
– Ensures that there is some level of organizational stability
– Ensures an orderly recovery after a disaster will prevail.
• Minimizing downtime and data loss is measured in terms of
two concepts: the Recovery Time Objective (RTO) and
the Recovery Point Objective (RPO).
 Recovery Time Objective (RTO)

• The RTO is the time within which a business

process must be restored, after a major
incident (MI) has occurred, in order to avoid
unacceptable consequences associated with a
break in business continuity.
 Recovery Point Objective (RPO).
• The RPO is the age of files that must be
recovered from backup storage for normal
operations to resume if a computer, system, or
network goes down as a result of a Major
Incident.
• The RPO is expressed backwards in time (that is,
into the past) starting from the instant at which
the MI occurs, and can be specified in seconds,
minutes, hours, or days.
• The RPO is the maximum acceptable amount of
data loss measured in time.
 Benefits of a DRP
• Like every insurance plan, there are benefits that
can be obtained from the drafting of a disaster
recovery plan. Some of these benefits are:
1. Providing a sense of security
2. Minimizing risk of delays
3. Guaranteeing the reliability of standby systems
4. Providing a standard for testing the plan
5. Minimizing decision-making during a disaster
6. Reducing potential legal liabilities
7. Lowering unnecessarily stressful work environment
 Types of plans
• There is no one right type of disaster recovery
plan, nor is there a one-size-fits-all disaster
recovery plan.
• However, there are three basic strategies that
feature in all disaster recovery plans:
1. Preventive Measures
2. Detective Measures
3. Corrective Measures.
 1. Preventive Measures
• Preventive measures will try to prevent a disaster
from occurring.
• These measures seek to identify and reduce risks.
• They are designed to mitigate or prevent an event
from happening.
• These measures may include
– keeping data backed up and off site,
– using surge protectors,
– installing generators
– conducting routine inspections.
 2. Detective Measures
• Detective measures are taken to discover the
presence of any unwanted events within the IT
infrastructure.
• Their aim is to uncover new potential threats.
• They may detect or uncover unwanted events.
• These measures include
– installing fire alarms,
– using up-to-date antivirus software,
– holding employee training sessions,
– and installing server and network
monitoring software.
 3. Corrective Measures
• Corrective measures are aimed to restore a
system after a disaster or otherwise unwanted
event takes place.
• These measures focus on fixing or restoring the
systems after a disaster.
• Corrective measures may include
– keeping critical documents in the Disaster Recovery
Plan
– or securing proper insurance policies, after a "lessons
learned" brainstorming session.
 Developing a DRP
• A disaster recovery plan must answer at least
three basic questions:
1. What is its objective and purpose,
2. Who will be the people or teams who will be
responsible in case any disruptions happen, and
3. What will these people do (the procedures to be
followed) when the disaster strikes.
 Developing a DRP (2)
• The entire process involved in developing a Disaster
Recovery Plan consists of 10 steps:
1. Obtaining top management commitment
2. Establishing a planning committee
3. Performing a risk assessment
4. Establishing priorities for processing and operations
5. Determining recovery strategies
6. Collecting data
7. Organizing and documenting a written plan
8. Developing testing criteria and procedures
9. Testing the plan
10. Obtaining plan approval
 1. Obtaining Top Management Commitment

• For a DRP to be successful, the central responsibility for

the plan must reside on top management.
• Management is responsible for coordinating the DRP
and ensuring its effectiveness within the organization.
• It is also responsible for allocating adequate time and
resources required in the development of an effective
plan.
• Resources that management must allocate include
both financial considerations and the effort of all
personnel involved.
2. Establishing a Planning Committee (PC)

• A PC is appointed to oversee the development

and implementation of the plan.
• The PC includes representatives from all
functional areas of the organization.
• Key PC members customarily include the
operations manager and the data processing
manager.
• The PC also defines the scope of the plan.
 3. Performing a Risk Assessment
• The PC prepares a risk analysis and a business impact
analysis (BIA) that includes a range of possible disasters, including
natural, technical and human threats.
• Each functional area of the organization is analyzed to determine
the potential consequence and impact associated with several
disaster scenarios.
• The risk assessment process also evaluates the safety of critical
documents and vital records.
• Traditionally, fire has posed the greatest threat to an organization.
Intentional human destruction, however, should also be considered.
• A thorough plan provides for the “worst case” situation:
destruction of the main building. It is important to assess the
impacts and consequences resulting from loss of information and
services.
• The PC also analyzes the costs related to minimizing the potential
exposures.
 4. Establishing Priorities for
Processing and Operations
• At this point, the critical needs of each department within the organization are
evaluated in order to prioritize them.
• Establishing priorities is important because no organization possesses infinite
resources and criteria must be set as to where to allocate resources first.
• Some of the areas often reviewed during the prioritization process are functional
operations, key personnel and their functions, information flow, processing
systems used, services provided, existing documentation, historical records, and
the department's policies and procedures.
• Processing and operations are analyzed to determine the maximum amount of
time that the department and organization CAN OPERATE WITHOUT each
critical system. This will later get mapped into the Recovery Time Objective.
• A critical system is defined as that which is part of a system or procedure
necessary to continue operations should a department, computer centre, main
facility or a combination of these be destroyed or become inaccessible.
• A method used to determine the critical needs of a department is to document
all the functions performed by each department. Once the primary functions
have been identified, the operations and processes are then RANKED in order of
priority: essential, important and non-essential.
 5. Determining Recovery Strategies
• During this phase, the most practical alternatives for processing in case of
a disaster are researched and evaluated.
• ALL ASPECTS of the organization are considered, including physical
facilities, computer hardware and software, communications links, data
files and databases, customer services provided, user operations, the
overall management information systems (MIS) structure, end-
user systems, and any other processing operations.
• Alternatives, dependent upon the evaluation of the computer function,
may include: the provision of more than one data centre, the installation
and deployment of multiple computer system, duplication of service
centre, consortium arrangements, lease of equipment, and any
combinations of the above.
• Written agreements for the alternatives selected are prepared, specifying
contract duration, termination conditions, system testing, cost, any
special security procedures, procedure for the notification of system
changes, hours of operation, the specific hardware and other equipment
required for processing, personnel requirements, definition of the
circumstances constituting an emergency, priorities, and other
contractual issues.
 6. Collecting Data
• In this phase, data collection takes place. Among the
recommended data gathering materials and
documentation often included are various lists (critical
telephone numbers list, master call list, master vendor list,
notification checklist), inventories (communications
equipment, documentation, office equipment,
forms, insurance policies, data centre computer
hardware, office supply, off-site storage location
equipment, telephones, etc.), software and data files
backup/retention schedules, temporary location
specifications, any other such other lists, materials,
inventories and documentation.
• Pre-formatted forms are often used to facilitate the data
gathering process.
 7.Organizing and Documenting a Written Plan
• Next, an outline of the plan’s contents is prepared to guide the
development of the detailed procedures. The Top management then
reviews and approves the proposed plan.
• It is during this phase that the actual written plan is then developed
in its entirety, including all detailed procedures to be used before,
during, and after a disaster.
• The procedures include methods for maintaining and updating the
plan to reflect any significant internal, external or systems changes.
• The procedures allow for a regular review of the plan by key
personnel within the organization.
• The disaster recovery plan is structured using a team approach.
Specific responsibilities are assigned to the appropriate team for
each functional area of the organization. Teams responsible for
administrative functions, logistics, user support, computer backup,
restoration and other important areas in the organization are
identified.
 8. Developing Testing
Criteria and Procedures
• Best practices dictate that DRPs be thoroughly tested and
evaluated on a regular basis (at least annually).
• Thorough DR plans include documentation with the procedures for
testing the plan.
• The tests will provide the organization with the assurance that all
necessary steps are included in the plan. Other reasons for testing
include:
 Determining the feasibility and compatibility of backup facilities and
procedures.
 Identifying areas in the plan that need modification.
 Providing training to team managers and team members.
 Demonstrating the ability of the organization to recover.
 Providing motivation for maintaining and updating the disaster
recovery plan.
 9. Testing the Plan
• After testing procedures have been completed, an initial
"dry run" of the plan is performed by conducting a
structured walk-through test.
• The test will provide additional information regarding any
further steps that may need to be included, changes in
procedures that are not effective, and other appropriate
adjustments. These may not become evident unless an
actual dry-run test is performed.
• The plan is subsequently updated to correct any problems
identified during the test.
• Initially, testing of the plan is done in sections and after
normal business hours to minimize disruptions to the
overall operations of the organization. As the plan is further
polished, future tests occur during normal business hours.
 10. Obtaining Plan Approval

• Once the DRP has been written and tested,

the plan is then submitted to management for
approval.
• It is top management’s ultimate responsibility
that the organization has a documented and
tested plan.
 Common Mistakes Organizations Make
in Coming up with DRPs
• Due to its high cost, disaster recovery plans are
not without critics. Cormac Foster has identified
five "common mistakes" organizations often
make related to disaster recovery planning:
1. Lack of buy-in
2. Incomplete RTOs and RPOs
3. Systems Oversight
4. Lax security
5. Outdated plans
 1. Lack of buy-in
• One factor is the perception by executive
management that DR planning is "just another fake
earthquake drill" or CEOs that fail to make DR
planning and preparation a PRIORITY, are often
significant contributors to the failure of a DR plan.
 2. Incomplete RTOs and RPOs
• Another critical point is failure to include each and
every important business process or a block of data.
• "Every item in your DR plan requires a Recovery Time
Objective (RTO) defining maximum process downtime
or a Recovery Point Objective (RPO) noting an
acceptable restore point.
• Anything less creates ripples that can extend the
disaster's impact." As an example, "payroll, accounting
and the weekly customer newsletter may not be
mission-critical in the first 24 hours, but left alone for
several days, they can become more important than
any of your initial problems."
 3. Systems Oversight
• A third point of failure involves focusing only on DR
without considering the larger business continuity
needs: "Data and systems restoration after a disaster
are essential, BUT every business process in your
organization will need IT support, and that support
requires planning and resources.“
• As an example, corporate office space lost to a disaster
can result in an instant pool of teleworkers which, in
turn, can overload a company's VPN overnight,
overwork the IT support staff at the blink of an eye and
cause serious bottlenecks and monopolies with the
dial-in PBX system.
 4. Lax security
• When there is a disaster, an organization's data and
business processes become vulnerable.
• As such, security can be more important than the raw
speed involved in a disaster recovery plan's RTO.
• The most critical consideration then becomes securing the
new data pipelines: from new VPNs to the connection from
offsite backup services.
• Another security concern includes documenting every step
of the recovery process—something that is especially
important in highly regulated industries, government
agencies, or in disasters requiring post-mortem forensics.
• Locking down or remotely wiping lost handheld devices is
also an area that may require addressing.
 5. Outdated Plans
• Another important aspect that is often overlooked
involves the frequency with which DR Plans are
updated.
• Yearly updates are recommended but some industries
or organizations require more frequent updates
because business processes evolve or because of
quicker data growth.
• To stay relevant, disaster recovery plans should be an
integral part of all business analysis processes, and
should be revisited at every major corporate
acquisition, at every new product launch and at every
new system development milestone.