Disasters seem to occur more frequently than ever — cybercrime, fires, earthquakes, floods. Planning for disaster scenarios has become a fixture in all aspects of business and nowhere is it more important than in an organization’s IT strategy and system resiliency.
A well-executed disaster recovery plan can be the difference between a business recovering from a disaster and closing its doors. Properly executed, a disaster plan enables a business to continue to serve its customers, produce its products and meet its business commitments to the greatest extent possible, as quickly as possible, following disaster events.
Ideally, preparing for a disaster begins with the design of the IT system. In this scenario, disaster recovery is part of the business’s overall IT strategy and system resiliency is engineered in from the beginning. Each service critical to the operation of the business, such as email, file storage, e-commerce sites and business applications, is identified. Multiple ways to assure continued access or prompt return to service are built in.
Conducting a risk assessment is a good first step to evaluate the current state of the organization’s disaster preparedness. It should identify:
• Business services critical to the company’s operation and the timeframe in which disruption of service would cause damage to the business.
• How the services are delivered to the business — secondary or tertiary means of obtaining the service if the primary delivery mechanism is compromised.
• Recovery time objectives for all IT services.
• Perceived risk of damage to the organization — monetary, business reputation and market share — should services become unavailable.
• Regulatory and compliance guidelines, if any, that could be impacted.
The results of the assessment provide a business framework for decision making and options for improvements to disaster planning. This assessment will allow you to balance budget realities against quantified risks.
As with most IT solutions, there are good, better and best solutions for dealing with disasters. A well-done assessment will help in identifying appropriate trade-offs, balancing potential business impacts, business liability and budgetary realities. Being unable to move immediately to the “best” disaster recovery options should not deter an organization from making improvements.
Recommended practice would include:
• Backup of data and system configurations. Backups permit restoration of data should a facility or IT equipment be destroyed, fail, or become compromised. Routinely scheduled backups, monitored for completeness, need to be performed at intervals appropriate to the business, but not less frequently than daily.
Backups should be “off-sited” to a secondary location, ideally geographically distant from the business location, i.e., outside of an earthquake zone. This is a “must have” to assure business continuity.
(Backups must be tested by periodic restoration testing. A backup is only as good as the results of the last successful restore.)
• Imaged systems. Entire servers are imaged and these digital images are sent to offsite repositories. Restoring an imaged system takes considerably less time than rebuilding hardware and restoring data files.
• IT recovery sites are identified and engaged. In accordance with the business’s return-to-service objectives, these sites will contain IT resources configured and ready to be put into production should the need arise. These locations can provide fully redundant systems where data is replicated on an ongoing basis, or may simply offer hardware resources onto which applications and data can be restored.
Soni Lampert is the principal and CEO of KLH Consulting Inc. in Santa Rosa.
KLH is an underwriter of North Bay Business Journal's Protecting Your Business Cybersecurity Conference (nbbj.news/security18) in Santa Rosa on Sept. 28.