– Mark Buchanan, director of information security at Savvis (www.savvis.com), says:
Managing access rights in a disaster recovery situation.
Ensure that the common disasters are planned and tested. Ensure systems are redundant from a data center perspective, capacity is appropriate for HVAC, power, staffing and telecommunications are redundant. From a system level, ensure that a plan is in place to bring up the most critical systems first. The system plan needs to be documented and updated and the team supporting those systems needs to review them on a regular basis. From a user perspective, communications to the users about how to access key systems needs to be decided on with communications plans for who will instruct the users about any changes to processes or system usage. The more of these items that can be automated, the better. It is important, however, to ensure that testing of the automation is on the list of items to test during exercising the disaster recovery plans.
Draft a plan.
Remember that having a plan is better than not having a plan. Exercise the plan. Gather executives or key people together and talk through exactly what the disaster involves and have them talk through the incident and ensure that there is consensus on how well each of the elements could perform. When exercising, rely on the documentation over the people in the room. While we hope no individual is harmed during a disaster, this isn’t a realistic situation if it’s not written down. During the exercise, you need someone to transcribe the events. This provides a list of the gaps that will need to be addressed and provide lessons learned which can be used for the next exercise.
Before Getting Started
You have to know what’s important to your business. Business Impact Assessments (BIAs) need to be performed with Risk Assessments (RAs) providing the information to help plan the way forward with the building and implementing of a sustainable disaster recovery plan. Once the BIAs and RAs are completed, you need to identify whether your gaps are technological, procedural, personnel or some other gap. A priority on fixing those gaps needs to be assessed and then driven forward within the organization.
There is a need for a documentation repository to store the plans in a central location that can be tracked and updated on a regular basis. While it is common desire for each team to maintain their specific plans, should a disaster occur and affect that team, there is a possibility that business knowledge could be lost or need to be recreated. The disaster recovery program will need to be endorsed within the company to ensure the employees understand the level of importance.
While there are numerous tools that can be used to assist in managing disaster recovery within a company, investing in the human capital to do the analysis can be the largest draw. This can be done with the assistance of consultants who understand the right questions to ask to ensure that a quality analysis is performed and that the gaps are documented for remediation. As an example, and going to the far end of the spectrum, if paper clips are, for some reason, integral to the operation of your business, and paper clips were unavailable, what is your fallback plan? This is the same that goes with your employees’ computers, financial systems, database systems and onto the kiosks, phones or other mechanisms used to communicate with your customers along with the facilities that your employees utilize. What the analysis needs and should show is that critical items needed to perform some identified level of business and include the plans that employees can use should a disaster disable systems, facilities or, unfortunately, people’s ability to assist with certain processes.
The benefit will be a clear picture of the critical areas within the business and a plan on how to overcome them, should the worst-case scenario occur to a business. The pitfalls can be over-thinking the analysis and trying to solve for every disaster. If you keep the core portions of your business in sight and use general disaster concepts – such as loss of facility, loss of functionality or loss of personnel – you can get yourself off to a good start. Practicing the disaster recovery items will help to identify new gaps and will keep the plans fresh in the minds of your team members.