Creating an IT Disaster Recovery Plan. Disaster Recovery vs Business Continuity Events Plan...

Post on 24-Dec-2015



Creating an IT Disaster Recovery Plan

Disaster Recovery vs Business Continuity

Events

Plan Development
– Determining which services (thus servers)
– DR Plan design parameters
– Select a Strategy
– Test

Questions/discussion

A web-based aid for planning

THEY ARE NOT EQUIVALENT!

Disaster Recovery Plan

Vs

Business Continuity Plan

IT Disaster Recovery Plan is just a part of a Business Continuity Plan

Credit:

www.theiia.org/technology

Events Causing Disruptions

• Natural
– Hurricane
– Flood
– Tornadoes
– Earthquakes
– Fire

• Man-made
– Power outage
– Cooling outage
– Network outage
– Chemical spills
– Civil unrest
– Disgruntled person
– Water main break
– Computer viruses
– Fire

Funnel Cloud in downtown Baton Rouge, September 18, 2009

There is no magic bullet!

But there are some guiding parameters to help you develop an adequate plan.

1. Identify which servers
2. Determine values for two critical design parameters: RTO and RPO
3. Decide on a strategy
4. TEST IT

1. Determine which servers

Identify department’s business functions, lines of service

External and Internal

Determine which ones are “critical”

1. Determine which servers (cont)

What application programs managed by your department support those critical lines of business

Which server(s) support those application programs

1. Determine which servers (cont)

Now you have identified which servers must have a DR Plan.

Servers and applications not supporting any critical business functions don’t need a DR Plan.

Note: Office space, classroom space, buildings, etc., that are used for critical business functions are covered by the Business Continuity Plan, not the IT Disaster Recovery Plan.

2. Disaster Recovery Design Parameters

• Dependent on the requirements of the business function(s)

• Two categories:
– How quickly the service must be restored (RTO)
– How current the restored data must be (RPO)

Examples:

If the Payroll function must be up within 2 days, the DR Plan's recovery time must be less than or equal to that. (RTO)

Student course enrollment data must be data from current semester. (RPO)

2. Disaster Recovery Design Parameters

RTO: Recovery Time Objective

How quickly must the service be restored?

(How long can the business function be without the service?)

2. Disaster Recovery Design Parameters

RPO: Recovery Point Objective

How old can the backups used to restore the system be?

(How many updates, those entered since the backups were taken, can be lost/discarded/recreated?)


3. Decide on a strategy

• Frequency of backups
• Location of backups
• Contract for hot site
• Contract for quick ship
• Mirrored site
• Mutual assistance agreement
• (Hope Santa brings a server)

Plans can address multiple threats
• An “all hazards” plan

Store your backups outside of the “blast” zone, and your plan, too!

Write your plan as a recipe for someone else (hired gun) to execute

4. TEST IT

You must test your plan
• Document your test results
• Improve upon your plan
• Repeat!

Remember, users are waiting!

The Institute of Internal Auditors
http://www.theiia.org/guidance/technology/
Click on “Global Technology Audit Guide”, then “Business Continuity Management”

FEMA
http://www.fema.gov/business/bc.shtm

Disaster Recovery Journal
http://drj.com
http://www.drj.com/index.php?option=com_content&task=view&id=761&Itemid=454
http://www.drj.com/index.php?option=com_content&task=view&id=753&Itemid=449

North Carolina State University
http://www.ncsu.edu/ehs/BCP/index.php
http://www.ncsu.edu/ehs/BCP/planning_templates/ingredients_plan.php

Continuity Central
http://www.continuitycentral.com/bcpd.htm

LSU
http://lsucpt.lsu.edu