Post on 19-Jan-2017
How to write an IT Disaster Recovery plan
www.databarracks.com
DISCLAIMER
These are universal principles, but every plan is unique
IT DR PLAN VS BUSINESS CONTINUITY PLAN
Policy
Management
IT Infrastructure
BCP
IT Disaster Recovery
IT DR PLAN VS BUSINESS CONTINUITY PLAN
Business Continuity Planning
IT Disaster Recovery
Business Continuity Planning
IT Disaster Recovery
HOW TO WRITE AN IT DR PLAN
Select the teams and determine responsibility
1. Risk identification
• Risk register and Matrix
2. Assess vulnerability to those risks
• Business Impact Analysis (BIA)
3. Determine impact on the business
• Business Impact Analysis (BIA)
4. Identify critical business functions / IT services
• Service catalogues and technology dependency mapping
5. Design & implement mitigation strategies
• Putting the capability in place
6. Agree activation plans
• Writing the runbook
7. Testing
• Agree testing, documentation and KPIs
8. Ongoing changes and maintenance
• Keeping the DR plan up to date
SELECTING THE TEAM
1. RISK IDENTIFICATION
2. ASSESS VULNERABILITY
3. DETERMINE IMPACT
Risk assessment & Business Impact Analysis (BIA)
4. IDENTIFY CRITICAL BUSINESS FUNCTIONS & IT SERVICES
• Think services not IT assets
Defining your recovery objectives
5. DESIGN AND IMPLEMENT MITIGATION STRATEGIES
• People
• Facilities
• Suppliers
• Replication and backup
Think beyond technology
6. AGREE ACTIVATION PLANS
Writing the runbook
6. AGREE ACTIVATION PLANS
• To fail over, or not to fail over?
• When should you ‘invoke’ or move from Incident Response Team to Crisis Management Team?
Writing the runbook
6. AGREE ACTIVATION PLANS
[Call-tree diagram: each entry is a Name (contact number)]
Communication - call-trees, contact card, mass notifications
6. AGREE ACTIVATION PLANS
• Make these plans specific enough that they can be followed but general enough to cover different incidents
Example incidents:
• IT failure
• Power failure
• Cyber incident
Plan for the incidents you have identified
7. TESTING
• IT failure – SAN failure
• Power failure – Kingsway fire
• Cyber incident – You’ve been hacked
Example disasters
7. TESTING
Have you tested?
Was it successful?
Did it meet your recovery objectives?
KPIs and Metrics
8. ONGOING CHANGES & MAINTENANCE
IF YOU REMEMBER NOTHING ELSE!
1. Know who is responsible and in charge
2. Have a plan of how to communicate (staff, customers and suppliers)
3. Write the plan (or update the plan)
RESOURCES
• Business Continuity Institute – http://www.thebci.org/
• World Economic Forum Global Risk Report – http://www.weforum.org/reports/global-risks-report-2015
• London Risk Register – http://www.london.gov.uk/mayor-assembly/mayor/london-resilience/risks
• Cross-sector Safety and Security Communication – http://www.vocal.co.uk/cssc/
• Environment Agency – flood warnings – http://apps.environment-agency.gov.uk/flood/31618.aspx
• Business continuity management systems -- Guidelines for business impact analysis (BIA) – http://www.iso.org/iso/catalogue_detail.htm?csnumber=50054
Questions?