designing a disaster recovery policy by ian murphy

Designing a Disaster Recovery Policy

byIan Murphy

Scenario

Sitting at your desk when you are called in by your boss and told that the company needs a disaster recovery plan and you have been chosen to write it.

What do you do?

• Don’t Panic

• Ask for a pay rise or promotion

• Start looking for a new job

• Check the location of the nearest off licence

• Get up-to-date photos of your partner, wife, children, dog…

Why?

Disaster recovery planning is complex and crosses all departmental and political boundaries.

If the policy fails, it will be a career ending event.

Where do you start?

• Ensure the disaster recovery plan is fully supported by the board. Without this you will not have the political or financial support you need

• Create a team with multi-discipline skills

• Define Critical Systems

This means look at the entire building, it’s services such as water, electricity, telephony and even the fire system.

What do you do if the security card readers fail?

Most critical problems are caused by little things. Big things are easy to guess and plan for.

• Evaluate the risks to EVERY department.

Do you know what is really critical to your business?

Do you have access to the risk assessment required by the Turnbull Report?

Establish an order of priority for each risk.

Is there a recovery sequence where systems are dependant on other systems?

• What is an acceptable minimal level of functionality?

What do departments need to function?

What does the business need to function?

What redundant systems do you need?

What premises can you use?

What do your insurers mandate?

What does the regulator require?

• Assign Roles to key personnel

Ensure all key personnel are contactable

Do you have valid contact details?

Who are their deputies?

What are their tasks?

Can your develop training programmes?

Is it part of their job requirement or an additional skill?

• DOCUMENT EVERYTHING!

• DOCUMENT EVERYTHING!

• DOCUMENT EVERYTHING!

• DOCUMENT EVERYTHING!

• DOCUMENT EVERYTHING!

• DOCUMENT EVERYTHING!

• DOCUMENT EVERYTHING!

• DOCUMENT EVERYTHING!

• DOCUMENT EVERYTHING!

• DOCUMENT EVERYTHING!

• TEST

Run scheduled tests just like fire alarms

Telecom hotels, hospitals, govt installations even throw the power switch. Could you?

Test each part

Test the whole plan – with minimal warning close the office and move staff to the backup site, even if that is in another town.

• Have no blame post mortems after each exercise.

Blame means people hide things.

Blame prevents learning.

Next time it might be down to you.

Conclusion

• Disaster Recovery means Recovery

• If you don’t plan for it, then it will go wrong

• Everyone must be involved

• THINK

• PLAN

• PRACTICE

• REPEAT