best practices in disaster recovery planning and testing
DESCRIPTION
Axcient and industry expert Paul Kirvan have put together this presentation on avoiding common disaster recovery mistakes and leveraging industry best practices to create a technology disaster recovery plan that works best for you. This presentation gives you the many elements necessary of a well-executed disaster recovery plan, including: - Guidelines for creating your own Disaster Recovery plan - A checklist of key items to consider based on your business objectives - The common mistakes and pitfalls to avoid - Technology considerations for Disaster Recovery - Tips for planning and executing a successful Disaster Recovery test Whether you're in the process of creating a disaster recovery plan or you already have one in place, this presentation will guide you through the steps you need to follow to help ensure your plan is complete.TRANSCRIPT
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Best Practices in
DR Planning and Testing
Paul F Kirvan, CISA, FBCI Independent BC/DR Consultant
Member of the Board and Secretary
The Business Continuity Institute USA Chapter
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Agenda
1. Introduction
2. Plan Components
3. Mistakes and Pitfalls to Avoid
4. DR Technology Options
5. Tips for Planning DR Tests
6. Summary
7. Q&A
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Why is DR Important?
• Accepted way to ensure that critical data, IT systems and
networks can be recovered in an emergency
• Ensures that corporate business objectives can be
achieved, despite a disruption
• Increasingly accepted by management as a strategy for
keeping the business operational
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Quick Poll
Do you currently have a Disaster Recovery plan in place?
a. Yes, I have a comprehensive DR plan at my company
b. Yes, but needs more work
c. No, but would like to get one ready
d. No, and have no plans to create one
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Quick Poll
Do you currently have a Disaster Recovery plan in place?
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
What Do You Need?
A good disaster recovery plan needs:
• Support from senior management
• Funding approved by management
• Structured plan framework
• Access to qualified staff
• Access to relevant information
• Documentation and testing
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
What’s Your Goal with the Plan?
Build disaster recovery plans and associated
documentation based on a structured framework that is
consistent with good practices and standards.
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
DR Plan Activities
• Data gathering, interviews, analysis
• DR standards and good practice, emergency response
procedures, data backup and recovery procedures,
system recovery and restart processes, plan templates
• Tests to ensure that plan procedures and processes work
as designed
• Maintenance activities to keep plans up to date and
accurate
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Standards and Good Practice
• Standards – NFPA 1600:2010; ISO 24762:2008; ISO
27031:2011; NIST 800-34
• Regulations – NASD 2510/3520; NYSE 446
• Good Practice – BCI Good Practice Guidelines, FFIEC
Handbook
• Corporate DR policies
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
What You Need to Identify
• DR objectives of the systems, networks or other IT assets
(e.g., uninterrupted operation, max downtime 4.0 hrs)
• Risks and/or threats to the achievement of the DR
objectives
• Define and document the processes and procedures
needed to recover and reactivate the IT assets
• Identify preventive measures to mitigate DR risks to an
acceptable level
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Plan Components
The following pages list the typical components found in an IT
disaster recovery plan. There may be some variations based on
your organization’s requirements, but generally the following items
should be included.
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Plan Components
A good DR plan usually includes the following
components: • Company DR policies
• DR plan documents
• Business impact analysis reports
• Risk assessment reports
• Exercise results
• IT DR procedures (in the plan)
• Supporting documents (e.g., data backup process, off-site storage
process, vendor contracts, diagrams, maintenance contracts, training
plans)
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Plan Components
If there’s an existing plan, use it as a starting point
Define plan scope, purpose, authority
Define a policy statement
Define management approval and funding
Identify planning and response teams
Identify critical IT resources
Identify risks and their impact on IT assets
Determine recovery time objectives (RTOs)
Determine recovery point objectives (RPOs)
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Plan Components
Preventive controls (e.g., backup power)
Response and recovery strategies
Data backup and recovery methods, compared to existing data
storage and retrieval procedures
Potential use of alternate IT sites, e.g., a backup data center,
collocated data center, the cloud
Potential use of hot sites, cold sites
Potential use of alternate work (e.g., office) sites, and the technology
needs for those sites
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Plan Components
Process for equipment replacement
Process for obtaining spare parts
Staff roles and responsibilities in a disaster
Event notification procedures
Damage assessment procedures
Process and criteria for plan activation
Identify who is authorized to declare a disaster
Recovery / failover procedures
System restart / failback procedures
Resumption of business procedures
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Plan Components
Step-by-step procedures for recovery of
IT operations
Desktop systems
Data
Hardware
Operating systems
Applications
Databases
LANs and WANs
Voice and VoIP systems
Servers
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Step-by-step procedures for recovery of
Web sites
Mainframes
Distributed systems
Wireless technology
Specialized systems
Information security
User access
Physical security
Vital records
Plan Components
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Plan Components
Step-by-step procedures for
Alerting first responder organizations
Alerting family members
Alerting primary/alternate vendors
Alerting staff, senior management
Alerting clients, stakeholders
Escalating recovery efforts
Help desk support
Using call trees
Activating automated notification systems
Activating conference bridges
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Plan Components
Links to emergency management and incident response plans,
business continuity plans
Process for exercising DR plans
Process for creating a DR awareness program
Process for DR team training
Process for DR training of employees
Process for communicating with the media
Designated company spokesperson
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
The next set of slides provides a sample DR plan
outline. While most plans will be different, this outline
includes the most common plan components and is
consistent with standards and good practice.
Plan Components
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Plan Components
DR Plan Outline - 1
• Revision History
• Table of Contents
• Emergency Response Actions
‐ Assembly Points
‐ Emergency Call-in Number
‐ Key Personnel Contact Info
‐ Notification Calling Tree
‐ External Contacts
‐ External Contacts Calling Tree
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Plan Components
DR Plan Outline - 2
• Policy Statement
• Objectives
• Plan Overview
• Plan Updating
• Plan Documentation Storage
• Backup Strategies
• Emergency Response
‐ Plan Triggering Events
‐ Assembly Points
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Plan Components
DR Plan Outline - 3
• Activation of Emergency Management Team
• Technology Services Team
• Emergency Alert, Escalation and DRP Activation
• DR Procedures and Actions
‐ Contact with Employees
‐ Backup Staff
‐ Recorded Messages / Updates
‐ Alternate Recovery Facilities / Hot Site
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Plan Components
DR Plan Outline - 4
• Personnel and Family Notification
• Communications with Media, Key Stakeholders
• Media and Key Stakeholders Contact
• Media and Key Stakeholders Team
• Rules for Dealing with Media, Key Stakeholders
• Insurance Requirements
• Financial and Legal Issues
‐ Financial Assessment
‐ Financial Requirements
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Plan Components
DR Plan Outline - 5
• Legal Actions
• DR Plan Exercising
• Appendix A – Technology DR Plans
‐ Production Environment
‐ Private Cloud Environment
‐ Internal IT Environment at HQ
‐ Local Area Network (LAN)
‐ Voice over IP (VoIP) System
‐ Remote Connectivity / VPN
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Plan Components
DR Plan Outline - 6
• Appendix B – Forms and Reports
‐ Management of DR Activities Forms
‐ Communications and Reporting Form
‐ Disaster Recovery Incident Recording Form
‐ Disaster Recovery Activity Report Form
‐ Mobilizing the Disaster Recovery Team Form
‐ Mobilizing the Business Recovery Team Form
‐ Monitoring Business Recovery Progress Form
‐ Business Process/Function Recovery Form
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Mistakes and Pitfalls to Avoid (the not-so-obvious things)
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Mistakes and Pitfalls to Avoid
Failure to obtain senior management support
No budget (i.e., no plan)
Lack of upfront research (e.g., risks, RTO/RPO)
Lack of documentation (e.g., assume native knowledge will be
available)
No step-by-step procedures (assume you know what to do first,
second, who to call, etc.)
No plan testing (e.g., rolling the dice)
No regular plan reviews and updates
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Mistakes and Pitfalls to Avoid
No DR team training (nobody knows what to do)
Assume that IT staff knows what to do
Assume that IT staff will be available in an emergency
Assume that backup and recovery procedures will work when needed
Assume that systems and networks will work properly when in backup
or recovery mode
Assume that backed-up data will be available when needed
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
DR Technology Options
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Quick Poll
What technologies are you currently using for Disaster Recovery?
a. Local backup to disk or tape
b. Cloud backup
c. Server replication (either locally or to off-site facility)
d. Hybrid technology with local and cloud protection
e. Collocation of data center
f. Other
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Quick Poll
What technologies are you currently using for Disaster Recovery?
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
DR Technology Options
Data backup and recovery to an alternate site, e.g., backup data
center
Application backup and recovery to an alternate site, e.g., backup
data center
Off-site data storage using a third-party firm
Redundant components, e.g., servers, storage devices, network
components
Diversely run networks, e.g., alternate service using a different carrier
and different paths
System failover / failback technologies to rapidly recover and restart
disrupted systems
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Current Process New Cloud Options
Application backup and recovery to an alternate site or data center
Application backup and recovery to the cloud
File/data/database backup and recovery to an alternate site / data center
File/data/database backup and recovery to the cloud
Server backup and recovery via failover to an alternate site / data center
Server backup and recovery via failover to the cloud
Cloud-based solutions have become very popular as
primary and alternate backup and recovery strategies.
DR Technology Options
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Current Process New Cloud Options
Recover the minimum configuration of servers, applications, network resources if it’s necessary to relocate to an alternate office site
“Office virtualization”, which has server failover, access to IP addresses and Active Directory in the cloud; this means rapid office recovery and minimum downtime
Conduct DR plan tests using a local, on-site environment or alternate backup data center resource
Streamline DR tests using a cloud-based and automated DR testing environment
Traditional DR activities can be automated and streamlined
to encourage more testing and reduce risks from disruptions.
DR Technology Options
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Tips for Planning DR Tests
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Quick Poll
How often do you test your DR plan and/or the ability to recover from a
disaster?
a. I don’t test
b. Once a year
c. Two to four times a year
d. Every month
e. Not as often as I should
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Quick Poll
How often do you test your DR plan and/or the ability to recover from a
disaster?
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Tips for Planning DR Tests
1. Decide what you want to test, e.g., data recovery, system failover to
a backup site
2. Determine if production systems will be negatively affected during
the test
3. Conduct the test in a non-production environment, e.g., R&D
4. Select test participants and alternates
5. Document step-by-step procedures for performing the test
6. Secure a conference room or suitably equipped work area for the
test
7. Schedule the test so as not to interfere with production activities
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Tips for Planning DR Tests
8. Notify all IT teams and groups of the test at least two weeks in
advance
9. Include a scribe / timekeeper
10. (If possible) Conduct a dry run to validate that the test procedures
will/should work
11. Complete the test, keeping notes of all actions performed, time
needed for each activity
12. Prepare an after-action report summarizing what worked, what didn’t
work and lessons learned
13. Update the DR plan based on test results
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
Summary
Develop and document a plan .. follow it
Senior management supports the plan
Policies, procedures, metrics
Document, document, document
Test, test, test
Maintenance and regular review
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
About Axcient Leader in Recovery-as-a-Service
One SaaS Platform
Backup Disaster
Recovery
Business
Continuity WAN
Optimization Dedupe
vs.
Rapid Recovery Physical & Virtual Application
Continuity
Cloud
Virtualization
True Cloud
Platform
CONFIDENTIAL – DO NOT DISTRIBUTE. Copyright © 2014 Axcient, Inc. All Rights Reserved.
For more information, visit axcient.com or call 800 715.2339
@Axcient linkedin.com/company/axcient axcient.com/facebook
Paul Kirvan, CISA, FBCI
Phone (908) 902-2586
Email [email protected]