Loss of critical files, network outage, hardware failure… An IT disaster is something that you never want to happen.
However, the risks of an IT disaster can be mitigated with appropriate preparation. Since IT is woven into every business known today, the Disaster Recovery (DR) planning of any business inevitably includes an IT portion that requires particular attention.
So, what do you need to know about Disaster Recovery planning for IT?
1. The purpose of an IT DR plan help the company recover as quickly and effectively as possible from an unforeseen IT disaster or emergency. Such an emergency would interrupt information systems and business operations. The plan should ensure that:
- All employees fully understand their duties in implementing the DR plan. This means that the appropriate portions of the plan should be discussed with employees and tested.
- Proposed contingency arrangements are cost-effective. This is where planning and preparation can really save you lots of money if you encounter an IT disaster.
- Disaster recovery capabilities as applicable to key vendors and service providers. Your disaster recovery is only as good as those you rely on to provide equipment, services, etc.
2. Who should write the DR plan? DR planning for IT requires preliminary study and thorough understanding of the company business model and IT infrastructure. Ideally, the IT DR planning would be done by your own IT department or an IT consultant who has done previous work for you. Having someone who is new to your environment write and test your IT DR plan may drive up your costs, or leave you with a DR plan that is disconnected from reality.
3. What should the DR plan include?
It is easy to get carried away and write a document of such volume that will never be read by anyone (except the author). Needless to say, the size and content of DR documents for SMEs and large enterprises will differ, as the size and complexity of their IT infrastructure is also very different. Here is a brief list of the content sections that SMEs should include in their DR plan.
- A policy statement that establishes the business requirements for the IT DR plan. Typically, a business would have a statement on IT DR requirements in its policies.
- Key personnel and vendors contact information. This information will be priceless if an IT disaster is encountered.
- A clearly defined DR team that outlines responsibilities for each team member, as well as a calling tree so that each team member know who they are responsible to contact and all team members and staff are notified of the incident.
- An overview of the IT infrastructure, including a definition of the critical business process supported by IT, list of systems and their functions, network and system diagrams.
- Backup office locations.
- For each actual disaster event considered in the IT DR plan,
- a description of the event;
- risk-impact analysis, discussing the probability of a particular disaster event versus its potential business impact;
- restoration requirements – this should be determined by upper-level management;
- and restoration procedures.
It is easy to get carried away in defining and describing all possible IT disaster scenarios; this is why good communication with management is important – in order to narrow down the scope of the DR planning to key events with highest business impact or highest probability.
4. What should the IT DR plan NOT include?
The DR plan for IT should not include portions that are covered by the main business disaster recovery plan, which covers all aspects of the business (including insurance, property and personnel management, etc.), not just the IT portion.
5. What parts of the plan should be tested? It really depends on the budget you set aside for DR planning. Ideally, all parts of the plan – from complete loss of the office and emergency relocation, to virus infection, to loss of the phone system. Realistically, SMEs will not have the budget to test their entire DR plan, therefore key events must be pin-pointed and tested. For example, loss of a server, loss of critical files, loss of internet access, call tree simulation.