In this e-guide:

But even the most diligently prepared disaster recovery plan should be subject to review from time to time to ensure it delivers the expected results.

In this guide, we take a look at the steps enterprises can and should take to ensure, should their infrastructure fail, they can continue to trade and operate, and why it pays to regularly test the robustness of their disaster recovery processes.

Caroline Donnelly, Datacentre Editor

Disaster recovery and business continuity

Disaster recovery risk assessment and business impact analysis (BIA) are crucial steps in the development of a disaster recovery plan. But, before we look at them in detail, we need to locate disaster recovery risk assessment and business impact assessment in the overall planning process.

To do that, let us remind ourselves of the overall goals of disaster recovery planning, which are to provide strategies and procedures that can help return IT operations to an acceptable level of performance as quickly as possible following a disruptive event. The speed at which IT assets can be returned to normal or near-normal performance will impact how quickly the organisation can return to business as usual or an acceptable interim state of operations.

Having established our mission, and assuming we have management approval and funding for a disaster recovery initiative, we can establish a project plan.

A disaster recovery project has a fairly consistent structure, which makes it easy to organise and conduct plan development activity.

Adapted with permission from the BCM Lifecycle developed by the Business Continuity Institute.

As you can see from The IT Disaster Recovery Lifecycle illustration, the IT disaster recovery process has a standard process flow. In this, the BIA is typically conducted before risk assessment. The BIA identifies the most important business functions and the IT systems and assets that support them. Next, the risk assessment examines the internal and external threats and vulnerabilities that could negatively impact IT assets.

Following the BIA and risk assessment, the next steps are to define, build and test detailed disaster recovery plans that can be invoked in case
s critical IT assets. Such plans provide a step-by-step process for responding to a disruptive event with steps designed to provide an easy-to-use and repeatable process for recovering damaged IT assets to normal operation as quickly as possible.

Detailed response planning and the other key parts of disaster recovery planning, such as plan maintenance, are, however, outside the scope of this article so let us get back to looking at disaster recovery risk assessment and business impact assessment in detail.

Disaster recovery risk assessment

Risk assessments focus on the risks that can lead to these outcomes. Peter Barnes, FBCI, managing director of London-based 2C Consulting said,
the impact on

Based on experience and available statistics, you can estimate the likelihood of specific events occurring on a scale of 0 to 1 (0.0 = will never occur, and 1.0 = will always occur). You can do the same with the impact of the event, using a 0 to 1 range (0.0 = no impact at all, and 1.0 = total loss of operations). The final column lists the product of likelihood x impact, and this becomes your risk factor. Those events with the highest risk factor are the ones your disaster recovery plan should primarily aim to address.

Another way to capture and display risk information is with a risk matrix. Entries in each part of the above table can be plotted on a four-quadrant matrix, as shown here.
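
The scoring described above, as an added example that is not part of the original guide: each event gets a risk factor of likelihood x impact, events are ranked by it, and each is also placed in a four-quadrant matrix. The event scores are constructed sample values and the 0.5 quadrant boundary is an assumption, since the guide's own table and matrix did not survive on this page.

```python
from dataclasses import dataclass

# Assumption: the guide does not say where the quadrant boundaries fall,
# so the midpoint of the 0-to-1 scale is used.
QUADRANT_THRESHOLD = 0.5


@dataclass(frozen=True)
class RiskEvent:
    name: str
    likelihood: float  # 0.0 = will never occur, 1.0 = will always occur
    impact: float      # 0.0 = no impact at all, 1.0 = total loss of operations

    def __post_init__(self):
        # Reject scores outside the guide's 0-to-1 scale instead of ranking them.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: {label} {value} is outside 0 to 1")

    @property
    def risk_factor(self) -> float:
        # Product of likelihood x impact, rounded to hide float noise (0.4 * 0.7).
        return round(self.likelihood * self.impact, 4)

    @property
    def quadrant(self) -> str:
        likelihood = "high" if self.likelihood >= QUADRANT_THRESHOLD else "low"
        impact = "high" if self.impact >= QUADRANT_THRESHOLD else "low"
        return f"{likelihood} likelihood / {impact} impact"


def rank_by_risk_factor(events):
    """Highest risk factor first: the order the DR plan should address them."""
    return sorted(events, key=lambda e: e.risk_factor, reverse=True)


def high_impact_outside_top(events, top_n):
    """High-impact events that the product ranking leaves outside the top_n.

    These are what the matrix view surfaces and the single risk-factor
    column hides: rare events that would still cause a major loss.
    """
    ranked = rank_by_risk_factor(events)
    return [e for e in ranked[top_n:] if e.impact >= QUADRANT_THRESHOLD]


# Constructed sample register; the scores are illustrative, not from the guide.
SAMPLE_REGISTER = [
    RiskEvent("Water damage", 0.1, 0.9),
    RiskEvent("Hardware failure (server or SAN)", 0.6, 0.5),
    RiskEvent("Loss of key IT staff", 0.2, 0.3),
    RiskEvent("Power outage", 0.4, 0.7),
    RiskEvent("Database corruption", 0.3, 0.6),
    RiskEvent("Connectivity loss", 0.5, 0.4),
]

if __name__ == "__main__":
    for event in rank_by_risk_factor(SAMPLE_REGISTER):
        print(f"{event.risk_factor:.2f}  {event.quadrant:<30}  {event.name}")
    print("High impact but outside the top 3:",
          [e.name for e in high_impact_outside_top(SAMPLE_REGISTER, 3)])
```

With these sample scores, water damage ranks near the bottom by risk factor yet sits in the low likelihood / high impact quadrant, which is the case the matrix view makes visible.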

showed hardware failure (server and SAN), connectivity loss and database corruption (in that order) as the main causes of downtime. A 2010 SunGard report said the most common cause of UK invocations was hardware, followed by power and

Water damage is a key risk to organisations in the UK, and sometimes the

Risks can affect the entire company or just small parts of it. Operational and financial losses may be significant, and the impact of these events could

protection, the amount to which the business can tolerate disruptions and the minimum IT service levels needed by the business.

to define the

the tolerances to an outage for critical applications or infrastructure

and reduce the risk of service loss, such that you can provide service to the business in an acceptable timeframe.

What are some steps companies can do to mitigate downtime resulting from a lack of trained IT staff in the aftermath of a disaster? Obviously, one answer is "Train additional IT staff members to perform IT tasks," but how realistic is that? And what if those staffers are unable to respond following a disaster as well?

Business continuity plans and disaster recovery training plans should examine the staffing issue initially as part of the business impact analysis (BIA) and risk assessment (RA) phases. These initiatives should identify staffing issues that need to be addressed. From a budget perspective, adding staff may not be an option. If that's the case, cross-training of existing IT staff is highly recommended, as is rotating the alternate staff in and out of production assignments, if possible, to ensure their skills are current.

If your organization has only one data center and your budget cannot underwrite a second data center, consider one of the many hosted data center options currently available. These can be found under such headings

If your recovery time objectives (RTOs) are aggressive, it may be necessary to arrange for data backup and recovery services, in addition to other managed IT services, to ensure that interruptions to your production systems will be minimal. Of course, if your organization has more than one data center, and if the data centers are sufficiently distant from each other (e.g., at least 20-30 miles), you could replicate data from one data center to the other and mitigate the impact of a staffing loss by spreading your IT staff across sites and ensuring there is plenty of cross-training of all employees.

Indeed, no one does change management for the hell of it. IT organizations follow established practices and procedures in the hopes of minimizing outages and maximizing service levels (the metric by which many of them are judged). But while we all want more uptime and the better outcomes that change management promises, the number of organizations that have effective processes in place is small.

Among the problems that organizations have cited are high costs for software and consulting, difficulty in populating the database, intergroup politics, and inflated expectations about CMDB capabilities.

"There are 5% of organizations that are so complex that they need a CMDB -- and have the resources to actually do it," he said. But for the remaining 95%, implementing such a project is rarely worth the cost, time or effort, England said.

"The main reason you would do a CMDB project is for impact assessment," England noted. "If people can answer questions about the impact of a change fast enough, then you don't need to invest in a CMDB."

For that 5% of shops that have paid their dues implementing a CMDB, however, it can be a beautiful thing.

Once you have drawn up a detailed disaster recovery plan, the next stages in the project are twofold: to prepare and deliver disaster recovery awareness and training programmes so all employees are prepared to respond as required by the plan in an emergency, and to carry out disaster recovery testing to ensure the plan works properly and that DR teams know their roles and responsibilities.

ISO/IEC 27031:2010, Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity

This is the global standard for IT disaster recovery as it applies to end users. Another ISO standard, ISO/IEC 24762, addresses Information and communications technology disaster recovery from a service provider perspective. Both these standards can help you develop and implement ICT disaster recovery programmes.

implemented to ensure that processes are in place to regularly promote ICT DR awareness in general, as well as assess and enhance competency of all relevant personnel key to the successful implementation of ICT DR

Be sure that any awareness activities are approved by management and HR, as well as your own IT management. Your messages should be informative

instances, the whole set of IRBC [ICT readiness for business continuity] elements and processes, including ICT recovery, cannot be proven in one

relocation of staff to an alternate site), and the business. For each of these factors, critical information will be identified in the business impact analysis, or BIA.

Types of tests

ISO 27031 makes some key points with regard to disaster recovery testing:

should not expose the organisation to an unacceptable level of risk. The test and exercise programme should define how the risk of individual exercise is addressed. Top-management sign-off on the programme should be obtained and a clear explanation of the ass

wider business continuity management scope and objectives and complementary to the organisation's broader exercise programme. Each test and exercise should have both business objectives (even where there is no business involvement) and defined technical objectives to test or validate

critical systems from this kind of test could result in a serious disruption to the organisation.

Tests have several key goals, as stated in ISO 27031:

- Build confidence throughout the organisation that resilience and recovery strategies will satisfy the business requirements.
- Demonstrate that critical ICT services can be maintained and recovered within agreed service levels or recovery objectives regardless of the incident.
- Demonstrate that critical ICT services can be restored to pre-test state in the event of an incident at the recovery location.
- Provide staff members with an opportunity to familiarise themselves with the recovery process.
- Train staff and ensure they have adequate knowledge of ICT DR plans and procedures.
- Verify that ICT DR plans are synchronised with the ICT infrastructures and business environment.
- Identify opportunities for improving ICT DR strategies or recovery processes.
- Provide audit evidence and demonstrate the organisation's ICT service competence.

Developing disaster recovery testing plans

IT disaster recovery testing plans provide a step-by-step process for:

Setting the stage of the exercise by defining the test scope

Next activities

Once your DR plans have been tested and your awareness and training plans have been initiated, the next steps are to initiate a maintenance programme and initiate an audit and review programme. The first ensures all the previous DR activities we have been discussing are scheduled for annual or semiannual review, testing and updating. The second ensures that all DR programme activities are aligned with established policies and operational controls. Another part of the audit process is to establish a process of continuous improvement. This ensures that DR programmes remain aligned to the business as well as international standards and good DR practice.

In both cases, the business continuity staff examined key operations within the company in detail. A business impact analysis (BIA) is typically used to gather information. Data from a BIA and risk assessment (RA) should identify what could happen if there was a disruption to the supply chain, technology or other important business function. Analysis of other companies' experiences can shed light on possible outcomes of a supply chain and/or technology failure and will also identify strategies to prevent these disasters from occurring.

By analyzing all elements in a supply chain, for example, and asking pointed questions regarding the impact of a supply chain disruption, business continuity analysts can pinpoint areas of greatest risk to a supply chain and thereby also identify strategies to prevent disruptions and mitigate the severity of disruptions that may occur. The same can be true of critical technology operations.

Performance evaluation of BC/DR programs should be an ongoing activity. An organization's BC staff should regularly examine all aspects of company business operations, identify internal/external risks to those operations and then identify potential solutions to address those risks. Outcomes may come in the form of modifications to BC plan procedures, updates to BC policies, revisions to IT infrastructure operations, changes to training programs and revisions to plan exercises.

It's been said time and again that business continuity and disaster recovery plans are living documents. They reflect current business operations and requirements, and as such must be fluid enough to adapt quickly and dynamically reflect changes in those operational attributes. A key part of the performance evaluation process is that it is an ongoing activity. It's not something that occurs annually or on an ad hoc basis.

-sharing solutions people were finding for themselves were hosted all over the world with no guarantee about the security measures in

Any file-sharing platform the council decided to use would need to let employees share documents with external third-parties without them requiring an account, he adds.

Objective Connect, with the service allowing team members to share important documents, often at short notice, for use in court cases.

hour to share
th
sensitive and important case material with a barrister who might be going to court that afternoon. So it is essential for them to set up access for external

time, and most of those files were 20MB to 30MB apiece, with photos in them as well. It quickly became a huge beast of data we were moving

the asset and the cost, requiring input from external contractors and civil engineers.

what resources and when, because you get updates when the other party

that information onto design so they can come up with solutions, and that

Meanwhile, the list of assets his team needs to keep a watchful eye on continues to grow, as a result of subsequent weather events causing fresh damage.

-survey some of the bridges because of high

Maxwell says setting up a Sharepoint site for Sheard and his team would have bee

Onwards and upwards

While Objective Connect has proved a sound investment, Maxwell admits the council has taken a tentative approach to adopting cloud technologies, because of concerns about the maturity and reliability of off-premise technologies.

-premise

felt the cloud market is mat