Disaster Recovery Plan (DRP)

SuperClass
 (Not rated)
 (Not rated)
Chat
Home>Homework Answsers>Business & Finance homework help>Accounting homework help

 

Abstract

Business continuity and disaster recovery is an ever-present, growing concern for many organizations and businesses alike. Although some organizations would like to think that they are immune to the threat of emergencies and disasters, whether it be human-made, natural, intentional, or accidental, the truth is no organization is immune, as they can occur in any organization. Organizations must learn how to protect themselves and mitigate the adverse effects of emergencies and disasters. A disaster recovery plan is one of the most important strategies to prepare and protect an organization from disasters and emergencies. This paper discusses the need for a disaster recovery plan and the procedures to include in a typical plan.


 

Disaster Recovery Planning

As organizations rely more on technology and electronic data for their daily business operations, the occurrences of disasters and the amount of data and information technology hardware, software, and equipment lost to disasters appear to be increasing. Organizations are estimated to lose revenue and incur expenses every year due to disasters, unpreparedness, and lost productivity. Costs associated with disasters and being unprepared for such can be detrimental to an organization. The increased occurrence, costs, and impact of disasters and emergencies and the consequential loss present valid concerns for organizations. Measures must be taken to protect organizations from disasters. The more organizations know about disasters and emergencies, the more they can do to prepare and protect themselves. One way an organization can prepare and protect itself is to create and implement a disaster recovery plan (DRP).

Create a Plan

Organizations need to create a disaster recovery plan (DRP) that can address any type of disaster, is easy to follow, and easy to understand. The plan should be customized to meet the unique needs of the organization. According to Hall (2011), steps in a typical disaster recovery plan (DRP) include the following:

1.      “Identify critical applications

2.      Create a disaster recovery team

3.      Provide site backup

4.      Specify backup and off-site storage procedures” (p. 51).

These steps provide a foundation for an adequate business continuity and disaster recovery plan. They also help ensure that the disaster recovery plan is systematic and simple.

Create a Disaster Recovery Team

Although Hall implies identifying critical applications as the first step of the disaster recovery process, it may be more beneficial for an organization to create a disaster recovery team first. DRPs typically identify the specific personnel or individuals involved in the business continuity efforts, including a team coordinator, team leaders over various groups, group members associated with recovery efforts, and alternates (Sungard, 2014). Hall (2011) “presents an organizational chart depicting the composition of a disaster recovery team,” which includes three groups:

1.      “Second-Site Facilities Group

2.      Program and Data Backup Group

3.      Data Conversion and Data Control Group” (p. 53).

Each group or team has a specific objective and consists of several members. Hall (2011) recommends that team members be experts in their area to provide the most benefit to the team and ultimately the organization. As Hall (2011) recommends, “task responsibility must be cleared defined and communicated to the personnel involved” to ensure everyone knows and understands their roles, responsibilities, and the expectations of them.

Sungard (2014) recommends that the recovery team personnel section of the plan include contact information (workphone, cellphone, address, and e-mail addresses) for all recovery team personnel. This information is helpful to get in contact with the recovery team personnel in the event of disaster or emergency. However, if contact information is included within the plan, it is important to continually update this section of the plan for personnel/workforce changes. Additionally, all employees of an organization need to know what to do and who to contact if they discover an emergency. Employees need to have a sense of responsibility in the event of an emergency or disaster, and contact the appropriate personnel from the disaster recovery team.

One of the responsibilities of the DRP team is to identify the organization’s risk of emergency and disasters. The team should identify emergency and disaster threats that the organization is or may be exposed to. This will assist the team in identifying the recovery strategies and resources required to recover from disasters within predetermined acceptable timeframes (Sandhu & NIIT, 2002). The team should establish what the acceptable timelines are for recovery and restoration, as well as identify critical applications.

Identify Critical Applications

            After creating a disaster recovery team, the next step in a DRP is to identify the organization’s critical applications and files (Hall, 2011). To do this, the organization must evaluate their business processes and determine which are critical to their operations, or which are a convenience and not a necessity (Chernicoff, 2007). As recommended by Hall (2011), the plan should focus on short-term survivability, rather than a long term solution restoring the organization’s full functioning capacity. Short-term survivability focuses on the functions of the organization that generate cash flows and revenues. Essentially, the organization should identify which IT infrastructure is essential to the performance of the organization. From here, the organization can determine the applications, files, and even the equipment they need to generate such cash flows.

The organization must determine the minimum technology resources and applications required to continue or restore those processes (Chernicoff, 2007). Critical equipment and resource requirements vary depending on the organization; however, they may include, but are not limited to workstations, computers, telephones, VPNs, servers, and the applications required to process business transactions (Sungard, 2014). Once the minimum technology resources are determined, the organization should be prepared to preserve this and not eliminate any resources below the minimum level (Chernicoff, 2007). If the minimum technology level is not upheld, business continuity could be in jeopardy.

In addition to determining the minimum technology resources required to run minimal business operations, the organization must also look at how to alter procedures and processes if this becomes reality. As the organization will be running on minimal resources, less essential procedures or steps within a process may be delayed or altered until the organization returns to running on full capacity. However, the organization must recognize that there are some processes that should not be delayed or in which the adverse impact should be mitigated. One example may include the processing of payroll since employees may live paycheck to paycheck and depend on their regularly scheduled income to survive. This is important whether an organization is encountering a disaster or not. On the contrary, approving training requests may not be as important or among the top priorities at the time. Normal procedures, such as to how sales are processed, may be altered to accommodate reduced resources. In addition to considering critical applications and minimum technology needed, organizations and the DRP team must also provide site backup to continue operations in the event of an emergency or disaster.

Provide Site Backup

            A critical part of a DRP is to provide “for duplicate data processing facilities following a disaster” (Hall, 2011, p. 52). Hall (2011) suggests that the most common second-site backup options are “mutual aid impact; empty shell or cold site; recovery operations center or hot site; and internally provided backup” (p. 52). According to Hall (2011), each option provides different advantages and disadvantages. The mutual aid pact is a reciprocal agreement between two or more organizations that will assist each other in data processing and sharing of resources, including IT equipment and space, in the event of an emergency or disaster of one of the organization’s locations. This can be a give and take relationship, and although it can come at no or minimal cost, it is one option that requires trust in the other organization(s) to uphold their end of the agreement when and if the time comes.

            The empty shell or cold site plan is a second site, such as a building, that could serve as a data center if needed. However, it is a shell in the sense that it is an empty building ready to house the minimal hardware to run critical applications, as defined earlier in the DRP. This option may provide cost savings. However, the significant disadvantage is that the organization must have the contacts and resources to obtain the IT equipment needed to fill the site in the event of a disaster. If not, this option will only be an empty shell, as the name implies and will be of little benefit to the organization.

On the contrary, a recovery operations center is a fully operational backup data center that has all the necessary hardware and IT equipment present in service to continue operations. However, it comes at a price as an organization must pay for access rights. In addition, a wide-spread disaster or emergency may take out or effect the capabilities of the center, depending upon its location. Larger organizations may have the option of internally provided backup if they have multiple data processing centers. According to Hall (2011), “this permits firms to develop standardized hardware and software configurations, which ensure functional compatibility among their data processing centers and minimize cutover problems in the event of a disaster” (p. 54). However, not all organizations have this option available.

The DRP team should research all of the site backup options available to the organization and decide which options is are best to meet the organization’s needs. When creating the DRP, the team should include procedures necessary to support the relocation, including but not limited to identifying any IT equipment needs, providing all critical applications, files and documentation, and reissuing VPN tokens or other credentials (Sungard, 2014). In addition, it may be helpful to include contact information for the site backup location. After the DRP team determines the best second-site backup for the organization’s needs, then they need to consider backup and off-site storage procedures.

Backup and Off-Site Storage Procedures

            According to Hall (2011), “all data files, applications, documentation, and supplies needed to perform critical functions should be automatically backed up and stored at a secure off-site location” (p. 54). Data and storage procedures should be clearly identified in the plan and assigned to specific personnel to ensure responsibility and completion (Microsoft, 2014). Back up and off-site storage procedures should specify whether the entire network or select computers should be backed up, including operating system backup and application backup (Microsoft, 2014). At a minimum, the previously determined critical applications required for minimal operations should be backed up. In addition, backups of data files need to be considered. According to Hall (2011), “databases should be copied daily to high-capacity, high-speed media, such as tape or CDs/DVDs and secured off-site” (p. 55). Procedures should be established to secure both the storage device and the backup media, whether it be physical security measures or electronic controls.

Backup and off-site storage procedures should be established for documentation, supplies, and source documents. Hall (2011) recommends that end-user manuals be backed up as personnel who do not typically process transactions may be performing these tasks in the event of a disaster or emergency. Critical supplies required for daily operations, such as checks and purchase orders, as well as a copy of the DRP, should be stored at the off-site location (Hall, 2011). Microsoft (2014) recommends that source documents, such as hardware and software inventory records, as well as receipts for software and hardware purchases also be stored at the off-site location.

In the DRP, the location of the off-site backup and storage should be identified, along with contact information and any credentials needed to access the backups and storage media. One option, although not the only option, is backing up important systems and files securely off-site in the cloud, as they can then quickly be recovered and restored. Additionally, organizations may want to consider migrating applications and systems, especially those determined critical, to the cloud so they can be accessed whenever and wherever needed.

All backup and off-site storage procedures should be performed routinely, either by data processing personnel or automatically by the systems. In either case, the assigned personal should ensure that the backups and storage procedures are completed correctly and that systems and files can be recovered or restored at any time.

Test and Maintain

Disaster recovery planning is a continual process as risks of disasters and emergencies are always changing. It is recommended that the organization test the DRP to evaluate the procedures documented in the plan for effectiveness and appropriateness (Sandhu & NIIT, 2002).Organizations should test their recovery plan step-by-step regularly to have proof and peace of mind knowing that if the organization ever needs it, it will work quickly and effectively. The recovery team should be performing routine maintenance of the DRP, including incorporating suggested improvements into the plan after testing and throughout its lifetime (Sandhu & NIIT, 2002).

Conclusion

In summary, an organization must develop a recovery team to create a disaster recovery plan (DRP) that includes identifying critical applications, providing site backup, and identifying backup and off-site storage procedures. Other procedures may be included in the plan based on the organization. The recovery team and organization must then implement the DRP and follow through on the plan procedures. The DRP should be continually tested and maintained to consistently prepare the organization for evolving disasters and emergencies.


 

References

Chernicoff, D. (2007). Disaster-Preparedness Checklist. Windows IT Pro, 13(2), 49-52.

Hall, J. (2011). Information Technology Auditing (3rd ed.). Mason, OH: South-Western, Cengage Learning.

Microsoft. (2014). Creating Backup and Off-Site Storage Procedures. Retrieved from http://technet.microsoft.com/en-us/library/cc960728.aspx.

Sandhu, R., & NIIT. (2002). Disaster Recovery Planning. Cincinnati, Ohio: Premier Press.

 

Sungard Availability Services (2014). What’s in a Business Continuity Disaster Recovery Plan Template? The Building Blocks for a Successfully Recovery Program. Retrieved from http://www.sungardas.com/Documents/disaster-recovery-plan-template-SFW-WPS-086.pdf.

    • 10 years ago
    Report issue
    Disaster Recovery Plan (DRP) A+ Tutorial use as Guide
    NOT RATED

    Purchase the answer to view it

    • disaster_recovery_plan_drp.docx