A Primer on How to Create a Bullet-Proof Disaster Recovery Plan for the Entire Organization

A Primer on How to Create a Bullet-Proof Disaster Recovery Plan for the Entire Organization

Elizabeth M. Ferrarini,

She is a free-lance writer from Boston, Massachusetts. Reach her at iswive@aol.com

Minutes after the first of two planes plunged into the World Trade Center's Twin Towers on September 11, 2001, Morgan Stanley Dean Witter, Inc., the largest tenant in the World Trade Center, declared a disaster and rushed its disaster recovery plan into place with the help of SunGard Recovery Solutions, a third-party disaster recovery service provider. At the last time, about seven other tenants in the World Trade Center followed suit and contacted SunGard.

The events of September have made disaster recovery planning rise to the top of every organization's IT department priority list. Until the first attack on the World Trade Center in 1993, few companies had even invested in shared data backups. Raging Wire Telecommunications, a California disaster recovery firm, estimates that the 1993 bombing put half the 350 companies in the World Trade Center out of business because of the disruption. Thanks to improvements in disaster recovery planning, more tenants of the recent World Center disaster will be spared, according to Raging Wire. However, about 82 percent of all companies still don't have adequate disaster recovery plans in place, according to Raging Wire.

Too often, its takes a catastrophic event to propel organizations to consider more rigorous disaster recovery plans. After all, the purpose of a disaster recovery plan is to allow an organization to recover in case of an unforeseen event, everything form a major systems outage, such as a tornado demolishing a data center to a building fire destroying the facility and everything in it. A study by the University of Texas found that 85 percent of businesses depend totally or heavily on information technology systems to stay in business, and that a loss of those systems would cost businesses up to 40 percent of their daily revenues.

A disaster can strike at any time. In fact, there are more than 35 types of disasters, ranging from the most common - power outages -- to the most catastrophic - earthquakes. In essence, a disaster includes any type of interruption of service that results from some force beyond the organization's control. Disaster recovery provides systematic procedures for how to react to and how to recover from that ominous external or internal force. Disaster recovery planning, which complements business continuity and contingency planning, ensures the ability of the organization to function effectively if an unforeseen event severely disrupted normal operations.

The following template will help the key individuals in your organization to go through the thought process for preparing a disaster recovery plan, which's aimed at restoring all critical business functions, rather than disparate functions such as the data center, alone.

Gather Information

Organize the Project

A successful initiative of this magnitude requires these things: support from senior management associated with the organization, a dedicated disaster recovery team whose members have knowledge of critical business systems, and a well thought out planning strategy and testing strategy.

The disaster recovery coordinator, working with the appropriate team leaders, should perform steps 3 to 7. Senior executives responsible for disaster recovery planning will perform the first two steps.

1. Determine which senior executive(s) will have overall responsibility for disaster

recovery.

2. Have this executive appoint disaster recovery coordinator.

3. Appoint a disaster recovery team leader for each operational unit, such as server

backup or telephone system.

4. Convene disaster recovery planning team and sub-teams as appropriate.

5. Working with senior executives responsible for disaster recovery, the disaster

recovery coordinator should identify the following:

Scope - the areas to be covered by the disaster recovery plan

Objectives - what is worked towards and what is the course of action that the

disaster recovery team intends to follow

Assumptions - what is being taken for granted or accepted as true without proof?

6. Set project timetable and draft project plan, including assignment of task

responsibilities.

7. Obtain senior management's approval for scope, assumptions, and project plan.

Conduct Business Impact Analysis

The disaster recovery planning team should perform this step to identify which business departments, functions, or systems are most vulnerable to potential threats, what are the potential types of threat, and what effect would each identified potential threat have on each of the vulnerable areas within the organization.

1. Identify functions, processes, and systems.

2. Interview information systems support personnel.

3. Interview business unit personnel.

4. Analyze results to determine critical systems, applications, and business

processes.

5. Prepare impact analysis on interruption on critical systems.

Conduct Risk Assessment

The disaster recovery planning team should work with the organization's technical and security person to determine the probability of each functional business units' critical systems becoming severely disrupted and to document the amount of acceptable risk the business unit can tolerate. For each critical system, provide the following information:

1. Review physical

...