For those who need a refresher course in disaster recovery, here are standard disaster recovery best practices according to the Disaster Recovery Institute.
1. Program Initiation and Management
Establish the need for a Business Continuity Management (BCM) Program, including resilience strategies, recovery objectives, business continuity, operational risk management considerations and crisis management plans. The prerequisites within this effort include obtaining management support and organizing and managing the formulation of the functions or processes required to construct the BCM framework.
2. Risk Evaluation and Control
Determine the risks (events or surroundings) that can adversely affect the organization and its resources (for example, people, facilities, technologies) due to business interruption, the potential loss such events can cause, and the controls needed to avoid or mitigate the effects of those risks. As an outcome of the above, a cost-benefit analysis will be required to justify the investment in controls.
3. Business Impact Analysis (BIA)
Identify the impacts resulting from business interruptions that can affect the organization and techniques that can be used to quantify and qualify such impacts. Identify time-critical functions, their recovery priorities, and inter-dependencies so that recovery time objectives can be established and approved.
4. Business Continuity Strategies
Leverage the outcome of the Business Impact Analysis and Risk Evaluation to develop and recommend business continuity strategies. The basis for these strategies is both the recovery time and point objectives in support of the organization’s critical functions.
5. Emergency Response and Operations
Identify an organization’s readiness to respond to an emergency in a coordinated, timely and effective manner. Develop and implement procedures for initial response and stabilization of situations until the arrival of authorities having jurisdiction (if/when).
6. Business Continuity Plans
Design, develop, and implement Business Continuity Plans that provide continuity and/or recovery as identified by the organization’s requirements.
7. Awareness and Training Programs
Prepare a program to create and maintain corporate awareness and enhance the skills required to develop and implement Business Continuity Management.
8. Business Continuity Plan Exercise, Audit and Maintenance
Establish an exercise/testing program which documents plan exercise requirements including the planning, scheduling, facilitation, communications, auditing and post review documentation. Establish a maintenance program to keep plans current and relevant. Establish an audit process which will validate compliance with standards, review solutions, verify appropriate levels of maintenance and exercise activities and validate the plans to ensure they are current, accurate and complete.
9. Crisis Communications
Develop and document the action plans to facilitate communication of critical continuity information. Coordinate and exercise with stakeholders and the media to ensure clarity during crisis communications.
10. Coordination with External Agencies
Establish applicable procedures and policies for coordinating continuity and disaster recovery activities with external agencies (local, regional, national, emergency responders, defense, etc.) while ensuring compliance with applicable statutes and regulations.
Patrick R. Dunn, CISSP, CBCP
Principal Consultant – Disaster Recovery & Business Continuity