Time and time again, I see people investing hours into their disaster recovery (DR) plan, only to see the fruits of their labor go up in smoke. From developing the document to taking it for a test drive, a lot of effort can be quickly wasted by simple oversights -- specifically with change management.
For starters, there's usually a disconnect between DR plans and the rest of the IT infrastructure. Why? There are two things that consistently contribute to the problem. The first is a lack of buy-in. Management often doesn't care about the content in the DR document. They just want one to get IT auditors off their backs. This is exacerbated by the fact that management may lack a comprehensive understanding of what it takes to effectively keep IT going in the event of a disaster.
The second issue contributing to this disconnect is that the folks responsible for managing the DR function (typically IT administrators) may not get the resources they need to be proactive. Systems change and business processes evolve, yet no one has time to update the DR plan.
So, how can an organization get a handle on change management as it relates to DR? For many, especially the big accounting and consulting firms, the answer is the Information Technology Infrastructure Library (ITIL). While implementing the change management components outlined in ITIL is a good long-term goal, it can be difficult. There are many issues to consider, including existing culture, politics, attitudes, personalities, business processes, etc.
Get a handle on your change management process
When formalizing a change management process, it is important to consider the following points: First, you have to get management on board and IT has to have the resources to make things happen. Those responsible for DR need incentives to do the right things. If a specific issue doesn't personally benefit someone, they aren't going to have the incentive to do what's right -- much less excel at it.
So, tie DR plan management in with performance reviews. Whether it's combining consistent planning updates with subsequent testing or annual independent auditor ratings, management has to raise the bar and encourage employees to be responsible.
Change management is merely formalizing the way we communicate and properly setting the expectations of everyone involved. There are software applications available such as Tamp Systems DRS and ErLogix that can help you centrally manage your DR plan.
Once you get your DR plan basics in place, I highly recommend investing in such an application. If implemented the right way, it can pay for itself quickly. Plus, it fits nicely into the three critical pillars of IT: visibility, control and automation. I can't think of a better way to please the auditors and show management that their DR money is being well spent.
About the author: Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent information security assessments. Kevin has authored/co-authored seven books on information security including "Hacking For Dummies" and "Hacking Wireless Networks For Dummies". He's also the creator of the "Security On Wheels" information security audio books and blog. Kevin can be reached at firstname.lastname@example.org.