Protecting your firm's investment in its technology infrastructure and its ability to conduct business are good reasons to implement a business continuity and disaster recovery program.
- Begin by obtaining management approval and funding for a BC/DR activity.
- Learn all you can about your organization by researching the firm, interviewing company leaders, and reading annual reports and other relevant documentation.
- Find out about any previous experience the organization had with disasters and other disruptive incidents, how they responded, lessons learned, etc.
- Review any previous BC/DR work done by the organization. For example, did the firm have a previous BC/DR plan? If so, how well did it work and what happened to it?
- Review results from previous analytical activities, such as a business impact analysis and/or risk assessment. It may be appropriate to update these documents to determine what changes are needed in a new or updated BC/DR activity.
- Meet with key department leaders and stakeholders to identify issues that should be addressed in a BC/DR activity.
- Talk with other organizations about how they addressed similar BC/DR issues and what ultimately worked for them.
- If you need to obtain specific information, use a request for information (RFI) or request for quotation (RFQ).
- Discuss your findings and observations with colleagues such as IT leadership, company risk managers, company facilities and security staff, business unit leaders, and company strategic planners.
- Identify and prioritize operational, financial, human resources, and other issues that will better tailor plans to the organization’s needs.
- Create a table or spreadsheet that summarizes the findings and results of your discovery. This will help you tailor BC/DR solutions to the needs of the business.
Follow these steps, and if the organization already has BC/DR plans, use your findings to update existing plans to better fit the organization’s requirements. If your organization does not have a business continuity or disaster recovery program, meet with management to discuss steps for a new BC/DR program that aligns with management’s perceived needs and satisfies business objectives. Results of such a meeting may not initially be a plan, but it should help you focus your efforts.
Once you create a framework for a BC/DR activity conduct a table-top walk-through to see if it meets management’s needs as defined in your previous meetings. If management wants a more detailed plan, the next step is to drill down to the details, e.g., procedures to recover a server, perform a server failover to a backup unit, or organize a relocation of staff to an alternate site.
Consider using BC/DR standards as part of your development efforts. Existing standards such as BS 25999:2007, NFPA 1600:2010, NIST SP 800-34, ASIS SPC.1-2009, ISO 27031, and ISO 24762 can be obtained for little or no cost, and can provide an effective starting point and structure to your program and plans.
Let’s briefly examine some examples of tailoring a business continuity/disaster recovery program to your business' needs:
- As the result of a recent merger, a firm discovers its data protection requirements have expanded significantly, especially because the new company was backing up its data on-site. The outcome was to change the data backup strategy from one in which tapes were shipped once a week to an off-site storage facility to a data mirroring application where data was replicated in real-time to an off-site data storage facility. Outcomes: More reliable and timely data backups; lower recovery point objective (RPO)
- In an effort to stabilize data storage costs and reduce physical space, a school district signs up for a cloud-based data storage service. Outcome: Secure data storage, fast data recovery assured when needed, additional storage space.
- An IT department discovers it can leverage its other field offices as backup data storage sites by installing NAS devices in each field office and sending backup files after hours to each office via the Internet. Outcome: Diversified data storage solution.
Investments in business continuity and disaster recovery can range from nothing (e.g., take your chances) to millions of dollars in annual spending for hot sites, backup data centers, redundant servers, meshed data network infrastructures, storage area networks, and many other solutions. The time you spend researching the business and then tailoring a business continuity/disaster recovery program to business and operational needs will help you achieve better value for money from BC/DR investments.
Finally, once the investments have been made, and you have implemented BC/DR solutions that support your business needs, be sure to regularly exercise those solutions and keep all pertinent documentation up to date.
About this author: Paul Kirvan, CISA, FBCVI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter. He can be reached at firstname.lastname@example.org.
This was first published in December 2011