We can probably all agree on the importance of keeping disaster recovery and business continuity plans up to date,...
but what's the best way to keep these documents current? Here are some suggestions to motivate you to find the time and make the effort.
How large are your disaster recovery (DR) and business continuity (BC) plans? In this case, we're talking page count. If your DR and BC plans are 50 to 100 pages or more, it will be difficult to step aside from your primary duties -- unless the plans are your primary responsibilities -- and focus on something that you hope you never have to use.
Begin by zeroing in on the sections of the disaster recovery and business continuity plans that are most likely to change in the course of a year. These will probably include the following:
- Emergency team names and contact details
- Lists of mission-critical equipment
- Lists of mission-critical apps
- Lists of vendors and suppliers
- Lists of vital records and critical business documents
- Lists of office supplies
- Lists of manufacturing components, such as raw materials and partially finished products
- Organization charts
- Lists of minimal operational requirements to resume business
- Lists of emergency supplies, such as medical supplies, flashlights and radios
- Lists of employees and contact details for calling trees (if used)
Remember, it's not necessary to update the entire plan at one time. The key is to perform the review and update the plan components on a regular basis. You may decide that, based on the above list, you can update sections of the plan within different time frames, perhaps annually, every other year or quarterly.
If you have a staff, delegate the updating of disaster recovery and business continuity plans to one or more of your team members. By breaking the plans into more manageable parts, the task of updating becomes less onerous, especially to the person who gets the assignment.
Drilling down into business continuity, disaster recovery and BIAs
For department-level plans, you must depend on someone (plus someone to back up that person) from the department to take responsibility for plan updating. Consider the same strategy as above: Break the plan into smaller, more manageable parts. It will help to have a schedule to remind department plan owners to update their plans or at least a section of their plans. Reminding plan owners periodically of an update activity may actually help to increase awareness of the business continuity plans and remind them of the importance of their plans.
Many of the same components in business continuity plans will be in disaster recovery plans, especially lists of emergency team members, vendors, systems and applications, and diagrams of networks or equipment racks. Some activities, such as regular testing of backup diesel/natural gas generators or uninterruptible power systems, may be performed as part of facilities and IT operations testing, respectively. Test scripts should be reviewed following changes to the technology infrastructure -- updates to operating systems, and changes in database management systems, security equipment (such as firewall rules) and network components. Be sure to perform DR plan updates whenever changes to IT assets occur.
Updating a business impact analysis, by contrast, can be a challenge unless you can simplify the process. Ask the BIA owner to review the document and identify anything that has changed, such as priorities for recovery, dependencies (both internal and external), mission-critical business processes, required technologies, required vital records and any other relevant BIA measurements.
You can try breaking this activity into smaller components:
- Update business processes
- Update dependencies
- Update required technologies
However, changes in business processes may necessitate a re-evaluation of all BIA measurements associated with a specific process. As such, it may be more of a challenge to do a "fragmented" BIA update.
Having a schedule for updating disaster recovery and business continuity plans is an important starting point. Be sure to follow the schedule and make note of the updates, as this may be an important piece of audit evidence. Next, break the updating process into smaller, more manageable bites as a way to make it less of an "all or nothing" proposition.
Guidelines for disaster recovery and business continuity planning
Who to involve in the BC/DR planning process is a broad issue
What happens when your disaster recovery plan funding is low