What is a Disaster Recovery Plan?
A disaster recovery plan (DRP) is an essential document for any size business. The DRP is a documented approach that provides a planned, structured approach to resume business activities after a disaster or incident such as a ransomware attack. The disaster recovery plan includes identifying critical information technology (IT) systems, prioritizing activities based on the company’s recovery time objective (RTO), and providing step-by-step procedures and processes to recover the company’s systems and networks. The plan includes restarting and recovery of critical business systems.
Determining Recovery Point Objective and Recovery Time Objective
Each company has a different recovery point objective (RPO) based on their business needs. To determine the RPO a company needs to find the amount of data that can be lost during efforts to recover from an incident. A business might be able to recover with a loss of 6 hours or 6 days. This time period determines the backup frequency for the organization.
The recovery time objective (RTO) is the determination of the time period that it will take to resume normal business operations after a disaster or incident. The recovery time determines the number of resources that are necessary to meet the objective. The shorter amount of time the more resources that are necessary to meet the objective.
Defining Mission Critical Assets
Creating a disaster recovery plan starts with determining what information and systems are critical and how long they can be offline before the business is severely impacted. Once this is determined, a plan can be made on what level of disaster recovery is required from having system back-ups onsite to always having a complete system (hot site) ready for continuity of business. Offsite or remote backups are an important part of the data recovery process in a disaster recovery plan.
Assigning roles and responsibilities
The next step is clearly defining all roles and responsibilities for the disaster recovery plan. Creating an accountability chart to ensure that all roles and responsibilities are filled makes implementation easier when an incident occurs. It is also important to frequently test the disaster recovery plan with personnel, so each person is familiar and comfortable with their assigned role and necessary contacts.
Testing the Disaster Recovery Plan
Once the plan has been created, it is important to review and practice frequently the actions that are required to ensure the plan is working effectively and efficiently. During practice sessions, it may be determined that different resources are needed or changes in the system environment have created different recovery objects. Different types of disasters and incidents should be practiced to ensure personnel are comfortable with the tasks associated with each and can easily determine what needs to be done to meet the goals of disaster recovery.