Business Continuity Planning is the activity performed by an organization to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions. These activities include many daily chores such as project management, system backups, change control, and help desk. Business continuity is not something implemented at the time of a disaster; Business Continuity refers to those activities performed daily to maintain service, consistency, and recoverability.
Disaster Recovery Planning (DRP) is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery is a subset of business continuity.
Business Continuity / Disaster Recovery Plans come in various forms, each reflecting the corporation’s particular set of circumstances. The following are some of the general step required to develop and implement a plan.
- Policy Statement (Goal of plan, reasons and resources)
- Business Impact Analysis (how does a shutdown impact the business financially and otherwise)
- Identify Preventive Steps (can disaster be avoided by taking prudent steps)
- Recovery Strategies (how and what you will need to recover)
- Plan Development (Write plan and implement plan elements)
- Plan buy-in and testing (very important so that everyone knows the plan and knows what to do)
- Maintenance (continuous changes to reflect current situation)
Control measures are steps or mechanisms that can reduce or eliminate various threats for organizations. Different types of measures can be included in BCP/DRP.
Disaster recovery planning is a subset of a larger process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity. This article focuses on disaster recovery planning as related to IT infrastructure. Types of measures:
- Preventive measures – These controls are aimed at preventing an event from occurring.
- Detective measures – These controls are aimed at detecting or discovering unwanted events.
- Corrective measures – These controls are aimed at correcting or restoring the system after a disaster or an event.
These controls should be always documented and tested regularly.
The following is a list of the most common strategies for data protection.
- Backups made to tape and sent off-site at regular intervals
- Backups made to disk on-site and automatically copied to off-site disk, or made directly to off-site disk
- Replication of data to an off-site location, which overcomes the need to restore the data (only the systems then need to be restored or synchronized). This generally makes use of storage area network (SAN) technology
- High availability systems which keep both the data and system replicated off-site, enabling continuous access to systems and data
In many cases, an organization may elect to use an outsourced disaster recovery provider to provide a stand-by site and systems rather than using their own remote facilities.
In addition to preparing for the need to recover systems, organizations must also implement precautionary measures with an objective of preventing a disaster in the first place. These may include some of the following:
- Local mirrors of systems and/or data and use of disk protection technology such as RAID
- Surge protectors — to minimize the effect of power surges on delicate electronic equipment
- Uninterruptible power supply (UPS) and/or backup generator to keep systems going in the event of a power failure
- Fire preventions — alarms, fire extinguishers
- Anti-virus software and other security measures