In various companies, I have assumed the role of IT Manager in many shapes, forms and job titles. One of the first things that I have usually done as part of that transition has been to look for Disaster Recovery & Business Continuity plans. Mostly, they didn’t exist. Occasionally, they were in various states of readiness. One firm in particular had an excellent Network Manager who didn’t realize that he had been preparing and updating a pretty good tactical DR plan for several years.
Every single year without fail, the highrise office tower that the company was headquartered in would pull the plug on all 40-some-odd floors, and make repairs and updates to its electrical, mechanical, HVAC and other life supporting systems. In preparation for this big event, every single server, every router, switch and even desktops, had to be visited in order to prepare and shut down clean so as to protect critical data and resources. This often involved taking the extra time to patch, test, fail-over and repeat, before everything goes black. This is a monumental task, and I think I still owe that guy a big thank you and a small beer for maintaining such a good inventory checklist, as well as doing the majority of the heavy lifting during those crazy weekends. (Cheers Al!)
With this documentation in hand, it was fairly easy to determine what were the “crown jewels” within the organization, what the business could not afford to be without for an extended length of time, and also, what needed to be stood up fast in the event of catastrophe. The exercise also made clear what needed to be backed up, what needed to be duplicated, and what required full, live replication in order to meet both disaster and continuity goals.
What are those goals?
- Disaster Recovery Planning is the act of strategizing against the worst case scenario, where your place of business is completely removed from the map. It involves rebuilding and restarting the core business in as short a time as possible, while still maintaining an acceptable level of information security.
- Business Continuity Planning is the act of strategizing how you would continue to do business securely under adverse and challenging conditions. Communication is still flowing, you have a commercial presence, business may be impaired or slowed, but you are still an operating entity.
The major difference here is that in one plan, you expect to be standing in a charred hole with a handful of melted tapes. In the other, you are hugging your data close as the smoke clears from your overheated, but quickly replaced data server. Both types of plan can aid in building the initial other plan, and many components of one plan will be shared, supporting, or enhancing the other. Having one set of plans will definitely allow you to revisit the other previously developed plan and add to and improve it exponentially. Just don’t forget that they are not one and the same.
In the example above, there was a (planned and controlled) disaster in that the business normally performed at the HQ site could not be performed, and staff could not enter the site until power had been restored at least 24 hours later. There was also some continuity planning done, as replication was forced and validated, and critical functions were shifted to another office in Montreal. Because of the detailed and comprehensive tactical plans that had already been prepared, it took very little time to develop a full-on Project Plan for the event, and to develop the strategic and step-by-step operational DR/BC plans that could be shared with upper management.