The goal of disaster recovery is to “minimize the effects of a disaster and to take the necessary steps to ensure that the resources, personnel, and business processes are able to resume operation in a timely manner.” Basically disaster recovery deals with what to do in a disaster situation and its immediate ramifications, while business continuity deals more with what to do in the long run. The basic steps towards a continuity plan as developed by the National Institute of Standards and Technology (NIST) are the following:
- Develop the continuity planning policy statement
- Conduct the business impact analysis
- Identify preventive controls
- Develop recovery strategies
- Develop the contingency plan
- Test the plan and conduct training and exercises
- Maintain the plan
(ISC)2 has similar guidelines using different names. They use: project initiation, BIA, recovery strategy, plan design and development, implementation, testing, and continual maintenance. In the project initiation, a business continuity coordinator should be identified, along with a committee under their leadership. Their first course of action should be to create a continuity planning policy statement. Next, during the business impact analysis, a functional analysis needs to be performed, which looks at the maximum tolerable downtime, operational disruption and productivity, financial considerations, regulatory responsibilities, and reputation. It is during this step that the business continuity plan (BCP) team identifies possible threats and estimates their probability. During the recovery strategies step, the committee must discover the most cost-effective recovery mechanisms to address the threats. They need to define the recovery strategy, which includes facility decisions (hot, warm, or cold sites, or possibly reciprocal agreements or redundant sites), backups (including software, hardware, and human backups if moves must be made), and insurance.
In the recovery and restoration step, the coordinator should define several teams including damage assessment, legal, salvage, restoration, security, and several other teams. Goals are needed that define responsibility, authority, priorities, and implementation and testing. Without proper goals, it is impossible to know what the team is trying to achieve. It needs to be specific enough that it can be measured. If it is too vague, then there will be no way of doing this.
During the implementation stage, the continuity plan is live. Copies of the plan need to be kept in multiple locations, on and off site, as well as in more than one format (digital/physical). People need to be designated as key individuals who are in charge of managing call trees in the event of an emergency and implementing specific tasks. From this comes the testing and revising step, which happens continuously. Environments change, so revisions are needed and testing should be performed regularly. Some companies are moving away from testing, which implies passing or failing, and moving to regular exercises that promote improvement. Any changes in the environment need to be reflected in the plan. The final step or point is to maintain the plan. There is no use of having a plan if the company is just going to let it go to waste and not implement anything.
No comments:
Post a Comment