A comprehensive recovery plan will minimize the effect of a natural disaster on business continuity, compliance and data loss. A good plan also helps speed recovery from cyberattacks.
If your organization's disaster recovery plan is outdated, insufficient, or even worse, doesn't exist, let these events motivate you to analyze, review, or create a recovery strategy now, before you need it.
So what is a disaster recovery plan and what should it include?
Here are eight steps to creating a disaster recovery plan that will help prevent data loss, facilitate business continuity, and ensure your sensitive data and SLAs remain in compliance.
Step 1: Create a disaster response team and document responsibilities
During a crisis, your disaster response team will lead recovery efforts and disseminate information to employees, customers and stakeholders.
Assign each team member specific tasks during the response and document them so everyone knows who oversees what. You will also need support staff for key team members if a designated leader is not available during a crisis.
Step 2: Define clear RTOs and RPOs
One of the most important components of a disaster recovery plan is establishing the recovery time objective (RTO) and recovery point objective (RPO).
RTO is the period of time that an application can be down before your business is negatively impacted. RTO varies greatly between applications because some applications may be down for just a few seconds before the business, customers, or users are affected. On the other hand, others may be down for hours, days or weeks.
RTOs are calculated based on the importance of the application:
- Near-zero RTO: Mission-critical applications that need failover
- Four-hour RTO: Less critical, so there is time for in-place recovery from bare metal.
- RTO of eight or more hours: Non-essential applications that can be down indefinitely.
Your recovery point objective (RPO) is the greatest amount of data that can be lost before your business is significantly harmed. This component of the IT disaster recovery plan determines how frequently data needs to be backed up.
The amount you're willing to spend to back up a given application also comes into play as you're working to control IT costs:
- RPO close to zero: Use continuous replication (mission-critical data). This requirement will require effective business continuity solutions that virtually eliminate downtime.
- Four-hour RPO: Use scheduled snapshot replication.
- 8-24 hour RPO: Use existing backup solution (data that can potentially be recreated from other repositories).
Step 3: Make a blueprint of your network infrastructure
Creating detailed documentation of your network infrastructure will make it much easier to rebuild your system after a disaster, especially if a computer attack has corrupted the network.
Different system components have different levels of importance to business continuity, so be sure to prioritize each service as mission critical, essential, or nonessential so they can be restored in the appropriate order. Don't forget to include system dependencies in your plan, as they can affect how you prioritize recovery.
Step 4: Select a disaster recovery solution
Storage capacity, recovery time, and configuration complexity will affect the cost of a disaster recovery solution. In many cases, you are choosing between a solution that offers fast recovery times but can lose days of data, and a solution that maintains system availability but kills it with high complexity and costs.
Look for a disaster recovery solution that affordably protects your systems and applications from data loss. Solutions that also minimize complexity, make it easier to manage backup and disaster recovery, and restore service level agreements.
Step 5: Create a checklist of criteria to initiate the disaster response plan.
Only a few incidents warrant a full implementation of your disaster response plan. Creating a checklist of criteria to identify what constitutes a disaster helps your recovery team know when it's time to take action without wasting resources or money by overreacting to a minor threat.
To ensure data and operations are quickly restored after a disaster, create step-by-step instructions in plain language so your team can begin the disaster recovery effort as soon as it is safe to do so.
Store a copy of the disaster recovery plan off the network or on immutable storage to protect it from corruption during a ransomware attack or physical loss from a natural disaster.
