Disaster Recovery Planning
By Geoffrey H. Wold
Part III of III
This is the third part of a series that describe specific methods for organizing and writing a comprehensive disaster recovery plan. The first part of this series described the process for developing a thorough disaster recovery plan. The second article described specific methods for organizing and writing a comprehensive disaster recovery plan. This article presents particular methods and materials that can expedite the data collection process.
Disaster recovery is a concern of the entire organization, not just data processing. To develop an effective plan, all departments should be involved. Within all departments the critical needs should be identified. Critical needs include all information and equipment needed in order to continue operations should a department be destroyed or become inaccessible.
DETERMINING CRITICAL NEEDS
To determine the critical needs of the organization, each department should document all the functions performed within that department. An analysis over a period of two weeks to one month can indicate the principle functions performed inside and outside the department, and assist in identifying the necessary data requirements for the department to conduct its daily operations satisfactorily. Some of the diagnostic questions that can be asked include:
1. If a disaster occurred, how long could the department function without the existing equipment and departmental organization?
2. What are the high priority tasks including critical manual functions and processes in the department? How often are these tasks performed, e.g., daily, weekly, monthly, etc.?
3. What staffing, equipment, forms and supplies would be necessary to perform the high priority tasks?
4. How would the critical equipment, forms and supplies be replaced in a disaster situation?
5. Does any of the above information require long lead times for replacement?
6. What reference manuals and operating procedure manuals are used in the department? How would these be replaced in the event of a disaster?
7. Should any forms, supplies, equipment, procedure manuals or reference manuals from the department be stored in an off-site location?
8. Identify the storage and security of original documents. How would this information be replaced in the event of a disaster? Should any of this information be in a more protected location?
9. What are the current microcomputer backup procedures? Have the backups been restored? Should any critical backup copies be stored off-site?
10. What would the temporary operating procedures be in the event of a disaster?
11.How would other departments be affected by an interruption in the department?
12.What effect would a disaster at the main computer have on the department?
13.What outside services/vendors are relied on for normal operation?
14.Would a disaster in the department jeopardize any legal requirements for reporting?
15.Are job descriptions available and current for the department?
16. Are department personnel cross-trained?
17. Who would be responsible for maintaining the departments contingency plan?
18. Are there other concerns related to planning for disaster recovery?
The critical needs can be obtained in a consistent manner by using a User Department Questionnaire. As illustrated, the questionnaire focuses on documenting critical activities in each department and identifying related minimum requirements for staff, equipment, forms, supplies, documentation, facilities and other resources.
SETTING PRIORITIES ON PROCESSING AND OPERATIONS
Once the critical needs have been documented, management can set priorities within departments for the overall recovery of the organization. Activities of each department could be given priorities in the following manner
Essential activities - A disruption in service exceeding one day would jeopardize seriously the operation of the organization.
Recommended activities - a disruption of service exceeding one week would jeopardize seriously the operation of the organization.
Nonessential activities - This information would be convenient to have but would not detract seriously from the operating capabilities if it were missing.
A systematic approach to records management is an important part of a comprehensive disaster recovery plan. Additional benefits include:
Reduced storage costs.
Expedited customer service.
Federal and state regulatory compliance.
Records are not only retained as proof of financial transactions, but also to verify compliance with legal and regulatory requirements. In addition, businesses must satisfy retention requirements as an organization and employer. These records are used for independent examination and verification of sound business practices. Federal and State requirements for records retention must be analyzed by each organization individually. Each organization should have its legal counsel approve its own retention schedule.
As well as retaining records, the organization should be aware of the specific record salvage techniques and procedures to follow for different types of media. Potential types of media include:
OTHER DATA GATHERING TECHNIQUES
Other information that can be compiled by using preformatted data gathering forms include:
Equipment Inventory to document all critical equipment required by the organization. If the recovery lead time is longer than acceptable, a backup alternative should be considered.
Master vendor List to identify vendors that provide critical goods and services.
Office Supply Inventory to record the critical office supply inventory to facilitate replacement. If an item has a longer lead time than is acceptable, a larger quantity should be stored off-site.
Forms Inventory Listing to document all forms used by the organization to facilitate replacement. This list should include computer forms and non-computer forms.
Documentation Inventory Listing to record inventory of critical documentation manuals and materials. It is important to determine whether backup copies of the critical documentation are available. They may be stored on disk, obtained from branch offices, available from outside sources, vendors and other sources.
Critical Telephone Numbers to list critical telephone numbers, contact names, and specific services for organizations and vendors important in the recovery process.
Notification Checklist to document responsibilities for notifying personnel, vendors and other parties. Each team should be assigned specific parties to contact.
Master Call List to document employee telephone numbers.
Backup Position Listing to identify backup employees for each critical position within the organization. Certain key personnel may not be available in a disaster situation; therefore, backups for each critical position should be identified.
Specifications for Off-Site Location to document the desired/required specifications of a possible alternative site for each existing location.
Off-Site Storage Location Inventory to document all materials stored off-site.
Hardware and Software Inventory Listing to document the inventory of hardware and software.
Telephone Inventory Listing to document existing telephone systems used by the organization.
Insurance Policies Listing to document insurance policies in force.
Communications Inventory Listing to document all components of the communications network.
There are several PC-based disaster recovery planning systems that can be used to facilitate the data gathering process and to develop the plan. Typically, these systems emphasize either a database application or a word processing application. The most comprehensive systems use a combination of integrated applications.
Some PC-based systems include a sample plan that can be tailored to the unique requirements of each organization. Other materials can include instructions which address the disaster recovery related issues that the organization must consider during the planning process such as disaster prevention, insurance analysis, record retention and backup strategies. Specialized consulting may also be available with the system to provide on-site installation, training and consulting on various disaster recovery planning issues.
The benefits of using a PC-based system for developing a disaster recovery plan include:
A systematic approach to the planning process.
An effective method for maintenance.
A significant reduction in time and effort in the planning and development process.
A proven technique.
Recently, other PC-based tools have been developed to assist with the process, including disaster recovery planning tutorial systems and software to facilitate the testing process.
Disaster recovery planning involves more than off-site storage or backup processing. Organizations should also develop written, comprehensive disaster recovery plans that address all the critical operations and functions of the business. The plan should include documented and tested procedures, which, if followed, will ensure the ongoing availability of critical resources and continuity of operations.
The benefits of developing a comprehensive disaster recovery plan include:
Minimizing potential economic loss.
Decreasing potential exposures.
Reducing the probability of occurrence.
Reducing disruptions to operations.
Ensuring organizational stability.
Providing an orderly recovery.
Minimizing insurance premiums.
Reducing reliance on certain key individuals.
Protecting the assets of the organization.
Ensuring the safety of personnel and customers.
Minimizing decision-making during a disastrous event.
Minimizing legal liability.
Geoffrey H. Wold is the National Director of
Information Systems and Technology Consulting for the CPA/Consulting firm of
McGladrey & Pullen. He has written four books on disaster recovery planning.
This article adapted from Vol. 5 #3.
Disaster Recovery World© 1997, and Disaster Recovery Journal© 1997, are
copyrighted by Systems Support, Inc. All rights reserved. Reproduction in whole
or part is prohibited without the express written permission form Systems