Disaster Recovery Planning
Process
By Geoffrey H.
Wold
Part
III of III
This is the third part of a series that describe
specific methods for organizing and writing a comprehensive disaster recovery
plan. The first part of this series described the process for developing a
thorough disaster recovery plan. The second article described specific methods
for organizing and writing a comprehensive disaster recovery plan. This article
presents particular methods and materials that can expedite the data collection
process.
Disaster recovery is a concern of the entire organization, not just
data processing. To develop an effective plan, all departments should be
involved. Within all departments the critical needs should be identified.
Critical needs include all information and equipment needed in order to continue
operations should a department be destroyed or become
inaccessible.
DETERMINING CRITICAL NEEDS
To determine the critical
needs of the organization, each department should document all the functions
performed within that department. An analysis over a period of two weeks to one
month can indicate the principle functions performed inside and outside the
department, and assist in identifying the necessary data requirements for the
department to conduct its daily operations satisfactorily. Some of the
diagnostic questions that can be asked include:
1. If a disaster
occurred, how long could the department function without the existing equipment
and departmental organization?
2. What are the high priority tasks including
critical manual functions and processes in the department? How often are these
tasks performed, e.g., daily, weekly, monthly, etc.?
3. What staffing,
equipment, forms and supplies would be necessary to perform the high priority
tasks?
4. How would the critical equipment, forms and supplies be replaced in
a disaster situation?
5. Does any of the above information require long lead
times for replacement?
6. What reference manuals and operating procedure
manuals are used in the department? How would these be replaced in the event of
a disaster?
7. Should any forms, supplies, equipment, procedure manuals or
reference manuals from the department be stored in an off-site location?
8.
Identify the storage and security of original documents. How would this
information be replaced in the event of a disaster? Should any of this
information be in a more protected location?
9. What are the current
microcomputer backup procedures? Have the backups been restored? Should any
critical backup copies be stored off-site?
10. What would the temporary
operating procedures be in the event of a disaster?
11.How would other
departments be affected by an interruption in the department?
12.What effect
would a disaster at the main computer have on the department?
13.What outside
services/vendors are relied on for normal operation?
14.Would a disaster in
the department jeopardize any legal requirements for reporting?
15.Are job
descriptions available and current for the department?
16. Are department
personnel cross-trained?
17. Who would be responsible for maintaining the
departments contingency plan?
18. Are there other concerns related to
planning for disaster recovery?
The critical needs can be obtained in a
consistent manner by using a User Department Questionnaire. As illustrated, the
questionnaire focuses on documenting critical activities in each department and
identifying related minimum requirements for staff, equipment, forms, supplies,
documentation, facilities and other resources.
SETTING PRIORITIES ON
PROCESSING AND OPERATIONS
Once the critical needs have been documented,
management can set priorities within departments for the overall recovery of the
organization. Activities of each department could be given priorities in the
following manner
Essential activities - A disruption in service exceeding
one day would jeopardize seriously the operation of the organization.
Recommended activities - a disruption of service exceeding one week would
jeopardize seriously the operation of the organization.
Nonessential
activities - This information would be convenient to have but would not detract
seriously from the operating capabilities if it were missing.
RECORD
RETENTION
GUIDELINES
A systematic approach to records management is
an important part of a comprehensive disaster recovery plan. Additional benefits
include:
Reduced storage costs.
Expedited customer service.
Federal and state regulatory compliance.
Records are not only retained as
proof of financial transactions, but also to verify compliance with legal and
regulatory requirements. In addition, businesses must satisfy retention
requirements as an organization and employer. These records are used for
independent examination and verification of sound business practices. Federal
and State requirements for records retention must be analyzed by each
organization individually. Each organization should have its legal counsel
approve its own retention schedule.
As well as retaining records, the
organization should be aware of the specific record salvage techniques and
procedures to follow for different types of media. Potential types of media
include:
Paper
Magnetic
Microfilm/Microfiche
Image
Photographic
Other
OTHER DATA GATHERING TECHNIQUES
Other
information that can be compiled by using preformatted data gathering forms
include:
Equipment Inventory to document all critical equipment required by
the organization. If the recovery lead time is longer than acceptable, a backup
alternative should be considered.
Master vendor List to identify vendors
that provide critical goods and services.
Office Supply Inventory to record
the critical office supply inventory to facilitate replacement. If an item has a
longer lead time than is acceptable, a larger quantity should be stored
off-site.
Forms Inventory Listing to document all forms used by the
organization to facilitate replacement. This list should include computer forms
and non-computer forms.
Documentation Inventory Listing to record inventory
of critical documentation manuals and materials. It is important to determine
whether backup copies of the critical documentation are available. They may be
stored on disk, obtained from branch offices, available from outside sources,
vendors and other sources.
Critical Telephone Numbers to list critical
telephone numbers, contact names, and specific services for organizations and
vendors important in the recovery process.
Notification Checklist to
document responsibilities for notifying personnel, vendors and other parties.
Each team should be assigned specific parties to contact.
Master Call List
to document employee telephone numbers.
Backup Position Listing to identify
backup employees for each critical position within the organization. Certain key
personnel may not be available in a disaster situation; therefore, backups for
each critical position should be identified.
Specifications for Off-Site
Location to document the desired/required specifications of a possible
alternative site for each existing location.
Off-Site Storage Location
Inventory to document all materials stored off-site.
Hardware and Software
Inventory Listing to document the inventory of hardware and software.
Telephone Inventory Listing to document existing telephone systems used by the
organization.
Insurance Policies Listing to document insurance policies in
force.
Communications Inventory Listing to document all components of the
communications network.
There are several PC-based disaster recovery
planning systems that can be used to facilitate the data gathering process and
to develop the plan. Typically, these systems emphasize either a database
application or a word processing application. The most comprehensive systems use
a combination of integrated applications.
Some PC-based systems include a
sample plan that can be tailored to the unique requirements of each
organization. Other materials can include instructions which address the
disaster recovery related issues that the organization must consider during the
planning process such as disaster prevention, insurance analysis, record
retention and backup strategies. Specialized consulting may also be available
with the system to provide on-site installation, training and consulting on
various disaster recovery planning issues.
The benefits of using a PC-based
system for developing a disaster recovery plan include:
A systematic
approach to the planning process.
Pre-designed methodologies.
An
effective method for maintenance.
A significant reduction in time and
effort in the planning and development process.
A proven
technique.
Recently, other PC-based tools have been developed to assist
with the process, including disaster recovery planning tutorial systems and
software to facilitate the testing process.
CONCLUSION
Disaster
recovery planning involves more than off-site storage or backup processing.
Organizations should also develop written, comprehensive disaster recovery plans
that address all the critical operations and functions of the business. The plan
should include documented and tested procedures, which, if followed, will ensure
the ongoing availability of critical resources and continuity of
operations.
The benefits of developing a comprehensive disaster recovery plan
include:
Minimizing potential economic loss.
Decreasing potential
exposures.
Reducing the probability of occurrence.
Reducing
disruptions to operations.
Ensuring organizational stability.
Providing an orderly recovery.
Minimizing insurance premiums.
Reducing
reliance on certain key individuals.
Protecting the assets of the
organization.
Ensuring the safety of personnel and customers.
Minimizing decision-making during a disastrous event.
Minimizing legal
liability.
Geoffrey H. Wold is the National Director of
Information Systems and Technology Consulting for the CPA/Consulting firm of
McGladrey & Pullen. He has written four books on disaster recovery planning.
This article adapted from Vol. 5 #3.
Disaster Recovery World© 1997, and Disaster Recovery Journal© 1997, are
copyrighted by Systems Support, Inc. All rights reserved. Reproduction in whole
or part is prohibited without the express written permission form Systems
Support, Inc.