| |
 |
Newsletter - Fall 2007
Preparing for the Worst
Arieh Davidoff, Manager, Computer Forensics Group |
|
In today's electronic business environment, having a
plan for recovering from potential disasters is not an
option- it is a necessity. Consider this: 43 percent
of businesses that experience a disaster-related loss
of computer records never re-open.
So what is a disaster recovery plan? Simply
stated, a disaster recovery plan (DRP) is a formalized
set of recovery procedures and protective measures
which increase the likelihood that an organization
will continue to function or will be able to resume
functioning after a disaster strikes.
A disaster in this context is an event that
negatively affects business operations by destroying
or preventing access to computer records. Disasters
can be regional in scale, such as a hurricane or flu
pandemic, or small internal incidents like a fire, flooding
or even hardware theft. An effective DRP addresses
both large and small-scale disasters.
To develop an effective DRP, it is important to
understand the information technology (IT) environment
as users see it. Users rarely are interested in the
number of servers required to make a critical business
application work; they simply want to be able to run the
software. To keep an application functioning properly
however, all of its parts must be functioning properly.
These parts, or "tiers," may include Web, application
and database servers, and may be accessed using
remote tools such as Citrix or Virtual Private Networks
(VPNs). All tiers must be protected against a potential
disaster. Procedures to protect only a database server
housing computer records saves the records, but
renders them effectively useless without the other
tiers in place.
Building trust and confidence in employees
so they believe the business can survive a disaster
is another important element of an effective DRP.
Communication goes a long way toward instilling
this trust. A simple twice-yearly training seminar, for
example, could be instituted to give employees an
understanding about what may happen in a disaster,
what they can expect from the business and what
will be expected of them. Multi-lingual phone trees and
regularly updated hotlines should be a part of the plan.
Of course, testing critical emergency communication
equipment and updating phone tree and address lists
regularly is critical.
In a disaster, everything becomes more difficult
and employees may be injured or unable to travel.
Therefore, instructions must be easy to follow and,
ideally, in step-by-step format. Copies of recovery
procedures should be placed in well-known, secure
and easily accessible locations. And, each recovery
role should be shared by at least two employees.
While a company's DRP must be in writing,
a written plan alone won't suffice- procedures must
be regularly tested and employees must be regularly
trained to know what to do in an emergency. Critical
systems should be tested every six months, and
non-critical systems every year. Generators and other
backup equipment should be tested under real-world
conditions every few months. Further, recovery
procedures must be updated every time the IT
environment undergoes a significant change.
Bottom line, there is no substitute for being
prepared. An effective DRP- one that protects a
company's records, applications and employees--
is a company's best defense against a disaster.
|
|
|
|
