
Basic Steps in Disaster-Recovery Planning

The disaster-recovery planning process may vary from organization to organization, but
the basic steps that must be performed in all cases are listed below:

Establish a planning committee. The top management of the organization must be
involved in the development of the disaster-recovery plan. Management should be
responsible for coordinating the disaster-recovery plan and ensuring its
effectiveness within the organization. Adequate time and resources must be
committed to the development of an effective plan, with the resources under
consideration including financial considerations and the effort of all personnel
involved. The planning committee should include representatives from all
operational areas of the organization. This is essential, since it is common that
separate plans exist for each department, and these plans must be coordinated.
Failure to do this can result in multiple demands on the same resource,
incompatible strategies, time delays, and, in the worst case, the failure to properly
carry out the plan in the case of emergency.

Identify serious risks. The planning committee should carry out a risk and
business-impact analysis that includes a range of possible disasters, including
natural, technical, and human threats. Each operational area of the organization
should be analyzed to determine the potential consequence and impact associated
with several disaster scenarios. The risk-assessment process should also evaluate
the safety of critical documents and vital records. Traditionally, fire has posed the
greatest threat to organizations. Intentional human tampering, however, should
also be considered. The plan should provide for the "worst case" scenario: the
destruction of the main building. It is important to assess the impacts and
consequences resulting from the loss of information and services. The planning
committee should also analyze the costs related to minimizing potential
exposures.

Establish priorities. Here you should determine what are the most important
considerations for processing and operations and carefully evaluate the critical
requirements of each department. Determine the maximum amount of time that the
department and organization can operate without each critical system. Critical
needs are defined as the necessary procedures and equipment required to continue
operations should a department, computer center, main facility or a combination of
these be destroyed or become inaccessible.

Determine recovery strategies. Here, you should consider all aspects of your
organization's information system, including the following:

Facilities

Hardware

Software

Communications

Data files

Customer services

User operations

End-user systems

Other processing operations


Assign a disaster team. Once this has been done, you should then develop disaster
recognition and initial-reaction procedures. At a minimum, these must include the
following:

Initial reaction procedures to a disaster report

Notification procedures for police, fire, medical care

Notification procedures for management

Procedures for mobilizing the disaster team

Procedures for assessing the damage and registering critical-events logs for
audit purposes

Take a complete inventory of all equipment and software. This is an essential part
of any recovery plan. At minimum, it should include the following:

A listing of all equipment by type and model number. The list should
include equipment such as mission-critical servers, mainframe computers,
bridges, routers and gateways.

Name, address and telephone number of the manufacturer/vendor.

Date of purchase and original cost.

Locations of third-party equipment suppliers.

Associated software packages, including all software required for the
operation of mission-critical equipment. The software inventory must
include the following information: the purpose of the software; date of
acquisition; license and version number; original cost; address and
telephone number of the vendor; names, addresses, and phone numbers of
service and technical-support centers, etc.

Develop recovery procedures. You should take into consideration the following
aspects:

Procedures for ensuring and maintaining physical security

Coordination of restoration for the original site

Restoration of electronic equipment

Reloading of software

Restoration of power, UPS, common building systems

Replacement of fire-suppression systems

Rewiring of the building

Restoring the LAN

Restoring the WAN connections

Document the plan. Try to make the plan easily understandable for any technical
person or other co-workers who might be called upon to help execute the plan or
support recovery efforts. Whenever possible, illustrate the plan with diagrams. A
comprehensive recovery plan generally includes the following information:

Emergency call lists for management and recovery teams

Vendor call out and escalation lists

Inventory and report forms

Carrier call out and escalation lists

Maintenance forms

Hardware lists and serial numbers

Software lists and license numbers

Team-member duties and responsibilities

Network schematic diagrams

Equipment-room floor-grid diagrams

Contract and maintenance agreements

Special operating instructions for sensitive equipment

Cellular telephone inventory and agreements

Miscellaneous


Present the plan to all staff and train employees.

Test the plan and review it with all employees. If necessary, you should
re-evaluate and re-document your plan after having done this.

Understand that disaster recovery planning is not a short-term project. On the contrary, it
is a very complex, labor-intensive, and time-consuming process. Furthermore, it is also
not a project that you can forget about after it has been set up and approved. An efficient
recovery plan is one that works, so it must be kept current and updated. In order to ensure
this, it must be revised, tested, and practised on a regular basis. In other words, your
disaster-recovery plan must be a living plan!

Basic steps of a typical disaster recovery plan are outlined in Fig. 2.1.

Figure 2.1: The basic steps of a typical disaster recovery plan
Emerging Technologies for Disaster-Recovery Solutions
In traditional disaster-recovery planning, a complete daily backup to tape is the key
feature. After backup, tapes are usually shipped to a safe site. Theoretically, when a
disaster strikes, these backup copies are shipped to an alternate site, where IT specialists
perform the recovery, and the business can be up and running again. According to
statistical data, more than 75% of all companies in the United States rely on this
technique. This is understandable, since tape backup is a traditional, well-tested, and
workable technology. More importantly, it involves relatively low costs. However, this
approach also has its drawbacks. First, it carries a 24-hour recovery period, meaning 24
to 48 hours of downtime (for example, one day to ship the tapes to the alternate site, and
another day to restore, troubleshoot, and actually get the system working again). If your
company can afford 48 hours of downtime, then this traditional approach is appropriate.
However, many companies can't afford even one hour of downtime, and the number of
such companies is growing constantly (e-businesses, for example).
To meet these needs, new technologies have been developed, such as electronic vaulting
and mirroring. With electronic vaulting, data backup is performed over the network to a
remote site. Some companies use vaulting because they find it to be a more convenient,
reliable and automated way to do nightly backups. Some companies use the computer at
the vaulting site (the "catcher") as a temporary replacement for the down server. In this
case, performance might suffer, but service still won't be totally interrupted. However,
electronic vaulting involves a minimum of twice the cost of a traditional tape backup and,
furthermore, can't alone help you to achieve a recovery window of less than one hour. To
achieve even shorter recovery times, it is necessary to mirror data to an identical system
dedicated to performing the mirroring function. At the protected server, a probe is
installed that continuously sends "OK" messages to the mirroring server. When the probe
ceases to send these messages (or sends an emergency request), the mirroring machine
steps in. Theoretically, this recovery scheme provides instantaneous recovery (even in the
event of a large-scale emergency, where communication services or Internet services may
be affected, it is possible to bring the mirroring system up within an hour). Banks, stock
exchanges, or e-commerce companies often employ this scheme. Most other companies
can't afford this technology, but current trends indicate that its use will grow significantly
with the growth of e-commerce.
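
The probe-and-takeover scheme described above, sketched as an added example (not code from the original text). The message authentication, sequence numbers, heartbeat interval and missed-heartbeat limit are assumptions of this example, included so that a forged or replayed "OK" cannot suppress a takeover and a forged emergency request cannot trigger one.

```python
import hashlib
import hmac

# Constructed values for this example; none come from the original text.
SHARED_KEY = b"example-key-provisioned-out-of-band"
HEARTBEAT_INTERVAL = 5.0   # seconds between "OK" messages (assumed)
MISSED_LIMIT = 3           # silent intervals tolerated before takeover (assumed)


def sign(seq: int, status: str, key: bytes = SHARED_KEY) -> str:
    """Tag the probe attaches so the mirror can reject forged messages."""
    return hmac.new(key, f"{seq}|{status}".encode(), hashlib.sha256).hexdigest()


class MirrorMonitor:
    """Runs on the mirroring server and decides when to step in."""

    def __init__(self, start: float, key: bytes = SHARED_KEY):
        self.key = key
        self.last_ok = start
        self.last_seq = -1
        self.active = False   # True once the mirror has taken over

    def receive(self, now: float, seq: int, status: str, tag: str) -> bool:
        """Process one probe message; return True if it was accepted."""
        if not hmac.compare_digest(tag, sign(seq, status, self.key)):
            return False      # forged or corrupted: must not reset the timer
        if seq <= self.last_seq:
            return False      # replayed old "OK": must not mask an outage
        self.last_seq = seq
        if status == "EMERGENCY":
            self.active = True
        elif status == "OK":
            self.last_ok = now
        return True

    def tick(self, now: float) -> bool:
        """Call periodically; take over once the probe has been silent too long."""
        if now - self.last_ok > HEARTBEAT_INTERVAL * MISSED_LIMIT:
            self.active = True
        return self.active


def run_scenario(events, end: float) -> bool:
    """Replay constructed (time, seq, status, tag) events, then check at `end`."""
    monitor = MirrorMonitor(start=0.0)
    for now, seq, status, tag in events:
        monitor.tick(now)
        monitor.receive(now, seq, status, tag)
    return monitor.tick(end)
```

Once the mirror is active it stays active in this sketch; failing back to the protected server is left as a deliberate, manual step.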
Disaster-Recovery Services Market
As has already been mentioned, disaster-recovery planning is both crucial and
complicated. Therefore, along with performing the basic steps in your
disaster-recovery plan and making technical decisions, you have to decide whether you are going
to implement the plan in-house or use the services of a specialized disaster-recovery firm.
The main advantages of in-house disaster-recovery planning are obvious: better control
and lower costs. However, despite these advantages, there are also drawbacks:

Proper disaster-recovery planning is much easier said than done. It really is
difficult and consumes a lot of employee time.

Any money-saving techniques always involve certain compromises (such as
performance degradation, for example).

Because of this, if you decide to implement the disaster-recovery plan in-house, it is
recommended that you consider retaining a consulting firm to help you define your needs
and develop proper procedures. After all, if you suffer a data loss as a result of disaster,
you don't want any additional surprises.
In today's business environment, more and more organizations, especially large ones, are
opting to utilize specialized companies providing disaster-recovery services. The largest
and best-known of these service providers, accounting for a 90% share of the entire
market, are the following:
