Your business has invested significant time, money and planning to ensure its success, yet many business owners have not taken one step that can help the business continue to succeed when the unthinkable happens: planning for a disaster. Without a proper plan, 25% of businesses fail to reopen following a major disaster, according to the U.S. Small Business Administration. Even small disasters can have a huge impact on how you do business. Disasters are unpredictable, yet you can still plan for them. An Information Technology (IT) recovery plan is a subset of your disaster plan and allows your business to prepare for the damage or loss of its key IT assets. This white paper is designed for businesses that do not have a plan in place. It provides five steps that will assist you in developing a simplified IT disaster recovery plan, with the goal of helping your business return to normal as soon as possible if a disaster strikes.
Step 1. Identify Key Assets
In order for your business to know what it needs to protect, you must first identify your key assets. Since the focus of this white paper is IT Disaster Recovery, begin by making a list of key IT assets at your business. Some examples of IT assets include:
- Hardware items needed to conduct business, such as computers, your networks, printers and credit card machines
- Connectivity to the Internet
- Software for daily functions including email, data storage, inventory, proprietary programs and client information
- Data and backup data
- Backup power
Step 2. Identify Threats
Once you have developed a list of key assets, you will need to identify the hazards unique to your business. When thinking about disasters, many organizations start with the large disasters, like a tornado, and begin planning from there. The reality is that smaller situations can also wreak havoc on a business and are much more likely to happen. For the next step of your planning, you will make a list of all natural and man-made hazards that will put your business at risk. You will then rate the probability of the threat happening to your business and the impact. The following chart is an example.
Probability ranking: 1 = least likely, 5 = extremely likely. Impact rating: 1 = minor impact, 5 = total destruction.
Step 3. Build an IT Recovery Plan
After identifying assets and threats, the next step is to begin building your IT Recovery Plan. The following plan strategy is a simplified version of a disaster plan. To build your plan, you will need to collect information about your assets and how you will recover them.
- List the key components your business needs to provide service. Items may include Internet and phone connectivity, software applications, data and data restoration and hardware such as computers, your firewall, printers and servers.
- Determine the RTO (Recovery Time Objective) for each component you listed.
  - List how quickly each service needs to be brought back up. List in hours or days.
- List your recovery strategy for each item and whether it is internal or external.
List the items in a chart with the Component and RTO as shown below.
Additionally, include the following details if possible.
- Map network details with prioritization of application needs.
- Include a detailed network diagram.
- Application list for servers and workstations.
- Identify cloud services needed along with prioritization.
- Any credentials needed.
- IP addresses or web addresses needed to bring back online.
- List those responsible for each area of IT in your company.
- If you are outsourcing IT, do you have their disaster recovery plan?
- List contact information for your partners, including emergency contact information.
- Include a list of hardware and software vendors with contact information.
Step 4. Implementation
Now that you have completed the first three steps, you will need to plan how to implement your IT recovery plan.
- Assemble an emergency response team. List the names and contact information of the key employees that will respond to the disaster. Include the following:
  - Name, cell phone number, address and emergency contact information.
- Designate a disaster recovery coordinator and identify key employees that will respond to the disaster. Responsibilities may include:
  - Immediate response to the disaster and contacting emergency services
  - Assessment of the extent of the disaster and its impact on the business, data, etc.
  - Determining which steps of the disaster recovery plan should be activated
  - Activation of the emergency response team
  - Notification of employees, customers and media
- Define the procedures that will need to be followed. Some items you may wish to include are:
  - Internal notification calling tree for key response employees
  - External notification calling tree for external contacts such as your insurance company, hardware and software vendors, utility providers and the like.
- Implement recovery of key business components as identified in Step 3.
Step 5. Test and Publish Your Plan
Finally, you will need to test each element of your disaster recovery plan and make adjustments as needed. Testing is an essential step in developing your disaster plan and ensures that the staff you have identified as part of the response team are familiar with the plan and ready to implement it should the need arise.
Once you are satisfied with the results of your tests, publish your IT Disaster Recovery plan both on physical media (a binder) and on secure digital media, and keep copies in multiple locations, as you may not have access to any or all of your locations. Your plan should be reviewed with all employees regularly and assessed annually.
In conclusion, disaster response is all about planning, process and training. IT Disaster Recovery planning can help ensure your business is prepared when the unthinkable happens. The most important thing is to start somewhere and work the plan on an ongoing basis. This white paper is intended as a starting point for your business to prepare your plan. There are several resources available to your business to assist you in further developing a disaster plan, including the U.S. Small Business Administration and ready.gov.
**This document is not meant to be a comprehensive disaster plan, but rather an introduction to basic IT Disaster Recovery thinking and planning.**