IT Security and Disaster Recovery Planning

It is now generally recognized that business continuity planning and disaster recovery planning are vital activities. However, the creation of (and maintenance of) a sound business continuity and disaster recovery plan, is a complex undertaking, involving a series of steps.

Prior to creation of the plan itself, it is essential to consider the potential impacts of disaster and to understand the underlying risks: these are the foundations upon which a sound business continuity plan or disaster recovery plan should be built. Following these activities the plan itself must be constructed - no small task. This itself must then be maintained, tested and audited to ensure that it remains appropriate to the needs of the organization. And what about the support infrastructure and services?

Crisis management is the enterprise's first response to an event that could change the way business operations are normally conducted. A well-managed approach to such an event will help significantly to ensure the employees, customers, partners, and the general public continue to have confidence in the viability of the enterprise.

Gartner Group defines business continuity planning as a process with five essential components:

  • Disaster Recovery
  • Business Recovery
  • Business Resumption
  • Contingency Planning
  • Crisis Management (required for the entire event)

Definition: Disaster

A disaster is "an occurrence inflicting widespread destruction and/or distress." For the purposes of planning this means that the facilities, computing resources, or major components thereof, are deemed unavailable for operations. The following are the major purposes of this document:

  • To plan for ongoing operations in the event of a disaster.
  • To detail and describe the level of contingency preparations for management review.
  • To prioritize and outline the recovery of pre-defined critical components, systems, and applications.
  • To develop an organizational preparedness so that disruption and chaos are minimized if a disaster should occur.
  • To anticipate vulnerabilities regarding the security and protection of the data center facilities.