Week 9

Business Continuity and Disaster Recovery Planning

• Running a business continuity and disaster recovery planning project involves developing business continuity and disaster recovery plans, testing them, training users, and maintaining a planning life cycle.

What is a Disaster?

• A disaster is any natural or man-made event that disrupts business operations, requiring a significant and coordinated effort to achieve recovery.

Types of Disasters

• Natural disasters include:
  • Geological: earthquakes, volcanoes, lahars, tsunamis, landslides, and sinkholes
  • Meteorological: hurricanes, tornados, wind storms, hail, ice storms, snow storms, rainstorms, and lightning
  • Other: avalanches, fires, floods, meteors and meteorites, and solar storms
  • Health: widespread illnesses, quarantines, and pandemics
• Man-made disasters include:
  • Labor: strikes, walkouts, and slow-downs that disrupt services and supplies
  • Social-political: war, terrorism, sabotage, vandalism, civil unrest, protests, demonstrations, cyber attacks, and blockades
  • Materials: fires, hazardous materials spills
  • Utilities: power failures, communications outages, water supply shortages, fuel shortages, and radioactive fallout from power plant accidents

How Disasters Affect Businesses

• Disasters can cause:
  • Casualties: employee or family member injuries, fatalities, or care for others
  • Direct damage to facilities and equipment
  • Transportation infrastructure damage: delays deliveries, supplies, and employee commutes
  • Communications outages
  • Utilities outages

How BCP and DRP Support Data Security

• BCP and DRP support availability, which is one of the three pillars of data security, along with confidentiality and integrity.

Developing Key Recovery Targets

• Obtain senior management buy-in on key recovery metrics, such as:
  • MTD (maximum tolerable downtime)
  • RTO (recovery time objective)
  • RPO (recovery point objective)
  • RCO (recovery consistency objective)
  • RCapO (recovery capacity objective)
• Publish these metrics in a database or spreadsheet listing all business processes.

Sample Recovery Time Objectives

• RTOs vary depending on the technology required, such as:
  • 8-14 days: new equipment, data recovery from backup
  • 4-7 days: cold systems, data recovery from backup
  • 2-3 days: warm systems, data recovery from backup
  • 12-24 hours: warm systems, recovery from high-speed backup media
  • 6-12 hours: hot systems, recovery from high-speed backup media
  • 3-6 hours: hot systems, data replication
  • 1-3 hours: clustering, data replication
  • < 1 hour: clustering, near real-time data replication

Criticality Analysis

• Rank processes by criticality criteria, such as:
  • MTD
  • RTO
  • RPO
  • RCO
  • RCapO
  • Cost of downtime or other metrics
  • Qualitative criteria: reputation, market share, goodwill

Business Resumption Planning

• Business resumption planning involves:
  • Alternate work locations
  • Alternate personnel
  • Communications: emergency, support of business processes
  • Standby assets and equipment
  • Access to procedures, business records

Restoration and Recovery

• Restoration and recovery involve:
  • Repairs to facilities and equipment
  • Replacement equipment
  • Restoration of utilities
  • Resumption of business operations in primary business facilities

Improving System Resilience and Recovery

• Improving system resilience and recovery involves:
  • Off-site media storage: assurance of data recovery
  • Server clusters: improved availability, geographic clusters
  • Data replication: hardware, OS, DBMS, application, current data on multiple servers even in remote places

Training Staff

• Training staff involves:
  • Everyday operations
  • Recovery procedures
  • Emergency procedures
  • Resumption procedures