Do you lose sleep?
Disaster recovery comprises the processes, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organisation, after a natural or human-induced disaster. Disaster recovery is a subset of business continuity. While business continuity involves planning for keeping all aspects of a business functioning in the midst of disruptive events, disaster recovery focuses on the IT or technology systems that support business functions.
Disaster recovery as a concept developed in the mid to late 1970s as computer centre managers began to recognise the dependence of their organisations on their computer systems. At that time, most systems were batch-oriented mainframes which in many cases could be down for a number of days before significant damage would be done.
As awareness of disaster recovery grew, an industry developed to provide backup computer centres, with Sun Information Systems (which later became Sungard Availability Systems) becoming the first major US commercial hot site vendor, established in 1978 in Philadelphia.
During the 1980s and 1990s, IT disaster recovery awareness and the disaster recovery industry grew rapidly, driven by the advent of open systems and real-time processing (which increased the dependence of organisations on their IT systems). Another driving force in the growth of the industry was increasing government regulations mandating business continuity and disaster recovery plans.
With the rapid growth of the internet through the late 1990s and into the 2000s, enterprises of all sizes became further dependent on the continuous availability of their IT systems, with many companies setting an objective of 99.999% availability of critical systems. This increasing dependence on IT systems, as well as increased awareness from large-scale disasters such as 9/11, contributed to the further growth of various disaster recovery related industries, from high-availability solutions to hot-site facilities.
Importance of disaster recovery planning
As IT systems have become increasingly critical to the smooth operation of a company, and arguably the economy as a whole, the importance of ensuring the continued operation of those systems, or the rapid recovery of the systems, has increased.
It is estimated that most large companies spend between 2% and 4% of their IT budget on disaster recovery planning, with the aim of avoiding larger losses in the event that the business cannot continue to function due to loss of IT infrastructure and data. Of companies that had a major loss of business data, 43% never reopen, 51% close within two years, and only 6% will survive long-term.
As a result, preparation for continuation or recovery of systems needs to be taken seriously. This involves a significant investment of time and money with the aim of ensuring minimal losses in the event of a disruptive event.
Classification of disasters
Disasters can be classified in two broad categories. The first is natural disasters such as flooding. While preventing a natural disaster is very difficult, measures such as good planning which includes mitigation measures can help to reduce or avoid losses. The second category is man-made disasters. These include hazardous material spills, infrastructure failure, or human error. In these instances surveillance and mitigation planning are invaluable towards avoiding or lessening losses from these events.
Control measures in recovery plan
Control measures are steps or mechanisms that can reduce or eliminate threats. Different types of measures can be included in BCP/DRP. Disaster recovery planning is a subset of a larger process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection. It should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity. This article focuses on disaster recovery planning as related to IT infrastructure.
Types of measures:
1. Preventive measures – these controls are aimed at preventing an event from occurring.
2. Detective measures – these controls are aimed at detecting or discovering unwanted events.
3. Corrective measures – these controls are aimed at correcting or restoring the system after a disaster or an event.
These controls should be always documented and tested regularly.
Prior to selecting a disaster recovery strategy, a disaster recovery planner should refer to the organisation’s business continuity plan which should indicate the key metrics of recovery point objective (RPO) and recovery time objective (RTO) for various business processes (such as the process to run payroll, generate an order, etc). The metrics specified for the business processes must then be mapped to the underlying IT systems and infrastructure that support those processes.
Incomplete RTOs and RPOs can quickly derail a disaster recovery plan. Every item in the DR plan requires a defined recovery point and time objective. Failure to create them may lead to significant problems that can extend the disaster’s impact. Once the RTO and RPO metrics have been mapped to IT infrastructure, the DR planner can determine the most suitable recovery strategy for each system. An important note here is that the business ultimately sets the IT budget and therefore the RTO and RPO metrics need to fit with the available budget. While most business unit heads would like zero data loss and zero time loss, the cost associated with that level of protection may make the desired high availability solutions impractical.
In many cases, an organisation may elect to use an outsourced disaster recovery provider to provide a stand-by site and systems rather than using their own remote facilities.
In addition to preparing for the need to recover systems, companies must also implement precautionary measures with an objective of preventing a disaster in the first place. These may include the following:
- Local mirrors of systems and / or data and use of disk protection technology such as RAID
- Surge protectors – to minimize the effect of power surges on delicate electronic equipment
- Uninterruptible power supply (UPS) and / or backup generators to keep systems going in the event of a power failure
- Fire preventions – alarms, fire extinguishers
- Anti-virus software and other security measures
If you would like to discuss disaster recovery, by all means email us or call 020 8941 2187. An initial consultation is free of charge.