IT systems are vulnerable to a variety of disruptions, ranging from mild (e.g., a short-term power outage or a disk drive failure) to severe (e.g., terrorism, equipment destruction, fire, acts of God). Many vulnerabilities can be minimized or eliminated through technical, management, or operational solutions as part of the organization's risk management effort; however, it is virtually impossible to eliminate all risks completely. IET's Disaster Recovery planning is designed to mitigate the risk of network and service unavailability by focusing on effective and efficient recovery solutions.
DISASTER RECOVERY PLANNING
Network management encompasses a broad range of activities to identify, control, and mitigate risks to an IT system or network. First, risk management should identify threats and vulnerabilities so that appropriate controls can be put in place either to prevent incidents from happening or to limit the effects of an incident. These security controls protect an IT system against the following classifications of threats:
- Natural—e.g., hurricane, tornado and fire
- Terrorism—e.g., attacks by groups such as the Taliban that destroy installations and facilities
- Human—e.g., operator error, sabotage, and the implanting of malicious code
- Environmental—e.g., equipment failure, software error, telecommunications network outage, and electric power failure.
[Figure: The relationship between identifying and implementing security controls, developing and maintaining the recovery plan, and implementing the recovery plan once the event has occurred.]
In many cases, critical resources may reside outside the organization's control (such as electric power or telecommunications), and the organization may be unable to ensure their availability. Responses to these types of incidents involve activities outside the scope of IT recovery planning. Similarly, this document does not address incident response activities associated with preserving evidence for computer forensics analysis following an illegal intrusion, denial-of-service attack, introduction of malicious logic, or other cyber crime.
To effectively determine the specific risks to a network or IT system during a service interruption, a risk assessment of the network environment is required. A thorough risk assessment should identify the system's vulnerabilities, threats, and current controls, and attempt to determine the risk based on the likelihood and impact of each threat. These risks should then be assessed and a risk level assigned (e.g., high, medium, or low). Because risks can vary over time and new risks may replace old ones as a system evolves, the risk management process must be ongoing and dynamic. The person responsible for IT contingency planning must be aware of the risks to the system and recognize whether the current contingency plan is able to address residual risks completely and effectively.
IET disaster recovery planning represents a broad scope of activities designed to sustain and recover critical IT services following an emergency. IET disaster recovery planning fits into a much broader emergency preparedness environment that includes continuity and recovery planning for administration and network maintenance processes. Ultimately, the Customer would use a suite of plans to properly prepare response, recovery, and continuity activities for disruptions affecting the organization's network servers, network operations, and services. Because there is an inherent relationship between a server and the process it supports, each plan should be coordinated with the others during development and updates, to ensure that recovery strategies and supporting resources neither negate each other nor duplicate efforts. The successful completion of such a project requires the close cooperation of management from all areas of Information Systems as well as the network areas supported by Information Systems. Senior personnel from Information Systems and user areas must be significantly involved throughout the planning and implementation process for it to be successful. In closing, it is important to keep in mind that the aim of the planning process is to:
- Assess existing vulnerabilities;
- Implement disaster avoidance and prevention procedures;
- Develop a comprehensive plan that will enable the organization to react appropriately and in a timely manner if disaster strikes.
Disaster Recovery Program (DRP)
As suggested by its name, the DRP applies to major, usually catastrophic, events that deny access to the network resources & services for an extended period. Frequently, IET DRP refers to an IT-focused plan designed to restore operability of the target systems, applications, or computer facility at an alternate location after an emergency. The DRP scope may overlap that of an IT contingency plan; however, the DRP is narrower in scope and does not address minor disruptions that do not require relocation.
IET follows these Disaster Recovery Procedures:
- Pre-Planning Activities (Project Initiation)
- Vulnerability Assessment and General Definition
- Overall Network Impact Analysis
- Detailed Definition of Requirements
- Plan Development
- Testing Program
- Maintenance Program
- Initial Plan Testing and Plan Implementation
- Planning Scope and Plan Objectives
- Project Organization and Staffing
- Project Control
- Schedule of Deliverables
- Resource Requirements
The primary objective of a Network Disaster Recovery Plan is to enable an organization's IT team to survive a disaster and to re-establish normal network operations. In order to survive, the organization must ensure that critical network operations can resume normal processing within a reasonable time frame. Therefore, the goals of the Network Disaster Recovery Plan are to:
- Identify weaknesses and implement a network disaster prevention program;
- Minimize the duration of a serious disruption to network operations;
- Facilitate effective co-ordination of recovery tasks; and
- Reduce the complexity of the recovery effort.
Historically, the data processing function alone has been assigned the responsibility for contingency planning. Frequently, this has led to recovery plans that restore computer resources in a manner that is not fully responsive to the needs of the network supported by those resources. Recovery planning is a network issue rather than a data processing issue. In today's environment, a long-term operations outage may have a catastrophic impact. The development of a viable recovery strategy must, therefore, be a product not only of the providers of the organization's data processing, communications, and operations centre services, but also of the users of those services and of the management personnel responsible for protecting the network assets.
The methodology used in this plan emphasizes the following key points:
- Providing management with a comprehensive understanding of the total effort required to develop and maintain an effective recovery plan;
- Obtaining commitment from appropriate professionals to support and participate in the effort;
- Defining recovery requirements from the perspective of functions;
- Documenting the impact of an extended loss to operations and key network functions;
- Focusing appropriately on disaster prevention and impact minimization, as well as orderly recovery;
- Selecting project teams that ensure the proper balance required for plan development;
- Training the Customer's network disaster recovery team, which will work in coordination with IET;
- Developing a contingency plan that is understandable, easy to use and easy to maintain; and
- Defining how contingency planning considerations must be integrated into ongoing disaster recovery planning and systems restore processes in order for the plan to remain viable over time.
Because recovery planning is a very complex and labour-intensive process, it requires the redirection of valuable technical staff and information processing resources as well as appropriate funding. In order to minimize the impact such an undertaking would have on scarce resources, the project for developing and implementing disaster recovery should be part of the organization's normal planning activities. The disaster recovery methodology proposed by IET consists of eight separate phases, as described below.
Phase 1 - Pre-Planning Activities (Project Initiation)
Phase 1 is used to obtain an understanding of the organization's existing and projected computing environment. This enables the project team to refine the scope of the project and the associated work program, develop project schedules, and identify and address any issues that could affect the delivery and success of the project. During this phase a committee should be established comprising both IET's and the Customer's technical teams. The committee should have overall responsibility for providing direction and guidance to the technical team, and should make all decisions related to the recovery planning effort. Two other key deliverables of this phase are the development of a policy to support the recovery programs, and an awareness program to educate management and the senior individuals who will be required to participate in the process.