10 Essential Components of an Effective Disaster Recovery Plan

Data is the lifeblood of any enterprise. However, backup and data recovery investments can be difficult to sell internally because their benefits aren’t readily apparent on the bottom line. Just like any insurance policy, these systems matter most when the unpredictable happens, such as a hurricane, fire, flood or cyber-attack. With data and cyber-security in the spotlight, enterprises of all sizes are taking a closer look at how to cope if and when a breach or other incident that impacts the business occurs. Having a well-designed disaster recovery (DR) plan can be the difference between bouncing back from an incident or going under. In this eWEEK slide show, Larry Novak, service manager for cloud recovery at ViaWest, highlights the key components an effective DR plan should have.

Your business should have a document that provides the scope of the plan, objectives and assumptions. This should identify the address and location of the production site and the recovery site and include maps and directions as necessary. It should also describe when to put the plan in motion. What are the triggers that would cause a disaster declaration and activation of the DR plan?

An overview of your recovery strategy should provide a brief description of the tools and methods to be used to recover critical systems. This includes not only the names and location of your backups, but also the procedure necessary to retrieve the backup files. 

Equally as important as your infrastructure are the people behind it. Your DR plan should list the members and their titles, telephone numbers and email addresses for the various teams involved in recovery, such as senior leadership; an authorized list of names who can declare a disaster; the recovery team; and the damage assessment team. The conference bridge line also should be included in the document.

Your plan should list the infrastructure that will be required at the recovery site in order to have fully functional and operational systems. This includes the equipment for firewalls, switches, routers, storage, LANs and internet connectivity. Also, provide a list of servers (and their configurations) for backup and restoration software, security and virtual host servers. Prioritized List of Critical Applications and Systems

Not all of your applications are business-critical. The DR plan should not only include a list of the applications and databases that should be recovered but also the sequence in which they should be restored. Expected Recovery Point Objective (RPO) and Recovery Time Objective (RTO), which can vary depending on your unique company needs, should be listed for each system. A list of the hardware required for each system should also be documented.

You don’t want to leave anyone scratching their heads during a disaster. A section of the plan should include detailed steps that the IT staff will follow to recover the infrastructure (based on your prioritized list) and applications and systems (based on your minimum critical infrastructure).

When the DR plan is activated, it should include a detailed script that can be followed and executed by the recovery team leader. The script should contain each of the tasks involved in a recovery, and who is responsible for performing those tasks.

The DR plan should contain a section that identifies how often the plan should be tested, as well as a list of dates that the plan was tested with a brief summary of the results, and a list of and/or links to any post-test documents and lessons learned. The steps necessary to “failback”—restore operations to a primary machine or facility after a DR test or actual disaster—should be identified.

Each member of the various teams involved in DR should be familiar with his or her defined role. A list of everyone involved in the recovery process should be included in your documentation, along with their role and responsibility. A secondary or backup person also should be listed for each member.

An inventory list of all of the equipment at the production site and the recovery site should be included in the plan.  A current, detailed diagram of the entire network—including circuit IDs—should also be part of the plan.