Disaster recovery

From Wikipedia, the free encyclopedia
Jump to: navigation, search
This article is about business continuity planning. For societal disaster recovery, see emergency management.
For other uses, see DRP (disambiguation).
Question book-new.svg
 This article needs additional citations for verification.
Please help improve this article by adding reliable references. Unsourced material may be challenged and removed. (January 2010)
This article contains instructions, advice, or how-to content. The purpose of Wikipedia is to present facts, not to train. Please help improve this article either by rewriting the how-to content or by moving it to Wikiversity or Wikibooks. (September 2009)

Disaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery is a subset of business continuity. While business continuity involves planning for keeping all aspects of a business functioning in the midst of disruptive events, disaster recovery focuses on the IT or technology systems that support business functions.

Contents

[edit] History

Disaster recovery as a concept developed in the mid to late 1970s as computer center managers began to recognize the dependence of their organizations on their computer systems. At that time most systems were batch-oriented mainframes which in many cases could be down for a number of days before significant damage would be done to the organization[1].

As awareness of Disaster Recovery grew an industry developed to provide backup computer centers, with Sun Information Systems (which later became Sungard Availability Systems) becoming the first major US commercial hot site vendor, established in 1978 in Philadelphia[2].

During the 1980s and 1990s, IT disaster recovery awareness and the disaster recovery industry grew rapidly, driven by the advent of open systems and real-time processing (which increased the dependence of organizations on their IT systems). Another driving force in the growth of the industry was increasing government regulations mandating business continuity and disaster recovery plans for organizations in various sectors of the economy.

With the rapid growth of the Internet through the late 1990s and into the 2000s, organizations of all sizes became further dependent on the continuous availability of their IT systems, with many organizations setting an objective of 99.999% availability of critical systems. This increasing dependence on IT systems, as well as increased awareness from large-scale disasters such as 9/11, contributed to the further growth of various disaster recovery related industries, from high-availability solutions to hot-site facilities.

[edit] Classification of Disasters

Disasters can be classified in two broad categories. The first is natural disasters such as floods, hurricanes, tornadoes or earthquakes. While preventing a natural disaster is very difficult, measures such as good planning which includes mitigation measures can help reduce or avoid losses. The second category is man made disasters. These include hazardous material spills, infrastructure failure or bio-terrorism. In these instances surveillance and mitigation planning are invaluable towards avoiding or lessening losses from these events.

[edit] General steps to follow while creating BCP/DRP

  1. Identify the scope and boundaries of business continuity plan. First step enables us to define scope of BCP. It provides an idea for limitations and boundaries of plan. It also includes audit and risk analysis reports for institution’s assets.
  2. Conduct a business impact analysis (BIA). Business impact analysis is the study and assessment of effects to the organization in the event of the loss or degradation of business/mission functions resulting from a destructive event. Such loss may be financial, or less tangible but nevertheless essential (e.g. human resources, shareholder liaison)
  3. Sell the concept of BCP to upper management and obtain organizational and financial commitment. Convincing senior management to approve BCP/DRP is key task. It is very important for security professionals to get approval for plan from upper management to bring it to effect.
  4. Each department will need to understand its role in plan and support to maintain it. In case of disaster, each department has to be prepared for the action. To recover and to protect the critical functions, each department has to understand the plan and follow it accordingly. It is also important for each department to help in the creation and maintenance of its portion of the plan.
  5. NIST tool set can be used for doing BCP. National Institute of Standards and Technologies has published tools which can help in creating BCP.

With the increasing importance of information technology for the continuation of business critical functions, combined with a transition to an around-the-clock economy, the importance of protecting an organization's data and IT infrastructure in the event of a disruptive situation has become an increasing and more visible business priority in recent years.

It is estimated that most large companies spend between 2% and 4% of their IT budget on disaster recovery planning, with the aim of avoiding larger losses in the event that the business cannot continue to function due to loss of IT infrastructure and data. Of companies that had a major loss of business data, 43% never reopen, 51% close within two years, and only 6% will survive long-term. This results in a majority of failed businesses.[3]

[edit] Control measures in recovery plan

Control measures are steps or mechanisms that can reduce or eliminate various threats for organizations. Different types of measures can be included in BCP/DRP. Disaster recovery planning is a subset of a larger process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity. This article focuses on disaster recovery planning as related to IT infrastructure. Types of measures:

  1. Preventive measures - These controls are aimed at preventing an event from occurring.
  2. Detective measures - These controls are aimed at detecting or discovering unwanted events.
  3. Corrective measures - These controls are aimed at correcting or restoring the system after disaster or event.

These controls should be always documented and tested regularly.

[edit] Strategies

Prior to selecting a disaster recovery strategy, a disaster recovery planner should refer to their organization's business continuity plan which should indicate the key metrics of recovery point objective (RPO) and recovery time objective (RTO) for various business processes (such as the process to run payroll, generate an order, etc.). The metrics specified for the business processes must then be mapped to the underlying IT systems and infrastructure that support those processes. [4]

Once the RTO and RPO metrics have been mapped to IT infrastructure, the DR planner can determine the most suitable recovery strategy for each system. An important note here however is that the business ultimately sets the IT budget and therefore the RTO and RPO metrics need to fit with the available budge . While most business unit heads would like zero data loss and zero time loss, the cost associated with that level of protection may make the desired high availability solutions impractical.

The following is a list of the most common strategies for data protection.

In many cases, an organization may elect to use an outsourced disaster recovery provider to provide a stand-by site and systems rather than using their own remote facilities.

In addition to preparing for the need to recover systems, organizations must also implement precautionary measures with an objective of preventing a disaster in the first place. These may include some of the following:

[edit] See also

[edit] References

  1. ^ A Brief History of Disaster Recovery. PDF File
  2. ^ SunGard Data Systems: Company history. SunGard History
  3. ^ Hoffer, Jim. "Backing Up Business - Industry Trend or Event." Health Management Technology, Jan 2001 [1]
  4. ^ Gregory, Peter. CISA Certified Information Systems Auditor All-in-One Exam Guide, 2009. ISBN 9780071487559. Page 480.

National Institute of Standards and Technology http://www.nist.gov

[edit] Further reading

-- International Organization for Standardization --

[edit] External links

Wikibooks has a book on the topic of
Retrieved from "http://en.wikipedia.org/wiki/Disaster_recovery"
Personal tools
Namespaces
Variants
Actions
Navigation
Interaction
Toolbox
Print/export
Languages