Recently, Hurricane Dorian slammed into the Bahamas, and drifted north up the Atlantic Ocean.
Our thoughts and prayers go out to those affected by the storm! Even as our thoughts go out to others, we must also use this devastating incident to remind ourselves that disasters happen.
Use this as an opportunity to check if your organization is fully prepared with a disaster recovery plan.
Water and electronics do not mix. An office flooded by surge tides, doused with rainwater from broken windows or damaged roofs, or even hosed down by firefighters during a fire, will likely lose all functionality from the local electronics.
However, even though the hurricane triggered our awareness of the forces of nature, we cannot forget that there are many possible causes of IT system failure: Human error, malicious actors, malware, or even the failure of a software program or hardware component.
How ready is your organization to recover from such a disaster?
How quickly does your organization need to recover in order to avoid business loss?
If you own a car wash, and the only electronics of note are a single register and a credit card machine, it is simple and quick to replace that damaged equipment. You’d be back up and running in no time. You could probably even go cash-only for a few days in a pinch.
Yet, if you run a hedge fund, you can’t stop trading just because your systems were flooded. Restoring a full set of local machines, servers, and the security to protect them all will not be a trivial task.
The Best Options for Your Disaster Recovery Plan
There is no one-size-fits-all disaster recovery plan, because each organization is different.
Private businesses, non-profits, hospitals, state and local governments all have different functions that require disaster recovery at different paces. Sometimes, the priorities are easy and core to the organization.
For example, hospitals prioritize patient safety and welfare, so all equipment related to basic healthcare (lights, heart monitors, etc.) will be the first priority for recovery. Meanwhile, advanced diagnostics (MRI, etc.) might have secondary priority, and so on.
Yet, within the same organization, not everyone will agree upon which systems are most critical.
The finance department may become distressed at the idea that accounts receivable will not be able to process checks for a week, and insist that their systems be up and running ASAP.
The sales team, on the other hand, will insist that business will grind to a halt if they cannot access their client information and place orders. Yet, it’s the IT department’s budget that pays for the recovery time, not theirs.
Only the managers within the organization can truly weigh the priorities of the organization against the department specific desires, and the budget required to make the disaster recovery happen.
Choosing the Right Plan for Recovery
Immediate recovery may not be feasible with your organization’s manpower and budgetary resources. So, how do you choose who waits?
Fortunately, there are well-established ways for a business or IT manager to weigh the conflicting needs.
Ready.gov, a National Public service campaign launched in February 2003, provides a formal business continuity planning process framework, and the NIST Contingency Planning: High Impact System Template can be used to address the technical requirements in a formalized fashion.
A quick Google search will also reveal other resources, such as the Business Continuity Plan Template available on SmartSheet.com.
While the forms and the framework appear complicated, it can be summarized in four general stages: Evaluation, Strategies, Development, and Testing/Maintenance.
Phase 1 – Evaluate the Impact of the Systems
A strong disaster recovery plan involves evaluating your IT systems, and rank them by urgency.
What must be up in mere hours? Perhaps telephone systems and email?
What should be up in days? Perhaps the file server and the full accounting system?
What is OK to recover after a few weeks? Perhaps archival systems?
Beyond urgency, the managers also need an evaluation of the importance of the data.
What data is required for the most urgent needs?
What data should be available for the services that come back online in a few days?
For example, from an urgency standpoint, perhaps payroll is okay to have back online in a few days, and a file server was determined to be okay to wait a week – but if the payroll database is pulling from employee records stored on the file server, then there is a disconnect in the priorities that needs to be resolved.
Resolution, in this case, could be either to move up the urgency of the file server or to move the payroll database to a more critical asset that is brought back faster than the original file server.
A sometimes neglected dimension of disaster recovery is factoring the likelihood of particular events occurring into the calculation of the priorities.
Hurricanes and earthquakes may not hit us in Pittsburgh, but snowstorms and building fires certainly must be considered. Hackers may be a rare occurrence, but coffee spills on keyboards can happen quite frequently in a large office.
This three-dimensional approach segregates and separates, creating a weighted scale that can be used to set priorities. After all, some items of great importance may be regulatory and non-urgent.
For example, let’s consider an urgent care clinic. In a disaster, the urgent care clinic needs to be up and running to help its patients.
The systems to support patient care should take precedence. However, there are also laws that provide clinics with a mandate to store and protect patient data – even if the patients are no longer local or active patients.
While it is a regulatory imperative to restore old patient data eventually, it obviously is of no use immediately after the disaster.
On to Phase Two
At the end of this first phase of planning first phase, the organization will have a list of potential disasters, the equipment and staff affected, and the priority for recovery for the affected systems.
The organization will also have prioritized the potential disasters and understand which ones need to be addressed first because they will be the most likely and most serious.
The next phases to create strategies for disaster recovery, development of the recovery processes, and the testing and maintenance of those processes will be covered the next time in this blog.
In the meantime, Ideal Integrations is available to help you with your organizations’ disaster recovery plans involving IT systems. Our portfolio of services and technologies can help you quickly recover from a variety of potential disasters – or even stop some from happening at all!
Complete the form below, or Click Here to contact us today to learn more about how we can help you!